You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ki...@apache.org on 2013/02/01 07:11:33 UTC
[36/48] git commit: refs/heads/regions - [EC2 Query API] Remove the
registration step since query API does not require the certificate
[EC2 Query API] Remove the registration step since query API does not require the certificate
https://reviews.apache.org/r/8742/
While checking if the user keys exists and also while retrieving the secret-key for signature generation (Query API only), make a change to directly check in the 'cloud' DB instead of the 'cloudbridge' DB.
With this change user will not require to register the keys before making EC2 Query API calls against CS. The registration process to make EC2 SOAP API calls will remain the same.
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/64b00d0b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/64b00d0b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/64b00d0b
Branch: refs/heads/regions
Commit: 64b00d0b34c6705be38494b7bcfe432d96d58fc1
Parents: f18828d
Author: Likitha Shetty <Li...@citrix.com>
Authored: Thu Jan 31 11:59:34 2013 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Jan 31 12:00:39 2013 -0800
----------------------------------------------------------------------
.../com/cloud/bridge/model/CloudStackUserVO.java | 49 +++++++++++
.../bridge/persist/dao/CloudStackUserDao.java | 26 ++++++
.../bridge/persist/dao/CloudStackUserDaoImpl.java | 66 +++++++++++++++
.../com/cloud/bridge/service/EC2RestServlet.java | 23 +++---
4 files changed, 153 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/64b00d0b/awsapi/src/com/cloud/bridge/model/CloudStackUserVO.java
----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/model/CloudStackUserVO.java b/awsapi/src/com/cloud/bridge/model/CloudStackUserVO.java
new file mode 100644
index 0000000..fe1ec94
--- /dev/null
+++ b/awsapi/src/com/cloud/bridge/model/CloudStackUserVO.java
@@ -0,0 +1,49 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.bridge.model;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+@Entity
+@Table(name="user")
+public class CloudStackUserVO {
+
+ @Column(name="api_key")
+ private String apiKey;
+
+ @Column(name="secret_key")
+ private String secretKey;
+
+ public String getApiKey() {
+ return apiKey;
+ }
+
+ public String getSecretKey() {
+ return secretKey;
+ }
+
+ public void setApiKey(String apiKey) {
+ this.apiKey = apiKey;
+ }
+
+ public void setSecretKey(String secretKey) {
+ this.secretKey = secretKey;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/64b00d0b/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDao.java
----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDao.java b/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDao.java
new file mode 100644
index 0000000..f5d4aa1
--- /dev/null
+++ b/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDao.java
@@ -0,0 +1,26 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.bridge.persist.dao;
+
+import com.cloud.bridge.model.CloudStackUserVO;
+import com.cloud.utils.db.GenericDao;
+
+public interface CloudStackUserDao extends GenericDao<CloudStackUserVO, String> {
+
+ public String getSecretKeyByAccessKey(String acessKey);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/64b00d0b/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDaoImpl.java
----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDaoImpl.java b/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDaoImpl.java
new file mode 100644
index 0000000..0613519
--- /dev/null
+++ b/awsapi/src/com/cloud/bridge/persist/dao/CloudStackUserDaoImpl.java
@@ -0,0 +1,66 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.bridge.persist.dao;
+
+import javax.ejb.Local;
+
+import org.apache.log4j.Logger;
+import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
+
+import com.cloud.bridge.model.CloudStackUserVO;
+import com.cloud.bridge.util.EncryptionSecretKeyCheckerUtil;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.Transaction;
+
+@Local(value={CloudStackUserDao.class})
+public class CloudStackUserDaoImpl extends GenericDaoBase<CloudStackUserVO, String> implements CloudStackUserDao {
+ public static final Logger logger = Logger.getLogger(CloudStackUserDaoImpl.class);
+
+ public CloudStackUserDaoImpl() {}
+
+ @Override
+ public String getSecretKeyByAccessKey( String accessKey ) {
