changes

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

Author: shwstppr

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/LogsWebSessionApiService.java

@@ -31,5 +31,4 @@ public interface LogsWebSessionApiService extends PluggableService {
     ListResponse<LogsWebSessionResponse> listLogsWebSessions(ListLogsWebSessionsCmd cmd);
     LogsWebSessionResponse createLogsWebSession(CreateLogsWebSessionCmd cmd) throws CloudRuntimeException;
     boolean deleteLogsWebSession(DeleteLogsWebSession cmd) throws CloudRuntimeException;
-    LogsWebSessionResponse createLogsWebSessionResponse(long logsEndpointId);
 }

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/LogsWebSessionApiServiceImpl.java

@@ -47,18 +47,23 @@
 
 import com.cloud.api.ApiServlet;
 import com.cloud.domain.Domain;
+import com.cloud.exception.InternalErrorException;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.DomainService;
 import com.cloud.utils.Pair;
+import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.Filter;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallbackWithException;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.net.NetUtils;
 
-public class LogsWebSessionApiServiceImpl implements LogsWebSessionApiService {
+public class LogsWebSessionApiServiceImpl extends ManagerBase implements LogsWebSessionApiService {
 
     @Inject
     LogsWebSessionManager logsWSManager;
@@ -72,6 +77,9 @@ public class LogsWebSessionApiServiceImpl implements LogsWebSessionApiService {
     @Override
     public ListResponse<LogsWebSessionResponse> listLogsWebSessions(ListLogsWebSessionsCmd cmd) {
         final Long id = cmd.getId();
+        if (!accountService.isRootAdmin(CallContext.current().getCallingAccountId())) {
+            throw new PermissionDeniedException("Invalid request");
+        }
         List<LogsWebSessionResponse> responsesList = new ArrayList<>();
         SearchBuilder<LogsWebSessionVO> sb = logsWebSessionDao.createSearchBuilder();
         sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -82,24 +90,34 @@ public ListResponse<LogsWebSessionResponse> listLogsWebSessions(ListLogsWebSessi
 
         Filter searchFilter = new Filter(LogsWebSessionVO.class, "id", true, cmd.getStartIndex(),
                 cmd.getPageSizeVal());
-        Pair<List<LogsWebSessionVO>, Integer> webhooksAndCount = logsWebSessionDao.searchAndCount(sc, searchFilter);
-        for (LogsWebSessionVO webhook : webhooksAndCount.first()) {
-            LogsWebSessionResponse response = createLogsWebSessionResponse(webhook);
-            responsesList.add(response);
+        Pair<List<LogsWebSessionVO>, Integer> logsWebSessionsAndCount = logsWebSessionDao.searchAndCount(sc, searchFilter);
+        for (LogsWebSessionVO session : logsWebSessionsAndCount.first()) {
+            try {
+                LogsWebSessionResponse response = createLogsWebSessionResponse(session);
+                responsesList.add(response);
+            } catch (InternalErrorException exception) {
+                logger.error("Failed to create response for {}", session, exception);
+            }
         }
         ListResponse<LogsWebSessionResponse> response = new ListResponse<>();
-        response.setResponses(responsesList, webhooksAndCount.second());
+        response.setResponses(responsesList, logsWebSessionsAndCount.second());
         return response;
     }
 
