Merge 7460a5c452 into cd5bb09d0d

ui/public/locales/en.json

@@ -2527,7 +2527,7 @@
 "label.vnf.app.action.reinstall": "Reinstall VNF Appliance",
 "label.vnf.cidr.list": "CIDR from which access to the VNF appliance's Management interface should be allowed from",
 "label.vnf.cidr.list.tooltip": "the CIDR list to forward traffic from to the VNF management interface. Multiple entries must be separated by a single comma character (,). The default value is 0.0.0.0/0.",
-"label.vnf.configure.management": "Configure Firewall and Port Forwarding rules for VNF's management interfaces",
+"label.vnf.configure.management": "Configure network rules for VNF's management interfaces",
 "label.vnf.configure.management.tooltip": "True by default, security group or network rules (source nat and firewall rules) will be configured for VNF management interfaces. False otherwise. Learn what rules are configured at http://docs.cloudstack.apache.org/en/latest/adminguide/networking/vnf_templates_appliances.html#deploying-vnf-appliances",
 "label.vnf.detail.add": "Add VNF detail",
 "label.vnf.detail.remove": "Remove VNF detail",

ui/src/config/section/network.js

@@ -356,7 +356,10 @@ export default {
       permission: ['listVnfAppliances'],
       resourceType: 'UserVm',
       params: () => {
-        return { details: 'servoff,tmpl,nics', isvnf: true }
+        return {
+          details: 'group,nics,secgrp,tmpl,servoff,diskoff,iso,volume,affgrp,backoff,vnfnics',
+          isvnf: true
+        }
       },
       columns: () => {
         const fields = ['name', 'state', 'ipaddress']

ui/src/views/compute/DeployVnfAppliance.vue

@@ -1305,7 +1305,7 @@ export default {
       for (const deviceId of managementDeviceIds) {
         if (this.vnfNicNetworks && this.vnfNicNetworks[deviceId] &&
           ((this.vnfNicNetworks[deviceId].type === 'Isolated' && this.vnfNicNetworks[deviceId].vpcid === undefined) ||
-            (this.vnfNicNetworks[deviceId].type === 'Shared' && this.zone.securitygroupsenabled))) {
+            (this.vnfNicNetworks[deviceId].type === 'Shared' && this.vnfNicNetworks[deviceId].service.filter(svc => svc.name === 'SecurityGroupProvider')))) {
           return true
         }
       }

ui/src/views/network/VnfAppliancesTab.vue

@@ -120,7 +120,7 @@ export default {
   methods: {
     fetchData () {
       var params = {
-        details: 'servoff,tmpl,nics',
+        details: 'group,nics,secgrp,tmpl,servoff,diskoff,iso,volume,affgrp,backoff,vnfnics',
         isVnf: true,
         listAll: true
       }

utils/src/main/java/com/cloud/utils/script/Script.java

@@ -40,9 +40,11 @@ import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
 
 import org.apache.cloudstack.utils.security.KeyStoreUtils;
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -708,13 +710,31 @@ public class Script implements Callable<String> {
         return executeCommandForExitValue(0, command);
     }
 
+    private static void cleanupProcesses(AtomicReference<List<Process>> processesRef) {
+        List<Process> processes = processesRef.get();
+        if (CollectionUtils.isNotEmpty(processes)) {
+            for (Process process : processes) {
+                if (process == null) {
+                    continue;
+                }
+                LOGGER.trace(String.format("Cleaning up process [%s] from piped commands.", process.pid()));
+                IOUtils.closeQuietly(process.getErrorStream());
+                IOUtils.closeQuietly(process.getOutputStream());
+                IOUtils.closeQuietly(process.getInputStream());
+                process.destroyForcibly();
+            }
+        }
+    }
+
     public static Pair<Integer, String> executePipedCommands(List<String[]> commands, long timeout) {
         if (timeout <= 0) {
             timeout = DEFAULT_TIMEOUT;
         }
+        final AtomicReference<List<Process>> processesRef = new AtomicReference<>();
         Callable<Pair<Integer, String>> commandRunner = () -> {
             List<ProcessBuilder> builders = commands.stream().map(ProcessBuilder::new).collect(Collectors.toList());
             List<Process> processes = ProcessBuilder.startPipeline(builders);
+            processesRef.set(processes);
             Process last = processes.get(processes.size()-1);
             try (BufferedReader reader = new BufferedReader(new InputStreamReader(last.getInputStream()))) {
                 String line;
@@ -741,6 +761,8 @@ public class Script implements Callable<String> {
             result.second(ERR_TIMEOUT);
         } catch (InterruptedException | ExecutionException e) {
             LOGGER.error("Error executing piped commands", e);
+        } finally {
+            cleanupProcesses(processesRef);
         }
         return result;
     }