+ CloudStackUserVO user = null;
+ String cloudSecretKey = null;
+
+ SearchBuilder <CloudStackUserVO> searchByAccessKey = createSearchBuilder();
+ searchByAccessKey.and("apiKey", searchByAccessKey.entity().getApiKey(), SearchCriteria.Op.EQ);
+ searchByAccessKey.done();
+ Transaction txn = Transaction.open(Transaction.CLOUD_DB);
+ try {
+ txn.start();
+ SearchCriteria<CloudStackUserVO> sc = searchByAccessKey.create();
+ sc.setParameters("apiKey", accessKey);
+ user = findOneBy(sc);
+ if ( user != null && user.getSecretKey() != null) {
+ // if the cloud db is encrypted, decrypt the secret_key returned by cloud db before signature generation
+ if( EncryptionSecretKeyCheckerUtil.useEncryption() ) {
+ StandardPBEStringEncryptor encryptor = EncryptionSecretKeyCheckerUtil.getEncryptor();
+ cloudSecretKey = encryptor.decrypt( user.getSecretKey() );
+ } else {
+ cloudSecretKey = user.getSecretKey();
+ }
+ }
+ return cloudSecretKey;
+ } finally {
+ txn.close();
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/64b00d0b/awsapi/src/com/cloud/bridge/service/EC2RestServlet.java
----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/service/EC2RestServlet.java b/awsapi/src/com/cloud/bridge/service/EC2RestServlet.java
index 78e736f..4260e9f 100644
--- a/awsapi/src/com/cloud/bridge/service/EC2RestServlet.java
+++ b/awsapi/src/com/cloud/bridge/service/EC2RestServlet.java
@@ -56,6 +56,7 @@ import org.apache.axis2.databinding.ADBException;
import org.apache.axis2.databinding.utils.writer.MTOMAwareXMLSerializer;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
+import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import com.amazon.ec2.AllocateAddressResponse;
import com.amazon.ec2.AssociateAddressResponse;
@@ -94,7 +95,9 @@ import com.amazon.ec2.RunInstancesResponse;
import com.amazon.ec2.StartInstancesResponse;
import com.amazon.ec2.StopInstancesResponse;
import com.amazon.ec2.TerminateInstancesResponse;
+import com.cloud.bridge.model.CloudStackUserVO;
import com.cloud.bridge.model.UserCredentialsVO;
+import com.cloud.bridge.persist.dao.CloudStackUserDaoImpl;
import com.cloud.bridge.persist.dao.OfferingDaoImpl;
import com.cloud.bridge.persist.dao.UserCredentialsDaoImpl;
import com.cloud.bridge.service.controller.s3.ServiceProvider;
@@ -138,6 +141,7 @@ import com.cloud.bridge.service.exception.EC2ServiceException.ClientError;
import com.cloud.bridge.util.AuthenticationUtils;
import com.cloud.bridge.util.ConfigurationHelper;
import com.cloud.bridge.util.EC2RestAuth;
+import com.cloud.bridge.util.EncryptionSecretKeyCheckerUtil;
import com.cloud.stack.models.CloudStackAccount;
import com.cloud.utils.component.ComponentLocator;
import com.cloud.utils.db.Transaction;
@@ -147,6 +151,7 @@ public class EC2RestServlet extends HttpServlet {
private static final long serialVersionUID = -6168996266762804888L;
protected final UserCredentialsDaoImpl ucDao = ComponentLocator.inject(UserCredentialsDaoImpl.class);
+ protected final CloudStackUserDaoImpl userDao = ComponentLocator.inject(CloudStackUserDaoImpl.class);
protected final OfferingDaoImpl ofDao = ComponentLocator.inject(OfferingDaoImpl.class);
public static final Logger logger = Logger.getLogger(EC2RestServlet.class);
@@ -1734,18 +1739,14 @@ public class EC2RestServlet extends HttpServlet {
}
}
- // [B] Use the cloudAccessKey to get the users secret key in the db
- UserCredentialsVO cloudKeys = ucDao.getByAccessKey( cloudAccessKey );
-
- if ( null == cloudKeys )
- {
- logger.debug( cloudAccessKey + " is not defined in the EC2 service - call SetUserKeys" );
- response.sendError(404, cloudAccessKey + " is not defined in the EC2 service - call SetUserKeys" );
- return false;
- }
- else cloudSecretKey = cloudKeys.getSecretKey();
+ // [B] Use the access key to get the users secret key from the cloud DB
+ cloudSecretKey = userDao.getSecretKeyByAccessKey( cloudAccessKey );
+ if ( cloudSecretKey == null ) {
+ logger.debug("No Secret key found for Access key '" + cloudAccessKey + "' in the the EC2 service");
+ throw new EC2ServiceException( ClientError.AuthFailure, "No Secret key found for Access key '" + cloudAccessKey +
+ "' in the the EC2 service" );
+ }
-
// [C] Verify the signature
// -> getting the query-string in this way maintains its URL encoding
EC2RestAuth restAuth = new EC2RestAuth();