Merge remote-tracking branch 'origin/4.17'

Signed-off-by: Rohit Yadav <[email protected]>

Author: rohityadavcloud

api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java

@@ -253,4 +253,8 @@ public void setResourceIconResponse(ResourceIconResponse icon) {
     public void setIpv6Routes(Set<Ipv6RouteResponse> ipv6Routes) {
         this.ipv6Routes = ipv6Routes;
     }
+
+    public Set<Ipv6RouteResponse> getIpv6Routes() {
+        return ipv6Routes;
+    }
 }

debian/changelog

@@ -4,6 +4,12 @@ cloudstack (4.18.0.0) unstable; urgency=low
 
  -- the Apache CloudStack project <[email protected]>  Tue, 31 May 2022 14:33:47 -0300
 
+cloudstack (4.17.0.1) unstable; urgency=low
+
+  * Update the version to 4.17.0.1
+
+ -- the Apache CloudStack project <[email protected]>  Fri, 15 Jul 2022 18:18:39 +0530
+
 cloudstack (4.17.0.0) unstable; urgency=low
 
   * Update the version to 4.17.0.0

engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java

@@ -279,7 +279,7 @@ public NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offerin
     }
 
     @Override
-    public NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId,NetUtils.InternetProtocol defaultProtocol) {
+    public NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId, NetUtils.InternetProtocol defaultProtocol) {
         NetUtils.InternetProtocol protocol = getNetworkOfferingInternetProtocol(offeringId);
         if (protocol == null) {
             return defaultProtocol;

engine/schema/src/test/java/com/cloud/offerings/dao/NetworkOfferingDaoImplTest.java

@@ -0,0 +1,93 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.offerings.dao;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+
+import com.cloud.offering.NetworkOffering;
+import com.cloud.utils.net.NetUtils;
+
+public class NetworkOfferingDaoImplTest {
+    @Mock
+    NetworkOfferingDetailsDao detailsDao;
+
+    @InjectMocks
+    NetworkOfferingDaoImpl networkOfferingDao = new NetworkOfferingDaoImpl();
+
+    final long offeringId = 1L;
+
+    @Before
+    public void setup() {
+        MockitoAnnotations.initMocks(this);
+    }
+
+    @Test
+    public void testGetNetworkOfferingInternetProtocol() {
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn(null);
+        NetUtils.InternetProtocol protocol = networkOfferingDao.getNetworkOfferingInternetProtocol(offeringId);
+        Assert.assertNull(protocol);
+
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("IPv4");
+        protocol = networkOfferingDao.getNetworkOfferingInternetProtocol(offeringId);
+        Assert.assertEquals(NetUtils.InternetProtocol.IPv4, protocol);
+
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("IPv6");
+        protocol = networkOfferingDao.getNetworkOfferingInternetProtocol(offeringId);
+        Assert.assertEquals(NetUtils.InternetProtocol.IPv6, protocol);
+
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("DualStack");
+        protocol = networkOfferingDao.getNetworkOfferingInternetProtocol(offeringId);
+        Assert.assertEquals(NetUtils.InternetProtocol.DualStack, protocol);
+    }
+
+    @Test
+    public void testGetNetworkOfferingInternetProtocolWithDefault() {
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn(null);
+        NetUtils.InternetProtocol protocol = networkOfferingDao.getNetworkOfferingInternetProtocol(offeringId, NetUtils.InternetProtocol.IPv4);
+        Assert.assertEquals(NetUtils.InternetProtocol.IPv4, protocol);
+
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("IPv6");
+        protocol = networkOfferingDao.getNetworkOfferingInternetProtocol(offeringId, NetUtils.InternetProtocol.IPv4);
+        Assert.assertEquals(NetUtils.InternetProtocol.IPv6, protocol);
+    }
+
+    @Test
+    public void testIsIpv6Supported() {
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("");
+        boolean result = networkOfferingDao.isIpv6Supported(offeringId);
+        Assert.assertFalse(result);
+
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("IPv4");
+        result = networkOfferingDao.isIpv6Supported(offeringId);
+        Assert.assertFalse(result);
+
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("IPv6");
+        result = networkOfferingDao.isIpv6Supported(offeringId);
+        Assert.assertTrue(result);
+
+        Mockito.when(detailsDao.getDetail(offeringId, NetworkOffering.Detail.internetProtocol)).thenReturn("DualStack");
+        result = networkOfferingDao.isIpv6Supported(offeringId);
+        Assert.assertTrue(result);
+    }
+}

plugins/user-authenticators/saml2/pom.xml

@@ -31,6 +31,7 @@
         <dependency>
             <groupId>org.opensaml</groupId>
             <artifactId>opensaml</artifactId>
+            <version>${cs.opensaml.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.cloudstack</groupId>

