Merge from trunk

3 files changed, 102 insertions, 25 deletions

diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index dd87d1f71..51d33bcc6 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -26,8 +26,8 @@ import webob
 import webob.dec
 import webob.exc
 
-from nova import exception
 from nova import context
+from nova import exception
 from nova import flags
 from nova import wsgi
 from nova.api.ec2 import apirequest
@@ -37,16 +37,82 @@ from nova.auth import manager
 
 
 FLAGS = flags.FLAGS
+flags.DEFINE_boolean('use_forwarded_for', False,
+                     'Treat X-Forwarded-For as the canonical remote address. '
+                     'Only enable this if you have a sanitizing proxy.')
+flags.DEFINE_boolean('use_lockout', False,
+                     'Whether or not to use lockout middleware.')
+flags.DEFINE_integer('lockout_attempts', 5,
+                     'Number of failed auths before lockout.')
+flags.DEFINE_integer('lockout_minutes', 15,
+                     'Number of minutes to lockout if triggered.')
+flags.DEFINE_integer('lockout_window', 15,
+                     'Number of minutes for lockout window.')
+flags.DEFINE_list('lockout_memcached_servers', None,
+                  'Memcached servers or None for in process cache.')
+
+
 _log = logging.getLogger("api")
 _log.setLevel(logging.DEBUG)
 
 
 class API(wsgi.Middleware):
-
     """Routing for all EC2 API requests."""
 
     def __init__(self):
         self.application = Authenticate(Router(Authorizer(Executor())))
+        if FLAGS.use_lockout:
+            self.application = Lockout(self.application)
+
+
+class Lockout(wsgi.Middleware):
+    """Lockout for x minutes on y failed auths in a z minute period.
+
+    x = lockout_timeout flag
+    y = lockout_window flag
+    z = lockout_attempts flag
+
+    Uses memcached if lockout_memcached_servers flag is set, otherwise it
+    uses a very simple in-proccess cache. Due to the simplicity of
+    the implementation, the timeout window is started with the first
+    failed request, so it will block if there are x failed logins within
+    that period.
+
+    There is a possible race condition where simultaneous requests could
+    sneak in before the lockout hits, but this is extremely rare and would
+    only result in a couple of extra failed attempts."""
+
+    def __init__(self, application):
+        """middleware can use fake for testing."""
+        if FLAGS.lockout_memcached_servers:
+            import memcache
+        else:
+            from nova import fakememcache as memcache
+        self.mc = memcache.Client(FLAGS.lockout_memcached_servers,
+                                  debug=0)
+        super(Lockout, self).__init__(application)
+
+    @webob.dec.wsgify
+    def __call__(self, req):
+        access_key = str(req.params['AWSAccessKeyId'])
+        failures_key = "authfailures-%s" % access_key
+        failures = int(self.mc.get(failures_key) or 0)
+        if failures >= FLAGS.lockout_attempts:
+            detail = "Too many failed authentications."
+            raise webob.exc.HTTPForbidden(detail=detail)
+        res = req.get_response(self.application)
+        if res.status_int == 403:
+            failures = self.mc.incr(failures_key)
+            if failures is None:
+                # NOTE(vish): To use incr, failures has to be a string.
+                self.mc.set(failures_key, '1', time=FLAGS.lockout_window * 60)
+            elif failures >= FLAGS.lockout_attempts:
+                _log.warn('Access key %s has had %d failed authentications'
+                          ' and will be locked out for %d minutes.' %
+                          (access_key, failures, FLAGS.lockout_minutes))
+                self.mc.set(failures_key, str(failures),
+                            time=FLAGS.lockout_minutes * 60)
+        return res
 
 
 class Authenticate(wsgi.Middleware):
@@ -81,9 +147,12 @@ class Authenticate(wsgi.Middleware):
             raise webob.exc.HTTPForbidden()
 
         # Authenticated!
+        remote_address = req.remote_addr
+        if FLAGS.use_forwarded_for:
+            remote_address = req.headers.get('X-Forwarded-For', remote_address)
         ctxt = context.RequestContext(user=user,
                                       project=project,
-                                      remote_address=req.remote_addr)
+                                      remote_address=remote_address)
         req.environ['ec2.context'] = ctxt
         return self.application
 
