apache
diff --git a/‎api/src/main/java/com/cloud/user/AccountService.java‎
Lines changed: 2 additions & 0 deletions b/‎api/src/main/java/com/cloud/user/AccountService.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java‎
Lines changed: 3 additions & 0 deletions b/‎engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaBalanceCmd.java‎
Lines changed: 13 additions & 1 deletion b/‎plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaBalanceCmd.java‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaCreditsCmd.java‎
Lines changed: 6 additions & 0 deletions b/‎plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaCreditsCmd.java‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaStatementCmd.java‎
Lines changed: 6 additions & 0 deletions b/‎plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaStatementCmd.java‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java‎
Lines changed: 5 additions & 0 deletions b/‎plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎plugins/storage/object/ceph/src/main/java/org/apache/cloudstack/storage/datastore/driver/CephObjectStoreDriverImpl.java‎
Lines changed: 5 additions & 8 deletions b/‎plugins/storage/object/ceph/src/main/java/org/apache/cloudstack/storage/datastore/driver/CephObjectStoreDriverImpl.java‎
Lines changed: 5 additions & 8 deletions
diff --git a/‎plugins/storage/object/ceph/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/CephObjectStoreLifeCycleImpl.java‎
Lines changed: 5 additions & 5 deletions b/‎plugins/storage/object/ceph/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/CephObjectStoreLifeCycleImpl.java‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/ListAndSwitchSAMLAccountCmd.java‎
Lines changed: 6 additions & 1 deletion b/‎plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/ListAndSwitchSAMLAccountCmd.java‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java‎
Lines changed: 3 additions & 0 deletions b/‎plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java‎
Lines changed: 3 additions & 0 deletions
@@ -116,6 +116,8 @@ User createUser(String userName, String password, String firstName, String lastN
 
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
 
+    void validateAccountHasAccessToResource(Account account, AccessType accessType, Object resource);
+
     Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
 
     /**
 
@@ -2029,6 +2029,9 @@ public void copyAsync(Map<VolumeInfo, DataStore> volumeDataStoreMap, VirtualMach
                 MigrationOptions.Type migrationType = decideMigrationTypeAndCopyTemplateIfNeeded(destHost, vmInstance, srcVolumeInfo, sourceStoragePool, destStoragePool, destDataStore);
                 migrateNonSharedInc = migrateNonSharedInc || MigrationOptions.Type.LinkedClone.equals(migrationType);
 
+                MigrationOptions.Type migrationType = decideMigrationTypeAndCopyTemplateIfNeeded(destHost, vmInstance, srcVolumeInfo, sourceStoragePool, destStoragePool, destDataStore);
+                migrateNonSharedInc = migrateNonSharedInc || MigrationOptions.Type.LinkedClone.equals(migrationType);
+
                 VolumeVO destVolume = duplicateVolumeOnAnotherStorage(srcVolume, destStoragePool);
                 VolumeInfo destVolumeInfo = _volumeDataFactory.getVolume(destVolume.getId(), destDataStore);
 
 
@@ -21,6 +21,9 @@
 
 import javax.inject.Inject;
 
+import com.cloud.user.Account;
+
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseCmd;
@@ -40,6 +43,7 @@ public class QuotaBalanceCmd extends BaseCmd {
     @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, required = true, description = "Account Id for which statement needs to be generated")
     private String accountName;
 
+    @ACL
     @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, required = true, entityType = DomainResponse.class, description = "If domain Id is given and the caller is domain admin then the statement is generated for domain.")
     private Long domainId;
 
@@ -51,6 +55,7 @@ public class QuotaBalanceCmd extends BaseCmd {
             ApiConstants.PARAMETER_DESCRIPTION_START_DATE_POSSIBLE_FORMATS)
     private Date startDate;
 
+    @ACL
     @Parameter(name = ApiConstants.ACCOUNT_ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "List usage records for the specified account")
     private Long accountId;
 
@@ -104,7 +109,14 @@ public void setStartDate(Date startDate) {
 
     @Override
     public long getEntityOwnerId() {
-       return _accountService.getActiveAccountByName(accountName, domainId).getAccountId();
+        if (accountId != null) {
+            return accountId;
+        }
+        Account account = _accountService.getActiveAccountByName(accountName, domainId);
+        if (account != null) {
+            return account.getAccountId();
+        }
+        return Account.ACCOUNT_ID_SYSTEM;
     }
 
     @Override
 
@@ -18,6 +18,7 @@
 
 import com.cloud.user.Account;
 
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -46,6 +47,7 @@ public class QuotaCreditsCmd extends BaseCmd {
     @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, required = true, description = "Account Id for which quota credits need to be added")
     private String accountName;
 
