Updated Branches: refs/heads/4.3 ee82870aa -> 06d2e768b
CLOUDSTACK-5152: when deployVm with SG, verify that vm and sg belong to the same account. Do this verification even when the call is done by the ROOT admin Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/06d2e768 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/06d2e768 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/06d2e768 Branch: refs/heads/4.3 Commit: 06d2e768b61890f69daa197f64d9fb4991523792 Parents: ee82870 Author: Alena Prokharchyk <[email protected]> Authored: Wed Dec 4 11:36:33 2013 -0800 Committer: Alena Prokharchyk <[email protected]> Committed: Wed Dec 4 11:37:24 2013 -0800 ---------------------------------------------------------------------- .../src/com/cloud/user/AccountManagerImpl.java | 33 +++++++++++--------- 1 file changed, 19 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06d2e768/server/src/com/cloud/user/AccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index f8c59e2..8ea495f 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -37,8 +37,6 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; -import org.apache.commons.codec.binary.Base64; -import org.apache.log4j.Logger; import org.apache.cloudstack.acl.ControlledEntity; import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.acl.SecurityChecker; 
@@ -54,6 +52,8 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe import org.apache.cloudstack.framework.config.dao.ConfigurationDao; import org.apache.cloudstack.managed.context.ManagedContextRunnable; import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao; +import org.apache.commons.codec.binary.Base64; +import org.apache.log4j.Logger; import com.cloud.api.ApiDBUtils; import com.cloud.api.query.vo.ControlledViewEntity; @@ -379,6 +379,22 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M @Override public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) { + + //check for the same owner + Long ownerId = null; + ControlledEntity prevEntity = null; + if (sameOwner) { + for (ControlledEntity entity : entities) { + if (sameOwner) { + if (ownerId == null) { + ownerId = entity.getAccountId(); + } else if (ownerId.longValue() != entity.getAccountId()) { + throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts"); + } + prevEntity = entity; + } + } + } if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) { // no need to make permission checks if the system/root admin makes the call 
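Review bot: The inner `if (sameOwner)` inside the new loop in checkAccess repeats the outer guard and can be dropped, leaving the `ownerId` comparison directly in the loop body. Because the loop now runs ahead of the system/root-admin shortcut, a null element in `entities` would raise a NullPointerException on `entity.getAccountId()` for admin callers that presumably returned earlier without reading the entities; no caller is visible in this hunk, so this is worth confirming or guarding. A comment above the block such as `// must stay before the system/root admin shortcut: admins may not mix entities of different accounts either (CLOUDSTACK-5152)` would keep a later refactor from moving the check back below the early return. A unit test that calls checkAccess as a root admin with `sameOwner` true and two entities owned by different accounts would pin the fix. The body of checkAccess continues outside this hunk.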
@@ -389,13 +405,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>(); - Long ownerId = null; - ControlledEntity prevEntity = null; for (ControlledEntity entity : entities) { long domainId = entity.getDomainId(); if (entity.getAccountId() != -1 && domainId == -1) { // If account exists domainId should too so calculate -// it. This condition might be hit for templates or entities which miss domainId in their tables + // it. This condition might be hit for templates or entities which miss domainId in their tables Account account = ApiDBUtils.findAccountById(entity.getAccountId()); domainId = account != null ? account.getDomainId() : -1; } @@ -421,15 +435,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } } - if (sameOwner) { - if (ownerId == null) { - ownerId = entity.getAccountId(); - } else if (ownerId.longValue() != entity.getAccountId()) { - throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts"); - } - prevEntity = entity; - } - if (!granted) { assert false : "How can all of the security checkers pass on checking this check: " + entity; throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
