dahn
dffbc87278
escapes for injection protection ( #7069 )
2023-01-10 11:54:51 +01:00
Eduardo Zanetta
a9b49f3ae9
Cleanup APIs getCommandName ( #7022 )
Co-authored-by: Eduardo Zanetta <eduardo.zanetta@scclouds.com.br>
2023-01-03 12:11:52 +01:00
Rohit Yadav
458883575a
Updating pom.xml version numbers for release 4.17.3.0-SNAPSHOT
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-12-16 15:25:16 +00:00
Rohit Yadav
5b9a989ab0
Updating pom.xml version numbers for release 4.17.2.0
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-12-14 05:22:52 +00:00
John Bampton
def7ce655d
Fix spelling ( #6898 )
Co-authored-by: davidjumani <dj.davidjumani1994@gmail.com>
2022-12-13 14:58:14 +01:00
John Bampton
e65c22d883
Fix spelling ( #6860 )
2022-11-13 10:56:15 +01:00
Abhishek Kumar
d724a9d15c
Updating pom.xml version numbers for release 4.17.2.0-SNAPSHOT
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
2022-09-19 16:21:35 +05:30
Abhishek Kumar
350ef38e1c
Updating pom.xml version numbers for release 4.17.1.0
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
2022-09-14 12:58:03 +05:30
John Bampton
f9347ecf2c
Fix spelling ( #6597 )
2022-08-03 15:43:47 +05:30
Rohit Yadav
5f04018bf0
Merge remote-tracking branch 'origin/4.17'
2022-07-27 12:41:31 +02:00
Rohit Yadav
441edf3ca7
utils: use safer parsing utility across codebase ( #6562 )
This addresses SonarQube/SonarCloud quality checks to use a safer XML
parser to resist potential XXE attacks.
https://sonarcloud.io/organizations/apache/rules?open=java%3AS2755&rule_key=java%3AS2755
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-07-27 14:31:51 +05:30
Harikrishna
d4460a8afc
Scope setting changes in ldap and utils pom.xml files ( #6557 )
2022-07-20 13:42:44 +05:30
Rohit Yadav
4baaf736b9
Merge remote-tracking branch 'origin/4.17'
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-07-18 19:42:44 +05:30
Rohit Yadav
7a3e97d67e
Tagging release 4.17.0.1 on branch b30a4a99d1b530efbf652373eda229f2cd5133b1.
-----BEGIN PGP SIGNATURE-----
=ETOD
-----END PGP SIGNATURE-----
Merge tag '4.17.0.1' into 4.17
Tagging release 4.17.0.1 on branch b30a4a99d1b530efbf652373eda229f2cd5133b1.
2022-07-18 19:40:53 +05:30
Rohit Yadav
4ed1be821c
Tagging release 4.16.1.1 on branch b7415bf127ee3317554af752c0f83e2b580dd7bd.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEXtHhEi3F6KSkURLCSEJIIQ7j2IQFAmLQBOkACgkQSEJIIQ7j
2IS+nRAAl8qEGHMCtbh64Uc517UwsATEZwEqm+s5cWrbi6GpkuJ00ITnchgK1QvY
q9NQudL548oYWB8pvmeql8eeVJFGx4loh8e32GXdW5dNDcmIC/0YZ7VJFokPuHf6
79GEDfcui5A15mvIL8DyTSHlZd/6x3LKusfM5Nu3f88B75yy1AkfxH8JcVTM8P9/
ijtVTpy8zWkBWO+nnFUiwRjcQStOwNKd1jHxoapJIpFlNcUZw2DkRlaVIV7uU+ne
Z7Y4JAJHzvki4ewkl/F5XwkRPiZlEMXVgEAb4dUmt5hg4GCWQvuDvHDio4fQ6Ws1
CSNdiSV5rKMxa/fcE4l/oxvZ5oGxA7afbyJWo6Y4/s+UENKmZ3LiehkTptuOTSh0
rgBTUKO7ZPtYuqD6kwaKYoxL431zYRJsdF1TUnts4nJTQQsWn6JlA3oTsX7nxlte
qdxRtqmE7NTcpNH/+sU8MDKBYaHEqF3VOfzhw5Ta8ztQhebrGMHPJX0i3ypDBAll
QEVH+cMpIoo5MQZWRFnIeKW/uTZuEZAMcJ8a/AS7gHSjLtiNGJExE5qvVXVnP8Im
PruZSmk1ZovQ/XbtN0SD0DDS93CppYFH6fJRAeq6yqkEnYUm+dxFkBvEZqp8nr/X
Z3vySZlH08+iz3fLlpbkGJRZSUfFXYKrGyZjLaFvKIf0FpedfOM=
=/arX
-----END PGP SIGNATURE-----
Merge tag '4.16.1.1' into 4.16
Tagging release 4.16.1.1 on branch b7415bf127ee3317554af752c0f83e2b580dd7bd.
