
Example 6 with RemoteAccessVpn

use of com.cloud.network.RemoteAccessVpn in project cloudstack by apache.

the class VpcVirtualRouterElementTest method testApplyVpnUsersException2.

@Test
public void testApplyVpnUsersException2() {
    vpcVirtualRouterElement._vpcRouterMgr = _vpcRouterMgr;
    final AdvancedNetworkTopology advancedNetworkTopology = Mockito.mock(AdvancedNetworkTopology.class);
    final BasicNetworkTopology basicNetworkTopology = Mockito.mock(BasicNetworkTopology.class);
    networkTopologyContext.setAdvancedNetworkTopology(advancedNetworkTopology);
    networkTopologyContext.setBasicNetworkTopology(basicNetworkTopology);
    networkTopologyContext.init();
    final RemoteAccessVpn remoteAccessVpn = Mockito.mock(RemoteAccessVpn.class);
    final List<VpnUser> users = new ArrayList<VpnUser>();
    final Long vpcId = 1L;
    when(remoteAccessVpn.getVpcId()).thenReturn(vpcId);
    // No routers exist for the VPC: applyVpnUsers must report "nothing applied" by returning null,
    // not by throwing ResourceUnavailableException
    when(_vpcRouterMgr.getVpcRouters(vpcId)).thenReturn(null);
    try {
        final String[] results = vpcVirtualRouterElement.applyVpnUsers(remoteAccessVpn, users);
        assertNull(results);
    } catch (final ResourceUnavailableException e) {
        fail(e.getMessage());
    }
    // The VPC id must have been looked up exactly once to find the routers
    verify(remoteAccessVpn, times(1)).getVpcId();
}
Also used : BasicNetworkTopology(org.apache.cloudstack.network.topology.BasicNetworkTopology) VpnUser(com.cloud.network.VpnUser) ArrayList(java.util.ArrayList) ResourceUnavailableException(com.cloud.exception.ResourceUnavailableException) AdvancedNetworkTopology(org.apache.cloudstack.network.topology.AdvancedNetworkTopology) RemoteAccessVpn(com.cloud.network.RemoteAccessVpn) Test(org.junit.Test)

Example 7 with RemoteAccessVpn

use of com.cloud.network.RemoteAccessVpn in project cosmic by MissionCriticalCloud.

the class NetworkOrchestrator method reprogramNetworkRules.

// This method re-programs the rules/ips for an existing network (used on network restart).
// Every step is attempted even when an earlier one fails: a failure only clears `success`
// and is logged at WARN, so the caller gets a single boolean and the router may be left
// with a partially applied rule set.
protected boolean reprogramNetworkRules(final long networkId, final Account caller, final Network network) throws ResourceUnavailableException {
    boolean success = true;
    // Apply egress rules first to effect the egress policy early on the guest traffic
    final List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
    final Zone zone = _zoneRepository.findOne(network.getDataCenterId());
    // Isolated networks always get the default egress rule; Shared networks only in Advanced zones
    if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
            && (network.getGuestType() == GuestType.Isolated
                || (network.getGuestType() == GuestType.Shared && zone.getNetworkType() == com.cloud.model.enumeration.NetworkType.Advanced))) {
        // add the default egress rule according to the offering's egress default policy (allow or deny)
        _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true);
    }
    if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
        s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }
    // associate all ip addresses
    if (!_ipAddrMgr.applyIpAssociations(network, false)) {
        s_logger.warn("Failed to apply ip addresses as a part of network id=" + networkId + " restart");
        success = false;
    }
    // apply static nat (the 1:1 public-to-private IP mappings; the per-port rules come later)
    if (!_rulesMgr.applyStaticNatsForNetwork(networkId, false, caller)) {
        s_logger.warn("Failed to apply static nats as a part of network id=" + networkId + " restart");
        success = false;
    }
    // apply ingress firewall rules
    final List<FirewallRuleVO> firewallIngressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Ingress);
    if (!_firewallMgr.applyFirewallRules(firewallIngressRulesToApply, false, caller)) {
        s_logger.warn("Failed to reapply Ingress firewall rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }
    // apply port forwarding rules
    if (!_rulesMgr.applyPortForwardingRulesForNetwork(networkId, false, caller)) {
        s_logger.warn("Failed to reapply port forwarding rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }
    // apply static nat rules
    if (!_rulesMgr.applyStaticNatRulesForNetwork(networkId, false, caller)) {
        s_logger.warn("Failed to reapply static nat rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }
    // apply public load balancer rules
    if (!_lbMgr.applyLoadBalancersForNetwork(networkId, Scheme.Public)) {
        s_logger.warn("Failed to reapply Public load balancer rules as a part of network id=" + networkId + " restart");
        success = false;
    }
    // apply vpn rules
    final List<? extends RemoteAccessVpn> vpnsToReapply = _vpnMgr.listRemoteAccessVpns(networkId);
    if (vpnsToReapply != null) {
        for (final RemoteAccessVpn vpn : vpnsToReapply) {
            // Start remote access vpn per ip; startRemoteAccessVpn returns null on failure
            if (_vpnMgr.startRemoteAccessVpn(vpn.getServerAddressId(), false) == null) {
                s_logger.warn("Failed to reapply vpn rules as a part of network id=" + networkId + " restart");
                success = false;
            }
        }
    }
    // apply network ACLs
    if (!_networkACLMgr.applyACLToNetwork(networkId)) {
        s_logger.warn("Failed to reapply network ACLs as a part of network id=" + networkId + " restart");
        success = false;
    }
    return success;
}
Also used : Zone(com.cloud.db.model.Zone) NetworkOfferingVO(com.cloud.offerings.NetworkOfferingVO) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO) RemoteAccessVpn(com.cloud.network.RemoteAccessVpn)

Example 8 with RemoteAccessVpn

use of com.cloud.network.RemoteAccessVpn in project cosmic by MissionCriticalCloud.

the class CommandSetupHelper method configureRemoteAccessVpn.

private void configureRemoteAccessVpn(final VirtualRouter router, final RemoteAccessVpn remoteAccessVpnToExclude, final NetworkOverviewTO.VPNTO vpnTO) {
    // There is one remote-access VPN per account and VPC; the caller may pass the VPN being
    // removed as remoteAccessVpnToExclude so that it is left out of the overview sent to the router
    final RemoteAccessVpnVO vpn = _remoteAccessVpnDao.findByAccountAndVpc(router.getAccountId(), router.getVpcId());
    if (vpn != null && !vpn.equals(remoteAccessVpnToExclude)) {
        final NetworkOverviewTO.VPNTO.RemoteAccessTO remoteAccessTO = new NetworkOverviewTO.VPNTO.RemoteAccessTO();
        final IpAddress serverIp = _networkModel.getIp(vpn.getServerAddressId());
        remoteAccessTO.setVpnServerIp(serverIp.getAddress().addr());
        // The IPsec pre-shared key, the client address pool and the server's local address
        // all travel to the router inside the network overview
        remoteAccessTO.setPreSharedKey(vpn.getIpsecPresharedKey());
        remoteAccessTO.setIpRange(vpn.getIpRange());
        remoteAccessTO.setLocalIp(vpn.getLocalIp());
        final Vpc vpc = _vpcDao.findById(vpn.getVpcId());
        remoteAccessTO.setLocalCidr(vpc.getCidr());
        // Only users in state Add or Active are pushed, with username and password as stored;
        // users in any other state are omitted so the router drops them
        remoteAccessTO.setVpnUsers(_vpnUsersDao.listByAccount(vpn.getAccountId()).stream()
                .filter(vpnUser -> VpnUser.State.Add.equals(vpnUser.getState()) || VpnUser.State.Active.equals(vpnUser.getState()))
                .map(vpnUser -> new NetworkOverviewTO.VPNTO.RemoteAccessTO.VPNUserTO(vpnUser.getUsername(), vpnUser.getPassword()))
                .toArray(NetworkOverviewTO.VPNTO.RemoteAccessTO.VPNUserTO[]::new));
        vpnTO.setRemoteAccess(remoteAccessTO);
    }
}
Also used : NetworkModel(com.cloud.network.NetworkModel) Site2SiteVpnGatewayDao(com.cloud.network.dao.Site2SiteVpnGatewayDao) NetworkACLTO(com.cloud.agent.api.to.NetworkACLTO) SetPortForwardingRulesVpcCommand(com.cloud.agent.api.routing.SetPortForwardingRulesVpcCommand) SetPortForwardingRulesCommand(com.cloud.agent.api.routing.SetPortForwardingRulesCommand) UpdateNetworkOverviewCommand(com.cloud.agent.api.UpdateNetworkOverviewCommand) Site2SiteVpnGatewayVO(com.cloud.network.dao.Site2SiteVpnGatewayVO) StaticRouteProfile(com.cloud.network.vpc.StaticRouteProfile) PortForwardingRule(com.cloud.network.rules.PortForwardingRule) ServiceOfferingDao(com.cloud.service.dao.ServiceOfferingDao) VlanDao(com.cloud.dc.dao.VlanDao) Map(java.util.Map) TrafficType(com.cloud.network.Networks.TrafficType) ZoneRepository(com.cloud.db.repository.ZoneRepository) StaticNatRule(com.cloud.network.rules.StaticNatRule) NetworkACLItem(com.cloud.network.vpc.NetworkACLItem) URI(java.net.URI) Ip(com.cloud.utils.net.Ip) StaticNatRuleTO(com.cloud.agent.api.to.StaticNatRuleTO) Config(com.cloud.configuration.Config) StringUtils(com.cloud.utils.StringUtils) SavePasswordCommand(com.cloud.agent.api.routing.SavePasswordCommand) NetworkACLItemVO(com.cloud.network.vpc.NetworkACLItemVO) Network(com.cloud.network.Network) LbDestination(com.cloud.network.lb.LoadBalancingRule.LbDestination) RemoteAccessVpnVO(com.cloud.network.dao.RemoteAccessVpnVO) Commands(com.cloud.agent.manager.Commands) IpAddress(com.cloud.network.IpAddress) NicVO(com.cloud.vm.NicVO) NetworkOfferingVO(com.cloud.offerings.NetworkOfferingVO) Site2SiteCustomerGatewayVO(com.cloud.network.dao.Site2SiteCustomerGatewayVO) Collectors(java.util.stream.Collectors) SetPublicIpACLCommand(com.cloud.agent.api.routing.SetPublicIpACLCommand) List(java.util.List) ServiceOfferingVO(com.cloud.service.ServiceOfferingVO) FirewallRuleTO(com.cloud.agent.api.to.FirewallRuleTO) VpcGateway(com.cloud.network.vpc.VpcGateway) 
RemoteAccessVpnDao(com.cloud.network.dao.RemoteAccessVpnDao) VirtualMachineManager(com.cloud.vm.VirtualMachineManager) PortForwardingRuleTO(com.cloud.agent.api.to.PortForwardingRuleTO) VpnUserDao(com.cloud.network.dao.VpnUserDao) NetUtils(com.cloud.utils.net.NetUtils) NetworkOverviewTO(com.cloud.agent.api.to.overviews.NetworkOverviewTO) NumbersUtil(com.cloud.utils.NumbersUtil) LbStickinessPolicy(com.cloud.network.lb.LoadBalancingRule.LbStickinessPolicy) VirtualMachine(com.cloud.vm.VirtualMachine) VirtualMachineProfile(com.cloud.vm.VirtualMachineProfile) StaticNat(com.cloud.network.rules.StaticNat) NetworkElementCommand(com.cloud.agent.api.routing.NetworkElementCommand) BroadcastDomainType(com.cloud.network.Networks.BroadcastDomainType) FirewallRule(com.cloud.network.rules.FirewallRule) Zone(com.cloud.db.model.Zone) HashMap(java.util.HashMap) SetupVRCommand(com.cloud.agent.api.SetupVRCommand) NetworkDao(com.cloud.network.dao.NetworkDao) Purpose(com.cloud.network.rules.FirewallRule.Purpose) Nic(com.cloud.vm.Nic) NicProfile(com.cloud.vm.NicProfile) ArrayList(java.util.ArrayList) Inject(javax.inject.Inject) LoadBalancerConfigCommand(com.cloud.agent.api.routing.LoadBalancerConfigCommand) VlanVO(com.cloud.dc.VlanVO) ConfigurationDao(com.cloud.framework.config.dao.ConfigurationDao) IPAddressVO(com.cloud.network.dao.IPAddressVO) DomainRouterVO(com.cloud.vm.DomainRouterVO) VMOverviewTO(com.cloud.agent.api.to.overviews.VMOverviewTO) NetworkVO(com.cloud.network.dao.NetworkVO) SetStaticNatRulesCommand(com.cloud.agent.api.routing.SetStaticNatRulesCommand) Qualifier(org.springframework.beans.factory.annotation.Qualifier) SetFirewallRulesCommand(com.cloud.agent.api.routing.SetFirewallRulesCommand) Site2SiteVpnConnection(com.cloud.network.Site2SiteVpnConnection) IPAddressDao(com.cloud.network.dao.IPAddressDao) DomainRouterDao(com.cloud.vm.dao.DomainRouterDao) FirewallRulesDao(com.cloud.network.dao.FirewallRulesDao) 
Site2SiteVpnConnectionDao(com.cloud.network.dao.Site2SiteVpnConnectionDao) NicTO(com.cloud.agent.api.to.NicTO) LoadBalancingRule(com.cloud.network.lb.LoadBalancingRule) NetworkACLItemDao(com.cloud.network.vpc.NetworkACLItemDao) Vpc(com.cloud.network.vpc.Vpc) UpdateVmOverviewCommand(com.cloud.agent.api.UpdateVmOverviewCommand) Site2SiteVpnConnectionVO(com.cloud.network.dao.Site2SiteVpnConnectionVO) UserVmDao(com.cloud.vm.dao.UserVmDao) NicDao(com.cloud.vm.dao.NicDao) RemoteAccessVpn(com.cloud.network.RemoteAccessVpn) Site2SiteCustomerGatewayDao(com.cloud.network.dao.Site2SiteCustomerGatewayDao) StaticRouteDao(com.cloud.network.vpc.dao.StaticRouteDao) PublicIpAddress(com.cloud.network.PublicIpAddress) NetworkOffering(com.cloud.offering.NetworkOffering) LoadBalancerTO(com.cloud.agent.api.to.LoadBalancerTO) UserVmVO(com.cloud.vm.UserVmVO) SetNetworkACLCommand(com.cloud.agent.api.routing.SetNetworkACLCommand) PublicIpACLTO(com.cloud.agent.api.to.PublicIpACLTO) VpcDao(com.cloud.network.vpc.dao.VpcDao) NetworkOfferingDao(com.cloud.offerings.dao.NetworkOfferingDao) VpnUser(com.cloud.network.VpnUser) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO) RemoteAccessVpnVO(com.cloud.network.dao.RemoteAccessVpnVO) NetworkOverviewTO(com.cloud.agent.api.to.overviews.NetworkOverviewTO) Vpc(com.cloud.network.vpc.Vpc) IpAddress(com.cloud.network.IpAddress) PublicIpAddress(com.cloud.network.PublicIpAddress)

Example 9 with RemoteAccessVpn

use of com.cloud.network.RemoteAccessVpn in project cosmic by MissionCriticalCloud.

the class RemoteAccessVpnManagerImpl method createRemoteAccessVpn.

@Override
@DB
public RemoteAccessVpn createRemoteAccessVpn(final long publicIpId, String ipRange, boolean openFirewall, final Boolean forDisplay) throws NetworkRuleConflictException {
    final CallContext ctx = CallContext.current();
    final Account caller = ctx.getCallingAccount();
    final Long networkId;
    // make sure ip address exists
    final PublicIpAddress ipAddr = _networkMgr.getPublicIpAddress(publicIpId);
    if (ipAddr == null) {
        throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id " + publicIpId);
    }
    // authorization: the caller must own (or be allowed to manage) this public IP
    _accountMgr.checkAccess(caller, null, true, ipAddr);
    if (!ipAddr.readyToUse()) {
        throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress());
    }
    final IPAddressVO ipAddress = _ipAddressDao.findById(publicIpId);
    networkId = ipAddress.getAssociatedWithNetworkId();
    if (networkId != null) {
        _networkMgr.checkIpForService(ipAddress, Service.Vpn, null);
    }
    final Long vpcId = ipAddress.getVpcId();
    /* IP Address used for VPC must be the source NAT IP of whole VPC */
    if (vpcId != null && ipAddress.isSourceNat()) {
        // Java assertions are disabled unless the JVM runs with -ea, so this documents the invariant rather than enforcing it
        assert networkId == null;
        // No firewall setting for VPC, it would be open internally
        openFirewall = false;
    }
    final boolean openFirewallFinal = openFirewall;
    if (networkId == null && vpcId == null) {
        throw new InvalidParameterValueException("Unable to create remote access vpn for the ipAddress: " + ipAddr.getAddress().addr() + " as ip is not associated with any network or VPC");
    }
    RemoteAccessVpnVO vpnVO = _remoteAccessVpnDao.findByPublicIpAddress(publicIpId);
    if (vpnVO != null) {
        // if vpn is in Added state, return it to the api
        if (vpnVO.getState() == RemoteAccessVpn.State.Added) {
            return vpnVO;
        }
        throw new InvalidParameterValueException("A Remote Access VPN already exists for this public Ip address");
    }
    if (ipRange == null) {
        ipRange = RemoteAccessVpnClientIpRange.valueIn(ipAddr.getAccountId());
    }
    final String[] range = ipRange.split("-");
    if (range.length != 2) {
        throw new InvalidParameterValueException("Invalid ip range");
    }
    if (!NetUtils.isValidIp4(range[0]) || !NetUtils.isValidIp4(range[1])) {
        throw new InvalidParameterValueException("Invalid ip in range specification " + ipRange);
    }
    if (!NetUtils.validIpRange(range[0], range[1])) {
        throw new InvalidParameterValueException("Invalid ip range " + ipRange);
    }
    final Pair<String, Integer> cidr;
    // TODO: assumes one virtual network / domr per account per zone
    if (networkId != null) {
        vpnVO = _remoteAccessVpnDao.findByAccountAndNetwork(ipAddr.getAccountId(), networkId);
        if (vpnVO != null) {
            // if vpn is in Added state, return it to the api
            if (vpnVO.getState() == RemoteAccessVpn.State.Added) {
                return vpnVO;
            }
            throw new InvalidParameterValueException("A Remote Access VPN already exists for this account");
        }
        // Verify that vpn service is enabled for the network
        final Network network = _networkMgr.getNetwork(networkId);
        if (!_networkMgr.areServicesSupportedInNetwork(network.getId(), Service.Vpn)) {
            throw new InvalidParameterValueException("Vpn service is not supported in network id=" + ipAddr.getAssociatedWithNetworkId());
        }
        cidr = NetUtils.getCidr(network.getCidr());
    } else {
        // Don't need to check VPC because there is only one IP(source NAT IP) available for VPN
        final Vpc vpc = _vpcDao.findById(vpcId);
        cidr = NetUtils.getCidr(vpc.getCidr());
    }
    // FIXME: This check won't work for the case where the guest ip range
    // changes depending on the vlan allocated.
    final String[] guestIpRange = NetUtils.getIpRangeFromCidr(cidr.first(), cidr.second());
    if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) {
        throw new InvalidParameterValueException("Invalid ip range: " + ipRange + " overlaps with guest ip range " + guestIpRange[0] + "-" + guestIpRange[1]);
    }
    // TODO: check sufficient range
    // TODO: check overlap with private and public ip ranges in datacenter
    // The first address of the range is kept for the VPN server's own endpoint (passed as localIp below);
    // clients are assigned from the remainder
    long startIp = NetUtils.ip2Long(range[0]);
    final String newIpRange = NetUtils.long2Ip(++startIp) + "-" + range[1];
    // The IPsec pre-shared key is generated server side at the configured length (_pskLength)
    final String sharedSecret = PasswordGenerator.generatePresharedKey(_pskLength);
    return Transaction.execute(new TransactionCallbackWithException<RemoteAccessVpn, NetworkRuleConflictException>() {

        @Override
        public RemoteAccessVpn doInTransaction(final TransactionStatus status) throws NetworkRuleConflictException {
            // For an isolated network, reserve the L2TP/IPsec UDP ports (IKE, L2TP and NAT-T) on the public IP
            // and, if requested, open them in the firewall; a VPC uses its source NAT IP and skips this
            if (vpcId == null) {
                _rulesMgr.reservePorts(ipAddr, NetUtils.UDP_PROTO, Purpose.Vpn, openFirewallFinal, caller, NetUtils.VPN_PORT, NetUtils.VPN_L2TP_PORT, NetUtils.VPN_NATT_PORT);
            }
            final RemoteAccessVpnVO vpnVO = new RemoteAccessVpnVO(ipAddr.getAccountId(), ipAddr.getDomainId(), ipAddr.getAssociatedWithNetworkId(), publicIpId, vpcId, range[0], newIpRange, sharedSecret);
            if (forDisplay != null) {
                vpnVO.setDisplay(forDisplay);
            }
            return _remoteAccessVpnDao.persist(vpnVO);
        }
    });
}
Also used : Account(com.cloud.user.Account) RemoteAccessVpnVO(com.cloud.network.dao.RemoteAccessVpnVO) Vpc(com.cloud.network.vpc.Vpc) TransactionStatus(com.cloud.utils.db.TransactionStatus) CallContext(com.cloud.context.CallContext) NetworkRuleConflictException(com.cloud.exception.NetworkRuleConflictException) PublicIpAddress(com.cloud.network.PublicIpAddress) InvalidParameterValueException(com.cloud.utils.exception.InvalidParameterValueException) Network(com.cloud.network.Network) IPAddressVO(com.cloud.network.dao.IPAddressVO) RemoteAccessVpn(com.cloud.network.RemoteAccessVpn) DB(com.cloud.utils.db.DB)
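The range handling in createRemoteAccessVpn above (split on "-", reject malformed or inverted ranges, reject overlap with the guest CIDR, reserve the first address for the server, generate a pre-shared key) is spread across NetUtils calls that the page does not show. The following is an added, standalone example that is not CloudStack or Cosmic code: it re-implements those checks with only the JDK, and also fills the "check sufficient range" TODO with a minimum client count (the `minClients` parameter is an assumption, not a project setting). The input values and the PSK alphabet are constructed for the example; the CloudStack PSK generator and the real NetUtils validators are not reproduced here.

```java
import java.security.SecureRandom;

/** Standalone check of the client IP range for a remote-access VPN (example, not CloudStack code). */
public final class VpnClientRangeCheck {
    // Alphabet is an assumption for this example; CloudStack's PasswordGenerator is not reproduced here
    private static final String PSK_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RNG = new SecureRandom();

    /** Parses a dotted-quad IPv4 address into an unsigned 32-bit value; null if malformed. */
    static Long ip2Long(String ip) {
        String[] parts = ip.split("\\.", -1);
        if (parts.length != 4) return null;
        long value = 0;
        for (String p : parts) {
            if (p.isEmpty() || p.length() > 3 || !p.chars().allMatch(Character::isDigit)) return null;
            int octet = Integer.parseInt(p);
            if (octet > 255) return null;
            value = (value << 8) | octet;
        }
        return value;
    }

    static String long2Ip(long v) {
        return ((v >> 24) & 0xff) + "." + ((v >> 16) & 0xff) + "." + ((v >> 8) & 0xff) + "." + (v & 0xff);
    }

    /** First and last address of a CIDR block, e.g. 10.1.1.0/24 -> [10.1.1.0, 10.1.1.255]. */
    static long[] cidrToRange(String cidr) {
        String[] parts = cidr.split("/");
        Long base = parts.length == 2 ? ip2Long(parts[0]) : null;
        if (base == null) throw new IllegalArgumentException("Invalid CIDR " + cidr);
        int prefix = Integer.parseInt(parts[1]);
        if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("Invalid prefix in " + cidr);
        long mask = prefix == 0 ? 0 : (0xffffffffL << (32 - prefix)) & 0xffffffffL;
        long start = base & mask;
        return new long[] { start, start | (~mask & 0xffffffffL) };
    }

    /** Two inclusive ranges overlap when neither ends before the other starts. */
    static boolean overlaps(long aStart, long aEnd, long bStart, long bEnd) {
        return aStart <= bEnd && bStart <= aEnd;
    }

    /**
     * Validates "start-end" and returns { serverLocalIp, clientRange }: the first address is
     * reserved for the VPN server itself and clients get the rest, mirroring the ++startIp step
     * in createRemoteAccessVpn. Rejects malformed input, inverted ranges, overlap with the
     * guest CIDR, and ranges that leave fewer than minClients client addresses (assumed threshold).
     */
    static String[] splitClientRange(String ipRange, String guestCidr, int minClients) {
        String[] range = ipRange.split("-");
        if (range.length != 2) throw new IllegalArgumentException("Invalid ip range " + ipRange);
        Long start = ip2Long(range[0].trim()), end = ip2Long(range[1].trim());
        if (start == null || end == null) throw new IllegalArgumentException("Invalid ip in range " + ipRange);
        if (start > end) throw new IllegalArgumentException("Range start is after range end: " + ipRange);
        long[] guest = cidrToRange(guestCidr);
        if (overlaps(start, end, guest[0], guest[1]))
            throw new IllegalArgumentException(ipRange + " overlaps guest range " + long2Ip(guest[0]) + "-" + long2Ip(guest[1]));
        // one address goes to the server, so (end - start) addresses remain for clients
        if (end - start < minClients)
            throw new IllegalArgumentException(ipRange + " leaves fewer than " + minClients + " client addresses");
        return new String[] { long2Ip(start), long2Ip(start + 1) + "-" + long2Ip(end) };
    }

    /** Random alphanumeric pre-shared key drawn from a CSPRNG; the length is a caller-supplied setting. */
    static String generatePresharedKey(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(PSK_ALPHABET.charAt(RNG.nextInt(PSK_ALPHABET.length())));
        return sb.toString();
    }

    public static void main(String[] args) {
        // constructed inputs: guest network 10.1.1.0/24 and a client range of the shape CloudStack accepts
        String[] ok = splitClientRange("10.1.2.1-10.1.2.8", "10.1.1.0/24", 4);
        System.out.println("server local ip=" + ok[0] + " clients=" + ok[1]); // 10.1.2.1, 10.1.2.2-10.1.2.8
        String[] bad = { "10.1.1.1-10.1.1.8", "10.1.2.8-10.1.2.1", "10.1.2.1-10.1.2.2", "10.1.2.1" };
        for (String r : bad) {
            try {
                splitClientRange(r, "10.1.1.0/24", 4);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + r + ": " + e.getMessage());
            }
        }
        System.out.println("psk=" + generatePresharedKey(24));
    }
}
```

The overlap check is the one that matters most for isolation: a client pool that intersects the guest CIDR would let a VPN client claim an address the router also routes to a guest VM. The minimum-size check is not in the project code (it is the open TODO), so treat the threshold as a local policy decision rather than CloudStack behaviour.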

Example 10 with RemoteAccessVpn

use of com.cloud.network.RemoteAccessVpn in project cloudstack by apache.

the class UpdateRemoteAccessVpnCmd method execute.

// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public void execute() {
    RemoteAccessVpn result = _ravService.updateRemoteAccessVpn(id, this.getCustomId(), getDisplay());
    RemoteAccessVpnResponse response = _responseGenerator.createRemoteAccessVpnResponse(result);
    response.setResponseName(getCommandName());
    this.setResponseObject(response);
}
Also used : RemoteAccessVpnResponse(org.apache.cloudstack.api.response.RemoteAccessVpnResponse) RemoteAccessVpn(com.cloud.network.RemoteAccessVpn)

Aggregations

RemoteAccessVpn (com.cloud.network.RemoteAccessVpn)22 ArrayList (java.util.ArrayList)11 ResourceUnavailableException (com.cloud.exception.ResourceUnavailableException)9 VpnUser (com.cloud.network.VpnUser)7 Test (org.junit.Test)6 RemoteAccessVpnResponse (com.cloud.api.response.RemoteAccessVpnResponse)5 Vpc (com.cloud.network.vpc.Vpc)5 Network (com.cloud.network.Network)4 PublicIpAddress (com.cloud.network.PublicIpAddress)4 Zone (com.cloud.db.model.Zone)3 NetworkRuleConflictException (com.cloud.exception.NetworkRuleConflictException)3 IPAddressVO (com.cloud.network.dao.IPAddressVO)3 RemoteAccessVpnVO (com.cloud.network.dao.RemoteAccessVpnVO)3 FirewallRuleVO (com.cloud.network.rules.FirewallRuleVO)3 NetworkOfferingVO (com.cloud.offerings.NetworkOfferingVO)3 DomainRouterVO (com.cloud.vm.DomainRouterVO)3 List (java.util.List)3 RemoteAccessVpnResponse (org.apache.cloudstack.api.response.RemoteAccessVpnResponse)3 AdvancedNetworkTopology (org.apache.cloudstack.network.topology.AdvancedNetworkTopology)3 BasicNetworkTopology (org.apache.cloudstack.network.topology.BasicNetworkTopology)3