Skip to content

vpc,network: fix createLoadBalancer access on user network #6591

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yadvr merged 2 commits into from
Aug 9, 2022
Merged

vpc,network: fix createLoadBalancer access on user network #6591

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b7094ff
vpc,network: fix createLoadBalancer access on user network
shwstppr Jul 30, 2022
3934b85
add some tests
shwstppr Aug 5, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions server/src/main/java/com/cloud/network/NetworkModelImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1659,7 +1659,7 @@ public void checkCapabilityForProvider(Set<Provider> providers, Service service,
}

@Override
public void checkNetworkPermissions(Account owner, Network network) {
public void checkNetworkPermissions(Account caller, Network network) {
Copy link
Copy Markdown
Member

@yadvr yadvr Aug 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we explore if a unit test is written

Copy link
Copy Markdown
Contributor Author

@shwstppr shwstppr Aug 5, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added some unit tests

// dahn 20140310: I was thinking of making this an assert but
// as we hardly ever test with asserts I think
// we better make sure at runtime.
Expand All @@ -1672,25 +1672,25 @@ public void checkNetworkPermissions(Account owner, Network network) {
if (networkOwner == null)
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
", network does not have an owner");
if (owner.getType() != Account.Type.PROJECT && networkOwner.getType() == Account.Type.PROJECT) {
checkProjectNetworkPermissions(owner, networkOwner, network);
if (!Account.Type.PROJECT.equals(caller.getType()) && Account.Type.PROJECT.equals(networkOwner.getType())) {
checkProjectNetworkPermissions(caller, networkOwner, network);
} else {
List<NetworkVO> networkMap = _networksDao.listBy(owner.getId(), network.getId());
NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), owner.getId());
List<NetworkVO> networkMap = _networksDao.listBy(caller.getId(), network.getId());
NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId());
if (CollectionUtils.isEmpty(networkMap) && networkPermission == null) {
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
", permission denied");
}
}

} else {
if (!isNetworkAvailableInDomain(network.getId(), owner.getDomainId())) {
DomainVO ownerDomain = _domainDao.findById(owner.getDomainId());
if (ownerDomain == null) {
throw new CloudRuntimeException("cannot check permission on account " + owner.getAccountName() + " whose domain does not exist");
if (!isNetworkAvailableInDomain(network.getId(), caller.getDomainId())) {
DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
if (callerDomain == null) {
throw new CloudRuntimeException("cannot check permission on account " + caller.getAccountName() + " whose domain does not exist");
}
throw new PermissionDeniedException("Shared network id=" + ((NetworkVO)network).getUuid() + " is not available in domain id=" +
ownerDomain.getUuid());
callerDomain.getUuid());
}
}
}
Expand Down
2 changes: 1 addition & 1 deletion ...er/src/main/java/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ public ApplicationLoadBalancerRule createApplicationLoadBalancer(String name, St
}

Account caller = CallContext.current().getCallingAccount();
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, guestNtwk);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, false, guestNtwk);

Network sourceIpNtwk = _networkModel.getNetwork(sourceIpNetworkId);
if (sourceIpNtwk == null) {
Expand Down
169 changes: 155 additions & 14 deletions server/src/test/java/com/cloud/network/NetworkModelTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,34 +31,49 @@
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.apache.cloudstack.network.NetworkPermissionVO;
import org.apache.cloudstack.network.dao.NetworkPermissionDao;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.mockito.Spy;

import com.cloud.dc.DataCenter;
import com.cloud.dc.DataCenterVO;
import com.cloud.dc.VlanVO;
import com.cloud.dc.dao.DataCenterDao;
import com.cloud.dc.dao.VlanDao;
import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.network.Network.Provider;
import com.cloud.network.dao.IPAddressDao;
import com.cloud.network.dao.IPAddressVO;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.dao.NetworkDomainDao;
import com.cloud.network.dao.NetworkDomainVO;
import com.cloud.network.dao.NetworkVO;
import com.cloud.network.dao.PhysicalNetworkDao;
import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
import com.cloud.network.dao.PhysicalNetworkServiceProviderVO;
import com.cloud.network.dao.PhysicalNetworkVO;
import junit.framework.Assert;

import org.junit.Before;
import org.junit.Test;

import com.cloud.dc.VlanVO;
import com.cloud.dc.dao.VlanDao;
import com.cloud.network.dao.IPAddressDao;
import com.cloud.network.dao.IPAddressVO;
import com.cloud.projects.dao.ProjectDao;
import com.cloud.user.Account;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
import com.cloud.user.dao.AccountDao;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.exception.CloudRuntimeException;
import com.cloud.utils.net.Ip;
import com.cloud.network.Network.Provider;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.mockito.Spy;

import junit.framework.Assert;

public class NetworkModelTest {

Expand All @@ -85,6 +100,20 @@ public class NetworkModelTest {
private PhysicalNetworkVO physicalNetworkZone2;
@Mock
private PhysicalNetworkServiceProviderVO providerVO;
@Mock
private AccountDao accountDao;
@Mock
private NetworkDao networkDao;
@Mock
private NetworkPermissionDao networkPermissionDao;
@Mock
private NetworkDomainDao networkDomainDao;
@Mock
private DomainManager domainManager;
@Mock
private DomainDao domainDao;
@Mock
private ProjectDao projectDao;

private static final long ZONE_1_ID = 1L;
private static final long ZONE_2_ID = 2L;
Expand Down Expand Up @@ -263,4 +292,116 @@ public void checkIp6ParametersTestNullStartAndEndIpv6() {
networkModel.checkIp6Parameters(null, null, IPV6_GATEWAY,IPV6_CIDR);
}

