cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] rhtyd closed pull request #2352: CLOUDSTACK-10175: prevent VPC list leakage
Date Thu, 01 Jan 1970 00:00:00 GMT
rhtyd closed pull request #2352: CLOUDSTACK-10175: prevent VPC list leakage
URL: https://github.com/apache/cloudstack/pull/2352
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index e3209474563..294bc6e84ef 100644
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -16,6 +16,54 @@
 // under the License.
 package com.cloud.user;
 
+import java.net.InetAddress;
+import java.net.URLEncoder;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.QuerySelector;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.affinity.AffinityGroup;
+import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
+import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
+import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.framework.messagebus.MessageBus;
+import org.apache.cloudstack.framework.messagebus.PublishScope;
+import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
+import org.apache.cloudstack.utils.baremetal.BaremetalUtils;
+
 import com.cloud.api.ApiDBUtils;
 import com.cloud.api.query.vo.ControlledViewEntity;
 import com.cloud.configuration.Config;
@@ -123,53 +171,6 @@
 import com.cloud.vm.snapshot.VMSnapshotManager;
 import com.cloud.vm.snapshot.VMSnapshotVO;
 import com.cloud.vm.snapshot.dao.VMSnapshotDao;
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.acl.QuerySelector;
-import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.affinity.AffinityGroup;
-import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
-import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
-import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
-import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
-import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.cloudstack.framework.messagebus.MessageBus;
-import org.apache.cloudstack.framework.messagebus.PublishScope;
-import org.apache.cloudstack.managed.context.ManagedContextRunnable;
-import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import org.apache.cloudstack.utils.baremetal.BaremetalUtils;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang.StringUtils;
-import org.apache.log4j.Logger;
-
-import javax.crypto.KeyGenerator;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-import java.net.InetAddress;
-import java.net.URLEncoder;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.UUID;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
-
-
 
 public class AccountManagerImpl extends ManagerBase implements AccountManager, Manager {
     public static final Logger s_logger = Logger.getLogger(AccountManagerImpl.class);
@@ -350,7 +351,7 @@ public boolean configure(final String name, final Map<String, Object>
params) th
     public UserVO getSystemUser() {
         if (_systemUser == null) {
             _systemUser = _userDao.findById(User.UID_SYSTEM);
-    }
+        }
         return _systemUser;
     }
 
@@ -493,7 +494,6 @@ public void checkAccess(Account caller, Domain domain) throws PermissionDeniedEx
         throw new PermissionDeniedException("There's no way to confirm " + caller + " has
access to " + domain);
     }
 
-
     @Override
     public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity...
entities) {
         checkAccess(caller, accessType, sameOwner, null, entities);
@@ -535,8 +535,8 @@ public void checkAccess(Account caller, AccessType accessType, boolean
sameOwner
                 Account account = ApiDBUtils.findAccountById(entity.getAccountId());
                 domainId = account != null ? account.getDomainId() : -1;
             }
-            if (entity.getAccountId() != -1 && domainId != -1 && !(entity
instanceof VirtualMachineTemplate) &&
-                !(entity instanceof Network && accessType != null && accessType
== AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
+            if (entity.getAccountId() != -1 && domainId != -1 && !(entity
instanceof VirtualMachineTemplate)
+                    && !(entity instanceof Network && accessType != null
&& accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup))
{
                 List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId());
                 // for templates, we don't have to do cross domains check
                 if (toBeChecked == null) {
@@ -614,13 +614,13 @@ public void updateLoginAttempts(final Long id, final int attempts, final
boolean
             Transaction.execute(new TransactionCallbackNoReturn() {
                 @Override
                 public void doInTransactionWithoutResult(TransactionStatus status) {
-            UserAccountVO user = null;
-            user = _userAccountDao.lockRow(id, true);
-            user.setLoginAttempts(attempts);
+                    UserAccountVO user = null;
+                    user = _userAccountDao.lockRow(id, true);
+                    user.setLoginAttempts(attempts);
                     if (toDisable) {
-                user.setState(State.disabled.toString());
-            }
-            _userAccountDao.update(id, user);
+                        user.setState(State.disabled.toString());
+                    }
+                    _userAccountDao.update(id, user);
                 }
             });
         } catch (Exception e) {
@@ -855,9 +855,7 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId,
Account c
                 for (IpAddress ip : ipsToRelease) {
                     s_logger.debug("Releasing ip " + ip + " as a part of account id=" + accountId
+ " cleanup");
                     if (!_ipAddrMgr.disassociatePublicIpAddress(ip.getId(), callerUserId,
caller)) {
-                        s_logger.warn("Failed to release ip address " + ip
-                                + " as a part of account id=" + accountId
-                                + " clenaup");
+                        s_logger.warn("Failed to release ip address " + ip + " as a part
of account id=" + accountId + " clenaup");
                         accountCleanupNeeded = true;
                     }
                 }
@@ -900,8 +898,8 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId,
Account c
             List<? extends IpAddress> ipsToRelease = _ipAddressDao.listByAccount(accountId);
             for (IpAddress ip : ipsToRelease) {
                 if (ip.isPortable()) {
-                s_logger.debug("Releasing portable ip " + ip + " as a part of account id="
+ accountId + " cleanup");
-                _ipAddrMgr.releasePortableIpAddress(ip.getId());
+                    s_logger.debug("Releasing portable ip " + ip + " as a part of account
id=" + accountId + " cleanup");
+                    _ipAddrMgr.releasePortableIpAddress(ip.getId());
                 }
             }
 
@@ -930,7 +928,7 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId,
Account c
 
             // Delete ssh keypairs
             List<SSHKeyPairVO> sshkeypairs = _sshKeyPairDao.listKeyPairs(accountId,
account.getDomainId());
-            for (SSHKeyPairVO keypair: sshkeypairs) {
+            for (SSHKeyPairVO keypair : sshkeypairs) {
                 _sshKeyPairDao.remove(keypair.getId());
             }
             return true;
@@ -994,9 +992,7 @@ private boolean doDisableAccount(long accountId) throws ConcurrentOperationExcep
                 try {
                     _itMgr.advanceStop(vm.getUuid(), false);
                 } catch (OperationTimedoutException ote) {
-                    s_logger.warn(
-                            "Operation for stopping vm timed out, unable to stop vm "
-                                    + vm.getHostName(), ote);
+                    s_logger.warn("Operation for stopping vm timed out, unable to stop vm
" + vm.getHostName(), ote);
                     success = false;
                 }
             } catch (AgentUnavailableException aue) {
@@ -1009,15 +1005,14 @@ private boolean doDisableAccount(long accountId) throws ConcurrentOperationExcep
     }
 
     @Override
-    @ActionEvents({
-        @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating
Account"),
-        @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating
User")
-    })
+    @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription
= "creating Account"),
+            @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating
User")})
     public UserAccount createUserAccount(final String userName, final String password, final
String firstName, final String lastName, final String email, final String timezone,
-            String accountName, final short accountType, final Long roleId, Long domainId,
final String networkDomain, final Map<String, String> details, String accountUUID, final
String userUUID) {
+            String accountName, final short accountType, final Long roleId, Long domainId,
final String networkDomain, final Map<String, String> details, String accountUUID,
+            final String userUUID) {
 
-        return createUserAccount(userName, password, firstName, lastName, email, timezone,
accountName, accountType, roleId, domainId, networkDomain, details, accountUUID, userUUID,
-                User.Source.UNKNOWN);
+        return createUserAccount(userName, password, firstName, lastName, email, timezone,
accountName, accountType, roleId, domainId, networkDomain, details, accountUUID,
+                userUUID, User.Source.UNKNOWN);
     }
 
     // ///////////////////////////////////////////////////
@@ -1026,13 +1021,11 @@ public UserAccount createUserAccount(final String userName, final
String passwor
 
     @Override
     @DB
-    @ActionEvents({
-        @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating
Account"),
-        @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating
User")
-    })
-    public UserAccount createUserAccount(final String userName, final String password, final
String firstName, final String lastName, final String email,
-        final String timezone, String accountName, final short accountType, final Long roleId,
Long domainId, final String networkDomain, final Map<String, String> details,
-        String accountUUID, final String userUUID, final User.Source source) {
+    @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription
= "creating Account"),
+            @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating
User")})
+    public UserAccount createUserAccount(final String userName, final String password, final
String firstName, final String lastName, final String email, final String timezone,
+            String accountName, final short accountType, final Long roleId, Long domainId,
final String networkDomain, final Map<String, String> details, String accountUUID,
+            final String userUUID, final User.Source source) {
 
