20bcb4b673
CLOUDSTACK-7063, CLOUDSTACK-7064: Add security headers on HTTP response
...
- Adds X-XSS-Protection header
- Adds X-Content-Type-Options header
- Fixes to use json content type defined from global settings
- Uses secure cookie if enabled in global settings
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit b6b3494782
2015-02-28 18:14:49 +05:30
b2393c31ed
move ConstantTimeComparator to utils
2015-01-14 12:14:00 +01:00
9b4e39e837
Use constant-time comparison functions when checking signatures
...
This limits the likeliness of timing attacks against the API.
See http://codahale.com/a-lesson-in-timing-attacks/ for the
full rationale.
Conflicts:
server/src/com/cloud/api/ApiServer.java
server/src/com/cloud/user/AccountManagerImpl.java
2015-01-14 11:32:29 +01:00
21a6bef53b
CLOUDSTACK-7989: Ignore Auth API calls in unauthenticated HTTP handlers
...
If an auth API call (such as login, logout) is called on unauthenticated port
such as the 8096 integration server port, we need to ignore such API calls
as calling auth APIs on 8096 is un-necessary and is undefined.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2014-11-28 15:43:29 +05:30
7ff31f1b22
Merge remote-tracking branch 'origin/inetaddress'
...
- Tested locally against unit tests
- TravisCI build passed: https://travis-ci.org/apache/cloudstack/builds/41990351
- Manual QA passed for basic auth and saml auth using default IDP settings
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Conflicts:
server/src/com/cloud/api/ApiServlet.java
2014-11-25 14:32:09 +05:30
3577423da9
removed executable flags from java classes
...
Signed-off-by: Laszlo Hornyak <laszlo.hornyak@gmail.com>
2014-11-23 19:49:01 +01:00
4bd49df3f5
Use InetAddress for passing Remote Address instead of String
2014-11-21 12:10:35 +01:00
ef6ec7b276
Fixed few coverity issues like invalid boxing unboxing issues, resource leaks, null dereferences
2014-11-13 17:26:24 +05:30
50a3c0b2e3
CLOUDSTACK-7886: cloudstackoperations like deployvm,deleteNW are failing if CS fail to contact rabbit mq server. This is happening in case of Async API calls.
...
Signed-off-by: Koushik Das <koushik@apache.org>
2014-11-12 10:12:15 +05:30
4f43839dae
CLOUDSTACK-7797: listSupportedNetworkServices API takes more than 1 second to
...
complete, slow compared to previous 4.3 release.
2014-10-27 16:27:17 -07:00
bfa36c0280
CID-1233090, CID-1233089: Synchronize on session object in ApiServer
...
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2014-09-18 11:26:20 +02:00
37d696db80
ApiServer: Fix imports order, use org.apache.cloudstack.api.ApiServerService
...
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2014-08-28 19:45:23 +02:00
1a3813a342
ApiServer: change loginUser method signature to return ResponseObject
...
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2014-08-28 19:45:20 +02:00
384acffff4
ApiServer: take UTF_8 and other static vars from HttpUtils
...
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2014-08-12 12:01:32 +02:00
97d296bfbd
Fixed Coverity reported performance issues like inefficient string concatenations, wrong boxing or unboxing types, inefficent map element retrievals
...
Signed-off-by: Daan Hoogland <daan@onecht.net>
2014-07-01 22:06:25 +02:00
60f4203cbc
Protect event interpretion from causing NPE exception
2014-06-20 10:16:04 -07:00
c2a0fb4e52
CLOUDSTACK-6895: 1. Populate firstclass entities as uuids in the context instead of dbids for performance.
...
2. Add ctxDetails in the ParamGenericValidationWorker to avoid warning for api validation
3. Add some missing events.
4. Correcting mapping for ResourceObjectType.NetworkACL and ResourceObjectType.NetworkACLItem
(cherry picked from commit 8a9092c3cd
2014-06-11 15:24:56 -07:00
20a31b43d6
CLOUDSTACK-6784: Expose data types via API so consumers of API can validate data
2014-05-27 15:23:23 -06:00
96055058b0
CLOUDSTACK-6785: changed async job param injectedjobid to customjobid and check for unique/uuid
2014-05-27 15:23:12 -06:00
2a5bf65c78
CLOUDSTACK-6785: Allow async jobs to supply an injectedjobid
2014-05-27 15:23:02 -06:00
0f79223f28
CLOUDSTACK-6613:IAM: authorizeSecurityGroupIngress fails when SG Name is
...
passed.
2014-05-08 23:19:28 -07:00
521ac796dd
Move EventBus hookup on job framework to ApiServer to decouple job framework away from business logic related hookups. The decoupling is done through internal messaging facility provided inside management server.
2014-05-06 15:48:22 -07:00
dd55095fd5
CLOUDSTACK-6530: Populate the first class entities in the context to be available for publishing more information for the event bus, checking the displayable property etc.
...
(cherry picked from commit 3e7ea4e8d9
2014-04-28 18:21:48 -07:00
c6d2549939
StringBuffer replaced with StringBuilder in ApiServerService
...
Signed-off-by: Laszlo Hornyak <laszlo.hornyak@gmail.com>
2014-03-24 21:04:06 +01:00
2c4ac5e4d3
removed some redundant Boolean isntantiations
...
Signed-off-by: Laszlo Hornyak <laszlo.hornyak@gmail.com>
2014-03-22 18:34:45 +01:00
99bdc8d875
Merge branch 'master' into rbac.
2014-03-13 11:05:03 -07:00
33a0dec965
CLOUDSTACK-6221:
...
Publish first class objects involved in an operation (for now vm uuid) on the event bus . Example - during attach/detachIso along with iso id, vm id should be available as well.
2014-03-10 16:22:34 -07:00
ded7e682dc
CLOUDSTACK-5478: Enable publishing uuid for all the async apis in the CallContext.
...
The advantage would be that event publishing can pick up the uuid and publish them.
2014-03-07 16:50:21 -08:00
7b0c5cfcbe
Removed unused methods from BaseCmd class. Moved some helper methods to AccountManagerImpl class
2014-03-07 11:33:10 -08:00
c211f0bbbe
Dispatcher corrections, refactoring and tests
...
Corrects problems from previous attempt. Fixes based on help comments from
the community and conflict resolution
Signed-off-by: Daan Hoogland <daan@onecht.net>
2014-03-07 19:12:07 +01:00
48e08fe676
Merge branch 'master' into rbac.
2014-03-06 14:02:20 -08:00
830328b63d
CLOUDSTACK-6199: Hide action events for Vm/Volume commands when the resources have display flag=0.
...
Introduce generic BaseAsync(Vm/Volume)Cmd to make get the flag value for logging action events.
Rename the db field as display rather than display_event in keeping with the convention
2014-03-05 16:40:44 -08:00
793becf524
CLOUDSTACK-5920: Add some interface methods and constants required by
...
IAM.
2014-03-05 09:40:55 -08:00
339c4f4c3f
CLOUDSTACK-6199: Action Events - hide them when display flag is off in the context of "Ability to have better control over first class objects in CS" feature.
...
For root admin - s/he should be able to see all the events despite the value of the flag.
2014-03-04 14:59:30 -08:00
537bf7ced1
add job path to help associate an API job to related internal job. Reviewed-By: Self
2014-02-28 15:35:59 -08:00
e431538b0a
findbugs possible nullpointer mitigated
2014-02-26 11:56:49 +01:00
b0c6d47347
- Updated APICommand annotation to add new flags that indicate if API request or response carry sensitive info - Updated all API classes with the new annotation flag values as per the API's sensitivity - Updated server code to check response annotation before audit logging
...
Signed-off-by: Daan Hoogland <daan@onecht.net>
(cherry picked from commit df270d6387c362b960064ee5123c14782e767a19)
Signed-off-by: Daan Hoogland <daan@onecht.net>
2014-02-25 22:59:10 +01:00
782c530685
Revert "CLOUDSTACK-6003 fixing plus refactoring dispatcher" as it breaks API dispatching for commands having Map<String,String> as a parameter type
...
This reverts commit 447430c3df
2014-02-06 14:46:58 -08:00
f84375442e
Merge branch 'master' into rbac
...
Conflicts:
api/src/org/apache/cloudstack/api/command/user/autoscale/ListAutoScaleVmProfilesCmd.java
api/src/org/apache/cloudstack/api/command/user/volume/ResizeVolumeCmd.java
plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
server/src/com/cloud/api/ApiServer.java
server/src/com/cloud/api/query/QueryManagerImpl.java
server/src/com/cloud/template/TemplateAdapterBase.java
setup/db/db/schema-430to440.sql
tools/apidoc/gen_toc.py
2014-02-04 12:07:32 -08:00
447430c3df
CLOUDSTACK-6003 fixing plus refactoring dispatcher
...
Signed-off-by: Daan Hoogland <daan@onecht.net>
(cherry picked from commit a9bcc1ea3b7dfd3fcc5c795b0095c77851ebe618)
Signed-off-by: Daan Hoogland <daan@onecht.net>
2014-02-04 13:37:08 +01:00
a71871d11c
findbugs: fixes for ApiServer, ApiSerializerHelper and
...
ApiXmlDocWriter(cherry picked from commit
9aced41d70
2014-01-28 14:47:06 +01:00
33cd1ab921
Merge branch 'master' into rbac
2014-01-22 11:23:51 -08:00
3689f72f27
CLOUDSTACK-5913:API rate limiting throws a different error than expected
...
when Throttle limit hit in the API.
2014-01-20 15:49:19 -08:00
929fbabaa2
Merge branch 'master' into rbac.
2014-01-17 14:37:08 -08:00
16d36dd75f
Fix checkstyle
2014-01-14 14:04:57 +05:30
e5512960af
CLOUDSTACK-5865. Unable to use login API if domainId parameter is id and not uuid
2014-01-14 13:47:27 +05:30
43f0f901dd
Remove VO and DAO from cloud-engine-schema.
2014-01-10 15:57:39 -08:00
e5b4a1d869
Moved the loading of commands.properties to the IAM plugin
2014-01-02 18:39:18 -08:00
ce774e184e
Fixing the management server startup
2013-12-18 14:14:55 -08:00
3f092d14cc
Adding the AclEntityType attribute to APICommand annotation
2013-12-13 16:04:25 -08:00
Rohit Yadav
Pierre-Yves Ritschard
Laszlo Hornyak
Wido den Hollander
Santhosh Edukulla
Damodar
Min Chen
Kelven Yang
Nitin Mehta
Marcus Sorensen
Alena Prokharchyk
Antonio Fornie
Daan Hoogland
Mandar Barve
Prachi Damle
Daan Hoogland
Likitha Shetty