CLOUDSTACK-7958: Add configuration for limit to CIDRs for Admin API calls (#2046)

* Cleanup and Improve NetUtils

This class had many unused methods, inconsistent names and redundant code.

This commit cleans up code, renames a few methods and constants.

The global/account setting 'api.allowed.source.cidr.list' is set
to 0.0.0.0/0,::/0 by default to preserve the current behavior and thus
allow API calls for accounts from all IPv4 and IPv6 subnets.

Users can set it to a comma-separated list of IPv4/IPv6 subnets to
restrict API calls for Admin accounts to certain parts of their network(s).

This is to improve Security. Should an attacker steal the Access/Secret key
of an account he/she still needs to be in a subnet from where accounts are
allowed to perform API calls.

This is a good security measure for APIs which are connected to the public internet.

Signed-off-by: Wido den Hollander <wido@widodh.nl>
Wido den Hollander 2018-01-04 06:26:30 +01:00 committed by Rohit Yadav
parent 2adbaeb641
commit 9988c269b2
41 changed files with 371 additions and 344 deletions


@ -276,12 +276,12 @@ public class ConsoleProxyResource extends ServerResourceBase implements ServerRe
s_logger.debug("addRouteToInternalIp: destIp is null");
return;
}
if (!NetUtils.isValidIp(destIpOrCidr) && !NetUtils.isValidCIDR(destIpOrCidr)) {
if (!NetUtils.isValidIp4(destIpOrCidr) && !NetUtils.isValidIp4Cidr(destIpOrCidr)) {
s_logger.warn(" destIp is not a valid ip address or cidr destIp=" + destIpOrCidr);
return;
}
boolean inSameSubnet = false;
if (NetUtils.isValidIp(destIpOrCidr)) {
if (NetUtils.isValidIp4(destIpOrCidr)) {
if (eth1ip != null && eth1mask != null) {
inSameSubnet = NetUtils.sameSubnet(eth1ip, destIpOrCidr, eth1mask);
} else {


@ -24,7 +24,7 @@ import javax.servlet.http.HttpSession;
import com.cloud.exception.CloudAuthenticationException;
public interface ApiServerService {
public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userId) throws ServerApiException;
public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userId, InetAddress remoteAddress) throws ServerApiException;
public Long fetchDomainId(String domainUUID);
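Review bot: The new `remoteAddress` parameter of `verifyRequest` has no documented contract, yet the ApiServer implementation in this commit calls `remoteAddress.getHostAddress()` on it without a null check. A Javadoc line on the interface method, for example `@param remoteAddress address the request was received from; must not be null, used for the api.allowed.source.cidr.list check`, would tell callers and implementers what to pass. Replacing the two-argument method instead of overloading it also breaks any implementer outside this tree, which may be intended but is worth stating in the description.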


@ -246,10 +246,10 @@ public class CreateEgressFirewallRuleCmd extends BaseAsyncCreateCmd implements F
String guestCidr = _networkService.getNetwork(getNetworkId()).getCidr();
for (String cidr : getSourceCidrList()) {
if (!NetUtils.isValidCIDR(cidr)) {
if (!NetUtils.isValidIp4Cidr(cidr) && !NetUtils.isValidIp6Cidr(cidr)) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source cidrs formatting error " + cidr);
}
if (cidr.equals(NetUtils.ALL_CIDRS)) {
if (cidr.equals(NetUtils.ALL_IP4_CIDRS)) {
continue;
}
if (!NetUtils.isNetworkAWithinNetworkB(cidr, guestCidr)) {
@ -261,7 +261,7 @@ public class CreateEgressFirewallRuleCmd extends BaseAsyncCreateCmd implements F
//Destination CIDR formatting check. Since it's optional param, no need to set a default as in the case of source.
if(destCidrList != null){
for(String cidr : destCidrList){
if(!NetUtils.isValidCIDR(cidr)) {
if(!NetUtils.isValidIp4Cidr(cidr) && !NetUtils.isValidIp6Cidr(cidr)) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Destination cidrs formatting error" + cidr);
}
}
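Review bot: The source-CIDR loop now lets an IPv6 CIDR through validation, but the next two checks in the same loop still look IPv4-only: the skip compares against `NetUtils.ALL_IP4_CIDRS`, and every other entry goes to `NetUtils.isNetworkAWithinNetworkB(cidr, guestCidr)`. Whether that helper handles an IPv6 network is not visible on this page; if it does not, a value such as `::/0` would fail there instead of being rejected with the formatting error. Either keep the source check at `isValidIp4Cidr(cidr)` until the containment check supports IPv6, or branch on the address family before calling it. The same widening is applied in `CreateFirewallRuleCmd.create()`, whose default list still contains only `ALL_IP4_CIDRS`. The enclosing methods continue outside the hunks.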


@ -108,7 +108,7 @@ public class CreateFirewallRuleCmd extends BaseAsyncCreateCmd implements Firewal
return cidrlist;
} else {
List<String> oneCidrList = new ArrayList<String>();
oneCidrList.add(NetUtils.ALL_CIDRS);
oneCidrList.add(NetUtils.ALL_IP4_CIDRS);
return oneCidrList;
}
@ -242,7 +242,7 @@ public class CreateFirewallRuleCmd extends BaseAsyncCreateCmd implements Firewal
public void create() {
if (getSourceCidrList() != null) {
for (String cidr : getSourceCidrList()) {
if (!NetUtils.isValidCIDR(cidr)) {
if (!NetUtils.isValidIp4Cidr(cidr) && !NetUtils.isValidIp6Cidr(cidr)) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source CIDRs formatting error " + cidr);
}
}


@ -348,7 +348,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
Ip privateIp = getVmSecondaryIp();
if (privateIp != null) {
if (!NetUtils.isValidIp(privateIp.toString())) {
if (!NetUtils.isValidIp4(privateIp.toString())) {
throw new InvalidParameterValueException("Invalid vm ip address");
}
}


@ -140,7 +140,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
}
//check wether the given ip is valid ip or not
if (vmIp == null || !NetUtils.isValidIp(vmIp)) {
if (vmIp == null || !NetUtils.isValidIp4(vmIp)) {
throw new InvalidParameterValueException("Invalid ip address "+ vmIp +" passed in vmidipmap for " +
"vmid " + vmId);
}


@ -134,7 +134,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd {
return cidrlist;
} else {
List<String> oneCidrList = new ArrayList<String>();
oneCidrList.add(NetUtils.ALL_CIDRS);
oneCidrList.add(NetUtils.ALL_IP4_CIDRS);
return oneCidrList;
}
}


@ -173,7 +173,7 @@ public class AddIpToVmNicCmd extends BaseAsyncCreateCmd {
NicSecondaryIp result;
String secondaryIp = null;
if ((ip = getIpaddress()) != null) {
if (!NetUtils.isValidIp(ip)) {
if (!NetUtils.isValidIp4(ip)) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Invalid ip address " + ip);
}
}


@ -150,7 +150,7 @@ public class UpdateVmNicIpCmd extends BaseAsyncCmd {
CallContext.current().setEventDetails("Nic Id: " + getNicId() );
String ip;
if ((ip = getIpaddress()) != null) {
if (!NetUtils.isValidIp(ip)) {
if (!NetUtils.isValidIp4(ip)) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Invalid ip address " + ip);
}
}


@ -25,7 +25,10 @@ public class ApiServiceConfiguration implements Configurable {
"API end point. Can be used by CS components/services deployed remotely, for sending CS API requests", true);
public static final ConfigKey<Long> DefaultUIPageSize = new ConfigKey<Long>("Advanced", Long.class, "default.ui.page.size", "20",
"The default pagesize to be used by UI and other clients when making list* API calls", true, ConfigKey.Scope.Global);
public static final ConfigKey<Boolean> ApiSourceCidrChecksEnabled = new ConfigKey<>("Advanced", Boolean.class, "api.source.cidr.checks.enabled",
"true", "Are the source checks on API calls enabled (true) or not (false)? See api.allowed.source.cidr.list", true, ConfigKey.Scope.Global);
public static final ConfigKey<String> ApiAllowedSourceCidrList = new ConfigKey<String>("Advanced", String.class, "api.allowed.source.cidr.list",
"0.0.0.0/0,::/0", "Comma separated list of IPv4/IPv6 CIDRs from which API calls can be performed. Can be set on Global and Account levels.", true, ConfigKey.Scope.Account);
@Override
public String getConfigComponentName() {
return ApiServiceConfiguration.class.getSimpleName();
@ -33,7 +36,7 @@ public class ApiServiceConfiguration implements Configurable {
@Override
public ConfigKey<?>[] getConfigKeys() {
return new ConfigKey<?>[] {ManagementHostIPAdr, ApiServletPath, DefaultUIPageSize};
return new ConfigKey<?>[] {ManagementHostIPAdr, ApiServletPath, DefaultUIPageSize, ApiSourceCidrChecksEnabled, ApiAllowedSourceCidrList};
}
}
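Review bot: The description of `api.allowed.source.cidr.list` does not say which accounts it applies to or that the default allows every source. The commit message speaks of Admin accounts, while the check added to ApiServer in this commit shows no role test in the visible lines. Suggested text: `"Comma separated list of IPv4/IPv6 CIDRs from which API calls are accepted for an account; 0.0.0.0/0,::/0 allows all sources. Can be set on Global and Account levels."`. The two new keys also differ in style (`new ConfigKey<>` versus `new ConfigKey<String>`); using one form keeps the declarations uniform.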


@ -94,7 +94,7 @@ public class HAProxyConfigurator implements LoadBalancerConfigurator {
private List<String> getRulesForPool(final String poolName, final List<PortForwardingRuleTO> fwRules) {
final PortForwardingRuleTO firstRule = fwRules.get(0);
final String publicIP = firstRule.getSrcIp();
final String publicPort = Integer.toString(firstRule.getSrcPortRange()[0]);
final int publicPort = firstRule.getSrcPortRange()[0];
// FIXEME: String algorithm = firstRule.getAlgorithm();
final List<String> result = new ArrayList<String>();
@ -108,9 +108,7 @@ public class HAProxyConfigurator implements LoadBalancerConfigurator {
sb = new StringBuilder();
// FIXME sb.append("\t").append("balance ").append(algorithm);
result.add(sb.toString());
if (publicPort.equals(NetUtils.HTTP_PORT)
// && global option httpclose set (or maybe not in this spot???)
) {
if (publicPort == NetUtils.HTTP_PORT) {
sb = new StringBuilder();
sb.append("\t").append("mode http");
result.add(sb.toString());
@ -473,7 +471,7 @@ public class HAProxyConfigurator implements LoadBalancerConfigurator {
StringBuilder sb = new StringBuilder();
final String poolName = sb.append(lbTO.getSrcIp().replace(".", "_")).append('-').append(lbTO.getSrcPort()).toString();
final String publicIP = lbTO.getSrcIp();
final String publicPort = Integer.toString(lbTO.getSrcPort());
final int publicPort = lbTO.getSrcPort();
final String algorithm = lbTO.getAlgorithm();
final List<String> result = new ArrayList<String>();
@ -544,7 +542,7 @@ public class HAProxyConfigurator implements LoadBalancerConfigurator {
if (stickinessSubRule != null && !destsAvailable) {
s_logger.warn("Haproxy stickiness policy for lb rule: " + lbTO.getSrcIp() + ":" + lbTO.getSrcPort() + ": Not Applied, cause: backends are unavailable");
}
if (publicPort.equals(NetUtils.HTTP_PORT) && !keepAliveEnabled || httpbasedStickiness) {
if (publicPort == NetUtils.HTTP_PORT && !keepAliveEnabled || httpbasedStickiness) {
sb = new StringBuilder();
sb.append("\t").append("mode http");
result.add(sb.toString());
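Review bot: The changed condition `publicPort == NetUtils.HTTP_PORT && !keepAliveEnabled || httpbasedStickiness` relies on operator precedence; writing it as `(publicPort == NetUtils.HTTP_PORT && !keepAliveEnabled) || httpbasedStickiness` makes the grouping explicit now that the line is being touched. In getRulesForPool, `firstRule.getSrcPortRange()[0]` is still read without checking that the range array is non-empty, which the visible lines do not guarantee. Both methods extend beyond the hunks shown.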


@ -161,7 +161,7 @@ public class SnmpTrapAppender extends AppenderSkeleton {
if (ipAddress.trim().equalsIgnoreCase("localhost")) {
continue;
}
if (!NetUtils.isValidIp(ipAddress)) {
if (!NetUtils.isValidIp4(ipAddress)) {
return false;
}
}


@ -168,7 +168,7 @@ public class AlertsSyslogAppender extends AppenderSkeleton {
if (ip.equalsIgnoreCase("localhost")) {
continue;
}
if (!NetUtils.isValidIp(ip)) {
if (!NetUtils.isValidIp4(ip)) {
return false;
}
} else


@ -49,7 +49,7 @@ public final class LibvirtGetVmIpAddressCommandWrapper extends CommandWrapper<Ge
String ipAddr = Script.runSimpleBashScript(new StringBuilder().append("virt-cat ").append(command.getVmName())
.append(" /var/lib/dhclient/" + leaseFile + " | tail -16 | grep 'fixed-address' | awk '{print $2}' | sed -e 's/;//'").toString());
// Check if the IP belongs to the network
if((ipAddr != null) && NetUtils.isIpWithtInCidrRange(ipAddr, networkCidr)){
if((ipAddr != null) && NetUtils.isIpWithInCidrRange(ipAddr, networkCidr)){
ip = ipAddr;
break;
}
@ -65,7 +65,7 @@ public final class LibvirtGetVmIpAddressCommandWrapper extends CommandWrapper<Ge
String[] ips = ipList.split("\n");
for (String ipAddr : ips){
// Check if the IP belongs to the network
if((ipAddr != null) && NetUtils.isIpWithtInCidrRange(ipAddr, networkCidr)){
if((ipAddr != null) && NetUtils.isIpWithInCidrRange(ipAddr, networkCidr)){
ip = ipAddr;
break;
}


@ -130,7 +130,7 @@ public class Ovm3Configuration {
LOGGER.debug("Clustering requires a pool, setting pool to true");
agentInOvm3Pool = true;
}
if (!NetUtils.isValidIp(ovm3PoolVip)) {
if (!NetUtils.isValidIp4(ovm3PoolVip)) {
LOGGER.debug("No VIP, Setting ovm3pool and ovm3cluster to false");
agentInOvm3Pool = false;
agentInOvm3Cluster = false;


@ -56,7 +56,7 @@ public final class CitrixGetVmIpAddressCommandWrapper extends CommandWrapper<Get
Map<String, String> vmIpsMap = rec.networks;
for (String ipAddr: vmIpsMap.values()) {
if (NetUtils.isIpWithtInCidrRange(ipAddr, networkCidr)) {
if (NetUtils.isIpWithInCidrRange(ipAddr, networkCidr)) {
vmIp = ipAddr;
break;
}


@ -2574,7 +2574,7 @@ public class NetscalerResource implements ServerResource {
}
private String getNetScalerProtocol(final LoadBalancerTO loadBalancer) throws ExecutionException {
final String port = Integer.toString(loadBalancer.getSrcPort());
final int port = loadBalancer.getSrcPort();
String lbProtocol = loadBalancer.getLbProtocol();
final StickinessPolicyTO[] stickyPolicies = loadBalancer.getStickinessPolicies();
String nsProtocol = "TCP";
@ -2596,7 +2596,7 @@ public class NetscalerResource implements ServerResource {
return lbProtocol.toUpperCase();
}
if (port.equals(NetUtils.HTTP_PORT)) {
if (port == NetUtils.HTTP_PORT) {
nsProtocol = "HTTP";
} else if (NetUtils.TCP_PROTO.equalsIgnoreCase(lbProtocol)) {
nsProtocol = "TCP";


@ -46,6 +46,7 @@ import com.cloud.utils.NumbersUtil;
import com.cloud.utils.Pair;
import com.cloud.utils.ReflectUtil;
import com.cloud.utils.StringUtils;
import com.cloud.utils.net.NetUtils;
import com.cloud.utils.component.ComponentContext;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.component.PluggableService;
@ -97,6 +98,7 @@ import org.apache.cloudstack.api.response.CreateCmdResponse;
import org.apache.cloudstack.api.response.ExceptionResponse;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.LoginCmdResponse;
import org.apache.cloudstack.config.ApiServiceConfiguration;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.framework.config.ConfigKey;
import org.apache.cloudstack.framework.config.Configurable;
@ -795,7 +797,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
@Override
public boolean verifyRequest(final Map<String, Object[]> requestParameters, final Long userId) throws ServerApiException {
public boolean verifyRequest(final Map<String, Object[]> requestParameters, final Long userId, InetAddress remoteAddress) throws ServerApiException {
try {
String apiKey = null;
String secretKey = null;
@ -814,21 +816,18 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
if (userId != null) {
final User user = ApiDBUtils.findUserById(userId);
try {
checkCommandAvailable(user, commandName);
} catch (final RequestLimitException ex) {
s_logger.debug(ex.getMessage());
throw new ServerApiException(ApiErrorCode.API_LIMIT_EXCEED, ex.getMessage());
} catch (final PermissionDeniedException ex) {
s_logger.debug("The user with id:" + userId + " is not allowed to request the API command or the API command does not exist: " + commandName);
throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, "The user is not allowed to request the API command or the API command does not exist");
if (!commandAvailable(remoteAddress, commandName, user)) {
return false;
}
return true;
} else {
// check against every available command to see if the command exists or not
if (!s_apiNameCmdClassMap.containsKey(commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
s_logger.debug("The user with id:" + userId + " is not allowed to request the API command or the API command does not exist: " + commandName);
throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, "The user is not allowed to request the API command or the API command does not exist");
final String errorMessage = "The given command " + commandName + " either does not exist, is not available" +
" for user, or not available from ip address '" + remoteAddress.getHostAddress() + "'.";
s_logger.debug(errorMessage);
return false;
}
}
@ -916,15 +915,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
return false;
}
try {
checkCommandAvailable(user, commandName);
} catch (final RequestLimitException ex) {
s_logger.debug(ex.getMessage());
throw new ServerApiException(ApiErrorCode.API_LIMIT_EXCEED, ex.getMessage());
} catch (final PermissionDeniedException ex) {
s_logger.debug("The given command:" + commandName + " does not exist or it is not available for user");
throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, "The given command:" + commandName + " does not exist or it is not available for user with id:"
+ userId);
if (!commandAvailable(remoteAddress, commandName, user)) {
return false;
}
// verify secret key exists
@ -959,6 +951,21 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
return false;
}
private boolean commandAvailable(final InetAddress remoteAddress, final String commandName, final User user) {
try {
checkCommandAvailable(user, commandName, remoteAddress);
} catch (final RequestLimitException ex) {
s_logger.debug(ex.getMessage());
throw new ServerApiException(ApiErrorCode.API_LIMIT_EXCEED, ex.getMessage());
} catch (final PermissionDeniedException ex) {
final String errorMessage = "The given command '" + commandName + "' either does not exist, is not available" +
" for user, or not available from ip address '" + remoteAddress + "'.";
s_logger.debug(errorMessage);
return false;
}
return true;
}
@Override
public Long fetchDomainId(final String domainUUID) {
final Domain domain = domainMgr.getDomain(domainUUID);
@ -1113,11 +1120,24 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
return true;
}
private void checkCommandAvailable(final User user, final String commandName) throws PermissionDeniedException {
private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress) throws PermissionDeniedException {
if (user == null) {
throw new PermissionDeniedException("User is null for role based API access check for command" + commandName);
}
final Account account = accountMgr.getAccount(user.getAccountId());
final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s","");
final Boolean apiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value();
if (apiSourceCidrChecksEnabled) {
s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs);
if (!NetUtils.isIpInCidrList(remoteAddress, accessAllowedCidrs.split(","))) {
s_logger.warn("Request by account '" + account.toString() + "' was denied since " + remoteAddress + " does not match " + accessAllowedCidrs);
throw new PermissionDeniedException("Calls for domain '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.getHostAddress());
}
}
for (final APIChecker apiChecker : apiAccessCheckers) {
apiChecker.checkAccess(user, commandName);
}
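Review bot: In checkCommandAvailable the allow-list is read and passed through `replaceAll` before `ApiSourceCidrChecksEnabled` is consulted, so the lookup runs (and would fail on a null value or a null account) even when the check is switched off. Moving the `valueIn(...)` call inside the `if (apiSourceCidrChecksEnabled)` block keeps the disabled path untouched. How `NetUtils.isIpInCidrList` treats an empty or malformed entry is not visible here; because one bad account-level value could deny every call for that account, the list should be validated when the setting is saved. The denial message also labels the account name as a domain and leaves the last quote open: `"Calls for account '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.getHostAddress() + "'"`. The method body continues outside the hunk.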


@ -19,6 +19,7 @@ package com.cloud.api;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.net.URLDecoder;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
@ -132,9 +133,21 @@ public class ApiServlet extends HttpServlet {
}
void processRequestInContext(final HttpServletRequest req, final HttpServletResponse resp) {
final String remoteAddress = getClientAddress(req);
InetAddress remoteAddress = null;
try {
remoteAddress = getClientAddress(req);
} catch (UnknownHostException e) {
s_logger.warn("UnknownHostException when trying to lookup remote IP-Address. This should never happen. Blocking request.", e);
final String response = apiServer.getSerializedApiError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"UnknownHostException when trying to lookup remote IP-Address", null,
HttpUtils.RESPONSE_TYPE_XML);
HttpUtils.writeHttpResponse(resp, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
HttpUtils.RESPONSE_TYPE_XML, ApiServer.JSONcontentType.value());
return;
}
final StringBuilder auditTrailSb = new StringBuilder(128);
auditTrailSb.append(" ").append(remoteAddress);
auditTrailSb.append(" ").append(remoteAddress.getHostAddress());
auditTrailSb.append(" -- ").append(req.getMethod()).append(' ');
// get the response format since we'll need it in a couple of places
String responseType = HttpUtils.RESPONSE_TYPE_XML;
@ -198,7 +211,7 @@ public class ApiServlet extends HttpServlet {
}
try {
responseString = apiAuthenticator.authenticate(command, params, session, InetAddress.getByName(remoteAddress), responseType, auditTrailSb, req, resp);
responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
}
@ -288,12 +301,12 @@ public class ApiServlet extends HttpServlet {
CallContext.register(accountMgr.getSystemUser(), accountMgr.getSystemAccount());
}
if (apiServer.verifyRequest(params, userId)) {
if (apiServer.verifyRequest(params, userId, remoteAddress)) {
auditTrailSb.insert(0, "(userId=" + CallContext.current().getCallingUserId() + " accountId=" + CallContext.current().getCallingAccount().getId() +
" sessionId=" + (session != null ? session.getId() : null) + ")");
// Add the HTTP method (GET/POST/PUT/DELETE) as well into the params map.
params.put("httpmethod", new String[] {req.getMethod()});
params.put("httpmethod", new String[]{req.getMethod()});
final String response = apiServer.handleRequest(params, responseType, auditTrailSb);
HttpUtils.writeHttpResponse(resp, response != null ? response : "", HttpServletResponse.SC_OK, responseType, ApiServer.JSONcontentType.value());
} else {
@ -330,29 +343,29 @@ public class ApiServlet extends HttpServlet {
}
//This method will try to get login IP of user even if servlet is behind reverseProxy or loadBalancer
static String getClientAddress(final HttpServletRequest request) {
static InetAddress getClientAddress(final HttpServletRequest request) throws UnknownHostException {
for(final String header : s_clientAddressHeaders) {
final String ip = getCorrectIPAddress(request.getHeader(header));
if (ip != null) {
return ip;
return InetAddress.getByName(ip);
}
}
return request.getRemoteAddr();
return InetAddress.getByName(request.getRemoteAddr());
}
private static String getCorrectIPAddress(String ip) {
if(ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
return null;
}
if(NetUtils.isValidIp(ip) || NetUtils.isValidIpv6(ip)) {
if(NetUtils.isValidIp4(ip) || NetUtils.isValidIp6(ip)) {
return ip;
}
//it could be possible to have multiple IPs in HTTP header, this happens if there are multiple proxy in between
//the client and the servlet, so parse the client IP
String[] ips = ip.split(",");
for(String i : ips) {
if(NetUtils.isValidIp(i.trim()) || NetUtils.isValidIpv6(i.trim())) {
if(NetUtils.isValidIp4(i.trim()) || NetUtils.isValidIp6(i.trim())) {
return i.trim();
}
}
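Review bot: getClientAddress returns the first valid address found in the headers listed in `s_clientAddressHeaders` before it falls back to `request.getRemoteAddr()`, and with this commit that value decides the `api.allowed.source.cidr.list` check, so the restriction is only as trustworthy as those headers. Unless a reverse proxy in front of the servlet always overwrites them, the header content is chosen by the caller; the header list itself is defined outside the hunk. The forwarding headers should be honoured only when `request.getRemoteAddr()` belongs to a configured set of trusted proxies, with the socket address used in every other case. For a comma-separated header, the entry appended by the trusted proxy should be taken, not the first valid one as getCorrectIPAddress does now. getCorrectIPAddress continues past the last visible line.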


@ -872,7 +872,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
throw new InvalidParameterValueException("Error parsing ip address");
}
} else if (range.equals("netmask")) {
if (!NetUtils.isValidNetmask(value)) {
if (!NetUtils.isValidIp4Netmask(value)) {
s_logger.error("netmask " + value + " is not a valid net mask for configuration variable " + name);
return "Please enter a valid netmask.";
}
@ -904,7 +904,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
for (final String route : routes) {
if (route != null) {
final String routeToVerify = route.trim();
if (!NetUtils.isValidCIDR(routeToVerify)) {
if (!NetUtils.isValidIp4Cidr(routeToVerify)) {
throw new InvalidParameterValueException("Invalid value for blacklisted route: " + route + ". Valid format is list"
+ " of cidrs separated by coma. Example: 10.1.1.0/24,192.168.0.0/24");
}
@ -989,7 +989,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
long cidrSize;
// Get the individual cidrAddress and cidrSize values, if the CIDR is
// valid. If it's not valid, return an error.
if (NetUtils.isValidCIDR(cidr)) {
if (NetUtils.isValidIp4Cidr(cidr)) {
cidrAddress = getCidrAddress(cidr);
cidrSize = getCidrSize(cidr);
} else {
@ -1005,7 +1005,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
}
// Check if the gateway is a valid IP address
if (!NetUtils.isValidIp(gateway)) {
if (!NetUtils.isValidIp4(gateway)) {
throw new InvalidParameterValueException("The gateway is not a valid IP address.");
}
@ -1119,11 +1119,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
final long zoneId = pod.getDataCenterId();
if(!NetUtils.isValidIp(gateway)) {
if(!NetUtils.isValidIp4(gateway)) {
throw new InvalidParameterValueException("The gateway IP address is invalid.");
}
if(!NetUtils.isValidNetmask(netmask)) {
if(!NetUtils.isValidIp4Netmask(netmask)) {
throw new InvalidParameterValueException("The netmask IP address is invalid.");
}
@ -1133,7 +1133,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
final String cidr = NetUtils.ipAndNetMaskToCidr(gateway, netmask);
if(!NetUtils.isValidCIDR(cidr)) {
if(!NetUtils.isValidIp4Cidr(cidr)) {
throw new InvalidParameterValueException("The CIDR is invalid " + cidr);
}
@ -1170,7 +1170,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
final String[] existingPodIpRange = podIpRange.split("-");
if (existingPodIpRange.length > 1) {
if (!NetUtils.isValidIp(existingPodIpRange[0]) || !NetUtils.isValidIp(existingPodIpRange[1])) {
if (!NetUtils.isValidIp4(existingPodIpRange[0]) || !NetUtils.isValidIp4(existingPodIpRange[1])) {
continue;
}
// Check if the range overlaps with any existing range.
@ -1236,11 +1236,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
throw new InvalidParameterValueException("Unable to find pod by id " + podId);
}
if (startIp == null || !NetUtils.isValidIp(startIp)) {
if (startIp == null || !NetUtils.isValidIp4(startIp)) {
throw new InvalidParameterValueException("The start address of the IP range is not a valid IP address.");
}
if (endIp == null || !NetUtils.isValidIp(endIp)) {
if (endIp == null || !NetUtils.isValidIp4(endIp)) {
throw new InvalidParameterValueException("The end address of the IP range is not a valid IP address.");
}
@ -1390,7 +1390,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
final String[] existingPodIpRange = podIpRange.split("-");
if (existingPodIpRange.length > 1) {
if (!NetUtils.isValidIp(existingPodIpRange[0]) || !NetUtils.isValidIp(existingPodIpRange[1])) {
if (!NetUtils.isValidIp4(existingPodIpRange[0]) || !NetUtils.isValidIp4(existingPodIpRange[1])) {
continue;
}
@ -1443,11 +1443,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
@Override
public Pod createPod(final long zoneId, final String name, final String startIp, final String endIp, final String gateway, final String netmask, String allocationState) {
// Check if the gateway is a valid IP address
if (!NetUtils.isValidIp(gateway)) {
if (!NetUtils.isValidIp4(gateway)) {
throw new InvalidParameterValueException("The gateway is invalid");
}
if (!NetUtils.isValidNetmask(netmask)) {
if (!NetUtils.isValidIp4Netmask(netmask)) {
throw new InvalidParameterValueException("The netmask is invalid");
}
@ -1601,27 +1601,27 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
// Check IP validity for DNS addresses
// Empty strings is a valid input -- hence the length check
if (dns1 != null && dns1.length() > 0 && !NetUtils.isValidIp(dns1)) {
if (dns1 != null && dns1.length() > 0 && !NetUtils.isValidIp4(dns1)) {
throw new InvalidParameterValueException("Please enter a valid IP address for DNS1");
}
if (dns2 != null && dns2.length() > 0 && !NetUtils.isValidIp(dns2)) {
if (dns2 != null && dns2.length() > 0 && !NetUtils.isValidIp4(dns2)) {
throw new InvalidParameterValueException("Please enter a valid IP address for DNS2");
}
if (internalDns1 != null && internalDns1.length() > 0 && !NetUtils.isValidIp(internalDns1)) {
if (internalDns1 != null && internalDns1.length() > 0 && !NetUtils.isValidIp4(internalDns1)) {
throw new InvalidParameterValueException("Please enter a valid IP address for internal DNS1");
}
if (internalDns2 != null && internalDns2.length() > 0 && !NetUtils.isValidIp(internalDns2)) {
if (internalDns2 != null && internalDns2.length() > 0 && !NetUtils.isValidIp4(internalDns2)) {
throw new InvalidParameterValueException("Please enter a valid IP address for internal DNS2");
}
if (ip6Dns1 != null && ip6Dns1.length() > 0 && !NetUtils.isValidIpv6(ip6Dns1)) {
if (ip6Dns1 != null && ip6Dns1.length() > 0 && !NetUtils.isValidIp6(ip6Dns1)) {
throw new InvalidParameterValueException("Please enter a valid IPv6 address for IP6 DNS1");
}
if (ip6Dns2 != null && ip6Dns2.length() > 0 && !NetUtils.isValidIpv6(ip6Dns2)) {
if (ip6Dns2 != null && ip6Dns2.length() > 0 && !NetUtils.isValidIp6(ip6Dns2)) {
throw new InvalidParameterValueException("Please enter a valid IPv6 address for IP6 DNS2");
}
@ -1637,11 +1637,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
private void checkIpRange(final String startIp, final String endIp, final String cidrAddress, final long cidrSize) {
//Checking not null for start IP as well. Previously we assumed to be not null always.
//But the check is required for the change in updatePod API.
if (!Strings.isNullOrEmpty(startIp) && !NetUtils.isValidIp(startIp)) {
if (!Strings.isNullOrEmpty(startIp) && !NetUtils.isValidIp4(startIp)) {
throw new InvalidParameterValueException("The start address of the IP range is not a valid IP address.");
}
if (!Strings.isNullOrEmpty(endIp) && !NetUtils.isValidIp(endIp)) {
if (!Strings.isNullOrEmpty(endIp) && !NetUtils.isValidIp4(endIp)) {
throw new InvalidParameterValueException("The end address of the IP range is not a valid IP address.");
}
@ -1683,7 +1683,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
final String[] existingPodIpRange = podIpRange.split("-");
if (existingPodIpRange.length > 1) {
if (!NetUtils.isValidIp(existingPodIpRange[0]) || !NetUtils.isValidIp(existingPodIpRange[1])) {
if (!NetUtils.isValidIp4(existingPodIpRange[0]) || !NetUtils.isValidIp4(existingPodIpRange[1])) {
continue;
}
@ -3299,18 +3299,18 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
if (ipv4) {
// Make sure the gateway is valid
if (!NetUtils.isValidIp(vlanGateway)) {
if (!NetUtils.isValidIp4(vlanGateway)) {
throw new InvalidParameterValueException("Please specify a valid gateway");
}
// Make sure the netmask is valid
if (!NetUtils.isValidNetmask(vlanNetmask)) {
if (!NetUtils.isValidIp4Netmask(vlanNetmask)) {
throw new InvalidParameterValueException("Please specify a valid netmask");
}
}
if (ipv6) {
if (!NetUtils.isValidIpv6(vlanIp6Gateway)) {
if (!NetUtils.isValidIp6(vlanIp6Gateway)) {
throw new InvalidParameterValueException("Please specify a valid IPv6 gateway");
}
if (!NetUtils.isValidIp6Cidr(vlanIp6Cidr)) {
@ -3322,7 +3322,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
final String newCidr = NetUtils.getCidrFromGatewayAndNetmask(vlanGateway, vlanNetmask);
//Make sure start and end ips are with in the range of cidr calculated for this gateway and netmask {
if (!NetUtils.isIpWithtInCidrRange(vlanGateway, newCidr) || !NetUtils.isIpWithtInCidrRange(startIP, newCidr) || !NetUtils.isIpWithtInCidrRange(endIP, newCidr)) {
if (!NetUtils.isIpWithInCidrRange(vlanGateway, newCidr) || !NetUtils.isIpWithInCidrRange(startIP, newCidr) || !NetUtils.isIpWithInCidrRange(endIP, newCidr)) {
throw new InvalidParameterValueException("Please specify a valid IP range or valid netmask or valid gateway");
}
@ -3819,11 +3819,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
private void checkPublicIpRangeErrors(final long zoneId, final String vlanId, final String vlanGateway, final String vlanNetmask, final String startIP, final String endIP) {
// Check that the start and end IPs are valid
if (!NetUtils.isValidIp(startIP)) {
if (!NetUtils.isValidIp4(startIP)) {
throw new InvalidParameterValueException("Please specify a valid start IP");
}
if (endIP != null && !NetUtils.isValidIp(endIP)) {
if (endIP != null && !NetUtils.isValidIp4(endIP)) {
throw new InvalidParameterValueException("Please specify a valid end IP");
}
@ -5422,7 +5422,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
throw new InvalidParameterValueException("Invalid region ID: " + regionId);
}
if (!NetUtils.isValidIp(startIP) || !NetUtils.isValidIp(endIP) || !NetUtils.validIpRange(startIP, endIP)) {
if (!NetUtils.isValidIp4(startIP) || !NetUtils.isValidIp4(endIP) || !NetUtils.validIpRange(startIP, endIP)) {
throw new InvalidParameterValueException("Invalid portable ip range: " + startIP + "-" + endIP);
}


@ -1395,7 +1395,7 @@ public class ConsoleProxyManagerImpl extends ManagerBase implements ConsoleProxy
if (nic.getTrafficType() == TrafficType.Management) {
String mgmt_cidr = _configDao.getValue(Config.ManagementNetwork.key());
if (NetUtils.isValidCIDR(mgmt_cidr)) {
if (NetUtils.isValidIp4Cidr(mgmt_cidr)) {
buf.append(" mgmtcidr=").append(mgmt_cidr);
}
buf.append(" localgw=").append(dest.getPod().getGateway());


@ -2148,10 +2148,10 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel, Confi
@Override
public void checkIp6Parameters(String startIPv6, String endIPv6, String ip6Gateway, String ip6Cidr) throws InvalidParameterValueException {
if (!NetUtils.isValidIpv6(startIPv6)) {
if (!NetUtils.isValidIp6(startIPv6)) {
throw new InvalidParameterValueException("Invalid format for the startIPv6 parameter");
}
if (!NetUtils.isValidIpv6(endIPv6)) {
if (!NetUtils.isValidIp6(endIPv6)) {
throw new InvalidParameterValueException("Invalid format for the endIPv6 parameter");
}
@ -2159,7 +2159,7 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel, Confi
throw new InvalidParameterValueException("ip6Gateway and ip6Cidr should be defined when startIPv6/endIPv6 are passed in");
}
if (!NetUtils.isValidIpv6(ip6Gateway)) {
if (!NetUtils.isValidIp6(ip6Gateway)) {
throw new InvalidParameterValueException("Invalid ip6Gateway");
}
if (!NetUtils.isValidIp6Cidr(ip6Cidr)) {
@ -2188,13 +2188,13 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel, Confi
String ip6 = ips.getIp6Address();
String mac = ips.getMacAddress();
if (ip4 != null) {
if (!NetUtils.isValidIp(ip4)) {
if (!NetUtils.isValidIp4(ip4)) {
throw new InvalidParameterValueException("Invalid specified IPv4 address " + ip4);
}
//Other checks for ipv4 are done in assignPublicIpAddress()
}
if (ip6 != null) {
if (!NetUtils.isValidIpv6(ip6)) {
if (!NetUtils.isValidIp6(ip6)) {
throw new InvalidParameterValueException("Invalid specified IPv6 address " + ip6);
}
if (_ipv6Dao.findByNetworkIdAndIp(networkId, ip6) != null) {


@ -1169,12 +1169,12 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
if (ipv4) {
// if end ip is not specified, default it to startIp
if (startIP != null) {
if (!NetUtils.isValidIp(startIP)) {
if (!NetUtils.isValidIp4(startIP)) {
throw new InvalidParameterValueException("Invalid format for the startIp parameter");
}
if (endIP == null) {
endIP = startIP;
} else if (!NetUtils.isValidIp(endIP)) {
} else if (!NetUtils.isValidIp4(endIP)) {
throw new InvalidParameterValueException("Invalid format for the endIp parameter");
}
}
@ -1193,10 +1193,10 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Invalid gateway IP provided. Either the IP is broadcast or network IP.");
}
if (!NetUtils.isValidIp(gateway)) {
if (!NetUtils.isValidIp4(gateway)) {
throw new InvalidParameterValueException("Invalid gateway");
}
if (!NetUtils.isValidNetmask(netmask)) {
if (!NetUtils.isValidIp4Netmask(netmask)) {
throw new InvalidParameterValueException("Invalid netmask");
}
@ -2129,7 +2129,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("The network must be in " + Network.State.Implemented + " state. IP Reservation cannot be applied in "
+ network.getState() + " state");
}
if (!NetUtils.isValidCIDR(guestVmCidr)) {
if (!NetUtils.isValidIp4Cidr(guestVmCidr)) {
throw new InvalidParameterValueException("Invalid format of Guest VM CIDR.");
}
if (!NetUtils.validateGuestCidr(guestVmCidr)) {
@ -4296,19 +4296,19 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// VALIDATE IP INFO
// if end ip is not specified, default it to startIp
if (!NetUtils.isValidIp(startIp)) {
if (!NetUtils.isValidIp4(startIp)) {
throw new InvalidParameterValueException("Invalid format for the ip address parameter");
}
if (endIp == null) {
endIp = startIp;
} else if (!NetUtils.isValidIp(endIp)) {
} else if (!NetUtils.isValidIp4(endIp)) {
throw new InvalidParameterValueException("Invalid format for the endIp address parameter");
}
if (!NetUtils.isValidIp(gateway)) {
if (!NetUtils.isValidIp4(gateway)) {
throw new InvalidParameterValueException("Invalid gateway");
}
if (!NetUtils.isValidNetmask(netmask)) {
if (!NetUtils.isValidIp4Netmask(netmask)) {
throw new InvalidParameterValueException("Invalid netmask");
}


@ -84,7 +84,7 @@ public class StorageNetworkManagerImpl extends ManagerBase implements StorageNet
final String[] existingPodIpRange = podIpRange.split("-");
if (existingPodIpRange.length > 1) {
if (!NetUtils.isValidIp(existingPodIpRange[0]) || !NetUtils.isValidIp(existingPodIpRange[1])) {
if (!NetUtils.isValidIp4(existingPodIpRange[0]) || !NetUtils.isValidIp4(existingPodIpRange[1])) {
continue;
}
@ -137,7 +137,7 @@ public class StorageNetworkManagerImpl extends ManagerBase implements StorageNet
String endIp = cmd.getEndIp();
final String netmask = cmd.getNetmask();
if (netmask != null && !NetUtils.isValidNetmask(netmask)) {
if (netmask != null && !NetUtils.isValidIp4Netmask(netmask)) {
throw new CloudRuntimeException("Invalid netmask:" + netmask);
}
@ -207,7 +207,7 @@ public class StorageNetworkManagerImpl extends ManagerBase implements StorageNet
endIp = startIp;
}
if (!NetUtils.isValidNetmask(netmask)) {
if (!NetUtils.isValidIp4Netmask(netmask)) {
throw new CloudRuntimeException("Invalid netmask:" + netmask);
}


@ -704,7 +704,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
sourceCidr.add(network.getCidr());
destCidr.add(NetUtils.ALL_CIDRS);
destCidr.add(NetUtils.ALL_IP4_CIDRS);
FirewallRuleVO ruleVO =
new FirewallRuleVO(null, null, null, null, "all", networkId, network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr, destCidr, null, null, null,
@ -905,7 +905,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
List<String> oneCidr = new ArrayList<String>();
oneCidr.add(NetUtils.ALL_CIDRS);
oneCidr.add(NetUtils.ALL_IP4_CIDRS);
return createFirewallRule(ipAddrId, caller, null, startPort, endPort, protocol, oneCidr, null, icmpCode, icmpType, relatedRuleId, FirewallRule.FirewallRuleType.User,
networkId, FirewallRule.TrafficType.Ingress, true);
}


@ -1383,7 +1383,7 @@ Configurable, StateListener<VirtualMachine.State, VirtualMachine.Event, VirtualM
// networking setup, DomR may have two interfaces while both
// are on the same subnet
_mgmtCidr = _configDao.getValue(Config.ManagementNetwork.key());
if (NetUtils.isValidCIDR(_mgmtCidr)) {
if (NetUtils.isValidIp4Cidr(_mgmtCidr)) {
buf.append(" mgmtcidr=").append(_mgmtCidr);
buf.append(" localgw=").append(dest.getPod().getGateway());
}
@ -1955,7 +1955,7 @@ Configurable, StateListener<VirtualMachine.State, VirtualMachine.Event, VirtualM
final List<String> destCidr = new ArrayList<String>();
sourceCidr.add(network.getCidr());
destCidr.add(NetUtils.ALL_CIDRS);
destCidr.add(NetUtils.ALL_IP4_CIDRS);
final FirewallRule rule = new FirewallRuleVO(null, null, null, null, "all", networkId, network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr,
destCidr, null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);


@ -611,7 +611,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
if (cidrList != null) {
for (String cidr : cidrList) {
if (!NetUtils.isValidCIDR(cidr)) {
if (!NetUtils.isValidIp4Cidr(cidr) && !NetUtils.isValidIp6Cidr(cidr)) {
throw new InvalidParameterValueException("Invalid cidr " + cidr);
}
}


@ -406,7 +406,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (sourceCidrList != null) {
for (final String cidr : sourceCidrList) {
if (!NetUtils.isValidCIDR(cidr)) {
if (!NetUtils.isValidIp4Cidr(cidr)) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source cidrs formatting error " + cidr);
}
}
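Review bot: The source-CIDR check in this loop now accepts IPv4 only, while the equivalent loop in SecurityGroupManagerImpl in this same commit became `!NetUtils.isValidIp4Cidr(cidr) && !NetUtils.isValidIp6Cidr(cidr)`. The removed `isValidCIDR` appears to have returned true for anything `IPv6Network.fromString` could parse, so an IPv6 source CIDR that used to pass here would now be rejected with "Source cidrs formatting error", which does not tell the caller that the address family is the problem. If IPv4-only is intended for ACL items, I would say so at the check, e.g. `// ACL source CIDRs are IPv4-only; IPv6 CIDRs are rejected here`, and in the message; otherwise add the `isValidIp6Cidr` alternative as the security-group code does. The same narrowing applies to the VPC CIDR checks in VpcManagerImpl and the guest VM CIDR check in NetworkServiceImpl. The enclosing method starts and ends outside the hunk.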


@ -792,7 +792,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
protected Vpc createVpc(final Boolean displayVpc, final VpcVO vpc) {
final String cidr = vpc.getCidr();
// Validate CIDR
if (!NetUtils.isValidCIDR(cidr)) {
if (!NetUtils.isValidIp4Cidr(cidr)) {
throw new InvalidParameterValueException("Invalid CIDR specified " + cidr);
}
@ -2030,7 +2030,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
_accountMgr.checkAccess(caller, null, false, vpc);
if (!NetUtils.isValidCIDR(cidr)) {
if (!NetUtils.isValidIp4Cidr(cidr)) {
throw new InvalidParameterValueException("Invalid format for cidr " + cidr);
}


@ -194,7 +194,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (range.length != 2) {
throw new InvalidParameterValueException("Invalid ip range");
}
if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])) {
if (!NetUtils.isValidIp4(range[0]) || !NetUtils.isValidIp4(range[1])) {
throw new InvalidParameterValueException("Invalid ip in range specification " + ipRange);
}
if (!NetUtils.validIpRange(range[0], range[1])) {
@ -271,7 +271,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (range.length != 2) {
throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange);
}
if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])) {
if (!NetUtils.isValidIp4(range[0]) || !NetUtils.isValidIp4(range[1])) {
throw new ConfigurationException("Remote Access VPN: Invalid ip in range specification " + ipRange);
}
if (!NetUtils.validIpRange(range[0], range[1])) {


@ -177,7 +177,8 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
String name = cmd.getName();
String gatewayIp = cmd.getGatewayIp();
if (!NetUtils.isValidIp(gatewayIp) && !NetUtils.verifyDomainName(gatewayIp)) {
if (!NetUtils.isValidIp4(gatewayIp) && !NetUtils.verifyDomainName(gatewayIp)) {
throw new InvalidParameterValueException("The customer gateway ip/Domain " + gatewayIp + " is invalid!");
}
if (name == null) {
@ -428,7 +429,8 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
}
String name = cmd.getName();
String gatewayIp = cmd.getGatewayIp();
if (!NetUtils.isValidIp(gatewayIp) && !NetUtils.verifyDomainName(gatewayIp)) {
if (!NetUtils.isValidIp4(gatewayIp) && !NetUtils.verifyDomainName(gatewayIp)) {
throw new InvalidParameterValueException("The customer gateway ip/Domain " + gatewayIp + " is invalid!");
}
if (name == null) {


@ -221,11 +221,11 @@ public class PodZoneConfig {
if (add) {
// Make sure the gateway is valid
if (!NetUtils.isValidIp(vlanGateway))
if (!NetUtils.isValidIp4(vlanGateway))
return genReturnList("false", "Please specify a valid gateway.");
// Make sure the netmask is valid
if (!NetUtils.isValidIp(vlanNetmask))
if (!NetUtils.isValidIp4(vlanNetmask))
return genReturnList("false", "Please specify a valid netmask.");
// Check if a vlan with the same vlanId already exists in the specified zone
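Review bot: The check under "Make sure the netmask is valid" calls `NetUtils.isValidIp4(vlanNetmask)`, which accepts any well-formed IPv4 address, so a value such as 10.1.2.3 passes as a netmask. This commit renames the dedicated helper to `isValidIp4Netmask`, and other call sites touched here (NetworkServiceImpl, StorageNetworkManagerImpl) use it for the same purpose. I would change the line to `if (!NetUtils.isValidIp4Netmask(vlanNetmask))`. The enclosing method starts and ends outside the hunk.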


@ -172,6 +172,8 @@ import com.cloud.vm.snapshot.VMSnapshot;
import com.cloud.vm.snapshot.VMSnapshotManager;
import com.cloud.vm.snapshot.VMSnapshotVO;
import com.cloud.vm.snapshot.dao.VMSnapshotDao;
import org.apache.cloudstack.config.ApiServiceConfiguration;
public class AccountManagerImpl extends ManagerBase implements AccountManager, Manager {
public static final Logger s_logger = Logger.getLogger(AccountManagerImpl.class);
@ -179,6 +181,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Inject
private AccountDao _accountDao;
@Inject
private AccountManager _accountMgr;
@Inject
ConfigurationDao _configDao;
@Inject
private ResourceCountDao _resourceCountDao;
@ -2076,7 +2080,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
public UserAccount authenticateUser(String username, String password, Long domainId, InetAddress loginIpAddress, Map<String, Object[]> requestParameters) {
public UserAccount authenticateUser(final String username, final String password, final Long domainId, final InetAddress loginIpAddress, final Map<String, Object[]>
requestParameters) {
UserAccount user = null;
if (password != null && !password.isEmpty()) {
user = getUserAccount(username, password, domainId, requestParameters);
@ -2186,6 +2191,27 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return null;
}
// We authenticated successfully by now, let's check if we are allowed to login from the ip address the reqest comes from
final Account account = _accountMgr.getAccount(user.getAccountId());
final DomainVO domain = (DomainVO) _domainMgr.getDomain(account.getDomainId());
// Get the CIDRs from where this account is allowed to make calls
final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s","");
final Boolean ApiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value();
if (ApiSourceCidrChecksEnabled) {
s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs);
// Block when is not in the list of allowed IPs
if (!NetUtils.isIpInCidrList(loginIpAddress, accessAllowedCidrs.split(","))) {
s_logger.warn("Request by account '" + account.toString() + "' was denied since " + loginIpAddress.toString().replaceAll("/","")
+ " does not match " + accessAllowedCidrs);
throw new CloudAuthenticationException("Failed to authenticate user '" + username + "' in domain '" + domain.getPath() + "' from ip "
+ loginIpAddress.toString().replaceAll("/","") + "; please provide valid credentials");
}
}
// Here all is fine!
if (s_logger.isDebugEnabled()) {
s_logger.debug("User: " + username + " in domain " + domainId + " has successfully logged in");
}
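Review bot: The new allow-list check trusts `loginIpAddress`, and judging by ApiServletTest in this commit that address is apparently taken from request headers such as X-Forwarded-For, HTTP_CLIENT_IP and Remote_Addr, with the socket address as the default. Those headers are set by the client unless a reverse proxy overwrites them, so as written the restriction only holds behind such a proxy; on a directly exposed management server the check should use the connection's remote address, or honour forwarded headers only when the peer is a configured trusted proxy. At minimum I would document the assumption at the check, e.g. `// loginIpAddress may be derived from X-Forwarded-For; only trustworthy behind a proxy that overwrites that header`. Two smaller points in the same block: `ApiSourceCidrChecksEnabled` is a boxed `Boolean` local named like a constant and is unboxed in the `if`, and `loginIpAddress.toString().replaceAll("/","")` can be `loginIpAddress.getHostAddress()`. authenticateUser starts and ends outside the hunk.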


@ -649,7 +649,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
if (answer.getResult()) {
String vmIp = answer.getDetails();
if (NetUtils.isValidIp(vmIp)) {
if (NetUtils.isValidIp4(vmIp)) {
// set this vm ip addr in vm nic.
if (nic != null) {
nic.setIPv4Address(vmIp);
@ -1184,7 +1184,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
NicProfile profile = new NicProfile(ipAddress, null, macAddress);
if (ipAddress != null) {
if (!(NetUtils.isValidIp(ipAddress) || NetUtils.isValidIpv6(ipAddress))) {
if (!(NetUtils.isValidIp4(ipAddress) || NetUtils.isValidIp6(ipAddress))) {
throw new InvalidParameterValueException("Invalid format for IP address parameter: " + ipAddress);
}
}


@ -174,7 +174,7 @@ public class ApiServletTest {
public void processRequestInContextUnauthorizedGET() {
Mockito.when(request.getMethod()).thenReturn("GET");
Mockito.when(
apiServer.verifyRequest(Mockito.anyMap(), Mockito.anyLong()))
apiServer.verifyRequest(Mockito.anyMap(), Mockito.anyLong(), Mockito.any(InetAddress.class)))
.thenReturn(false);
servlet.processRequestInContext(request, response);
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
@ -188,7 +188,7 @@ public class ApiServletTest {
public void processRequestInContextAuthorizedGet() {
Mockito.when(request.getMethod()).thenReturn("GET");
Mockito.when(
apiServer.verifyRequest(Mockito.anyMap(), Mockito.anyLong()))
apiServer.verifyRequest(Mockito.anyMap(), Mockito.anyLong(), Mockito.any(InetAddress.class)))
.thenReturn(true);
servlet.processRequestInContext(request, response);
Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
@ -242,33 +242,33 @@ public class ApiServletTest {
}
@Test
public void getClientAddressWithXForwardedFor() {
public void getClientAddressWithXForwardedFor() throws UnknownHostException {
Mockito.when(request.getHeader(Mockito.eq("X-Forwarded-For"))).thenReturn("192.168.1.1");
Assert.assertEquals("192.168.1.1", ApiServlet.getClientAddress(request));
Assert.assertEquals(InetAddress.getByName("192.168.1.1"), ApiServlet.getClientAddress(request));
}
@Test
public void getClientAddressWithHttpXForwardedFor() {
public void getClientAddressWithHttpXForwardedFor() throws UnknownHostException {
Mockito.when(request.getHeader(Mockito.eq("HTTP_X_FORWARDED_FOR"))).thenReturn("192.168.1.1");
Assert.assertEquals("192.168.1.1", ApiServlet.getClientAddress(request));
Assert.assertEquals(InetAddress.getByName("192.168.1.1"), ApiServlet.getClientAddress(request));
}
@Test
public void getClientAddressWithXRemoteAddr() {
public void getClientAddressWithXRemoteAddr() throws UnknownHostException {
Mockito.when(request.getHeader(Mockito.eq("Remote_Addr"))).thenReturn("192.168.1.1");
Assert.assertEquals("192.168.1.1", ApiServlet.getClientAddress(request));
Assert.assertEquals(InetAddress.getByName("192.168.1.1"), ApiServlet.getClientAddress(request));
}
@Test
public void getClientAddressWithHttpClientIp() {
public void getClientAddressWithHttpClientIp() throws UnknownHostException {
Mockito.when(request.getHeader(Mockito.eq("HTTP_CLIENT_IP"))).thenReturn("192.168.1.1");
Assert.assertEquals("192.168.1.1", ApiServlet.getClientAddress(request));
Assert.assertEquals(InetAddress.getByName("192.168.1.1"), ApiServlet.getClientAddress(request));
}
@Test
public void getClientAddressDefault() {
public void getClientAddressDefault() throws UnknownHostException {
Mockito.when(request.getRemoteAddr()).thenReturn("127.0.0.1");
Assert.assertEquals("127.0.0.1", ApiServlet.getClientAddress(request));
Assert.assertEquals(InetAddress.getByName("127.0.0.1"), ApiServlet.getClientAddress(request));
}
}
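Review bot: The updated getClientAddress tests only feed a single well-formed literal ("192.168.1.1") through each header, although the returned address now feeds the source-CIDR allow-list. I would add cases for a header value that is not an IP literal and for a comma-separated X-Forwarded-For such as `10.0.0.1, 192.168.1.1` (constructed example), and pin what `ApiServlet.getClientAddress` returns or throws for each. If the implementation parses the header with `InetAddress.getByName`, which is not visible here, a hostname in the header would also cause a name lookup, so a test should assert that only literals are accepted. A case where both a forwarded header and `getRemoteAddr()` are set would document which one wins.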


@ -388,7 +388,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
List<String> allowedCidrs = new ArrayList<String>();
String[] cidrs = _allowedInternalSites.split(",");
for (String cidr : cidrs) {
if (NetUtils.isValidCIDR(cidr) || NetUtils.isValidIp(cidr) || !cidr.startsWith("0.0.0.0")) {
if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
allowedCidrs.add(cidr);
}
}
@ -1170,7 +1170,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
}
if (nic.getTrafficType() == TrafficType.Management) {
String mgmt_cidr = _configDao.getValue(Config.ManagementNetwork.key());
if (NetUtils.isValidCIDR(mgmt_cidr)) {
if (NetUtils.isValidIp4Cidr(mgmt_cidr)) {
buf.append(" mgmtcidr=").append(mgmt_cidr);
}
buf.append(" localgw=").append(dest.getPod().getGateway());
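Review bot: In the allowed-internal-sites loop of the first hunk, the condition `isValidIp4Cidr(cidr) || isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")` is true for every string that does not start with 0.0.0.0, so malformed entries are still added to `allowedCidrs` and the two validity checks have no effect on them; it is also true for a valid CIDR such as 0.0.0.0/0. The intent looks like "valid and not the wildcard", though that is inferred, and the rename in this commit did not change the logic. If so, the line should read `if ((NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr)) && !cidr.startsWith("0.0.0.0")) {`. The enclosing method starts and ends outside the hunk.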


@ -2293,12 +2293,12 @@ public class NfsSecondaryStorageResource extends ServerResourceBase implements S
s_logger.debug("addRouteToInternalIp: destIp is null");
return;
}
if (!NetUtils.isValidIp(destIpOrCidr) && !NetUtils.isValidCIDR(destIpOrCidr)) {
if (!NetUtils.isValidIp4(destIpOrCidr) && !NetUtils.isValidIp4Cidr(destIpOrCidr)) {
s_logger.warn(" destIp is not a valid ip address or cidr destIp=" + destIpOrCidr);
return;
}
boolean inSameSubnet = false;
if (NetUtils.isValidIp(destIpOrCidr)) {
if (NetUtils.isValidIp4(destIpOrCidr)) {
if (eth1ip != null && eth1mask != null) {
inSameSubnet = NetUtils.sameSubnet(eth1ip, destIpOrCidr, eth1mask);
} else {


@ -22,7 +22,7 @@ var dictionary = {"ICMP.code":"ICMP Code",
"error.could.not.change.your.password.because.non.native.user":"Error could not change your password because user is not a native CloudStack user.",
"error.could.not.enable.zone":"Could not enable zone",
"error.installWizard.message":"Something went wrong; you may go back and correct any errors",
"error.invalid.username.password":"Invalid username or password",
"error.invalid.username.password": "Invalid username or password.<br/><br/>This could also be a restriction on the IP address you are connecting from.",
"error.login":"Your username/password does not match our records.",
"error.menu.select":"Unable to perform action due to no items being selected.",
"error.mgmt.server.inaccessible":"The Management Server is unaccessible. Please try again later.",


@ -24,6 +24,8 @@ import java.io.IOException;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InterfaceAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
@ -35,7 +37,6 @@ import java.util.List;
import java.util.Random;
import java.util.Set;
import java.util.SortedSet;
import java.util.StringTokenizer;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@ -61,8 +62,8 @@ public class NetUtils {
private static final int MAX_CIDR = 32;
private static final int RFC_3021_31_BIT_CIDR = 31;
public final static String HTTP_PORT = "80";
public final static String HTTPS_PORT = "443";
public final static int HTTP_PORT = 80;
public final static int HTTPS_PORT = 443;
public final static int VPN_PORT = 500;
public final static int VPN_NATT_PORT = 4500;
public final static int VPN_L2TP_PORT = 1701;
@ -76,7 +77,8 @@ public class NetUtils {
public final static String HTTP_PROTO = "http";
public final static String SSL_PROTO = "ssl";
public final static String ALL_CIDRS = "0.0.0.0/0";
public final static String ALL_IP4_CIDRS = "0.0.0.0/0";
public final static String ALL_IP6_CIDRS = "::/0";
public final static int PORT_RANGE_MIN = 0;
public final static int PORT_RANGE_MAX = 65535;
@ -123,7 +125,7 @@ public class NetUtils {
public static String resolveToIp(final String host) {
try {
final InetAddress addr = InetAddress.getByName(host);
return ipFromInetAddress(addr);
return addr.getHostAddress();
} catch (final UnknownHostException e) {
s_logger.warn("Unable to resolve " + host + " to IP due to UnknownHostException");
return null;
@ -162,7 +164,7 @@ public class NetUtils {
final InetAddress addr = address.getAddress();
final int prefixLength = address.getNetworkPrefixLength();
if (prefixLength < MAX_CIDR && prefixLength > 0) {
final String ip = ipFromInetAddress(addr);
final String ip = addr.getHostAddress();
if (ip.equalsIgnoreCase(defaultHostIp)) {
cidrList.add(ipAndNetMaskToCidr(ip, getCidrNetmask(prefixLength)));
}
@ -243,67 +245,15 @@ public class NetUtils {
return defaultRouteList[7];
}
public static InetAddress getFirstNonLoopbackLocalInetAddress() {
final InetAddress[] addrs = getAllLocalInetAddresses();
if (addrs != null) {
for (final InetAddress addr : addrs) {
if (s_logger.isInfoEnabled()) {
s_logger.info("Check local InetAddress : " + addr.toString() + ", total count :" + addrs.length);
}
if (!addr.isLoopbackAddress()) {
return addr;
}
}
}
s_logger.warn("Unable to determine a non-loopback address, local inet address count :" + addrs.length);
return null;
}
public static InetAddress[] getInterfaceInetAddresses(final String ifName) {
final List<InetAddress> addrList = new ArrayList<InetAddress>();
try {
for (final NetworkInterface ifc : IteratorUtil.enumerationAsIterable(NetworkInterface.getNetworkInterfaces())) {
if (ifc.isUp() && !ifc.isVirtual() && ifc.getName().equals(ifName)) {
for (final InetAddress addr : IteratorUtil.enumerationAsIterable(ifc.getInetAddresses())) {
addrList.add(addr);
}
}
}
} catch (final SocketException e) {
s_logger.warn("SocketException in getAllLocalInetAddresses().", e);
}
final InetAddress[] addrs = new InetAddress[addrList.size()];
if (addrList.size() > 0) {
System.arraycopy(addrList.toArray(), 0, addrs, 0, addrList.size());
}
return addrs;
}
public static String getLocalIPString() {
final InetAddress addr = getLocalInetAddress();
if (addr != null) {
return ipFromInetAddress(addr);
return addr.getHostAddress();
}
return "127.0.0.1";
}
public static String ipFromInetAddress(final InetAddress addr) {
assert addr != null;
final byte[] ipBytes = addr.getAddress();
final StringBuffer sb = new StringBuffer();
sb.append(ipBytes[0] & 0xff).append(".");
sb.append(ipBytes[1] & 0xff).append(".");
sb.append(ipBytes[2] & 0xff).append(".");
sb.append(ipBytes[3] & 0xff);
return sb.toString();
}
public static boolean isLocalAddress(final InetAddress addr) {
final InetAddress[] addrs = getAllLocalInetAddresses();
@ -318,10 +268,8 @@ public class NetUtils {
}
public static boolean isLocalAddress(final String strAddress) {
InetAddress addr;
try {
addr = InetAddress.getByName(strAddress);
InetAddress addr = InetAddress.getByName(strAddress);
return isLocalAddress(addr);
} catch (final UnknownHostException e) {
}
@ -346,23 +294,6 @@ public class NetUtils {
return sb.toString();
}
public static long getMacAddressAsLong(final InetAddress address) {
long macAddressAsLong = 0;
try {
final NetworkInterface ni = NetworkInterface.getByInetAddress(address);
final byte[] mac = ni.getHardwareAddress();
for (int i = 0; i < mac.length; i++) {
macAddressAsLong |= (long)(mac[i] & 0xff) << (mac.length - i - 1) * 8;
}
} catch (final SocketException e) {
s_logger.error("SocketException when trying to retrieve MAC address", e);
}
return macAddressAsLong;
}
/**
* This method will fail in case we have a 31 Bit prefix network
* See RFC 3021.
@ -498,40 +429,15 @@ public class NetUtils {
return result.toString();
}
public static boolean isValidPrivateIp(final String ipAddress, final String guestIPAddress) {
final InetAddress privIp = parseIpAddress(ipAddress);
if (privIp == null) {
return false;
}
if (!privIp.isSiteLocalAddress()) {
return false;
}
String firstGuestOctet = "10";
if (guestIPAddress != null && !guestIPAddress.isEmpty()) {
final String[] guestIPList = guestIPAddress.split("\\.");
firstGuestOctet = guestIPList[0];
}
final String[] ipList = ipAddress.split("\\.");
if (!ipList[0].equals(firstGuestOctet)) {
return false;
}
return true;
}
public static boolean isSiteLocalAddress(final String ipAddress) {
if (ipAddress == null) {
return false;
} else {
final InetAddress ip = parseIpAddress(ipAddress);
if(ip != null) {
try {
final InetAddress ip = InetAddress.getByName(ipAddress);
if (ip != null) {
return ip.isSiteLocalAddress();
}
return false;
}
} catch (UnknownHostException e) {}
return false;
}
public static boolean validIpRange(final String startIP, final String endIP) {
@ -544,14 +450,16 @@ public class NetUtils {
return startIPLong <= endIPLong;
}
public static boolean isValidIp(final String ip) {
final InetAddressValidator validator = InetAddressValidator.getInstance();
public static boolean isValidIp4(final String ip) {
if (ip == null)
return false;
final InetAddressValidator validator = InetAddressValidator.getInstance();
return validator.isValidInet4Address(ip);
}
public static boolean is31PrefixCidr(final String cidr) {
final boolean isValidCird = isValidCIDR(cidr);
final boolean isValidCird = isValidIp4Cidr(cidr);
if (isValidCird){
final String[] cidrPair = cidr.split("\\/");
final String cidrSize = cidrPair[1];
@ -564,23 +472,18 @@ public class NetUtils {
return false;
}
public static boolean isValidCIDR(final String cidr) {
public static boolean isValidIp4Cidr(final String cidr) {
if (cidr == null || cidr.isEmpty()) {
return false;
}
try {
IPv6Network.fromString(cidr);
return true;
} catch (IllegalArgumentException e) {}
final String[] cidrPair = cidr.split("\\/");
if (cidrPair.length != 2) {
return false;
}
final String cidrAddress = cidrPair[0];
final String cidrSize = cidrPair[1];
if (!isValidIp(cidrAddress)) {
if (!isValidIp4(cidrAddress)) {
return false;
}
int cidrSizeNum = -1;
@ -598,8 +501,8 @@ public class NetUtils {
return true;
}
public static boolean isValidNetmask(final String netmask) {
if (!isValidIp(netmask)) {
public static boolean isValidIp4Netmask(final String netmask) {
if (!isValidIp4(netmask)) {
return false;
}
@ -624,25 +527,6 @@ public class NetUtils {
return true;
}
private static InetAddress parseIpAddress(final String address) {
final StringTokenizer st = new StringTokenizer(address, ".");
final byte[] bytes = new byte[4];
if (st.countTokens() == 4) {
try {
for (int i = 0; i < 4; i++) {
bytes[i] = (byte)Integer.parseInt(st.nextToken());
}
return InetAddress.getByAddress(address, bytes);
} catch (final NumberFormatException nfe) {
return null;
} catch (final UnknownHostException uhe) {
return null;
}
}
return null;
}
public static String getCidrFromGatewayAndNetmask(final String gatewayStr, final String netmaskStr) {
final long netmask = ip2Long(netmaskStr);
final long gateway = ip2Long(gatewayStr);
@ -808,11 +692,11 @@ public class NetUtils {
}
public static String ipAndNetMaskToCidr(final String ip, final String netmask) {
if (!isValidIp(ip)) {
if (!isValidIp4(ip)) {
return null;
}
if (!isValidNetmask(netmask)) {
if (!isValidIp4Netmask(netmask)) {
return null;
}
@ -909,7 +793,7 @@ public class NetUtils {
}
final String cidrAddress = cidrPair[0];
final String cidrSize = cidrPair[1];
if (!isValidIp(cidrAddress)) {
if (!isValidIp4(cidrAddress)) {
throw new CloudRuntimeException("cidr is not valid in ip space" + cidr);
}
long cidrSizeNum = getCidrSizeFromString(cidrSize);
@ -949,7 +833,7 @@ public class NetUtils {
}
final String cidrAddress = cidrPair[0];
final String cidrSize = cidrPair[1];
if (!isValidIp(cidrAddress)) {
if (!isValidIp4(cidrAddress)) {
return null;
}
long cidrSizeNum = getCidrSizeFromString(cidrSize);
@ -988,23 +872,13 @@ public class NetUtils {
return MAX_CIDR - count;
}
public static boolean isValidPort(final int p) {
return !(p > PORT_RANGE_MAX || p < PORT_RANGE_MIN);
}
public static boolean isValidPort(final String p) {
try {
final int port = Integer.parseInt(p);
return !(port > 65535 || port < 1);
} catch (final NumberFormatException e) {
return false;
}
}
public static boolean isValidPort(final int p) {
return !(p > 65535 || p < 1);
}
public static boolean isValidLBPort(final String p) {
try {
final int port = Integer.parseInt(p);
return !(port > 65535 || port < 1);
return isValidPort(Integer.parseInt(p));
} catch (final NumberFormatException e) {
return false;
}
@ -1126,11 +1000,11 @@ public class NetUtils {
// Check if 2 CIDRs have exactly same IP Range
public static boolean isSameIpRange(final String cidrA, final String cidrB) {
if (!NetUtils.isValidCIDR(cidrA)) {
if (!NetUtils.isValidIp4Cidr(cidrA)) {
s_logger.info("Invalid value of cidr " + cidrA);
return false;
}
if (!NetUtils.isValidCIDR(cidrB)) {
if (!NetUtils.isValidIp4Cidr(cidrB)) {
s_logger.info("Invalid value of cidr " + cidrB);
return false;
}
@ -1164,7 +1038,7 @@ public class NetUtils {
// The allocated address block is 100.64.0.0/10
final String[] allowedNetBlocks = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"};
if (!isValidCIDR(cidr)) {
if (!isValidIp4Cidr(cidr)) {
s_logger.warn("Cidr " + cidr + " is not valid");
return false;
}
@ -1261,7 +1135,7 @@ public class NetUtils {
public static boolean isValidCidrList(final String cidrList) {
for (final String guestCidr : cidrList.split(",")) {
if (!isValidCIDR(guestCidr)) {
if (!isValidIp4Cidr(guestCidr)) {
return false;
}
}
@ -1297,13 +1171,12 @@ public class NetUtils {
return true;
}
public static boolean isValidIpv6(final String ip) {
try {
IPv6Address.fromString(ip);
} catch (final IllegalArgumentException ex) {
return false;
}
return true;
public static boolean isValidIp6(final String ip) {
if (ip == null)
return false;
final InetAddressValidator validator = InetAddressValidator.getInstance();
return validator.isValidInet6Address(ip);
}
public static boolean isValidIp6Cidr(final String ip6Cidr) {
@ -1410,15 +1283,16 @@ public class NetUtils {
return false;
}
public static boolean isIp6InNetwork(final IPv6Address ip, final IPv6Network network) {
return network.contains(ip);
}
public static boolean isIp6InNetwork(final String ip6, final String ip6Cidr) {
IPv6Network network = null;
try {
network = IPv6Network.fromString(ip6Cidr);
return isIp6InNetwork(IPv6Address.fromString(ip6), IPv6Network.fromString(ip6Cidr));
} catch (final IllegalArgumentException ex) {
return false;
}
final IPv6Address ip = IPv6Address.fromString(ip6);
return network.contains(ip);
}
public static boolean isIp6RangeOverlap(final String ipRange1, final String ipRange2) {
@ -1580,11 +1454,11 @@ public class NetUtils {
return long2Mac(mac);
}
public static boolean isIpWithtInCidrRange(final String ipAddress, final String cidr) {
if (!isValidIp(ipAddress)) {
public static boolean isIpWithInCidrRange(final String ipAddress, final String cidr) {
if (!isValidIp4(ipAddress)) {
return false;
}
if (!isValidCIDR(cidr)) {
if (!isValidIp4Cidr(cidr)) {
return false;
}
@ -1602,6 +1476,29 @@ public class NetUtils {
return isInRange;
}
public static boolean isIpInCidrList(final InetAddress address, final String[] cidrlist) {
boolean match = false;
for (String cidr: cidrlist) {
try {
if (address instanceof Inet6Address && isValidIp6Cidr(cidr)) {
if (isIp6InNetwork(IPv6Address.fromInetAddress(address), IPv6Network.fromString(cidr))) {
match = true;
break;
}
} else if (address instanceof Inet4Address && isValidIp4Cidr(cidr)) {
if (NetUtils.isIpWithInCidrRange(address.getHostAddress(), cidr)) {
match = true;
break;
}
}
} catch (IllegalArgumentException e) {
continue;
}
}
return match;
}
public static Boolean IsIpEqualToNetworkOrBroadCastIp(final String requestedIp, final String cidr, final long size) {
assert size < MAX_CIDR : "You do know this is not for ipv6 right? Keep it smaller than 32 but you have " + size;
@ -1647,7 +1544,7 @@ public class NetUtils {
}
public static IPv6Address ipv6LinkLocal(final String macAddress) {
return EUI64Address(IPv6Network.fromString("fe80::/64"), macAddress);
return EUI64Address(IPv6Network.LINK_LOCAL_NETWORK, macAddress);
}
}


@ -32,9 +32,12 @@ import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.SortedSet;
import java.util.TreeSet;
import com.googlecode.ipv6.IPv6Network;
import org.apache.log4j.Logger;
import org.junit.Test;
@ -198,10 +201,10 @@ public class NetUtilsTest {
@Test
public void testIsValidIpv6() {
assertTrue(NetUtils.isValidIpv6("fc00::1"));
assertFalse(NetUtils.isValidIpv6(""));
assertFalse(NetUtils.isValidIpv6(null));
assertFalse(NetUtils.isValidIpv6("1234:5678::1/64"));
assertTrue(NetUtils.isValidIp6("fc00::1"));
assertFalse(NetUtils.isValidIp6(""));
assertFalse(NetUtils.isValidIp6(null));
assertFalse(NetUtils.isValidIp6("1234:5678::1/64"));
}
@Test
@ -214,10 +217,10 @@ public class NetUtilsTest {
@Test
public void testIsIp6InNetwork() {
assertFalse(NetUtils.isIp6InNetwork("1234:5678:abcd::1", "1234:5678::/64"));
assertTrue(NetUtils.isIp6InNetwork("1234:5678::1", "1234:5678::/64"));
assertTrue(NetUtils.isIp6InNetwork("1234:5678::ffff:ffff:ffff:ffff", "1234:5678::/64"));
assertTrue(NetUtils.isIp6InNetwork("1234:5678::", "1234:5678::/64"));
assertFalse(NetUtils.isIp6InNetwork(IPv6Address.fromString("1234:5678:abcd::1"), IPv6Network.fromString("1234:5678::/64")));
assertTrue(NetUtils.isIp6InNetwork(IPv6Address.fromString("1234:5678::1"), IPv6Network.fromString("1234:5678::/64")));
assertTrue(NetUtils.isIp6InNetwork(IPv6Address.fromString("1234:5678::ffff:ffff:ffff:ffff"), IPv6Network.fromString("1234:5678::/64")));
assertTrue(NetUtils.isIp6InNetwork(IPv6Address.fromString("1234:5678::"), IPv6Network.fromString("1234:5678::/64")));
}
@Test
@ -267,13 +270,9 @@ public class NetUtilsTest {
final String cidrSecond = "10.0.151.0/20";
final String cidrThird = "10.0.144.0/21";
assertTrue(NetUtils.isValidCIDR(cidrFirst));
assertTrue(NetUtils.isValidCIDR(cidrSecond));
assertTrue(NetUtils.isValidCIDR(cidrThird));
assertTrue(NetUtils.isValidCIDR("2001:db8::/64"));
assertTrue(NetUtils.isValidCIDR("2001:db8::/48"));
assertTrue(NetUtils.isValidCIDR("2001:db8:fff::/56"));
assertFalse(NetUtils.isValidCIDR("2001:db8:gggg::/56"));
assertTrue(NetUtils.isValidIp4Cidr(cidrFirst));
assertTrue(NetUtils.isValidIp4Cidr(cidrSecond));
assertTrue(NetUtils.isValidIp4Cidr(cidrThird));;
}
@Test
@ -285,8 +284,6 @@ public class NetUtilsTest {
assertTrue(NetUtils.isValidCidrList(cidrFirst));
assertTrue(NetUtils.isValidCidrList(cidrSecond));
assertTrue(NetUtils.isValidCidrList(cidrThird));
assertTrue(NetUtils.isValidCidrList("2001:db8::/64,2001:db8:ffff::/48"));
assertTrue(NetUtils.isValidCidrList("2001:db8::/64,2001:db8:ffff::/48,192.168.0.0/24"));
}
@Test
@ -386,7 +383,7 @@ public class NetUtilsTest {
final String ipAddress = "192.168.0.0";
final String cidr = "192.168.0.0/31";
final boolean isInRange = NetUtils.isIpWithtInCidrRange(ipAddress, cidr);
final boolean isInRange = NetUtils.isIpWithInCidrRange(ipAddress, cidr);
assertTrue("Check if the subnetUtils.setInclusiveHostCount(true) has been called.", isInRange);
}
@ -396,7 +393,7 @@ public class NetUtilsTest {
final String ipAddress = "192.168.0.1";
final String cidr = "192.168.0.0/31";
final boolean isInRange = NetUtils.isIpWithtInCidrRange(ipAddress, cidr);
final boolean isInRange = NetUtils.isIpWithInCidrRange(ipAddress, cidr);
assertTrue("Check if the subnetUtils.setInclusiveHostCount(true) has been called.", isInRange);
}
@ -406,7 +403,7 @@ public class NetUtilsTest {
final String ipAddress = "192.168.0.2";
final String cidr = "192.168.0.0/31";
final boolean isInRange = NetUtils.isIpWithtInCidrRange(ipAddress, cidr);
final boolean isInRange = NetUtils.isIpWithInCidrRange(ipAddress, cidr);
assertFalse("Out of the range. Why did it return true?", isInRange);
}
@ -462,21 +459,21 @@ public class NetUtilsTest {
public void testGetCidrNetMask() {
final String cidr = "10.10.0.0/16";
String netmask = NetUtils.getCidrNetmask("10.10.10.10/16");
assertTrue(cidr + " does not generate valid netmask " + netmask,NetUtils.isValidNetmask(netmask));
assertTrue(cidr + " does not generate valid netmask " + netmask,NetUtils.isValidIp4Netmask(netmask));
}
@Test
public void testGetCidrSubNet() {
final String cidr = "10.10.0.0/16";
String subnet = NetUtils.getCidrSubNet("10.10.10.10/16");
assertTrue(cidr + " does not contain " + subnet,NetUtils.isIpWithtInCidrRange(subnet, cidr));
assertTrue(cidr + " does not contain " + subnet,NetUtils.isIpWithInCidrRange(subnet, cidr));
}
@Test
public void testGetCidrSubNetWithWidth() {
final String cidr = "10.10.0.0/16";
String subnet = NetUtils.getCidrSubNet("10.10.10.10", 16);
assertTrue(cidr + " does not contain " + subnet,NetUtils.isIpWithtInCidrRange(subnet, cidr));
assertTrue(cidr + " does not contain " + subnet,NetUtils.isIpWithInCidrRange(subnet, cidr));
}
@Test
@ -610,4 +607,75 @@ public class NetUtilsTest {
assertEquals(IPv6Address.fromString("fe80::42:e0ff:fee8:d6a3"), NetUtils.ipv6LinkLocal("02:42:e0:e8:d6:a3"));
assertEquals(IPv6Address.fromString("fe80::47a:88ff:fe00:8b"), NetUtils.ipv6LinkLocal("06:7a:88:00:00:8b"));
}
@Test
public void testIsIpInCidrList() throws UnknownHostException {
String[] cidrs = "0.0.0.0/0,::/0".split(",");
System.out.println(NetUtils.isIpInCidrList(InetAddress.getByName("192.168.1.1"), cidrs));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("192.168.1.1"), cidrs));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("172.16.8.9"), cidrs));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("127.0.0.1"), cidrs));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("2001:db8:100::1"), cidrs));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("::1"), cidrs));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("2a01:4f8:130:2192::2"), cidrs));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("127.0.0.1"), "127.0.0.1/8".split(",")));
assertFalse(NetUtils.isIpInCidrList(InetAddress.getByName("192.168.1.1"), "127.0.0.1/8".split(",")));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("127.0.0.1"), "127.0.0.1/8,::1/128".split(",")));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("::1"), "127.0.0.1/8,::1/128".split(",")));
assertFalse(NetUtils.isIpInCidrList(InetAddress.getByName("192.168.29.47"), "127.0.0.1/8,::1/128".split(",")));
assertFalse(NetUtils.isIpInCidrList(InetAddress.getByName("2001:db8:1938:3ff1::1"), "127.0.0.1/8,::1/128".split(",")));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("2a01:4f8:130:2192::2"), "::/0,127.0.0.1".split(",")));
assertTrue(NetUtils.isIpInCidrList(InetAddress.getByName("2001:db8:200:300::1"), "2001:db8:200::/48,127.0.0.1".split(",")));
assertFalse(NetUtils.isIpInCidrList(InetAddress.getByName("2001:db8:200:300::1"), "2001:db8:300::/64,127.0.0.1".split(",")));
assertFalse(NetUtils.isIpInCidrList(InetAddress.getByName("2a01:4f8:130:2192::2"), "2001:db8::/64,127.0.0.1".split(",")));
}
@Test
public void testIsSiteLocalAddress() {
assertTrue(NetUtils.isSiteLocalAddress("192.168.0.1"));
assertTrue(NetUtils.isSiteLocalAddress("10.0.0.1"));
assertTrue(NetUtils.isSiteLocalAddress("172.16.0.1"));
assertTrue(NetUtils.isSiteLocalAddress("192.168.254.56"));
assertTrue(NetUtils.isSiteLocalAddress("10.254.254.254"));
assertFalse(NetUtils.isSiteLocalAddress("8.8.8.8"));
assertFalse(NetUtils.isSiteLocalAddress("8.8.4.4"));
assertFalse(NetUtils.isSiteLocalAddress(""));
assertFalse(NetUtils.isSiteLocalAddress(null));
}
@Test
public void testStaticVariables() {
assertEquals(80, NetUtils.HTTP_PORT);
assertEquals(443, NetUtils.HTTPS_PORT);
assertEquals(500, NetUtils.VPN_PORT);
assertEquals(4500, NetUtils.VPN_NATT_PORT);
assertEquals(1701, NetUtils.VPN_L2TP_PORT);
assertEquals(8081, NetUtils.HAPROXY_STATS_PORT);
assertEquals("udp", NetUtils.UDP_PROTO);
assertEquals("tcp", NetUtils.TCP_PROTO);
assertEquals("any", NetUtils.ANY_PROTO);
assertEquals("icmp", NetUtils.ICMP_PROTO);
assertEquals("http", NetUtils.HTTP_PROTO);
assertEquals("ssl", NetUtils.SSL_PROTO);
assertEquals("0.0.0.0/0", NetUtils.ALL_IP4_CIDRS);
assertEquals("::/0", NetUtils.ALL_IP6_CIDRS);
}
@Test
public void testIsValidPort() {
assertTrue(NetUtils.isValidPort(80));
assertTrue(NetUtils.isValidPort("80"));
assertTrue(NetUtils.isValidPort(443));
assertTrue(NetUtils.isValidPort("443"));
assertTrue(NetUtils.isValidPort(0));
assertTrue(NetUtils.isValidPort(65535));
assertFalse(NetUtils.isValidPort(-1));
assertFalse(NetUtils.isValidPort(65536));
}
}
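Review bot: testIsIpInCidrList never pins the deny path for degenerate allowlists. No case passes an empty array, and the lists holding the bare entry `127.0.0.1` (no prefix length) are only checked with IPv6 source addresses, so the result for an IPv4 client meeting that entry is untested. Per the commit description this check restricts where API calls may come from, so I would add `assertFalse(NetUtils.isIpInCidrList(InetAddress.getByName("127.0.0.1"), new String[0]));` and an explicit assertion for `127.0.0.1` against `"::/0,127.0.0.1".split(",")` with whichever result is intended. The `System.out.println(...)` on the second line of that test looks like leftover debugging and can be dropped. In testIsValidPort, `assertTrue(NetUtils.isValidPort(0))` should be checked against the bound in `isValidPort(int)`: the `p < 1` form shown in the NetUtils section of this page would reject 0, though I cannot tell from here which side of the change that line is on.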


@ -1618,7 +1618,7 @@ public class HypervisorHostHelper {
}
String host = uri.getHost();
if (NetUtils.isValidIp(host)) {
if (NetUtils.isValidIp4(host)) {
s_logger.info("host name in url is already in IP address, url: " + url);
return url;
}