From daadc45122b9ee6010f7cbe79d3b960b04a0efba Mon Sep 17 00:00:00 2001 From: Min Chen Date: Fri, 9 May 2014 18:24:54 -0700 Subject: [PATCH] CLOUDSTACK-6628:[Automation] Create PF rulw API failing with error "database id can only provided by VO objects". --- .../command/user/firewall/CreatePortForwardingRuleCmd.java | 7 ++++++- server/src/com/cloud/network/rules/RulesManagerImpl.java | 5 +++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java index f18767e1da6..91146ac32f4 100644 --- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java @@ -19,8 +19,11 @@ package org.apache.cloudstack.api.command.user.firewall; import java.util.List; import org.apache.log4j.Logger; +import org.bouncycastle.util.IPAddress; import org.apache.cloudstack.acl.RoleType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -48,7 +51,7 @@ import com.cloud.utils.net.NetUtils; import com.cloud.vm.VirtualMachine; @APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class, - VirtualMachine.class}, + VirtualMachine.class, IPAddress.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule { public static final Logger s_logger = Logger.getLogger(CreatePortForwardingRuleCmd.class.getName()); @@ -59,6 +62,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P // ////////////// API parameters ///////////////////// // /////////////////////////////////////////////////// + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, @@ -96,6 +100,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P description = "the ending port of port forwarding rule's private port range") private Integer publicEndPort; + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java index 5d56451fd41..a0d6cd6510b 100755 --- a/server/src/com/cloud/network/rules/RulesManagerImpl.java +++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java @@ -195,6 +195,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId()); } + // This same owner check is actually not needed, since multiple entities OperateEntry trick guarantee that if (rule.getAccountId() != userVm.getAccountId()) { throw new InvalidParameterValueException("New rule " + rule + " and vm id=" + userVm.getId() + " belong to different accounts"); } @@ -267,8 +268,8 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules if (vm == null) { throw new InvalidParameterValueException("Unable to create port forwarding rule on address " + ipAddress + ", invalid virtual machine id specified (" + vmId + ")."); - } else { - checkRuleAndUserVm(rule, vm, caller); + } else if (vm.getState() == VirtualMachine.State.Destroyed || vm.getState() == VirtualMachine.State.Expunging) { + throw new InvalidParameterValueException("Invalid user vm: " + vm.getId()); } // Verify that vm has nic in the network