bug 6755: adding checks for commands before they hit the ms; to ensure they are valid. Also returning the right error msg if the command is not valid

status 6755: resolved fixed

server/src/com/cloud/api/ApiServer.java

@@ -31,6 +31,7 @@ import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
+import java.security.InvalidParameterException;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -87,6 +88,7 @@ import com.cloud.domain.Domain;
 import com.cloud.domain.DomainVO;
 import com.cloud.event.EventUtils;
 import com.cloud.exception.CloudAuthenticationException;
+import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.maid.StackMaid;
 import com.cloud.server.ManagementServer;
 import com.cloud.user.Account;
@@ -125,6 +127,7 @@ public class ApiServer implements HttpRequestHandler {
     private static List<String> s_resellerCommands = null; // AKA domain-admin
     private static List<String> s_adminCommands = null;
     private static List<String> s_readOnlyAdminCommands = null;
+    private static List<String> s_allCommands = null;
     
     private static ExecutorService _executor = new ThreadPoolExecutor(10, 150, 60, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>(), new NamedThreadFactory("ApiServer"));
 
@@ -133,6 +136,7 @@ public class ApiServer implements HttpRequestHandler {
         s_resellerCommands = new ArrayList<String>();
         s_adminCommands = new ArrayList<String>();
         s_readOnlyAdminCommands = new ArrayList<String>();
+        s_allCommands = new ArrayList<String>();
     }
 
     private ApiServer() { }
@@ -182,6 +186,11 @@ public class ApiServer implements HttpRequestHandler {
                         }
                     }
                 }
+                
+                s_allCommands.addAll(s_adminCommands);
+                s_allCommands.addAll(s_readOnlyAdminCommands);
+                s_allCommands.addAll(s_userCommands);
+                s_allCommands.addAll(s_resellerCommands);
             }
         } catch (FileNotFoundException fnfex) {
             s_logger.error("Unable to find properites file", fnfex);
@@ -441,8 +450,13 @@ public class ApiServer implements HttpRequestHandler {
         }
         */
     }
+	   private static boolean isCommandAvailable(String commandName) {
+	       boolean isCommandAvailable = false;
+           isCommandAvailable = s_allCommands.contains(commandName);
+	       return isCommandAvailable;
+	   }
     
-    public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userId) {
+    public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userId) throws InvalidParameterException {
         try {
             String apiKey = null;
             String secretKey = null;
@@ -467,8 +481,16 @@ public class ApiServer implements HttpRequestHandler {
             		return false;
             	}
             	return true;
+            }else{
+            	//check against every available command to see if the command exists or not
+            	if(!isCommandAvailable(commandName)){
+            		s_logger.warn("The given command:"+commandName+" does not exist");
+            		throw new InvalidParameterException("The given command:"+commandName+" does not exist");
             	}
             	
+            }
+            
+
             // - build a request string with sorted params, make sure it's all lowercase
             // - sign the request, verify the signature is the same
             List<String> parameterNames = new ArrayList<String>();
@@ -552,6 +574,9 @@ public class ApiServer implements HttpRequestHandler {
             }
             return equalSig;
         } catch (Exception ex) {
+        	if(ex instanceof InvalidParameterException){
+        		throw new InvalidParameterException(ex.getMessage());
+        	}
             s_logger.error("unable to verifty request signature", ex);
         }
         return false;

server/src/com/cloud/api/ApiServlet.java

@@ -20,6 +20,7 @@ package com.cloud.api;
 
 import java.io.IOException;
 import java.io.OutputStream;
+import java.security.InvalidParameterException;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Map;
@@ -32,6 +33,7 @@ import javax.servlet.http.HttpSession;
 import org.apache.log4j.Logger;
 
 import com.cloud.exception.CloudAuthenticationException;
+import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.maid.StackMaid;
 import com.cloud.user.Account;
 import com.cloud.user.UserContext;
@@ -266,6 +268,14 @@ public class ApiServlet extends HttpServlet {
                 s_logger.trace("exception processing request: " + ioex);
             }
             auditTrailSb.append(" exception processing request" );
+        }catch (InvalidParameterException ipe){
+            auditTrailSb.append(" " + HttpServletResponse.SC_NOT_FOUND +  " " + ipe.getMessage());
+            try {
+				resp.sendError(HttpServletResponse.SC_NOT_FOUND, ipe.getMessage());
+			} catch (IOException e) {
+				s_logger.error("Unable to send back error response for invalid command");
+				auditTrailSb.append(" " + HttpServletResponse.SC_NOT_FOUND +  " " + "Unable to send back error response for "+ipe.getMessage());
+			}        	
         }catch (Exception ex) {
             s_logger.error("unknown exception writing api response", ex);
             auditTrailSb.append(" unknown exception writing api response");