+    @ACL
     @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, required = true, entityType = DomainResponse.class, description = "Domain for which quota credits need to be added")
     private Long domainId;
 
@@ -130,6 +132,10 @@ public void execute() {
 
     @Override
     public long getEntityOwnerId() {
+        Account account = _accountService.getActiveAccountByName(accountName, domainId);
+        if (account != null) {
+            return account.getAccountId();
+        }
         return Account.ACCOUNT_ID_SYSTEM;
     }
 
 
@@ -21,6 +21,7 @@
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseCmd;
@@ -42,6 +43,7 @@ public class QuotaStatementCmd extends BaseCmd {
     @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, required = true, description = "Optional, Account Id for which statement needs to be generated")
     private String accountName;
 
+    @ACL
     @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, required = true, entityType = DomainResponse.class, description = "Optional, If domain Id is given and the caller is domain admin then the statement is generated for domain.")
     private Long domainId;
 
@@ -56,6 +58,7 @@ public class QuotaStatementCmd extends BaseCmd {
     @Parameter(name = ApiConstants.TYPE, type = CommandType.INTEGER, description = "List quota usage records for the specified usage type")
     private Integer usageType;
 
+    @ACL
     @Parameter(name = ApiConstants.ACCOUNT_ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "List usage records for the specified account")
     private Long accountId;
 
@@ -112,6 +115,9 @@ public void setStartDate(Date startDate) {
 
     @Override
     public long getEntityOwnerId() {
+        if (accountId != null) {
+            return accountId;
+        }
         Account activeAccountByName = _accountService.getActiveAccountByName(accountName, domainId);
         if (activeAccountByName != null) {
             return activeAccountByName.getAccountId();
 
@@ -454,6 +454,11 @@ public void checkAccess(Account account, AccessType accessType, boolean sameOwne
         // TODO Auto-generated method stub
     }
 
+    @Override
+    public void validateAccountHasAccessToResource(Account account, AccessType accessType, Object resource) {
+        // TODO Auto-generated method stub
+    }
+
     @Override
     public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
         // TODO Auto-generated method stub
 
@@ -46,8 +46,6 @@
 import org.apache.cloudstack.storage.datastore.db.ObjectStoreVO;
 import org.apache.cloudstack.storage.object.BaseObjectStoreDriverImpl;
 import org.apache.cloudstack.storage.object.BucketObject;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import org.twonote.rgwadmin4j.RgwAdmin;
 import org.twonote.rgwadmin4j.RgwAdminBuilder;
 import org.twonote.rgwadmin4j.model.BucketInfo;
@@ -62,7 +60,6 @@
 import java.util.HashMap;
 
 public class CephObjectStoreDriverImpl extends BaseObjectStoreDriverImpl {
-    private static final Logger s_logger = LogManager.getLogger(CephObjectStoreDriverImpl.class);
 
     @Inject
     AccountDao _accountDao;
@@ -168,7 +165,7 @@ public void setBucketPolicy(BucketTO bucket, String policy, long storeId) {
         String policyConfig;
 
         if (policy.equalsIgnoreCase("public")) {
-            s_logger.debug("Setting public policy on bucket " + bucket.getName());
+            logger.debug("Setting public policy on bucket " + bucket.getName());
             StringBuilder builder = new StringBuilder();
             builder.append("{\n");
             builder.append("    \"Statement\": [\n");
@@ -192,7 +189,7 @@ public void setBucketPolicy(BucketTO bucket, String policy, long storeId) {
             builder.append("}\n");
             policyConfig = builder.toString();
         } else {
-            s_logger.debug("Setting private policy on bucket " + bucket.getName());
+            logger.debug("Setting private policy on bucket " + bucket.getName());
             policyConfig = "{\"Version\":\"2012-10-17\",\"Statement\":[]}";
         }
 
@@ -218,15 +215,15 @@ public boolean createUser(long accountId, long storeId) {
         RgwAdmin rgwAdmin = getRgwAdminClient(storeId);
         String username = account.getUuid();
 
-        s_logger.debug("Attempting to create Ceph RGW user for account " + account.getAccountName() + " with UUID " + username);
+        logger.debug("Attempting to create Ceph RGW user for account " + account.getAccountName() + " with UUID " + username);
         try {
             Optional<User> user = rgwAdmin.getUserInfo(username);
             if (user.isPresent()) {
-                s_logger.info("User already exists in Ceph RGW: " + username);
+                logger.info("User already exists in Ceph RGW: " + username);
                 return true;
             }
         } catch (Exception e) {
-            s_logger.debug("User does not exist. Creating user in Ceph RGW: " + username);
+            logger.debug("User does not exist. Creating user in Ceph RGW: " + username);
         }
 
         try {
 
@@ -39,7 +39,7 @@
 
 public class CephObjectStoreLifeCycleImpl implements ObjectStoreLifeCycle {
 
-    private static final Logger s_logger = LogManager.getLogger(CephObjectStoreLifeCycleImpl.class);
+    private Logger logger = LogManager.getLogger(CephObjectStoreLifeCycleImpl.class);
 