2022-07-18 19:34:32 +05:30
Rohit Yadav
1c7efcbd0d
Updating pom.xml version numbers for release 4.17.0.1
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-07-15 18:18:40 +05:30
Rohit Yadav
f27de63644
saml: Safer DocumentBuilderFactory and ParserPool configuration
This implements safer DocumentBuilderFactory and ParserPool utilities
to be used throughout the codebase to prevent potential XXE exploits.
References:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 8e0e68ef368ebe2793ef80e2c3821eaecb47b593)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-07-14 17:31:12 +05:30
Rohit Yadav
ebfdef5777
Updating pom.xml version numbers for release 4.16.1.1
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-07-14 17:28:08 +05:30
Rohit Yadav
b7415bf127
saml: Safer DocumentBuilderFactory and ParserPool configuration
This implements safer DocumentBuilderFactory and ParserPool utilities
to be used throughout the codebase to prevent potential XXE exploits.
References:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 8e0e68ef368ebe2793ef80e2c3821eaecb47b593)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2022-07-14 16:58:08 +05:30
Rohit Yadav
e57a0f9980
Merge remote-tracking branch 'origin/4.17'
2022-07-06 09:34:02 +05:30
Luis Moreira
c6b611433b
saml: Fix SAML SSO plugin redirect URL ( #6457 )
This PR fixes the issue #6427 -> SAML request must be appended to an IdP URL as a query param with an ampersand, if the URL already contains a question mark, as opposed to always assuming that IdP URLs don't have any query params.
Google's IdP URL for instance looks like this: https://accounts.google.com/o/saml2/idp?idpid=<ID>, therefore the expected redirect URL would be https://accounts.google.com/o/saml2/idp?idpid=<ID>&SAMLRequest=<SAMLRequest>
This code change is backwards compatible with the current behaviour.
2022-07-06 09:28:37 +05:30
Daan Hoogland
a470f3353a
Merge branch '4.17'
2022-07-05 09:11:45 +02:00
John Bampton
7d23a0a759
Fix spelling ( #6272 )
2022-07-05 09:08:53 +02:00
nvazquez
0bcc609f05
Updating pom.xml version numbers for release 4.18.0.0-SNAPSHOT
Signed-off-by: nvazquez <nicovazquez90@gmail.com>
2022-06-06 12:25:35 -03:00
nvazquez
038a669d6b
Updating pom.xml version numbers for release 4.17.1.0-SNAPSHOT
Signed-off-by: nvazquez <nicovazquez90@gmail.com>
2022-06-06 12:19:44 -03:00
nvazquez
c56220fcf2
Updating pom.xml version numbers for release 4.17.0.0
Signed-off-by: nvazquez <nicovazquez90@gmail.com>
2022-05-31 14:33:47 -03:00
dahn
c123c3fd2f
remove request listener to prevent untimely session invalidation ( #6393 )
* login/-out constants
* no request listener
* store session as value, using id as key
* Apply suggestions from sonarcloud.io code review
three instances of unsafe parameters to logging
* new sonar issues
* sonar issues
2022-05-24 10:00:06 -03:00
Marcus Sorensen
3dcb93d981
maven: Move apache DS dependencies to test scope ( #6347 )
Fixes : #6346
Move LDAP embedded server dependencies to test scope so they aren't packaged in the final management server jar.
Co-authored-by: Marcus Sorensen <mls@apple.com>
2022-05-04 11:49:29 +05:30
Abhishek Kumar
523805c8bc
schema,server,api: events improvement ( #5997 )
* schema,server,api: events improvement
Add resource ID and resource type to event.
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* wip
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* refactor resourcetype association with API class
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* add resource name to the response
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* changes
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* test
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* more tests
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* new line
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* add resource test
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* changes
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* fix
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* smoke test for events resource
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* fix
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* changes
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* fix
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* ui improvements
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* refactor
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* api,ui: add support for listing events for a resource
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* since key
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* tests and permission changes
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* missing test
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* events for domain
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* improvements
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* fix
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* add missing license
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* ui: fix js console errors
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* sort enumeration
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* fix event resource for vpc
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* feedback changes
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* fix order
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* events with parent resource
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* missing UI labels
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* do not call cmd resource methods before dispatch
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* add restore vm to procedure
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* add missing imports
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* resource details for more events
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* add test for changes
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* more test, license fix
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* wrong merge fix
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* fix for more event types
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
2022-04-25 09:05:17 -03:00
Leo
70122007bb
Updated SAML2 auth sessionkey cookie path ( #6149 )
This change will set the sessionkey under the /client/api path. This commit should prevent duplicate sessionkey cookies from being set on both /client (incorrect) and /client/api (correct). Prior to this commit, the /client version was being set while the /client/api version remained unchanged with an invalid sessionkey. As a result, subsequent requests after the SAML2 authentication would immediately fail with an invalid session and result in the user being logged out.