utils/src/main/java/com/cloud/utils/ssh/SshHelper.java

@@ -23,6 +23,8 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -40,6 +42,23 @@ public class SshHelper {
     private static final int DEFAULT_CONNECT_TIMEOUT = 180000;
     private static final int DEFAULT_KEX_TIMEOUT = 60000;
     private static final int DEFAULT_WAIT_RESULT_TIMEOUT = 120000;
+    private static final String MASKED_VALUE = "*****";
+
+    private static final Pattern[] SENSITIVE_COMMAND_PATTERNS = new Pattern[] {
+            Pattern.compile("(?i)(\\s+-p\\s+['\"])([^'\"]*)(['\"])"),
+            Pattern.compile("(?i)(\\s+-p\\s+)([^\\s]+)"),
+            Pattern.compile("(?i)(\\s+-p=['\"])([^'\"]*)(['\"])"),
+            Pattern.compile("(?i)(\\s+-p=)([^\\s]+)"),
+            Pattern.compile("(?i)(--password=['\"])([^'\"]*)(['\"])"),
+            Pattern.compile("(?i)(--password=)([^\\s]+)"),
+            Pattern.compile("(?i)(--password\\s+['\"])([^'\"]*)(['\"])"),
+            Pattern.compile("(?i)(--password\\s+)([^\\s]+)"),
+            Pattern.compile("(?i)(\\s+-u\\s+['\"][^,'\":]+[,:])([^'\"]*)(['\"])"),
+            Pattern.compile("(?i)(\\s+-u\\s+[^\\s,:]+[,:])([^\\s]+)"),
+            Pattern.compile("(?i)(\\s+-s\\s+['\"])([^'\"]*)(['\"])"),
+            Pattern.compile("(?i)(\\s+-s\\s+)([^\\s]+)"),
+
+    };
 
     protected static Logger LOGGER = LogManager.getLogger(SshHelper.class);
 
@@ -145,7 +164,7 @@ public class SshHelper {
     }
 
     public static void scpTo(String host, int port, String user, File pemKeyFile, String password, String remoteTargetDirectory, String[] localFiles, String fileMode,
-                             int connectTimeoutInMs, int kexTimeoutInMs) throws Exception {
+            int connectTimeoutInMs, int kexTimeoutInMs) throws Exception {
 
         com.trilead.ssh2.Connection conn = null;
         com.trilead.ssh2.SCPClient scpClient = null;
@@ -291,13 +310,16 @@ public class SshHelper {
             }
 
             if (sess.getExitStatus() == null) {
-                //Exit status is NOT available. Returning failure result.
-                LOGGER.error(String.format("SSH execution of command %s has no exit status set. Result output: %s", command, result));
+                // Exit status is NOT available. Returning failure result.
+                LOGGER.error(String.format("SSH execution of command %s has no exit status set. Result output: %s",
+                        sanitizeForLogging(command), sanitizeForLogging(result)));
                 return new Pair<Boolean, String>(false, result);
             }
 
