fixed more conflicts

author: Vishvananda Ishaya <vishvananda@gmail.com> 2010-12-22 21:21:56 +0000
committer: Vishvananda Ishaya <vishvananda@gmail.com> 2010-12-22 21:21:56 +0000
commit: f7a9bc85e57a5941ec3557d62143a246c12273af (patch)
tree: 6929a3d574aca4d8699815d72fac71fccefba17c /nova/api
parent: 9d4a60d6bd7621b44a1ccd4a48741f32e620f342 (diff)
parent: 0149b760b686465aaa7d68a1411713207becd035 (diff)
download: nova-f7a9bc85e57a5941ec3557d62143a246c12273af.tar.gz
nova-f7a9bc85e57a5941ec3557d62143a246c12273af.tar.xz
nova-f7a9bc85e57a5941ec3557d62143a246c12273af.zip
4 files changed, 77 insertions, 80 deletions
diff --git a/nova/api/__init__.py b/nova/api/__init__.py
index 80f9f2109..803470570 100644
--- a/nova/api/__init__.py
+++ b/nova/api/__init__.py
@@ -29,9 +29,7 @@ import routes
 import webob.dec
 
 from nova import flags
-from nova import utils
 from nova import wsgi
-from nova.api import cloudpipe
 from nova.api import ec2
 from nova.api import openstack
 from nova.api.ec2 import metadatarequesthandler
@@ -41,6 +39,7 @@ flags.DEFINE_string('osapi_subdomain', 'api',
                     'subdomain running the OpenStack API')
 flags.DEFINE_string('ec2api_subdomain', 'ec2',
                     'subdomain running the EC2 API')
+
 FLAGS = flags.FLAGS
 
 
@@ -80,7 +79,6 @@ class API(wsgi.Router):
             mapper.connect('%s/{path_info:.*}' % s, controller=mrh,
                            conditions=ec2api_subdomain)
 
-        mapper.connect("/cloudpipe/{path_info:.*}", controller=cloudpipe.API())
         super(API, self).__init__(mapper)
 
     @webob.dec.wsgify
diff --git a/nova/api/cloudpipe/__init__.py b/nova/api/cloudpipe/__init__.py
deleted file mode 100644
index 00ad38913..000000000
--- a/nova/api/cloudpipe/__init__.py
+++ /dev/null
@@ -1,69 +0,0 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-"""
-REST API Request Handlers for CloudPipe
-"""
-
-import logging
-import urllib
-import webob
-import webob.dec
-import webob.exc
-
-from nova import crypto
-from nova import wsgi
-from nova.auth import manager
-from nova.api.ec2 import cloud
-
-
-_log = logging.getLogger("api")
-_log.setLevel(logging.DEBUG)
-
-
-class API(wsgi.Application):
-
-    def __init__(self):
-        self.controller = cloud.CloudController()
-
-    @webob.dec.wsgify
-    def __call__(self, req):
-        if req.method == 'POST':
-            return self.sign_csr(req)
-        _log.debug(_("Cloudpipe path is %s") % req.path_info)
-        if req.path_info.endswith("/getca/"):
-            return self.send_root_ca(req)
-        return webob.exc.HTTPNotFound()
-
-    def get_project_id_from_ip(self, ip):
-        # TODO(eday): This was removed with the ORM branch, fix!
-        instance = self.controller.get_instance_by_ip(ip)
-        return instance['project_id']
-
-    def send_root_ca(self, req):
-        _log.debug(_("Getting root ca"))
-        project_id = self.get_project_id_from_ip(req.remote_addr)
-        res = webob.Response()
-        res.headers["Content-Type"] = "text/plain"
-        res.body = crypto.fetch_ca(project_id)
-        return res
-
-    def sign_csr(self, req):
-        project_id = self.get_project_id_from_ip(req.remote_addr)
-        cert = self.str_params['cert']
-        return crypto.sign_csr(urllib.unquote(cert), project_id)
diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index dd87d1f71..d1e2596c3 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -26,8 +26,8 @@ import webob
 import webob.dec
 import webob.exc
 
-from nova import exception
 from nova import context
+from nova import exception
 from nova import flags
 from nova import wsgi
 from nova.api.ec2 import apirequest
@@ -37,16 +37,79 @@ from nova.auth import manager
 
 
 FLAGS = flags.FLAGS
+flags.DEFINE_boolean('use_lockout', False,
+                     'Whether or not to use lockout middleware.')
+flags.DEFINE_integer('lockout_attempts', 5,
+                     'Number of failed auths before lockout.')
+flags.DEFINE_integer('lockout_minutes', 15,
+                     'Number of minutes to lockout if triggered.')
+flags.DEFINE_integer('lockout_window', 15,
+                     'Number of minutes for lockout window.')
+flags.DEFINE_list('lockout_memcached_servers', None,
+                  'Memcached servers or None for in process cache.')
+
+
 _log = logging.getLogger("api")
 _log.setLevel(logging.DEBUG)
 
 
 class API(wsgi.Middleware):
-
     """Routing for all EC2 API requests."""
 