     @Inject
     ObjectStoreHelper objectStoreHelper;
@@ -72,7 +72,7 @@ public DataStore initialize(Map<String, Object> dsInfos) {
         objectStoreParameters.put("accesskey", accessKey);
         objectStoreParameters.put("secretkey", secretKey);
 
-        s_logger.info("Attempting to connect to Ceph RGW at " + url + " with access key " + accessKey);
+        logger.info("Attempting to connect to Ceph RGW at " + url + " with access key " + accessKey);
 
         RgwAdmin rgwAdmin = new RgwAdminBuilder()
                 .accessKey(accessKey)
@@ -81,10 +81,10 @@ public DataStore initialize(Map<String, Object> dsInfos) {
                 .build();
         try {
             List<String> buckets = rgwAdmin.listBucket();
-            s_logger.debug("Found " + buckets + " buckets at Ceph RGW: " + url);
-            s_logger.info("Successfully connected to Ceph RGW: " + url);
+            logger.debug("Found " + buckets + " buckets at Ceph RGW: " + url);
+            logger.info("Successfully connected to Ceph RGW: " + url);
         } catch (Exception e) {
-            s_logger.debug("Error while initializing Ceph RGW Object Store: " + e.getMessage());
+            logger.debug("Error while initializing Ceph RGW Object Store: " + e.getMessage());
             throw new RuntimeException("Error while initializing Ceph RGW Object Store. Invalid credentials or URL");
         }
 
 
@@ -47,6 +47,7 @@
 import org.apache.cloudstack.saml.SAML2AuthManager;
 import org.apache.cloudstack.saml.SAMLUtils;
 
+import com.cloud.api.ApiServer;
 import com.cloud.api.response.ApiResponseSerializer;
 import com.cloud.domain.Domain;
 import com.cloud.domain.dao.DomainDao;
@@ -59,6 +60,8 @@
 import com.cloud.user.dao.UserDao;
 import com.cloud.utils.HttpUtils;
 
+import org.apache.commons.lang3.EnumUtils;
+
 @APICommand(name = "listAndSwitchSamlAccount", description = "Lists and switches to other SAML accounts owned by the SAML user", responseObject = SuccessResponse.class, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class ListAndSwitchSAMLAccountCmd extends BaseCmd implements APIAuthenticator {
 
@@ -102,7 +105,9 @@ public String authenticate(final String command, final Map<String, Object[]> par
                     params, responseType));
         }
 
-        if (!HttpUtils.validateSessionKey(session, params, req.getCookies(), ApiConstants.SESSIONKEY)) {
+        HttpUtils.ApiSessionKeyCheckOption sessionKeyCheckOption = EnumUtils.getEnumIgnoreCase(HttpUtils.ApiSessionKeyCheckOption.class,
+                ApiServer.ApiSessionKeyCheckLocations.value(), HttpUtils.ApiSessionKeyCheckOption.CookieAndParameter);
+        if (!HttpUtils.validateSessionKey(session, params, req.getCookies(), ApiConstants.SESSIONKEY, sessionKeyCheckOption)) {
             throw new ServerApiException(ApiErrorCode.UNAUTHORIZED, _apiServer.getSerializedApiError(ApiErrorCode.UNAUTHORIZED.getHttpCode(),
                     "Unauthorized session, please re-login",
                     params, responseType));
 
@@ -73,6 +73,9 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator, PluggableSe
     ConfigKey<Boolean> SAMLCheckSignature = new ConfigKey<Boolean>("Advanced", Boolean.class, "saml2.check.signature", "true",
             "When enabled (default and recommended), SAML2 signature checks are enforced and lack of signature in the SAML SSO response will cause login exception. Disabling this is not advisable but provided for backward compatibility for users who are able to accept the risks.", false);
 
+    ConfigKey<String> SAMLUserSessionKeyPathAttribute = new ConfigKey<String>("Advanced", String.class, "saml2.user.sessionkey.path", "",
+            "The Path attribute of sessionkey cookie when SAML users have logged in. If not set, it will be set to the path of SAML redirection URL (saml2.redirect.url).", true);
+
     SAMLProviderMetadata getSPMetadata();
     SAMLProviderMetadata getIdPMetadata(String entityId);
     Collection<SAMLProviderMetadata> getAllIdPMetadata();