use of com.cloud.network.RemoteAccessVpn in project cloudstack by apache.
the class VpcVirtualRouterElementTest method testApplyVpnUsersException2.
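/**
 * Checks that {@code applyVpnUsers} returns {@code null} rather than throwing when the router
 * manager reports no routers ({@code null}) for the VPC the remote access VPN belongs to.
 */
@Test
public void testApplyVpnUsersException2() {
    vpcVirtualRouterElement._vpcRouterMgr = _vpcRouterMgr;

    // Both topologies are mocks, so no real router command can be issued by this test.
    final AdvancedNetworkTopology advancedNetworkTopology = Mockito.mock(AdvancedNetworkTopology.class);
    final BasicNetworkTopology basicNetworkTopology = Mockito.mock(BasicNetworkTopology.class);
    networkTopologyContext.setAdvancedNetworkTopology(advancedNetworkTopology);
    networkTopologyContext.setBasicNetworkTopology(basicNetworkTopology);
    networkTopologyContext.init();

    final RemoteAccessVpn remoteAccessVpn = Mockito.mock(RemoteAccessVpn.class);
    final List<VpnUser> users = new ArrayList<VpnUser>();
    // Long.valueOf replaces the deprecated boxing constructor; the upper-case suffix avoids
    // the literal being misread as eleven.
    final Long vpcId = Long.valueOf(1L);

    when(remoteAccessVpn.getVpcId()).thenReturn(vpcId);
    // The condition under test: the manager has no router list at all for this VPC.
    when(_vpcRouterMgr.getVpcRouters(vpcId)).thenReturn(null);

    try {
        final String[] results = vpcVirtualRouterElement.applyVpnUsers(remoteAccessVpn, users);
        assertNull(results);
    } catch (final ResourceUnavailableException e) {
        fail(e.getMessage());
    }

    // The element must have read the VPC id from the VPN exactly once.
    verify(remoteAccessVpn, times(1)).getVpcId();
}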
use of com.cloud.network.RemoteAccessVpn in project cosmic by MissionCriticalCloud.
the class NetworkOrchestrator method reprogramNetworkRules.
// This method re-programs the rules/ips for existing network
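/**
 * Re-applies the rule sets of an existing network: egress firewall rules, IP associations,
 * static NAT, ingress firewall rules, port forwarding, static NAT rules, public load
 * balancers, remote access VPNs and network ACLs, in that order.
 *
 * <p>Every step is attempted even when an earlier one failed; a failure is logged at WARN and
 * only turns the return value to {@code false}. A {@code false} result therefore means the
 * network may be running with part of its firewall, VPN or ACL configuration not reapplied,
 * and callers should not treat the restart as complete.
 *
 * @param networkId id used to look up the rules to reapply
 * @param caller    account handed to the firewall and rules managers
 * @param network   the network being reprogrammed
 * @return {@code true} only when every step reported success
 * @throws ResourceUnavailableException declared by this method; presumably raised by the
 *         managers it calls when a backing resource cannot be reached (confirm against them)
 */
protected boolean reprogramNetworkRules(final long networkId, final Account caller, final Network network) throws ResourceUnavailableException {
    boolean success = true;

    // Apply egress rules first to effect the egress policy early on the guest traffic
    final List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
    final Zone zone = _zoneRepository.findOne(network.getDataCenterId());

    // The Firewall-service lookup is evaluated once, and the Shared/Advanced pairing is
    // parenthesised so the grouping does not depend on && binding tighter than ||.
    // Short-circuiting is kept: zone is only dereferenced for Shared networks that support
    // the Firewall service.
    if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
            && (network.getGuestType() == GuestType.Isolated
                || (network.getGuestType() == GuestType.Shared && zone.getNetworkType() == com.cloud.model.enumeration.NetworkType.Advanced))) {
        // add default egress rule to accept the traffic
        _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true);
    }
    if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
        s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }

    // associate all ip addresses
    if (!_ipAddrMgr.applyIpAssociations(network, false)) {
        s_logger.warn("Failed to apply ip addresses as a part of network id=" + networkId + " restart");
        success = false;
    }

    // apply static nat
    if (!_rulesMgr.applyStaticNatsForNetwork(networkId, false, caller)) {
        s_logger.warn("Failed to apply static nats as a part of network id=" + networkId + " restart");
        success = false;
    }

    // apply firewall rules
    final List<FirewallRuleVO> firewallIngressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Ingress);
    if (!_firewallMgr.applyFirewallRules(firewallIngressRulesToApply, false, caller)) {
        s_logger.warn("Failed to reapply Ingress firewall rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }

    // apply port forwarding rules
    if (!_rulesMgr.applyPortForwardingRulesForNetwork(networkId, false, caller)) {
        s_logger.warn("Failed to reapply port forwarding rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }

    // apply static nat rules
    if (!_rulesMgr.applyStaticNatRulesForNetwork(networkId, false, caller)) {
        s_logger.warn("Failed to reapply static nat rule(s) as a part of network id=" + networkId + " restart");
        success = false;
    }

    // apply public load balancer rules
    if (!_lbMgr.applyLoadBalancersForNetwork(networkId, Scheme.Public)) {
        s_logger.warn("Failed to reapply Public load balancer rules as a part of network id=" + networkId + " restart");
        success = false;
    }

    // apply vpn rules
    final List<? extends RemoteAccessVpn> vpnsToReapply = _vpnMgr.listRemoteAccessVpns(networkId);
    if (vpnsToReapply != null) {
        for (final RemoteAccessVpn vpn : vpnsToReapply) {
            // Start remote access vpn per ip; a null result is treated as failure to start
            if (_vpnMgr.startRemoteAccessVpn(vpn.getServerAddressId(), false) == null) {
                s_logger.warn("Failed to reapply vpn rules as a part of network id=" + networkId + " restart");
                success = false;
            }
        }
    }

    // apply network ACLs
    if (!_networkACLMgr.applyACLToNetwork(networkId)) {
        s_logger.warn("Failed to reapply network ACLs as a part of network id=" + networkId + " restart");
        success = false;
    }

    return success;
}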
use of com.cloud.network.RemoteAccessVpn in project cosmic by MissionCriticalCloud.
the class CommandSetupHelper method configureRemoteAccessVpn.
/**
 * Fills the remote-access section of {@code vpnTO} from the VPN stored for the router's
 * account and VPC. Nothing is written when no VPN is stored or when the stored VPN equals
 * {@code remoteAccessVpnToExclude}.
 *
 * <p>The transfer object built here carries secret material: the IPsec pre-shared key and,
 * for every VPN user in state {@code Add} or {@code Active}, the username together with the
 * password exactly as the DAO returns it. Code that logs, dumps or persists this object
 * exposes those credentials.
 *
 * @param router                   router whose account id and VPC id select the stored VPN
 * @param remoteAccessVpnToExclude VPN to leave out of the overview
 * @param vpnTO                    overview section that receives the remote-access data
 */
private void configureRemoteAccessVpn(final VirtualRouter router, final RemoteAccessVpn remoteAccessVpnToExclude, final NetworkOverviewTO.VPNTO vpnTO) {
    final RemoteAccessVpnVO storedVpn = _remoteAccessVpnDao.findByAccountAndVpc(router.getAccountId(), router.getVpcId());

    // NOTE(review): the exclusion depends on RemoteAccessVpnVO.equals(); if that class does not
    // override equals this is an identity comparison and a separately loaded instance of the
    // same VPN would not be excluded. Confirm against the VO.
    if (storedVpn == null || storedVpn.equals(remoteAccessVpnToExclude)) {
        return;
    }

    final NetworkOverviewTO.VPNTO.RemoteAccessTO remoteAccess = new NetworkOverviewTO.VPNTO.RemoteAccessTO();

    // NOTE(review): neither the IP lookup nor the VPC lookup below is null-checked.
    final IpAddress publicIp = _networkModel.getIp(storedVpn.getServerAddressId());
    remoteAccess.setVpnServerIp(publicIp.getAddress().addr());
    remoteAccess.setPreSharedKey(storedVpn.getIpsecPresharedKey());
    remoteAccess.setIpRange(storedVpn.getIpRange());
    remoteAccess.setLocalIp(storedVpn.getLocalIp());

    final Vpc owningVpc = _vpcDao.findById(storedVpn.getVpcId());
    remoteAccess.setLocalCidr(owningVpc.getCidr());

    // Only users being added or already active are sent; users in any other state are left out.
    final NetworkOverviewTO.VPNTO.RemoteAccessTO.VPNUserTO[] usersToSend = _vpnUsersDao.listByAccount(storedVpn.getAccountId())
            .stream()
            .filter(candidate -> VpnUser.State.Add.equals(candidate.getState()) || VpnUser.State.Active.equals(candidate.getState()))
            .map(candidate -> new NetworkOverviewTO.VPNTO.RemoteAccessTO.VPNUserTO(candidate.getUsername(), candidate.getPassword()))
            .toArray(NetworkOverviewTO.VPNTO.RemoteAccessTO.VPNUserTO[]::new);
    remoteAccess.setVpnUsers(usersToSend);

    vpnTO.setRemoteAccess(remoteAccess);
}
use of com.cloud.network.RemoteAccessVpn in project cosmic by MissionCriticalCloud.
the class RemoteAccessVpnManagerImpl method createRemoteAccessVpn.
/**
 * Registers a remote access VPN on a public IP address, or returns the one already
 * registered when it is still in state {@code Added}.
 *
 * <p>Order of checks: the address must exist, the calling account must pass
 * {@code checkAccess} on it, it must be ready to use, and it must be associated with a
 * network or a VPC. The client range must be two valid IPv4 addresses separated by
 * {@code -}, form a valid range, and must not overlap the guest range derived from the
 * network or VPC CIDR. The record is persisted inside a transaction together with the port
 * reservation (non-VPC case only) and a freshly generated pre-shared key.
 *
 * @param publicIpId   id of the public IP address that will serve the VPN
 * @param ipRange      client range as {@code start-end}; when {@code null} the value of
 *                     {@code RemoteAccessVpnClientIpRange} for the IP's account is used
 * @param openFirewall passed to the port reservation; forced to {@code false} for a VPC
 *                     source NAT address
 * @param forDisplay   when non-null, copied onto the new record's display flag
 * @return the persisted VPN, or the existing one if it is still in state {@code Added}
 * @throws NetworkRuleConflictException declared by the transaction callback; presumably
 *         raised by the port reservation (confirm against the rules manager)
 * @throws InvalidParameterValueException for an unknown or not-ready address, an address
 *         without network or VPC, an existing VPN past state {@code Added}, a malformed or
 *         overlapping range, or a network without the VPN service
 */
@Override
@DB
public RemoteAccessVpn createRemoteAccessVpn(final long publicIpId, String ipRange, boolean openFirewall, final Boolean forDisplay) throws NetworkRuleConflictException {
    final CallContext ctx = CallContext.current();
    final Account caller = ctx.getCallingAccount();
    final Long networkId;
    // make sure ip address exists
    final PublicIpAddress ipAddr = _networkMgr.getPublicIpAddress(publicIpId);
    if (ipAddr == null) {
        throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id" + publicIpId);
    }
    // Authorization gate: every later check and error message about this address runs only
    // after the calling account has passed the access check on it.
    _accountMgr.checkAccess(caller, null, true, ipAddr);
    if (!ipAddr.readyToUse()) {
        throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress());
    }
    // NOTE(review): the DAO result is dereferenced without a null check; it is presumably
    // non-null because the same id resolved above. Confirm.
    final IPAddressVO ipAddress = _ipAddressDao.findById(publicIpId);
    networkId = ipAddress.getAssociatedWithNetworkId();
    if (networkId != null) {
        _networkMgr.checkIpForService(ipAddress, Service.Vpn, null);
    }
    final Long vpcId = ipAddress.getVpcId();
    /* IP Address used for VPC must be the source NAT IP of whole VPC */
    // NOTE(review): this branch does not reject a VPC address that is not source NAT; it only
    // skips the firewall override for it. Confirm the requirement is enforced elsewhere.
    if (vpcId != null && ipAddress.isSourceNat()) {
        // NOTE(review): Java assertions are disabled unless the JVM runs with -ea, so this
        // invariant is not enforced on a default production JVM.
        assert networkId == null;
        // No firewall setting for VPC, it would be open internally
        openFirewall = false;
    }
    // Effectively-final copy so the anonymous transaction callback can capture the flag.
    final boolean openFirewallFinal = openFirewall;
    if (networkId == null && vpcId == null) {
        throw new InvalidParameterValueException("Unable to create remote access vpn for the ipAddress: " + ipAddr.getAddress().addr() + " as ip is not associated with any network or VPC");
    }
    // NOTE(review): this lookup and the per-account lookup further down run before
    // Transaction.execute, so two concurrent requests could both pass them. Confirm that a
    // database constraint backs the uniqueness they check.
    RemoteAccessVpnVO vpnVO = _remoteAccessVpnDao.findByPublicIpAddress(publicIpId);
    if (vpnVO != null) {
        // if vpn is in Added state, return it to the api
        if (vpnVO.getState() == RemoteAccessVpn.State.Added) {
            return vpnVO;
        }
        throw new InvalidParameterValueException("A Remote Access VPN already exists for this public Ip address");
    }
    if (ipRange == null) {
        ipRange = RemoteAccessVpnClientIpRange.valueIn(ipAddr.getAccountId());
    }
    // From here on ipRange may be caller-supplied text: it is validated in three steps
    // (two parts, both IPv4, valid range) and is echoed into the error messages.
    final String[] range = ipRange.split("-");
    if (range.length != 2) {
        throw new InvalidParameterValueException("Invalid ip range");
    }
    if (!NetUtils.isValidIp4(range[0]) || !NetUtils.isValidIp4(range[1])) {
        throw new InvalidParameterValueException("Invalid ip in range specification " + ipRange);
    }
    if (!NetUtils.validIpRange(range[0], range[1])) {
        throw new InvalidParameterValueException("Invalid ip range " + ipRange);
    }
    final Pair<String, Integer> cidr;
    // TODO: assumes one virtual network / domr per account per zone
    if (networkId != null) {
        vpnVO = _remoteAccessVpnDao.findByAccountAndNetwork(ipAddr.getAccountId(), networkId);
        if (vpnVO != null) {
            // if vpn is in Added state, return it to the api
            if (vpnVO.getState() == RemoteAccessVpn.State.Added) {
                return vpnVO;
            }
            throw new InvalidParameterValueException("A Remote Access VPN already exists for this account");
        }
        // Verify that vpn service is enabled for the network
        final Network network = _networkMgr.getNetwork(networkId);
        if (!_networkMgr.areServicesSupportedInNetwork(network.getId(), Service.Vpn)) {
            throw new InvalidParameterValueException("Vpn service is not supported in network id=" + ipAddr.getAssociatedWithNetworkId());
        }
        cidr = NetUtils.getCidr(network.getCidr());
    } else {
        // Don't need to check VPC because there is only one IP(source NAT IP) available for VPN
        // NOTE(review): the VPC lookup result is not null-checked before getCidr().
        final Vpc vpc = _vpcDao.findById(vpcId);
        cidr = NetUtils.getCidr(vpc.getCidr());
    }
    // FIXME: This check won't work for the case where the guest ip range
    // changes depending on the vlan allocated.
    // The client range is rejected when it overlaps the guest range derived from the CIDR.
    final String[] guestIpRange = NetUtils.getIpRangeFromCidr(cidr.first(), cidr.second());
    if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) {
        throw new InvalidParameterValueException("Invalid ip range: " + ipRange + " overlaps with guest ip range " + guestIpRange[0] + "-" + guestIpRange[1]);
    }
    // TODO: check sufficient range
    // TODO: check overlap with private and public ip ranges in datacenter
    // The first address of the range is passed to the record separately and the stored range
    // starts one address later. NOTE(review): with a one-address range that start would lie
    // past the end unless validIpRange already rejects it; see the TODO above.
    long startIp = NetUtils.ip2Long(range[0]);
    final String newIpRange = NetUtils.long2Ip(++startIp) + "-" + range[1];
    // Secret material: the generated pre-shared key is stored on the record below and must
    // not be written to logs.
    final String sharedSecret = PasswordGenerator.generatePresharedKey(_pskLength);
    return Transaction.execute(new TransactionCallbackWithException<RemoteAccessVpn, NetworkRuleConflictException>() {
        @Override
        public RemoteAccessVpn doInTransaction(final TransactionStatus status) throws NetworkRuleConflictException {
            // Ports are reserved on the public IP only outside a VPC; the reservation and the
            // persist below share this transaction.
            if (vpcId == null) {
                _rulesMgr.reservePorts(ipAddr, NetUtils.UDP_PROTO, Purpose.Vpn, openFirewallFinal, caller, NetUtils.VPN_PORT, NetUtils.VPN_L2TP_PORT, NetUtils.VPN_NATT_PORT);
            }
            final RemoteAccessVpnVO vpnVO = new RemoteAccessVpnVO(ipAddr.getAccountId(), ipAddr.getDomainId(), ipAddr.getAssociatedWithNetworkId(), publicIpId, vpcId, range[0], newIpRange, sharedSecret);
            if (forDisplay != null) {
                vpnVO.setDisplay(forDisplay);
            }
            return _remoteAccessVpnDao.persist(vpnVO);
        }
    });
}
use of com.cloud.network.RemoteAccessVpn in project cloudstack by apache.
the class UpdateRemoteAccessVpnCmd method execute.
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
/**
 * Passes the update to the remote access VPN service and publishes the resulting VPN as this
 * command's response object.
 *
 * <p>NOTE(review): no access check is visible in this method; it is presumably enforced
 * inside the service call. Confirm against the service implementation.
 */
@Override
public void execute() {
    final RemoteAccessVpn updatedVpn = _ravService.updateRemoteAccessVpn(id, getCustomId(), getDisplay());
    final RemoteAccessVpnResponse vpnResponse = _responseGenerator.createRemoteAccessVpnResponse(updatedVpn);
    vpnResponse.setResponseName(getCommandName());
    setResponseObject(vpnResponse);
}