Fix role escalation prevention

[hsato03]

Description

While checking an account access to prevent the role escalation, the checkAccess method is using both DynamicRoleBasedAPIAccessChecker and StaticRoleBasedAPIAccessChecker (legacy) classes and that is causing some inconsistences in the validations, consequently allowing the role escalation.

For this reason, the StaticRoleBasedAPIAccessChecker was disabled if DynamicRoleBasedAPIAccessChecker is enabled.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

• I have created a domain admin custom role (DA2) and allowed all API's to it using the * regex;
• Removed an API that it had in common with default domain admin role;
• Tried to create a default domain admin account using a DA2 account;
• Received an exception from the role eslacation prevention.

[yadvr]

Hi @hsato03 thanks for the PR. The dynamic checker is used by default and we don't ship commands.properties with cloudstack for several years now, how can we test/verify your claims?

[hsato03]

Hello @rohityadavcloud. You can test it by doing the same tests I did. Before the changes, the account will be created and no exception will be thrown.

• Create a domain admin custom role (DA2) and allow all APIs to it using the * regex;
• Still in DA2, remove an API that it has in common with the default domain admin role (listProjects for an example);
• Login into a DA2 account and try to create an account that has the default domain admin role;
• The account should not be created as the caller role (DA2) does not have a permission (listProjects) that the role's account being created has (default domain admin).

[kiranchavala]

@blueorangutan package

[codecov]

Codecov Report

Merging #7853 (a4d0f20) into 4.18 (b4032d9) will increase coverage by 0.00%.
Report is 23 commits behind head on 4.18.
The diff coverage is 0.00%.

@@            Coverage Diff            @@
##               4.18    #7853   +/-   ##
=========================================
  Coverage     13.02%   13.02%           
- Complexity     9029     9039   +10     
=========================================
  Files          2720     2720           
  Lines        257010   257096   +86     
  Branches      40083    40093   +10     
=========================================
+ Hits          33467    33489   +22     
- Misses       219342   219403   +61     
- Partials       4201     4204    +3     

Files Changed	Coverage Δ
...loudstack/acl/StaticRoleBasedAPIAccessChecker.java	0.00% <0.00%> (ø)

... and 18 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[DaanHoogland]

if this prevents the escalation talked about fine, but it seems illogical to return true to prevent access. would return false not make more sense?

[hsato03]

@DaanHoogland I don't think so. Actually this isEnabled method checks if DynamicRoleBasedAPIAccessChecker is enabled. Returning true here is just passing the check responsibility to another class.

[DaanHoogland]

yes @hsato03 I think you are right. I consider it a bug that the StaticRoleBasedAPIAccessChecker.isEnabled() would return true if it is disabled (but the dynamic one is enabled). Maybe this is a discussion out of scope for your change. As said, "if this prevents the escalation talked about (it is) fine"

[weizhouapache]

yes, it looks like a bug @DaanHoogland
we should change the return value of isEnabled in this class

[DaanHoogland]

cc @rohityadavcloud ^

[weizhouapache]

code lgtm

It should be better to change the return value of method isEnabled, but it might have large impact.

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SF] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 6785

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SF] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 6810

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-7434)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 47901 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7853-t7434-kvm-centos7.zip
Smoke tests completed. 107 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_list_vms_metrics_admin	Error	3608.79	test_metrics_api.py
test_list_vms_metrics_history	Error	5.39	test_metrics_api.py
test_list_volumes_metrics_history	Error	7.45	test_metrics_api.py

[blueorangutan]

[SF] Trillian test result (tid-7451)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 39277 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7853-t7451-kvm-centos7.zip
Smoke tests completed. 108 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[weizhouapache]

@DaanHoogland @rohityadavcloud
@hsato03 has changed the return value of isEnabled method in the class, the code lgtm and trillian test results look good. do you have any other concerns ?

[DaanHoogland]

code looks good

[boring-cyborg]

Awesome work, congrats on your first merged pull request!