             if (sess.getExitStatus() != null && sess.getExitStatus().intValue() != 0) {
-                LOGGER.error(String.format("SSH execution of command %s has an error status code in return. Result output: %s", command, result));
+                LOGGER.error(String.format(
+                        "SSH execution of command %s has an error status code in return. Result output: %s",
+                        sanitizeForLogging(command), sanitizeForLogging(result)));
                 return new Pair<Boolean, String>(false, result);
             }
             return new Pair<Boolean, String>(true, result);
@@ -366,4 +388,47 @@ public class SshHelper {
             throw new SshException(msg);
         }
     }
+
+    private static String sanitizeForLogging(String value) {
+        if (value == null) {
+            return null;
+        }
+        String masked = maskSensitiveValue(value);
+        String cleaned = com.cloud.utils.StringUtils.cleanString(masked);
+        if (StringUtils.isBlank(cleaned)) {
+            return masked;
+        }
+        return cleaned;
+    }
+
+    private static String maskSensitiveValue(String value) {
+        String masked = value;
+        for (Pattern pattern : SENSITIVE_COMMAND_PATTERNS) {
+            masked = replaceWithMask(masked, pattern);
+        }
+        return masked;
+    }
+
+    private static String replaceWithMask(String value, Pattern pattern) {
+        Matcher matcher = pattern.matcher(value);
+        if (!matcher.find()) {
+            return value;
+        }
+
+        StringBuffer buffer = new StringBuffer();
+        do {
+            StringBuilder replacement = new StringBuilder();
+            replacement.append(matcher.group(1));
+            if (matcher.groupCount() >= 3) {
+                replacement.append(MASKED_VALUE);
+                replacement.append(matcher.group(matcher.groupCount()));
+            } else {
+                replacement.append(MASKED_VALUE);
+            }
+            matcher.appendReplacement(buffer, Matcher.quoteReplacement(replacement.toString()));
+        } while (matcher.find());
+
+        matcher.appendTail(buffer);
+        return buffer.toString();
+    }
 }

utils/src/test/java/com/cloud/utils/ssh/SshHelperTest.java

@@ -21,6 +21,7 @@ package com.cloud.utils.ssh;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.lang.reflect.Method;
 
 import org.junit.Assert;
 import org.junit.Test;
@@ -140,4 +141,63 @@ public class SshHelperTest {
 
         Mockito.verify(conn).openSession();
     }
+
+    @Test
+    public void sanitizeForLoggingMasksShortPasswordFlag() throws Exception {
+        String command = "/opt/cloud/bin/script -v 10.0.0.1 -p superSecret";
+        String sanitized = invokeSanitizeForLogging(command);
+
+        Assert.assertTrue("Sanitized command should retain flag", sanitized.contains("-p *****"));
+        Assert.assertFalse("Sanitized command should not contain original password", sanitized.contains("superSecret"));
+    }
+
+    @Test
+    public void sanitizeForLoggingMasksQuotedPasswordFlag() throws Exception {
+        String command = "/opt/cloud/bin/script -v 10.0.0.1 -p \"super Secret\"";
+        String sanitized = invokeSanitizeForLogging(command);
+
+        Assert.assertTrue("Sanitized command should retain quoted flag", sanitized.contains("-p *****"));
+        Assert.assertFalse("Sanitized command should not contain original password",
+                sanitized.contains("super Secret"));
+    }
+
+    @Test
+    public void sanitizeForLoggingMasksLongPasswordAssignments() throws Exception {
+        String command = "tool --password=superSecret";
+        String sanitized = invokeSanitizeForLogging(command);
+
+        Assert.assertTrue("Sanitized command should retain assignment", sanitized.contains("--password=*****"));
+        Assert.assertFalse("Sanitized command should not contain original password", sanitized.contains("superSecret"));
+    }
+
+    @Test
+    public void sanitizeForLoggingMasksUsernamePasswordPairs() throws Exception {
+        String command = "/opt/cloud/bin/vpn_l2tp.sh -u alice,topSecret";
+        String sanitized = invokeSanitizeForLogging(command);
+
+        Assert.assertTrue("Sanitized command should retain username and mask password",
+                sanitized.contains("-u alice,*****"));
+        Assert.assertFalse("Sanitized command should not contain original password", sanitized.contains("topSecret"));
+    }
+
+    @Test
+    public void sanitizeForLoggingMasksUsernamePasswordPairsWithColon() throws Exception {
+        String command = "curl -u alice:topSecret https://example.com";
+        String sanitized = invokeSanitizeForLogging(command);
+
+        Assert.assertTrue("Sanitized command should retain username and mask password",
+                sanitized.contains("-u alice:*****"));
+        Assert.assertFalse("Sanitized command should not contain original password", sanitized.contains("topSecret"));
+    }
+
+    @Test
+    public void sanitizeForLoggingHandlesNullValues() throws Exception {
+        Assert.assertNull(invokeSanitizeForLogging(null));
+    }
+
+    private String invokeSanitizeForLogging(String value) throws Exception {
+        Method method = SshHelper.class.getDeclaredMethod("sanitizeForLogging", String.class);
+        method.setAccessible(true);
+        return (String) method.invoke(null, value);
+    }
 }