         if (accountName == null) {
             accountName = userName;
@@ -1120,8 +1113,8 @@ public UserAccount createUserAccount(final String userName, final String
passwor
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
-    public UserVO createUser(String userName, String password, String firstName, String lastName,
String email, String timeZone, String accountName, Long domainId,
-                             String userUUID, User.Source source) {
+    public UserVO createUser(String userName, String password, String firstName, String lastName,
String email, String timeZone, String accountName, Long domainId, String userUUID,
+            User.Source source) {
         // default domain to ROOT if not specified
         if (domainId == null) {
             domainId = Domain.ROOT_DOMAIN;
@@ -1156,14 +1149,15 @@ public UserVO createUser(String userName, String password, String
firstName, Str
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
     public UserVO createUser(String userName, String password, String firstName, String lastName,
String email, String timeZone, String accountName, Long domainId,
-        String userUUID) {
+            String userUUID) {
 
-        return createUser(userName, password, firstName,lastName, email, timeZone, accountName,
domainId, userUUID, User.Source.UNKNOWN);
+        return createUser(userName, password, firstName, lastName, email, timeZone, accountName,
domainId, userUUID, User.Source.UNKNOWN);
     }
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = "updating User")
-    public UserAccount updateUser(Long userId, String firstName, String lastName, String
email, String userName, String password, String apiKey, String secretKey, String timeZone)
{
+    public UserAccount updateUser(Long userId, String firstName, String lastName, String
email, String userName, String password, String apiKey, String secretKey,
+            String timeZone) {
         // Input validation
         UserVO user = _userDao.getUser(userId);
 
@@ -1298,7 +1292,7 @@ public UserAccount updateUser(UpdateUserCmd cmd) {
         String timeZone = cmd.getTimezone();
         String userName = cmd.getUsername();
 
-       return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey,
timeZone);
+        return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey,
timeZone);
     }
 
     @Override
@@ -1556,8 +1550,7 @@ public AccountVO lockAccount(String accountName, Long domainId, Long
accountId)
         }
 
         if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
-            throw new InvalidParameterValueException("Unable to find active account by accountId:
" + accountId + " OR by name: " + accountName + " in domain " +
-                domainId);
+            throw new InvalidParameterValueException("Unable to find active account by accountId:
" + accountId + " OR by name: " + accountName + " in domain " + domainId);
         }
 
         if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
@@ -1645,8 +1638,8 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) {
                                                                                         //
to
                                                                                         //
update
                                                                                         //
itself
-            throw new InvalidParameterValueException("There already exists an account with
the name:" + newAccountName + " in the domain:" + domainId +
-                " with existing account id:" + duplicateAcccount.getId());
+            throw new InvalidParameterValueException(
+                    "There already exists an account with the name:" + newAccountName + "
in the domain:" + domainId + " with existing account id:" + duplicateAcccount.getId());
         }
 
         if (networkDomain != null && !networkDomain.isEmpty()) {
@@ -1674,9 +1667,9 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) {
             public Boolean doInTransaction(TransactionStatus status) {
                 boolean success = _accountDao.update(accountFinal.getId(), acctForUpdate);
 
-        if (details != null && success) {
+                if (details != null && success) {
                     _accountDetailsDao.update(accountFinal.getId(), details);
-        }
+                }
 
                 return success;
             }
@@ -1919,8 +1912,8 @@ public void markUserRegistered(long userId) {
 
     @Override
     @DB
-    public AccountVO createAccount(final String accountName, final short accountType, final
Long roleId, final Long domainId, final String networkDomain, final Map<String, String>
details,
-        final String uuid) {
+    public AccountVO createAccount(final String accountName, final short accountType, final
Long roleId, final Long domainId, final String networkDomain,
+            final Map<String, String> details, final String uuid) {
         // Validate domain
         Domain domain = _domainMgr.getDomain(domainId);
         if (domain == null) {
@@ -1932,7 +1925,8 @@ public AccountVO createAccount(final String accountName, final short
accountType
         }
 
         if ((domainId != Domain.ROOT_DOMAIN) && (accountType == Account.ACCOUNT_TYPE_ADMIN))
{
-            throw new InvalidParameterValueException("Invalid account type " + accountType
+ " given for an account in domain " + domainId + "; unable to create user of admin role type
in non-ROOT domain.");
+            throw new InvalidParameterValueException(
+                    "Invalid account type " + accountType + " given for an account in domain
" + domainId + "; unable to create user of admin role type in non-ROOT domain.");
         }
 
