DaanHoogland commented on a change in pull request #5879:
URL: https://github.com/apache/cloudstack/pull/5879#discussion_r799479664
##########
File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
##########
@@ -1110,6 +1183,75 @@ public UserAccount createUserAccount(final String
userName, final String passwor
return _userAccountDao.findById(userId);
}
+ /**
+ * if there is any permission under the requested role that is not
permitted for the caller, refuse
+ */
+ private void checkRoleEscalation(Account caller, Account requested) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug(String.format("checking if user of account %s [%s]
with role-id [%d] can create an account of type %s [%s] with role-id [%d]",
+ caller.getAccountName(),
+ caller.getUuid(),
+ caller.getRoleId(),
+ requested.getAccountName(),
+ requested.getUuid(),
+ requested.getRoleId()));
+ }
+ List<APIChecker> apiCheckers = getEnabledApiCheckers();
+ for (String command : apiNameList) {
+ try {
+ checkApiAccess(apiCheckers, requested, command);
+ } catch (PermissionDeniedException pde) {
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace(String.format("checking for permission to
\"%s\" is irrelevant as it is not requested for %s [%s]",
+ command,
+ pde.getAccount().getAccountName(),
+ pde.getAccount().getUuid(),
+ pde.getEntitiesInViolation()
+ ));
+ }
+ continue;
+ }
+ // so requested can, now make sure caller can as well
+ try {
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace(String.format("permission to \"%s\" is
requested",
+ command));
+ }
+ checkApiAccess(apiCheckers, caller, command);
+ } catch (PermissionDeniedException pde) {
+ String msg = String.format("user of account %s/%s (%s) can not
create an account with access to %s",
+ caller.getAccountName(),
+ caller.getDomainId(),
+ caller.getUuid(),
+ command);
+ s_logger.warn(msg);
+ throw new PermissionDeniedException(msg,pde);
+ }
+ }
+ }
+
+ private void checkApiAccess(List<APIChecker> apiCheckers, Account caller,
String command) {
+ for (final APIChecker apiChecker : apiCheckers) {
+ apiChecker.checkAccess(caller, command);
+ }
+ }
+
+ @NotNull
+ private List<APIChecker> getEnabledApiCheckers() {
+ // we are really only interested in the dynamic access checker
+ List<APIChecker> usableApiCheckera = new ArrayList<>();
Review comment:
yes
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
