diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java index 09ef9fe8bec9..ec990ac5f749 100644 --- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java +++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java @@ -178,6 +178,7 @@ import com.cloud.utils.ConstantTimeComparator; import com.cloud.utils.NumbersUtil; import com.cloud.utils.Pair; +import com.cloud.utils.StringUtils; import com.cloud.utils.Ternary; import com.cloud.utils.UuidUtils; import com.cloud.utils.StringUtils; @@ -728,12 +729,7 @@ public void checkAccess(Account caller, AccessType accessType, boolean sameOwner HashMap> domains = new HashMap<>(); for (ControlledEntity entity : entities) { - long domainId = entity.getDomainId(); - if (entity.getAccountId() != -1 && domainId == -1) { // If account exists domainId should too so calculate - // it. This condition might be hit for templates or entities which miss domainId in their tables - Account account = ApiDBUtils.findAccountById(entity.getAccountId()); - domainId = account != null ? account.getDomainId() : -1; - } + long domainId = getDomainIdFor(entity); if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && !(entity instanceof Network && (accessType == AccessType.UseEntry || accessType == AccessType.OperateEntry)) && !(entity instanceof AffinityGroup) && !(entity instanceof VirtualRouter)) { 
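Review bot: The added `import com.cloud.utils.StringUtils;` duplicates an import already visible in this hunk's context, two lines further down after `com.cloud.utils.UuidUtils`. The compiler ignores a repeated single-type import, so this still builds, but redundant-import lint rules typically flag it. Keep the new line, which sits in sorted position, and delete the older out-of-order one.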
@@ -785,6 +781,17 @@ public void checkAccess(Account caller, AccessType accessType, boolean sameOwner } + private static long getDomainIdFor(ControlledEntity entity) { + long domainId = entity.getDomainId(); + if (entity.getAccountId() != -1 && domainId == -1) { + // If account exists domainId should too so calculate it. + // This condition might be hit for templates or entities which miss domainId in their tables + Account account = ApiDBUtils.findAccountById(entity.getAccountId()); + domainId = account != null ? account.getDomainId() : -1; + } + return domainId; + } + @Override public void validateAccountHasAccessToResource(Account account, AccessType accessType, Object resource) { Class resourceClass = resource.getClass(); @@ -2870,11 +2877,11 @@ public UserAccount authenticateUser(final String username, final String password final Boolean ApiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value(); if (ApiSourceCidrChecksEnabled) { - logger.debug("CIDRs from which account '{}' is allowed to perform API calls: {}", account.toString(), accessAllowedCidrs); + logger.debug("CIDRs from which account '{}' is allowed to perform API calls: {}", account, accessAllowedCidrs); // Block when is not in the list of allowed IPs if (!NetUtils.isIpInCidrList(loginIpAddress, accessAllowedCidrs.split(","))) { - logger.warn("Request by account '{}' was denied since {} does not match {}", account.toString(), loginIpAddress.toString().replace("/", ""), accessAllowedCidrs); + logger.warn("Request by account '{}' was denied since {} does not match {}", account , loginIpAddress.toString().replace("/", ""), accessAllowedCidrs); throw new CloudAuthenticationException("Failed to authenticate user '" + username + "' in domain '" + domain.getPath() + "' from ip " + loginIpAddress.toString().replace("/", "") + "; please provide valid credentials"); } @@ -3044,7 +3051,7 @@ private UserAccount getUserAccountForSSO(String username, Long domainId, Map
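Review bot: `getDomainIdFor` has no Javadoc, yet its `-1` result feeds an access decision: the `domainId != -1` test in the `checkAccess` hunk above decides whether the entity enters that branch. What the branch does with the entity lies outside the visible lines. Add a Javadoc saying the method returns the entity's own domain id, falls back to the owning account's domain when the entity reports `-1`, and returns `-1` when `ApiDBUtils.findAccountById` yields null. It would also help to state at the call site what an unresolved `-1` means for the check, so a reader can tell whether such entities are deliberately exempt or just unhandled.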
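Review bot: The rewritten `logger.warn` line leaves a stray space in `account ,` and still renders the client address as `loginIpAddress.toString().replace("/", "")`. If `loginIpAddress` is a `java.net.InetAddress` (its declaration is outside the hunk), `toString()` yields `hostname/literal`, so stripping the slash glues any resolved hostname onto the IP. That makes the denial log harder to match against the CIDR list during an investigation. Consider `logger.warn("Request by account '{}' was denied since {} does not match {}", account, loginIpAddress.getHostAddress(), accessAllowedCidrs);` and the same call in the exception message on the following line. The body of `authenticateUser` continues beyond this hunk.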