The sessionkey is now set explicitly for the /client/api path which should fix this issue, regardless of the SSO URL and path that's being used.
2022-04-18 17:16:20 +05:30
nvazquez
1c238e101d
Merge branch '4.16'
2022-03-30 00:00:34 -03:00
Wei Zhou
ee27708ffb
SAML: replace first number with random alphabet if request ID starts with a number ( #6165 )
2022-03-29 23:59:44 -03:00
JoaoJandre
5f07ddaca9
Refactor account type ( #6048 )
* Refactor account type
* Added license.
* Address reviews
* Address review.
Co-authored-by: João Paraquetti <joao@scclouds.com.br>
Co-authored-by: Joao <JoaoJandre@gitlab.com>
2022-03-09 11:14:19 -03:00
Suresh Kumar Anaparti
bc70535ee5
Updating pom.xml version numbers for release 4.16.2.0-SNAPSHOT
Signed-off-by: Suresh Kumar Anaparti <suresh.anaparti@shapeblue.com>
2022-03-03 18:15:33 +05:30
Suresh Kumar Anaparti
cad9332082
Updating pom.xml version numbers for release 4.16.1.0
Signed-off-by: Suresh Kumar Anaparti <suresh.anaparti@shapeblue.com>
2022-02-25 19:01:16 +05:30
Suresh Kumar Anaparti
208ae84dd7
Merge branch '4.16' into main
2022-02-08 19:01:34 +05:30
Rohit Yadav
da56a2a806
maven: migrate short-term to reload4j v1.2.18 ( #5878 )
* maven: migrate short-term to reload4j v1.2.18
This migrates to the log4j 1.x fork, reload4j 1.2.18.0, which is a drop-in
replacement and addresses some immediate CVEs and issues.
* log4j migration to reload4j in pom xmls
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* Exclude log4j from transitive dependencies (#73 )
Co-authored-by: Marcus Sorensen <shadowsor@gmail.com>
Co-authored-by: Marcus Sorensen <mls@apple.com>
2022-02-08 15:00:38 +05:30
Suresh Kumar Anaparti
30ae9eedad
Merge branch '4.16' into main
2022-01-05 10:14:47 +05:30
dahn
e06a66ba14
ldap: truststore per domain ( #5816 )
Co-authored-by: Daan Hoogland <dahn@onecht.net>
2022-01-03 21:01:51 +05:30
Daniel Augusto Veronezi Salvador
b4aabadc4d
Replace string libraries with org.apache.commons.lang3.StringUtils ( #5386 )
* Replace google lib with lang3 and adjust method calls
* Replace string libs with lang3
* Prohibit other string libs
Co-authored-by: GutoVeronezi <daniel@scclouds.com.br>
2021-11-18 13:41:48 +05:30
nicolas
3f79436840
Updating pom.xml version numbers for release 4.17.0.0-SNAPSHOT
Signed-off-by: nicolas <nicovazquez90@gmail.com>
2021-11-09 22:55:52 -03:00
nicolas
93c3c3b9ac
Updating pom.xml version numbers for release 4.16.1.0-SNAPSHOT
Signed-off-by: nicolas <nicovazquez90@gmail.com>
2021-11-09 22:50:22 -03:00
nicolas
44c08b5acc
Updating pom.xml version numbers for release 4.16.0.0
Signed-off-by: nicolas <nicovazquez90@gmail.com>
2021-11-04 14:14:57 -03:00
Rohit Yadav
a1a3aff2b5
Merge remote-tracking branch 'origin/4.15' into main
2021-08-31 14:29:30 +05:30
Rafael
14323c9db5
updated maven dependency due to #5363 ( #5366 )
Co-authored-by: Rafael del Valle <rvalle@privaz.io>
2021-08-31 12:39:18 +05:30
Rohit Yadav
d916e416ec
Updating pom.xml version numbers for release 4.15.2.0-SNAPSHOT
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2021-07-02 22:59:07 +05:30
Rohit Yadav
379454caae
Updating pom.xml version numbers for release 4.15.1.0
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2021-06-28 15:27:27 +05:30
Abhishek Kumar
cce736709e
Merge remote-tracking branch 'apache/4.15'
2021-04-12 11:43:57 +05:30
Nicolas Vazquez
e47dc9c25e
ldap: Fix orphan entry on ldap trust map after account removal ( #4899 )
Fixes : #4673
Fix orphan entry on ldap trust map after account removal
2021-04-10 13:26:50 +05:30
Rohit Yadav
b482da8c91
Updating pom.xml version numbers for release 4.15.1.0-SNAPSHOT
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2021-01-11 13:58:30 +05:30