Handle console session in multiple management servers

api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java

@@ -26,4 +26,6 @@ public interface ConsoleAccessManager extends Manager {
     boolean isSessionAllowed(String sessionUuid);
 
     void removeSessions(String[] sessionUuids);
+
+    void removeSession(String sessionUuid);
 }

engine/schema/src/main/java/com/cloud/vm/AllowedConsoleSessionVo.java

@@ -0,0 +1,64 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+
+package com.cloud.vm;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+@Entity
+@Table(name = "allowed_console_session")
+public class AllowedConsoleSessionVo {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private long id;
+
+    @Column(name = "session_uuid")
+    private String sessionUuid;
+
+    public AllowedConsoleSessionVo() {
+    }
+
+    public AllowedConsoleSessionVo(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
+
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
+
+    public void setSessionUuid(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
+}

engine/schema/src/main/java/com/cloud/vm/dao/AllowedConsoleSessionDao.java

@@ -0,0 +1,31 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.vm.dao;
+
+import com.cloud.vm.AllowedConsoleSessionVo;
+import com.cloud.utils.db.GenericDao;
+
+public interface AllowedConsoleSessionDao extends GenericDao<AllowedConsoleSessionVo, Long> {
+
+    void expungeBySessionUuids(Object[] sessionUuid);
+
+    boolean isSessionUuidAllowed(String sessionUuid);
+
+}

engine/schema/src/main/java/com/cloud/vm/dao/AllowedConsoleSessionDaoImpl.java

@@ -0,0 +1,52 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.vm.dao;
+
+import com.cloud.vm.AllowedConsoleSessionVo;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+public class AllowedConsoleSessionDaoImpl extends GenericDaoBase<AllowedConsoleSessionVo, Long> implements AllowedConsoleSessionDao {
+
+    private final SearchBuilder<AllowedConsoleSessionVo> searchBySessionUuids;
+
+    protected AllowedConsoleSessionDaoImpl() {
+        searchBySessionUuids = createSearchBuilder();
+        searchBySessionUuids.and("sessions", searchBySessionUuids.entity().getSessionUuid(), SearchCriteria.Op.IN);
+        searchBySessionUuids.done();
+    }
+
+    @Override
+    public void expungeBySessionUuids(Object[] sessionsUuids) {
+        expunge(getSearchCriteriaBySessionUuids(sessionsUuids));
+    }
+
+    @Override
+    public boolean isSessionUuidAllowed(String sessionUuid) {
+        return findOneBy(getSearchCriteriaBySessionUuids(new String[]{sessionUuid})) != null;
+    }
+
+    private SearchCriteria<AllowedConsoleSessionVo> getSearchCriteriaBySessionUuids(Object[] sessionsUuids) {
+        SearchCriteria<AllowedConsoleSessionVo> sc = searchBySessionUuids.create();
+        sc.setParameters("sessions", sessionsUuids);
+        return sc;
+    }
+}

engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml

@@ -45,6 +45,7 @@
   <bean id="accountJoinDaoImpl" class="com.cloud.api.query.dao.AccountJoinDaoImpl" />
   <bean id="accountVlanMapDaoImpl" class="com.cloud.dc.dao.AccountVlanMapDaoImpl" />
   <bean id="alertDaoImpl" class="com.cloud.alert.dao.AlertDaoImpl" />
+  <bean id="allowedConsoleSessionDaoImpl" class="com.cloud.vm.dao.AllowedConsoleSessionDaoImpl" />
   <bean id="asyncJobJoinDaoImpl" class="com.cloud.api.query.dao.AsyncJobJoinDaoImpl" />
   <bean id="autoScalePolicyConditionMapDaoImpl" class="com.cloud.network.as.dao.AutoScalePolicyConditionMapDaoImpl" />
   <bean id="autoScalePolicyDaoImpl" class="com.cloud.network.as.dao.AutoScalePolicyDaoImpl" />

engine/schema/src/main/resources/META-INF/db/schema-41720to41800.sql

@@ -1035,3 +1035,10 @@ WHERE   role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only User -
 INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`)
 SELECT UUID(), `roles`.`id`, 'isAccountAllowedToCreateOfferingsWithTags', 'ALLOW'
 FROM `cloud`.`roles` WHERE `role_type` = 'DomainAdmin';
+
+--- Create table for handling allowed console session temporally
+
+CREATE TABLE `cloud`.`allowed_console_session` (
+    `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
+    `session_uuid` VARCHAR(40) NOT NULL
+);

server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java

@@ -110,6 +110,9 @@ public AgentControlAnswer onConsoleAccessAuthentication(ConsoleAccessAuthenticat
                 return new ConsoleAccessAuthenticationAnswer(cmd, false);
             }
 
+            s_logger.debug(String.format("Removing session [%s] from database because it is for an one time usage and we just validated it.", sessionUuid));
+            consoleAccessManager.removeSession(sessionUuid);
+
             if (!ticket.equals(ticketInUrl)) {
                 Date now = new Date();
                 // considering of minute round-up

server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java

@@ -38,17 +38,20 @@
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.vm.AllowedConsoleSessionVo;
 import com.cloud.vm.UserVmDetailVO;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineManager;
 import com.cloud.vm.VmDetailConstants;
+import com.cloud.vm.dao.AllowedConsoleSessionDao;
 import com.cloud.vm.dao.UserVmDetailsDao;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import org.apache.cloudstack.api.command.user.consoleproxy.ConsoleEndpoint;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
@@ -84,6 +87,8 @@ public class ConsoleAccessManagerImpl extends ManagerBase implements ConsoleAcce
     private AgentManager agentManager;
     @Inject
     private ConsoleProxyManager consoleProxyManager;
+    @Inject
+    private AllowedConsoleSessionDao allowedConsoleSessionDao;
 
     private static KeysManager secretKeysManager;
     private final Gson gson = new GsonBuilder().create();
@@ -151,11 +156,16 @@ public boolean isSessionAllowed(String sessionUuid) {
 
     @Override
     public void removeSessions(String[] sessionUuids) {
-        for (String r : sessionUuids) {
-            allowedSessions.remove(r);
+        if (ArrayUtils.isNotEmpty(sessionUuids)) {
+            allowedConsoleSessionDao.expungeBySessionUuids(sessionUuids);
         }
     }
 
+    @Override
+    public void removeSession(String sessionUuid) {
+        removeSessions(new String[] {sessionUuid});
+    }
+
     protected boolean checkSessionPermission(VirtualMachine vm, Account account) {
         if (accountManager.isRootAdmin(account.getId())) {
             return true;
@@ -289,7 +299,7 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         String url = generateConsoleAccessUrl(rootUrl, param, token, vncPort, vm);
 
         s_logger.debug("Adding allowed session: " + sessionUuid);
-        allowedSessions.add(sessionUuid);
+        allowedConsoleSessionDao.persist(new AllowedConsoleSessionVo(sessionUuid));
         managementServer.setConsoleAccessForVm(vm.getId(), sessionUuid);
 
         ConsoleEndpoint consoleEndpoint = new ConsoleEndpoint(true, url);