diff --git a/api/src/main/java/org/apache/cloudstack/query/QueryService.java b/api/src/main/java/org/apache/cloudstack/query/QueryService.java index 57ac963bb8b1..0cdf7d29a776 100644 --- a/api/src/main/java/org/apache/cloudstack/query/QueryService.java +++ b/api/src/main/java/org/apache/cloudstack/query/QueryService.java @@ -92,8 +92,8 @@ public interface QueryService { ConfigKey AllowUserViewDestroyedVM = new ConfigKey<>("Advanced", Boolean.class, "allow.user.view.destroyed.vm", "false", "Determines whether users can view their destroyed or expunging vm ", true, ConfigKey.Scope.Account); - static final ConfigKey UserVMBlacklistedDetails = new ConfigKey("Advanced", String.class, - "user.vm.blacklisted.details", "rootdisksize, cpuOvercommitRatio, memoryOvercommitRatio, Message.ReservedCapacityFreed.Flag", + static final ConfigKey UserVMDenyListedDetails = new ConfigKey("Advanced", String.class, + "user.vm.denylisted.details", "rootdisksize, cpuOvercommitRatio, memoryOvercommitRatio, Message.ReservedCapacityFreed.Flag", "Determines whether users can view certain VM settings. When set to empty, default value used is: rootdisksize, cpuOvercommitRatio, memoryOvercommitRatio, Message.ReservedCapacityFreed.Flag.", true); static final ConfigKey UserVMReadOnlyDetails = new ConfigKey("Advanced", String.class, diff --git a/engine/schema/src/main/resources/META-INF/db/schema-41510to41600.sql b/engine/schema/src/main/resources/META-INF/db/schema-41510to41600.sql index eec9bcd671b3..d687de0dc9c3 100644 --- a/engine/schema/src/main/resources/META-INF/db/schema-41510to41600.sql +++ b/engine/schema/src/main/resources/META-INF/db/schema-41510to41600.sql @@ -303,3 +303,9 @@ from -- Update name for global configuration user.vm.readonly.ui.details Update configuration set name='user.vm.readonly.details' where name='user.vm.readonly.ui.details'; + +-- Update name for global configuration 'user.vm.readonly.ui.details' to 'user.vm.denied.details' +UPDATE `cloud`.`configuration` SET name='user.vm.denied.details' WHERE name='user.vm.blacklisted.details'; + +-- Update name for global configuration 'blacklisted.routes' to 'denied.routes' +UPDATE `cloud`.`configuration` SET name='denied.routes', description='Routes that are denied, can not be used for Static Routes creation for the VPC Private Gateway' WHERE name='blacklisted.routes'; diff --git a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java index 02cdf2a9df4c..f693bae8c33c 100644 --- a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java +++ b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java @@ -58,7 +58,7 @@ protected DynamicRoleBasedAPIAccessChecker() { } private void denyApiAccess(final String commandName) throws PermissionDeniedException { - throw new PermissionDeniedException("The API " + commandName + " is blacklisted for the account's role."); + throw new PermissionDeniedException("The API " + commandName + " is denied for the account's role."); } public boolean isDisabled() { diff --git a/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java b/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java index 5a17bb993eb3..5648a96ea666 100644 --- a/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java +++ b/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java @@ -55,7 +55,7 @@ protected ProjectRoleBasedApiAccessChecker() { } private void denyApiAccess(final String commandName) throws PermissionDeniedException { - throw new PermissionDeniedException("The API " + commandName + " is blacklisted for the user's/account's project role."); + throw new PermissionDeniedException("The API " + commandName + " is denied for the user's/account's project role."); } diff --git a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java index 6b40ab4ddffe..7550483b2306 100644 --- a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java +++ b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java @@ -90,7 +90,7 @@ public boolean checkAccess(User user, String commandName) throws PermissionDenie } if (commandNames.contains(commandName)) { - throw new PermissionDeniedException("The API is blacklisted. Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName); + throw new PermissionDeniedException("The API is denied. Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName); } else { throw new UnavailableCommandException("The API " + commandName + " does not exist or is not available for this account."); } diff --git a/plugins/database/mysql-ha/src/main/java/com/cloud/utils/db/StaticStrategy.java b/plugins/database/mysql-ha/src/main/java/com/cloud/utils/db/StaticStrategy.java index b3536523a06e..90a6dad16740 100644 --- a/plugins/database/mysql-ha/src/main/java/com/cloud/utils/db/StaticStrategy.java +++ b/plugins/database/mysql-ha/src/main/java/com/cloud/utils/db/StaticStrategy.java @@ -44,21 +44,21 @@ public JdbcConnection pickConnection(InvocationHandler proxy, List confi SQLException ex = null; - List whiteList = new ArrayList(numHosts); - whiteList.addAll(configuredHosts); + List allowList = new ArrayList(numHosts); + allowList.addAll(configuredHosts); - Map blackList = ((LoadBalancedConnectionProxy) proxy).getGlobalBlacklist(); + Map denylist = ((LoadBalancedConnectionProxy) proxy).getGlobalBlacklist(); - whiteList.removeAll(blackList.keySet()); + allowList.removeAll(denylist.keySet()); - Map whiteListMap = this.getArrayIndexMap(whiteList); + Map allowListMap = this.getArrayIndexMap(allowList); for (int attempts = 0; attempts < numRetries;) { - if (whiteList.size() == 0) { + if (allowList.size() == 0) { throw SQLError.createSQLException("No hosts configured", null); } - String hostPortSpec = whiteList.get(0); //Always take the first host + String hostPortSpec = allowList.get(0); //Always take the first host ConnectionImpl conn = (ConnectionImpl) liveConnections.get(hostPortSpec); @@ -70,16 +70,16 @@ public JdbcConnection pickConnection(InvocationHandler proxy, List confi if (((LoadBalancedConnectionProxy) proxy).shouldExceptionTriggerFailover(sqlEx)) { - Integer whiteListIndex = whiteListMap.get(hostPortSpec); + Integer allowListIndex = allowListMap.get(hostPortSpec); // exclude this host from being picked again - if (whiteListIndex != null) { - whiteList.remove(whiteListIndex.intValue()); - whiteListMap = this.getArrayIndexMap(whiteList); + if (allowListIndex != null) { + allowList.remove(allowListIndex.intValue()); + allowListMap = this.getArrayIndexMap(allowList); } ((LoadBalancedConnectionProxy) proxy).addToGlobalBlacklist(hostPortSpec); - if (whiteList.size() == 0) { + if (allowList.size() == 0) { attempts++; try { Thread.sleep(250); @@ -88,12 +88,12 @@ public JdbcConnection pickConnection(InvocationHandler proxy, List confi } // start fresh - whiteListMap = new HashMap(numHosts); - whiteList.addAll(configuredHosts); - blackList = ((LoadBalancedConnectionProxy) proxy).getGlobalBlacklist(); + allowListMap = new HashMap(numHosts); + allowList.addAll(configuredHosts); + denylist = ((LoadBalancedConnectionProxy) proxy).getGlobalBlacklist(); - whiteList.removeAll(blackList.keySet()); - whiteListMap = this.getArrayIndexMap(whiteList); + allowList.removeAll(denylist.keySet()); + allowListMap = this.getArrayIndexMap(allowList); } continue; diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java index 70875eb2694b..2b93ebb50a76 100644 --- a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java @@ -3740,10 +3740,10 @@ public DetailOptionsResponse listDetailOptions(final ListDetailOptionsCmd cmd) { throw new CloudRuntimeException("Resource type not supported."); } if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN) { - final List userBlacklistedSettings = Stream.of(QueryService.UserVMBlacklistedDetails.value().split(",")) + final List userDenyListedSettings = Stream.of(QueryService.UserVMDenyListedDetails.value().split(",")) .map(item -> (item).trim()) .collect(Collectors.toList()); - for (final String detail : userBlacklistedSettings) { + for (final String detail : userDenyListedSettings) { if (options.containsKey(detail)) { options.remove(detail); } @@ -4143,6 +4143,6 @@ public String getConfigComponentName() { @Override public ConfigKey[] getConfigKeys() { - return new ConfigKey[] {AllowUserViewDestroyedVM, UserVMBlacklistedDetails, UserVMReadOnlyDetails, SortKeyAscending, AllowUserViewAllDomainAccounts}; + return new ConfigKey[] {AllowUserViewDestroyedVM, UserVMDenyListedDetails, UserVMReadOnlyDetails, SortKeyAscending, AllowUserViewAllDomainAccounts}; } } diff --git a/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java b/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java index 3d75ff7f1604..be4e60dcdea3 100644 --- a/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java +++ b/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java @@ -344,9 +344,9 @@ public UserVmResponse newUserVmResponse(ResponseView view, String objectName, Us userVmResponse.setPoolType(userVm.getPoolType().toString()); } - // Remove blacklisted settings if user is not admin + // Remove deny listed settings if user is not admin if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { - String[] userVmSettingsToHide = QueryService.UserVMBlacklistedDetails.value().split(","); + String[] userVmSettingsToHide = QueryService.UserVMDenyListedDetails.value().split(","); for (String key : userVmSettingsToHide) { resourceDetails.remove(key.trim()); } diff --git a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java index f5de35af3ed2..3a1654f2099c 100755 --- a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java @@ -1021,7 +1021,7 @@ private String validateConfigurationValue(final String name, String value, final if (route != null) { final String routeToVerify = route.trim(); if (!NetUtils.isValidIp4Cidr(routeToVerify)) { - throw new InvalidParameterValueException("Invalid value for blacklisted route: " + route + ". Valid format is list" + throw new InvalidParameterValueException("Invalid value for route: " + route + " in deny