From fapee...@apache.org
Subject svn commit: r1204701 - in /incubator/vcl/trunk/managementnode/lib/VCL: DataStructure.pm Module/OS/Linux.pm Module/OS/Windows.pm inuse.pm reserved.pm
Date Mon, 21 Nov 2011 20:59:46 GMT
Author: fapeeler
Date: Mon Nov 21 20:59:46 2011
New Revision: 1204701

URL: http://svn.apache.org/viewvc?rev=1204701&view=rev
Log:
VCL-30

Updated firewall code to check for the user being logged in.
Confirm the correct IP address.
Update the database if needed.



Modified:
    incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
    incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm
    incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm

Modified: incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm Mon Nov 21 20:59:46 2011
@@ -1058,6 +1058,52 @@ sub get_reservation_data {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 set_reservation_remote_ip
+
+ Parameters  : None
+ Returns     : string
+ Description : 
+
+=cut
+
+sub set_reservation_remote_ip {
+   my $self = shift;
+   my $reservation_id  = $self->get_reservation_id();
+	
+	my $new_remote_ip = shift;
+	
+	# Check to make sure reservation ID was passed
+   if (!$new_remote_ip) {
+        notify($ERRORS{'WARNING'}, 0, "new_remote_ip was not specified, returning self");
+        return 0;;
+   }
+
+	
+	my $update_statement = "
+		  UPDATE
+		  reservation
+		  SET
+		  remoteIP = \'$new_remote_ip\'
+		  WHERE
+		  id = \'$reservation_id\'
+			  ";
+
+        # Call the database execute subroutine
+        if (database_execute($update_statement)) {
+                # Update successful
+                notify($ERRORS{'OK'}, 0, "new remoteIP $new_remote_ip for reservation id
$reservation_id updated");
+                return 1;
+        }
+        else {
+                notify($ERRORS{'CRITICAL'}, 0, "unable to update new remote ip for reservation
id $reservation_id");
+                return 0;
+        }
+
+
+} ## end sub set_reservation_remote_ip
+
+#/////////////////////////////////////////////////////////////////////////////
+
 =head2 get_reservation_remote_ip
 
  Parameters  : None
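Review bot: `set_reservation_remote_ip` interpolates `$new_remote_ip` straight into the UPDATE statement with no validation; the only caller added in this commit passes a value captured from netstat output, but the setter itself should not depend on that. Validate the argument before building the statement, e.g. `if ($new_remote_ip !~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/) { notify($ERRORS{'WARNING'}, 0, "invalid remote IP '$new_remote_ip' for reservation $reservation_id"); return 0; }`, or use placeholders if `database_execute` supports them. The setter only writes the database row and does not update the DataStructure's own copy of the reservation data, so whether a later `get_reservation_remote_ip()` returns the new value depends on where that getter reads from — worth confirming, since reserved.pm relies on it in this commit. Smaller points: the comment says "reservation ID was passed" but the check is on `$new_remote_ip`, the warning says "returning self" while the sub returns 0, `return 0;;` has a stray semicolon, and the POD says Returns "string" although the sub returns 0 or 1 and leaves Description empty.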

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Mon Nov 21 20:59:46 2011
@@ -3191,6 +3191,7 @@ sub check_connection_on_port {
 	my $remote_ip 			= $self->data->get_reservation_remote_ip();
 	my $computer_ip_address   	= $self->data->get_computer_ip_address();
 	my $request_state_name   	= $self->data->get_request_state_name();
+	my $username = $self->data->get_user_login_id();
 
 	my $port = shift;
 	if (!$port) {
@@ -3220,9 +3221,21 @@ sub check_connection_on_port {
                          return $ret_val;
                      }
                      else {
-                    	  #this isn't the remoteIP
-                          $ret_val = "conn_wrong_ip";
-                     	  return $ret_val;
+							  my $new_remote_ip = $4;
+                    	  #this isn't the defined remoteIP
+								# Confirm the user is logged in
+								# Is user logged in
+                        if (!$self->user_logged_in()) {
+                           notify($ERRORS{'OK'}, 0, "Detected $new_remote_ip is connected.
$username is not logged in yet. Returning no connection");
+                           $ret_val = "no";
+                           return $ret_val;
+                        }
+                        else {	
+										  $self->data->set_reservation_remote_ip($new_remote_ip);	
+										  notify($ERRORS{'OK'}, 0, "Updating reservation remote_ip with $new_remote_ip");
+										  $ret_val = "conn_wrong_ip";
+										  return $ret_val;
+								}
                      }
                  }    # tcp check
 	}
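Review bot: `my $new_remote_ip = $4;` takes the fourth capture of the netstat match, but in the Windows version of this same check the regex is `/\s+($computer_ip_address:$port)\s+([.0-9]*):([0-9]*)\s+(ESTABLISHED)/`, where the peer address is `$2` and `$4` is the literal `ESTABLISHED`; if the Linux regex (just above this hunk, not visible here) has the same shape, the string "ESTABLISHED" is what gets written to `reservation.remoteIP` and later handed to the firewall code. Confirm against that match and use `my $new_remote_ip = $2;`. The return value of `set_reservation_remote_ip` is ignored, so a failed database update still yields `conn_wrong_ip` while the log line claims the update happened; check it, e.g. `notify($ERRORS{'WARNING'}, 0, "failed to update remote IP to $new_remote_ip") if !$self->data->set_reservation_remote_ip($new_remote_ip);`. `check_connection_on_port` begins and ends outside this hunk.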
@@ -4225,6 +4238,57 @@ sub clean_iptables {
 
 }
 
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 user_logged_in
+
+ Parameters  : 
+ Returns     : 
+ Description : 
+
+=cut
+
+sub user_logged_in {
+   my $self = shift;
+   if (ref($self) !~ /linux/i) {
+      notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+      return;
+   }
+
+   my $management_node_keys = $self->data->get_management_node_keys();
+   my $computer_node_name   = $self->data->get_computer_node_name();
+
+   # Attempt to get the username from the arguments
+   # If no argument was supplied, use the user specified in the DataStructure
+   my $username = shift;
+
+   # Remove spaces from beginning and end of username argument
+   # Fixes problem if string containing only spaces is passed
+   $username =~ s/(^\s+|\s+$)//g if $username;
+
+   # Check if username argument was passed
+   if (!$username) {
+      $username = $self->data->get_user_login_id();
+   }
+   notify($ERRORS{'DEBUG'}, 0, "checking if $username is logged in to $computer_node_name");
+
+	my $cmd = "users";
+	my ($logged_in_status, $logged_in_output) = $self->execute($cmd);
+   if (!defined($logged_in_output)) {
+      notify($ERRORS{'WARNING'}, 0, "failed to run who command ");
+      return;
+   }
+   elsif (grep(/$username/i, @$logged_in_output)) {
+		notify($ERRORS{'DEBUG'}, 0, "username $username is logged into $computer_node_name\n" .
join("\n", @$logged_in_output));
+		return 1;
+	
+	}
+	
+	
+	return 0;	
+
+}
+
 
 ##/////////////////////////////////////////////////////////////////////////////
 1;
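Review bot: `grep(/$username/i, @$logged_in_output)` in `user_logged_in` is an unanchored, unescaped substring match, so a login id that is a prefix of another account on the machine (or that contains regex metacharacters) is reported as logged in; because this result is what authorizes recording a new remote IP for the reservation, compare whole tokens instead: `my @logged_in = map { split ' ' } @$logged_in_output;` then `return 1 if grep { lc($_) eq lc($username) } @logged_in;` (keeping the existing DEBUG notify before the return). The command executed is `users`, but the failure message says "failed to run who command" — make the message match. The POD stub leaves Parameters, Returns and Description empty; document that the sub takes an optional username (defaulting to `get_user_login_id()`), returns 1 if it appears in the `users` output, 0 if not, and undef when the command produced no output.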

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm Mon Nov 21 20:59:46 2011
@@ -947,18 +947,18 @@ sub grant_access {
 	# Set the $remote_ip_range variable to the string 'all' if it isn't already set (for display
purposes)
 	$remote_ip_range = 'all' if !$remote_ip_range;
 	
-	if($self->process_connect_methods("0.0.0.0", 1) ){
+	if($self->process_connect_methods("", 1) ){
 		notify($ERRORS{'OK'}, 0, "processed connection methods on $computer_node_name");
 	}
 
 	# Allow RDP connections
-	if ($self->firewall_enable_rdp($remote_ip_range)) {
-		notify($ERRORS{'OK'}, 0, "firewall was configured to allow RDP access from $remote_ip_range
on $computer_node_name");
-	}
-	else {
-		notify($ERRORS{'WARNING'}, 0, "firewall could not be configured to grant RDP access from
$remote_ip_range on $computer_node_name");
-		return 0;
-	}
+	#if ($self->firewall_enable_rdp($remote_ip_range)) {
+	#	notify($ERRORS{'OK'}, 0, "firewall was configured to allow RDP access from $remote_ip_range
on $computer_node_name");
+	#}
+	#else {
+	#	notify($ERRORS{'WARNING'}, 0, "firewall could not be configured to grant RDP access from
$remote_ip_range on $computer_node_name");
+	#	return 0;
+	#}
 
 	# If this is an imaging request, make sure the Administrator account is enabled
 	if ($request_forimaging) {
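Review bot: The RDP firewall enablement in `grant_access` is left as commented-out code rather than deleted, and the new `process_connect_methods("", 1)` call passes an empty remote IP with no comment on what an empty scope means; from this hunk alone it is not visible whether RDP is still restricted to any source at reserve time or whether this now relies entirely on `firewall_compare_update` in inuse.pm to narrow the scope later. If the intent is "open nothing address-specific until the user's address is confirmed", state it where the call is made: `# Remote IP is not known at reserve time; firewall_compare_update narrows the scope once the user connects`, and remove the dead block instead of commenting it out. `$remote_ip_range` appears to be used only for the log text within this hunk; its remaining uses are outside the hunk. `grant_access` begins and ends outside this hunk.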
@@ -10611,39 +10611,50 @@ sub check_connection_on_port {
         my $computer_node_name   	= $self->data->get_computer_node_name();
         my $remote_ip 			= $self->data->get_reservation_remote_ip();
         my $computer_ip_address   	= $self->data->get_computer_ip_address();
-	my $request_state_name          = $self->data->get_request_state_name();
+		  my $request_state_name          = $self->data->get_request_state_name();
 
-        my $port = shift;
-        if (!$port) {
-                notify($ERRORS{'WARNING'}, 0, "port variable was not passed as an argument");
-                return "failed";
-        }
-	
-	my $ret_val = "no";
-        my $command = "netstat -an";
-        my ($status, $output) = run_ssh_command($computer_node_name, $management_node_keys,
$command, '', '', 1);
-        notify($ERRORS{'DEBUG'}, 0, "checking connections on node $computer_node_name on
port $port");
-        foreach my $line (@{$output}) {
-                if ($line =~ /Connection refused|Permission denied/) {
-                    chomp($line);
-                    notify($ERRORS{'WARNING'}, 0, "$line");
-                    if ($request_state_name =~ /reserved/) {
-                        $ret_val = "failed";
-                    }
-                    else {
-                         $ret_val = "timeout";
-                    }
-                    return $ret_val;
-                 } ## end if ($line =~ /Connection refused|Permission denied/)
-		if ($line =~ /\s+($computer_ip_address:$port)\s+([.0-9]*):([0-9]*)\s+(ESTABLISHED)/) {
+		  my $port = shift;
+		  if (!$port) {
+					 notify($ERRORS{'WARNING'}, 0, "port variable was not passed as an argument");
+					 return "failed";
+		  }
+
+		  my $ret_val = "no";
+		  my $command = "netstat -an";
+		  my ($status, $output) = run_ssh_command($computer_node_name, $management_node_keys, $command,
'', '', 1);
+		  notify($ERRORS{'DEBUG'}, 0, "checking connections on node $computer_node_name on port
$port");
+		  foreach my $line (@{$output}) {
+					 if ($line =~ /Connection refused|Permission denied/) {
+						  chomp($line);
+						  notify($ERRORS{'WARNING'}, 0, "$line");
+						  if ($request_state_name =~ /reserved/) {
+								$ret_val = "failed";
+						  }
+						  else {
+								 $ret_val = "timeout";
+						  }
+						  return $ret_val;
+					  } ## end if ($line =~ /Connection refused|Permission denied/)
+					 if ($line =~ /\s+($computer_ip_address:$port)\s+([.0-9]*):([0-9]*)\s+(ESTABLISHED)/)
{
                      if ($2 eq $remote_ip) {
                          $ret_val = "connected";
                          return $ret_val;
                      }
                      else {
                           #this isn't the remoteIP
-                          $ret_val = "conn_wrong_ip";
-                          return $ret_val;
+								# Is user logged in
+								if (!$self->user_logged_in()) {
+									notify($ERRORS{'OK'}, 0, "Detected $4 is connected. user is not logged in yet. Returning
no connection");
+									$ret_val = "no";
+									return $ret_val;
+								}
+								else {
+										my $new_remote_ip = $2;
+										  $self->data->set_reservation_remote_ip($new_remote_ip);  
+										  notify($ERRORS{'OK'}, 0, "Updating reservation remote_ip with $new_remote_ip");
+										  $ret_val = "conn_wrong_ip";
+										  return $ret_val;
+								}
                      }
                  }    # tcp check
         }
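Review bot: The notify in the not-logged-in branch reports `$4`, which by the regex in this hunk is the literal `ESTABLISHED`, not the peer address; `$2` is the peer, and it is read only after the `$self->user_logged_in()` call, which runs its own regexes. Perl restores capture variables when a called sub returns, so `$2` is still valid at that point, but it is fragile; copy it once at the top of the else branch with `my $new_remote_ip = $2;` and use that lexical in both the notify and the `set_reservation_remote_ip` call, whose return value should also be checked. The hunk also re-indents the whole body with tabs while the surrounding context uses spaces, which buries the real change in the diff. `check_connection_on_port` begins outside this hunk.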
@@ -10652,6 +10663,93 @@ sub check_connection_on_port {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 firewall_compare_update
+
+ Parameters  : $node,$reote_IP, $identity, $type
+ Returns     : 0 or 1 (nochange or updated)
+ Description : compares and updates the firewall for rdp port, specfically for windows
+                                        Currently only handles windows and allows two seperate
scopes
+
+=cut
+
+sub firewall_compare_update {
+   my $self = shift;
+   if (ref($self) !~ /windows/i) {
+      notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+      return;
+   }
+  
+   my $computer_node_name = $self->data->get_computer_node_name();
+   my $imagerevision_id   = $self->data->get_imagerevision_id();
+   my $remote_ip          = $self->data->get_reservation_remote_ip();
+  
+   #collect connection_methods
+   #collect firewall_config
+   #For each port defined in connection_methods
+   #compare rule source address with remote_IP address
+	notify($ERRORS{'OK'}, 0, "pulling connect methods");
+  
+   # Retrieve the connect method info hash
+   my $connect_method_info = get_connect_method_info($imagerevision_id);
+   if (!$connect_method_info) {
+      notify($ERRORS{'WARNING'}, 0, "no connect methods are configured for image revision
$imagerevision_id");
+      return;
+   }
+
+   # Retrieve the firewall configuration
+   my $firewall_configuration = $self->get_firewall_configuration() || return;
+
+   for my $connect_method_id (sort keys %{$connect_method_info} ) {
+		
+      my $name            = $connect_method_info->{$connect_method_id}{name};
+      my $description     = $connect_method_info->{$connect_method_id}{description};
+      my $protocol        = $connect_method_info->{$connect_method_id}{protocol} || 'TCP';
+      my $port            = $connect_method_info->{$connect_method_id}{port};
+      my $scope;
+		
+		next if ( !$port );
+
+     # $protocol = lc($protocol);
+
+		my $existing_scope = $firewall_configuration->{$protocol}{$port}{scope} || '';
+		if(!$existing_scope ) {
+			notify($ERRORS{'WARNING'}, 0, "No existing scope defined for protocol= $protocol port=
$port ");
+			return 1;
+      }
+		else {
+            my $parsed_existing_scope = $self->parse_firewall_scope($existing_scope);
+            if (!$parsed_existing_scope) {
+                notify($ERRORS{'WARNING'}, 0, "failed to parse existing firewall scope: '$existing_scope'");
+                return;
+            }
+            $scope = $self->parse_firewall_scope("$remote_ip,$existing_scope");
+            if (!$scope) {
+                notify($ERRORS{'WARNING'}, 0, "failed to parse firewall scope argument appended
with existing scope: '$remote_ip,$existing_scope'");
+                return;
+            }
+
+            if ($scope eq $parsed_existing_scope) {
+                notify($ERRORS{'DEBUG'}, 0, "firewall is already open on $computer_node_name,
existing scope matches scope argument:\n" .
+               "name: '$name'\n" .
+               "protocol: $protocol\n" .
+               "port/type: $port\n" .
+               "scope: $scope\n");
+                return 1;
+            }
+				else {
+               if ($self->enable_firewall_port($protocol, $port, "$remote_ip/24", 0))
{
+                   notify($ERRORS{'OK'}, 0, "opened firewall port $port on $computer_node_name
for $remote_ip $name connect method");
+               }
+            }
+			}
+	
+	}
+	return 1;
+
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 1;
 __END__
 
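Review bot: Both `return 1;` statements inside the `for` loop in `firewall_compare_update` — the one for a port with no existing scope and the one for an already-matching scope — exit the subroutine at the first connect method, so any further ports are never compared or opened; they should be `next;` so the loop finishes. The rule is opened with `"$remote_ip/24"`, which admits 256 addresses rather than the user's single address, while the comparison builds its scope from the bare `$remote_ip`; if `parse_firewall_scope` does not merge ranges the two will never compare equal and the port is re-enabled on every poll, and if the /24 is deliberate it deserves a comment saying why. `$remote_ip` from `get_reservation_remote_ip()` is used without an empty check, which would pass `/24` alone to the firewall. The `enable_firewall_port` failure branch is silent, and the POD still lists `$node,$reote_IP, $identity, $type` from the old function signature although the method now takes only `$self`.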

Modified: incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm Mon Nov 21 20:59:46 2011
@@ -188,16 +188,14 @@ sub process {
 	if ($request_checktime eq "poll") {
 		notify($ERRORS{'OK'}, 0, "beginning to poll");
 
+				notify($ERRORS{'OK'}, 0, "confirming firewall scope needs to be updated");
 		if ($self->os->can('firewall_compare_update')) {
          if ($self->os->firewall_compare_update()) {
 				notify($ERRORS{'OK'}, 0, "confirmed firewall scope has been updated");
 			}
 		}	
-		
-		if ($image_os_type =~ /windows/) {
-			if (firewall_compare_update($computer_nodename, $reservation_remoteip, $identity_key,
$image_os_type)) {
-				notify($ERRORS{'OK'}, 0, "confirmed firewall scope has been updated");
-			}
+		else {
+			notify($ERRORS{'OK'}, 0, "OS does not support firewall_compare_update");
 		}
 		
 		# Check the imagemeta checkuser flag, request forimaging flag, and if cluster request
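Review bot: `firewall_compare_update` returns undef on failure (no connect methods, unparseable scope) and 1 for both "already matching" and "updated", but this code logs "confirmed firewall scope has been updated" on any true value and says nothing on undef, so a failed firewall update during polling goes unlogged. Add an else branch on the inner `if`: `else { notify($ERRORS{'WARNING'}, 0, "firewall_compare_update did not complete, firewall scope may not match the remote IP"); }`. The new "confirming firewall scope needs to be updated" line is indented with four tabs where the surrounding lines use two, and it is emitted at OK level on every poll cycle — DEBUG would be less noisy. `process` begins and ends outside this hunk.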

Modified: incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm Mon Nov 21 20:59:46 2011
@@ -371,6 +371,8 @@ sub process {
 
 	elsif ($retval_conn eq "conn_wrong_ip") {
 		# does the same as above, until we make a firm decision as to how to handle this
+		#update remote_ip
+		$remote_ip = $self->data->get_reservation_remote_ip();
 
 		if($self->os->process_connect_methods($remote_ip, 1)) {
          notify($ERRORS{'OK'}, 0, "process_connect_methods return successfully  $remote_ip
$nodename");
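Review bot: Re-reading `$remote_ip` here assumes `get_reservation_remote_ip()` reflects the value `set_reservation_remote_ip` just wrote, but that setter (added to DataStructure.pm in this commit) only issues an UPDATE against the database and does not touch the in-memory reservation data; if the getter reads the cached hash, `$remote_ip` is unchanged and the connect methods are opened for the old address. Confirm where the getter reads from, and guard the result before it reaches `process_connect_methods`: `if (!$remote_ip) { notify($ERRORS{'WARNING'}, 0, "reservation remote IP is not set after conn_wrong_ip"); }`. The comment "does the same as above, until we make a firm decision" now contradicts the added update step; replace it with `# remote IP was re-recorded by check_connection_on_port; reload it before opening the connect methods`. `process` begins and ends outside this hunk.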


