Merge release branch 4.14 to 4.15

Daan Hoogland · Daan Hoogland · commit 66d49c5c0de9 · 2021-02-02T09:16:34.000Z
* 4.14: server: prevent update vm read-only details (#4629)
diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
@@ -2529,12 +2529,16 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx
         final List<String> userBlacklistedSettings = Stream.of(QueryService.UserVMBlacklistedDetails.value().split(","))
                 .map(item -> (item).trim())
                 .collect(Collectors.toList());
+        final List<String> userReadOnlySettings = Stream.of(QueryService.UserVMReadOnlyUIDetails.value().split(","))
+                .map(item -> (item).trim())
+                .collect(Collectors.toList());
         if (cleanupDetails){
             if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
                 userVmDetailsDao.removeDetails(id);
             } else {
                 for (final UserVmDetailVO detail : userVmDetailsDao.listDetails(id)) {
-                    if (detail != null && !userBlacklistedSettings.contains(detail.getName())) {
+                    if (detail != null && !userBlacklistedSettings.contains(detail.getName())
+                            && !userReadOnlySettings.contains(detail.getName())) {
                         userVmDetailsDao.removeDetail(id, detail.getName());
                     }
                 }
@@ -2546,15 +2550,18 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx
                 }
 
                 if (caller != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-                    // Ensure blacklisted detail is not passed by non-root-admin user
+                    // Ensure blacklisted or read-only detail is not passed by non-root-admin user
                     for (final String detailName : details.keySet()) {
                         if (userBlacklistedSettings.contains(detailName)) {
                             throw new InvalidParameterValueException("You're not allowed to add or edit the restricted setting: " + detailName);
                         }
+                        if (userReadOnlySettings.contains(detailName)) {
+                            throw new InvalidParameterValueException("You're not allowed to add or edit the read-only setting: " + detailName);
+                        }
                     }
-                    // Add any hidden/blacklisted detail
+                    // Add any hidden/blacklisted or read-only detail
                     for (final UserVmDetailVO detail : userVmDetailsDao.listDetails(id)) {
-                        if (userBlacklistedSettings.contains(detail.getName())) {
+                        if (userBlacklistedSettings.contains(detail.getName()) || userReadOnlySettings.contains(detail.getName())) {
                             details.put(detail.getName(), detail.getValue());
                         }
                     }
diff --git a/ui/legacy/scripts/instances.js b/ui/legacy/scripts/instances.js
@@ -3995,9 +3995,15 @@
                                         // It could happen that a stale web page has been opened up when VM was stopped but
                                         // vm was turned on through another route - UI or API. so we should check again.
                                         var existingDetails = virtualMachine.details;
+                                        var readOnlyUIDetails = [];
+                                        if (virtualMachine.readonlyuidetails && virtualMachine.readonlyuidetails.length > 0) {
+                                            $.each(virtualMachine.readonlyuidetails.split(","), function(){
+                                                readOnlyUIDetails.push($.trim(this));
+                                            });
+                                        }
                                         var newDetails = {};
                                         for (d in existingDetails) {
-                                            if (d != data.name) {
+                                            if (d != data.name && $.inArray(d, readOnlyUIDetails) < 0) {
                                                 newDetails['details[0].' + d] = existingDetails[d];
                                             }
                                         }
@@ -4043,9 +4049,15 @@
                                         // vm was turned on through another route - UI or API. so we should check again.
                                         var detailToDelete = args.data.jsonObj.name;
                                         var existingDetails = virtualMachine.details;
+                                        var readOnlyUIDetails = [];
+                                        if (virtualMachine.readonlyuidetails && virtualMachine.readonlyuidetails.length > 0) {
+                                            $.each(virtualMachine.readonlyuidetails.split(","), function(){
+                                                readOnlyUIDetails.push($.trim(this));
+                                            });
+                                        }
                                         var newDetails = {};
                                         for (detail in existingDetails) {
-                                            if (detail != detailToDelete) {
+                                            if (detail != detailToDelete && $.inArray(detail, readOnlyUIDetails) < 0) {
                                                 newDetails['details[0].' + detail] = existingDetails[detail];
                                             }
                                         }
@@ -4078,12 +4090,20 @@
 									var value = args.data.value;
 									
