You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by bh...@apache.org on 2016/11/08 09:52:31 UTC
[1/5] git commit: updated refs/heads/4.9 to c09fc27
Repository: cloudstack
Updated Branches:
refs/heads/4.9 6f609e694 -> c09fc2725
CLOUDSTACK-9544: Check access on account trying to generate user API keys
This fixes CVE-2016-6813
Signed-off-by: Marc-Aur�le Brothier <m...@brothier.org>
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
(cherry picked from commit 158497d68a92ab1e1f864a77371ea1de5c4dc5bb)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/0f89a893
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/0f89a893
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/0f89a893
Branch: refs/heads/4.9
Commit: 0f89a8939fa618aa516523f21933fc7cabfe8a3a
Parents: 9127af6
Author: Marc-Aur�le Brothier <m...@brothier.org>
Authored: Tue Oct 18 15:33:38 2016 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Oct 28 11:45:38 2016 +0530
----------------------------------------------------------------------
.../src/com/cloud/user/AccountManagerImpl.java | 4 +
test/integration/component/test_accounts.py | 161 +++++++++++++++++++
2 files changed, 165 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0f89a893/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index d3eb40c..34c5270 100644
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2231,6 +2231,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@DB
@ActionEvent(eventType = EventTypes.EVENT_REGISTER_FOR_SECRET_API_KEY, eventDescription = "register for the developer API keys")
public String[] createApiKeyAndSecretKey(RegisterCmd cmd) {
+ Account caller = CallContext.current().getCallingAccount();
final Long userId = cmd.getId();
User user = getUserIncludingRemoved(userId);
@@ -2238,6 +2239,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("unable to find user by id");
}
+ Account account = _accountDao.findById(user.getAccountId());
+ checkAccess(caller, null, true, account);
+
// don't allow updating system user
if (user.getId() == User.UID_SYSTEM) {
throw new PermissionDeniedException("user id : " + user.getId() + " is system account, update is not allowed");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0f89a893/test/integration/component/test_accounts.py
----------------------------------------------------------------------
diff --git a/test/integration/component/test_accounts.py b/test/integration/component/test_accounts.py
index d0341dd..60421d9 100644
--- a/test/integration/component/test_accounts.py
+++ b/test/integration/component/test_accounts.py
@@ -1531,6 +1531,167 @@ class TestUserLogin(cloudstackTestCase):
return
+class TestUserAPIKeys(cloudstackTestCase):
+
+ @classmethod
+ def setUpClass(cls):
+ cls.testClient = super(TestUserAPIKeys, cls).getClsTestClient()
+ cls.api_client = cls.testClient.getApiClient()
+
+ cls.services = Services().services
+ cls.domain = get_domain(cls.api_client)
+ cls.zone = get_zone(cls.api_client, cls.testClient.getZoneForTests())
+ cls.services['mode'] = cls.zone.networktype
+ # Create an account, domain etc
+ cls.domain = Domain.create(
+ cls.api_client,
+ cls.services["domain"],
+ )
+ cls.account = Account.create(
+ cls.api_client,
+ cls.services["account"],
+ admin=False,
+ domainid=cls.domain.id
+ )
+ cls.domain_2 = Domain.create(
+ cls.api_client,
+ cls.services["domain"],
+ )
+ cls.account_2 = Account.create(
+ cls.api_client,
+ cls.services["account"],
+ admin=False,
+ domainid=cls.domain_2.id
+ )
+ cls._cleanup = [
+ cls.account,
+ cls.domain,
+ cls.account_2,
+ cls.domain_2
+ ]
+ return
+
+ @classmethod
+ def tearDownClass(cls):
+ try:
+ # Cleanup resources used
+ cleanup_resources(cls.api_client, cls._cleanup)
+ except Exception as e:
+ raise Exception("Warning: Exception during cleanup : %s" % e)
+ return
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.dbclient = self.testClient.getDbConnection()
+ self.cleanup = []
+ return
+
+ def tearDown(self):
+ try:
+ # Clean up, terminate the created network offerings
+ cleanup_resources(self.apiclient, self.cleanup)
+ except Exception as e:
+ raise Exception("Warning: Exception during cleanup : %s" % e)
+ return
+
+ @attr(tags=[
+ "role",
+ "accounts",
+ "simulator",
+ "advanced",
+ "advancedns",
+ "basic",
+ "eip",
+ "sg"
+ ])
+ def test_user_key_renew_same_account(self):
+ # Create an User associated with the account
+ user_1 = User.create(
+ self.apiclient,
+ self.services["user"],
+ account=self.account.name,
+ domainid=self.domain.id
+ )
+ self.cleanup.append(user_1)
+ account_response = list_accounts(
+ self.apiclient,
+ id=self.account.id
+ )[0]
+ self.assertEqual(
+ hasattr(account_response, 'user'),
+ True,
+ "Users are included in account response")
+
+ account_users = account_response.user
+ self.assertEqual(
+ isinstance(account_users, list),
+ True,
+ "Check account for valid data"
+ )
+ self.assertNotEqual(
+ len(account_users),
+ 0,
+ "Check number of User in Account")
+ [user] = [u for u in account_users if u.username == user_1.username]
+ self.assertEqual(
+ user.apikey,
+ None,
+ "Check that the user don't have an API key yet")
+
+ self.debug("Register API keys for user")
+ userkeys = User.registerUserKeys(self.apiclient, user_1.id)
+ users = list_accounts(
+ self.apiclient,
+ id=self.account.id
+ )[0].user
+ [user] = [u for u in users if u.id == user_1.id]
+ self.assertEqual(
+ user.apikey,
+ userkeys.apikey,
+ "Check User api key")
+ self.assertEqual(
+ user.secretkey,
+ userkeys.secretkey,
+ "Check User having secret key")
+
+ self.debug("Get test client with user keys")
+ cs_api = self.testClient.getUserApiClient(
+ UserName=self.account.name,
+ DomainName=self.account.domain)
+ self.debug("Renew API keys for user using current keys")
+ new_keys = User.registerUserKeys(cs_api, user_1.id)
+ self.assertNotEqual(
+ userkeys.apikey,
+ new_keys.apikey,
+ "Check API key is different")
+ self.assertNotEqual(
+ userkeys.secretkey,
+ new_keys.secretkey,
+ "Check secret key is different")
+
+ @attr(tags=[
+ "role",
+ "accounts",
+ "simulator",
+ "advanced",
+ "advancedns",
+ "basic",
+ "eip",
+ "sg"
+ ])
+ def test_user_cannot_renew_other_keys(self):
+ cs_api = self.testClient.getUserApiClient(
+ UserName=self.account.name,
+ DomainName=self.account.domain)
+ self.debug("Try to change API key of an account in another domain")
+ users = list_accounts(
+ self.apiclient,
+ id=self.account_2.id
+ )[0].user
+ with self.assertRaises(CloudstackAPIException) as e:
+ User.registerUserKeys(cs_api, users[0].id)
+
+
class TestDomainForceRemove(cloudstackTestCase):
@classmethod
[4/5] git commit: updated refs/heads/4.9 to c09fc27
Posted by bh...@apache.org.
