small refactors on account manager #11784

Original file line number	Diff line number	Diff line change
Expand Up		@@ -86,7 +86,6 @@
		import org.apache.commons.codec.binary.Base64;
		import org.apache.commons.collections.CollectionUtils;
		import org.apache.commons.lang3.BooleanUtils;
	import org.apache.commons.lang3.StringUtils;
		import org.jetbrains.annotations.NotNull;
		import org.springframework.beans.factory.NoSuchBeanDefinitionException;

Expand Down Expand Up		@@ -177,6 +176,7 @@
		import com.cloud.utils.ConstantTimeComparator;
		import com.cloud.utils.NumbersUtil;
		import com.cloud.utils.Pair;
	import com.cloud.utils.StringUtils;
		import com.cloud.utils.Ternary;
		import com.cloud.utils.UuidUtils;
		import com.cloud.utils.component.ComponentContext;
Expand Down Expand Up		@@ -592,10 +592,9 @@ public boolean isAdmin(Long accountId) {
		}
		if ((isRootAdmin(accountId)) \|\| (isDomainAdmin(accountId)) \|\| (isResourceDomainAdmin(accountId))) {
		return true;
	} else if (acct.getType() == Account.Type.READ_ONLY_ADMIN) {
	return true;
	} else {
	return acct.getType() == Account.Type.READ_ONLY_ADMIN;
		}

		}
		return false;
		}
Expand Down Expand Up		@@ -649,10 +648,7 @@ public boolean isDomainAdmin(Long accountId) {
		@Override
		public boolean isNormalUser(long accountId) {
		AccountVO acct = _accountDao.findById(accountId);
	if (acct != null && acct.getType() == Account.Type.NORMAL) {
	return true;
	}
	return false;
	return acct != null && acct.getType() == Account.Type.NORMAL;
		}

		@Override
Expand Down Expand Up		@@ -683,10 +679,7 @@ public boolean isInternalAccount(long accountId) {
		if (account == null) {
		return false; //account is deleted or does not exist
		}
	if (isRootAdmin(accountId) \|\| (account.getType() == Account.Type.ADMIN)) {
	return true;
	}
	return false;
	return isRootAdmin(accountId) \|\| (account.getType() == Account.Type.ADMIN);
		}

		@Override
Expand Down Expand Up		@@ -736,12 +729,7 @@ public void checkAccess(Account caller, AccessType accessType, boolean sameOwner
		HashMap<Long, List<ControlledEntity>> domains = new HashMap<>();

		for (ControlledEntity entity : entities) {
	long domainId = entity.getDomainId();
	if (entity.getAccountId() != -1 && domainId == -1) { // If account exists domainId should too so calculate
	// it. This condition might be hit for templates or entities which miss domainId in their tables
	Account account = ApiDBUtils.findAccountById(entity.getAccountId());
	domainId = account != null ? account.getDomainId() : -1;
	}
	long domainId = getDomainIdFor(entity);
		if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate)
		&& !(entity instanceof Network && accessType != null && (accessType == AccessType.UseEntry \|\| accessType == AccessType.OperateEntry))
		&& !(entity instanceof AffinityGroup) && !(entity instanceof VirtualRouter)) {
Expand Down Expand Up		@@ -793,6 +781,17 @@ public void checkAccess(Account caller, AccessType accessType, boolean sameOwner

		}

	private static long getDomainIdFor(ControlledEntity entity) {
Copy link Collaborator @hsato03 hsato03 Dec 9, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Suggested change private staticlong getDomainIdFor(ControlledEntity entity) { private long getDomainIdFor(ControlledEntity entity) { Can `static` be removed? Copy link Contributor Author @DaanHoogland DaanHoogland Dec 10, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. sure, I think it can. Any pressing reason? It is a bit of a utility method and has no bearing on the manager internals. Copy link Collaborator @hsato03 hsato03 Dec 10, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. I don't think the keyword is useful here, but it's just a nitpicking. ;)
	long domainId = entity.getDomainId();
	if (entity.getAccountId() != -1 && domainId == -1) {
	// If account exists domainId should too so calculate it.
	// This condition might be hit for templates or entities which miss domainId in their tables
	Account account = ApiDBUtils.findAccountById(entity.getAccountId());
	domainId = account != null ? account.getDomainId() : -1;
	}
	return domainId;
	}

		@Override
		public void validateAccountHasAccessToResource(Account account, AccessType accessType, Object resource) {
		Class<?> resourceClass = resource.getClass();
Expand Down Expand Up		@@ -2830,11 +2829,11 @@ public UserAccount authenticateUser(final String username, final String password
		final Boolean ApiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value();

		if (ApiSourceCidrChecksEnabled) {
	logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs);
	logger.debug("CIDRs from which account '{}' is allowed to perform API calls: {}", account, accessAllowedCidrs);

		// Block when is not in the list of allowed IPs
		if (!NetUtils.isIpInCidrList(loginIpAddress, accessAllowedCidrs.split(","))) {
	logger.warn("Request by account '" + account.toString() + "' was denied since " + loginIpAddress.toString().replace("/", "") + " does not match " + accessAllowedCidrs);
	logger.warn("Request by account '{}' was denied since {} does not match {}", account , loginIpAddress.toString().replace("/", ""), accessAllowedCidrs);
Copy link Copilot AI Dec 12, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. There's an extra space before the comma after the first placeholder. The code has "account ," but it should be "account," for consistent formatting. Suggested change logger.warn("Request by account '{}' was denied since {} does not match {}", account, loginIpAddress.toString().replace("/", ""), accessAllowedCidrs); logger.warn("Request by account '{}' was denied since {} does not match {}", account, loginIpAddress.toString().replace("/", ""), accessAllowedCidrs); Copilot uses AI. Check for mistakes.
		throw new CloudAuthenticationException("Failed to authenticate user '" + username + "' in domain '" + domain.getPath() + "' from ip "
		+ loginIpAddress.toString().replace("/", "") + "; please provide valid credentials");
		}
Expand Down Expand Up		@@ -3007,7 +3006,7 @@ private UserAccount getUserAccountForSSO(String username, Long domainId, Map<Str
		if (unsignedRequestBuffer.length() != 0) {
		unsignedRequestBuffer.append("&");
		}
	unsignedRequestBuffer.append(paramName).append("=").append(URLEncoder.encode(paramValue, "UTF-8"));
	unsignedRequestBuffer.append(paramName).append("=").append(URLEncoder.encode(paramValue, StringUtils.getPreferredCharset()));
DaanHoogland marked this conversation as resolved. Show resolved Hide resolved
		}
		}

Expand Down

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

small refactors on account manager #11784

Are you sure you want to change the base?

small refactors on account manager #11784

Filter by extension

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

@hsato03 hsato03 Dec 9, 2025

Choose a reason for hiding this comment

Uh oh!

@DaanHoogland DaanHoogland Dec 10, 2025

Choose a reason for hiding this comment

Uh oh!

@hsato03 hsato03 Dec 10, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!