[ https://issues.apache.org/jira/browse/CLOUDSTACK-10175?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16305197#comment-16305197 ]
ASF GitHub Bot commented on CLOUDSTACK-10175: --------------------------------------------- rhtyd closed pull request #2352: CLOUDSTACK-10175: prevent VPC list leakage URL: https://github.com/apache/cloudstack/pull/2352 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index e3209474563..294bc6e84ef 100644 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -16,6 +16,54 @@ // under the License. package com.cloud.user; +import java.net.InetAddress; +import java.net.URLEncoder; +import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.UUID; +import java.util.concurrent.Executors; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.TimeUnit; + +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import javax.inject.Inject; +import javax.naming.ConfigurationException; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; + +import org.apache.cloudstack.acl.ControlledEntity; +import org.apache.cloudstack.acl.QuerySelector; +import org.apache.cloudstack.acl.RoleType; +import org.apache.cloudstack.acl.SecurityChecker; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.affinity.AffinityGroup; +import org.apache.cloudstack.affinity.dao.AffinityGroupDao; +import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; +import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd; +import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd; +import org.apache.cloudstack.api.command.admin.user.RegisterCmd; +import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; +import org.apache.cloudstack.context.CallContext; +import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; +import org.apache.cloudstack.framework.config.ConfigKey; +import org.apache.cloudstack.framework.config.dao.ConfigurationDao; +import org.apache.cloudstack.framework.messagebus.MessageBus; +import org.apache.cloudstack.framework.messagebus.PublishScope; +import org.apache.cloudstack.managed.context.ManagedContextRunnable; +import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao; +import org.apache.cloudstack.utils.baremetal.BaremetalUtils; + import com.cloud.api.ApiDBUtils; import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.configuration.Config; @@ -123,53 +171,6 @@ import com.cloud.vm.snapshot.VMSnapshotManager; import com.cloud.vm.snapshot.VMSnapshotVO; import com.cloud.vm.snapshot.dao.VMSnapshotDao; -import org.apache.cloudstack.acl.ControlledEntity; -import org.apache.cloudstack.acl.QuerySelector; -import org.apache.cloudstack.acl.RoleType; -import org.apache.cloudstack.acl.SecurityChecker; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.affinity.AffinityGroup; -import org.apache.cloudstack.affinity.dao.AffinityGroupDao; -import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; -import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd; -import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd; -import org.apache.cloudstack.api.command.admin.user.RegisterCmd; -import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; -import org.apache.cloudstack.framework.config.ConfigKey; -import org.apache.cloudstack.framework.config.dao.ConfigurationDao; -import org.apache.cloudstack.framework.messagebus.MessageBus; -import org.apache.cloudstack.framework.messagebus.PublishScope; -import org.apache.cloudstack.managed.context.ManagedContextRunnable; -import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao; -import org.apache.cloudstack.utils.baremetal.BaremetalUtils; -import org.apache.commons.codec.binary.Base64; -import org.apache.commons.lang.StringUtils; -import org.apache.log4j.Logger; - -import javax.crypto.KeyGenerator; -import javax.crypto.Mac; -import javax.crypto.SecretKey; -import javax.crypto.spec.SecretKeySpec; -import javax.inject.Inject; -import javax.naming.ConfigurationException; -import java.net.InetAddress; -import java.net.URLEncoder; -import java.security.NoSuchAlgorithmException; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import java.util.UUID; -import java.util.concurrent.Executors; -import java.util.concurrent.ScheduledExecutorService; -import java.util.concurrent.TimeUnit; - - public class AccountManagerImpl extends ManagerBase implements AccountManager, Manager { public static final Logger s_logger = Logger.getLogger(AccountManagerImpl.class); @@ -350,7 +351,7 @@ public boolean configure(final String name, final Map<String, Object> params) th public UserVO getSystemUser() { if (_systemUser == null) { _systemUser = _userDao.findById(User.UID_SYSTEM); - } + } return _systemUser; } @@ -493,7 +494,6 @@ public void checkAccess(Account caller, Domain domain) throws PermissionDeniedEx throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + domain); } - @Override public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) { checkAccess(caller, accessType, sameOwner, null, entities); @@ -535,8 +535,8 @@ public void checkAccess(Account caller, AccessType accessType, boolean sameOwner Account account = ApiDBUtils.findAccountById(entity.getAccountId()); domainId = account != null ? account.getDomainId() : -1; } - if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && - !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) { + if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) + && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) { List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId()); // for templates, we don't have to do cross domains check if (toBeChecked == null) { @@ -614,13 +614,13 @@ public void updateLoginAttempts(final Long id, final int attempts, final boolean Transaction.execute(new TransactionCallbackNoReturn() { @Override public void doInTransactionWithoutResult(TransactionStatus status) { - UserAccountVO user = null; - user = _userAccountDao.lockRow(id, true); - user.setLoginAttempts(attempts); + UserAccountVO user = null; + user = _userAccountDao.lockRow(id, true); + user.setLoginAttempts(attempts); if (toDisable) { - user.setState(State.disabled.toString()); - } - _userAccountDao.update(id, user); + user.setState(State.disabled.toString()); + } + _userAccountDao.update(id, user); } }); } catch (Exception e) { @@ -855,9 +855,7 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId, Account c for (IpAddress ip : ipsToRelease) { s_logger.debug("Releasing ip " + ip + " as a part of account id=" + accountId + " cleanup"); if (!_ipAddrMgr.disassociatePublicIpAddress(ip.getId(), callerUserId, caller)) { - s_logger.warn("Failed to release ip address " + ip - + " as a part of account id=" + accountId - + " clenaup"); + s_logger.warn("Failed to release ip address " + ip + " as a part of account id=" + accountId + " clenaup"); accountCleanupNeeded = true; } } @@ -900,8 +898,8 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId, Account c List<? extends IpAddress> ipsToRelease = _ipAddressDao.listByAccount(accountId); for (IpAddress ip : ipsToRelease) { if (ip.isPortable()) { - s_logger.debug("Releasing portable ip " + ip + " as a part of account id=" + accountId + " cleanup"); - _ipAddrMgr.releasePortableIpAddress(ip.getId()); + s_logger.debug("Releasing portable ip " + ip + " as a part of account id=" + accountId + " cleanup"); + _ipAddrMgr.releasePortableIpAddress(ip.getId()); } } @@ -930,7 +928,7 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId, Account c // Delete ssh keypairs List<SSHKeyPairVO> sshkeypairs = _sshKeyPairDao.listKeyPairs(accountId, account.getDomainId()); - for (SSHKeyPairVO keypair: sshkeypairs) { + for (SSHKeyPairVO keypair : sshkeypairs) { _sshKeyPairDao.remove(keypair.getId()); } return true; @@ -994,9 +992,7 @@ private boolean doDisableAccount(long accountId) throws ConcurrentOperationExcep try { _itMgr.advanceStop(vm.getUuid(), false); } catch (OperationTimedoutException ote) { - s_logger.warn( - "Operation for stopping vm timed out, unable to stop vm " - + vm.getHostName(), ote); + s_logger.warn("Operation for stopping vm timed out, unable to stop vm " + vm.getHostName(), ote); success = false; } } catch (AgentUnavailableException aue) { @@ -1009,15 +1005,14 @@ private boolean doDisableAccount(long accountId) throws ConcurrentOperationExcep } @Override - @ActionEvents({ - @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), - @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") - }) + @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), + @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")}) public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, final String timezone, - String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details, String accountUUID, final String userUUID) { + String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details, String accountUUID, + final String userUUID) { - return createUserAccount(userName, password, firstName, lastName, email, timezone, accountName, accountType, roleId, domainId, networkDomain, details, accountUUID, userUUID, - User.Source.UNKNOWN); + return createUserAccount(userName, password, firstName, lastName, email, timezone, accountName, accountType, roleId, domainId, networkDomain, details, accountUUID, + userUUID, User.Source.UNKNOWN); } // /////////////////////////////////////////////////// @@ -1026,13 +1021,11 @@ public UserAccount createUserAccount(final String userName, final String passwor @Override @DB - @ActionEvents({ - @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), - @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") - }) - public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, - final String timezone, String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details, - String accountUUID, final String userUUID, final User.Source source) { + @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), + @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")}) + public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, final String timezone, + String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details, String accountUUID, + final String userUUID, final User.Source source) { if (accountName == null) { accountName = userName; @@ -1120,8 +1113,8 @@ public UserAccount createUserAccount(final String userName, final String passwor @Override @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") - public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, - String userUUID, User.Source source) { + public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID, + User.Source source) { // default domain to ROOT if not specified if (domainId == null) { domainId = Domain.ROOT_DOMAIN; @@ -1156,14 +1149,15 @@ public UserVO createUser(String userName, String password, String firstName, Str @Override @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, - String userUUID) { + String userUUID) { - return createUser(userName, password, firstName,lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN); + return createUser(userName, password, firstName, lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN); } @Override @ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = "updating User") - public UserAccount updateUser(Long userId, String firstName, String lastName, String email, String userName, String password, String apiKey, String secretKey, String timeZone) { + public UserAccount updateUser(Long userId, String firstName, String lastName, String email, String userName, String password, String apiKey, String secretKey, + String timeZone) { // Input validation UserVO user = _userDao.getUser(userId); @@ -1298,7 +1292,7 @@ public UserAccount updateUser(UpdateUserCmd cmd) { String timeZone = cmd.getTimezone(); String userName = cmd.getUsername(); - return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey, timeZone); + return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey, timeZone); } @Override @@ -1556,8 +1550,7 @@ public AccountVO lockAccount(String accountName, Long domainId, Long accountId) } if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) { - throw new InvalidParameterValueException("Unable to find active account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + - domainId); + throw new InvalidParameterValueException("Unable to find active account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + domainId); } if (account.getId() == Account.ACCOUNT_ID_SYSTEM) { @@ -1645,8 +1638,8 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) { // to // update // itself - throw new InvalidParameterValueException("There already exists an account with the name:" + newAccountName + " in the domain:" + domainId + - " with existing account id:" + duplicateAcccount.getId()); + throw new InvalidParameterValueException( + "There already exists an account with the name:" + newAccountName + " in the domain:" + domainId + " with existing account id:" + duplicateAcccount.getId()); } if (networkDomain != null && !networkDomain.isEmpty()) { @@ -1674,9 +1667,9 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) { public Boolean doInTransaction(TransactionStatus status) { boolean success = _accountDao.update(accountFinal.getId(), acctForUpdate); - if (details != null && success) { + if (details != null && success) { _accountDetailsDao.update(accountFinal.getId(), details); - } + } return success; } @@ -1919,8 +1912,8 @@ public void markUserRegistered(long userId) { @Override @DB - public AccountVO createAccount(final String accountName, final short accountType, final Long roleId, final Long domainId, final String networkDomain, final Map<String, String> details, - final String uuid) { + public AccountVO createAccount(final String accountName, final short accountType, final Long roleId, final Long domainId, final String networkDomain, + final Map<String, String> details, final String uuid) { // Validate domain Domain domain = _domainMgr.getDomain(domainId); if (domain == null) { @@ -1932,7 +1925,8 @@ public AccountVO createAccount(final String accountName, final short accountType } if ((domainId != Domain.ROOT_DOMAIN) && (accountType == Account.ACCOUNT_TYPE_ADMIN)) { - throw new InvalidParameterValueException("Invalid account type " + accountType + " given for an account in domain " + domainId + "; unable to create user of admin role type in non-ROOT domain."); + throw new InvalidParameterValueException( + "Invalid account type " + accountType + " given for an account in domain " + domainId + "; unable to create user of admin role type in non-ROOT domain."); } // Validate account/user/domain settings @@ -1964,37 +1958,37 @@ public AccountVO createAccount(final String accountName, final short accountType return Transaction.execute(new TransactionCallback<AccountVO>() { @Override public AccountVO doInTransaction(TransactionStatus status) { - AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid)); + AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid)); - if (account == null) { - throw new CloudRuntimeException("Failed to create account name " + accountName + " in domain id=" + domainId); - } + if (account == null) { + throw new CloudRuntimeException("Failed to create account name " + accountName + " in domain id=" + domainId); + } - Long accountId = account.getId(); + Long accountId = account.getId(); - if (details != null) { - _accountDetailsDao.persist(accountId, details); - } + if (details != null) { + _accountDetailsDao.persist(accountId, details); + } - // Create resource count records for the account - _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account); + // Create resource count records for the account + _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account); - // Create default security group - _networkGroupMgr.createDefaultSecurityGroup(accountId); + // Create default security group + _networkGroupMgr.createDefaultSecurityGroup(accountId); - return account; - } + return account; + } }); } protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID, - User.Source source) { + User.Source source) { if (s_logger.isDebugEnabled()) { s_logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone); } String