bug 9858: added missing security checks to listAsyncJobs command

status 9858: resolved fixed
alena 2011-05-21 14:57:37 -07:00
parent cd99334d4f
commit 2e5e12df54
2 changed files with 51 additions and 27 deletions


@ -366,8 +366,8 @@ public class ApiServer implements HttpRequestHandler {
private String queueCommand(BaseCmd cmdObj, Map<String, String> params) {
UserContext ctx = UserContext.current();
Long userId = ctx.getCallerUserId();
Account account = ctx.getCaller();
Long callerUserId = ctx.getCallerUserId();
Account caller = ctx.getCaller();
if (cmdObj instanceof BaseAsyncCmd) {
Long objectId = null;
if (cmdObj instanceof BaseAsyncCreateCmd) {
@ -381,18 +381,18 @@ public class ApiServer implements HttpRequestHandler {
BaseAsyncCmd asyncCmd = (BaseAsyncCmd)cmdObj;
if (userId != null) {
params.put("ctxUserId", userId.toString());
if (callerUserId != null) {
params.put("ctxUserId", callerUserId.toString());
}
if (account != null) {
params.put("ctxAccountId", String.valueOf(account.getId()));
if (caller != null) {
params.put("ctxAccountId", String.valueOf(caller.getId()));
}
long startEventId = ctx.getStartEventId();
asyncCmd.setStartEventId(startEventId);
// save the scheduled event
Long eventId = EventUtils.saveScheduledEvent((userId == null) ? User.UID_SYSTEM : userId, asyncCmd.getEntityOwnerId(),
Long eventId = EventUtils.saveScheduledEvent((callerUserId == null) ? User.UID_SYSTEM : callerUserId, asyncCmd.getEntityOwnerId(),
asyncCmd.getEventType(), asyncCmd.getEventDescription(), startEventId);
if(startEventId == 0){
//There was no create event before, set current event id as start eventId
@ -407,8 +407,8 @@ public class ApiServer implements HttpRequestHandler {
AsyncJobVO job = new AsyncJobVO();
job.setInstanceId((objectId == null) ? asyncCmd.getInstanceId() : objectId);
job.setInstanceType(asyncCmd.getInstanceType());
job.setUserId(userId);
job.setAccountId(asyncCmd.getEntityOwnerId());
job.setUserId(callerUserId);
job.setAccountId(caller.getId());
job.setCmd(cmdObj.getClass().getName());
job.setCmdInfo(ApiGsonHelper.getBuilder().create().toJson(params));
@ -431,7 +431,7 @@ public class ApiServer implements HttpRequestHandler {
// if the command is of the listXXXCommand, we will need to also return the
// the job id and status if possible
if (cmdObj instanceof BaseListCmd) {
buildAsyncListResponse((BaseListCmd)cmdObj, account);
buildAsyncListResponse((BaseListCmd)cmdObj, caller);
}
return ApiResponseSerializer.toSerializedString((ResponseObject)cmdObj.getResponseObject(), cmdObj.getResponseType());
}
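Review bot: `job.setAccountId(caller.getId())` in the third hunk dereferences `caller` unconditionally, although the second hunk still guards it with `if (caller != null)` before writing `ctxAccountId`; a context without a caller would therefore throw a NullPointerException here, after `EventUtils.saveScheduledEvent` has already run. Because the job's account id now appears to be the ownership value that listAsyncJobs filters on, the no-caller case deserves an explicit decision made before the event is saved, for example `if (caller == null) { throw new IllegalStateException("async job queued without a caller account"); }`. The same unguarded dereference shows up in ManagementServerImpl, where the old `account == null` branch was dropped and `isAdmin(caller.getType())` is called directly; dropping the null-means-admin path is the right direction, but it should end in a clear permission error rather than an NPE. Parts of queueCommand between the hunks are not shown, so an earlier guard may already exist and is worth confirming.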


@ -3916,8 +3916,8 @@ public class ManagementServerImpl implements ManagementServer {
Object accountId = null;
Long domainId = cmd.getDomainId();
Account account = UserContext.current().getCaller();
if ((account == null) || isAdmin(account.getType())) {
Account caller = UserContext.current().getCaller();
if (isAdmin(caller.getType())) {
String accountName = cmd.getAccountName();
if ((accountName != null) && (domainId != null)) {
@ -3928,36 +3928,60 @@ public class ManagementServerImpl implements ManagementServer {
throw new InvalidParameterValueException("Failed to list async jobs for account " + accountName + " in domain " + domainId + "; account not found.");
}
} else if (domainId != null) {
if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), domainId)) {
if (!_domainDao.isChildDomain(caller.getDomainId(), domainId)) {
throw new PermissionDeniedException("Failed to list async jobs for domain " + domainId + "; permission denied.");
}
// we can do a domain match for the admin case
SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
SearchBuilder<AccountVO> accountSearch = _accountDao.createSearchBuilder();
accountSearch.join("domainSearch", domainSearch, accountSearch.entity().getDomainId(), domainSearch.entity().getId(), JoinType.INNER);
sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinType.INNER);
}
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN && domainId == null) {
domainId = caller.getDomainId();
}
} else {
accountId = account.getId();
accountId = caller.getId();
}
// we should do domain based search for domain admin
if (domainId != null) {
sb.and("accountsIn", sb.entity().getAccountId(), SearchCriteria.Op.IN);
}
Object keyword = cmd.getKeyword();
Object startDate = cmd.getStartDate();
SearchCriteria<AsyncJobVO> sc = _jobDao.createSearchCriteria();
SearchCriteria<AsyncJobVO> sc = sb.create();
if (keyword != null) {
sc.addAnd("cmd", SearchCriteria.Op.LIKE, "%" + keyword + "%");
}
if (accountId != null) {
sc.addAnd("accountId", SearchCriteria.Op.EQ, accountId);
} else if (domainId != null) {
}
if (domainId != null) {
SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
SearchBuilder<AccountVO> accountSearch = _accountDao.createSearchBuilder();
accountSearch.join("domainSearch", domainSearch, accountSearch.entity().getDomainId(), domainSearch.entity().getId(), JoinType.INNER);
SearchCriteria<AccountVO> accountSc = accountSearch.create();
DomainVO domain = _domainDao.findById(domainId);
sc.setJoinParameters("domainSearch", "path", domain.getPath() + "%");
accountSc.setJoinParameters("domainSearch", "path", domain.getPath() + "%");
List<AccountVO> allowedAccounts = _accountDao.search(accountSc, null);
if (!allowedAccounts.isEmpty()) {
Long[] accountIds = new Long[allowedAccounts.size()];
for (int i = 0; i < allowedAccounts.size(); i++) {
AccountVO allowedAccount = allowedAccounts.get(i);
accountIds[i] = allowedAccount.getId();
}
sc.setParameters("accountsIn", (Object[])accountIds);
}
}
if (startDate != null) {