You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ro...@apache.org on 2017/12/28 09:17:18 UTC
[cloudstack] branch master updated: CLOUDSTACK-10175: Prevent VPC
list leakage if project=-1 specified on API (#2352)
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/master by this push:
new 2ab5ab1 CLOUDSTACK-10175: Prevent VPC list leakage if project=-1 specified on API (#2352)
2ab5ab1 is described below
commit 2ab5ab1c90191307e2b8a9576aad91670e2ac09c
Author: Khosrow Moossavi <37...@users.noreply.github.com>
AuthorDate: Thu Dec 28 04:17:13 2017 -0500
CLOUDSTACK-10175: Prevent VPC list leakage if project=-1 specified on API (#2352)
This PR fixes the issue in which there's a leak when doing API call for listing VPC with domain account and projectId=-1.
Note for reviewers: The code formatting changed so many lines in the commit but the actual change is in line 2467-2471.
---
server/src/com/cloud/user/AccountManagerImpl.java | 313 +++++++++++-----------
1 file changed, 151 insertions(+), 162 deletions(-)
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index e320947..294bc6e 100644
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -16,6 +16,54 @@
// under the License.
package com.cloud.user;
+import java.net.InetAddress;
+import java.net.URLEncoder;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.QuerySelector;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.affinity.AffinityGroup;
+import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
+import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
+import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.framework.messagebus.MessageBus;
+import org.apache.cloudstack.framework.messagebus.PublishScope;
+import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
+import org.apache.cloudstack.utils.baremetal.BaremetalUtils;
+
import com.cloud.api.ApiDBUtils;
import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.configuration.Config;
@@ -123,53 +171,6 @@ import com.cloud.vm.snapshot.VMSnapshot;
import com.cloud.vm.snapshot.VMSnapshotManager;
import com.cloud.vm.snapshot.VMSnapshotVO;
import com.cloud.vm.snapshot.dao.VMSnapshotDao;
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.acl.QuerySelector;
-import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.affinity.AffinityGroup;
-import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
-import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
-import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
-import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
-import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.cloudstack.framework.messagebus.MessageBus;
-import org.apache.cloudstack.framework.messagebus.PublishScope;
-import org.apache.cloudstack.managed.context.ManagedContextRunnable;
-import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import org.apache.cloudstack.utils.baremetal.BaremetalUtils;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang.StringUtils;
-import org.apache.log4j.Logger;
-
-import javax.crypto.KeyGenerator;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-import java.net.InetAddress;
-import java.net.URLEncoder;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.UUID;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
-
-
public class AccountManagerImpl extends ManagerBase implements AccountManager, Manager {
public static final Logger s_logger = Logger.getLogger(AccountManagerImpl.class);
@@ -350,7 +351,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public UserVO getSystemUser() {
if (_systemUser == null) {
_systemUser = _userDao.findById(User.UID_SYSTEM);
- }
+ }
return _systemUser;
}
@@ -493,7 +494,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + domain);
}
-
@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
checkAccess(caller, accessType, sameOwner, null, entities);
@@ -535,8 +535,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
Account account = ApiDBUtils.findAccountById(entity.getAccountId());
domainId = account != null ? account.getDomainId() : -1;
}
- if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) &&
- !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
+ if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate)
+ && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId());
// for templates, we don't have to do cross domains check
if (toBeChecked == null) {
@@ -614,13 +614,13 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
- UserAccountVO user = null;
- user = _userAccountDao.lockRow(id, true);
- user.setLoginAttempts(attempts);
+ UserAccountVO user = null;
+ user = _userAccountDao.lockRow(id, true);
+ user.setLoginAttempts(attempts);
if (toDisable) {
- user.setState(State.disabled.toString());
- }
- _userAccountDao.update(id, user);
+ user.setState(State.disabled.toString());
+ }
+ _userAccountDao.update(id, user);
}
});
} catch (Exception e) {
@@ -855,9 +855,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (IpAddress ip : ipsToRelease) {
s_logger.debug("Releasing ip " + ip + " as a part of account id=" + accountId + " cleanup");
if (!_ipAddrMgr.disassociatePublicIpAddress(ip.getId(), callerUserId, caller)) {
- s_logger.warn("Failed to release ip address " + ip
- + " as a part of account id=" + accountId
- + " clenaup");
+ s_logger.warn("Failed to release ip address " + ip + " as a part of account id=" + accountId + " clenaup");
accountCleanupNeeded = true;
}
}
@@ -900,8 +898,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
List<? extends IpAddress> ipsToRelease = _ipAddressDao.listByAccount(accountId);
for (IpAddress ip : ipsToRelease) {
if (ip.isPortable()) {
- s_logger.debug("Releasing portable ip " + ip + " as a part of account id=" + accountId + " cleanup");
- _ipAddrMgr.releasePortableIpAddress(ip.getId());