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java

@@ -30,6 +30,7 @@
 import org.apache.cloudstack.api.response.SAMLMetaDataResponse;
 import org.apache.cloudstack.saml.SAML2AuthManager;
 import org.apache.cloudstack.saml.SAMLProviderMetadata;
+import org.apache.cloudstack.utils.security.ParserUtils;
 import org.apache.log4j.Logger;
 import org.opensaml.Configuration;
 import org.opensaml.DefaultBootstrap;
@@ -239,7 +240,7 @@ public String authenticate(String command, Map<String, Object[]> params, HttpSes
 
         StringWriter stringWriter = new StringWriter();
         try {
-            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory factory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder builder = factory.newDocumentBuilder();
             Document document = builder.newDocument();
             Marshaller out = Configuration.getMarshallerFactory().getMarshaller(spEntityDescriptor);

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java

@@ -78,7 +78,6 @@
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.xml.ConfigurationException;
 import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
 import org.springframework.stereotype.Component;
@@ -389,7 +388,7 @@ private boolean setup() {
                 }
             }
             _idpMetaDataProvider.setRequireValidMetadata(true);
-            _idpMetaDataProvider.setParserPool(new BasicParserPool());
+            _idpMetaDataProvider.setParserPool(SAMLUtils.getSaferParserPool());
             _idpMetaDataProvider.initialize();
             _timer.scheduleAtFixedRate(new MetadataRefreshTask(), 0, _refreshInterval * 1000);
 

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java

@@ -42,12 +42,15 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.zip.Deflater;
 import java.util.zip.DeflaterOutputStream;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -56,6 +59,7 @@
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.response.LoginCmdResponse;
 import org.apache.cloudstack.utils.security.CertUtils;
+import org.apache.cloudstack.utils.security.ParserUtils;
 import org.apache.log4j.Logger;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.joda.time.DateTime;
@@ -88,6 +92,7 @@
 import org.opensaml.xml.io.Unmarshaller;
 import org.opensaml.xml.io.UnmarshallerFactory;
 import org.opensaml.xml.io.UnmarshallingException;
+import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.signature.SignatureConstants;
 import org.opensaml.xml.util.Base64;
 import org.opensaml.xml.util.XMLHelper;
@@ -231,7 +236,7 @@ public static String encodeSAMLRequest(XMLObject authnRequest)
     public static Response decodeSAMLResponse(String responseMessage)
             throws ConfigurationException, ParserConfigurationException,
             SAXException, IOException, UnmarshallingException {
-        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory documentBuilderFactory = ParserUtils.getSaferDocumentBuilderFactory();
         documentBuilderFactory.setNamespaceAware(true);
         DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
         byte[] base64DecodedResponse = Base64.decode(responseMessage);
@@ -365,4 +370,19 @@ public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) thr
                 "CN=ApacheCloudStack", "CN=ApacheCloudStack",
                 3, "SHA256WithRSA");
     }
+
+    public static BasicParserPool getSaferParserPool() {
+        final Map<String, Boolean> features = new HashMap<>();
+        features.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        features.put("http://apache.org/xml/features/disallow-doctype-decl", true);
+        features.put("http://xml.org/sax/features/external-general-entities", false);
+        features.put("http://xml.org/sax/features/external-parameter-entities", false);
+        features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        final BasicParserPool parserPool = new BasicParserPool();
+        parserPool.setXincludeAware(false);
+        parserPool.setIgnoreComments(true);
+        parserPool.setExpandEntityReferences(false);
+        parserPool.setBuilderFeatures(features);
+        return parserPool;
+    }
 }