[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16449800#comment-16449800
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
---------------------------------------------
rhtyd closed pull request #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/api/src/main/java/com/cloud/exception/UnavailableCommandException.java
b/api/src/main/java/com/cloud/exception/UnavailableCommandException.java
new file mode 100644
index 00000000000..d5b7faa8f36
--- /dev/null
+++ b/api/src/main/java/com/cloud/exception/UnavailableCommandException.java
@@ -0,0 +1,36 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.exception;
+
+import com.cloud.utils.SerialVersionUID;
+
+public class UnavailableCommandException extends PermissionDeniedException {
+
+ private static final long serialVersionUID =
SerialVersionUID.UnavailableCommandException;
+
+ protected UnavailableCommandException() {
+ super();
+ }
+
+ public UnavailableCommandException(String msg) {
+ super(msg);
+ }
+
+ public UnavailableCommandException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
+}
diff --git
a/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
b/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
index 3dfdb01b2e5..d10c191151f 100644
---
a/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
+++
b/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
@@ -25,6 +25,7 @@
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import com.cloud.exception.UnavailableCommandException;
import org.apache.cloudstack.api.APICommand;
import com.cloud.exception.PermissionDeniedException;
@@ -53,8 +54,7 @@ protected DynamicRoleBasedAPIAccessChecker() {
}
private void denyApiAccess(final String commandName) throws
PermissionDeniedException {
- throw new PermissionDeniedException("The API does not exist or is
blacklisted for the account's role. " +
- "The account with is not allowed to request the api: " +
commandName);
+ throw new PermissionDeniedException("The API " + commandName + " is
blacklisted for the account's role.");
}
public boolean isDisabled() {
@@ -99,8 +99,7 @@ public boolean checkAccess(User user, String commandName)
throws PermissionDenie
}
// Default deny all
- denyApiAccess(commandName);
- return false;
+ throw new UnavailableCommandException("The API " + commandName + "
does not exist or is not available for this account.");
}
public void addApiToRoleBasedAnnotationsMap(final RoleType roleType, final
String commandName) {
diff --git
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index f3dc3a3b8d7..4a33a0876c3 100644
---
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -25,6 +25,7 @@
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import com.cloud.exception.UnavailableCommandException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand;
@@ -45,6 +46,7 @@
protected static final Logger LOGGER =
Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
private Set<String> commandPropertyFiles = new HashSet<String>();
+ private Set<String> commandNames = new HashSet<String>();
private Set<String> commandsPropertiesOverrides = new HashSet<String>();
private Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap =
new HashMap<RoleType, Set<String>>();
private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new
HashMap<RoleType, Set<String>>();
@@ -87,7 +89,11 @@ public boolean checkAccess(User user, String commandName)
throws PermissionDenie
return true;
}
- throw new PermissionDeniedException("The API does not exist or is
blacklisted. Role type=" + roleType.toString() + " is not allowed to request
the api: " + commandName);
+ if (commandNames.contains(commandName)) {
+ throw new PermissionDeniedException("The API is blacklisted. Role
type=" + roleType.toString() + " is not allowed to request the api: " +
commandName);
+ } else {
+ throw new UnavailableCommandException("The API " + commandName + "
does not exist or is not available for this account.");
+ }
}
@Override
@@ -110,6 +116,9 @@ public boolean start() {
if (!commands.contains(command.name()))
commands.add(command.name());
}
+ if (!commandNames.contains(command.name())) {
+ commandNames.add(command.name());
+ }
}
}
return super.start();
@@ -119,6 +128,9 @@ private void processMapping(Map<String, String> configMap) {
for (Map.Entry<String, String> entry : configMap.entrySet()) {
String apiName = entry.getKey();
String roleMask = entry.getValue();
+ if (!commandNames.contains(apiName)) {
+ commandNames.add(apiName);
+ }
commandsPropertiesOverrides.add(apiName);
try {
short cmdPermissions = Short.parseShort(roleMask);
diff --git a/server/src/com/cloud/api/ApiServer.java
b/server/src/com/cloud/api/ApiServer.java
index 6411fe07367..a97984a2be2 100644
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -34,6 +34,7 @@
import com.cloud.exception.RequestLimitException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.exception.UnavailableCommandException;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.DomainManager;
@@ -958,6 +959,9 @@ private boolean commandAvailable(final InetAddress
remoteAddress, final String c
} catch (final RequestLimitException ex) {
s_logger.debug(ex.getMessage());
throw new ServerApiException(ApiErrorCode.API_LIMIT_EXCEED,
ex.getMessage());
+ } catch (final UnavailableCommandException ex) {
+ s_logger.debug(ex.getMessage());
+ throw new
ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, ex.getMessage());
} catch (final PermissionDeniedException ex) {
final String errorMessage = "The given command '" + commandName +
"' either does not exist, is not available" +
" for user, or not available from ip address '" +
remoteAddress + "'.";
diff --git a/utils/src/main/java/com/cloud/utils/SerialVersionUID.java
b/utils/src/main/java/com/cloud/utils/SerialVersionUID.java
index 4dd5add28dd..413ca1a417f 100644
--- a/utils/src/main/java/com/cloud/utils/SerialVersionUID.java
+++ b/utils/src/main/java/com/cloud/utils/SerialVersionUID.java
@@ -68,4 +68,5 @@
public static final long NioConnectionException = Base | 0x2c;
public static final long TaskExecutionException = Base | 0x2d;
public static final long SnapshotBackupException = Base | 0x2e;
+ public static final long UnavailableCommandException = Base | 0x2f;
}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -------------------------------------------------------------
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
> Affects Versions: 4.11.0.0
> Reporter: Olivier Lemasle
> Assignee: Olivier Lemasle
> Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":9999,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