+ s_logger.debug("Releasing portable ip " + ip + " as a part of account id=" + accountId + " cleanup");
+ _ipAddrMgr.releasePortableIpAddress(ip.getId());
}
}
@@ -930,7 +928,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// Delete ssh keypairs
List<SSHKeyPairVO> sshkeypairs = _sshKeyPairDao.listKeyPairs(accountId, account.getDomainId());
- for (SSHKeyPairVO keypair: sshkeypairs) {
+ for (SSHKeyPairVO keypair : sshkeypairs) {
_sshKeyPairDao.remove(keypair.getId());
}
return true;
@@ -994,9 +992,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
try {
_itMgr.advanceStop(vm.getUuid(), false);
} catch (OperationTimedoutException ote) {
- s_logger.warn(
- "Operation for stopping vm timed out, unable to stop vm "
- + vm.getHostName(), ote);
+ s_logger.warn("Operation for stopping vm timed out, unable to stop vm " + vm.getHostName(), ote);
success = false;
}
} catch (AgentUnavailableException aue) {
@@ -1009,15 +1005,14 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
- @ActionEvents({
- @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"),
- @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
- })
+ @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"),
+ @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")})
public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, final String timezone,
- String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details, String accountUUID, final String userUUID) {
+ String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details, String accountUUID,
+ final String userUUID) {
- return createUserAccount(userName, password, firstName, lastName, email, timezone, accountName, accountType, roleId, domainId, networkDomain, details, accountUUID, userUUID,
- User.Source.UNKNOWN);
+ return createUserAccount(userName, password, firstName, lastName, email, timezone, accountName, accountType, roleId, domainId, networkDomain, details, accountUUID,
+ userUUID, User.Source.UNKNOWN);
}
// ///////////////////////////////////////////////////
@@ -1026,13 +1021,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
@DB
- @ActionEvents({
- @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"),
- @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
- })
- public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email,
- final String timezone, String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details,
- String accountUUID, final String userUUID, final User.Source source) {
+ @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"),
+ @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")})
+ public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, final String timezone,
+ String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map<String, String> details, String accountUUID,
+ final String userUUID, final User.Source source) {
if (accountName == null) {
accountName = userName;
@@ -1120,8 +1113,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
@ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
- public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId,
- String userUUID, User.Source source) {
+ public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID,
+ User.Source source) {
// default domain to ROOT if not specified
if (domainId == null) {
domainId = Domain.ROOT_DOMAIN;
@@ -1156,14 +1149,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
@ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId,
- String userUUID) {
+ String userUUID) {
- return createUser(userName, password, firstName,lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN);
+ return createUser(userName, password, firstName, lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN);
}
@Override
@ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = "updating User")
- public UserAccount updateUser(Long userId, String firstName, String lastName, String email, String userName, String password, String apiKey, String secretKey, String timeZone) {
+ public UserAccount updateUser(Long userId, String firstName, String lastName, String email, String userName, String password, String apiKey, String secretKey,
+ String timeZone) {
// Input validation
UserVO user = _userDao.getUser(userId);
@@ -1298,7 +1292,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
String timeZone = cmd.getTimezone();
String userName = cmd.getUsername();
- return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey, timeZone);
+ return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey, timeZone);
}
@Override
@@ -1556,8 +1550,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- throw new InvalidParameterValueException("Unable to find active account by accountId: " + accountId + " OR by name: " + accountName + " in domain " +
- domainId);
+ throw new InvalidParameterValueException("Unable to find active account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + domainId);
}
if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
@@ -1645,8 +1638,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// to
// update
// itself
- throw new InvalidParameterValueException("There already exists an account with the name:" + newAccountName + " in the domain:" + domainId +
- " with existing account id:" + duplicateAcccount.getId());
+ throw new InvalidParameterValueException(
+ "There already exists an account with the name:" + newAccountName + " in the domain:" + domainId + " with existing account id:" + duplicateAcccount.getId());
}
if (networkDomain != null && !networkDomain.isEmpty()) {
@@ -1674,9 +1667,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public Boolean doInTransaction(TransactionStatus status) {
boolean success = _accountDao.update(accountFinal.getId(), acctForUpdate);
- if (details != null && success) {
+ if (details != null && success) {
_accountDetailsDao.update(accountFinal.getId(), details);
