Skip to content
Open
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 13 additions & 6 deletions server/src/main/java/com/cloud/user/AccountManagerImpl.java
Original file line number Diff line number Diff line change
Expand Up @@ -3202,7 +3202,7 @@ public Pair<Boolean, Map<String, String>> getKeys(GetUserKeysCmd cmd) {
ApiKeyPair keyPair;
if (accessingApiKey != null) {
ApiKeyPair accessingKeyPair = apiKeyPairService.findByApiKey(accessingApiKey);
if (userId == accessingKeyPair.getUserId()) {
if (accessingKeyPair != null && userId == accessingKeyPair.getUserId()) {

@weizhouapache weizhouapache Jul 8, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be better to throw an exception here, if apikeypair is not found
similar to change with getAllKeypairPermissions method

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it would be nice

@winterhazel winterhazel Jul 9, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (accessingKeyPair != null && userId == accessingKeyPair.getUserId()) {
if (accessingKeyPair == null) {
throw new CloudRuntimeException(String.format("Unable to find pair of API key [%s].", accessingApiKey));
}
if (userId == accessingKeyPair.getUserId()) {

@sureshanaparti it makes more sense to throw an exception here. Although unlikely, the way this if is structured right now can result in the key of user A of account X leaking when the caller is using a key to access user B of account X if accessingKeyPair is null.

keyPair = apiKeyPairService.findByApiKey(accessingApiKey);
Comment thread
sureshanaparti marked this conversation as resolved.
Comment on lines 3204 to 3206

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As for this suggestion, we could apply it in this PR, if you're willing to, @sureshanaparti. But it is nitpicking IMO

} else {
keyPair = _accountService.getLatestUserKeyPair(userId);
Expand Down Expand Up @@ -3320,6 +3320,10 @@ private Boolean isAccessingKeypairSuperset(ApiKeyPair accessedKeyPair, BaseCmd c
return Boolean.TRUE;
}
ApiKeyPair accessingKeyPair = apiKeyPairService.findByApiKey(apiKey);
if (accessingKeyPair == null) {
logger.warn("Unable to find API key pair for the accessing API key: {}", apiKey);
return Boolean.FALSE;
}
Comment thread
sureshanaparti marked this conversation as resolved.
return isApiKeySupersetOfPermission(new ArrayList<>(getAllKeypairPermissions(accessingKeyPair.getApiKey())), new ArrayList<>(getAllKeypairPermissions(accessedKeyPair.getApiKey())));
}

Expand All @@ -3335,7 +3339,7 @@ public String getAccessingApiKey(BaseCmd cmd) {
return accessingApiKey;
}
} catch (NullPointerException e) {
logger.info("Accessing API through session.");
logger.info("Accessing API through session.", e);
}
Comment on lines +3341 to 3343

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Copilot suggestion does not make sense in the context of this method

return null;
Comment thread
sureshanaparti marked this conversation as resolved.
}
Expand Down Expand Up @@ -3582,6 +3586,10 @@ public List<RolePermissionEntity> getAllKeypairPermissions(String apiKey) {
throw new InvalidParameterValueException("API key not present in the request's URL and, thus, unable to fetch API key rules.");
}
ApiKeyPair apiKeyPair = keyPairManager.findByApiKey(apiKey);
Comment on lines 3584 to 3588

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not need to be applied in this PR

if (apiKeyPair == null) {
logger.warn("Unable to find API key pair by API key: {}", apiKey);
return new ArrayList<>();
}
Comment thread
sureshanaparti marked this conversation as resolved.
Comment on lines +3589 to +3592
Account account = _accountDao.findById(apiKeyPair.getAccountId());
List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(apiKeyPair.getId(), account.getRoleId());
return new ArrayList<>(keyPairPermissions);
Expand Down Expand Up @@ -3848,12 +3856,11 @@ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEn
@Override
public UserAccount getUserByApiKey(String apiKey) {
ApiKeyPairVO keyPair = apiKeyPairDao.findByApiKey(apiKey);

if (keyPair == null) {
return null;
if (keyPair != null) {
return userAccountDao.findById(keyPair.getUserId());
}

return userAccountDao.findById(keyPair.getUserId());
return null;
}

@Override
Expand Down
Loading