         // Validate account/user/domain settings
@@ -1964,37 +1958,37 @@ public AccountVO createAccount(final String accountName, final short
accountType
         return Transaction.execute(new TransactionCallback<AccountVO>() {
             @Override
             public AccountVO doInTransaction(TransactionStatus status) {
-        AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId, networkDomain,
accountType, roleId, uuid));
+                AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId,
networkDomain, accountType, roleId, uuid));
 
-        if (account == null) {
-            throw new CloudRuntimeException("Failed to create account name " + accountName
+ " in domain id=" + domainId);
-        }
+                if (account == null) {
+                    throw new CloudRuntimeException("Failed to create account name " + accountName
+ " in domain id=" + domainId);
+                }
 
-        Long accountId = account.getId();
+                Long accountId = account.getId();
 
-        if (details != null) {
-            _accountDetailsDao.persist(accountId, details);
-        }
+                if (details != null) {
+                    _accountDetailsDao.persist(accountId, details);
+                }
 
-        // Create resource count records for the account
-        _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account);
+                // Create resource count records for the account
+                _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account);
 
-        // Create default security group
-        _networkGroupMgr.createDefaultSecurityGroup(accountId);
+                // Create default security group
+                _networkGroupMgr.createDefaultSecurityGroup(accountId);
 
-        return account;
-    }
+                return account;
+            }
         });
     }
 
     protected UserVO createUser(long accountId, String userName, String password, String
firstName, String lastName, String email, String timezone, String userUUID,
-                                User.Source source) {
+            User.Source source) {
         if (s_logger.isDebugEnabled()) {
             s_logger.debug("Creating user: " + userName + ", accountId: " + accountId + "
timezone:" + timezone);
         }
 
         String encodedPassword = null;
-        for (UserAuthenticator  authenticator : _userPasswordEncoders) {
+        for (UserAuthenticator authenticator : _userPasswordEncoders) {
             encodedPassword = authenticator.encode(password);
             if (encodedPassword != null) {
                 break;
@@ -2005,7 +1999,7 @@ protected UserVO createUser(long accountId, String userName, String
password, St
         }
 
         if (userUUID == null) {
-            userUUID =  UUID.randomUUID().toString();
+            userUUID = UUID.randomUUID().toString();
         }
         UserVO user = _userDao.persist(new UserVO(accountId, userName, encodedPassword, firstName,
lastName, email, timezone, userUUID, source));
         CallContext.current().putContextParameter(User.class, user.getUuid());
@@ -2135,8 +2129,8 @@ public UserAccount authenticateUser(String username, String password,
Long domai
                 s_logger.debug("User: " + username + " in domain " + domainId + " has successfully
logged in");
             }
 
-            ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(),
EventTypes.EVENT_USER_LOGIN, "user has logged in from IP Address " +
-                    loginIpAddress);
+            ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(),
EventTypes.EVENT_USER_LOGIN,
+                    "user has logged in from IP Address " + loginIpAddress);
 
             return user;
         } else {
@@ -2155,10 +2149,10 @@ private UserAccount getUserAccount(String username, String password,
Long domain
 
         boolean authenticated = false;
         HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthenticaion = new HashSet<ActionOnFailedAuthentication>();
-        User.Source userSource = userAccount != null ? userAccount.getSource(): User.Source.UNKNOWN;
+        User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN;
         for (UserAuthenticator authenticator : _userAuthenticators) {
-            if(userSource != User.Source.UNKNOWN) {
-                if(!authenticator.getName().equalsIgnoreCase(userSource.name())){
+            if (userSource != User.Source.UNKNOWN) {
+                if (!authenticator.getName().equalsIgnoreCase(userSource.name())) {
                     continue;
                 }
             }
@@ -2182,12 +2176,12 @@ private UserAccount getUserAccount(String username, String password,
Long domain
             }
             userAccount = _userAccountDao.getUserAccount(username, domainId);
 
-            if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString())
||
-                !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString()))
{
+            if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString())
|| !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
                 if (s_logger.isInfoEnabled()) {
                     s_logger.info("User " + username + " in domain " + domainName + " is
disabled/locked (or account is disabled/locked)");
                 }
-                throw new CloudAuthenticationException("User " + username + " (or their account)
in domain " + domainName + " is disabled/locked. Please contact the administrator.");
+                throw new CloudAuthenticationException(
+                        "User " + username + " (or their account) in domain " + domainName
+ " is disabled/locked. Please contact the administrator.");
             }
             // Whenever the user is able to log in successfully, reset the login attempts
to zero
             if (!isInternalAccount(userAccount.getId()))
@@ -2231,17 +2225,17 @@ private UserAccount getUserAccount(String username, String password,
Long domain
     }
 