     @Override
     public LogsWebSessionResponse createLogsWebSession(CreateLogsWebSessionCmd cmd) throws CloudRuntimeException {
+        final Account caller = CallContext.current().getCallingAccount();
         final List<String> filters = cmd.getFilters();
+        final Map<String, String> params = cmd.getFullUrlParams();
         final String extraSecurityToken = cmd.getExtraSecurityToken();
-        String clientAddress = null;
-        Map<String, String> params = cmd.getFullUrlParams();
+        String clientAddress;
         if (MapUtils.isNotEmpty(params)) {
             clientAddress = params.get(ApiServlet.CLIENT_INET_ADDRESS_KEY);
+        } else {
+            clientAddress = null;
+        }
+        if (!accountService.isRootAdmin(caller.getAccountId())) {
+            throw new PermissionDeniedException("Invalid request");
         }
         for (String filter : filters) {
             if (StringUtils.isBlank(filter)) {
@@ -108,18 +126,26 @@ public LogsWebSessionResponse createLogsWebSession(CreateLogsWebSessionCmd cmd)
             }
         }
         if (!logsWSManager.canCreateNewLogsWebSession()) {
-            throw new CloudRuntimeException("Max Logs Web Session limit reached");
+            throw new CloudRuntimeException("Failed to create logs web session as max session limit reached");
+        }
+        try {
+            return Transaction.execute((TransactionCallbackWithException<LogsWebSessionResponse, InternalErrorException>) status -> {
+                LogsWebSessionVO logsWebSessionVO = new LogsWebSessionVO(filters, caller.getDomainId(), caller.getAccountId(),
+                        clientAddress);
+                logsWebSessionVO = logsWebSessionDao.persist(logsWebSessionVO);
+                return createLogsWebSessionResponse(logsWebSessionVO);
+            });
+        } catch (InternalErrorException e) {
+            throw new CloudRuntimeException("Failed to create logs web session as unable to prepare response", e);
         }
-        final Account account = CallContext.current().getCallingAccount();
-        LogsWebSessionVO logsWebSessionVO = new LogsWebSessionVO(filters, account.getDomainId(), account.getAccountId(),
-                clientAddress);
-        logsWebSessionVO = logsWebSessionDao.persist(logsWebSessionVO);
-        return createLogsWebSessionResponse(logsWebSessionVO);
     }
 
     @Override
     public boolean deleteLogsWebSession(DeleteLogsWebSession cmd) throws CloudRuntimeException {
         final long id = cmd.getId();
+        if (!accountService.isRootAdmin(CallContext.current().getCallingAccountId())) {
+            throw new PermissionDeniedException("Invalid request");
+        }
         return logsWebSessionDao.remove(id);
     }
 
@@ -142,7 +168,7 @@ protected String getRealIp4Address() {
     }
 
     protected Set<LogsWebSessionWebSocketResponse> getLogsWebSessionWebSocketResponses(
-            final LogsWebSessionVO logsWebSessionVO) {
+            final LogsWebSessionVO logsWebSessionVO) throws InternalErrorException {
         Set<LogsWebSessionWebSocketResponse> responses = new HashSet<>();
         List<LogsWebSessionWebSocket> webSockets = logsWSManager.getLogsWebSessionWebSockets(logsWebSessionVO);
         for (LogsWebSessionWebSocket socket : webSockets) {
@@ -164,7 +190,7 @@ protected Set<LogsWebSessionWebSocketResponse> getLogsWebSessionWebSocketRespons
         return responses;
     }
 
-    protected LogsWebSessionResponse createLogsWebSessionResponse(final LogsWebSessionVO logsWebSessionVO) {
+    protected LogsWebSessionResponse createLogsWebSessionResponse(final LogsWebSessionVO logsWebSessionVO) throws InternalErrorException {
         LogsWebSessionResponse response = new LogsWebSessionResponse();
         response.setObjectName("logswebsession");
         response.setId(logsWebSessionVO.getUuid());
@@ -183,15 +209,6 @@ protected LogsWebSessionResponse createLogsWebSessionResponse(final LogsWebSessi
         return response;
     }
 
-    @Override
-    public LogsWebSessionResponse createLogsWebSessionResponse(long logsEndpointId) {
-        LogsWebSessionVO logsWebSessionVO = logsWebSessionDao.findById(logsEndpointId);
-        if (logsWebSessionVO == null) {
-            return null;
-        }
-        return createLogsWebSessionResponse(logsWebSessionVO);
-    }
-
     @Override
     public List<Class<?>> getCommands() {
         if (!LogsWebSessionManager.LogsWebServerEnabled.value()) {

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/LogsWebSessionManager.java

@@ -22,10 +22,12 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 
+import com.cloud.exception.InternalErrorException;
 import com.cloud.utils.component.PluggableService;
 
 public interface LogsWebSessionManager extends PluggableService, Configurable {
     String WS_PATH = "/logger";
+    String ENCRYPTION_PASSPHRASE = "LogsWebSessionEncryptionPassphrase";
 
     ConfigKey<Boolean> LogsWebServerEnabled = new ConfigKey<>("Advanced", Boolean.class,
             "logs.web.server.enabled", "false",
@@ -65,6 +67,6 @@ public interface LogsWebSessionManager extends PluggableService, Configurable {
             true,
             ConfigKey.Scope.ManagementServer);
 
-    List<LogsWebSessionWebSocket> getLogsWebSessionWebSockets(final LogsWebSession logsWebSession);
+    List<LogsWebSessionWebSocket> getLogsWebSessionWebSockets(final LogsWebSession logsWebSession) throws InternalErrorException;
     boolean canCreateNewLogsWebSession();
 }