encodedPassword = null; - for (UserAuthenticator authenticator : _userPasswordEncoders) { + for (UserAuthenticator authenticator : _userPasswordEncoders) { encodedPassword = authenticator.encode(password); if (encodedPassword != null) { break; @@ -2005,7 +1999,7 @@ protected UserVO createUser(long accountId, String userName, String password, St } if (userUUID == null) { - userUUID = UUID.randomUUID().toString(); + userUUID = UUID.randomUUID().toString(); } UserVO user = _userDao.persist(new UserVO(accountId, userName, encodedPassword, firstName, lastName, email, timezone, userUUID, source)); CallContext.current().putContextParameter(User.class, user.getUuid()); @@ -2135,8 +2129,8 @@ public UserAccount authenticateUser(String username, String password, Long domai s_logger.debug("User: " + username + " in domain " + domainId + " has successfully logged in"); } - ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, "user has logged in from IP Address " + - loginIpAddress); + ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, + "user has logged in from IP Address " + loginIpAddress); return user; } else { @@ -2155,10 +2149,10 @@ private UserAccount getUserAccount(String username, String password, Long domain boolean authenticated = false; HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthenticaion = new HashSet<ActionOnFailedAuthentication>(); - User.Source userSource = userAccount != null ? userAccount.getSource(): User.Source.UNKNOWN; + User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN; for (UserAuthenticator authenticator : _userAuthenticators) { - if(userSource != User.Source.UNKNOWN) { - if(!authenticator.getName().equalsIgnoreCase(userSource.name())){ + if (userSource != User.Source.UNKNOWN) { + if (!authenticator.getName().equalsIgnoreCase(userSource.name())) { continue; } } @@ -2182,12 +2176,12 @@ private UserAccount getUserAccount(String username, String password, Long domain } userAccount = _userAccountDao.getUserAccount(username, domainId); - if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || - !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) { + if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) { if (s_logger.isInfoEnabled()) { s_logger.info("User " + username + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)"); } - throw new CloudAuthenticationException("User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the administrator."); + throw new CloudAuthenticationException( + "User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the administrator."); } // Whenever the user is able to log in successfully, reset the login attempts to zero if (!isInternalAccount(userAccount.getId())) @@ -2231,17 +2225,17 @@ private UserAccount getUserAccount(String username, String password, Long domain } @Override - public Map<String, String> getKeys(GetUserKeysCmd cmd){ + public Map<String, String> getKeys(GetUserKeysCmd cmd) { final long userId = cmd.getID(); User user = getActiveUser(userId); - if(user==null){ + if (user == null) { throw new InvalidParameterValueException("Unable to find user by id"); } final ControlledEntity account = getAccount(getUserAccountById(userId).getAccountId()); //Extracting the Account from the userID of the requested user. checkAccess(CallContext.current().getCallingUser(), account); - Map <String, String> keys = new HashMap<String, String>(); + Map<String, String> keys = new HashMap<String, String>(); keys.put("apikey", user.getApiKey()); keys.put("secretkey", user.getSecretKey()); @@ -2277,8 +2271,8 @@ private UserAccount getUserAccount(String username, String password, Long domain Transaction.execute(new TransactionCallbackNoReturn() { @Override public void doInTransactionWithoutResult(TransactionStatus status) { - keys[0] = createUserApiKey(userId); - keys[1] = createUserSecretKey(userId); + keys[0] = createUserApiKey(userId); + keys[1] = createUserSecretKey(userId); } }); @@ -2359,18 +2353,16 @@ private String createUserSecretKey(long userId) { return null; } - - @Override - public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, - Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { if (sb.entity() instanceof IPAddressVO) { - sb.and("accountIdIN", ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN); - sb.and("domainId", ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ); + sb.and("accountIdIN", ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN); + sb.and("domainId", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ); } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.and("accountIdIN", ((ProjectInvitationVO) sb.entity()).getForAccountId(), SearchCriteria.Op.IN); - sb.and("domainId", ((ProjectInvitationVO) sb.entity()).getInDomainId(), SearchCriteria.Op.EQ); + sb.and("accountIdIN", ((ProjectInvitationVO)sb.entity()).getForAccountId(), SearchCriteria.Op.IN); + sb.and("domainId", ((ProjectInvitationVO)sb.entity()).getInDomainId(), SearchCriteria.Op.EQ); } else { sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ); @@ -2382,9 +2374,9 @@ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE); if (sb.entity() instanceof IPAddressVO) { - sb.join("domainSearch", domainSearch, ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("domainSearch", domainSearch, ((ProjectInvitationVO)sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else { sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); } @@ -2399,9 +2391,9 @@ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, } if (sb.entity() instanceof IPAddressVO) { - sb.join("accountSearch", accountSearch, ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("accountSearch", accountSearch, ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("accountSearch", accountSearch, ((ProjectInvitationVO)sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else { sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); } @@ -2409,8 +2401,8 @@ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, } @Override - public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, - Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { if (listProjectResourcesCriteria != null) { sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT); @@ -2472,6 +2464,11 @@ public void buildACLSearchParameters(Account caller, Long id, String accountName if (projectId.longValue() == -1) { if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId())); + + //permittedAccounts can be empty when the caller is not a part of any project (a domain account) + if (permittedAccounts.isEmpty()) { + permittedAccounts.add(caller.getId()); + } } else { domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly); } @@ -2516,10 +2513,9 @@ public void buildACLSearchParameters(Account caller, Long id, String accountName } - @Override - public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, - boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ); @@ -2540,10 +2536,9 @@ public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEnti } - @Override - public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc, - Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { if (listProjectResourcesCriteria != null) { sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT); } @@ -2561,13 +2556,11 @@ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEn } - @Override public UserAccount getUserByApiKey(String apiKey) { return _userAccountDao.getUserByApiKey(apiKey); } - @Override public List<String> listAclGroupsByAccount(Long accountId) { if (_querySelectors == null || _querySelectors.size() == 0) @@ -2594,8 +2587,8 @@ public Long finalyzeAccountId(final String accountName, final Long domainId, fin if (!enabledOnly || account.getState() == Account.State.enabled) { return account.getId(); } else { - throw new PermissionDeniedException("Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() + - " as it's no longer active"); + throw new PermissionDeniedException( + "Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() + " as it's no longer active"); } } else { // idList is not used anywhere, so removed it now @@ -2611,9 +2604,8 @@ public Long finalyzeAccountId(final String accountName, final Long domainId, fin if (!enabledOnly || project.getState() == Project.State.Active) { return project.getProjectAccountId(); } else { - final PermissionDeniedException ex = - new PermissionDeniedException("Can't add resources to the project with specified projectId in state=" + project.getState() + - " as it's no longer active"); + final PermissionDeniedException ex = new PermissionDeniedException( + "Can't add resources to the project with specified projectId in state=" + project.getState() + " as it's no longer active"); ex.addProxyObject(project.getUuid(), "projectId"); throw ex; } @@ -2630,8 +2622,7 @@ public UserAccount getUserAccountById(Long userId) { } @Override - public void checkAccess(Account account, ServiceOffering so) - throws PermissionDeniedException { + public void checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(account, so)) { if (s_logger.isDebugEnabled()) { @@ -2646,8 +2637,7 @@ public void checkAccess(Account account, ServiceOffering so) } @Override - public void checkAccess(Account account, DiskOffering dof) - throws PermissionDeniedException { + public void checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(account, dof)) { if (s_logger.isDebugEnabled()) { @@ -2662,11 +2652,10 @@ public void checkAccess(Account account, DiskOffering dof) } @Override - public void checkAccess(User user, ControlledEntity entity) - throws PermissionDeniedException { - for(SecurityChecker checker : _securityCheckers){ - if(checker.checkAccess(user,entity)){ - if(s_logger.isDebugEnabled()){ + public void checkAccess(User user, ControlledEntity entity) throws PermissionDeniedException { + for (SecurityChecker checker : _securityCheckers) { + if (checker.checkAccess(user, entity)) { + if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + user + "to " + entity + "by " + checker.getName()); } return; @@ -2682,6 +2671,6 @@ public String getConfigComponentName() { @Override public ConfigKey<?>[] getConfigKeys() { - return new ConfigKey<?>[]{UseSecretKeyInResponse}; + return new ConfigKey<?>[] {UseSecretKeyInResponse}; } } ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Listing VPCs with a domain account and project id -1 returns all the VPCs in > the syste > -------------------------------------------------------------------------------------- > > Key: CLOUDSTACK-10175 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10175 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Affects Versions: 4.10.0.0 > Reporter: Khosrow Moossavi > Fix For: Future > > -- This message was sent by Atlassian JIRA (v6.4.14#64029)