api: avoid sending sensitive data in api response

- UI: use post when updating user
- S3: don't send s3 key in the response
- VPN: don't send preshared key in remoteaccessvpn api response
- Snapshot response should set zone id not volume's device id

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

api/src/org/apache/cloudstack/api/response/RemoteAccessVpnResponse.java

@@ -41,10 +41,6 @@ public class RemoteAccessVpnResponse extends BaseResponse implements ControlledE
     @Param(description = "the range of ips to allocate to the clients")
     private String ipRange;
 
-    @SerializedName("presharedkey")
-    @Param(description = "the ipsec preshared key")
-    private String presharedKey;
-
     @SerializedName(ApiConstants.ACCOUNT)
     @Param(description = "the account of the remote access vpn")
     private String accountName;
@@ -85,10 +81,6 @@ public class RemoteAccessVpnResponse extends BaseResponse implements ControlledE
         this.ipRange = ipRange;
     }
 
-    public void setPresharedKey(String presharedKey) {
-        this.presharedKey = presharedKey;
-    }
-
     @Override
     public void setAccountName(String accountName) {
         this.accountName = accountName;

server/src/com/cloud/api/ApiResponseHelper.java

@@ -452,7 +452,7 @@ public class ApiResponseHelper implements ResponseGenerator {
             snapshotResponse.setVolumeId(volume.getUuid());
             snapshotResponse.setVolumeName(volume.getName());
             snapshotResponse.setVolumeType(volume.getVolumeType().name());
-            DataCenter zone = ApiDBUtils.findZoneById(volume.getDeviceId());
+            DataCenter zone = ApiDBUtils.findZoneById(volume.getDataCenterId());
             if (zone != null) {
                 snapshotResponse.setZoneId(zone.getUuid());
             }
@@ -1300,7 +1300,6 @@ public class ApiResponseHelper implements ResponseGenerator {
             vpnResponse.setPublicIp(ip.getAddress().addr());
         }
         vpnResponse.setIpRange(vpn.getIpRange());
-        vpnResponse.setPresharedKey(vpn.getIpsecPresharedKey());
         populateOwner(vpnResponse, vpn);
         vpnResponse.setState(vpn.getState().toString());
         vpnResponse.setId(vpn.getUuid());

server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java

@@ -84,7 +84,8 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long
         if ( detailName != null && detailName.length() > 0 && !detailName.equals(ApiConstants.PASSWORD)) {
             String detailValue = ids.getDetailValue();
             if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
-                detailValue = DBEncryptionUtil.decrypt(detailValue);
+                // ALWAYS return an empty value for the S3 secret key since that key is managed by Amazon and not CloudStack
+                detailValue = "";
             }
             ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
             osResponse.addDetail(osdResponse);
@@ -99,7 +100,8 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long
         if ( detailName != null && detailName.length() > 0 && !detailName.equals(ApiConstants.PASSWORD)) {
             String detailValue = ids.getDetailValue();
             if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
-                detailValue = DBEncryptionUtil.decrypt(detailValue);
+                // ALWAYS return an empty value for the S3 secret key since that key is managed by Amazon and not CloudStack
+                detailValue = "";
             }
             ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
             response.addDetail(osdResponse);

ui/scripts/installWizard.js

@@ -37,6 +37,7 @@
                     id: cloudStack.context.users[0].userid,
                     password: md5Hashed ? $.md5(args.data.password) : args.data.password
                 },
+                type: 'POST',
                 dataType: 'json',
                 async: true,
                 success: function(data) {