From 00fe5f14719d22c429d609657887198d93c1b98f Mon Sep 17 00:00:00 2001 From: dahn Date: Tue, 1 Oct 2024 10:25:31 +0200 Subject: [PATCH] cleanup validations for VPN connection creation (#9195) --- .../network/vpn/Site2SiteVpnManagerImpl.java | 114 ++++++++++-------- ui/src/views/network/VpcTab.vue | 8 +- 2 files changed, 67 insertions(+), 55 deletions(-) diff --git a/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java index 51d5f9cf97b4..3efe9a8788f2 100644 --- a/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java +++ b/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java @@ -23,11 +23,12 @@ import javax.inject.Inject; import javax.naming.ConfigurationException; -import org.apache.cloudstack.annotation.AnnotationService; -import org.apache.cloudstack.annotation.dao.AnnotationDao; +import org.apache.commons.collections.CollectionUtils; import org.apache.log4j.Logger; import org.springframework.stereotype.Component; +import org.apache.cloudstack.annotation.AnnotationService; +import org.apache.cloudstack.annotation.dao.AnnotationDao; import org.apache.cloudstack.api.command.user.vpn.CreateVpnConnectionCmd; import org.apache.cloudstack.api.command.user.vpn.CreateVpnCustomerGatewayCmd; import org.apache.cloudstack.api.command.user.vpn.CreateVpnGatewayCmd; @@ -46,7 +47,6 @@ import com.cloud.event.ActionEvent; import com.cloud.event.EventTypes; import com.cloud.exception.InvalidParameterValueException; -import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.PermissionDeniedException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.Site2SiteCustomerGateway; @@ -108,7 +108,6 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn @Inject private AnnotationDao annotationDao; - String _name; int _connLimit; int _subnetsLimit; @@ -255,7 +254,7 @@ public Site2SiteCustomerGateway createCustomerGateway(CreateVpnCustomerGatewayCm @Override @ActionEvent(eventType = EventTypes.EVENT_S2S_VPN_CONNECTION_CREATE, eventDescription = "creating s2s vpn connection", create = true) - public Site2SiteVpnConnection createVpnConnection(CreateVpnConnectionCmd cmd) throws NetworkRuleConflictException { + public Site2SiteVpnConnection createVpnConnection(CreateVpnConnectionCmd cmd) { Account caller = CallContext.current().getCallingAccount(); Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); @@ -263,27 +262,15 @@ public Site2SiteVpnConnection createVpnConnection(CreateVpnConnectionCmd cmd) th _accountMgr.checkAccess(caller, null, false, owner); Long customerGatewayId = cmd.getCustomerGatewayId(); - Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId); - if (customerGateway == null) { - throw new InvalidParameterValueException("Unable to found specified Site to Site VPN customer gateway " + customerGatewayId + " !"); - } - _accountMgr.checkAccess(caller, null, false, customerGateway); + Site2SiteCustomerGateway customerGateway = getAndValidateSite2SiteCustomerGateway(customerGatewayId, caller); Long vpnGatewayId = cmd.getVpnGatewayId(); - Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId); - if (vpnGateway == null) { - throw new InvalidParameterValueException("Unable to found specified Site to Site VPN gateway " + vpnGatewayId + " !"); - } - _accountMgr.checkAccess(caller, null, false, vpnGateway); + Site2SiteVpnGateway vpnGateway = getAndValidateSite2SiteVpnGateway(vpnGatewayId, caller); - if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) { - throw new InvalidParameterValueException("VPN connection can only be esitablished between same account's VPN gateway and customer gateway!"); - } + validateVpnConnectionOfTheRightAccount(customerGateway, vpnGateway); + validateVpnConnectionDoesntExist(vpnGatewayId, customerGatewayId); + validatePrerequisiteVpnGateway(vpnGateway); - if (_vpnConnectionDao.findByVpnGatewayIdAndCustomerGatewayId(vpnGatewayId, customerGatewayId) != null) { - throw new InvalidParameterValueException("The vpn connection with customer gateway id " + customerGatewayId + " and vpn gateway id " + vpnGatewayId + - " already existed!"); - } String[] cidrList = customerGateway.getGuestCidrList().split(","); // Remote sub nets cannot overlap VPC's sub net @@ -326,13 +313,51 @@ public Site2SiteVpnConnection createVpnConnection(CreateVpnConnectionCmd cmd) th return conn; } + private Site2SiteCustomerGateway getAndValidateSite2SiteCustomerGateway(Long customerGatewayId, Account caller) { + Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId); + if (customerGateway == null) { + throw new