Role escalation prevention (apache#5879)

* prevent role access escallation

* hierarchy issue fixed

* create api list in account manager for checking new account access

* full api list check

* strange role restriction removed for BareMetal

* add role check on upfdate account as well

* more selective use of api checkers

* error msg and var name

Co-authored-by: Daan Hoogland <dahn@onecht.net>

Author: DaanHoogland

api/src/main/java/com/cloud/user/AccountService.java

@@ -21,6 +21,7 @@
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
@@ -39,8 +40,7 @@ public interface AccountService {
      * Creates a new user and account, stores the password as is so encrypted passwords are recommended.
      * @return the user if created successfully, null otherwise
      */
-    UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, short accountType, Long roleId, Long domainId,
-            String networkDomain, Map<String, String> details, String accountUUID, String userUUID);
+    UserAccount createUserAccount(CreateAccountCmd accountCmd);
 
     UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, short accountType, Long roleId, Long domainId,
             String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source);

api/src/main/java/org/apache/cloudstack/acl/APIChecker.java

@@ -17,6 +17,7 @@
 package org.apache.cloudstack.acl;
 
 import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
 import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
 
@@ -27,4 +28,6 @@ public interface APIChecker extends Adapter {
     // If false, apiChecker is unable to handle the operation or not implemented
     // On exception, checkAccess failed don't allow
     boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
+    boolean checkAccess(Account account, String apiCommandName) throws PermissionDeniedException;
+    boolean isEnabled();
 }

api/src/main/java/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java

@@ -186,8 +186,7 @@ public void execute() {
         validateParams();
         CallContext.current().setEventDetails("Account Name: " + getUsername() + ", Domain Id:" + getDomainId());
         UserAccount userAccount =
-            _accountService.createUserAccount(getUsername(), getPassword(), getFirstName(), getLastName(), getEmail(), getTimeZone(), getAccountName(), getAccountType(), getRoleId(),
-                getDomainId(), getNetworkDomain(), getDetails(), getAccountUUID(), getUserUUID());
+            _accountService.createUserAccount(this);
         if (userAccount != null) {
             AccountResponse response = _responseGenerator.createUserAccountResponse(ResponseView.Full, userAccount);
             response.setResponseName(getCommandName());

api/src/test/java/org/apache/cloudstack/api/command/admin/account/CreateAccountCmdTest.java

@@ -73,7 +73,7 @@ public void testExecuteWithNotBlankPassword() {
         } catch (ServerApiException e) {
             Assert.assertTrue("Received exception as the mock accountService createUserAccount returns null user", true);
         }
-        Mockito.verify(accountService, Mockito.times(1)).createUserAccount(null, "Test", null, null, null, null, null, accountType, roleId, domainId, null, null, null, null);
+        Mockito.verify(accountService, Mockito.times(1)).createUserAccount(createAccountCmd);
     }
 
     @Test
@@ -86,7 +86,7 @@ public void testExecuteWithNullPassword() {
             Assert.assertEquals(ApiErrorCode.PARAM_ERROR, e.getErrorCode());
             Assert.assertEquals("Empty passwords are not allowed", e.getMessage());
         }
-        Mockito.verify(accountService, Mockito.never()).createUserAccount(null, null, null, null, null, null, null, accountType, roleId, domainId, null, null, null, null);
+        Mockito.verify(accountService, Mockito.never()).createUserAccount(createAccountCmd);
     }
 
     @Test
@@ -99,6 +99,6 @@ public void testExecuteWithEmptyPassword() {
             Assert.assertEquals(ApiErrorCode.PARAM_ERROR, e.getErrorCode());
             Assert.assertEquals("Empty passwords are not allowed", e.getMessage());
         }
-        Mockito.verify(accountService, Mockito.never()).createUserAccount(null, null, null, null, null, null, null, accountType, roleId, domainId, null, null, null, null);
+        Mockito.verify(accountService, Mockito.never()).createUserAccount(createAccountCmd);
     }
 }

plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java

@@ -75,6 +75,10 @@ public boolean checkAccess(User user, String commandName) throws PermissionDenie
             throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
         }
 
+        return checkAccess(account, commandName);
+    }
+
+    public boolean checkAccess(Account account, String commandName) {
         final Role accountRole = roleService.findRole(account.getRoleId());
         if (accountRole == null || accountRole.getId() < 1L) {
             denyApiAccess(commandName);
@@ -106,6 +110,11 @@ public boolean checkAccess(User user, String commandName) throws PermissionDenie
         throw new UnavailableCommandException("The API " + commandName + " does not exist or is not available for this account.");
     }
 
