
Conversation

@gpordeus
Collaborator

This PR hides the cloudstack version field of XML responses when the caller is unauthenticated (it checks whether the caller is the SYSTEM account).

It also adds the expose.cloudstack.version.api.list.capabilities setting, to allow hiding the field from the listCapabilities API call, and expose.cloudstack.version.api.xml.response, to allow hiding the field from XML responses; both are true by default so as not to change compatibility.

It does not change the version information in system VMs and VRs.

Fixes: #10072

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Unauthenticated:

<loginresponse>
<errorcode>531</errorcode>
<errortext>
Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator
</errortext>
</loginresponse>

Authenticated and configs:

  • expose.cloudstack.version.api.list.capabilities = true;
    expose.cloudstack.version.api.xml.response = true;
<listcapabilitiesresponse cloud-stack-version="4.21.0.0-SNAPSHOT">
<capability>
<securitygroupsenabled>false</securitygroupsenabled>
<dynamicrolesenabled>true</dynamicrolesenabled>
<cloudstackversion>4.21.0.0-SNAPSHOT</cloudstackversion>
<userpublictemplateenabled>true</userpublictemplateenabled>
<supportELB>false</supportELB>
<projectinviterequired>false</projectinviterequired>
<allowusercreateprojects>true</allowusercreateprojects>
<customdiskofferingminsize>1</customdiskofferingminsize>
<customdiskofferingmaxsize>1024</customdiskofferingmaxsize>
<regionsecondaryenabled>false</regionsecondaryenabled>
<kvmsnapshotenabled>false</kvmsnapshotenabled>
<allowuserviewdestroyedvm>true</allowuserviewdestroyedvm>
<allowuserexpungerecovervm>true</allowuserexpungerecovervm>
<allowuserexpungerecovervolume>true</allowuserexpungerecovervolume>
<allowuserviewalldomainaccounts>false</allowuserviewalldomainaccounts>
<allowuserforcestopvm>true</allowuserforcestopvm>
<kubernetesserviceenabled>true</kubernetesserviceenabled>
<kubernetesclusterexperimentalfeaturesenabled>false</kubernetesclusterexperimentalfeaturesenabled>
<customhypervisordisplayname>Custom</customhypervisordisplayname>
<defaultuipagesize>20</defaultuipagesize>
<instancesstatsretentiontime>720</instancesstatsretentiontime>
<instancesstatsuseronly>false</instancesstatsuseronly>
<instancesdisksstatsretentionenabled>false</instancesdisksstatsretentionenabled>
<instancesdisksstatsretentiontime>720</instancesdisksstatsretentiontime>
<sharedfsvmmincpucount>2</sharedfsvmmincpucount>
<sharedfsvmminramsize>1024</sharedfsvmminramsize>
</capability>
</listcapabilitiesresponse>
  • expose.cloudstack.version.api.list.capabilities = false;
    expose.cloudstack.version.api.xml.response = false;
<listcapabilitiesresponse>
<capability>
<securitygroupsenabled>false</securitygroupsenabled>
<dynamicrolesenabled>true</dynamicrolesenabled>
<userpublictemplateenabled>true</userpublictemplateenabled>
<supportELB>false</supportELB>
<projectinviterequired>false</projectinviterequired>
<allowusercreateprojects>true</allowusercreateprojects>
<customdiskofferingminsize>1</customdiskofferingminsize>
<customdiskofferingmaxsize>1024</customdiskofferingmaxsize>
<regionsecondaryenabled>false</regionsecondaryenabled>
<kvmsnapshotenabled>false</kvmsnapshotenabled>
<allowuserviewdestroyedvm>true</allowuserviewdestroyedvm>
<allowuserexpungerecovervm>true</allowuserexpungerecovervm>
<allowuserexpungerecovervolume>true</allowuserexpungerecovervolume>
<allowuserviewalldomainaccounts>false</allowuserviewalldomainaccounts>
<allowuserforcestopvm>true</allowuserforcestopvm>
<kubernetesserviceenabled>true</kubernetesserviceenabled>
<kubernetesclusterexperimentalfeaturesenabled>false</kubernetesclusterexperimentalfeaturesenabled>
<customhypervisordisplayname>Custom</customhypervisordisplayname>
<defaultuipagesize>20</defaultuipagesize>
<instancesstatsretentiontime>720</instancesstatsretentiontime>
<instancesstatsuseronly>false</instancesstatsuseronly>
<instancesdisksstatsretentionenabled>false</instancesdisksstatsretentionenabled>
<instancesdisksstatsretentiontime>720</instancesdisksstatsretentiontime>
<sharedfsvmmincpucount>2</sharedfsvmmincpucount>
<sharedfsvmminramsize>1024</sharedfsvmminramsize>
</capability>
</listcapabilitiesresponse>

How did you try to break this feature and the system with this change?

@codecov

codecov bot commented Mar 15, 2025

Codecov Report

Attention: Patch coverage is 15.38462% with 11 lines in your changes missing coverage. Please review.

Project coverage is 16.26%. Comparing base (9c6f2a9) to head (5d18410).
Report is 275 commits behind head on main.

Files with missing lines Patch % Lines
.../com/cloud/api/response/ApiResponseSerializer.java 0.00% 8 Missing ⚠️
...in/java/com/cloud/server/ManagementServerImpl.java 40.00% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##               main   #10575   +/-   ##
=========================================
  Coverage     16.26%   16.26%           
+ Complexity    13388    13387    -1     
=========================================
  Files          5674     5674           
  Lines        498929   498938    +9     
  Branches      60338    60341    +3     
=========================================
+ Hits          81154    81157    +3     
- Misses       408736   408741    +5     
- Partials       9039     9040    +1     
Flag Coverage Δ
uitests 3.99% <ø> (ø)
unittests 17.12% <15.38%> (+<0.01%) ⬆️


@winterhazel winterhazel self-requested a review March 16, 2025 01:51
Contributor

@DaanHoogland DaanHoogland left a comment


code looks good @gpordeus, but can I ask you to remove all the log.append() calls and only append sb to log, just before returning at line 211?

Not your doing for sure, but the code looks a bit silly like this.

Member

@winterhazel winterhazel left a comment


Tested manually:

  • Verified that XML responses do not contain the version when the user is not authenticated, independently of expose.cloudstack.version.api.xml.response
  • Verified that XML responses contain the version when user is authenticated and expose.cloudstack.version.api.xml.response is set to true
  • Verified that XML responses do not contain the version when user is authenticated and expose.cloudstack.version.api.xml.response is set to false
  • Verified that listCapabilities returns the version when expose.cloudstack.version.api.list.capabilities is set to true
  • Verified that listCapabilities does not return the version when expose.cloudstack.version.api.list.capabilities is set to false
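The behaviour described in the PR description and in the manual test matrix above can be checked offline against captured responses. The following Python is an added example, not code from this PR or from CloudStack: it parses an XML API response, records where a version string appears (the cloud-stack-version attribute on the root element, or the cloudstackversion element inside listCapabilities), and compares that with what the two settings and the caller's authentication state should produce. The sample responses are constructed, trimmed from the ones shown in the description; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Places a version string can surface in a CloudStack XML API response.
VERSION_ATTR = "cloud-stack-version"   # attribute on the response root element
VERSION_ELEMENT = "cloudstackversion"  # element inside listCapabilities' <capability>


def version_disclosures(xml_text):
    """Return the set of places where the version appears in one XML response:
    'attribute' for the root attribute, 'element' for a <cloudstackversion>
    node; the set is empty when nothing is disclosed."""
    root = ET.fromstring(xml_text)
    found = set()
    if VERSION_ATTR in root.attrib:
        found.add("attribute")
    if root.find(".//" + VERSION_ELEMENT) is not None:
        found.add("element")
    return found


def expected_disclosures(authenticated, xml_response_flag, list_capabilities_flag, is_list_capabilities):
    """Policy as described in the PR: the root attribute is emitted only for an
    authenticated caller and only while expose.cloudstack.version.api.xml.response
    is true; the <cloudstackversion> element belongs to listCapabilities only and
    is emitted only while expose.cloudstack.version.api.list.capabilities is true."""
    expected = set()
    if authenticated and xml_response_flag:
        expected.add("attribute")
    if is_list_capabilities and list_capabilities_flag:
        expected.add("element")
    return expected


def audit_response(xml_text, authenticated, xml_response_flag, list_capabilities_flag):
    """Compare a captured response with the policy. Returns a sorted list of
    findings: 'unexpected:<place>' where the version is present although it
    should be hidden, 'missing:<place>' where it should be present but is not.
    An empty list means the deployment behaves as configured."""
    is_list_caps = ET.fromstring(xml_text).tag == "listcapabilitiesresponse"
    actual = version_disclosures(xml_text)
    expected = expected_disclosures(authenticated, xml_response_flag,
                                    list_capabilities_flag, is_list_caps)
    findings = ["unexpected:" + p for p in actual - expected]
    findings += ["missing:" + p for p in expected - actual]
    return sorted(findings)


# Constructed samples, trimmed from the responses shown in the PR description.
UNAUTH_LOGIN_ERROR = """<loginresponse>
<errorcode>531</errorcode>
<errortext>Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator</errortext>
</loginresponse>"""

LIST_CAPS_EXPOSED = """<listcapabilitiesresponse cloud-stack-version="4.21.0.0-SNAPSHOT">
<capability>
<securitygroupsenabled>false</securitygroupsenabled>
<cloudstackversion>4.21.0.0-SNAPSHOT</cloudstackversion>
</capability>
</listcapabilitiesresponse>"""

LIST_CAPS_HIDDEN = """<listcapabilitiesresponse>
<capability>
<securitygroupsenabled>false</securitygroupsenabled>
</capability>
</listcapabilitiesresponse>"""

# Constructed counter-example: the attribute is present although the caller is unauthenticated.
UNAUTH_LEAK = """<loginresponse cloud-stack-version="4.21.0.0-SNAPSHOT">
<errorcode>531</errorcode>
</loginresponse>"""

if __name__ == "__main__":
    cases = [
        ("unauthenticated login error", UNAUTH_LOGIN_ERROR, False, True, True),
        ("authenticated, both flags true", LIST_CAPS_EXPOSED, True, True, True),
        ("authenticated, both flags false", LIST_CAPS_HIDDEN, True, False, False),
        ("unauthenticated response carrying the attribute", UNAUTH_LEAK, False, True, True),
    ]
    for name, xml, auth, xml_flag, caps_flag in cases:
        print(f"{name}: {audit_response(xml, auth, xml_flag, caps_flag) or 'ok'}")
```

Each row of the reviewer's matrix maps to one call of audit_response with the matching flag values; running it over responses captured from a real deployment, with the flags read from its global settings, turns the manual checks into a repeatable configuration audit.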

@gpordeus
Collaborator Author

@DaanHoogland
I went over it, and the reason for the duplicated builders is that they have different Gson strategies (ApiResponseExclusionStrategy vs LogExclusionStrategy in ApiResponseGsonHelper); the response strategy checks for user permission, while the log strategy hides fields with "isSensitive". So, if we append after serializeResponseObjXML, we'd have passwords being logged.

While I agree it is silly, it would take bigger changes to clean it up and demand more testing.
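To illustrate the point in the reply above, that the response serializer and the log serializer cannot share one output because only the log strategy masks sensitive fields, here is an added Python example that is not CloudStack's code and does not use Gson: a response object whose per-field metadata stands in for the project's annotations (the names AccountResponse, sensitive and admin_only are assumptions), one serializer that applies only the permission filter, one that also masks sensitive values, and a check that a log line never carries a credential verbatim.

```python
import json
from dataclasses import dataclass, field, fields


# Hypothetical response object. The 'sensitive' and 'admin_only' metadata keys
# play the role of the per-field annotations a real API layer would carry.
@dataclass
class AccountResponse:
    name: str
    apikey: str = field(metadata={"sensitive": True})
    secretkey: str = field(metadata={"sensitive": True})
    hostname: str = field(metadata={"admin_only": True})


def _visible_fields(obj, caller_is_admin):
    """Permission filter shared by both strategies: admin-only fields are dropped
    for non-admin callers."""
    return [f for f in fields(obj)
            if caller_is_admin or not f.metadata.get("admin_only")]


def serialize_response(obj, caller_is_admin):
    """Response strategy: filter by permission only. Sensitive values stay in,
    because the caller is entitled to them (e.g. their own API keys)."""
    out = {f.name: getattr(obj, f.name) for f in _visible_fields(obj, caller_is_admin)}
    return json.dumps(out, sort_keys=True)


def serialize_for_log(obj, caller_is_admin):
    """Log strategy: same permission filter, but every sensitive field is
    masked, so a log line never contains a credential."""
    out = {}
    for f in _visible_fields(obj, caller_is_admin):
        out[f.name] = "***" if f.metadata.get("sensitive") else getattr(obj, f.name)
    return json.dumps(out, sort_keys=True)


def contains_secret(text, obj):
    """True if any sensitive value of obj appears verbatim in text. Use it as a
    guard on whatever string is about to be appended to the log."""
    return any(str(getattr(obj, f.name)) in text
               for f in fields(obj) if f.metadata.get("sensitive"))


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    acct = AccountResponse("alice", "AKIA-EXAMPLE-KEY", "example-secret-value", "mgmt01")
    response = serialize_response(acct, caller_is_admin=True)
    log_line = serialize_for_log(acct, caller_is_admin=True)
    print("response leaks secret if logged:", contains_secret(response, acct))
    print("log line contains secret:", contains_secret(log_line, acct))
```

Appending the already serialized response to the log, as the review suggested, would be the first case; the second serialization pass is what keeps the credential out of the log file.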

@JoaoJandre
Contributor

@blueorangutan package

@blueorangutan

@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13583

@DaanHoogland
Contributor

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian Build Failed (tid-13461)

@JoaoJandre
Contributor

@blueorangutan package

@blueorangutan

@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14044

@DaanHoogland
Contributor

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-13692)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 89457 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10575-t13692-kvm-ol8.zip
Smoke tests completed. 102 look OK, 39 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_nic_secondaryip_add_remove Error 21.84 test_multipleips_per_nic.py
test_network_acl Error 2.40 test_network_acl.py
test_01_verify_ipv6_network Error 3.23 test_network_ipv6.py
test_01_verify_ipv6_network Error 3.23 test_network_ipv6.py
test_03_network_operations_on_created_vm_of_otheruser Error 2.61 test_network_permissions.py
test_03_network_operations_on_created_vm_of_otheruser Error 2.61 test_network_permissions.py
test_04_deploy_vm_for_other_user_and_test_vm_operations Failure 1.49 test_network_permissions.py
ContextSuite context=TestNetworkPermissions>:teardown Error 1.52 test_network_permissions.py
test_delete_account Error 21.95 test_network.py
test_delete_network_while_vm_on_it Error 2.45 test_network.py
test_delete_network_while_vm_on_it Error 2.45 test_network.py
test_deploy_vm_l2network Error 2.52 test_network.py
test_deploy_vm_l2network Error 2.52 test_network.py
test_l2network_restart Error 2.57 test_network.py
test_l2network_restart Error 2.58 test_network.py
ContextSuite context=TestL2Networks>:teardown Error 3.70 test_network.py
ContextSuite context=TestPortForwarding>:setup Error 10.83 test_network.py
ContextSuite context=TestPublicIP>:setup Error 11.77 test_network.py
test_reboot_router Error 6.99 test_network.py
test_releaseIP Error 6.54 test_network.py
test_releaseIP_using_IP Error 6.68 test_network.py
ContextSuite context=TestRouterRules>:setup Error 13.72 test_network.py
test_01_deployVMInSharedNetwork Failure 1.27 test_network.py
test_02_verifyRouterIpAfterNetworkRestart Failure 1.10 test_network.py
test_03_destroySharedNetwork Failure 1.09 test_network.py
ContextSuite context=TestSharedNetwork>:teardown Error 1.19 test_network.py
test_01_deployVMInSharedNetwork Failure 1.29 test_network.py
ContextSuite context=TestSharedNetworkWithConfigDrive>:teardown Error 2.38 test_network.py
test_01_nic Error 55.51 test_nic.py
test_01_non_strict_host_anti_affinity Error 2.53 test_nonstrict_affinity_group.py
test_02_non_strict_host_affinity Error 2.49 test_nonstrict_affinity_group.py
ContextSuite context=TestIsolatedNetworksPasswdServer>:setup Error 0.00 test_password_server.py
test_01_isolated_persistent_network Error 0.24 test_persistent_network.py
test_02_L2_persistent_network Error 1.27 test_persistent_network.py
test_03_deploy_and_destroy_VM_and_verify_network_resources_persist Failure 2.48 test_persistent_network.py
test_03_deploy_and_destroy_VM_and_verify_network_resources_persist Error 2.49 test_persistent_network.py
ContextSuite context=TestL2PersistentNetworks>:teardown Error 2.54 test_persistent_network.py
test_01_create_delete_portforwarding_fornonvpc Error 6.94 test_portforwardingrules.py
test_01_add_primary_storage_disabled_host Error 0.23 test_primary_storage.py
test_01_primary_storage_nfs Error 0.18 test_primary_storage.py
ContextSuite context=TestStorageTags>:setup Error 0.32 test_primary_storage.py
test_01_primary_storage_scope_change Error 0.09 test_primary_storage_scope.py
test_01_vpc_privategw_acl Failure 9.04 test_privategw_acl.py
test_02_vpc_privategw_static_routes Failure 8.50 test_privategw_acl.py
test_03_vpc_privategw_restart_vpc_cleanup Failure 8.29 test_privategw_acl.py
test_04_rvpc_privategw_static_routes Failure 7.55 test_privategw_acl.py
test_09_project_suspend Error 2.58 test_projects.py
test_10_project_activation Error 2.49 test_projects.py
test_01_purge_expunged_api_vm_start_date Error 3.60 test_purge_expunged_vms.py
test_02_purge_expunged_api_vm_end_date Error 2.62 test_purge_expunged_vms.py
test_03_purge_expunged_api_vm_start_end_date Error 2.10 test_purge_expunged_vms.py
test_04_purge_expunged_api_vm_no_date Error 3.13 test_purge_expunged_vms.py
test_05_purge_expunged_vm_service_offering Error 1.49 test_purge_expunged_vms.py
test_06_purge_expunged_vm_background_task Error 357.45 test_purge_expunged_vms.py
test_CRUD_operations_userdata Error 1523.90 test_register_userdata.py
test_deploy_vm_with_registered_userdata Error 8.94 test_register_userdata.py
test_deploy_vm_with_registered_userdata_with_override_policy_allow Error 8.50 test_register_userdata.py
test_deploy_vm_with_registered_userdata_with_override_policy_append Error 8.15 test_register_userdata.py
test_deploy_vm_with_registered_userdata_with_override_policy_deny Error 7.46 test_register_userdata.py
test_deploy_vm_with_registered_userdata_with_params Error 8.22 test_register_userdata.py
test_link_and_unlink_userdata_to_template Error 7.51 test_register_userdata.py
test_user_userdata_crud Error 8.58 test_register_userdata.py
ContextSuite context=TestResetVmOnReboot>:setup Error 0.00 test_reset_vm_on_reboot.py
ContextSuite context=TestRAMCPUResourceAccounting>:setup Error 0.00 test_resource_accounting.py
ContextSuite context=TestResourceNames>:setup Error 0.00 test_resource_names.py
ContextSuite context=TestRestoreVM>:setup Error 0.00 test_restore_vm.py
ContextSuite context=TestRouterDHCPHosts>:setup Error 0.00 test_router_dhcphosts.py
ContextSuite context=TestRouterDHCPOpts>:setup Error 0.00 test_router_dhcphosts.py
ContextSuite context=TestRouterDns>:setup Error 0.00 test_router_dns.py
ContextSuite context=TestRouterDnsService>:setup Error 0.00 test_router_dnsservice.py
ContextSuite context=TestRouterIpTablesPolicies>:setup Error 0.00 test_routers_iptables_default_policy.py
ContextSuite context=TestVPCIpTablesPolicies>:setup Error 0.00 test_routers_iptables_default_policy.py
test_01_migrate_vm_strict_tags_success Error 0.23 test_vm_strict_host_tags.py
test_02_migrate_vm_strict_tags_failure Error 0.22 test_vm_strict_host_tags.py
test_01_restore_vm_strict_tags_success Error 0.23 test_vm_strict_host_tags.py
test_02_restore_vm_strict_tags_failure Error 0.22 test_vm_strict_host_tags.py
test_01_scale_vm_strict_tags_success Error 0.26 test_vm_strict_host_tags.py
test_02_scale_vm_strict_tags_failure Error 0.29 test_vm_strict_host_tags.py
test_01_deploy_vm_on_specific_host_without_strict_tags Error 0.25 test_vm_strict_host_tags.py
test_02_deploy_vm_on_any_host_without_strict_tags Error 2.88 test_vm_strict_host_tags.py
test_03_deploy_vm_on_specific_host_with_strict_tags_success Error 0.25 test_vm_strict_host_tags.py
test_04_deploy_vm_on_any_host_with_strict_tags_success Error 4.90 test_vm_strict_host_tags.py
test_05_deploy_vm_on_specific_host_with_strict_tags_failure Failure 0.26 test_vm_strict_host_tags.py
ContextSuite context=TestIsolatedNetworks>:setup Error 0.00 test_routers_network_ops.py
ContextSuite context=TestRedundantIsolateNetworks>:setup Error 0.00 test_routers_network_ops.py
ContextSuite context=TestRouterServices>:setup Error 0.00 test_routers.py
test_01_sys_vm_start Failure 0.10 test_secondary_storage.py
ContextSuite context=TestCpuCapServiceOfferings>:setup Error 0.00 test_service_offerings.py
ContextSuite context=TestServiceOfferings>:setup Error 0.31 test_service_offerings.py
ContextSuite context=TestSetSourceNatIp>:setup Error 0.00 test_set_sourcenat.py
ContextSuite context=TestSharedFSLifecycle>:setup Error 0.00 test_sharedfs_lifecycle.py
ContextSuite context=TestSnapshotRootDisk>:setup Error 0.00 test_snapshots.py
ContextSuite context=TestSnapshotStandaloneBackup>:setup Error 0.00 test_snapshots.py
test_01_list_sec_storage_vm Failure 0.04 test_ssvm.py
test_02_list_cpvm_vm Failure 0.04 test_ssvm.py
test_03_ssvm_internals Failure 0.03 test_ssvm.py
test_04_cpvm_internals Failure 0.04 test_ssvm.py
test_05_stop_ssvm Failure 0.04 test_ssvm.py
test_06_stop_cpvm Failure 0.03 test_ssvm.py
test_07_reboot_ssvm Failure 0.05 test_ssvm.py
test_08_reboot_cpvm Failure 0.03 test_ssvm.py
test_09_reboot_ssvm_forced Failure 0.03 test_ssvm.py
test_10_reboot_cpvm_forced Failure 0.03 test_ssvm.py
test_11_destroy_ssvm Failure 0.04 test_ssvm.py
test_12_destroy_cpvm Failure 0.04 test_ssvm.py
ContextSuite context=TestVMWareStoragePolicies>:setup Error 0.00 test_storage_policy.py
test_02_create_template_with_checksum_sha1 Error 65.71 test_templates.py
test_03_create_template_with_checksum_sha256 Error 65.63 test_templates.py
test_04_create_template_with_checksum_md5 Error 65.68 test_templates.py
test_05_create_template_with_no_checksum Error 65.65 test_templates.py
test_01_register_template_direct_download_flag Error 0.05 test_templates.py
test_02_deploy_vm_from_direct_download_template Error 0.00 test_templates.py
test_03_deploy_vm_wrong_checksum Error 0.05 test_templates.py
ContextSuite context=TestTemplates>:setup Error 13.48 test_templates.py
ContextSuite context=TestISOUsage>:setup Error 0.00 test_usage.py
ContextSuite context=TestLBRuleUsage>:setup Error 0.00 test_usage.py
ContextSuite context=TestNatRuleUsage>:setup Error 0.00 test_usage.py
ContextSuite context=TestPublicIPUsage>:setup Error 0.00 test_usage.py
ContextSuite context=TestSnapshotUsage>:setup Error 0.00 test_usage.py
ContextSuite context=TestVmUsage>:setup Error 0.00 test_usage.py
ContextSuite context=TestVolumeUsage>:setup Error 0.00 test_usage.py
ContextSuite context=TestVpnUsage>:setup Error 0.00 test_usage.py
test_01_scale_up_verify Failure 35.05 test_vm_autoscaling.py
test_02_update_vmprofile_and_vmgroup Failure 244.63 test_vm_autoscaling.py
test_03_scale_down_verify Failure 304.66 test_vm_autoscaling.py
test_04_stop_remove_vm_in_vmgroup Failure 0.03 test_vm_autoscaling.py
test_06_autoscaling_vmgroup_on_project_network Failure 43.85 test_vm_autoscaling.py
test_06_autoscaling_vmgroup_on_project_network Error 43.85 test_vm_autoscaling.py
test_07_autoscaling_vmgroup_on_vpc_network Error 1.23 test_vm_autoscaling.py
ContextSuite context=TestVmAutoScaling>:teardown Error 7.15 test_vm_autoscaling.py
test_01_deploy_vm_on_specific_host Error 0.11 test_vm_deployment_planner.py
test_02_deploy_vm_on_specific_cluster Error 1.36 test_vm_deployment_planner.py
test_03_deploy_vm_on_specific_pod Error 1.31 test_vm_deployment_planner.py
test_04_deploy_vm_on_host_override_pod_and_cluster Error 0.12 test_vm_deployment_planner.py
test_05_deploy_vm_on_cluster_override_pod Error 1.29 test_vm_deployment_planner.py
test_01_migrate_VM_and_root_volume Error 100.61 test_vm_life_cycle.py
test_02_migrate_VM_with_two_data_disks Error 53.86 test_vm_life_cycle.py
test_01_secure_vm_migration Error 81.34 test_vm_life_cycle.py
test_02_unsecure_vm_migration Error 223.92 test_vm_life_cycle.py
test_04_nonsecured_to_secured_vm_migration Error 153.72 test_vm_life_cycle.py
test_08_migrate_vm Error 0.07 test_vm_life_cycle.py

@nvazquez
Contributor

@blueorangutan package

@blueorangutan

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14139

@nvazquez
Contributor

@blueorangutan test

@blueorangutan

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-13753)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 54320 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10575-t13753-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_deployVMInSharedNetwork Failure 406.41 test_network.py

@DaanHoogland
Contributor

No response from the original author, but it looks ready, @nvazquez, and it had been marked so by @winterhazel. Merging.

@DaanHoogland DaanHoogland merged commit 6059724 into apache:main Jul 14, 2025
24 of 25 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Apache CloudStack 4.21.0 Jul 14, 2025
dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request Jul 16, 2025


Development

Successfully merging this pull request may close these issues.

Unauthenticated API Request show Cloudstack Version
