fix invalid access validation performed to the domainId attribute

bernardodemarco · bernardodemarco · commit 470211bde347 · 2025-06-24T09:01:46.000-03:00
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ListConsoleSessionsCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ListConsoleSessionsCmd.java
@@ -53,7 +53,6 @@ public class ListConsoleSessionsCmd extends BaseListCmd {
     @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = ConsoleSessionResponse.class, description = "The ID of the console session.")
     private Long id;
 
-    @ACL
     @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, entityType = DomainResponse.class, description = "The domain ID of the account that created the console endpoint.")
     private Long domainId;
 
diff --git a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
@@ -215,7 +215,7 @@ public ListResponse<ConsoleSessionResponse> listConsoleSessions(ListConsoleSessi
 
     protected Pair<List<ConsoleSessionVO>, Integer> listConsoleSessionsInternal(ListConsoleSessionsCmd cmd) {
         CallContext caller = CallContext.current();
-        long domainId = cmd.getDomainId() != null ? cmd.getDomainId() : caller.getCallingAccount().getDomainId();
+        long domainId = getBaseDomainIdToListConsoleSessions(cmd.getDomainId());
         Long accountId = cmd.getAccountId();
         Long userId = cmd.getUserId();
         boolean isRecursive = cmd.isRecursive();
@@ -239,6 +239,26 @@ protected Pair<List<ConsoleSessionVO>, Integer> listConsoleSessionsInternal(List
                 cmd.getPageSizeVal(), cmd.getStartIndex());
     }
 
+    /**
+     * Determines the base domain ID for listing console sessions.
+     *
+     * If no domain ID is provided, returns the caller's domain ID. Otherwise,
+     * checks if the caller has access to that domain and returns the provided domain ID.
+     *
+     * @param domainId The domain ID to check, can be null
+     * @return The base domain ID to use for listing console sessions
+     * @throws PermissionDeniedException if the caller does not have access to the specified domain
+     */
+    protected long getBaseDomainIdToListConsoleSessions(Long domainId) {
+        Account caller = CallContext.current().getCallingAccount();
+        if (domainId == null) {
+            return caller.getDomainId();
+        }
+
+        accountManager.checkAccess(caller, domainDao.findById(domainId));
+        return domainId;
+    }
+
     @Override
     public ConsoleSession listConsoleSessionById(long id) {
         return consoleSessionDao.findById(id);
diff --git a/server/src/test/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImplTest.java b/server/src/test/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImplTest.java
@@ -17,6 +17,7 @@
 package org.apache.cloudstack.consoleproxy;
 
 import com.cloud.agent.AgentManager;
+import com.cloud.domain.DomainVO;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.server.ManagementServer;
@@ -81,6 +82,8 @@ public class ConsoleAccessManagerImplTest {
     @Mock
     private DomainDao domainDaoMock;
     @Mock
+    private DomainVO domainMock;
+    @Mock
     private ConsoleSessionVO consoleSessionMock;
     @Mock
     private ConsoleSessionDao consoleSessionDaoMock;
@@ -242,7 +245,9 @@ public void listConsoleSessionsInternalTestShouldFetchConsoleSessionsRecursively
 
     @Test
     public void listConsoleSessionsTestShouldCreateResponsesWithFullViewForRootAdmins() {
-        Mockito.when(consoleAccessManager.listConsoleSessionsInternal(listConsoleSessionsCmdMock)).thenReturn(new Pair<>(List.of(consoleSessionMock), 1));
+        Mockito.doReturn(new Pair<>(List.of(consoleSessionMock), 1))
+                .when(consoleAccessManager)
+                .listConsoleSessionsInternal(listConsoleSessionsCmdMock);
 
         try (MockedStatic<CallContext> callContextStaticMock = Mockito.mockStatic(CallContext.class)) {
             callContextStaticMock.when(CallContext::current).thenReturn(callContextMock);
@@ -257,7 +262,9 @@ public void listConsoleSessionsTestShouldCreateResponsesWithFullViewForRootAdmin
 
     @Test
     public void listConsoleSessionsTestShouldCreateResponsesWithRestrictedViewForNonRootAdmins() {
-        Mockito.when(consoleAccessManager.listConsoleSessionsInternal(listConsoleSessionsCmdMock)).thenReturn(new Pair<>(List.of(consoleSessionMock), 1));
+        Mockito.doReturn(new Pair<>(List.of(consoleSessionMock), 1))
+                .when(consoleAccessManager)
+                .listConsoleSessionsInternal(listConsoleSessionsCmdMock);
 
         try (MockedStatic<CallContext> callContextStaticMock = Mockito.mockStatic(CallContext.class)) {
             callContextStaticMock.when(CallContext::current).thenReturn(callContextMock);
@@ -271,6 +278,31 @@ public void listConsoleSessionsTestShouldCreateResponsesWithRestrictedViewForNon
         Mockito.verify(responseGeneratorMock).createConsoleSessionResponse(consoleSessionMock, ResponseObject.ResponseView.Restricted);
     }
 
+    @Test
+    public void getBaseDomainIdToListConsoleSessionsTestIfNoDomainIdIsProvidedReturnCallersDomainId() {
+        long callerDomainId = 5L;
+
+        try (MockedStatic<CallContext> callContextStaticMock = Mockito.mockStatic(CallContext.class)) {
+            callContextStaticMock.when(CallContext::current).thenReturn(callContextMock);
+            Mockito.when(callContextMock.getCallingAccount()).thenReturn(account);
+            Mockito.when(account.getDomainId()).thenReturn(callerDomainId);
+            Assert.assertEquals(callerDomainId, consoleAccessManager.getBaseDomainIdToListConsoleSessions(null));
+        }
+    }
+
+    @Test
+    public void getBaseDomainIdToListConsoleSessionsTestPerformAccessValidationWhenDomainIsProvided() {
+        long domainId = 5L;
+
+        try (MockedStatic<CallContext> callContextStaticMock = Mockito.mockStatic(CallContext.class)) {
+            callContextStaticMock.when(CallContext::current).thenReturn(callContextMock);
+            Mockito.when(callContextMock.getCallingAccount()).thenReturn(account);
+            Mockito.when(domainDaoMock.findById(domainId)).thenReturn(domainMock);
+            Assert.assertEquals(domainId, consoleAccessManager.getBaseDomainIdToListConsoleSessions(domainId));
+            Mockito.verify(accountManager).checkAccess(account, domainMock);
+        }
+    }
+
     @Test
     public void listConsoleSessionByIdTestShouldCallDbLayer() {
         consoleAccessManager.listConsoleSessionById(1L);