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/LogsWebSessionManagerImpl.java

@@ -17,6 +17,7 @@
 
 package org.apache.cloudstack.logsws;
 
+import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -43,6 +44,7 @@
 
 import com.cloud.cluster.ManagementServerHostVO;
 import com.cloud.cluster.dao.ManagementServerHostDao;
+import com.cloud.exception.InternalErrorException;
 import com.cloud.utils.DateUtil;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.concurrency.NamedThreadFactory;
@@ -60,18 +62,23 @@ public class LogsWebSessionManagerImpl extends ManagerBase implements LogsWebSes
     private String serverPath;
     private int idleTimeoutSeconds;
     private ScheduledExecutorService staleLogsWebSessionCleanupExecutor;
-    private Long managementServerId = null;
+    private ManagementServerHost managementServer = null;
     private LogsWebSocketRouteManager logsWebSocketRouteManager;
 
-    protected Long getManagementServerId() {
-        if (managementServerId != null) {
-            ManagementServerHostVO managementServerHostVO =
+    protected ManagementServerHost getCurrentManagementServer() {
+        if (managementServer == null) {
+            managementServer =
                     managementServerHostDao.findByMsid(ManagementServerNode.getManagementServerId());
-            if (managementServerHostVO != null) {
-                managementServerId = managementServerHostVO.getId();
-            }
         }
-        return managementServerId;
+        return managementServer;
+    }
+
+    protected Long getManagementServerId() {
+        return getCurrentManagementServer().getId();
+    }
+
+    protected Long getManagementServerRunId() {
+        return getCurrentManagementServer().getId();
     }
 
     protected void registerLogsWebSocketServerRoute() {
@@ -118,18 +125,30 @@ public boolean stop() {
         return true;
     }
 
-    private String getLogsWebSessionWebSocketPathUsingVO(long msId, LogsWebSession session) {
+    protected LogsWebSessionTokenPayload getLogsWebSessionWebSocketTokenPayloadUsingVO(LogsWebSession session) {
         LogsWebSessionVO sessionVO = null;
         if (session instanceof LogsWebSessionVO) {
-            sessionVO = (LogsWebSessionVO)session;
+            sessionVO = (LogsWebSessionVO) session;
         } else {
             sessionVO = logsWebSessionDao.findById(session.getId());
         }
+        LogsWebSessionTokenPayload tokenPayload = new LogsWebSessionTokenPayload(sessionVO.getUuid(),
+                sessionVO.getCreatorAddress());
+        return tokenPayload;
+    }
+
+    protected String getLogsWebSessionWebSocketPathForManagementServer(ManagementServerHostVO managementServerHostVO,
+                   LogsWebSessionTokenPayload payload) throws InternalErrorException {
         String path = serverPath;
-        if (!Objects.equals(msId, getManagementServerId())) {
-            serverPath = LogsWebServerPath.valueIn(msId);
+        if (!Objects.equals(managementServerHostVO.getId(), getManagementServerId())) {
+            path = LogsWebServerPath.valueIn(managementServerHostVO.getId());
+        }
+        try {
+            return String.format("%s/%s", path, LogsWebSessionTokenCryptoUtil.encrypt(payload,
+                    String.valueOf(managementServerHostVO.getRunid())));
+        } catch (GeneralSecurityException e) {
+            throw new InternalErrorException("Failed to encrypt token payload: " + payload, e);
         }
-        return String.format("%s/%s", path, sessionVO.getUuid());
     }
 
     @Override
@@ -165,6 +184,16 @@ public int getMaxReadExistingLines() {
         return LogsWebServerSessionTailExistingLines.valueIn(getManagementServerId());
     }
 
+    @Override
+    public LogsWebSessionTokenPayload parseToken(String token) {
+        try {
+            return LogsWebSessionTokenCryptoUtil.decrypt(token, String.valueOf(getManagementServerRunId()));
+        } catch (GeneralSecurityException e) {
+            logger.error("Failed to decrypt route token: {}", token, e);
+        }
+        return null;
+    }
+
     @Override
     public LogsWebSession getSession(String route) {
         if (StringUtils.isBlank(route)) {
@@ -198,14 +227,15 @@ public void updateSessionConnection(long sessionId, String clientAddress) {
     }
 