     def __init__(self):
         self.application = Authenticate(Router(Authorizer(Executor())))
+        if FLAGS.use_lockout:
+            self.application = Lockout(self.application)
+
+
+class Lockout(wsgi.Middleware):
+    """Lockout for x minutes on y failed auths in a z minute period.
+
+    x = lockout_timeout flag
+    y = lockout_window flag
+    z = lockout_attempts flag
+
+    Uses memcached if lockout_memcached_servers flag is set, otherwise it
+    uses a very simple in-proccess cache. Due to the simplicity of
+    the implementation, the timeout window is started with the first
+    failed request, so it will block if there are x failed logins within
+    that period.
+
+    There is a possible race condition where simultaneous requests could
+    sneak in before the lockout hits, but this is extremely rare and would
+    only result in a couple of extra failed attempts."""
+
+    def __init__(self, application):
+        """middleware can use fake for testing."""
+        if FLAGS.lockout_memcached_servers:
+            import memcache
+        else:
+            from nova import fakememcache as memcache
+        self.mc = memcache.Client(FLAGS.lockout_memcached_servers,
+                                  debug=0)
+        super(Lockout, self).__init__(application)
+
+    @webob.dec.wsgify
+    def __call__(self, req):
+        access_key = str(req.params['AWSAccessKeyId'])
+        failures_key = "authfailures-%s" % access_key
+        failures = int(self.mc.get(failures_key) or 0)
+        if failures >= FLAGS.lockout_attempts:
+            detail = "Too many failed authentications."
+            raise webob.exc.HTTPForbidden(detail=detail)
+        res = req.get_response(self.application)
+        if res.status_int == 403:
+            failures = self.mc.incr(failures_key)
+            if failures is None:
+                # NOTE(vish): To use incr, failures has to be a string.
+                self.mc.set(failures_key, '1', time=FLAGS.lockout_window * 60)
+            elif failures >= FLAGS.lockout_attempts:
+                _log.warn('Access key %s has had %d failed authentications'
+                          ' and will be locked out for %d minutes.' %
+                          (access_key, failures, FLAGS.lockout_minutes))
+                self.mc.set(failures_key, str(failures),
+                            time=FLAGS.lockout_minutes * 60)
+        return res
 
 
 class Authenticate(wsgi.Middleware):
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 27f65852d..e09261f00 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -195,15 +195,19 @@ class CloudController(object):
         if FLAGS.region_list:
             regions = []
             for region in FLAGS.region_list:
-                name, _sep, url = region.partition('=')
+                name, _sep, host = region.partition('=')
+                endpoint = '%s://%s:%s%s' % (FLAGS.ec2_prefix,
+                                             host,
+                                             FLAGS.cc_port,
+                                             FLAGS.ec2_suffix)
                 regions.append({'regionName': name,
-                                'regionEndpoint': url})
+                                'regionEndpoint': endpoint})
         else:
             regions = [{'regionName': 'nova',
-                        'regionEndpoint': FLAGS.ec2_url}]
-        if region_name:
-            regions = [r for r in regions if r['regionName'] in region_name]
-        return {'regionInfo': regions}
+                        'regionEndpoint': '%s://%s:%s%s' % (FLAGS.ec2_prefix,
+                                                            FLAGS.cc_host,
+                                                            FLAGS.cc_port,
+                                                            FLAGS.ec2_suffix)}]
 
     def describe_snapshots(self,
                            context,
@@ -759,6 +763,7 @@ class CloudController(object):
             display_name=kwargs.get('display_name'),
             description=kwargs.get('display_description'),
             key_name=kwargs.get('key_name'),
+            user_data=kwargs.get('user_data'),
             security_group=kwargs.get('security_group'),
             generate_hostname=internal_id_to_ec2_id)
         return self._format_run_instances(context,
author	Vishvananda Ishaya <vishvananda@gmail.com>	2010-12-22 21:21:56 +0000
committer	Vishvananda Ishaya <vishvananda@gmail.com>	2010-12-22 21:21:56 +0000
commit	f7a9bc85e57a5941ec3557d62143a246c12273af (patch)
tree	6929a3d574aca4d8699815d72fac71fccefba17c /nova/api
parent	9d4a60d6bd7621b44a1ccd4a48741f32e620f342 (diff)
parent	0149b760b686465aaa7d68a1411713207becd035 (diff)
download	nova-f7a9bc85e57a5941ec3557d62143a246c12273af.tar.gz nova-f7a9bc85e57a5941ec3557d62143a246c12273af.tar.xz nova-f7a9bc85e57a5941ec3557d62143a246c12273af.zip