apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity
38,112 Commits 304 Branches 324 Tags
Commit Graph

417 Commits

Author SHA1 Message Date
Rohit Yadav
b7415bf127 saml: Safer DocumentBuilderFactory and ParserPool configuration 
This implements safer DocumentBuilderFactory and ParserPool utilities
to be used throughout the codebase to prevent potential XXE exploits.

References:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 8e0e68ef368ebe2793ef80e2c3821eaecb47b593)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
 2022-07-14 16:58:08 +05:30
Rohit Yadav
e57a0f9980 Merge remote-tracking branch 'origin/4.17' 2022-07-06 09:34:02 +05:30
Luis Moreira
c6b611433b
saml: Fix SAML SSO plugin redirect URL (#6457) 
This PR fixes the issue #6427 -> SAML request must be appended to an IdP URL as a query param with an ampersand, if the URL already contains a question mark, as opposed to always assume that IdP URLs don't have any query params.
Google's IdP URL for instance looks like this: https://accounts.google.com/o/saml2/idp?idpid=<ID>, therefore the expected redirect URL would be https://accounts.google.com/o/saml2/idp?idpid=<ID>&SAMLRequest=<SAMLRequest>

This code change is backwards compatible with the current behaviour.
 2022-07-06 09:28:37 +05:30
Daan Hoogland
a470f3353a Merge branch '4.17' 2022-07-05 09:11:45 +02:00
John Bampton
7d23a0a759
Fix spelling (#6272) 2022-07-05 09:08:53 +02:00
nvazquez
0bcc609f05
Updating pom.xml version numbers for release 4.18.0.0-SNAPSHOT 
Signed-off-by: nvazquez <nicovazquez90@gmail.com>
 2022-06-06 12:25:35 -03:00
nvazquez
038a669d6b
Updating pom.xml version numbers for release 4.17.1.0-SNAPSHOT 
Signed-off-by: nvazquez <nicovazquez90@gmail.com>
 2022-06-06 12:19:44 -03:00
nvazquez
c56220fcf2
Updating pom.xml version numbers for release 4.17.0.0 
Signed-off-by: nvazquez <nicovazquez90@gmail.com>
 2022-05-31 14:33:47 -03:00
dahn
c123c3fd2f
remove request listener to prevent untimely session invalidation (#6393) 
* login/-out constants

* no request listener

* store session as value, using id as key

* Apply suggestions from sonarcloud.io code review

three instances of unsafe parameters to logging

* new sonar issues

* sonar issues
 2022-05-24 10:00:06 -03:00
Marcus Sorensen
3dcb93d981
maven: Move apache DS dependencies to test scope (#6347) 
Fixes: #6346

Move LDAP embedded server dependencies to test scope so they aren't packaged in final management server jar.

Co-authored-by: Marcus Sorensen <mls@apple.com>
 2022-05-04 11:49:29 +05:30
Abhishek Kumar
523805c8bc
schema,server,api: events improvement (#5997) 
* schema,server,api: events improvement

Add resource ID and resource type to event.

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* wip

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* refactor resourcetype association with API class

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* add resource anme to the response

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* changes

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* test

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* more tests

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* new line

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* add resource test

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* changes

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* fix

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* smoke test for events resource

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* fix

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* changes

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* fix

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* ui improvements

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* refactor

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* api,ui: add support for listing events for a resource

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* since key

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* tests and permission changes

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* missing test

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* events for domain

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* improvements

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* fix

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* add missing license

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* ui: fix js console errors

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* sort enumeration

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* fix event resource for vpc

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* feedback changes

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* fix order

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* events with parent resource

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* missing UI labels

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* donot call cmd resource methods before dispatch

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* add restore vm to procedure

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* add missing imports

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* resource details for more events

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* add test for changes

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* more test, license fix

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* wrong merge fix

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* fix for more event types

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
 2022-04-25 09:05:17 -03:00
Leo
70122007bb
Updated SAML2 auth sessionkey cookie path (#6149) 
This change will set the sessionkey under the /client/api path. This commit should prevent duplicate sessionkey cookies from being set on both /client (incorrect) and /client/api (correct). Prior to this commit, the /client version was being set while the /client/api version remained unchanged with an invalid sessionkey. As a result, subsequent requests after the SAML2 authentication would immediately fail with an invalid session and results in the user being logged out.

