fix

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

Author: shwstppr

client/src/main/java/org/apache/cloudstack/websocket/JettyWebSocketServlet.java

@@ -30,6 +30,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.eclipse.jetty.websocket.api.Session;
+import org.eclipse.jetty.websocket.api.UpgradeRequest;
 import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
 import org.eclipse.jetty.websocket.servlet.ServletUpgradeResponse;
 import org.eclipse.jetty.websocket.servlet.WebSocketCreator;
@@ -151,16 +152,23 @@ private Map<String, String> parse(String q) {
         }
 
         @Override
-        public void onWebSocketConnect(Session jettySess) {
-            super.onWebSocketConnect(jettySess);
-            this.session = JettyWebSocketSession.adapt(jettySess, routePath, parse(rawQuery));
+        public void onWebSocketConnect(Session jettySession) {
+            super.onWebSocketConnect(jettySession);
+            this.session = JettyWebSocketSession.adapt(jettySession, routePath, parse(rawQuery));
+            UpgradeRequest request = jettySession.getUpgradeRequest();
+            String remoteAddr = request.getHeader("X-Forwarded-For");
+            if (remoteAddr == null) {
+                remoteAddr = jettySession.getRemoteAddress().getAddress().getHostAddress();
+            }
+            this.session.setAttr(WebSocketSession.ATTR_REMOTE_ADDR, remoteAddr);
             try {
+
                 handler.onOpen(session);
             } catch (Throwable t) {
                 try {
                     handler.onError(session, t);
                 } finally {
-                    jettySess.close();
+                    jettySession.close();
                 }
             }
         }

engine/schema/src/main/java/org/apache/cloudstack/util/StringListJsonConverter.java

@@ -29,15 +29,28 @@ public class StringListJsonConverter implements AttributeConverter<List<String>,
 
     private static final ObjectMapper mapper = new ObjectMapper();
 
-    @Override
-    public String convertToDatabaseColumn(List<String> attribute) {
+    public static String getDatabaseColumnTypeValue(List<String> attribute) {
         try {
             return attribute == null ? null : mapper.writeValueAsString(attribute);
         } catch (JsonProcessingException e) {
             throw new IllegalArgumentException("Error converting list to JSON", e);
         }
     }
 
+    public static boolean isValidAttribute(List<String> attribute, int length) {
+        try {
+            String json = getDatabaseColumnTypeValue(attribute);
+            return json != null && json.length() <= length;
+        } catch (IllegalArgumentException e) {
+            return false;
+        }
+    }
+
+    @Override
+    public String convertToDatabaseColumn(List<String> attribute) {
+        return getDatabaseColumnTypeValue(attribute);
+    }
+
     @Override
     public List<String> convertToEntityAttribute(String dbData) {
         try {

engine/schema/src/main/resources/META-INF/db/schema-42200to42300.sql

@@ -35,7 +35,7 @@ CREATE TABLE IF NOT EXISTS `cloud`.`management_server_details` (
 CREATE TABLE IF NOT EXISTS `cloud`.`logs_web_session` (
     `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'id of the session',
     `uuid` varchar(40) NOT NULL COMMENT 'UUID generated for the session',
-    `filter` varchar(64) DEFAULT NULL COMMENT 'Filter keyword for the session',
+    `filters` varchar(128) DEFAULT NULL COMMENT 'Filter keywords for the session',
     `created` datetime NOT NULL COMMENT 'When the session was created',
     `domain_id` bigint(20) unsigned NOT NULL COMMENT 'Domain of the account who generated the session',
     `account_id` bigint(20) unsigned NOT NULL COMMENT 'Account who generated the session',

framework/websocket-server/src/main/java/org/apache/cloudstack/framework/websocket/server/NettyWebSocketSession.java

@@ -24,9 +24,13 @@
 
 import org.apache.cloudstack.framework.websocket.server.common.WebSocketSession;
 
+import io.netty.buffer.Unpooled;
 import io.netty.channel.Channel;
+import io.netty.channel.ChannelFutureListener;
 import io.netty.handler.codec.http.websocketx.BinaryWebSocketFrame;
+import io.netty.handler.codec.http.websocketx.CloseWebSocketFrame;
 import io.netty.handler.codec.http.websocketx.TextWebSocketFrame;
+import io.netty.util.AttributeKey;
 
 final class NettyWebSocketSession implements WebSocketSession {
     private final Channel ch;
@@ -61,25 +65,25 @@ public void sendText(String text) {
 
     @Override
     public void sendBinary(ByteBuffer buf) {
-        io.netty.buffer.ByteBuf bb = io.netty.buffer.Unpooled.wrappedBuffer(buf);
+        io.netty.buffer.ByteBuf bb = Unpooled.wrappedBuffer(buf);
         ch.writeAndFlush(new BinaryWebSocketFrame(bb));
     }
 
