fix users being able to delete keypairs by updating their keys

Author: bernardodemarco

engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairDaoImpl.java

@@ -85,24 +85,4 @@ public Pair<List<ApiKeyPairVO>, Integer> listByUserIdsPaginated(List<Long> userI
         }
         return apiKeyPairVOList;
     }
-
-    @Override
-    public boolean update(Long id, ApiKeyPairVO apiKeyPair) {
-        ApiKeyPairVO ub = createForUpdate();
-
-        ub.setUuid(apiKeyPair.getUuid());
-        ub.setUserId(apiKeyPair.getUserId());
-        ub.setName(apiKeyPair.getName());
-        ub.setDomainId(apiKeyPair.getDomainId());
-        ub.setAccountId(apiKeyPair.getAccountId());
-        ub.setStartDate(apiKeyPair.getStartDate());
-        ub.setEndDate(apiKeyPair.getEndDate());
-        ub.setCreated(apiKeyPair.getCreated());
-        ub.setDescription(apiKeyPair.getDescription());
-        ub.setApiKey(apiKeyPair.getApiKey());
-        ub.setSecretKey(apiKeyPair.getSecretKey());
-        ub.setRemoved(apiKeyPair.getRemoved());
-
-        return super.update(id, ub);
-    }
 }

server/src/main/java/com/cloud/api/query/QueryManagerImpl.java

@@ -43,7 +43,6 @@
 import com.cloud.user.UserVO;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleVO;
-import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
 import org.apache.cloudstack.acl.dao.RoleDao;
 import com.cloud.dc.Pod;
 import com.cloud.dc.dao.DataCenterDao;
@@ -56,7 +55,6 @@
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.dao.ApiKeyPairDao;
 import org.apache.cloudstack.affinity.AffinityGroupDomainMapVO;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.affinity.AffinityGroupVMMapVO;
@@ -656,12 +654,6 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
     @Inject
     ExtensionHelper extensionHelper;
 
-    @Inject
-    ApiKeyPairDao apiKeyPairDao;
-
-    @Inject
-    ApiKeyPairService apiKeyPairService;
-
     @Inject
     RoleDao roleDao;
 

server/src/main/java/com/cloud/server/ManagementServerImpl.java

@@ -47,7 +47,6 @@
 import com.cloud.network.vpc.VpcVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.dao.ApiKeyPairDao;
 import org.apache.cloudstack.affinity.AffinityGroupProcessor;
 import org.apache.cloudstack.affinity.dao.AffinityGroupVMMapDao;
 import org.apache.cloudstack.annotation.AnnotationService;
@@ -984,8 +983,6 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
     @Inject
     protected SSHKeyPairDao _sshKeyPairDao;
     @Inject
-    protected ApiKeyPairDao _apiKeyPairDao;
-    @Inject
     private LoadBalancerDao _loadbalancerDao;
     @Inject
     private HypervisorCapabilitiesDao _hypervisorCapabilitiesDao;

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -1619,7 +1619,7 @@ public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
 
         logger.debug("Updating user {}", user);
 
-        ApiKeyPairVO keyPair = validateAndUpdateApiAndSecretKeyIfNeeded(updateUserCmd, user);
+        validateAndUpdateApiAndSecretKeyIfNeeded(updateUserCmd, user);
         validateAndUpdateUserApiKeyAccess(updateUserCmd, user);
 
         validateAndUpdateFirstNameIfNeeded(updateUserCmd, user);
@@ -1640,9 +1640,6 @@ public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
             user.setUser2faEnabled(true);
         }
         validateAndUpdatePasswordChangeRequired(caller, updateUserCmd, user, account);
-        if (keyPair != null) {
-            apiKeyPairDao.update(keyPair.getId(), keyPair);
-        }
         _userDao.update(user.getId(), user);
         return userAccountDao.findById(user.getId());
     }
@@ -1946,7 +1943,7 @@ protected Account getCurrentCallingAccount() {
      * <li>If a pair of keys is provided, we validate to see if there is an user already using the provided API key. If there is someone else using, we throw an {@link InvalidParameterValueException} because two users cannot have the same API key.
      * </ul>
      */
-    protected ApiKeyPairVO validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmd updateUserCmd, UserVO user) {
+    protected void validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmd updateUserCmd, UserVO user) {
         String apiKey = updateUserCmd.getApiKey();
         String secretKey = updateUserCmd.getSecretKey();
 
@@ -1956,7 +1953,7 @@ protected ApiKeyPairVO validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmd up
             throw new InvalidParameterValueException("Please provide a userApiKey/userSecretKey pair");
         }
         if (isApiKeyBlank && isSecretKeyBlank) {
-            return null;
+            return;
         }
         Ternary<User, Account, ApiKeyPair> keyPairTernary = findUserByApiKey(apiKey);
         if (keyPairTernary == null) {
@@ -1969,15 +1966,9 @@ protected ApiKeyPairVO validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmd up
         }
 
         ApiKeyPairVO keyPair = (ApiKeyPairVO) keyPairTernary.third();
-
-        Account account = _accountDao.findById(user.getAccountId());
         keyPair.setApiKey(apiKey);
         keyPair.setSecretKey(secretKey);
-        keyPair.setDomainId(account.getDomainId());
-        keyPair.setUserId(user.getId());
-        keyPair.setAccountId(account.getId());
-        keyPair.setName(keyPair.getUuid());
-        return keyPair;
+        apiKeyPairDao.update(keyPair.getId(), keyPair);
     }
 
     protected void validateAndUpdateUserApiKeyAccess(UpdateUserCmd updateUserCmd, UserVO user) {