 									var details;
+                                    var readOnlyUIDetails = [];
 									$.ajax({
 										url: createURL('listVirtualMachines&id=' + args.context.instances[0].id),
 										async:false,
 										success: function(json) {
-											var dets = json.listvirtualmachinesresponse.virtualmachine[0].details;
-											details = dets;
+                                            var virtualMachine = json.listvirtualmachinesresponse.virtualmachine[0]
+										    if (virtualMachine) {
+                                                details = virtualMachine.details;
+                                                if (virtualMachine.readonlyuidetails && virtualMachine.readonlyuidetails.length > 0) {
+                                                    $.each(virtualMachine.readonlyuidetails.split(","), function(){
+                                                        readOnlyUIDetails.push($.trim(this));
+                                                    });
+                                                }
+                                            }
 										},
 
 										error: function(json) {
@@ -4093,7 +4113,9 @@
 									
 									var detailsFormat = '';
 									for (key in details) {
-										detailsFormat += "details[0]." + key + "=" + details[key] + "&";
+									    if ($.inArray(key, readOnlyUIDetails) < 0) {
+									        detailsFormat += "details[0]." + key + "=" + details[key] + "&";
+									    }
 									}
 									// Add new detail to the existing ones
 									detailsFormat += "details[0]." + name + "=" + value;

Original file line number	Diff line number	Diff line change
`@@ -2529,12 +2529,16 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx`
`2529`	`2529`	`final List<String> userBlacklistedSettings = Stream.of(QueryService.UserVMBlacklistedDetails.value().split(","))`
`2530`	`2530`	`.map(item -> (item).trim())`
`2531`	`2531`	`.collect(Collectors.toList());`
	`2532`	`+ final List<String> userReadOnlySettings = Stream.of(QueryService.UserVMReadOnlyUIDetails.value().split(","))`
	`2533`	`+ .map(item -> (item).trim())`
	`2534`	`+ .collect(Collectors.toList());`
`2532`	`2535`	`if (cleanupDetails){`
`2533`	`2536`	`if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {`
`2534`	`2537`	`userVmDetailsDao.removeDetails(id);`
`2535`	`2538`	`} else {`
`2536`	`2539`	`for (final UserVmDetailVO detail : userVmDetailsDao.listDetails(id)) {`
`2537`		`- if (detail != null && !userBlacklistedSettings.contains(detail.getName())) {`
	`2540`	`+ if (detail != null && !userBlacklistedSettings.contains(detail.getName())`
	`2541`	`+ && !userReadOnlySettings.contains(detail.getName())) {`
`2538`	`2542`	`userVmDetailsDao.removeDetail(id, detail.getName());`
`2539`	`2543`	`}`
`2540`	`2544`	`}`
`@@ -2546,15 +2550,18 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx`
`2546`	`2550`	`}`
`2547`	`2551`
`2548`	`2552`	`if (caller != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {`
`2549`		`- // Ensure blacklisted detail is not passed by non-root-admin user`
	`2553`	`+ // Ensure blacklisted or read-only detail is not passed by non-root-admin user`
`2550`	`2554`	`for (final String detailName : details.keySet()) {`
`2551`	`2555`	`if (userBlacklistedSettings.contains(detailName)) {`
`2552`	`2556`	`throw new InvalidParameterValueException("You're not allowed to add or edit the restricted setting: " + detailName);`
`2553`	`2557`	`}`
	`2558`	`+ if (userReadOnlySettings.contains(detailName)) {`
	`2559`	`+ throw new InvalidParameterValueException("You're not allowed to add or edit the read-only setting: " + detailName);`
	`2560`	`+ }`
`2554`	`2561`	`}`
`2555`		`- // Add any hidden/blacklisted detail`
	`2562`	`+ // Add any hidden/blacklisted or read-only detail`
`2556`	`2563`	`for (final UserVmDetailVO detail : userVmDetailsDao.listDetails(id)) {`
`2557`		`- if (userBlacklistedSettings.contains(detail.getName())) {`
	`2564`	`+ if (userBlacklistedSettings.contains(detail.getName()) \|\| userReadOnlySettings.contains(detail.getName())) {`
`2558`	`2565`	`details.put(detail.getName(), detail.getValue());`
`2559`	`2566`	`}`
`2560`	`2567`	`}`