     @Override
     public void close(int code, String reason) {
-        ch.writeAndFlush(new io.netty.handler.codec.http.websocketx.CloseWebSocketFrame(code, reason))
-                .addListener(io.netty.channel.ChannelFutureListener.CLOSE);
+        ch.writeAndFlush(new CloseWebSocketFrame(code, reason))
+                .addListener(ChannelFutureListener.CLOSE);
     }
 
     @Override
     public <T> void setAttr(String key, T val) {
-        ch.attr(io.netty.util.AttributeKey.valueOf(key)).set(val);
+        ch.attr(AttributeKey.valueOf(key)).set(val);
     }
 
     @SuppressWarnings("unchecked")
     @Override
     public <T> T getAttr(String key) {
-        return (T) ch.attr(io.netty.util.AttributeKey.valueOf(key)).get();
+        return (T) ch.attr(AttributeKey.valueOf(key)).get();
     }
 
     Channel unwrap() {

framework/websocket-server/src/main/java/org/apache/cloudstack/framework/websocket/server/WebSocketServer.java

@@ -124,11 +124,11 @@ protected SslContext createServerSslContextIfNeeded() throws IllegalArgumentExce
             return null;
         }
         String keystoreFile = ServerPropertiesUtil.getProperty(ServerPropertiesUtil.KEY_KEYSTORE_FILE);
-        String keystorePassword = ServerPropertiesUtil.getProperty(ServerPropertiesUtil.KEY_KEYSTORE_FILE);
+        String keystorePassword = ServerPropertiesUtil.getProperty(ServerPropertiesUtil.KEY_KEYSTORE_PASSWORD);
         if (StringUtils.isBlank(keystoreFile) || StringUtils.isBlank(keystorePassword)) {
             throw new IllegalArgumentException("SSL is enabled but keystore file or password is not configured");
         }
-        if (Files.exists(Path.of(keystoreFile))) {
+        if (!Files.exists(Path.of(keystoreFile))) {
             throw new IllegalArgumentException(String.format("SSL is enabled but keystore file does not exist: %s",
                     keystoreFile));
         }

framework/websocket-server/src/main/java/org/apache/cloudstack/framework/websocket/server/WebSocketServerRoutingHandler.java

@@ -80,7 +80,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
             }
 
             session = new NettyWebSocketSession(ctx.channel(), path, QueryUtils.parse(rawQuery));
-            session.setAttr("remoteAddress", String.valueOf(ctx.channel().remoteAddress()));
+            session.setAttr(WebSocketSession.ATTR_REMOTE_ADDR, String.valueOf(ctx.channel().remoteAddress()));
 
             try {
                 handler.onOpen(session);

framework/websocket-server/src/main/java/org/apache/cloudstack/framework/websocket/server/common/WebSocketSession.java

@@ -21,6 +21,8 @@
 import java.util.Map;
 
 public interface WebSocketSession {
+    String ATTR_REMOTE_ADDR = "remoteAddress";
+
     String id();
 
     String path();

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/LogsWebSession.java

@@ -25,6 +25,8 @@
 import org.apache.cloudstack.api.InternalIdentity;
 
 public interface LogsWebSession extends ControlledEntity, Identity, InternalIdentity {
+    int MAX_FILTERS_LENGTH = 128;
+
     long getId();
     List<String> getFilters();
     long getDomainId();

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/LogsWebSessionApiServiceImpl.java

@@ -42,6 +42,7 @@
 import org.apache.cloudstack.logsws.api.response.LogsWebSessionWebSocketResponse;
 import org.apache.cloudstack.logsws.dao.LogsWebSessionDao;
 import org.apache.cloudstack.logsws.vo.LogsWebSessionVO;
+import org.apache.cloudstack.util.StringListJsonConverter;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections.MapUtils;
@@ -120,12 +121,18 @@ public LogsWebSessionResponse createLogsWebSession(CreateLogsWebSessionCmd cmd)
         if (!accountService.isRootAdmin(caller.getAccountId())) {
             throw new PermissionDeniedException("Invalid request");
         }
-        for (String filter : filters) {
-            if (StringUtils.isBlank(filter)) {
-                throw new InvalidParameterValueException(String.format("Invalid value for parameter - %s",
-                        ApiConstants.FILTERS));
+        if (CollectionUtils.isNotEmpty(filters)) {
+            for (String filter : filters) {
+                if (StringUtils.isBlank(filter)) {
+                    throw new InvalidParameterValueException(String.format("Invalid value for parameter - %s",
+                            ApiConstants.FILTERS));
+                }
+            }
+            if (!StringListJsonConverter.isValidAttribute(filters, LogsWebSession.MAX_FILTERS_LENGTH)) {
+                throw new InvalidParameterValueException("Combined filters length too long");
             }
         }
+
         if (!logsWSManager.canCreateNewLogsWebSession()) {
             throw new CloudRuntimeException("Failed to create Logs Web Session as max session limit reached");
         }

plugins/logs-web-server/src/main/java/org/apache/cloudstack/logsws/LogsWebSessionTokenCryptoUtil.java