@Test
public void testCheckNetworkPermissions() {
long accountId = 1L;
AccountVO caller = mock(AccountVO.class);
when(caller.getId()).thenReturn(accountId);
when(caller.getType()).thenReturn(Account.Type.NORMAL);
NetworkVO network = mock(NetworkVO.class);
when(network.getGuestType()).thenReturn(Network.GuestType.Isolated);
when(network.getAccountId()).thenReturn(accountId);
when(accountDao.findById(accountId)).thenReturn(caller);
when(networkDao.listBy(caller.getId(), network.getId())).thenReturn(List.of(network));
when(networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId())).thenReturn(mock(NetworkPermissionVO.class));
networkModel.checkNetworkPermissions(caller, network);
}

@Test(expected = CloudRuntimeException.class)
public void testCheckNetworkPermissionsNullNetwork() {
AccountVO caller = mock(AccountVO.class);
NetworkVO network = null;
networkModel.checkNetworkPermissions(caller, network);
}

@Test(expected = PermissionDeniedException.class)
public void testCheckNetworkPermissionsNoOwner() {
long accountId = 1L;
AccountVO caller = mock(AccountVO.class);
when(caller.getId()).thenReturn(accountId);
when(caller.getType()).thenReturn(Account.Type.NORMAL);
NetworkVO network = mock(NetworkVO.class);
when(network.getGuestType()).thenReturn(Network.GuestType.Isolated);
when(network.getAccountId()).thenReturn(accountId);
when(accountDao.findById(accountId)).thenReturn(null);
networkModel.checkNetworkPermissions(caller, network);
}

@Test(expected = PermissionDeniedException.class)
public void testCheckNetworkPermissionsNoPermission() {
long accountId = 1L;
AccountVO caller = mock(AccountVO.class);
when(caller.getId()).thenReturn(accountId);
when(caller.getType()).thenReturn(Account.Type.NORMAL);
NetworkVO network = mock(NetworkVO.class);
when(network.getGuestType()).thenReturn(Network.GuestType.Isolated);
when(network.getAccountId()).thenReturn(accountId);
when(accountDao.findById(accountId)).thenReturn(caller);
when(networkDao.listBy(caller.getId(), network.getId())).thenReturn(null);
when(networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId())).thenReturn(null);
networkModel.checkNetworkPermissions(caller, network);
}

@Test
public void testCheckNetworkPermissionsSharedNetwork() {
long id = 1L;
long subDomainId = 2L;
AccountVO caller = mock(AccountVO.class);
when(caller.getId()).thenReturn(id);
when(caller.getDomainId()).thenReturn(id);
when(caller.getType()).thenReturn(Account.Type.NORMAL);
NetworkVO network = mock(NetworkVO.class);
when(network.getGuestType()).thenReturn(Network.GuestType.Shared);
when(network.getId()).thenReturn(id);
when(networkDao.findById(network.getId())).thenReturn(network);
NetworkDomainVO networkDomainVO = mock(NetworkDomainVO.class);
when(networkDomainVO.getDomainId()).thenReturn(id);
when(networkDomainDao.getDomainNetworkMapByNetworkId(id)).thenReturn(networkDomainVO);
networkModel.checkNetworkPermissions(caller, network);
when(caller.getDomainId()).thenReturn(subDomainId);
networkDomainVO.subdomainAccess = Boolean.TRUE;
when(domainManager.getDomainParentIds(subDomainId)).thenReturn(Set.of(id));
networkModel.checkNetworkPermissions(caller, network);
}

@Test(expected = PermissionDeniedException.class)
public void testCheckNetworkPermissionsSharedNetworkNoSubDomainAccess() {
long id = 1L;
long subDomainId = 2L;
AccountVO caller = mock(AccountVO.class);
when(caller.getId()).thenReturn(id);
when(caller.getDomainId()).thenReturn(subDomainId);
when(caller.getType()).thenReturn(Account.Type.NORMAL);
NetworkVO network = mock(NetworkVO.class);
when(network.getGuestType()).thenReturn(Network.GuestType.Shared);
when(network.getId()).thenReturn(id);
when(networkDao.findById(network.getId())).thenReturn(network);
when(domainDao.findById(caller.getDomainId())).thenReturn(mock(DomainVO.class));
NetworkDomainVO networkDomainVO = mock(NetworkDomainVO.class);
when(networkDomainVO.getDomainId()).thenReturn(id);
networkDomainVO.subdomainAccess = Boolean.FALSE;
when(networkDomainDao.getDomainNetworkMapByNetworkId(id)).thenReturn(networkDomainVO);
networkModel.checkNetworkPermissions(caller, network);
}

@Test(expected = PermissionDeniedException.class)
public void testCheckNetworkPermissionsSharedNetworkNotSubDomain() {
long id = 1L;
long subDomainId = 2L;
AccountVO caller = mock(AccountVO.class);
when(caller.getId()).thenReturn(id);
when(caller.getDomainId()).thenReturn(subDomainId);
when(caller.getType()).thenReturn(Account.Type.NORMAL);
NetworkVO network = mock(NetworkVO.class);
when(network.getGuestType()).thenReturn(Network.GuestType.Shared);
when(network.getId()).thenReturn(id);
when(networkDao.findById(network.getId())).thenReturn(network);
when(domainDao.findById(caller.getDomainId())).thenReturn(mock(DomainVO.class));
NetworkDomainVO networkDomainVO = mock(NetworkDomainVO.class);
when(networkDomainVO.getDomainId()).thenReturn(id);
networkDomainVO.subdomainAccess = Boolean.TRUE;
when(networkDomainDao.getDomainNetworkMapByNetworkId(id)).thenReturn(networkDomainVO);
when(domainManager.getDomainParentIds(subDomainId)).thenReturn(Set.of(0L));
networkModel.checkNetworkPermissions(caller, network);
}
}