[GitHub] [cloudstack] sureshanaparti commented on a change in pull request #5879: Role escalation prevention

Fri, 04 Feb 2022 05:08:04 -0800 


sureshanaparti commented on a change in pull request #5879:
URL: https://github.com/apache/cloudstack/pull/5879#discussion_r799449368



##########
File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
##########
@@ -1110,6 +1183,75 @@ public UserAccount createUserAccount(final String 
userName, final String passwor
         return _userAccountDao.findById(userId);
     }
 
+    /**
+     * if there is any permission under the requested role that is not 
permitted for the caller, refuse
+     */
+    private void checkRoleEscalation(Account caller, Account requested) {
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug(String.format("checking if user of account %s [%s] 
with role-id [%d] can create an account of type %s [%s] with role-id [%d]",
+                    caller.getAccountName(),
+                    caller.getUuid(),
+                    caller.getRoleId(),
+                    requested.getAccountName(),
+                    requested.getUuid(),
+                    requested.getRoleId()));
+        }
+        List<APIChecker> apiCheckers = getEnabledApiCheckers();
+        for (String command : apiNameList) {
+            try {
+                checkApiAccess(apiCheckers, requested, command);
+            } catch (PermissionDeniedException pde) {
+                if (s_logger.isTraceEnabled()) {
+                    s_logger.trace(String.format("checking for permission to 
\"%s\" is irrelevant as it is not requested for %s [%s]",
+                            command,
+                            pde.getAccount().getAccountName(),
+                            pde.getAccount().getUuid(),
+                            pde.getEntitiesInViolation()
+                            ));
+                }
+                continue;
+            }
+            // so requested can, now make sure caller can as well
+            try {
+                if (s_logger.isTraceEnabled()) {
+                    s_logger.trace(String.format("permission to \"%s\" is 
requested",
+                            command));
+                }
+                checkApiAccess(apiCheckers, caller, command);
+            } catch (PermissionDeniedException pde) {
+                String msg = String.format("user of account %s/%s (%s) can not 
create an account with access to %s",

Review comment:
       @DaanHoogland Update the message as appropriate (do not include any API 
name which the user doesn't have access to)




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to