[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16038538#comment-16038538 ]

ASF subversion and git services commented on CLOUDSTACK-9099:

Commit 68d50fbfd86dae20ff1b78e7a054b0fdee2605d7 in cloudstack's branch refs/heads/master from [~rajanik]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=68d50fb ]

Merge pull request #1996 from Accelerite/secretkey

CLOUDSTACK-9099: SecretKey is returned from the APIs

> SecretKey is returned from the APIs
> -----------------------------------
>
>                 Key: CLOUDSTACK-9099
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9099
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>    Affects Versions: 4.9.0
>            Reporter: Kshitij Kansal
>            Assignee: Kshitij Kansal
>             Fix For: 4.10.0.0, 4.9.3.0
>
>
> The secretKey parameter is returned from the following APIs:
> createAccount
> createUser
> disableAccount
> disableUser
> enableAccount
> enableUser
> listAccounts
> listUsers
> lockAccount
> lockUser
> registerUserKeys
> updateAccount
> updateUser

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
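The list of affected APIs in the issue is what an operator needs to re-test after upgrading. The script below is an added example, not code from the CloudStack project or from PR #1996: it builds a signed CloudStack API request the way the public API documentation describes (add apikey, sort the parameters by name, URL-encode the values, lower-case the whole string, HMAC-SHA1 it with the secret key, base64-encode, URL-encode the signature) and scans a JSON reply for a `secretkey` field at any nesting depth, so one call per affected API shows whether the field is still returned. The sample replies are constructed, the key values are placeholders, and percent-encoding every non-alphanumeric character of a value is an assumption that has to match the server's decoding.

```python
"""Added example (not CloudStack project code): sign a CloudStack API request
and scan the JSON reply for leaked secret keys, to verify the CLOUDSTACK-9099
fix on listUsers, listAccounts and the other calls named in the issue."""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Iterator, List
from urllib.parse import quote

# Response field names that must not appear once the fix is in place.
# "secretkey" is the field the issue names; CloudStack JSON keys are lower case.
SENSITIVE_FIELDS = {"secretkey"}


def canonical_query(params: Dict[str, Any], api_key: str) -> str:
    """Parameter string the signature is computed over: apikey added,
    parameters sorted by name, values URL-encoded.  Assumption: every
    non-alphanumeric character in a value is percent-encoded."""
    full = dict(params)
    full["apikey"] = api_key
    return "&".join(
        f"{k}={quote(str(v), safe='')}"
        for k, v in sorted(full.items(), key=lambda kv: kv[0].lower())
    )


def compute_signature(params: Dict[str, Any], api_key: str, secret_key: str) -> str:
    """HMAC-SHA1 over the lower-cased canonical query, base64-encoded.  Lower-casing
    the whole string is part of the documented scheme, so "listUsers" and
    "listusers" produce the same signature."""
    message = canonical_query(params, api_key).lower().encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_url(base_url: str, params: Dict[str, Any], api_key: str, secret_key: str) -> str:
    """Full request URL: original-case canonical query plus the URL-encoded signature."""
    query = canonical_query(params, api_key)
    signature = compute_signature(params, api_key, secret_key)
    return f"{base_url}?{query}&signature={quote(signature, safe='')}"


def find_sensitive_fields(obj: Any, path: str = "") -> Iterator[str]:
    """Yield the JSON path of every sensitive field, descending into nested
    objects and arrays (listAccounts nests user objects inside each account)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_FIELDS:
                yield child
            yield from find_sensitive_fields(value, child)
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            yield from find_sensitive_fields(item, f"{path}[{index}]")


def leaked_fields(body: str) -> List[str]:
    """Parse a JSON response body; return paths of leaked fields (empty list = clean)."""
    return list(find_sensitive_fields(json.loads(body)))


# Constructed sample replies (not captured from a real management server).
LEAKY_LISTUSERS = json.dumps({
    "listusersresponse": {"count": 1, "user": [{
        "id": "c1a0d8e2-0000-4000-8000-000000000001",
        "username": "alice",
        "apikey": "EXAMPLEAPIKEY",
        "secretkey": "EXAMPLESECRETKEY",   # the leak the issue describes
    }]}
})
CLEAN_LISTACCOUNTS = json.dumps({
    "listaccountsresponse": {"count": 1, "account": [{
        "id": "7d3e4f10-0000-4000-8000-000000000002",
        "name": "alice-account",
        "user": [{"id": "c1a0d8e2-0000-4000-8000-000000000001",
                  "username": "alice", "apikey": "EXAMPLEAPIKEY"}],
    }]}
})

if __name__ == "__main__":
    for name, body in (("leaky listUsers", LEAKY_LISTUSERS),
                       ("clean listAccounts", CLEAN_LISTACCOUNTS)):
        print(name, "->", leaked_fields(body) or "no secret key in response")
    # Fetch a URL like this with any HTTP client and pass the body to leaked_fields().
    print(signed_url("http://localhost:8080/client/api",
                     {"command": "listUsers", "response": "json"},
                     "EXAMPLEAPIKEY", "EXAMPLESECRETKEY"))
```

Point `signed_url` at a management server's `/client/api`, fetch it, and pass the body to `leaked_fields`; a non-empty list means the secret key is still being returned. Run it as an ordinary user as well as an admin, and repeat for each command in the issue's list.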
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16038534#comment-16038534 ]

ASF subversion and git services commented on CLOUDSTACK-9099:

Commit 87cf33ac5cf7de1537f6b0c9cf752fd12a7a1e32 in cloudstack's branch refs/heads/master from Jayapal
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=87cf33a ]

CLOUDSTACK-9099: Added a separate API to apikey and secretkey
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15968620#comment-15968620 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jayapalu commented on the issue:

    https://github.com/apache/cloudstack/pull/1996

    In the Travis CI the tests are failing; it could be because of a timeout. But when I run some of the tests locally they pass. The same test, test_invalid_gw_nm, is failing in Travis CI.

    == my local xenserver setup test run ==
    nosetests-2.7 --with-marvin --marvin-config=/Users/jayapal_uradi/dev/advanced.cfg --with-xunit --xunit-file=/tmp/test/testslog /Users/jayapal_uradi/dev/github/cloudstack/test/integration/component/test_invalid_gw_nm.py --zone=zone1 --hypervisor=xenserver
    Marvin Init Started
    === Marvin Parse Config Successful ===
    === Marvin Setting TestData Successful ===
    Log Folder Path: /tmp//MarvinLogs//Apr_14_2017_10_30_49_WKRPUW. All logs will be available here
    === Marvin Init Logging Successful ===
    Marvin Init Successful
    === final results are now copied to: /tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU ===
    HSL007948:cloudstack jayapal_uradi$ vi /tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU/
    failed_plus_exceptions.txt  results.txt  runinfo.txt
    HSL007948:cloudstack jayapal_uradi$ vi /tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU/results.txt
    HSL007948:cloudstack jayapal_uradi$ cat /tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU/results.txt
    test_isolated_nw_invalid_gw (integration.component.test_invalid_gw_nm.TestIsolatedNetworkInvalidGw) ... === TestName: test_isolated_nw_invalid_gw | Status : SUCCESS === ok

    ----------------------------------------------------------------------
    Ran 1 test in 5.837s

    OK
    == End of my local setup test run ==

    https://travis-ci.org/apache/cloudstack/jobs/221647779

    The command ./tools/travis/script.sh component/test_cpu_max_limits component/test_cpu_project_limits component/test_deploy_vm_userdata_multi_nic component/test_egress_fw_rules component/test_invalid_gw_nm component/test_ip_reservation component/test_lb_secondary_ip exited with 1

    | ContextSuite context=TestIsolatedNetworkInvalidGw>:setup | exceptions.TypeError | 0 | test_invalid_gw_nm |
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965800#comment-15965800 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jayapalu commented on the issue:

    https://github.com/apache/cloudstack/pull/1996

    @koushik-das I have updated for your review comments.
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965487#comment-15965487 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user koushik-das commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1996#discussion_r111075076

--- Diff: api/src/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java ---
@@ -0,0 +1,76 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.cloudstack.api.command.admin.user; + + +import com.cloud.user.Account; +import com.cloud.user.User; +import org.apache.cloudstack.acl.RoleType; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.response.RegisterResponse; +import org.apache.cloudstack.api.response.UserResponse; + +import java.util.List; +import java.util.logging.Logger; + +@APICommand(name = "getUserKeys", +description = "This command allows the user to query the seceret and API keys for the account", +responseObject = RegisterResponse.class, +requestHasSensitiveInfo = false, +responseHasSensitiveInfo = true, +authorized = {RoleType.User}) --- End diff --

    Can you add the 'since' parameter?
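Review bot: the `description` string in the `@APICommand` hunk misspells "secret" as "seceret"; that text is what the generated API reference shows, so correct it before merge (`description = "This command allows the user to query the secret and API keys for the account"`). Two smaller points on the same hunk: the class is placed in `org.apache.cloudstack.api.command.admin.user` while `authorized = {RoleType.User}` opens the call to ordinary users, so either move it to the user command package or say in the description that any user may call it for their own account; and the hunk imports `java.util.logging.Logger`, which should be the same Logger class the other command classes in this module use rather than a second logging framework.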
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965488#comment-15965488 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user koushik-das commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1996#discussion_r111075302

--- Diff: api/src/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java ---
@@ -0,0 +1,76 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.cloudstack.api.command.admin.user; + + +import com.cloud.user.Account; +import com.cloud.user.User; +import org.apache.cloudstack.acl.RoleType; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.response.RegisterResponse; +import org.apache.cloudstack.api.response.UserResponse; + +import java.util.List; +import java.util.logging.Logger; + +@APICommand(name = "getUserKeys", +description = "This command allows the user to query the seceret and API keys for the account", +responseObject = RegisterResponse.class, +requestHasSensitiveInfo = false, +responseHasSensitiveInfo = true, +authorized = {RoleType.User}) + +public class GetUserKeysCmd extends BaseCmd{ + +@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "ID of the user whose keys are required") +private Long id; + +public static final Logger s_logger = Logger.getLogger(RegisterCmd.class.getName()); +public static final String s_name = 
"getuserkeysresponse"; + +public Long getID(){ +return id; +} + +public String getCommandName(){ +return s_name; +} + +public long getEntityOwnerId(){ +User user = _entityMgr.findById(User.class, getID()); +if(user != null){ +return user.getAccountId(); +} +else return Account.ACCOUNT_ID_SYSTEM; +} +public void execute(){ +List keys = _accountService.getKeys(this); +RegisterResponse response = new RegisterResponse(); +if(keys != null){ +response.setApiKey(keys.get(0)); +response.setSecretKey(keys.get(1)); +} + +response.setObjectName("listkeys"); --- End diff --

    Should this be 'userKeys'?
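Review bot: `getEntityOwnerId()` falls back to `Account.ACCOUNT_ID_SYSTEM` when the given user id does not resolve, so the API layer's ownership check is evaluated against the system account instead of the request being rejected as malformed; throw an `InvalidParameterValueException` for an unknown id so the caller gets a clear error and the access check never silently targets the system account. In `execute()`, `keys.get(0)` and `keys.get(1)` are read with only a null check, so a `getKeys()` implementation that returns an empty list (which is what the mock further down this thread is asked to return) throws `IndexOutOfBoundsException`; check `keys.size() == 2` or return a typed holder rather than a positional list. Also, `s_logger` is created from `RegisterCmd.class.getName()` rather than `GetUserKeysCmd.class`, so log lines from this command will be attributed to the wrong class.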
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965486#comment-15965486 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user koushik-das commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1996#discussion_r111078382

--- Diff: server/src/com/cloud/api/ApiDBUtils.java --- @@ -559,6 +561,8 @@ @Inject private VpcManager vpcMgr; @Inject +private AccountManager accountManager; --- End diff --

    Why is there a need to inject AccountManager? If the config key is static it can be accessed as AccountManager.
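Review bot: the `@Inject private AccountManager accountManager;` field is not needed to read a `public static final ConfigKey` declared on the `AccountManager` interface (see the `server/src/com/cloud/user/AccountManager.java` hunk further down this thread); reference `AccountManager.UseSecretKeyInResponse.value()` directly and drop the injection, which keeps `ApiDBUtils` from picking up another bean dependency for a single boolean lookup.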
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15960396#comment-15960396 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user rhtyd commented on the issue:

    https://github.com/apache/cloudstack/pull/1996

    @jayapalu can you push -f to kick Travis?
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15960384#comment-15960384 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jayapalu commented on the issue:

    https://github.com/apache/cloudstack/pull/1996

    It seems there is an issue in CI, due to which the tests are failing.
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15956349#comment-15956349 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kishankavala commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1996#discussion_r109835294

--- Diff: server/src/com/cloud/user/AccountManager.java --- @@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event"; public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event"; +public static final ConfigKey UseSecretKeyInResponse = new ConfigKey( +"Advanced", +Boolean.class, +"use.secret.key.in.response", +"true", --- End diff --

    As per discussion in PR #1152, the default value should be false. Any failing tests due to this change have to be fixed.
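Review bot: the `"true"` default for `use.secret.key.in.response` means every fresh install keeps returning secret keys from listUsers, listAccounts and the other calls named in the issue until an operator finds and flips the key, so the fix is inert by default; ship `"false"` and have the few tests that genuinely need the key set it explicitly (or fetch keys through the new getUserKeys call), which is the outcome the thread already converged on.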
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15954666#comment-15954666 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jayapalu commented on the issue:

    https://github.com/apache/cloudstack/pull/1996

    @rhtyd Once this PR has got the LGTMs, I can rebase it on 4.9. Can you please review this PR?
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15944724#comment-15944724 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user rhtyd commented on the issue:

    https://github.com/apache/cloudstack/pull/1996

    @jayapalu this is a useful security fix for 4.9 as well, can you please rebase against the 4.9 branch and edit the base branch of the PR to 4.9?
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15902776#comment-15902776 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

GitHub user jayapalu opened a pull request:

    https://github.com/apache/cloudstack/pull/1996

    CLOUDSTACK-9099: SecretKey is returned from the APIs

    This PR closes the PR #1152

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Accelerite/cloudstack secretkey

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1996.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1996
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274111#comment-15274111 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jburwell commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1152#discussion_r62337172

--- Diff: server/test/com/cloud/user/MockAccountManagerImpl.java --- @@ -401,5 +403,24 @@ public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, return null; } +@Override +public List getKeys(GetUserKeysCmd cmd) { +return null; +} + +@Override +public void checkAccess(User user, ControlledEntity entity) +throws PermissionDeniedException { + +} +@Override +public String getConfigComponentName() { +return null; +} + +@Override +public ConfigKey[] getConfigKeys() { +return null; --- End diff --

    Please return an empty array to avoid NPEs.
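Review bot: the three `return null` overrides in this hunk (`getKeys`, `getConfigComponentName`, `getConfigKeys`) will surface as NullPointerExceptions in any test that iterates or concatenates the result; return `Collections.emptyList()`, `""` and `new ConfigKey[0]` respectively. The empty-bodied `checkAccess(User, ControlledEntity)` override also deserves a one-line comment saying it intentionally grants every access, because a test that relies on this mock to enforce authorization is not exercising the check at all.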
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274108#comment-15274108 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jburwell commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1152#discussion_r62337077

--- Diff: server/test/com/cloud/user/MockAccountManagerImpl.java --- @@ -401,5 +403,24 @@ public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, return null; } +@Override +public List getKeys(GetUserKeysCmd cmd) { +return null; --- End diff --

    Please return a ``Collections.emptyList()`` to avoid NPEs.
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274109#comment-15274109 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jburwell commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1152#discussion_r62337130

--- Diff: server/test/com/cloud/user/MockAccountManagerImpl.java --- @@ -401,5 +403,24 @@ public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, return null; } +@Override +public List getKeys(GetUserKeysCmd cmd) { +return null; +} + +@Override +public void checkAccess(User user, ControlledEntity entity) +throws PermissionDeniedException { + +} +@Override +public String getConfigComponentName() { +return null; --- End diff --

    Please return a blank string to avoid NPEs.
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274102#comment-15274102 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jburwell commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1152#discussion_r62336941

--- Diff: server/src/com/cloud/user/AccountManager.java --- @@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event"; public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event"; +public static final ConfigKey UseSecretKeyInResponse = new ConfigKey( +"Advanced", +Boolean.class, +"use.secret.key.in.response", +"true", --- End diff --

    @kansal I agree with @DaanHoogland and @remibergsma -- it's about reasonable and secure defaults. We should not configure a management server insecurely by default.
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274101#comment-15274101 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jburwell commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1152#discussion_r62336714

--- Diff: api/src/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java ---
@@ -0,0 +1,74 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.cloudstack.api.command.admin.user; + + +import com.cloud.user.Account; +import com.cloud.user.User; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.response.RegisterResponse; +import org.apache.cloudstack.api.response.UserResponse; + +import java.util.List; +import java.util.logging.Logger; + +@APICommand(name = "getUserKeys", +description = "This command allows the user to query the seceret and API keys for the account", +responseObject = RegisterResponse.class, +requestHasSensitiveInfo = false, +responseHasSensitiveInfo = true) --- End diff --

    Please add the version annotation to indicate that this command was added for 4.9.
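Review bot: this revision of the `@APICommand` annotation declares no `authorized` roles, so which callers may invoke getUserKeys is left to whatever the role checkers fall back to for an unlisted command; state it explicitly (the later revision in PR #1996 adds `authorized = {RoleType.User}`) and, as requested above, add the `since` attribute so the API reference records the release that introduced it. `responseHasSensitiveInfo = true` is the right setting here, since the whole point of the response is the secret key.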
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15266461#comment-15266461 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request:

    https://github.com/apache/cloudstack/pull/1152#issuecomment-216217062

    @DaanHoogland sure. Will rebase and keep the default value to false.
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15266455#comment-15266455 ]

ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on the pull request:

    https://github.com/apache/cloudstack/pull/1152#issuecomment-216215437

    @kansal please go ahead and remove the key from the response. We'll test run it and add fixes to tests if needed.
    (cc @rhtyd my last comment is still valid)
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15266416#comment-15266416 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user rhtyd commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-216206238

@kansal can you rebase against latest master and share the state of your PR, thanks. @DaanHoogland @jburwell do we still have outstanding issues on the PR; do we want this or not? thanks

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15215887#comment-15215887 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-202852425

@kansal as the complexity is unknown I would just go ahead and update the PR. We'll see the damage and think of fixes as we go. As for setting the value to true for existing tests, fine, as long as the default is false. The fix (setting it to true for some test cases) is trivial and will probably not be needed very often. Who is going to check a response for a private key unless they really need it?

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15215879#comment-15215879 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-202844861

@DaanHoogland I am not sure of the amount of work that needs to be done for fixing all the existing test cases. Will revisit this and update. I still personally think that going with the optional parameter presently and assuming (and making sure) that the new test cases are written in compliance with this API will be a good way to go forward. Your views? PS: I am still not very versed with the test case suites. Will check and revisit this.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15215807#comment-15215807 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-202822605

@kansal did you get to this yet?

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080649#comment-15080649 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jburwell commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-168570237

@DaanHoogland I completely agree with you regarding exposing credential information. The best practice when credentials are lost is to require that they be changed. This approach makes the access to the sensitive information obvious to all users -- making it impossible for an attacker to hide such a breach. In the past, we have removed sensitive data from existing API responses. For example, for CVE-2015-3251, we removed exposure of KVM credentials from the [listHosts call](https://github.com/apache/cloudstack/pull/682). Therefore, as a project, we have previously determined that security should trump API backwards compatibility. It should most certainly be prioritized over making the task of integration testing easier.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080700#comment-15080700 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-168581991

cc @DaanHoogland @jburwell Okay. Agreed with that. So I am setting the default value to false, but for running tests and maybe some other existing integration we will have to set that value to true. Is that fine? Of course we need to fix the existing test cases so that maybe from the next release we can get away with this thing completely?

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080702#comment-15080702 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r48704472

--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event"; public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event"; +public static final ConfigKey UseSecretKeyInResponse = new ConfigKey( +"Advanced", +Boolean.class, +"use.secret.key.in.response", +"true",
--- End diff --

@remibergsma It is a part of global config and the admin can change it.

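Review bot: the default of "true" for use.secret.key.in.response in the added ConfigKey means every deployment that upgrades keeps returning the secret key until an administrator discovers and flips a global setting, so the fix is effectively opt-in; make the default "false", have the regression tests that still depend on the legacy behaviour enable it explicitly in their setup, and call the setting out in the upgrade notes so operators know it exists. The hunk as quoted stops at the default value, so the setting's description and scope are not visible here; the description should state plainly that enabling it exposes secret keys in API responses, since that is what an admin will read before turning it on.
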
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080496#comment-15080496 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-168527559

@kansal I don't agree that making noise first is the way to go. We should disable the return of the key first and document it. Security demands that we play it that way. We can allow users to enable this insecure behaviour by setting a flag somewhere but it should not be default and catch the unaware users off guard. It will be work in the integration tests but that just will have to happen.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080506#comment-15080506 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user remibergsma commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r48695937

--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event"; public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event"; +public static final ConfigKey UseSecretKeyInResponse = new ConfigKey( +"Advanced", +Boolean.class, +"use.secret.key.in.response", +"true",
--- End diff --

Agree with @DaanHoogland, it is easy enough to enable again should people need it. Is this setting available to the user or does it need to be added to the database as well?

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15076260#comment-15076260 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-168295517

@DaanHoogland Agreed with that point. But it's not only about the testing. I'm sure many people will be using it in their own integration. I think we should not change the response immediately like this without informing or making a noise about it. And it is because of this concern only that I added a flag for enabling/disabling the secret key in the response.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15075956#comment-15075956 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-168200764

@kansal when you say 'I have deprecated that as many regressions were using the secret key from those APIs for authentication', I think we should adjust those regression tests to set the setting to true. Let's not make concessions to security for the sake of testing.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15075955#comment-15075955 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r48657695

--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event"; public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event"; +public static final ConfigKey UseSecretKeyInResponse = new ConfigKey( +"Advanced", +Boolean.class, +"use.secret.key.in.response", +"true",
--- End diff --

Default should be false! This is a security issue.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15061916#comment-15061916 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-165426036

Have updated this PR. Instead of directly removing the secret key from the response, I have deprecated that as many regressions were using the secret key from those APIs for authentication. Maybe from the next major release we can remove that. @DaanHoogland marvin test cases on the way!!!

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15050404#comment-15050404 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-163539799

@DaanHoogland Sure, will try. Will take some time as I have to go through the documentation first.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046817#comment-15046817 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-162869020

@kansal looks good, but for a change like this I would like a marvin test to prove it and guarantee its continued functioning/functionality. Do you see a chance to add that?

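An offline stand-in for the Marvin test requested above, added here as an example and not code from PR #1152 or the CloudStack test suite: it walks constructed sample responses for the APIs the issue names and flags any non-empty secretkey field, honouring the use.secret.key.in.response opt-in discussed in the thread. The response layouts and all key values are constructed placeholders, and listUserKeys is taken as the sanctioned channel for the key.

```python
"""Offline check that account/user API responses no longer carry secretkey.

Added example in the spirit of the Marvin test requested in the thread; not
code from PR #1152 or the CloudStack test suite. Every response below is a
constructed sample with placeholder values, not real credentials.
"""
import json

# The APIs the issue description names as returning secretKey.
AFFECTED_APIS = frozenset({
    "createAccount", "createUser", "disableAccount", "disableUser",
    "enableAccount", "enableUser", "listAccounts", "listUsers",
    "lockAccount", "lockUser", "registerUserKeys", "updateAccount",
    "updateUser",
})

# Field names that must not appear in an affected response (compared
# case-insensitively; CloudStack emits lower-case JSON field names).
SENSITIVE_FIELDS = frozenset({"secretkey"})


def find_sensitive_paths(node, path="$"):
    """Walk a decoded JSON response and return JSONPath-like locations of
    every non-empty sensitive field, at any depth. Depth matters: listAccounts
    nests its users one level below the account object. A field deprecated
    to an empty value is not reported, since nothing is disclosed."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_FIELDS and value not in (None, ""):
                hits.append(child)
            hits.extend(find_sensitive_paths(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_paths(item, f"{path}[{index}]"))
    return hits


def check_response(api_name, raw_json, use_secret_key_in_response=False):
    """Return (ok, findings) for one API response.

    Mirrors the global setting discussed in the PR: with it off (the default
    the reviewers asked for) a secretkey anywhere in an affected response is
    a finding; with it on, the legacy behaviour is allowed. APIs outside the
    issue's list, such as the dedicated listUserKeys call, are the sanctioned
    channel for the key and are not checked."""
    if api_name not in AFFECTED_APIS or use_secret_key_in_response:
        return True, []
    findings = find_sensitive_paths(json.loads(raw_json))
    return not findings, findings


def _user(secret=None):
    """Constructed user object with placeholder values."""
    user = {"id": "00000000-0000-0000-0000-000000000001", "username": "alice",
            "apikey": "APIKEY-PLACEHOLDER"}
    if secret is not None:
        user["secretkey"] = secret
    return user


# listUsers as the issue describes it, and the same call after the fix
# (apikey alone is not secret and stays; only secretkey must go).
LEGACY_LIST_USERS = json.dumps(
    {"listusersresponse": {"count": 1, "user": [_user("SECRETKEY-PLACEHOLDER")]}})
FIXED_LIST_USERS = json.dumps(
    {"listusersresponse": {"count": 1, "user": [_user()]}})
# listAccounts nests users inside the account, so a top-level check misses it.
LEGACY_LIST_ACCOUNTS = json.dumps({"listaccountsresponse": {"count": 1, "account": [
    {"id": "00000000-0000-0000-0000-00000000000a", "name": "admin",
     "user": [_user("SECRETKEY-PLACEHOLDER")]}]}})
# The dedicated key API: response name from the PR's ListKeysCmd (s_name);
# the inner shape is constructed, not the project's real response layout.
LIST_USER_KEYS = json.dumps(
    {"listuserkeysresponse": {"userkeys": _user("SECRETKEY-PLACEHOLDER")}})


def run_checks():
    """Run the constructed samples through check_response and return
    sample name -> (ok, findings) so a caller can assert on the results."""
    return {
        "legacy_listUsers": check_response("listUsers", LEGACY_LIST_USERS),
        "fixed_listUsers": check_response("listUsers", FIXED_LIST_USERS),
        "legacy_listAccounts": check_response("listAccounts", LEGACY_LIST_ACCOUNTS),
        "legacy_opt_in": check_response("listUsers", LEGACY_LIST_USERS,
                                        use_secret_key_in_response=True),
        "listUserKeys": check_response("listUserKeys", LIST_USER_KEYS),
    }


if __name__ == "__main__":
    for name, (ok, findings) in run_checks().items():
        print(f"{name:20s} {'OK  ' if ok else 'LEAK'} {findings}")
```

Against a live management server the same check_response call can be pointed at the raw JSON returned by each affected API, which is the assertion a Marvin test for this change would make.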
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046815#comment-15046815 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r46947731

--- Diff: api/src/org/apache/cloudstack/api/command/admin/user/ListKeysCmd.java ---
@@ -0,0 +1,74 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.cloudstack.api.command.admin.user; + + +import com.cloud.user.Account; +import com.cloud.user.User; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.response.RegisterResponse; +import org.apache.cloudstack.api.response.UserResponse; + +import java.util.List; +import java.util.logging.Logger; + +@APICommand(name = "listUserKeys", +description = "This command allows the user to query the seceret and API keys for the account", +responseObject = RegisterResponse.class, +requestHasSensitiveInfo = false, +responseHasSensitiveInfo = true) + +public class ListKeysCmd extends BaseCmd{ + +@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "ID of the user whose keys are required") +private Long id; + +public static final Logger s_logger = Logger.getLogger(RegisterCmd.class.getName()); +public static final String s_name = "listuserkeysresponse";
--- End diff --

same here

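Review bot: the logger in the added ListKeysCmd is created with RegisterCmd.class.getName(), so anything this command logs is attributed to RegisterCmd; use ListKeysCmd.class (and the LOGGER naming convention already raised). In the same hunk the @APICommand description misspells "secret" as "seceret", and the imports of com.cloud.user.Account, com.cloud.user.User and java.util.List are not used in the part of the file shown. Because responseHasSensitiveInfo is true and the only parameter is the target user's id, the authorization check that restricts a caller to users it is allowed to administer should be explicit in the command's execute path and exercised by the permission-denied test described later in this thread.
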
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046814#comment-15046814 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r46947711

--- Diff: api/src/org/apache/cloudstack/api/command/admin/user/ListKeysCmd.java ---
@@ -0,0 +1,74 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.cloudstack.api.command.admin.user; + + +import com.cloud.user.Account; +import com.cloud.user.User; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.response.RegisterResponse; +import org.apache.cloudstack.api.response.UserResponse; + +import java.util.List; +import java.util.logging.Logger; + +@APICommand(name = "listUserKeys", +description = "This command allows the user to query the seceret and API keys for the account", +responseObject = RegisterResponse.class, +requestHasSensitiveInfo = false, +responseHasSensitiveInfo = true) + +public class ListKeysCmd extends BaseCmd{ + +@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "ID of the user whose keys are required") +private Long id; + +public static final Logger s_logger = Logger.getLogger(RegisterCmd.class.getName());
--- End diff --

How about using LOGGER as a name for this static final? It would be more in line with standards.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046810#comment-15046810 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-162867278

@jburwell @DaanHoogland @kishankavala Have included some changes related to the UI. Now after generating the keys from the UI, after the ListUserCmd() API, listKeysCmd() will be called to fill in the secret key as I have removed it from the response value of the other APIs. Also added a test in which a normal user tries to call listKeysCmd() for the admin account and hence gets a permission denied exception.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044104#comment-15044104 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-162342597

@kansal looking forward to your update. Your intended change makes sense.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044102#comment-15044102 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user DaanHoogland commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r46775072

--- Diff: api/src/com/cloud/user/AccountService.java ---
@@ -136,4 +140,6 @@ void checkAccess(Account account, AccessType accessType, boolean sameOwner, Stri */ UserAccount getUserAccountById(Long userId); +public String[] getKeys(ListKeysCmd cmd);
--- End diff --

I agree with @jburwell

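Review bot: the added getKeys(ListKeysCmd cmd) returns a bare String[], so every caller has to know by position which element is the API key and which is the secret key, and a swapped pair is not something the compiler can catch; a small typed holder with named accessors (or the existing UserAccount, if it already exposes the two keys by name) would be safer than either an array or a List. The public modifier is redundant on an interface method, and the method has no Javadoc even though the neighbouring getUserAccountById carries one; the comment should say who is permitted to call it and that the result contains a secret that must not be logged or echoed into other responses.
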
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15041454#comment-15041454 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user kansal commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-161944643

@jburwell Sure!! Will look into these. Adding the test cases and some UI changes for this to work. Will update the PR.

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15039749#comment-15039749 ] ASF GitHub Bot commented on CLOUDSTACK-9099:

Github user jburwell commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r46649508

--- Diff: api/src/com/cloud/user/AccountService.java ---
@@ -136,4 +140,6 @@ void checkAccess(Account account, AccessType accessType, boolean sameOwner, Stri */ UserAccount getUserAccountById(Long userId); +public String[] getKeys(ListKeysCmd cmd);
--- End diff --

Why is the return type defined as an array and not a ``List``?

[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15039748#comment-15039748 ] ASF GitHub Bot commented on CLOUDSTACK-9099: Github user jburwell commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1152#discussion_r46649429 --- Diff: api/src/org/apache/cloudstack/api/command/admin/user/ListKeysCmd.java --- 
@@ -0,0 +1,72 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.cloudstack.api.command.admin.user; + + +import com.cloud.user.Account; +import com.cloud.user.User; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.response.RegisterResponse; +import org.apache.cloudstack.api.response.UserResponse; + +import java.util.logging.Logger; + +@APICommand(name = "listUserKeys", +description = "This command allows the user to query the seceret and API keys for the account", +responseObject = RegisterResponse.class, +requestHasSensitiveInfo = false, +responseHasSensitiveInfo = true) + +public class ListKeysCmd extends BaseCmd{ + +@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "ID of the user whose keys are required") +private Long id; + +public static final Logger s_logger = Logger.getLogger(RegisterCmd.class.getName()); +public static final String s_name = "listuserkeysresponse"; + +public Long getID(){ +return id; +} + +public String getCommandName(){ +return 
s_name; +} + +public long getEntityOwnerId(){ +User user = _entityMgr.findById(User.class, getID()); +if(user != null){ +return user.getAccountId(); +} +else return Account.ACCOUNT_ID_SYSTEM; +} +public void execute(){ +String[] keys = _accountService.getKeys(this); +RegisterResponse response = new RegisterResponse(); +if(keys != null){ --- End diff -- Add a check before setting the keys to check that ``keys`` has a length = 2 to avoid an ``ArrayIndexOutOfBoundsException``. If the length is not equal to 2, throw an ``IllegalStateException``.
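Review bot: nothing visible in `execute()` checks that the caller is allowed to read the keys of the user named by `id`: `getEntityOwnerId()` only tells the ACL layer which account owns the target user (falling back to `Account.ACCOUNT_ID_SYSTEM` when the id is unknown), and `execute()` then passes `this` straight to `_accountService.getKeys(this)`. Unless `getKeys()` itself calls `checkAccess` on that account, any caller who can guess or enumerate a user UUID reads that user's secret key, which is the same disclosure this PR sets out to close. Make the access check explicit in `getKeys()` or here before the call, and add a test where a non-admin requests a user from another account. In the same hunk, `Logger.getLogger(RegisterCmd.class.getName())` names `RegisterCmd` rather than `ListKeysCmd` (and imports `java.util.logging.Logger`), the `@APICommand` description misspells "secret" as "seceret", and the `else return Account.ACCOUNT_ID_SYSTEM;` branch silently attributes a request for a non-existent user to the system account where an invalid-parameter exception would be clearer.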
[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15035740#comment-15035740 ] ASF GitHub Bot commented on CLOUDSTACK-9099: GitHub user kansal opened a pull request: https://github.com/apache/cloudstack/pull/1152
CLOUDSTACK-9099: SecretKey is returned from the APIs - Fixed
The current implementation of User and account management API (in general) returns the secret key as a user or account response.
Fix: Added a new API to explicitly return the secretKey and removed it from the user and account response.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/kansal/cloudstack CLOUDSTACK-9099
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/1152.patch
To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:
This closes #1152
commit 410045a97a75fd1e43972c66bc4882a30a5098bf
Author: Kshitij Kansal
Date: 2015-12-02T10:43:45Z
CLOUDSTACK-9099: SecretKey is returned from the APIs - Fixed
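A regression check of the kind the author says the PR is adding, written here as an added Python example for this page rather than code from CloudStack or its Marvin test suite. It walks constructed API responses in the usual CloudStack JSON layout and reports every `secretkey` that appears outside the dedicated key-retrieval response, so each command the issue lists (listUsers, updateAccount and the rest) can be checked the same way. The response layout, the sample documents, the `userkeys` inner object and the treatment of registerUserKeys as a permitted carrier of the key are assumptions. `sign_request()` follows the request-signing scheme described in CloudStack's API documentation and is included only to show that the leaked value is the credential that signs every API request for that user.

```python
"""Check CloudStack-style API responses for a leaked secret key.

Added example for this page, not CloudStack's own code or Marvin tests.
It assumes the usual CloudStack JSON layout of one top-level
"<command>response" object wrapping an entity or a list of entities;
every response document below is constructed for the demonstration.
"""
import base64
import hashlib
import hmac
from typing import Any, Iterator
from urllib.parse import quote

# Commands the issue lists as returning secretkey before the fix.
AFFECTED_COMMANDS = [
    "createAccount", "createUser", "disableAccount", "disableUser",
    "enableAccount", "enableUser", "listAccounts", "listUsers",
    "lockAccount", "lockUser", "registerUserKeys", "updateAccount",
    "updateUser",
]

# Response wrappers that may legitimately carry the secret key after the
# fix. "listuserkeysresponse" is the s_name declared by the new
# ListKeysCmd; allowing registerUserKeys as well is an assumption, since
# it hands a freshly generated pair back to the caller who asked for it.
ALLOWED_SECRET_WRAPPERS = {"listuserkeysresponse", "registeruserkeysresponse"}

SENSITIVE_FIELDS = {"secretkey"}


def response_wrapper(command: str) -> str:
    """CloudStack names the JSON wrapper '<command>response', lowercased."""
    return command.lower() + "response"


def find_sensitive(node: Any, path: str = "") -> Iterator[str]:
    """Yield the JSON path of every key whose name is in SENSITIVE_FIELDS."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_FIELDS:
                yield child
            yield from find_sensitive(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_sensitive(value, f"{path}[{index}]")


def leaked_paths(response: dict) -> list[str]:
    """Paths of secret keys found outside an allowed wrapper; [] when clean."""
    leaks: list[str] = []
    for wrapper, body in response.items():
        if wrapper.lower() in ALLOWED_SECRET_WRAPPERS:
            continue
        leaks.extend(find_sensitive(body, wrapper))
    return leaks


def audit(responses: dict) -> dict:
    """Map each command name to the leaks in its response, omitting clean ones."""
    report = {}
    for command, response in responses.items():
        leaks = leaked_paths(response)
        if leaks:
            report[command] = leaks
    return report


def sign_request(params: dict, secret_key: str) -> str:
    """CloudStack API request signature, to show what a leaked key buys.

    Per the CloudStack API documentation: URL-encode each value, sort the
    pairs by name, lowercase the whole string, HMAC-SHA1 it with the
    secret key and base64-encode the digest. Anyone holding the secret
    key can therefore forge correctly signed requests for that user.
    """
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in ordered)
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    return base64.b64encode(digest.digest()).decode()


# Constructed sample responses (all identifiers and key values are fake):
# the pre-fix listUsers reply that leaks the key, the same reply after the
# fix, and the dedicated key-retrieval reply where the key is expected.
USER = {"id": "4d5c1e2a-0000-0000-0000-000000000001", "username": "alice",
        "account": "acme", "apikey": "EXAMPLE-API-KEY"}
PRE_FIX_LIST_USERS = {response_wrapper("listUsers"):
                      {"count": 1, "user": [dict(USER, secretkey="EXAMPLE-SECRET")]}}
POST_FIX_LIST_USERS = {response_wrapper("listUsers"): {"count": 1, "user": [USER]}}
LIST_USER_KEYS = {"listuserkeysresponse":
                  {"userkeys": {"apikey": "EXAMPLE-API-KEY", "secretkey": "EXAMPLE-SECRET"}}}

if __name__ == "__main__":
    for command, leaks in audit({"listUsers": PRE_FIX_LIST_USERS,
                                 "listUserKeys": LIST_USER_KEYS}).items():
        print(f"{command}: secret key leaked at {', '.join(leaks)}")
```

Against a live deployment the same `leaked_paths()` would be run over the JSON returned by each command in `AFFECTED_COMMANDS`; the scanner matches on field name recursively rather than on a fixed path, so it also catches the key if it reappears nested inside an account or project entity.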