The sessionkey is now set explicitly for the /client/api path which should fix this issue, regardless of the SSO URL and path that's being used.
 2022-04-18 17:16:20 +05:30
nvazquez
1c238e101d
Merge branch '4.16' 2022-03-30 00:00:34 -03:00
Wei Zhou
ee27708ffb
SAML: replace first number with random alphabet if request ID starts with a number (#6165) 2022-03-29 23:59:44 -03:00
JoaoJandre
5f07ddaca9
Refactor account type (#6048) 
* Refactor account type

* Added license.

* Address reviews

* Address review.

Co-authored-by: João Paraquetti <joao@scclouds.com.br>
Co-authored-by: Joao <JoaoJandre@gitlab.com>
 2022-03-09 11:14:19 -03:00
Suresh Kumar Anaparti
bc70535ee5
Updating pom.xml version numbers for release 4.16.2.0-SNAPSHOT 
Signed-off-by: Suresh Kumar Anaparti <suresh.anaparti@shapeblue.com>
 2022-03-03 18:15:33 +05:30
Suresh Kumar Anaparti
cad9332082
Updating pom.xml version numbers for release 4.16.1.0 
Signed-off-by: Suresh Kumar Anaparti <suresh.anaparti@shapeblue.com>
 2022-02-25 19:01:16 +05:30
Suresh Kumar Anaparti
208ae84dd7
Merge branch '4.16' into main 2022-02-08 19:01:34 +05:30
Rohit Yadav
da56a2a806
maven: migrate short-term to reload4j v1.2.18 (#5878) 
* maven: migrate short-term to reload4j v1.2.18

This migrate to log4j 1.x fork, reload4j 1.2.18.0 which is drop-in
replacement and addresses some immediate CVE and issues.

* log4j migration to reload4j in pom xmls

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

* Exclude log4j from transitive dependencies (#73)

Co-authored-by: Marcus Sorensen <shadowsor@gmail.com>
Co-authored-by: Marcus Sorensen <mls@apple.com>
 2022-02-08 15:00:38 +05:30
Suresh Kumar Anaparti
30ae9eedad
Merge branch '4.16' into main 2022-01-05 10:14:47 +05:30
dahn
e06a66ba14
ldap: truststore per domain (#5816) 
Co-authored-by: Daan Hoogland <dahn@onecht.net>
 2022-01-03 21:01:51 +05:30
Daniel Augusto Veronezi Salvador
b4aabadc4d
Replace string libraries with org.apache.commons.lang3.StringUtils (#5386) 
* Replace google lib for lang3 and adjust methods calls

* Replace string libs by lang3

* Prohibit others string libs

Co-authored-by: GutoVeronezi <daniel@scclouds.com.br>
 2021-11-18 13:41:48 +05:30
nicolas
3f79436840
Updating pom.xml version numbers for release 4.17.0.0-SNAPSHOT 
Signed-off-by: nicolas <nicovazquez90@gmail.com>
 2021-11-09 22:55:52 -03:00
nicolas
93c3c3b9ac
Updating pom.xml version numbers for release 4.16.1.0-SNAPSHOT 
Signed-off-by: nicolas <nicovazquez90@gmail.com>
 2021-11-09 22:50:22 -03:00
nicolas
44c08b5acc
Updating pom.xml version numbers for release 4.16.0.0 
Signed-off-by: nicolas <nicovazquez90@gmail.com>
 2021-11-04 14:14:57 -03:00
Rohit Yadav
a1a3aff2b5 Merge remote-tracking branch 'origin/4.15' into main 2021-08-31 14:29:30 +05:30
Rafael
14323c9db5
updated maven dependency due to #5363 (#5366) 
Co-authored-by: Rafael del Valle <rvalle@privaz.io>
 2021-08-31 12:39:18 +05:30
Rohit Yadav
d916e416ec Updating pom.xml version numbers for release 4.15.2.0-SNAPSHOT 
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
 2021-07-02 22:59:07 +05:30
Rohit Yadav
379454caae Updating pom.xml version numbers for release 4.15.1.0 
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
 2021-06-28 15:27:27 +05:30
Abhishek Kumar
cce736709e Merge remote-tracking branch 'apache/4.15' 2021-04-12 11:43:57 +05:30
Nicolas Vazquez
e47dc9c25e
ldap: Fix orphan entry on ldap trust map after account removal (#4899) 
Fixes: #4673

