You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2017/12/27 09:19:13 UTC
[GitHub] yvsubhash commented on a change in pull request #2350: Cloudstack 10170 - fixes resource tags security bugs and adds account tags support
yvsubhash commented on a change in pull request #2350: Cloudstack 10170 - fixes resource tags security bugs and adds account tags support
URL: https://github.com/apache/cloudstack/pull/2350#discussion_r158785251
##########
File path: server/src/com/cloud/tags/TaggedResourceManagerImpl.java
##########
@@ -279,83 +308,77 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
return resourceTags;
}
- @Override
- public String getUuid(String resourceId, ResourceObjectType resourceType) {
- if (!StringUtils.isNumeric(resourceId)) {
- return resourceId;
- }
-
- Class<?> clazz = s_typeMap.get(resourceType);
-
- Object entity = _entityMgr.findById(clazz, resourceId);
- if (entity != null && entity instanceof Identity) {
- return ((Identity)entity).getUuid();
- }
+ private List<? extends ResourceTag> searchResourceTags(List<String> resourceIds, ResourceObjectType resourceType) {
+ List<String> resourceUuids = resourceIds.stream().map(resourceId -> getUuid(resourceId, resourceType)).collect(Collectors.toList());
+ SearchBuilder<ResourceTagVO> sb = _resourceTagDao.createSearchBuilder();
+ sb.and("resourceUuid", sb.entity().getResourceUuid(), SearchCriteria.Op.IN);
+ sb.and("resourceType", sb.entity().getResourceType(), SearchCriteria.Op.EQ);
- return resourceId;
- }
+ SearchCriteria<ResourceTagVO> sc = sb.create();
+ sc.setParameters("resourceUuid", resourceUuids.toArray());
+ sc.setParameters("resourceType", resourceType);
+ return _resourceTagDao.search(sc, null);
+ }
@Override
@DB
@ActionEvent(eventType = EventTypes.EVENT_TAGS_DELETE, eventDescription = "deleting resource tags")
public boolean deleteTags(List<String> resourceIds, ResourceObjectType resourceType, Map<String, String> tags) {
Account caller = CallContext.current().getCallingAccount();
-
- SearchBuilder<ResourceTagVO> sb = _resourceTagDao.createSearchBuilder();
- sb.and().op("resourceId", sb.entity().getResourceId(), SearchCriteria.Op.IN);
- sb.or("resourceUuid", sb.entity().getResourceUuid(), SearchCriteria.Op.IN);
- sb.cp();
- sb.and("resourceType", sb.entity().getResourceType(), SearchCriteria.Op.EQ);
-
- SearchCriteria<ResourceTagVO> sc = sb.create();
- sc.setParameters("resourceId", resourceIds.toArray());
- sc.setParameters("resourceUuid", resourceIds.toArray());
- sc.setParameters("resourceType", resourceType);
-
- List<? extends ResourceTag> resourceTags = _resourceTagDao.search(sc, null);
- ;
- final List<ResourceTag> tagsToRemove = new ArrayList<ResourceTag>();
+ if(s_logger.isDebugEnabled()) {
+ s_logger.debug("ResourceIds to Find " + String.join(", ", resourceIds));
+ }
+ List<? extends ResourceTag> resourceTags = searchResourceTags(resourceIds, resourceType);
+ final List<ResourceTag> tagsToDelete = new ArrayList<>();
// Finalize which tags should be removed
for (ResourceTag resourceTag : resourceTags) {
//1) validate the permissions
+ if(s_logger.isDebugEnabled()) {
+ s_logger.debug("Resource Tag Id: " + resourceTag.getResourceId());
+ s_logger.debug("Resource Tag AccountId: " + resourceTag.getAccountId());
+ }
Account owner = _accountMgr.getAccount(resourceTag.getAccountId());
+ if(s_logger.isDebugEnabled()) {
+ s_logger.debug("Resource Owner: " + owner);
+ }
_accountMgr.checkAccess(caller, null, false, owner);
//2) Only remove tag if it matches key value pairs
- if (tags != null && !tags.isEmpty()) {
+ if (MapUtils.isEmpty(tags)) {
+ tagsToDelete.add(resourceTag);
+ } else {
for (String key : tags.keySet()) {
- boolean canBeRemoved = false;
+ boolean deleteTag = false;
if (resourceTag.getKey().equalsIgnoreCase(key)) {
String value = tags.get(key);
if (value != null) {
if (resourceTag.getValue().equalsIgnoreCase(value)) {
- canBeRemoved = true;
+ deleteTag = true;
}
} else {
- canBeRemoved = true;
+ deleteTag = true;
}
- if (canBeRemoved) {
- tagsToRemove.add(resourceTag);
+ if (deleteTag) {
+ tagsToDelete.add(resourceTag);
break;
}
}
}
- } else {
- tagsToRemove.add(resourceTag);
}
}
- if (tagsToRemove.isEmpty()) {
- throw new InvalidParameterValueException("Unable to find tags by parameters specified");
+ if (tagsToDelete.isEmpty()) {
+ throw new InvalidParameterValueException("Unable to find any tags which conform to specified delete parameters.");
}
//Remove the tags
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
Review comment:
@bwsw Is there any reason for this transaction? underlying update that is part of remove already having a trasaction. Also each tag removal is independent. So they need not be in a single transaction
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services