Merge branch '4.7' into 4.8
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b704cefc
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b704cefc
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b704cefc
Branch: refs/heads/4.9
Commit: b704cefc1fafe56712e4066aa02525f399a4eb8c
Parents: c0a6fc2 0279ac2
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Tue Nov 8 15:20:07 2016 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Tue Nov 8 15:20:07 2016 +0530
----------------------------------------------------------------------
.../config/opt/cloud/bin/getRouterAlerts.sh | 55 ++++++++++++++++++++
1 file changed, 55 insertions(+)
----------------------------------------------------------------------
[2/5] git commit: updated refs/heads/4.9 to c09fc27
Posted by bh...@apache.org.
CLOUDSTACK-9183: bash: /opt/cloud/bin/getRouterAlerts.sh: No such file or directory
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/420d06f4
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/420d06f4
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/420d06f4
Branch: refs/heads/4.9
Commit: 420d06f4d371e31761440c3d3957bab737531af3
Parents: 5ccebf0
Author: �lafur Stef�n Arnarsson <ol...@greenqloud.com>
Authored: Mon Oct 31 21:44:15 2016 +0000
Committer: �lafur Stef�n Arnarsson <ol...@greenqloud.com>
Committed: Mon Oct 31 21:44:15 2016 +0000
----------------------------------------------------------------------
.../config/opt/cloud/bin/getRouterAlerts.sh | 55 ++++++++++++++++++++
1 file changed, 55 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/420d06f4/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh b/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh
new file mode 100644
index 0000000..3f5f4a3
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# getRouterAlerts.sh --- Send the alerts from routerServiceMonitor.log to Management Server
+
+#set -x
+
+filename=/var/log/routerServiceMonitor.log #Monitor service log file
+if [ -n "$1" -a -n "$2" ]
+then
+ reqDateVal=$(date -d "$1 $2" "+%s");
+else
+ reqDateVal=0
+fi
+if [ -f $filename ]
+then
+ while read line
+ do
+ if [ -n "$line" ]
+ then
+ dateval=`echo $line |awk '{print $1, $2}'`
+ IFS=',' read -a array <<< "$dateval"
+ dateval=${array[0]}
+
+ toDateVal=$(date -d "$dateval" "+%s")
+
+ if [ "$toDateVal" -gt "$reqDateVal" ]
+ then
+ alerts="$line\n$alerts"
+ else
+ break
+ fi
+ fi
+ done < <(tac $filename)
+fi
+if [ -n "$alerts" ]; then
+ echo $alerts
+else
+ echo "No Alerts"
+fi
\ No newline at end of file
[3/5] git commit: updated refs/heads/4.9 to c09fc27
Posted by bh...@apache.org.
Merge pull request #1744 from greenqloud/4.7
CLOUDSTACK-9183: bash: /opt/cloud/bin/getRouterAlerts.sh: No such file or directory
* pr/1744:
CLOUDSTACK-9183: bash: /opt/cloud/bin/getRouterAlerts.sh: No such file or directory
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/0279ac20
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/0279ac20
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/0279ac20
Branch: refs/heads/4.9
Commit: 0279ac20e46cbbc7f699dc41eafbe31fe0c4797b
Parents: 0f89a89 420d06f
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Tue Nov 8 15:19:28 2016 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Tue Nov 8 15:19:28 2016 +0530
----------------------------------------------------------------------
.../config/opt/cloud/bin/getRouterAlerts.sh | 55 ++++++++++++++++++++
1 file changed, 55 insertions(+)
----------------------------------------------------------------------
[5/5] git commit: updated refs/heads/4.9 to c09fc27
Posted by bh...@apache.org.
Merge branch '4.8' into 4.9
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c09fc272
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c09fc272
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c09fc272
Branch: refs/heads/4.9
Commit: c09fc272551446d70b9e53f0b13418365f804ef1
Parents: 6f609e6 b704cef
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Tue Nov 8 15:20:45 2016 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Tue Nov 8 15:20:45 2016 +0530
----------------------------------------------------------------------
.../config/opt/cloud/bin/getRouterAlerts.sh | 55 ++++++++++++++++++++
1 file changed, 55 insertions(+)
----------------------------------------------------------------------