Fix orphan entry on ldap trust map after account removal
 2021-04-10 13:26:50 +05:30
Rohit Yadav
b482da8c91 Updating pom.xml version numbers for release 4.15.1.0-SNAPSHOT 
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
 2021-01-11 13:58:30 +05:30
Daan Hoogland
280c13a4bb Updating pom.xml version numbers for release 4.15.0.0 
Signed-off-by: Daan Hoogland <dahn@onecht.net>
 2021-01-05 15:51:02 +00:00
Daan Hoogland
81e9e6809b Updating pom.xml version numbers for release 4.15.1.0-SNAPSHOT 
Signed-off-by: Daan Hoogland <dahn@onecht.net>
 2021-01-04 11:34:46 +00:00
Daan Hoogland
e26202f23e Updating pom.xml version numbers for release 4.16.0.0-SNAPSHOT 
Signed-off-by: Daan Hoogland <dahn@onecht.net>
 2021-01-04 11:32:10 +00:00
Daan Hoogland
01b3e361c7 Updating pom.xml version numbers for release 4.15.0.0 
Signed-off-by: Daan Hoogland <dahn@onecht.net>
 2020-12-23 16:32:25 +00:00
Pearl Dsilva
fb78fb24c7
fix login issue post upgrade (#4465) 
Co-authored-by: Pearl Dsilva <pearl.dsilva@shapeblue.com>
 2020-11-12 13:09:25 +00:00
Rohit Yadav
dfc76e0278 Merge remote-tracking branch 'origin/4.14' 2020-07-08 11:37:14 +05:30
Rohit Yadav
ba767783bd Merge remote-tracking branch 'origin/4.13' into 4.14 2020-07-08 11:36:30 +05:30
Rohit Yadav
139aa13e6a
server: Purge all cookies on logout, set /client path on login (#4176) 
This will purge all the cookies on logout including multiple sessionkey
cookies if passed. On login, this will restrict sessionkey cookie
(httponly) to the / path.

Fixes #4136

Co-authored-by: Pearl Dsilva <pearl.dsilva@shapeblue.com>
 2020-07-08 08:03:51 +05:30
Rohit Yadav
cbbb4016af Merge remote-tracking branch 'origin/4.14' 2020-06-24 19:26:44 +05:30
Rohit Yadav
9642392a0a Merge remote-tracking branch 'origin/4.13' into 4.14 
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
 2020-06-24 19:25:30 +05:30
davidjumani
c03f8a1acb
server: Adding listall to listLdapConfigurations (#4164) 
Adds the listall parameter to listLdapConfigurations.
If set to true, and no domainid specified, list all LDAP configurations irrespective of the linked domain
 2020-06-24 19:15:57 +05:30
Gabriel Beims Bräscher
6e47c49fbf
server: Fix String.format arguments (#3980) 
Simple log fix. I have found out a few log messages that hold unused/misused arguments on their respective String.format building.
 2020-06-12 10:28:04 +05:30
andrijapanicsb
5f926c3353 Updating pom.xml version numbers for release 4.15.0.0-SNAPSHOT 
Signed-off-by: andrijapanicsb <andrija.panic@shapeblue.com>
 2020-05-23 10:18:39 +01:00
andrijapanicsb
05e9b11694 Updating pom.xml version numbers for release 4.14.1.0-SNAPSHOT 
Signed-off-by: andrijapanicsb <andrija.panic@shapeblue.com>
 2020-05-23 09:59:32 +01:00
andrijapanicsb
6f96b3b2b3 Updating pom.xml version numbers for release 4.14.0.0 
Signed-off-by: andrijapanicsb <andrija.panic@shapeblue.com>
 2020-05-11 15:03:14 +01:00
andrijapanicsb
398e685e01 Updating pom.xml version numbers for release 4.13.2.0-SNAPSHOT 
Signed-off-by: andrijapanicsb <andrija.panic@shapeblue.com>
 2020-04-29 12:29:12 +01:00
andrijapanicsb
b2ffa3efa5 Updating pom.xml version numbers for release 4.13.1.0 
Signed-off-by: andrijapanicsb <andrija.panic@shapeblue.com>
 2020-04-23 19:17:09 +01:00
Rohit Yadav
2cb34de741
maven: update dependencies (#3928) 
Updates few maven dependencies

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
 2020-03-05 12:27:30 +05:30