+    @Override
+    public boolean isEnabled() {
+        return roleService.isEnabled();
+    }
+
     public void addApiToRoleBasedAnnotationsMap(final RoleType roleType, final String commandName) {
         if (roleType == null || Strings.isNullOrEmpty(commandName)) {
             return;

plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java

@@ -58,9 +58,13 @@ private void denyApiAccess(final String commandName) throws PermissionDeniedExce
         throw new PermissionDeniedException("The API " + commandName + " is denied for the user's/account's project role.");
     }
 
+    @Override
+    public boolean isEnabled() {
+        return roleService.isEnabled();
+    }
 
     public boolean isDisabled() {
-        return !roleService.isEnabled();
+        return !isEnabled();
     }
 
     @Override
@@ -103,6 +107,11 @@ public boolean checkAccess(User user, String apiCommandName) throws PermissionDe
         throw new UnavailableCommandException("The API " + apiCommandName + " does not exist or is not available for this account/user in project "+project.getUuid());
     }
 
+    @Override
+    public boolean checkAccess(Account account, String apiCommandName) throws PermissionDeniedException {
+        return true;
+    }
+
     private boolean isPermitted(Project project, ProjectAccount projectUser, String apiCommandName) {
         ProjectRole projectRole = null;
         if(projectUser.getProjectRoleId() != null) {

plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java

@@ -65,6 +65,10 @@ public StaticRoleBasedAPIAccessChecker() {
         }
     }
 
+    @Override
+    public boolean isEnabled() {
+        return !isDisabled();
+    }
     public boolean isDisabled() {
         return roleService.isEnabled();
     }
@@ -80,6 +84,10 @@ public boolean checkAccess(User user, String commandName) throws PermissionDenie
             throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
         }
 
+        return checkAccess(account, commandName);
+    }
+
+    public boolean checkAccess(Account account, String commandName) {
         RoleType roleType = accountService.getRoleType(account);
         boolean isAllowed =
             commandsPropertiesOverrides.contains(commandName) ? commandsPropertiesRoleBasedApisMap.get(roleType).contains(commandName) : annotationRoleBasedApisMap.get(

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryService.java

@@ -16,12 +16,17 @@
 // under the License.
 package org.apache.cloudstack.discovery;
 
+import com.cloud.user.Account;
 import org.apache.cloudstack.api.BaseResponse;
 import org.apache.cloudstack.api.response.ListResponse;
 
 import com.cloud.user.User;
 import com.cloud.utils.component.PluggableService;
 
+import java.util.List;
+
 public interface ApiDiscoveryService extends PluggableService {
+    List<String> listApiNames(Account account);
+
     ListResponse<? extends BaseResponse> listApis(User user, String apiName);
 }

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java

@@ -27,6 +27,7 @@
 
 import javax.inject.Inject;
 
+import com.cloud.user.Account;
 import org.apache.cloudstack.acl.APIChecker;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -210,6 +211,24 @@ private ApiDiscoveryResponse getCmdRequestMap(Class<?> cmdClass, APICommand apiC
         return response;
     }
 
+    @Override
+    public List<String> listApiNames(Account account) {
+        List<String> apiNames = new ArrayList<>();
+        for (String apiName : s_apiNameDiscoveryResponseMap.keySet()) {
+            boolean isAllowed = true;
+            for (APIChecker apiChecker : _apiAccessCheckers) {
+                try {
+                    apiChecker.checkAccess(account, apiName);
+                } catch (Exception ex) {
+                    isAllowed = false;
+                }
+            }
+            if (isAllowed)
+                apiNames.add(apiName);
+        }
+        return apiNames;
+    }
+
     @Override
     public ListResponse<? extends BaseResponse> listApis(User user, String name) {
         ListResponse<ApiDiscoveryResponse> response = new ListResponse<ApiDiscoveryResponse>();

plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java

@@ -147,16 +147,20 @@ public boolean checkAccess(User user, String apiCommandName) throws PermissionDe
         }
         Long accountId = user.getAccountId();
         Account account = _accountService.getAccount(accountId);
+        return checkAccess(account, apiCommandName);
+    }
+
+    public boolean checkAccess(Account account, String commandName) {
         if (_accountService.isRootAdmin(account.getId())) {
             // no API throttling on root admin
             return true;
         }
-        StoreEntry entry = _store.get(accountId);
+        StoreEntry entry = _store.get(account.getId());
 
         if (entry == null) {
 
             /* Populate the entry, thus unlocking any underlying mutex */
-            entry = _store.create(accountId, timeToLive);
+            entry = _store.create(account.getId(), timeToLive);
         }
 
         /* Increment the client count and see whether we have hit the maximum allowed clients yet. */
@@ -174,6 +178,11 @@ public boolean checkAccess(User user, String apiCommandName) throws PermissionDe
         }
     }
 
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
     @Override
     public List<Class<?>> getCommands() {
         List<Class<?>> cmdList = new ArrayList<Class<?>>();