@@ -17,44 +17,90 @@
 
 package org.apache.cloudstack.logsws;
 
+import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.SecureRandom;
 import java.util.Base64;
 
 import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
 import com.cloud.serializer.GsonHelper;
 
 public class LogsWebSessionTokenCryptoUtil {
     private static final String ALGORITHM = "AES";
-    private static final String TRANSFORMATION = "AES";
-    private static final String KEY_PREFIX = "Logger";
+    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
 
-    private static String getDesiredLengthKey(String key) {
-        if (key.length() >= 16) {
-            return key.substring(0, 16);
-        }
-        return  KEY_PREFIX.substring(0, 16 - key.length()) + key;
+    private static final int IV_LENGTH_BYTES = 12;
+    private static final int GCM_TAG_LENGTH_BITS = 128;
+    private static final byte TOKEN_VERSION = 1;
+
+    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
+    private static SecretKey deriveKey(String keyMaterial) throws GeneralSecurityException {
+        MessageDigest digest = MessageDigest.getInstance("SHA-256");
+        byte[] hash = digest.digest(keyMaterial.getBytes(StandardCharsets.UTF_8));
+        return new SecretKeySpec(hash, 0, 32, ALGORITHM);
     }
 
-    public static String encrypt(LogsWebSessionTokenPayload payload, String key) throws GeneralSecurityException {
+    public static String encrypt(LogsWebSessionTokenPayload payload, String keyMaterial)
+            throws GeneralSecurityException {
+
         String json = GsonHelper.getGson().toJson(payload);
-        SecretKeySpec secretKey = new SecretKeySpec(getDesiredLengthKey(key).getBytes(StandardCharsets.UTF_8), ALGORITHM);
+        byte[] plaintext = json.getBytes(StandardCharsets.UTF_8);
+
+        SecretKey key = deriveKey(keyMaterial);
+
+        byte[] iv = new byte[IV_LENGTH_BYTES];
+        SECURE_RANDOM.nextBytes(iv);
+
         Cipher cipher = Cipher.getInstance(TRANSFORMATION);
-        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
-        byte[] encrypted = cipher.doFinal(json.getBytes(StandardCharsets.UTF_8));
-        // URL-safe Base64 (no '/' or '+') and remove padding
-        return Base64.getUrlEncoder().withoutPadding().encodeToString(encrypted);
+        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv);
+        cipher.init(Cipher.ENCRYPT_MODE, key, spec);
+
+        byte[] ciphertextWithTag = cipher.doFinal(plaintext);
+        ByteBuffer buffer = ByteBuffer.allocate(1 + IV_LENGTH_BYTES + ciphertextWithTag.length);
+        buffer.put(TOKEN_VERSION);
+        buffer.put(iv);
+        buffer.put(ciphertextWithTag);
+
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(buffer.array());
     }
 
-    public static LogsWebSessionTokenPayload decrypt(String token, String key) throws GeneralSecurityException {
-        byte[] decoded = Base64.getUrlDecoder().decode(token);
-        SecretKeySpec secretKey = new SecretKeySpec(getDesiredLengthKey(key).getBytes(StandardCharsets.UTF_8), ALGORITHM);
+    public static LogsWebSessionTokenPayload decrypt(String token, String keyMaterial)
+            throws GeneralSecurityException {
+
+        byte[] allBytes = Base64.getUrlDecoder().decode(token);
+        ByteBuffer buffer = ByteBuffer.wrap(allBytes);
+
+        if (buffer.remaining() < 1 + IV_LENGTH_BYTES + 1) {
+            throw new GeneralSecurityException("Invalid token format");
+        }
+
+        byte version = buffer.get();
+        if (version != TOKEN_VERSION) {
+            throw new GeneralSecurityException("Unsupported token version: " + version);
+        }
+
+        byte[] iv = new byte[IV_LENGTH_BYTES];
+        buffer.get(iv);
+
+        byte[] ciphertextWithTag = new byte[buffer.remaining()];
+        buffer.get(ciphertextWithTag);
+
+        SecretKey key = deriveKey(keyMaterial);
+
         Cipher cipher = Cipher.getInstance(TRANSFORMATION);
-        cipher.init(Cipher.DECRYPT_MODE, secretKey);
-        byte[] decrypted = cipher.doFinal(decoded);
-        String json = new String(decrypted, StandardCharsets.UTF_8);
+        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv);
+        cipher.init(Cipher.DECRYPT_MODE, key, spec);
+
+        byte[] plaintext = cipher.doFinal(ciphertextWithTag);
+        String json = new String(plaintext, StandardCharsets.UTF_8);
+
         return GsonHelper.getGson().fromJson(json, LogsWebSessionTokenPayload.class);
     }
 }