InvalidParameterValueException(String.format("Unable to find specified Site to Site VPN customer gateway %s !", customerGatewayId)); + } + _accountMgr.checkAccess(caller, null, false, customerGateway); + return customerGateway; + } + + private Site2SiteVpnGateway getAndValidateSite2SiteVpnGateway(Long vpnGatewayId, Account caller) { + Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId); + if (vpnGateway == null) { + throw new InvalidParameterValueException(String.format("Unable to find specified Site to Site VPN gateway %s !", vpnGatewayId)); + } + _accountMgr.checkAccess(caller, null, false, vpnGateway); + return vpnGateway; + } + + private void validateVpnConnectionOfTheRightAccount(Site2SiteCustomerGateway customerGateway, Site2SiteVpnGateway vpnGateway) { + if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) { + throw new InvalidParameterValueException("VPN connection can only be established between same account's VPN gateway and customer gateway!"); + } + } + + private void validateVpnConnectionDoesntExist(Long vpnGatewayId, Long customerGatewayId) { + if (_vpnConnectionDao.findByVpnGatewayIdAndCustomerGatewayId(vpnGatewayId, customerGatewayId) != null) { + throw new InvalidParameterValueException("The vpn connection with customer gateway id " + customerGatewayId + " and vpn gateway id " + vpnGatewayId + + " already existed!"); + } + } + + private void validatePrerequisiteVpnGateway(Site2SiteVpnGateway vpnGateway) { + // check if gateway has been defined on the VPC + if (_vpnGatewayDao.findByVpcId(vpnGateway.getVpcId()) == null) { + throw new InvalidParameterValueException("we can not create a VPN connection for a VPC that does not have a VPN gateway defined"); + } + } + @Override @DB @ActionEvent(eventType = EventTypes.EVENT_S2S_VPN_CONNECTION_CREATE, eventDescription = "starting s2s vpn connection", async = true) public Site2SiteVpnConnection startVpnConnection(long id) throws ResourceUnavailableException { Site2SiteVpnConnectionVO conn = _vpnConnectionDao.acquireInLockTable(id); if (conn == null) { - throw new CloudRuntimeException("Unable to acquire lock on " + conn); + throw new CloudRuntimeException("Unable to acquire lock for starting of VPN connection with ID " + id); } try { if (conn.getState() != State.Pending && conn.getState() != State.Disconnected) { @@ -382,11 +407,7 @@ public boolean deleteCustomerGateway(DeleteVpnCustomerGatewayCmd cmd) { Account caller = CallContext.current().getCallingAccount(); Long id = cmd.getId(); - Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(id); - if (customerGateway == null) { - throw new InvalidParameterValueException("Fail to find customer gateway with " + id + " !"); - } - _accountMgr.checkAccess(caller, null, false, customerGateway); + Site2SiteCustomerGateway customerGateway = getAndValidateSite2SiteCustomerGateway(id, caller); return doDeleteCustomerGateway(customerGateway); } @@ -394,7 +415,7 @@ public boolean deleteCustomerGateway(DeleteVpnCustomerGatewayCmd cmd) { protected boolean doDeleteCustomerGateway(Site2SiteCustomerGateway gw) { long id = gw.getId(); List vpnConnections = _vpnConnectionDao.listByCustomerGatewayId(id); - if (vpnConnections != null && vpnConnections.size() != 0) { + if (!CollectionUtils.isEmpty(vpnConnections)) { throw new InvalidParameterValueException("Unable to delete VPN customer gateway with id " + id + " because there is still related VPN connections!"); } annotationDao.removeByEntityType(AnnotationService.EntityType.VPN_CUSTOMER_GATEWAY.name(), gw.getUuid()); @@ -404,7 +425,7 @@ protected boolean doDeleteCustomerGateway(Site2SiteCustomerGateway gw) { protected void doDeleteVpnGateway(Site2SiteVpnGateway gw) { List conns = _vpnConnectionDao.listByVpnGatewayId(gw.getId()); - if (conns != null && conns.size() != 0) { + if (!CollectionUtils.isEmpty(conns)) { throw new InvalidParameterValueException("Unable to delete VPN gateway " + gw.getId() + " because there is still related VPN connections!"); } _vpnGatewayDao.remove(gw.getId()); @@ -417,12 +438,7 @@ public boolean deleteVpnGateway(DeleteVpnGatewayCmd cmd) { Account caller = CallContext.current().getCallingAccount(); Long id = cmd.getId(); - Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(id); - if (vpnGateway == null) { - throw new InvalidParameterValueException("Fail to find vpn gateway with " + id + " !"); - } - - _accountMgr.checkAccess(caller, null, false, vpnGateway); + Site2SiteVpnGateway vpnGateway = getAndValidateSite2SiteVpnGateway(id, caller); doDeleteVpnGateway(vpnGateway); return