- }
+ }
return success;
}
@@ -1919,8 +1912,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
@DB
- public AccountVO createAccount(final String accountName, final short accountType, final Long roleId, final Long domainId, final String networkDomain, final Map<String, String> details,
- final String uuid) {
+ public AccountVO createAccount(final String accountName, final short accountType, final Long roleId, final Long domainId, final String networkDomain,
+ final Map<String, String> details, final String uuid) {
// Validate domain
Domain domain = _domainMgr.getDomain(domainId);
if (domain == null) {
@@ -1932,7 +1925,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
if ((domainId != Domain.ROOT_DOMAIN) && (accountType == Account.ACCOUNT_TYPE_ADMIN)) {
- throw new InvalidParameterValueException("Invalid account type " + accountType + " given for an account in domain " + domainId + "; unable to create user of admin role type in non-ROOT domain.");
+ throw new InvalidParameterValueException(
+ "Invalid account type " + accountType + " given for an account in domain " + domainId + "; unable to create user of admin role type in non-ROOT domain.");
}
// Validate account/user/domain settings
@@ -1964,37 +1958,37 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return Transaction.execute(new TransactionCallback<AccountVO>() {
@Override
public AccountVO doInTransaction(TransactionStatus status) {
- AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid));
+ AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid));
- if (account == null) {
- throw new CloudRuntimeException("Failed to create account name " + accountName + " in domain id=" + domainId);
- }
+ if (account == null) {
+ throw new CloudRuntimeException("Failed to create account name " + accountName + " in domain id=" + domainId);
+ }
- Long accountId = account.getId();
+ Long accountId = account.getId();
- if (details != null) {
- _accountDetailsDao.persist(accountId, details);
- }
+ if (details != null) {
+ _accountDetailsDao.persist(accountId, details);
+ }
- // Create resource count records for the account
- _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account);
+ // Create resource count records for the account
+ _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account);
- // Create default security group
- _networkGroupMgr.createDefaultSecurityGroup(accountId);
+ // Create default security group
+ _networkGroupMgr.createDefaultSecurityGroup(accountId);
- return account;
- }
+ return account;
+ }
});
}
protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID,
- User.Source source) {
+ User.Source source) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone);
}
String encodedPassword = null;
- for (UserAuthenticator authenticator : _userPasswordEncoders) {
+ for (UserAuthenticator authenticator : _userPasswordEncoders) {
encodedPassword = authenticator.encode(password);
if (encodedPassword != null) {
break;
@@ -2005,7 +1999,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
if (userUUID == null) {
- userUUID = UUID.randomUUID().toString();
+ userUUID = UUID.randomUUID().toString();
}
UserVO user = _userDao.persist(new UserVO(accountId, userName, encodedPassword, firstName, lastName, email, timezone, userUUID, source));
CallContext.current().putContextParameter(User.class, user.getUuid());
@@ -2135,8 +2129,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
s_logger.debug("User: " + username + " in domain " + domainId + " has successfully logged in");
}
- ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, "user has logged in from IP Address " +
- loginIpAddress);
+ ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN,
+ "user has logged in from IP Address " + loginIpAddress);
return user;
} else {
@@ -2155,10 +2149,10 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
boolean authenticated = false;
HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthenticaion = new HashSet<ActionOnFailedAuthentication>();
- User.Source userSource = userAccount != null ? userAccount.getSource(): User.Source.UNKNOWN;
+ User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN;
for (UserAuthenticator authenticator : _userAuthenticators) {
- if(userSource != User.Source.UNKNOWN) {
- if(!authenticator.getName().equalsIgnoreCase(userSource.name())){
+ if (userSource != User.Source.UNKNOWN) {
+ if (!authenticator.getName().equalsIgnoreCase(userSource.name())) {
continue;
}
}
@@ -2182,12 +2176,12 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
userAccount = _userAccountDao.getUserAccount(username, domainId);
- if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) ||
- !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
+ if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
if (s_logger.isInfoEnabled()) {
s_logger.info("User " + username + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)");
}
- throw new CloudAuthenticationException("User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the administrator.");
+ throw new CloudAuthenticationException(
+ "User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the administrator.");
}
// Whenever the user is able to log in successfully, reset the login attempts to zero
if (!isInternalAccount(userAccount.getId()))
@@ -2231,17 +2225,17 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
- public Map<String, String> getKeys(GetUserKeysCmd cmd){
+ public Map<String, String> getKeys(GetUserKeysCmd cmd) {
final long userId = cmd.getID();
User user = getActiveUser(userId);
- if(user==null){
+ if (user == null) {
throw new InvalidParameterValueException("Unable to find user by id");
}
final ControlledEntity account = getAccount(getUserAccountById(userId).getAccountId()); //Extracting the Account from the userID of the requested user.
