
Bind port 8096 to 127.0.0.1 #3453

Closed

Conversation

GabrielBrascher
Member

@GabrielBrascher GabrielBrascher commented Jul 1, 2019

Description

CloudStack provides CloudStack API Unauthenticated Access through port 8096. It should not be open to the Internet in any case. If this port is not properly blocked by a firewall it could be really serious.

Fixes: #3450

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

How Has This Been Tested?

Using 8080:
http://public.ip.address.acs:8080/client/api?command=listClusters&response=json&listAll=true&page=1&pagesize=20&_=1556128046728

{"listclustersresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}

Using 8096:
Before the fix
http://public.ip.address.acs:8096/client/api?command=listClusters&response=json&listAll=true&page=1&pagesize=20&_=1556128046728

listed all clusters of the zone

With the fix
I was able to retrieve the clusters of the zone only when sending the API call via the 127.0.0.1 IPv4 address.

curl http://public.ip.address.acs:8096/client/api?command=listClusters&response=json&listAll=true&page=1&pagesize=20&_=1556128046728
[1] 3458
[2] 3459
[3] 3460
[4] 3461
[5] 3462
[2]   Done                    response=json
~$ curl: (7) Failed to connect to public.ip.address.acs port 8096: Connection refused

~$ curl http://localhost:8096/client/api?command=listClusters&response=json&listAll=true&page=1&pagesize=20&_=1556128046728
[1] 3468
[2] 3469
[3] 3470
[4] 3471
[5] 3472
[2]   Done                    response=json

CloudStack provides CloudStack API Unauthenticated Access through port
8096. It should not be open to the Internet in any case. If (for some
reason) this port gets on the wrong "hands" it could be really serious.
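The manual curl checks above, as an added audit helper (example code, not part of this PR or of CloudStack): it sends the same unauthenticated listClusters call from a chosen vantage point and classifies the answer the way the PR's test does (401 on 8080, a cluster list on an exposed 8096, connection refused once 8096 is disabled or bound to loopback). Host names, ports and the sample JSON are assumptions or constructed values.

```python
"""Audit helper for the CloudStack integration API port (8096).

Added example, not part of this PR or of CloudStack. Hosts and ports
passed to probe() are assumptions for illustration.
"""
import json
import socket
import urllib.error
import urllib.request

# Same call the PR description used, minus the cache-busting "_" parameter.
LIST_CLUSTERS = "/client/api?command=listClusters&response=json&listAll=true"


def classify(status, body):
    """Map an HTTP status plus JSON body to an audit verdict.

    'auth_required'  : credentials were demanded (expected on 8080)
    'unauthenticated': clusters were listed with no credentials (the 8096 problem)
    'unexpected'     : anything else, inspect manually
    """
    try:
        resp = json.loads(body).get("listclustersresponse", {})
    except (ValueError, AttributeError):
        return "unexpected"
    if status == 401 or resp.get("errorcode") == 401:
        return "auth_required"
    if status == 200 and "cluster" in resp:
        return "unauthenticated"
    return "unexpected"


def probe(host, port, timeout=5):
    """Issue listClusters without credentials and return a verdict.

    'closed' means nothing answered from this vantage point, which is what
    a management server should report for 8096 from any non-loopback
    address once the port is disabled or bound to 127.0.0.1.
    """
    url = f"http://{host}:{port}{LIST_CLUSTERS}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return classify(r.status, r.read().decode())
    except urllib.error.HTTPError as e:          # 4xx/5xx still carry a body
        return classify(e.code, e.read().decode())
    except (urllib.error.URLError, OSError, socket.timeout):
        return "closed"


def integration_port_enabled(value):
    """integration.api.port semantics from this thread: 0 disables the port."""
    try:
        return int(value) != 0
    except (TypeError, ValueError):
        return False
```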
@GabrielBrascher GabrielBrascher added this to the 4.13.0.0 milestone Jul 1, 2019
@GabrielBrascher GabrielBrascher self-assigned this Jul 1, 2019
@wido wido self-requested a review July 1, 2019 17:56
Contributor

@wido wido left a comment


LGTM based on code

@rohityadavcloud
Member

Port 8096 is disabled by default; its purpose is for testing CloudStack only. This means if the test client/code is not on the mgmt server host then this PR will block any existing testing frameworks or CI systems that assume the previous behaviour since 4.0.

I'm +0 on this PR and have concerns that this may break test and CI systems that assume the old behaviour. @PaulAngus @andrijapanic does Trillian depend on unauthenticated port? I'll check Travis for simulator.

@blueorangutan package

@blueorangutan

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

@blueorangutan

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-71

@rohityadavcloud
Member

@blueorangutan test

@blueorangutan

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@GabrielBrascher
Member Author

@rhtyd port 8096 is not disabled by default. Is there a configuration to disable port 8096?

In case we need it for tests, then I can add to this fix a configuration key to set an IP address to bind 8096 to.

@rohityadavcloud
Member

@GabrielBrascher yes, set integration.api.port to 0 to disable it.

@rohityadavcloud
Member

You can also change the unauthenticated port via integration.api.port

@GabrielBrascher
Member Author

@rhtyd This is weird. Something broke this configuration then. I have it disabled on test environments and I am still able to access the API through 8096.

@rohityadavcloud
Member

@GabrielBrascher tested on 4.11.3.0 rc2, works for me. Do restart if you change the setting; this is only enabled with mvn developer mode. On prod or installations this is disabled by default.

@GabrielBrascher
Member Author

It worked after restarting. However, it was enabled by default. Tested on 4.12 and 4.13-snapshot test environments (some updated from 4.9 -> 4.11 -> 4.12, some installed from scratch with 4.12).

@rohityadavcloud
Member

@GabrielBrascher was it a maven deployed system or installed via rpm/deb packages? It comes disabled by default unless something changed in master or 4.12.

@rohityadavcloud
Member

I think it's not an issue. Can you close this PR and the issue, @GabrielBrascher?

@rohityadavcloud rohityadavcloud removed this from the 4.13.0.0 milestone Jul 2, 2019
@GabrielBrascher
Member Author

@rhtyd I will close this PR for now then, thanks for the feedback.
However, I did look around and could find such an issue (8096 enabled) even on 4.9.3 ACS. I deployed all test environments via deb packages. I will double check on that.

Development

Successfully merging this pull request may close these issues.

Port 8096 allows unauthenticated access from any IP.