true; @@ -578,7 +594,7 @@ public boolean deleteVpnConnection(DeleteVpnConnectionCmd cmd) throws ResourceUn private void stopVpnConnection(Long id) throws ResourceUnavailableException { Site2SiteVpnConnectionVO conn = _vpnConnectionDao.acquireInLockTable(id); if (conn == null) { - throw new CloudRuntimeException("Unable to acquire lock on " + conn); + throw new CloudRuntimeException("Unable to acquire lock for stopping of VPN connection with ID " + id); } try { if (conn.getState() == State.Pending) { @@ -639,10 +655,9 @@ public Pair, Integer> searchForCustomer String keyword = cmd.getKeyword(); Account caller = CallContext.current().getCallingAccount(); - List permittedAccounts = new ArrayList(); + List permittedAccounts = new ArrayList<>(); - Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); + Ternary domainIdRecursiveListProject = new Ternary<>(domainId, isRecursive, null); _accountMgr.buildACLSearchParameters(caller, id, accountName, cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, listAll, false); domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); @@ -667,7 +682,7 @@ public Pair, Integer> searchForCustomer } Pair, Integer> result = _customerGatewayDao.searchAndCount(sc, searchFilter); - return new Pair, Integer>(result.first(), result.second()); + return new Pair<>(result.first(), result.second()); } @Override @@ -684,10 +699,9 @@ public Pair, Integer> searchForVpnGateways(L long pageSizeVal = cmd.getPageSizeVal(); Account caller = CallContext.current().getCallingAccount(); - List permittedAccounts = new ArrayList(); + List permittedAccounts = new ArrayList<>(); - Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); + Ternary domainIdRecursiveListProject = new Ternary<>(domainId, isRecursive, null); _accountMgr.buildACLSearchParameters(caller, id, accountName, cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, listAll, false); domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); @@ -717,7 +731,7 @@ public Pair, Integer> searchForVpnGateways(L } Pair, Integer> result = _vpnGatewayDao.searchAndCount(sc, searchFilter); - return new Pair, Integer>(result.first(), result.second()); + return new Pair<>(result.first(), result.second()); } @Override @@ -734,10 +748,9 @@ public Pair, Integer> searchForVpnConnect long pageSizeVal = cmd.getPageSizeVal(); Account caller = CallContext.current().getCallingAccount(); - List permittedAccounts = new ArrayList(); + List permittedAccounts = new ArrayList<>(); - Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); + Ternary domainIdRecursiveListProject = new Ternary<>(domainId, isRecursive, null); _accountMgr.buildACLSearchParameters(caller, id, accountName, cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, listAll, false); domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); @@ -771,7 +784,7 @@ public Pair, Integer> searchForVpnConnect } Pair, Integer> result = _vpnConnectionDao.searchAndCount(sc, searchFilter); - return new Pair, Integer>(result.first(), result.second()); + return new Pair<>(result.first(), result.second()); } @Override @@ -818,7 +831,7 @@ public void markDisconnectVpnConnByVpc(long vpcId) { @Override public List getConnectionsForRouter(DomainRouterVO router) { - List conns = new ArrayList(); + List conns = new ArrayList<>(); // One router for one VPC Long vpcId = router.getVpcId(); if (router.getVpcId() == null) { @@ -831,7 +844,6 @@ public List getConnectionsForRouter(DomainRouterVO rou @Override public boolean deleteCustomerGatewayByAccount(long accountId) { boolean result = true; - ; List gws = _customerGatewayDao.listByAccountId(accountId); for (Site2SiteCustomerGatewayVO gw : gws) { result = result & doDeleteCustomerGateway(gw); diff --git a/ui/src/views/network/VpcTab.vue b/ui/src/views/network/VpcTab.vue index 4603e0abf694..657d3c133acf 100644 --- a/ui/src/views/network/VpcTab.vue +++ b/ui/src/views/network/VpcTab.vue @@ -795,12 +795,12 @@ export default { this.formRef.value.validate().then(() => { const values = toRaw(this.form) - - api('createVpnConnection', { - s2svpngatewayid: this.vpnGateways[0].id, + const params = { + s2svpngatewayid: this.vpnGateways[0] ? this.vpnGateways[0].id : null, s2scustomergatewayid: values.vpncustomergateway, passive: values.passive ? values.passive : false - }).then(response => { + } + api('createVpnConnection', params).then(response => { this.$pollJob({ jobId: response.createvpnconnectionresponse.jobid, title: this.$t('label.vpn.connection'),