checkAccess(CallContext.current().getCallingUser(), account);
- Map <String, String> keys = new HashMap<String, String>();
+ Map<String, String> keys = new HashMap<String, String>();
keys.put("apikey", user.getApiKey());
keys.put("secretkey", user.getSecretKey());
@@ -2277,8 +2271,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
- keys[0] = createUserApiKey(userId);
- keys[1] = createUserSecretKey(userId);
+ keys[0] = createUserApiKey(userId);
+ keys[1] = createUserSecretKey(userId);
}
});
@@ -2359,18 +2353,16 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return null;
}
-
-
@Override
- public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria) {
if (sb.entity() instanceof IPAddressVO) {
- sb.and("accountIdIN", ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
+ sb.and("accountIdIN", ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
+ sb.and("domainId", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
} else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.and("accountIdIN", ((ProjectInvitationVO) sb.entity()).getForAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", ((ProjectInvitationVO) sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
+ sb.and("accountIdIN", ((ProjectInvitationVO)sb.entity()).getForAccountId(), SearchCriteria.Op.IN);
+ sb.and("domainId", ((ProjectInvitationVO)sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
} else {
sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
@@ -2382,9 +2374,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
if (sb.entity() instanceof IPAddressVO) {
- sb.join("domainSearch", domainSearch, ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
} else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ sb.join("domainSearch", domainSearch, ((ProjectInvitationVO)sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
} else {
sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
}
@@ -2399,9 +2391,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
if (sb.entity() instanceof IPAddressVO) {
- sb.join("accountSearch", accountSearch, ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ sb.join("accountSearch", accountSearch, ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
} else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ sb.join("accountSearch", accountSearch, ((ProjectInvitationVO)sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
} else {
sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
}
@@ -2409,8 +2401,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
- public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria) {
if (listProjectResourcesCriteria != null) {
sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT);
@@ -2472,6 +2464,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (projectId.longValue() == -1) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
+
+ //permittedAccounts can be empty when the caller is not a part of any project (a domain account)
+ if (permittedAccounts.isEmpty()) {
+ permittedAccounts.add(caller.getId());
+ }
} else {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
}
@@ -2516,10 +2513,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
-
@Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria) {
sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
@@ -2540,10 +2536,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
-
@Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria) {
if (listProjectResourcesCriteria != null) {
sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
}
@@ -2561,13 +2556,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
-
@Override
public UserAccount getUserByApiKey(String apiKey) {
return _userAccountDao.getUserByApiKey(apiKey);
}
-
@Override
public List<String> listAclGroupsByAccount(Long accountId) {
if (_querySelectors == null || _querySelectors.size() == 0)
@@ -2594,8 +2587,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (!enabledOnly || account.getState() == Account.State.enabled) {
return account.getId();
} else {
- throw new PermissionDeniedException("Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() +
- " as it's no longer active");
+ throw new PermissionDeniedException(
+ "Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() + " as it's no longer active");
}
} else {
// idList is not used anywhere, so removed it now
@@ -2611,9 +2604,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (!enabledOnly || project.getState() == Project.State.Active) {
return project.getProjectAccountId();
} else {
- final PermissionDeniedException ex =
- new PermissionDeniedException("Can't add resources to the project with specified projectId in state=" + project.getState() +
- " as it's no longer active");
+ final PermissionDeniedException ex = new PermissionDeniedException(
+ "Can't add resources to the project with specified projectId in state=" + project.getState() + " as it's no longer active");
ex.addProxyObject(project.getUuid(), "projectId");
throw ex;
}
@@ -2630,8 +2622,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
- public void checkAccess(Account account, ServiceOffering so)
- throws PermissionDeniedException {
+ public void checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException {
for (SecurityChecker checker : _securityCheckers) {
if (checker.checkAccess(account, so)) {
if (s_logger.isDebugEnabled()) {
@@ -2646,8 +2637,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
- public void checkAccess(Account account, DiskOffering dof)
- throws PermissionDeniedException {
+ public void checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException {
for (SecurityChecker checker : _securityCheckers) {
if (checker.checkAccess(account, dof)) {
if (s_logger.isDebugEnabled()) {
@@ -2662,11 +2652,10 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
- public void checkAccess(User user, ControlledEntity entity)
- throws PermissionDeniedException {
- for(SecurityChecker checker : _securityCheckers){
- if(checker.checkAccess(user,entity)){
- if(s_logger.isDebugEnabled()){
+ public void checkAccess(User user, ControlledEntity entity) throws PermissionDeniedException {
+ for (SecurityChecker checker : _securityCheckers) {
+ if (checker.checkAccess(user, entity)) {
+ if (s_logger.isDebugEnabled()) {
s_logger.debug("Access granted to " + user + "to " + entity + "by " + checker.getName());
}
return;
@@ -2682,6 +2671,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public ConfigKey<?>[] getConfigKeys() {
- return new ConfigKey<?>[]{UseSecretKeyInResponse};
+ return new ConfigKey<?>[] {UseSecretKeyInResponse};
}
}
--
To stop receiving notification emails like this one, please contact
['"commits@cloudstack.apache.org" <co...@cloudstack.apache.org>'].