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index e1a21f122..e09261f00 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -27,7 +27,6 @@ import datetime
 import logging
 import re
 import os
-import time
 
 from nova import context
 import IPy
@@ -699,19 +698,24 @@ class CloudController(object):
                          context.project_id)
             raise quota.QuotaError(_("Address quota exceeded. You cannot "
                                    "allocate any more addresses"))
-        network_topic = self._get_network_topic(context)
+        # NOTE(vish): We don't know which network host should get the ip
+        #             when we allocate, so just send it to any one.  This
+        #             will probably need to move into a network supervisor
+        #             at some point.
         public_ip = rpc.call(context,
-                             network_topic,
+                             FLAGS.network_topic,
                              {"method": "allocate_floating_ip",
                               "args": {"project_id": context.project_id}})
         return {'addressSet': [{'publicIp': public_ip}]}
 
     def release_address(self, context, public_ip, **kwargs):
-        # NOTE(vish): Should we make sure this works?
         floating_ip_ref = db.floating_ip_get_by_address(context, public_ip)
-        network_topic = self._get_network_topic(context)
+        # NOTE(vish): We don't know which network host should get the ip
+        #             when we deallocate, so just send it to any one.  This
+        #             will probably need to move into a network supervisor
+        #             at some point.
         rpc.cast(context,
-                 network_topic,
+                 FLAGS.network_topic,
                  {"method": "deallocate_floating_ip",
                   "args": {"floating_address": floating_ip_ref['address']}})
         return {'releaseResponse': ["Address released."]}
@@ -722,7 +726,10 @@ class CloudController(object):
         fixed_address = db.instance_get_fixed_address(context,
                                                       instance_ref['id'])
         floating_ip_ref = db.floating_ip_get_by_address(context, public_ip)
-        network_topic = self._get_network_topic(context)
+        # NOTE(vish): Perhaps we should just pass this on to compute and
+        #             let compute communicate with network.
+        network_topic = self.compute_api.get_network_topic(context,
+                                                           internal_id)
         rpc.cast(context,
                  network_topic,
                  {"method": "associate_floating_ip",
@@ -732,24 +739,18 @@ class CloudController(object):
 
     def disassociate_address(self, context, public_ip, **kwargs):
         floating_ip_ref = db.floating_ip_get_by_address(context, public_ip)
-        network_topic = self._get_network_topic(context)
+        # NOTE(vish): Get the topic from the host name of the network of
+        #             the associated fixed ip.
+        if not floating_ip_ref.get('fixed_ip'):
+            raise exception.ApiError('Address is not associated.')
+        host = floating_ip_ref['fixed_ip']['network']['host']
+        topic = db.queue_get_for(context, FLAGS.network_topic, host)
         rpc.cast(context,
-                 network_topic,
+                 topic,
                  {"method": "disassociate_floating_ip",
                   "args": {"floating_address": floating_ip_ref['address']}})
         return {'disassociateResponse': ["Address disassociated."]}
 
-    def _get_network_topic(self, context):
-        """Retrieves the network host for a project"""
-        network_ref = self.network_manager.get_network(context)
-        host = network_ref['host']
-        if not host:
-            host = rpc.call(context,
-                            FLAGS.network_topic,
-                            {"method": "set_network_host",
-                             "args": {"network_id": network_ref['id']}})
-        return db.queue_get_for(context, FLAGS.network_topic, host)
-
     def run_instances(self, context, **kwargs):
         max_count = int(kwargs.get('max_count', 1))
         instances = self.compute_api.create_instances(context,
diff --git a/nova/api/ec2/metadatarequesthandler.py b/nova/api/ec2/metadatarequesthandler.py
index 0e9e686ff..f832863a9 100644
--- a/nova/api/ec2/metadatarequesthandler.py
+++ b/nova/api/ec2/metadatarequesthandler.py
@@ -23,9 +23,13 @@ import logging
 import webob.dec
 import webob.exc
 
+from nova import flags
 from nova.api.ec2 import cloud
 
 
+FLAGS = flags.FLAGS
+
+
 class MetadataRequestHandler(object):
     """Serve metadata from the EC2 API."""
 
@@ -63,10 +67,13 @@ class MetadataRequestHandler(object):
     @webob.dec.wsgify
     def __call__(self, req):
         cc = cloud.CloudController()
-        meta_data = cc.get_metadata(req.remote_addr)
+        remote_address = req.remote_addr
+        if FLAGS.use_forwarded_for:
+            remote_address = req.headers.get('X-Forwarded-For', remote_address)
+        meta_data = cc.get_metadata(remote_address)
         if meta_data is None:
             logging.error(_('Failed to get metadata for ip: %s') %
-                          req.remote_addr)
+                          remote_address)
             raise webob.exc.HTTPNotFound()
         data = self.lookup(req.path_info, meta_data)
         if data is None: