Role escalation prevention #5879
Changes from all commits
cca1f3a
fb37d92
7cab7b8
777d6bf
b3e9b14
4f744e4
9ccc476
d7b6c27
eb78064
7ee5114
91bf7b1
|
|
@@ -58,9 +58,13 @@ private void denyApiAccess(final String commandName) throws PermissionDeniedExce | |
| throw new PermissionDeniedException("The API " + commandName + " is denied for the user's/account's project role."); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean isEnabled() { | ||
| return roleService.isEnabled(); | ||
| } | ||
|
|
||
| public boolean isDisabled() { | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not an issue but an improvement request - can we leave only one of these methods?
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. both are used, so no ;) |
||
| return !roleService.isEnabled(); | ||
| return !isEnabled(); | ||
| } | ||
|
|
||
| @Override | ||
|
|
@@ -103,6 +107,11 @@ public boolean checkAccess(User user, String apiCommandName) throws PermissionDe | |
| throw new UnavailableCommandException("The API " + apiCommandName + " does not exist or is not available for this account/user in project "+project.getUuid()); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean checkAccess(Account account, String apiCommandName) throws PermissionDeniedException { | ||
| return true; | ||
|
sureshanaparti marked this conversation as resolved.
|
||
| } | ||
|
|
||
| private boolean isPermitted(Project project, ProjectAccount projectUser, String apiCommandName) { | ||
| ProjectRole projectRole = null; | ||
| if(projectUser.getProjectRoleId() != null) { | ||
|
|
||
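Review bot: The new `checkAccess(Account account, String apiCommandName)` override in the second hunk returns `true` unconditionally and carries no comment, so a reader cannot tell a deliberate pass-through from an unfinished stub. The denial logic in this class is keyed on a project role (see `isPermitted(Project, ProjectAccount, String)`, which starts just below the hunk and continues outside it), so the account-level entry point presumably has no project context to evaluate; that reasoning should be stated on the method, e.g. `// Project-role checks need a user/project context; an Account alone carries none, so this checker imposes no restriction on the account-level API listing.` Without such a comment the method reads as a gap in project-role enforcement rather than an intentional no-op.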
|
|
@@ -27,6 +27,7 @@ | |
|
|
||
| import javax.inject.Inject; | ||
|
|
||
| import com.cloud.user.Account; | ||
| import org.apache.cloudstack.acl.APIChecker; | ||
| import org.apache.cloudstack.api.APICommand; | ||
| import org.apache.cloudstack.api.BaseAsyncCmd; | ||
|
|
@@ -210,6 +211,24 @@ private ApiDiscoveryResponse getCmdRequestMap(Class<?> cmdClass, APICommand apiC | |
| return response; | ||
| } | ||
|
|
||
| @Override | ||
| public List<String> listApiNames(Account account) { | ||
| List<String> apiNames = new ArrayList<>(); | ||
| for (String apiName : s_apiNameDiscoveryResponseMap.keySet()) { | ||
| boolean isAllowed = true; | ||
| for (APIChecker apiChecker : _apiAccessCheckers) { | ||
| try { | ||
| apiChecker.checkAccess(account, apiName); | ||
| } catch (Exception ex) { | ||
| isAllowed = false; | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we won't need this variable - after the checkAccess method we can add the element to the list and on the catch block we can log the exception describing the error. Then the next if won't be needed either
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. no, multiple access checkers can be called and any one may deny. |
||
| } | ||
| } | ||
| if (isAllowed) | ||
| apiNames.add(apiName); | ||
| } | ||
| return apiNames; | ||
| } | ||
|
|
||
| @Override | ||
| public ListResponse<? extends BaseResponse> listApis(User user, String name) { | ||
| ListResponse<ApiDiscoveryResponse> response = new ListResponse<ApiDiscoveryResponse>(); | ||
|
|
||
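Review bot: In `listApiNames(Account)` the inner loop keeps calling the remaining checkers after one has already thrown, even though `isAllowed` can never become true again; add `break;` directly after `isAllowed = false;` so a denial is final and later checkers are not consulted for nothing. The `catch (Exception ex)` also turns any failure, not only a `PermissionDeniedException`, into a denial — a fail-closed choice that is right for an authorization filter but easy to turn into fail-open by a later narrowing of the catch, so pin it with a comment such as `// fail closed: any checker failure hides the API from the listing`. The unbraced `if (isAllowed)` on the following line should be braced like the surrounding code, and the override lacks Javadoc stating that it returns only the API names that every registered checker permits for the given account.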