Author: fapeeler
Date: Mon Nov 21 20:59:46 2011
New Revision: 1204701

URL: http://svn.apache.org/viewvc?rev=1204701&view=rev
Log:
VCL-30

Updated firewall code to check for the user being logged in.
Confirm the correct IP address.
Update the database if needed.



Modified:
    incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
    incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm
    incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm

Modified: incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm Mon Nov 21 
20:59:46 2011
@@ -1058,6 +1058,52 @@ sub get_reservation_data {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 set_reservation_remote_ip
+
+ Parameters  : None
+ Returns     : string
+ Description : 
+
+=cut
+
+sub set_reservation_remote_ip {
+   my $self = shift;
+   my $reservation_id  = $self->get_reservation_id();
+       
+       my $new_remote_ip = shift;
+       
+       # Check to make sure reservation ID was passed
+   if (!$new_remote_ip) {
+        notify($ERRORS{'WARNING'}, 0, "new_remote_ip was not specified, 
returning self");
+        return 0;;
+   }
+
+       
+       my $update_statement = "
+                 UPDATE
+                 reservation
+                 SET
+                 remoteIP = \'$new_remote_ip\'
+                 WHERE
+                 id = \'$reservation_id\'
+                         ";
+
+        # Call the database execute subroutine
+        if (database_execute($update_statement)) {
+                # Update successful
+                notify($ERRORS{'OK'}, 0, "new remoteIP $new_remote_ip for 
reservation id $reservation_id updated");
+                return 1;
+        }
+        else {
+                notify($ERRORS{'CRITICAL'}, 0, "unable to update new remote ip 
for reservation id $reservation_id");
+                return 0;
+        }
+
+
+} ## end sub set_reservation_remote_ip
+
+#/////////////////////////////////////////////////////////////////////////////
+
 =head2 get_reservation_remote_ip
 
  Parameters  : None
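Review bot: `set_reservation_remote_ip` interpolates `$new_remote_ip` straight into the UPDATE statement, and in this commit that value originates from netstat output on the managed node (see the check_connection_on_port hunks), so the DataStructure layer should validate it rather than rely on each caller's capture regex; e.g. before building `$update_statement`: `if ($new_remote_ip !~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/) { notify($ERRORS{'WARNING'}, 0, "invalid remote IP: '$new_remote_ip'"); return 0; }` (use placeholders instead if `database_execute` supports them — not visible here). The POD says `Returns : string` while the sub returns 0 or 1, `Description` is empty, the comment `# Check to make sure reservation ID was passed` guards `$new_remote_ip`, and the warning text says "returning self" where the code does `return 0;;` (double semicolon). Note also that only the database row is updated, not the in-memory reservation data this object serves, which callers reading the IP back in the same process should know.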

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Mon Nov 21 
20:59:46 2011
@@ -3191,6 +3191,7 @@ sub check_connection_on_port {
        my $remote_ip                   = 
$self->data->get_reservation_remote_ip();
        my $computer_ip_address         = 
$self->data->get_computer_ip_address();
        my $request_state_name          = $self->data->get_request_state_name();
+       my $username = $self->data->get_user_login_id();
 
        my $port = shift;
        if (!$port) {
@@ -3220,9 +3221,21 @@ sub check_connection_on_port {
                          return $ret_val;
                      }
                      else {
-                         #this isn't the remoteIP
-                          $ret_val = "conn_wrong_ip";
-                         return $ret_val;
+                                                         my $new_remote_ip = 
$4;
+                         #this isn't the defined remoteIP
+                                                               # Confirm the 
user is logged in
+                                                               # Is user 
logged in
+                        if (!$self->user_logged_in()) {
+                           notify($ERRORS{'OK'}, 0, "Detected $new_remote_ip 
is connected. $username is not logged in yet. Returning no connection");
+                           $ret_val = "no";
+                           return $ret_val;
+                        }
+                        else { 
+                                                                               
  $self->data->set_reservation_remote_ip($new_remote_ip);       
+                                                                               
  notify($ERRORS{'OK'}, 0, "Updating reservation remote_ip with 
$new_remote_ip");
+                                                                               
  $ret_val = "conn_wrong_ip";
+                                                                               
  return $ret_val;
+                                                               }
                      }
                  }    # tcp check
        }
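Review bot: `my $new_remote_ip = $4;` at the top of the else branch stores capture 4 of the netstat match, while the Windows check_connection_on_port in this same commit stores `$2`; the Linux regex is outside this hunk, but if it is the same pattern as the Windows one (capture 2 = peer address, capture 4 = the literal `ESTABLISHED`), the string "ESTABLISHED" is what gets written to reservation.remoteIP and later passed to process_connect_methods. Confirm the capture index against the `if ($line =~ ...)` line just above and make both OS modules use the same one. The branch also makes a trust decision worth a comment: once any session for `$username` exists, whichever peer currently holds the established connection becomes the recorded remoteIP that reserved.pm then opens connect methods for, e.g. `# A session for the reservation user exists, so treat the connecting peer as the user's new address and persist it.` check_connection_on_port starts before this hunk.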
@@ -4225,6 +4238,57 @@ sub clean_iptables {
 
 }
 
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 user_logged_in
+
+ Parameters  : 
+ Returns     : 
+ Description : 
+
+=cut
+
+sub user_logged_in {
+   my $self = shift;
+   if (ref($self) !~ /linux/i) {
+      notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it 
must be called as a class method");
+      return;
+   }
+
+   my $management_node_keys = $self->data->get_management_node_keys();
+   my $computer_node_name   = $self->data->get_computer_node_name();
+
+   # Attempt to get the username from the arguments
+   # If no argument was supplied, use the user specified in the DataStructure
+   my $username = shift;
+
+   # Remove spaces from beginning and end of username argument
+   # Fixes problem if string containing only spaces is passed
+   $username =~ s/(^\s+|\s+$)//g if $username;
+
+   # Check if username argument was passed
+   if (!$username) {
+      $username = $self->data->get_user_login_id();
+   }
+   notify($ERRORS{'DEBUG'}, 0, "checking if $username is logged in to 
$computer_node_name");
+
+       my $cmd = "users";
+       my ($logged_in_status, $logged_in_output) = $self->execute($cmd);
+   if (!defined($logged_in_output)) {
+      notify($ERRORS{'WARNING'}, 0, "failed to run who command ");
+      return;
+   }
+   elsif (grep(/$username/i, @$logged_in_output)) {
+               notify($ERRORS{'DEBUG'}, 0, "username $username is logged into 
$computer_node_name\n" . join("\n", @$logged_in_output));
+               return 1;
+       
+       }
+       
+       
+       return 0;       
+
+}
+
 
 ##/////////////////////////////////////////////////////////////////////////////
 1;
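Review bot: `grep(/$username/i, @$logged_in_output)` is an unanchored, unescaped substring match against the space-separated `users` output, so a login id that is a substring of another account name on the node reports as logged in, and regex metacharacters in `$username` are interpreted as a pattern; compare whole tokens instead, `elsif (grep { lc($_) eq lc($username) } map { split ' ', $_ } @$logged_in_output) {`. The warning on the undefined-output path says "failed to run who command" but `$cmd` is `users`, and `$logged_in_status` is assigned but never checked. The POD block leaves `Parameters`, `Returns` and `Description` empty; at minimum document that an optional username argument overrides the DataStructure user and that the sub returns 1, 0, or undef when the command fails.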

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm Mon Nov 21 
20:59:46 2011
@@ -947,18 +947,18 @@ sub grant_access {
        # Set the $remote_ip_range variable to the string 'all' if it isn't 
already set (for display purposes)
        $remote_ip_range = 'all' if !$remote_ip_range;
        
-       if($self->process_connect_methods("0.0.0.0", 1) ){
+       if($self->process_connect_methods("", 1) ){
                notify($ERRORS{'OK'}, 0, "processed connection methods on 
$computer_node_name");
        }
 
        # Allow RDP connections
-       if ($self->firewall_enable_rdp($remote_ip_range)) {
-               notify($ERRORS{'OK'}, 0, "firewall was configured to allow RDP 
access from $remote_ip_range on $computer_node_name");
-       }
-       else {
-               notify($ERRORS{'WARNING'}, 0, "firewall could not be configured 
to grant RDP access from $remote_ip_range on $computer_node_name");
-               return 0;
-       }
+       #if ($self->firewall_enable_rdp($remote_ip_range)) {
+       #       notify($ERRORS{'OK'}, 0, "firewall was configured to allow RDP 
access from $remote_ip_range on $computer_node_name");
+       #}
+       #else {
+       #       notify($ERRORS{'WARNING'}, 0, "firewall could not be configured 
to grant RDP access from $remote_ip_range on $computer_node_name");
+       #       return 0;
+       #}
 
        # If this is an imaging request, make sure the Administrator account is 
enabled
        if ($request_forimaging) {
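Review bot: The `firewall_enable_rdp($remote_ip_range)` block is commented out rather than removed, and with it goes the only `return 0` on this path, so grant_access now succeeds even when no RDP rule was applied; if `process_connect_methods` is meant to take over that job, delete the dead block and say so in a comment, e.g. `# RDP access is now opened by process_connect_methods via the image's connect methods`. The argument change from `"0.0.0.0"` to `""` is undocumented and process_connect_methods is outside this hunk, so what an empty remote IP means (all sources? the connect method's default scope?) should be stated next to the call. `$remote_ip_range` is now computed only for display. grant_access starts before this hunk.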
@@ -10611,39 +10611,50 @@ sub check_connection_on_port {
         my $computer_node_name         = $self->data->get_computer_node_name();
         my $remote_ip                  = 
$self->data->get_reservation_remote_ip();
         my $computer_ip_address        = 
$self->data->get_computer_ip_address();
-       my $request_state_name          = $self->data->get_request_state_name();
+                 my $request_state_name          = 
$self->data->get_request_state_name();
 
-        my $port = shift;
-        if (!$port) {
-                notify($ERRORS{'WARNING'}, 0, "port variable was not passed as 
an argument");
-                return "failed";
-        }
-       
-       my $ret_val = "no";
-        my $command = "netstat -an";
-        my ($status, $output) = run_ssh_command($computer_node_name, 
$management_node_keys, $command, '', '', 1);
-        notify($ERRORS{'DEBUG'}, 0, "checking connections on node 
$computer_node_name on port $port");
-        foreach my $line (@{$output}) {
-                if ($line =~ /Connection refused|Permission denied/) {
-                    chomp($line);
-                    notify($ERRORS{'WARNING'}, 0, "$line");
-                    if ($request_state_name =~ /reserved/) {
-                        $ret_val = "failed";
-                    }
-                    else {
-                         $ret_val = "timeout";
-                    }
-                    return $ret_val;
-                 } ## end if ($line =~ /Connection refused|Permission denied/)
-               if ($line =~ 
/\s+($computer_ip_address:$port)\s+([.0-9]*):([0-9]*)\s+(ESTABLISHED)/) {
+                 my $port = shift;
+                 if (!$port) {
+                                        notify($ERRORS{'WARNING'}, 0, "port 
variable was not passed as an argument");
+                                        return "failed";
+                 }
+
+                 my $ret_val = "no";
+                 my $command = "netstat -an";
+                 my ($status, $output) = run_ssh_command($computer_node_name, 
$management_node_keys, $command, '', '', 1);
+                 notify($ERRORS{'DEBUG'}, 0, "checking connections on node 
$computer_node_name on port $port");
+                 foreach my $line (@{$output}) {
+                                        if ($line =~ /Connection 
refused|Permission denied/) {
+                                                 chomp($line);
+                                                 notify($ERRORS{'WARNING'}, 0, 
"$line");
+                                                 if ($request_state_name =~ 
/reserved/) {
+                                                               $ret_val = 
"failed";
+                                                 }
+                                                 else {
+                                                                $ret_val = 
"timeout";
+                                                 }
+                                                 return $ret_val;
+                                         } ## end if ($line =~ /Connection 
refused|Permission denied/)
+                                        if ($line =~ 
/\s+($computer_ip_address:$port)\s+([.0-9]*):([0-9]*)\s+(ESTABLISHED)/) {
                      if ($2 eq $remote_ip) {
                          $ret_val = "connected";
                          return $ret_val;
                      }
                      else {
                           #this isn't the remoteIP
-                          $ret_val = "conn_wrong_ip";
-                          return $ret_val;
+                                                               # Is user 
logged in
+                                                               if 
(!$self->user_logged_in()) {
+                                                                       
notify($ERRORS{'OK'}, 0, "Detected $4 is connected. user is not logged in yet. 
Returning no connection");
+                                                                       
$ret_val = "no";
+                                                                       return 
$ret_val;
+                                                               }
+                                                               else {
+                                                                               
my $new_remote_ip = $2;
+                                                                               
  $self->data->set_reservation_remote_ip($new_remote_ip);  
+                                                                               
  notify($ERRORS{'OK'}, 0, "Updating reservation remote_ip with 
$new_remote_ip");
+                                                                               
  $ret_val = "conn_wrong_ip";
+                                                                               
  return $ret_val;
+                                                               }
                      }
                  }    # tcp check
         }
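Review bot: The new log line `"Detected $4 is connected. user is not logged in yet..."` prints capture 4 of the regex on the `if ($line =~ ...)` line, which is the literal `ESTABLISHED`; the peer address is capture 2, as the else branch itself uses (`my $new_remote_ip = $2;`). Assign `my $new_remote_ip = $2;` once before the `user_logged_in` check and use it in both branches, so the message reads `"Detected $new_remote_ip is connected. user is not logged in yet. Returning no connection"`. The hunk also re-indents the whole body with mixed tabs and spaces, which turns a ten-line logic change into a fifty-line diff and hides it from review; keep the file's indentation. `$status` from run_ssh_command is still ignored, so a failed netstat is indistinguishable from "no connection". check_connection_on_port starts before this hunk.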
@@ -10652,6 +10663,93 @@ sub check_connection_on_port {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 firewall_compare_update
+
+ Parameters  : $node,$reote_IP, $identity, $type
+ Returns     : 0 or 1 (nochange or updated)
+ Description : compares and updates the firewall for rdp port, specfically for 
windows
+                                        Currently only handles windows and 
allows two seperate scopes
+
+=cut
+
+sub firewall_compare_update {
+   my $self = shift;
+   if (ref($self) !~ /windows/i) {
+      notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it 
must be called as a class method");
+      return;
+   }
+  
+   my $computer_node_name = $self->data->get_computer_node_name();
+   my $imagerevision_id   = $self->data->get_imagerevision_id();
+   my $remote_ip          = $self->data->get_reservation_remote_ip();
+  
+   #collect connection_methods
+   #collect firewall_config
+   #For each port defined in connection_methods
+   #compare rule source address with remote_IP address
+       notify($ERRORS{'OK'}, 0, "pulling connect methods");
+  
+   # Retrieve the connect method info hash
+   my $connect_method_info = get_connect_method_info($imagerevision_id);
+   if (!$connect_method_info) {
+      notify($ERRORS{'WARNING'}, 0, "no connect methods are configured for 
image revision $imagerevision_id");
+      return;
+   }
+
+   # Retrieve the firewall configuration
+   my $firewall_configuration = $self->get_firewall_configuration() || return;
+
+   for my $connect_method_id (sort keys %{$connect_method_info} ) {
+               
+      my $name            = $connect_method_info->{$connect_method_id}{name};
+      my $description     = 
$connect_method_info->{$connect_method_id}{description};
+      my $protocol        = 
$connect_method_info->{$connect_method_id}{protocol} || 'TCP';
+      my $port            = $connect_method_info->{$connect_method_id}{port};
+      my $scope;
+               
+               next if ( !$port );
+
+     # $protocol = lc($protocol);
+
+               my $existing_scope = 
$firewall_configuration->{$protocol}{$port}{scope} || '';
+               if(!$existing_scope ) {
+                       notify($ERRORS{'WARNING'}, 0, "No existing scope 
defined for protocol= $protocol port= $port ");
+                       return 1;
+      }
+               else {
+            my $parsed_existing_scope = 
$self->parse_firewall_scope($existing_scope);
+            if (!$parsed_existing_scope) {
+                notify($ERRORS{'WARNING'}, 0, "failed to parse existing 
firewall scope: '$existing_scope'");
+                return;
+            }
+            $scope = $self->parse_firewall_scope("$remote_ip,$existing_scope");
+            if (!$scope) {
+                notify($ERRORS{'WARNING'}, 0, "failed to parse firewall scope 
argument appended with existing scope: '$remote_ip,$existing_scope'");
+                return;
+            }
+
+            if ($scope eq $parsed_existing_scope) {
+                notify($ERRORS{'DEBUG'}, 0, "firewall is already open on 
$computer_node_name, existing scope matches scope argument:\n" .
+               "name: '$name'\n" .
+               "protocol: $protocol\n" .
+               "port/type: $port\n" .
+               "scope: $scope\n");
+                return 1;
+            }
+                               else {
+               if ($self->enable_firewall_port($protocol, $port, 
"$remote_ip/24", 0)) {
+                   notify($ERRORS{'OK'}, 0, "opened firewall port $port on 
$computer_node_name for $remote_ip $name connect method");
+               }
+            }
+                       }
+       
+       }
+       return 1;
+
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 1;
 __END__
 
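Review bot: `enable_firewall_port($protocol, $port, "$remote_ip/24", 0)` opens the connect-method port to the entire /24 containing the user's address, although the comparison a few lines above was made against `$remote_ip` alone, so up to 254 other hosts are admitted; if the /24 is a deliberate allowance for NAT pools, say so in a comment, otherwise pass `$remote_ip`. Because the scope being written differs from the one being compared, I would also expect `$scope eq $parsed_existing_scope` to stay false on later polls and the rule to be re-applied each time — worth confirming against parse_firewall_scope. The `return 1` inside `if(!$existing_scope)` stops the loop at the first connect method without a scope and reports success for the rest; `next` looks intended. A failed `enable_firewall_port` is not logged and the sub still returns 1; `$description` is unused; the POD parameter line lists `$node,$reote_IP, $identity, $type` but the sub takes no arguments.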

Modified: incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/inuse.pm Mon Nov 21 20:59:46 2011
@@ -188,16 +188,14 @@ sub process {
        if ($request_checktime eq "poll") {
                notify($ERRORS{'OK'}, 0, "beginning to poll");
 
+                               notify($ERRORS{'OK'}, 0, "confirming firewall 
scope needs to be updated");
                if ($self->os->can('firewall_compare_update')) {
          if ($self->os->firewall_compare_update()) {
                                notify($ERRORS{'OK'}, 0, "confirmed firewall 
scope has been updated");
                        }
                }       
-               
-               if ($image_os_type =~ /windows/) {
-                       if (firewall_compare_update($computer_nodename, 
$reservation_remoteip, $identity_key, $image_os_type)) {
-                               notify($ERRORS{'OK'}, 0, "confirmed firewall 
scope has been updated");
-                       }
+               else {
+                       notify($ERRORS{'OK'}, 0, "OS does not support 
firewall_compare_update");
                }
                
                # Check the imagemeta checkuser flag, request forimaging flag, 
and if cluster request
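Review bot: A false return from `firewall_compare_update` — it returns undef on every failure path in the Windows hunk — produces no log line here, so a firewall that could not be updated is silent during polling; add `else { notify($ERRORS{'WARNING'}, 0, "firewall_compare_update failed, remote IP may not be allowed through the firewall"); }` after the inner `if`. The new "confirming firewall scope" notify is indented to a different column than the surrounding block. process starts before this hunk.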

Modified: incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm?rev=1204701&r1=1204700&r2=1204701&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/reserved.pm Mon Nov 21 20:59:46 
2011
@@ -371,6 +371,8 @@ sub process {
 
        elsif ($retval_conn eq "conn_wrong_ip") {
                # does the same as above, until we make a firm decision as to 
how to handle this
+               #update remote_ip
+               $remote_ip = $self->data->get_reservation_remote_ip();
 
                if($self->os->process_connect_methods($remote_ip, 1)) {
          notify($ERRORS{'OK'}, 0, "process_connect_methods return successfully 
 $remote_ip $nodename");
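Review bot: `$remote_ip = $self->data->get_reservation_remote_ip();` assumes the getter returns the address just stored by `set_reservation_remote_ip`, but in this commit that setter only runs an UPDATE against the database (DataStructure.pm hunk) and does not touch the in-memory reservation data; unless get_reservation_remote_ip re-queries the database — not visible here — `$remote_ip` still holds the old address and process_connect_methods opens the firewall for the stale IP. Confirm the getter's source, or have set_reservation_remote_ip also update the data structure it reads from. The preceding comment `# does the same as above, until we make a firm decision as to how to handle this` no longer describes this branch and should be updated, e.g. `# remote IP was re-learned from the established connection; reopen connect methods for it`. process starts before this hunk.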

