[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10175?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16305197#comment-16305197
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10175:
---------------------------------------------

rhtyd closed pull request #2352: CLOUDSTACK-10175: prevent VPC list leakage
URL: https://github.com/apache/cloudstack/pull/2352
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/server/src/com/cloud/user/AccountManagerImpl.java 
b/server/src/com/cloud/user/AccountManagerImpl.java
index e3209474563..294bc6e84ef 100644
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -16,6 +16,54 @@
 // under the License.
 package com.cloud.user;
 
+import java.net.InetAddress;
+import java.net.URLEncoder;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.QuerySelector;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.affinity.AffinityGroup;
+import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
+import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
+import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
+import org.apache.cloudstack.context.CallContext;
+import 
org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.framework.messagebus.MessageBus;
+import org.apache.cloudstack.framework.messagebus.PublishScope;
+import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
+import org.apache.cloudstack.utils.baremetal.BaremetalUtils;
+
 import com.cloud.api.ApiDBUtils;
 import com.cloud.api.query.vo.ControlledViewEntity;
 import com.cloud.configuration.Config;
@@ -123,53 +171,6 @@
 import com.cloud.vm.snapshot.VMSnapshotManager;
 import com.cloud.vm.snapshot.VMSnapshotVO;
 import com.cloud.vm.snapshot.dao.VMSnapshotDao;
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.acl.QuerySelector;
-import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.affinity.AffinityGroup;
-import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
-import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
-import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
-import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
-import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
-import org.apache.cloudstack.context.CallContext;
-import 
org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.cloudstack.framework.messagebus.MessageBus;
-import org.apache.cloudstack.framework.messagebus.PublishScope;
-import org.apache.cloudstack.managed.context.ManagedContextRunnable;
-import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import org.apache.cloudstack.utils.baremetal.BaremetalUtils;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang.StringUtils;
-import org.apache.log4j.Logger;
-
-import javax.crypto.KeyGenerator;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-import java.net.InetAddress;
-import java.net.URLEncoder;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.UUID;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
-
-
 
 public class AccountManagerImpl extends ManagerBase implements AccountManager, 
Manager {
     public static final Logger s_logger = 
Logger.getLogger(AccountManagerImpl.class);
@@ -350,7 +351,7 @@ public boolean configure(final String name, final 
Map<String, Object> params) th
     public UserVO getSystemUser() {
         if (_systemUser == null) {
             _systemUser = _userDao.findById(User.UID_SYSTEM);
-    }
+        }
         return _systemUser;
     }
 
@@ -493,7 +494,6 @@ public void checkAccess(Account caller, Domain domain) 
throws PermissionDeniedEx
         throw new PermissionDeniedException("There's no way to confirm " + 
caller + " has access to " + domain);
     }
 
-
     @Override
     public void checkAccess(Account caller, AccessType accessType, boolean 
sameOwner, ControlledEntity... entities) {
         checkAccess(caller, accessType, sameOwner, null, entities);
@@ -535,8 +535,8 @@ public void checkAccess(Account caller, AccessType 
accessType, boolean sameOwner
                 Account account = 
ApiDBUtils.findAccountById(entity.getAccountId());
                 domainId = account != null ? account.getDomainId() : -1;
             }
-            if (entity.getAccountId() != -1 && domainId != -1 && !(entity 
instanceof VirtualMachineTemplate) &&
-                !(entity instanceof Network && accessType != null && 
accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
+            if (entity.getAccountId() != -1 && domainId != -1 && !(entity 
instanceof VirtualMachineTemplate)
+                    && !(entity instanceof Network && accessType != null && 
accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
                 List<ControlledEntity> toBeChecked = 
domains.get(entity.getDomainId());
                 // for templates, we don't have to do cross domains check
                 if (toBeChecked == null) {
@@ -614,13 +614,13 @@ public void updateLoginAttempts(final Long id, final int 
attempts, final boolean
             Transaction.execute(new TransactionCallbackNoReturn() {
                 @Override
                 public void doInTransactionWithoutResult(TransactionStatus 
status) {
-            UserAccountVO user = null;
-            user = _userAccountDao.lockRow(id, true);
-            user.setLoginAttempts(attempts);
+                    UserAccountVO user = null;
+                    user = _userAccountDao.lockRow(id, true);
+                    user.setLoginAttempts(attempts);
                     if (toDisable) {
-                user.setState(State.disabled.toString());
-            }
-            _userAccountDao.update(id, user);
+                        user.setState(State.disabled.toString());
+                    }
+                    _userAccountDao.update(id, user);
                 }
             });
         } catch (Exception e) {
@@ -855,9 +855,7 @@ protected boolean cleanupAccount(AccountVO account, long 
callerUserId, Account c
                 for (IpAddress ip : ipsToRelease) {
                     s_logger.debug("Releasing ip " + ip + " as a part of 
account id=" + accountId + " cleanup");
                     if (!_ipAddrMgr.disassociatePublicIpAddress(ip.getId(), 
callerUserId, caller)) {
-                        s_logger.warn("Failed to release ip address " + ip
-                                + " as a part of account id=" + accountId
-                                + " clenaup");
+                        s_logger.warn("Failed to release ip address " + ip + " 
as a part of account id=" + accountId + " clenaup");
                         accountCleanupNeeded = true;
                     }
                 }
@@ -900,8 +898,8 @@ protected boolean cleanupAccount(AccountVO account, long 
callerUserId, Account c
             List<? extends IpAddress> ipsToRelease = 
_ipAddressDao.listByAccount(accountId);
             for (IpAddress ip : ipsToRelease) {
                 if (ip.isPortable()) {
-                s_logger.debug("Releasing portable ip " + ip + " as a part of 
account id=" + accountId + " cleanup");
-                _ipAddrMgr.releasePortableIpAddress(ip.getId());
+                    s_logger.debug("Releasing portable ip " + ip + " as a part 
of account id=" + accountId + " cleanup");
+                    _ipAddrMgr.releasePortableIpAddress(ip.getId());
                 }
             }
 
@@ -930,7 +928,7 @@ protected boolean cleanupAccount(AccountVO account, long 
callerUserId, Account c
 
             // Delete ssh keypairs
             List<SSHKeyPairVO> sshkeypairs = 
_sshKeyPairDao.listKeyPairs(accountId, account.getDomainId());
-            for (SSHKeyPairVO keypair: sshkeypairs) {
+            for (SSHKeyPairVO keypair : sshkeypairs) {
                 _sshKeyPairDao.remove(keypair.getId());
             }
             return true;
@@ -994,9 +992,7 @@ private boolean doDisableAccount(long accountId) throws 
ConcurrentOperationExcep
                 try {
                     _itMgr.advanceStop(vm.getUuid(), false);
                 } catch (OperationTimedoutException ote) {
-                    s_logger.warn(
-                            "Operation for stopping vm timed out, unable to 
stop vm "
-                                    + vm.getHostName(), ote);
+                    s_logger.warn("Operation for stopping vm timed out, unable 
to stop vm " + vm.getHostName(), ote);
                     success = false;
                 }
             } catch (AgentUnavailableException aue) {
@@ -1009,15 +1005,14 @@ private boolean doDisableAccount(long accountId) throws 
ConcurrentOperationExcep
     }
 
     @Override
-    @ActionEvents({
-        @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, 
eventDescription = "creating Account"),
-        @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, 
eventDescription = "creating User")
-    })
+    @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, 
eventDescription = "creating Account"),
+            @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, 
eventDescription = "creating User")})
     public UserAccount createUserAccount(final String userName, final String 
password, final String firstName, final String lastName, final String email, 
final String timezone,
-            String accountName, final short accountType, final Long roleId, 
Long domainId, final String networkDomain, final Map<String, String> details, 
String accountUUID, final String userUUID) {
+            String accountName, final short accountType, final Long roleId, 
Long domainId, final String networkDomain, final Map<String, String> details, 
String accountUUID,
+            final String userUUID) {
 
-        return createUserAccount(userName, password, firstName, lastName, 
email, timezone, accountName, accountType, roleId, domainId, networkDomain, 
details, accountUUID, userUUID,
-                User.Source.UNKNOWN);
+        return createUserAccount(userName, password, firstName, lastName, 
email, timezone, accountName, accountType, roleId, domainId, networkDomain, 
details, accountUUID,
+                userUUID, User.Source.UNKNOWN);
     }
 
     // ///////////////////////////////////////////////////
@@ -1026,13 +1021,11 @@ public UserAccount createUserAccount(final String 
userName, final String passwor
 
     @Override
     @DB
-    @ActionEvents({
-        @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, 
eventDescription = "creating Account"),
-        @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, 
eventDescription = "creating User")
-    })
-    public UserAccount createUserAccount(final String userName, final String 
password, final String firstName, final String lastName, final String email,
-        final String timezone, String accountName, final short accountType, 
final Long roleId, Long domainId, final String networkDomain, final Map<String, 
String> details,
-        String accountUUID, final String userUUID, final User.Source source) {
+    @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, 
eventDescription = "creating Account"),
+            @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, 
eventDescription = "creating User")})
+    public UserAccount createUserAccount(final String userName, final String 
password, final String firstName, final String lastName, final String email, 
final String timezone,
+            String accountName, final short accountType, final Long roleId, 
Long domainId, final String networkDomain, final Map<String, String> details, 
String accountUUID,
+            final String userUUID, final User.Source source) {
 
         if (accountName == null) {
             accountName = userName;
@@ -1120,8 +1113,8 @@ public UserAccount createUserAccount(final String 
userName, final String passwor
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = 
"creating User")
-    public UserVO createUser(String userName, String password, String 
firstName, String lastName, String email, String timeZone, String accountName, 
Long domainId,
-                             String userUUID, User.Source source) {
+    public UserVO createUser(String userName, String password, String 
firstName, String lastName, String email, String timeZone, String accountName, 
Long domainId, String userUUID,
+            User.Source source) {
         // default domain to ROOT if not specified
         if (domainId == null) {
             domainId = Domain.ROOT_DOMAIN;
@@ -1156,14 +1149,15 @@ public UserVO createUser(String userName, String 
password, String firstName, Str
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = 
"creating User")
     public UserVO createUser(String userName, String password, String 
firstName, String lastName, String email, String timeZone, String accountName, 
Long domainId,
-        String userUUID) {
+            String userUUID) {
 
-        return createUser(userName, password, firstName,lastName, email, 
timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN);
+        return createUser(userName, password, firstName, lastName, email, 
timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN);
     }
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = 
"updating User")
-    public UserAccount updateUser(Long userId, String firstName, String 
lastName, String email, String userName, String password, String apiKey, String 
secretKey, String timeZone) {
+    public UserAccount updateUser(Long userId, String firstName, String 
lastName, String email, String userName, String password, String apiKey, String 
secretKey,
+            String timeZone) {
         // Input validation
         UserVO user = _userDao.getUser(userId);
 
@@ -1298,7 +1292,7 @@ public UserAccount updateUser(UpdateUserCmd cmd) {
         String timeZone = cmd.getTimezone();
         String userName = cmd.getUsername();
 
-       return updateUser(id, firstName, lastName, email, userName, password, 
apiKey, secretKey, timeZone);
+        return updateUser(id, firstName, lastName, email, userName, password, 
apiKey, secretKey, timeZone);
     }
 
     @Override
@@ -1556,8 +1550,7 @@ public AccountVO lockAccount(String accountName, Long 
domainId, Long accountId)
         }
 
         if (account == null || account.getType() == 
Account.ACCOUNT_TYPE_PROJECT) {
-            throw new InvalidParameterValueException("Unable to find active 
account by accountId: " + accountId + " OR by name: " + accountName + " in 
domain " +
-                domainId);
+            throw new InvalidParameterValueException("Unable to find active 
account by accountId: " + accountId + " OR by name: " + accountName + " in 
domain " + domainId);
         }
 
         if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
@@ -1645,8 +1638,8 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) {
                                                                                
         // to
                                                                                
         // update
                                                                                
         // itself
-            throw new InvalidParameterValueException("There already exists an 
account with the name:" + newAccountName + " in the domain:" + domainId +
-                " with existing account id:" + duplicateAcccount.getId());
+            throw new InvalidParameterValueException(
+                    "There already exists an account with the name:" + 
newAccountName + " in the domain:" + domainId + " with existing account id:" + 
duplicateAcccount.getId());
         }
 
         if (networkDomain != null && !networkDomain.isEmpty()) {
@@ -1674,9 +1667,9 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) {
             public Boolean doInTransaction(TransactionStatus status) {
                 boolean success = _accountDao.update(accountFinal.getId(), 
acctForUpdate);
 
-        if (details != null && success) {
+                if (details != null && success) {
                     _accountDetailsDao.update(accountFinal.getId(), details);
-        }
+                }
 
                 return success;
             }
@@ -1919,8 +1912,8 @@ public void markUserRegistered(long userId) {
 
     @Override
     @DB
-    public AccountVO createAccount(final String accountName, final short 
accountType, final Long roleId, final Long domainId, final String 
networkDomain, final Map<String, String> details,
-        final String uuid) {
+    public AccountVO createAccount(final String accountName, final short 
accountType, final Long roleId, final Long domainId, final String networkDomain,
+            final Map<String, String> details, final String uuid) {
         // Validate domain
         Domain domain = _domainMgr.getDomain(domainId);
         if (domain == null) {
@@ -1932,7 +1925,8 @@ public AccountVO createAccount(final String accountName, 
final short accountType
         }
 
         if ((domainId != Domain.ROOT_DOMAIN) && (accountType == 
Account.ACCOUNT_TYPE_ADMIN)) {
-            throw new InvalidParameterValueException("Invalid account type " + 
accountType + " given for an account in domain " + domainId + "; unable to 
create user of admin role type in non-ROOT domain.");
+            throw new InvalidParameterValueException(
+                    "Invalid account type " + accountType + " given for an 
account in domain " + domainId + "; unable to create user of admin role type in 
non-ROOT domain.");
         }
 
         // Validate account/user/domain settings
@@ -1964,37 +1958,37 @@ public AccountVO createAccount(final String 
accountName, final short accountType
         return Transaction.execute(new TransactionCallback<AccountVO>() {
             @Override
             public AccountVO doInTransaction(TransactionStatus status) {
-        AccountVO account = _accountDao.persist(new AccountVO(accountName, 
domainId, networkDomain, accountType, roleId, uuid));
+                AccountVO account = _accountDao.persist(new 
AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid));
 
-        if (account == null) {
-            throw new CloudRuntimeException("Failed to create account name " + 
accountName + " in domain id=" + domainId);
-        }
+                if (account == null) {
+                    throw new CloudRuntimeException("Failed to create account 
name " + accountName + " in domain id=" + domainId);
+                }
 
-        Long accountId = account.getId();
+                Long accountId = account.getId();
 
-        if (details != null) {
-            _accountDetailsDao.persist(accountId, details);
-        }
+                if (details != null) {
+                    _accountDetailsDao.persist(accountId, details);
+                }
 
-        // Create resource count records for the account
-        _resourceCountDao.createResourceCounts(accountId, 
ResourceLimit.ResourceOwnerType.Account);
+                // Create resource count records for the account
+                _resourceCountDao.createResourceCounts(accountId, 
ResourceLimit.ResourceOwnerType.Account);
 
-        // Create default security group
-        _networkGroupMgr.createDefaultSecurityGroup(accountId);
+                // Create default security group
+                _networkGroupMgr.createDefaultSecurityGroup(accountId);
 
-        return account;
-    }
+                return account;
+            }
         });
     }
 
     protected UserVO createUser(long accountId, String userName, String 
password, String firstName, String lastName, String email, String timezone, 
String userUUID,
-                                User.Source source) {
+            User.Source source) {
         if (s_logger.isDebugEnabled()) {
             s_logger.debug("Creating user: " + userName + ", accountId: " + 
accountId + " timezone:" + timezone);
         }
 
         String encodedPassword = null;
-        for (UserAuthenticator  authenticator : _userPasswordEncoders) {
+        for (UserAuthenticator authenticator : _userPasswordEncoders) {
             encodedPassword = authenticator.encode(password);
             if (encodedPassword != null) {
                 break;
@@ -2005,7 +1999,7 @@ protected UserVO createUser(long accountId, String 
userName, String password, St
         }
 
         if (userUUID == null) {
-            userUUID =  UUID.randomUUID().toString();
+            userUUID = UUID.randomUUID().toString();
         }
         UserVO user = _userDao.persist(new UserVO(accountId, userName, 
encodedPassword, firstName, lastName, email, timezone, userUUID, source));
         CallContext.current().putContextParameter(User.class, user.getUuid());
@@ -2135,8 +2129,8 @@ public UserAccount authenticateUser(String username, 
String password, Long domai
                 s_logger.debug("User: " + username + " in domain " + domainId 
+ " has successfully logged in");
             }
 
-            ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), 
user.getDomainId(), EventTypes.EVENT_USER_LOGIN, "user has logged in from IP 
Address " +
-                    loginIpAddress);
+            ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), 
user.getDomainId(), EventTypes.EVENT_USER_LOGIN,
+                    "user has logged in from IP Address " + loginIpAddress);
 
             return user;
         } else {
@@ -2155,10 +2149,10 @@ private UserAccount getUserAccount(String username, 
String password, Long domain
 
         boolean authenticated = false;
         HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthenticaion = 
new HashSet<ActionOnFailedAuthentication>();
-        User.Source userSource = userAccount != null ? 
userAccount.getSource(): User.Source.UNKNOWN;
+        User.Source userSource = userAccount != null ? userAccount.getSource() 
: User.Source.UNKNOWN;
         for (UserAuthenticator authenticator : _userAuthenticators) {
-            if(userSource != User.Source.UNKNOWN) {
-                
if(!authenticator.getName().equalsIgnoreCase(userSource.name())){
+            if (userSource != User.Source.UNKNOWN) {
+                if 
(!authenticator.getName().equalsIgnoreCase(userSource.name())) {
                     continue;
                 }
             }
@@ -2182,12 +2176,12 @@ private UserAccount getUserAccount(String username, 
String password, Long domain
             }
             userAccount = _userAccountDao.getUserAccount(username, domainId);
 
-            if 
(!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) ||
-                
!userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString()))
 {
+            if 
(!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || 
!userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString()))
 {
                 if (s_logger.isInfoEnabled()) {
                     s_logger.info("User " + username + " in domain " + 
domainName + " is disabled/locked (or account is disabled/locked)");
                 }
-                throw new CloudAuthenticationException("User " + username + " 
(or their account) in domain " + domainName + " is disabled/locked. Please 
contact the administrator.");
+                throw new CloudAuthenticationException(
+                        "User " + username + " (or their account) in domain " 
+ domainName + " is disabled/locked. Please contact the administrator.");
             }
             // Whenever the user is able to log in successfully, reset the 
login attempts to zero
             if (!isInternalAccount(userAccount.getId()))
@@ -2231,17 +2225,17 @@ private UserAccount getUserAccount(String username, 
String password, Long domain
     }
 
     @Override
-    public Map<String, String> getKeys(GetUserKeysCmd cmd){
+    public Map<String, String> getKeys(GetUserKeysCmd cmd) {
         final long userId = cmd.getID();
 
         User user = getActiveUser(userId);
-        if(user==null){
+        if (user == null) {
             throw new InvalidParameterValueException("Unable to find user by 
id");
         }
         final ControlledEntity account = 
getAccount(getUserAccountById(userId).getAccountId()); //Extracting the Account 
from the userID of the requested user.
         checkAccess(CallContext.current().getCallingUser(), account);
 
-        Map <String, String> keys = new HashMap<String, String>();
+        Map<String, String> keys = new HashMap<String, String>();
         keys.put("apikey", user.getApiKey());
         keys.put("secretkey", user.getSecretKey());
 
@@ -2277,8 +2271,8 @@ private UserAccount getUserAccount(String username, 
String password, Long domain
         Transaction.execute(new TransactionCallbackNoReturn() {
             @Override
             public void doInTransactionWithoutResult(TransactionStatus status) 
{
-        keys[0] = createUserApiKey(userId);
-        keys[1] = createUserSecretKey(userId);
+                keys[0] = createUserApiKey(userId);
+                keys[1] = createUserSecretKey(userId);
             }
         });
 
@@ -2359,18 +2353,16 @@ private String createUserSecretKey(long userId) {
         return null;
     }
 
-
-
     @Override
-    public void buildACLSearchBuilder(SearchBuilder<? extends 
ControlledEntity> sb,
-            Long domainId, boolean isRecursive, List<Long> permittedAccounts, 
ListProjectResourcesCriteria listProjectResourcesCriteria) {
+    public void buildACLSearchBuilder(SearchBuilder<? extends 
ControlledEntity> sb, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
 
         if (sb.entity() instanceof IPAddressVO) {
-            sb.and("accountIdIN", ((IPAddressVO) 
sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
-            sb.and("domainId", ((IPAddressVO) 
sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
+            sb.and("accountIdIN", 
((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
+            sb.and("domainId", 
((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
         } else if (sb.entity() instanceof ProjectInvitationVO) {
-            sb.and("accountIdIN", ((ProjectInvitationVO) 
sb.entity()).getForAccountId(), SearchCriteria.Op.IN);
-            sb.and("domainId", ((ProjectInvitationVO) 
sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
+            sb.and("accountIdIN", 
((ProjectInvitationVO)sb.entity()).getForAccountId(), SearchCriteria.Op.IN);
+            sb.and("domainId", 
((ProjectInvitationVO)sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
         } else {
             sb.and("accountIdIN", sb.entity().getAccountId(), 
SearchCriteria.Op.IN);
             sb.and("domainId", sb.entity().getDomainId(), 
SearchCriteria.Op.EQ);
@@ -2382,9 +2374,9 @@ public void buildACLSearchBuilder(SearchBuilder<? extends 
ControlledEntity> sb,
             domainSearch.and("path", domainSearch.entity().getPath(), 
SearchCriteria.Op.LIKE);
 
             if (sb.entity() instanceof IPAddressVO) {
-                sb.join("domainSearch", domainSearch, ((IPAddressVO) 
sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), 
JoinBuilder.JoinType.INNER);
+                sb.join("domainSearch", domainSearch, 
((IPAddressVO)sb.entity()).getAllocatedInDomainId(), 
domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else if (sb.entity() instanceof ProjectInvitationVO) {
-                sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) 
sb.entity()).getInDomainId(), domainSearch.entity().getId(), 
JoinBuilder.JoinType.INNER);
+                sb.join("domainSearch", domainSearch, 
((ProjectInvitationVO)sb.entity()).getInDomainId(), 
domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else {
                 sb.join("domainSearch", domainSearch, 
sb.entity().getDomainId(), domainSearch.entity().getId(), 
JoinBuilder.JoinType.INNER);
             }
@@ -2399,9 +2391,9 @@ public void buildACLSearchBuilder(SearchBuilder<? extends 
ControlledEntity> sb,
             }
 
             if (sb.entity() instanceof IPAddressVO) {
-                sb.join("accountSearch", accountSearch, ((IPAddressVO) 
sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), 
JoinBuilder.JoinType.INNER);
+                sb.join("accountSearch", accountSearch, 
((IPAddressVO)sb.entity()).getAllocatedToAccountId(), 
accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else if (sb.entity() instanceof ProjectInvitationVO) {
-                sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) 
sb.entity()).getForAccountId(), accountSearch.entity().getId(), 
JoinBuilder.JoinType.INNER);
+                sb.join("accountSearch", accountSearch, 
((ProjectInvitationVO)sb.entity()).getForAccountId(), 
accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else {
                 sb.join("accountSearch", accountSearch, 
sb.entity().getAccountId(), accountSearch.entity().getId(), 
JoinBuilder.JoinType.INNER);
             }
@@ -2409,8 +2401,8 @@ public void buildACLSearchBuilder(SearchBuilder<? extends 
ControlledEntity> sb,
     }
 
     @Override
-    public void buildACLSearchCriteria(SearchCriteria<? extends 
ControlledEntity> sc,
-            Long domainId, boolean isRecursive, List<Long> permittedAccounts, 
ListProjectResourcesCriteria listProjectResourcesCriteria) {
+    public void buildACLSearchCriteria(SearchCriteria<? extends 
ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
 
         if (listProjectResourcesCriteria != null) {
             sc.setJoinParameters("accountSearch", "type", 
Account.ACCOUNT_TYPE_PROJECT);
@@ -2472,6 +2464,11 @@ public void buildACLSearchParameters(Account caller, 
Long id, String accountName
                 if (projectId.longValue() == -1) {
                     if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                         
permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
+
+                        //permittedAccounts can be empty when the caller is 
not a part of any project (a domain account)
+                        if (permittedAccounts.isEmpty()) {
+                            permittedAccounts.add(caller.getId());
+                        }
                     } else {
                         
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
                     }
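Review bot: The new `if (permittedAccounts.isEmpty())` fallback closes the leak only on this `ACCOUNT_TYPE_NORMAL` / `projectId == -1` branch, and its comment says when the list is empty but not why that is dangerous. Going by the issue title, an empty `permittedAccounts` appears to be read downstream as "no account filter", so any other path that leaves the list empty would presumably fail open in the same way; that is inferred, since the criteria code is not in this hunk. I would state the invariant in the comment, e.g. `// An empty permittedAccounts is treated as "no account filter" by the ACL search; fall back to the caller's own account so the listing stays scoped to the caller`. A regression test that lists with projectId -1 as a normal account with no project membership, and asserts that only the caller's own resources come back, would pin the fix. The body of buildACLSearchParameters starts and ends outside the hunk, so the other branches could not be checked here.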
@@ -2516,10 +2513,9 @@ public void buildACLSearchParameters(Account caller, 
Long id, String accountName
 
     }
 
-
     @Override
-    public void buildACLViewSearchBuilder(SearchBuilder<? extends 
ControlledViewEntity> sb, Long domainId,
-            boolean isRecursive, List<Long> permittedAccounts, 
ListProjectResourcesCriteria listProjectResourcesCriteria) {
+    public void buildACLViewSearchBuilder(SearchBuilder<? extends 
ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
 
         sb.and("accountIdIN", sb.entity().getAccountId(), 
SearchCriteria.Op.IN);
         sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
@@ -2540,10 +2536,9 @@ public void buildACLViewSearchBuilder(SearchBuilder<? 
extends ControlledViewEnti
 
     }
 
-
     @Override
-    public void buildACLViewSearchCriteria(SearchCriteria<? extends 
ControlledViewEntity> sc,
-            Long domainId, boolean isRecursive, List<Long> permittedAccounts, 
ListProjectResourcesCriteria listProjectResourcesCriteria) {
+    public void buildACLViewSearchCriteria(SearchCriteria<? extends 
ControlledViewEntity> sc, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
         if (listProjectResourcesCriteria != null) {
             sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
         }
@@ -2561,13 +2556,11 @@ public void buildACLViewSearchCriteria(SearchCriteria<? 
extends ControlledViewEn
 
     }
 
-
     @Override
     public UserAccount getUserByApiKey(String apiKey) {
         return _userAccountDao.getUserByApiKey(apiKey);
     }
 
-
     @Override
     public List<String> listAclGroupsByAccount(Long accountId) {
         if (_querySelectors == null || _querySelectors.size() == 0)
@@ -2594,8 +2587,8 @@ public Long finalyzeAccountId(final String accountName, 
final Long domainId, fin
                 if (!enabledOnly || account.getState() == 
Account.State.enabled) {
                     return account.getId();
                 } else {
-                    throw new PermissionDeniedException("Can't add resources 
to the account id=" + account.getId() + " in state=" + account.getState() +
-                            " as it's no longer active");
+                    throw new PermissionDeniedException(
+                            "Can't add resources to the account id=" + 
account.getId() + " in state=" + account.getState() + " as it's no longer 
active");
                 }
             } else {
                 // idList is not used anywhere, so removed it now
@@ -2611,9 +2604,8 @@ public Long finalyzeAccountId(final String accountName, 
final Long domainId, fin
                 if (!enabledOnly || project.getState() == 
Project.State.Active) {
                     return project.getProjectAccountId();
                 } else {
-                    final PermissionDeniedException ex =
-                            new PermissionDeniedException("Can't add resources 
to the project with specified projectId in state=" + project.getState() +
-                                    " as it's no longer active");
+                    final PermissionDeniedException ex = new 
PermissionDeniedException(
+                            "Can't add resources to the project with specified 
projectId in state=" + project.getState() + " as it's no longer active");
                     ex.addProxyObject(project.getUuid(), "projectId");
                     throw ex;
                 }
@@ -2630,8 +2622,7 @@ public UserAccount getUserAccountById(Long userId) {
     }
 
     @Override
-    public void checkAccess(Account account, ServiceOffering so)
-            throws PermissionDeniedException {
+    public void checkAccess(Account account, ServiceOffering so) throws 
PermissionDeniedException {
         for (SecurityChecker checker : _securityCheckers) {
             if (checker.checkAccess(account, so)) {
                 if (s_logger.isDebugEnabled()) {
@@ -2646,8 +2637,7 @@ public void checkAccess(Account account, ServiceOffering 
so)
     }
 
     @Override
-    public void checkAccess(Account account, DiskOffering dof)
-            throws PermissionDeniedException {
+    public void checkAccess(Account account, DiskOffering dof) throws 
PermissionDeniedException {
         for (SecurityChecker checker : _securityCheckers) {
             if (checker.checkAccess(account, dof)) {
                 if (s_logger.isDebugEnabled()) {
@@ -2662,11 +2652,10 @@ public void checkAccess(Account account, DiskOffering 
dof)
     }
 
     @Override
-    public void checkAccess(User user, ControlledEntity entity)
-        throws PermissionDeniedException {
-        for(SecurityChecker checker : _securityCheckers){
-            if(checker.checkAccess(user,entity)){
-                if(s_logger.isDebugEnabled()){
+    public void checkAccess(User user, ControlledEntity entity) throws 
PermissionDeniedException {
+        for (SecurityChecker checker : _securityCheckers) {
+            if (checker.checkAccess(user, entity)) {
+                if (s_logger.isDebugEnabled()) {
                     s_logger.debug("Access granted to " + user + "to " + 
entity + "by " + checker.getName());
                 }
                 return;
@@ -2682,6 +2671,6 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[]{UseSecretKeyInResponse};
+        return new ConfigKey<?>[] {UseSecretKeyInResponse};
     }
 }


 



> Listing VPCs with a domain account and project id -1 returns all the VPCs in 
> the syste
> --------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10175
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10175
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.10.0.0
>            Reporter: Khosrow Moossavi
>             Fix For: Future
>
>



