You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by al...@apache.org on 2012/10/08 20:03:23 UTC
[2/2] git commit: Fixed CLOUDSTACK-287
Fixed CLOUDSTACK-287
1) Always fail to authenticate system user.
2) DB - always create system user with RANDOM not null password
3) Don't allow modifying (setting api/secretKeys, etc) system user via API
Conflicts:
server/src/com/cloud/user/AccountManagerImpl.java
setup/db/db/schema-305to306.sql
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/cfd20913
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/cfd20913
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/cfd20913
Branch: refs/heads/4.0
Commit: cfd2091337534f0ff7edcacd404c776fa202c5c7
Parents: 098a78a
Author: Alena Prokharchyk <al...@citrix.com>
Authored: Mon Oct 8 09:45:38 2012 -0700
Committer: Alena Prokharchyk <al...@citrix.com>
Committed: Mon Oct 8 10:51:41 2012 -0700
----------------------------------------------------------------------
.../com/cloud/server/ConfigurationServerImpl.java | 3 +-
server/src/com/cloud/test/DatabaseConfig.java | 3 +-
server/src/com/cloud/user/AccountManagerImpl.java | 24 ++++++++++-----
3 files changed, 20 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cfd20913/server/src/com/cloud/server/ConfigurationServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ConfigurationServerImpl.java b/server/src/com/cloud/server/ConfigurationServerImpl.java
index a0d10b6..3368c9b 100755
--- a/server/src/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/com/cloud/server/ConfigurationServerImpl.java
@@ -333,7 +333,8 @@ public class ConfigurationServerImpl implements ConfigurationServer {
} catch (SQLException ex) {
}
// insert system user
- insertSql = "INSERT INTO `cloud`.`user` (id, username, password, account_id, firstname, lastname, created) VALUES (1, 'system', '', 1, 'system', 'cloud', now())";
+ insertSql = "INSERT INTO `cloud`.`user` (id, username, password, account_id, firstname, lastname, created)" +
+ " VALUES (1, 'system', RAND(), 1, 'system', 'cloud', now())";
txn = Transaction.currentTxn();
try {
PreparedStatement stmt = txn.prepareAutoCloseStatement(insertSql);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cfd20913/server/src/com/cloud/test/DatabaseConfig.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/test/DatabaseConfig.java b/server/src/com/cloud/test/DatabaseConfig.java
index 4e21870..5668a33 100755
--- a/server/src/com/cloud/test/DatabaseConfig.java
+++ b/server/src/com/cloud/test/DatabaseConfig.java
@@ -1090,7 +1090,8 @@ public class DatabaseConfig {
}
// insert system user
- insertSql = "INSERT INTO `cloud`.`user` (id, username, password, account_id, firstname, lastname, created) VALUES (1, 'system', '', 1, 'system', 'cloud', now())";
+ insertSql = "INSERT INTO `cloud`.`user` (id, username, password, account_id, firstname, lastname, created)" +
+ " VALUES (1, 'system', RAND(), 1, 'system', 'cloud', now())";
txn = Transaction.currentTxn();
try {
PreparedStatement stmt = txn.prepareAutoCloseStatement(insertSql);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cfd20913/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 4d3f45c..0df6ada 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -74,15 +74,10 @@ import com.cloud.network.IpAddress;
import com.cloud.network.NetworkManager;
import com.cloud.network.NetworkVO;
import com.cloud.network.RemoteAccessVpnVO;
-import com.cloud.network.Site2SiteCustomerGatewayVO;
-import com.cloud.network.Site2SiteVpnConnectionVO;
import com.cloud.network.VpnUserVO;
import com.cloud.network.dao.IPAddressDao;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.dao.RemoteAccessVpnDao;
-import com.cloud.network.dao.Site2SiteCustomerGatewayDao;
-import com.cloud.network.dao.Site2SiteVpnConnectionDao;
-import com.cloud.network.dao.Site2SiteVpnGatewayDao;
import com.cloud.network.dao.VpnUserDao;
import com.cloud.network.security.SecurityGroupManager;
import com.cloud.network.security.dao.SecurityGroupDao;
@@ -881,6 +876,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
throw new InvalidParameterValueException("unable to find user by id");
}
+ //don't allow updating system account
if (account != null && (account.getId() == Account.ACCOUNT_ID_SYSTEM)) {
throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
}
@@ -1713,7 +1709,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
String singleSignOnTolerance = _configDao.getValue("security.singlesignon.tolerance.millis");
if (singleSignOnTolerance == null) {
// the SSO tolerance is gone (how much time before/after system time we'll allow the login request to be
-// valid),
+ // valid),
// don't authenticate
return null;
}
@@ -1798,6 +1794,12 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
}
if (user != null) {
+ //don't allow to authenticate system user
+ if (user.getId() == User.UID_SYSTEM) {
+ s_logger.error("Failed to authenticate user: " + username + " in domain " + domainId);
+ return null;
+ }
+
if (s_logger.isDebugEnabled()) {
s_logger.debug("User: " + username + " in domain " + domainId + " has successfully logged in");
}
@@ -1895,8 +1897,14 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
public String[] createApiKeyAndSecretKey(RegisterCmd cmd) {
Long userId = cmd.getId();
- if (getUserIncludingRemoved(userId) == null) {
- throw new InvalidParameterValueException("unable to find user for id : " + userId);
+ User user = getUserIncludingRemoved(userId);
+ if (user == null) {
+ throw new InvalidParameterValueException("unable to find user by id");
+ }
+
+ //don't allow updating system user
+ if (user.getId() == User.UID_SYSTEM) {
+ throw new PermissionDeniedException("user id : " + user.getId() + " is system account, update is not allowed");
}
// generate both an api key and a secret key, update the user table with the keys, return the keys to the user