     @Override
-    public List<LogsWebSessionWebSocket> getLogsWebSessionWebSockets(final LogsWebSession logsWebSession) {
+    public List<LogsWebSessionWebSocket> getLogsWebSessionWebSockets(final LogsWebSession logsWebSession) throws InternalErrorException {
         List<LogsWebSessionWebSocket> webSockets = new ArrayList<>();
         final List<ManagementServerHostVO> activeMsList =
                 managementServerHostDao.listBy(ManagementServerHost.State.Up);
+        LogsWebSessionTokenPayload payload = getLogsWebSessionWebSocketTokenPayloadUsingVO(logsWebSession);
         for (ManagementServerHostVO managementServerHostVO : activeMsList) {
             LogsWebSessionWebSocket logsWebSessionWebSocket = new LogsWebSessionWebSocket(managementServerHostVO,
                     webSocketServerManager.getServerPort(),
-                    getLogsWebSessionWebSocketPathUsingVO(managementServerHostVO.getId(), logsWebSession));
+                    getLogsWebSessionWebSocketPathForManagementServer(managementServerHostVO, payload));
             webSockets.add(logsWebSessionWebSocket);
         }
         return webSockets;

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/server/LogsWebSocketRoutingHandler.java

@@ -20,6 +20,8 @@
 import java.nio.charset.StandardCharsets;
 
 import org.apache.cloudstack.logsws.LogsWebSession;
+import org.apache.cloudstack.logsws.LogsWebSessionTokenPayload;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -58,8 +60,33 @@ protected void closeChannelWithErrorResponse(ChannelHandlerContext ctx, FullHttp
         ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
     }
 
+    protected LogsWebSession getValidSession(String route, ChannelHandlerContext ctx) {
+        LogsWebSessionTokenPayload tokenPayload = serverHelper.parseToken(route);
+        if (tokenPayload == null) {
+            LOGGER.error("Decrypted token payload is null for route: {}", route);
+            return null;
+        }
+        String sessionUuid = tokenPayload.getSessionUuid();
+        if (StringUtils.isBlank(sessionUuid)) {
+            LOGGER.error("Session UUID is blank in token payload for route: {}", route);
+            return null;
+        }
+        String creatorAddress = tokenPayload.getCreatorAddress();
+        if (StringUtils.isBlank(creatorAddress)) {
+            LOGGER.error("Creator address is blank in token payload for route: {}", route);
+            return null;
+        }
+        String requestAddress = ctx.channel().remoteAddress().toString();
+        if (!requestAddress.contains(creatorAddress)) {
+            LOGGER.error("Request address: {} does not match creator address: {} for session: {}",
+                    requestAddress, creatorAddress, sessionUuid);
+            return null;
+        }
+        return serverHelper.getSession(sessionUuid);
+    }
+
     @Override
-    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
+    public void channelRead(ChannelHandlerContext ctx, Object msg) {
         if (!(msg instanceof FullHttpRequest)) {
             ctx.fireChannelRead(msg);
             return;
@@ -80,7 +107,7 @@ public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception
             closeChannelWithErrorResponse(ctx, req, String.format("Empty route in request URI: %s", uri));
             return;
         }
-        LogsWebSession session = serverHelper.getSession(route);
+        LogsWebSession session = getValidSession(route, ctx);
         if (session == null) {
             closeChannelWithErrorResponse(ctx, req,
                     String.format("Unauthorized connection attempt for route: %s", route));
@@ -105,7 +132,7 @@ public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception
 
         // Rewrite the URI so that the handshake matches the expected sever path
         if (req instanceof DefaultFullHttpRequest) {
-            ((DefaultFullHttpRequest) req).setUri(serverPath);
+            req.setUri(serverPath);
         } else {
             DefaultFullHttpRequest newReq = new DefaultFullHttpRequest(
                     req.protocolVersion(), req.method(), serverPath, req.content().retain());

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/server/LogsWebSocketServerHelper.java

@@ -18,11 +18,13 @@
 package org.apache.cloudstack.logsws.server;
 
 import org.apache.cloudstack.logsws.LogsWebSession;
+import org.apache.cloudstack.logsws.LogsWebSessionTokenPayload;
 
 public interface LogsWebSocketServerHelper {
     String getServerPath();
     String getLogFile();
     int getMaxReadExistingLines();
+    LogsWebSessionTokenPayload parseToken(String token);
     LogsWebSession getSession(String route);
     void updateSessionConnection(long sessionId, String clientAddress);
 }