     @Override
-    public Map<String, String> getKeys(GetUserKeysCmd cmd){
+    public Map<String, String> getKeys(GetUserKeysCmd cmd) {
         final long userId = cmd.getID();
 
         User user = getActiveUser(userId);
-        if(user==null){
+        if (user == null) {
             throw new InvalidParameterValueException("Unable to find user by id");
         }
         final ControlledEntity account = getAccount(getUserAccountById(userId).getAccountId());
//Extracting the Account from the userID of the requested user.
         checkAccess(CallContext.current().getCallingUser(), account);
 
-        Map <String, String> keys = new HashMap<String, String>();
+        Map<String, String> keys = new HashMap<String, String>();
         keys.put("apikey", user.getApiKey());
         keys.put("secretkey", user.getSecretKey());
 
@@ -2277,8 +2271,8 @@ private UserAccount getUserAccount(String username, String password,
Long domain
         Transaction.execute(new TransactionCallbackNoReturn() {
             @Override
             public void doInTransactionWithoutResult(TransactionStatus status) {
-        keys[0] = createUserApiKey(userId);
-        keys[1] = createUserSecretKey(userId);
+                keys[0] = createUserApiKey(userId);
+                keys[1] = createUserSecretKey(userId);
             }
         });
 
@@ -2359,18 +2353,16 @@ private String createUserSecretKey(long userId) {
         return null;
     }
 
-
-
     @Override
-    public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb,
-            Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria
listProjectResourcesCriteria) {
+    public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb,
Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
 
         if (sb.entity() instanceof IPAddressVO) {
-            sb.and("accountIdIN", ((IPAddressVO) sb.entity()).getAllocatedToAccountId(),
SearchCriteria.Op.IN);
-            sb.and("domainId", ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
+            sb.and("accountIdIN", ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
+            sb.and("domainId", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
         } else if (sb.entity() instanceof ProjectInvitationVO) {
-            sb.and("accountIdIN", ((ProjectInvitationVO) sb.entity()).getForAccountId(),
SearchCriteria.Op.IN);
-            sb.and("domainId", ((ProjectInvitationVO) sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
+            sb.and("accountIdIN", ((ProjectInvitationVO)sb.entity()).getForAccountId(), SearchCriteria.Op.IN);
+            sb.and("domainId", ((ProjectInvitationVO)sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
         } else {
             sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
             sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
@@ -2382,9 +2374,9 @@ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity>
sb,
             domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
 
             if (sb.entity() instanceof IPAddressVO) {
-                sb.join("domainSearch", domainSearch, ((IPAddressVO) sb.entity()).getAllocatedInDomainId(),
domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+                sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(),
domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else if (sb.entity() instanceof ProjectInvitationVO) {
-                sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) sb.entity()).getInDomainId(),
domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+                sb.join("domainSearch", domainSearch, ((ProjectInvitationVO)sb.entity()).getInDomainId(),
domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else {
                 sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(),
JoinBuilder.JoinType.INNER);
             }
@@ -2399,9 +2391,9 @@ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity>
sb,
             }
 
             if (sb.entity() instanceof IPAddressVO) {
-                sb.join("accountSearch", accountSearch, ((IPAddressVO) sb.entity()).getAllocatedToAccountId(),
accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+                sb.join("accountSearch", accountSearch, ((IPAddressVO)sb.entity()).getAllocatedToAccountId(),
accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else if (sb.entity() instanceof ProjectInvitationVO) {
-                sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) sb.entity()).getForAccountId(),
accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+                sb.join("accountSearch", accountSearch, ((ProjectInvitationVO)sb.entity()).getForAccountId(),
accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             } else {
                 sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(),
JoinBuilder.JoinType.INNER);
             }
@@ -2409,8 +2401,8 @@ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity>
sb,
     }
 
     @Override
-    public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
-            Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria
listProjectResourcesCriteria) {
+    public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
 
         if (listProjectResourcesCriteria != null) {
             sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT);
@@ -2472,6 +2464,11 @@ public void buildACLSearchParameters(Account caller, Long id, String
accountName
                 if (projectId.longValue() == -1) {
                     if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                         permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
+
+                        //permittedAccounts can be empty when the caller is not a part of
any project (a domain account)
+                        if (permittedAccounts.isEmpty()) {
+                            permittedAccounts.add(caller.getId());
+                        }
                     } else {
                         domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
                     }
@@ -2516,10 +2513,9 @@ public void buildACLSearchParameters(Account caller, Long id, String
accountName
 
     }
 
-
     @Override
-    public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity>
sb, Long domainId,
-            boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria
listProjectResourcesCriteria) {
+    public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity>
sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
 
         sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
         sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
@@ -2540,10 +2536,9 @@ public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEnti
 
     }
 
-
     @Override
-    public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity>
sc,
-            Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria
listProjectResourcesCriteria) {
+    public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity>
sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
         if (listProjectResourcesCriteria != null) {
             sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
         }
@@ -2561,13 +2556,11 @@ public void buildACLViewSearchCriteria(SearchCriteria<? extends
ControlledViewEn
 
     }
 
-
     @Override
     public UserAccount getUserByApiKey(String apiKey) {
         return _userAccountDao.getUserByApiKey(apiKey);
     }
 
-
     @Override
     public List<String> listAclGroupsByAccount(Long accountId) {
         if (_querySelectors == null || _querySelectors.size() == 0)
@@ -2594,8 +2587,8 @@ public Long finalyzeAccountId(final String accountName, final Long domainId,
fin
                 if (!enabledOnly || account.getState() == Account.State.enabled) {
                     return account.getId();
                 } else {
-                    throw new PermissionDeniedException("Can't add resources to the account
id=" + account.getId() + " in state=" + account.getState() +
-                            " as it's no longer active");
+                    throw new PermissionDeniedException(
+                            "Can't add resources to the account id=" + account.getId() +
" in state=" + account.getState() + " as it's no longer active");
                 }
             } else {
                 // idList is not used anywhere, so removed it now
@@ -2611,9 +2604,8 @@ public Long finalyzeAccountId(final String accountName, final Long domainId,
fin
                 if (!enabledOnly || project.getState() == Project.State.Active) {
                     return project.getProjectAccountId();
                 } else {
-                    final PermissionDeniedException ex =
-                            new PermissionDeniedException("Can't add resources to the project
with specified projectId in state=" + project.getState() +
-                                    " as it's no longer active");
+                    final PermissionDeniedException ex = new PermissionDeniedException(
+                            "Can't add resources to the project with specified projectId
in state=" + project.getState() + " as it's no longer active");
                     ex.addProxyObject(project.getUuid(), "projectId");
                     throw ex;
                 }
@@ -2630,8 +2622,7 @@ public UserAccount getUserAccountById(Long userId) {
     }
 
     @Override
-    public void checkAccess(Account account, ServiceOffering so)
-            throws PermissionDeniedException {
+    public void checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException
{
         for (SecurityChecker checker : _securityCheckers) {
             if (checker.checkAccess(account, so)) {
                 if (s_logger.isDebugEnabled()) {
@@ -2646,8 +2637,7 @@ public void checkAccess(Account account, ServiceOffering so)
     }
 
     @Override
-    public void checkAccess(Account account, DiskOffering dof)
-            throws PermissionDeniedException {
+    public void checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException
{
         for (SecurityChecker checker : _securityCheckers) {
             if (checker.checkAccess(account, dof)) {
                 if (s_logger.isDebugEnabled()) {
@@ -2662,11 +2652,10 @@ public void checkAccess(Account account, DiskOffering dof)
     }
 
     @Override
-    public void checkAccess(User user, ControlledEntity entity)
-        throws PermissionDeniedException {
-        for(SecurityChecker checker : _securityCheckers){
-            if(checker.checkAccess(user,entity)){
-                if(s_logger.isDebugEnabled()){
+    public void checkAccess(User user, ControlledEntity entity) throws PermissionDeniedException
{
+        for (SecurityChecker checker : _securityCheckers) {
+            if (checker.checkAccess(user, entity)) {
+                if (s_logger.isDebugEnabled()) {
                     s_logger.debug("Access granted to " + user + "to " + entity + "by " +
checker.getName());
                 }
                 return;
@@ -2682,6 +2671,6 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[]{UseSecretKeyInResponse};
+        return new ConfigKey<?>[] {UseSecretKeyInResponse};
     }
 }


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

Mime
View raw message