list. Valid format is list" + " of cidrs separated by coma. Example: 10.1.1.0/24,192.168.0.0/24"); } } diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java index a03e3deb1030..469196802fce 100644 --- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java +++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java @@ -2293,9 +2293,9 @@ public StaticRoute createStaticRoute(final long gatewayId, final String cidr) th throw new InvalidParameterValueException("CIDR should be outside of link local cidr " + NetUtils.getLinkLocalCIDR()); } - // 3) Verify against blacklisted routes - if (isCidrBlacklisted(cidr, vpc.getZoneId())) { - throw new InvalidParameterValueException("The static gateway cidr overlaps with one of the blacklisted routes of the zone the VPC belongs to"); + // 3) Verify against denied routes + if (isCidrDenylisted(cidr, vpc.getZoneId())) { + throw new InvalidParameterValueException("The static gateway cidr overlaps with one of the denied routes of the zone the VPC belongs to"); } return Transaction.execute(new TransactionCallbackWithException() { @@ -2317,14 +2317,14 @@ public StaticRouteVO doInTransaction(final TransactionStatus status) throws Netw }); } - protected boolean isCidrBlacklisted(final String cidr, final long zoneId) { + protected boolean isCidrDenylisted(final String cidr, final long zoneId) { final String routesStr = NetworkOrchestrationService.GuestDomainSuffix.valueIn(zoneId); if (routesStr != null && !routesStr.isEmpty()) { - final String[] cidrBlackList = routesStr.split(","); + final String[] cidrDenyList = routesStr.split(","); - if (cidrBlackList != null && cidrBlackList.length > 0) { - for (final String blackListedRoute : cidrBlackList) { - if (NetUtils.isNetworksOverlap(blackListedRoute, cidr)) { + if (cidrDenyList != null && cidrDenyList.length > 0) { + for (final String denyListedRoute : cidrDenyList) { + if (NetUtils.isNetworksOverlap(denyListedRoute, cidr)) { return true; } } diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java index 65776ab59b9b..520690642417 100644 --- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java @@ -2534,7 +2534,6 @@ protected void runInContext() { scanLock.releaseRef(); } } - } @Override @@ -2563,7 +2562,7 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx updateDisplayVmFlag(isDisplayVm, id, vmInstance); } final Account caller = CallContext.current().getCallingAccount(); - final List userBlacklistedSettings = Stream.of(QueryService.UserVMBlacklistedDetails.value().split(",")) + final List userDenyListedSettings = Stream.of(QueryService.UserVMDenyListedDetails.value().split(",")) .map(item -> (item).trim()) .collect(Collectors.toList()); final List userReadOnlySettings = Stream.of(QueryService.UserVMReadOnlyDetails.value().split(",")) @@ -2574,7 +2573,7 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx userVmDetailsDao.removeDetails(id); } else { for (final UserVmDetailVO detail : userVmDetailsDao.listDetails(id)) { - if (detail != null && !userBlacklistedSettings.contains(detail.getName()) + if (detail != null && !userDenyListedSettings.contains(detail.getName()) && !userReadOnlySettings.contains(detail.getName())) { userVmDetailsDao.removeDetail(id, detail.getName()); } @@ -2587,18 +2586,18 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx } if (caller != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { - // Ensure blacklisted or read-only detail is not passed by non-root-admin user + // Ensure denied or read-only detail is not passed by non-root-admin user for (final String detailName : details.keySet()) { - if (userBlacklistedSettings.contains(detailName)) { + if (userDenyListedSettings.contains(detailName)) { throw new InvalidParameterValueException("You're not allowed to add or edit the restricted setting: " + detailName); } if (userReadOnlySettings.contains(detailName)) { throw new InvalidParameterValueException("You're not allowed to add or edit the read-only setting: " + detailName); } } - // Add any hidden/blacklisted or read-only detail + // Add any hidden/denied or read-only detail for (final UserVmDetailVO detail : userVmDetailsDao.listDetails(id)) { - if (userBlacklistedSettings.contains(detail.getName()) || userReadOnlySettings.contains(detail.getName())) { + if (userDenyListedSettings.contains(detail.getName()) || userReadOnlySettings.contains(detail.getName())) { details.put(detail.getName(), detail.getValue()); } } @@ -5553,7 +5552,7 @@ protected boolean isValidXenOrVmwareConfiguration(String cfg, String[] allowedKe * @param vm */ protected void persistExtraConfigKvm(String decodedUrl, UserVm vm) { - // validate config against blacklisted cfg commands + // validate config against denied cfg commands validateKvmExtraConfig(decodedUrl); String[] extraConfigs = decodedUrl.split("\n\n"); for (String cfg : extraConfigs) { @@ -5575,7 +5574,7 @@ protected void persistExtraConfigKvm(String decodedUrl, UserVm vm) { /** * This method is called by the persistExtraConfigKvm - * