From "Will Stevens (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8407) Presharedkey is not create during the creation of remote access vpn
Date Tue, 26 May 2015 20:52:20 GMT

[ https://issues.apache.org/jira/browse/CLOUDSTACK-8407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14559846#comment-14559846 ]

Will Stevens commented on CLOUDSTACK-8407:
------------------------------------------

So the preshared key is actually created, but we have no way to access it (unfortunately).

The following commit changed this functionality between the 4.4.1 and 4.4.3 versions:
{code}
$ git show c620a0640a7b29957ce18d4ccc2076e5c1405cd5
commit c620a0640a7b29957ce18d4ccc2076e5c1405cd5
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Date:   Wed Mar 11 16:30:20 2015 +0530

    api: avoid sending sensitive data in api response
    
    - UI: use post when updating user
    - S3: don't send s3 key in the response
    - VPN: don't send preshared key in remoteaccessvpn api response
    - Snapshot response should set zone id not volume's device id
    
    Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
    (cherry picked from commit 02cadc3fb3fae7f5e8c87b7fafb977fb5eeae6eb)
    Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
    
    Conflicts:
        server/src/com/cloud/api/ApiResponseHelper.java

diff --git a/api/src/org/apache/cloudstack/api/response/RemoteAccessVpnResponse.java b/api/src/org/apache/cloudstack/api/response/RemoteAccessVpnResponse.java
index 28d788b..60a45b6 100644
--- a/api/src/org/apache/cloudstack/api/response/RemoteAccessVpnResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/RemoteAccessVpnResponse.java
@@ -41,10 +41,6 @@ public class RemoteAccessVpnResponse extends BaseResponse implements ControlledE
     @Param(description = "the range of ips to allocate to the clients")
     private String ipRange;
 
-    @SerializedName("presharedkey")
-    @Param(description = "the ipsec preshared key")
-    private String presharedKey;
-
     @SerializedName(ApiConstants.ACCOUNT)
     @Param(description = "the account of the remote access vpn")
     private String accountName;
@@ -85,10 +81,6 @@ public class RemoteAccessVpnResponse extends BaseResponse implements ControlledE
         this.ipRange = ipRange;
     }
 
-    public void setPresharedKey(String presharedKey) {
-        this.presharedKey = presharedKey;
-    }
-
     @Override
     public void setAccountName(String accountName) {
         this.accountName = accountName;
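Review bot: deleting `setPresharedKey` is only safe once every consumer of the field is updated; the server-side call is removed in ApiResponseHelper in this same patch, but the UI code that reads `remoteaccessvpn.presharedkey` (ui/scripts/network.js, quoted later in this comment) is not touched, so the UI now renders `undefined` where the key used to be shown.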
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index df4cca8..3d174c7 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -1284,7 +1284,6 @@ public class ApiResponseHelper implements ResponseGenerator {
             vpnResponse.setPublicIp(ip.getAddress().addr());
         }
         vpnResponse.setIpRange(vpn.getIpRange());
-        vpnResponse.setPresharedKey(vpn.getIpsecPresharedKey());
         populateOwner(vpnResponse, vpn);
         vpnResponse.setState(vpn.getState().toString());
         vpnResponse.setId(vpn.getUuid());
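Review bot: the `setPresharedKey` call is dropped with no comment saying the omission is deliberate, and `vpn.getIpsecPresharedKey()` still exists on the entity, so the key keeps being generated and stored but becomes unreachable through the API; a one-line comment here ("preshared key intentionally not exposed") would stop a later reader from treating the missing field as a bug, and if the key must stay out of this response a documented retrieval path for the owner is needed so operators are not pushed to read it straight from the database.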
diff --git a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
index f1f873c..6e9c148 100644
--- a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
@@ -84,7 +84,8 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO,
Long
         if ( detailName != null && detailName.length() > 0 && !detailName.equals(ApiConstants.PASSWORD))
{
             String detailValue = ids.getDetailValue();
             if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY))
{
-                detailValue = DBEncryptionUtil.decrypt(detailValue);
+                // ALWAYS return an empty value for the S3 secret key since that key is managed
by Amazon and not CloudStack
+                detailValue = "";
             }
             ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName,
detailValue);
             osResponse.addDetail(osdResponse);
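Review bot: the new comment says the S3 secret key is blanked, but the condition `detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)` also matches `ApiConstants.KEY`, so the (non-secret) access key is now returned empty as well; if only the secret is meant to be hidden, narrow the check to `S3_SECRET_KEY`, and note that the justification "managed by Amazon and not CloudStack" does not fit the removed `DBEncryptionUtil.decrypt(detailValue)` line, which shows CloudStack was storing the value itself (encrypted).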
@@ -99,7 +100,8 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO,
Long
         if ( detailName != null && detailName.length() > 0 && !detailName.equals(ApiConstants.PASSWORD))
{
             String detailValue = ids.getDetailValue();
             if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY))
{
-                detailValue = DBEncryptionUtil.decrypt(detailValue);
+                // ALWAYS return an empty value for the S3 secret key since that key is managed
by Amazon and not CloudStack
+                detailValue = "";
             }
             ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName,
detailValue);
             response.addDetail(osdResponse);
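Review bot: this hunk is a line-for-line duplicate of the previous one (same condition, same comment, same blanking) in a second method of the same class; extracting the detail-masking logic into one helper used by both would keep the masking consistent the next time the set of sensitive detail names changes.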
diff --git a/ui/scripts/installWizard.js b/ui/scripts/installWizard.js
index 85eaff0..bf9450a 100644
--- a/ui/scripts/installWizard.js
+++ b/ui/scripts/installWizard.js
@@ -37,6 +37,7 @@
                     id: cloudStack.context.users[0].userid,
                     password: md5Hashed ? $.md5(args.data.password) : todb(args.data.password)
                 },
+                type: 'POST',
                 dataType: 'json',
                 async: true,
                 success: function(data) {
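Review bot: switching to `type: 'POST'` keeps the password out of the request URL, browser history and proxy/server access logs, which is the right fix for a credential sent via GET; the body is still `md5Hashed ? $.md5(args.data.password) : todb(args.data.password)`, so in transit the value is protected only by HTTPS, and it is worth checking whether any other UI request that submits a password still relies on the default method.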
{code}

As you have noticed, this change was not implemented very well because the UI still tries to access the preshared key of this object.

So for example, in the `ui/scripts/network.js` file, the `remoteaccessvpn.presharedkey` variable is expected to be set.

{code}
complete: function(args) {
    var msg;
    if (args.vpn.state == "Running") {
        msg = _l('message.enabled.vpn') + ' ' + args.remoteaccessvpn.publicip + '.' +
            '<br/>' + _l('message.enabled.vpn.ip.sec') + '<br/>' + args.remoteaccessvpn.presharedkey;
    } else {
        msg = "Remote Access VPN configuration has been generated, but it failed to apply. Please check connectivity of the network element, then re-try.";
    }
    return msg;
}
{code}

This is a bit of a regression because now there is no way to access the preshared key without connecting to the DB and pulling it out directly from there, so automation using that key is pretty much impossible.

Not sure what the best approach is for resolving this...

> Presharedkey is not create during the creation of remote access vpn
> -------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8407
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8407
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Automation, Management Server
>    Affects Versions: 4.4.3, 4.5.1
>            Reporter: Nicolas Grangier
>            Priority: Minor
>
> The presharedkey does not appear/get created during remote access vpn creation.
> Confirmed with cloudmonkey that the value is not present.
> ===============
> Steps to Reproduce:
> ===============
> 1.	Go to the network tab
> 2.	Configure the VPC
> 3.	Go in the router section, public IP addresses
> 4.	Click on the IP which is SourceNat
> 5.	Activate the remote access VPN
> 6.	It says:
> Your Remote Access VPN is currently enabled and can be accessed via the IP x.x.x.x.
> Your IPSec pre-shared key is
> undefined
> Actual result:
> Remote Access VPN is created in the database, but it didn't create the presharedkey.
> I also used cloudmonkey to list remoteaccessvpns; the field "presharedkey =" is not even created.



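As an added illustration of the regression described in the comment above (this is not CloudStack's own code and not part of the original message): the snippet below models how the UI's "VPN enabled" message is assembled from the remoteaccessvpn API response, once with a 4.4.1-style response that still carries `presharedkey` and once with a 4.4.3-style response where the field was removed. The `_l()` label lookup, the two sample responses and the guarded variant are constructed for this example.

```javascript
// Added example, not CloudStack code. Models the message-building logic from
// ui/scripts/network.js against API responses with and without presharedkey.

// Hypothetical stand-in for the UI's _l() label lookup (labels taken from the bug report text).
const labels = {
  'message.enabled.vpn': 'Your Remote Access VPN is currently enabled and can be accessed via the IP',
  'message.enabled.vpn.ip.sec': 'Your IPSec pre-shared key is',
};
function _l(key) {
  return labels[key];
}

// Mirrors the string concatenation in network.js: a field missing from the
// response is interpolated as the literal text "undefined", which is exactly
// what the reporter saw in the UI after the field was dropped from the API.
function buildMessageUnguarded(args) {
  return _l('message.enabled.vpn') + ' ' + args.remoteaccessvpn.publicip + '.' +
    '<br/>' + _l('message.enabled.vpn.ip.sec') + '<br/>' + args.remoteaccessvpn.presharedkey;
}

// Guarded variant (constructed for this example): only report the key when the
// API actually returned a non-empty string, so an operator is told the key is
// unavailable rather than being shown "undefined".
function buildMessageGuarded(args) {
  const vpn = args.remoteaccessvpn;
  let msg = _l('message.enabled.vpn') + ' ' + vpn.publicip + '.';
  if (typeof vpn.presharedkey === 'string' && vpn.presharedkey.length > 0) {
    msg += '<br/>' + _l('message.enabled.vpn.ip.sec') + '<br/>' + vpn.presharedkey;
  } else {
    msg += '<br/>' + 'The IPSec pre-shared key is not returned by this API version.';
  }
  return msg;
}

// Constructed sample responses: the key is present in the 4.4.1-style response
// and absent in the 4.4.3-style response. The key value is a placeholder.
const responseWithKey = {
  vpn: { state: 'Running' },
  remoteaccessvpn: { publicip: '203.0.113.10', presharedkey: 'EXAMPLE-PSK-PLACEHOLDER' },
};
const responseWithoutKey = {
  vpn: { state: 'Running' },
  remoteaccessvpn: { publicip: '203.0.113.10' },
};

console.log(buildMessageUnguarded(responseWithoutKey)); // ends with "undefined"
console.log(buildMessageGuarded(responseWithoutKey));   // explains the key is unavailable
```

The guarded version only changes what the operator sees; it does not bring the key back. Until the API exposes it again (or documents another owner-only way to retrieve it), any automation that needs the pre-shared key has no supported source for it, which is the substance of the comment above.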
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
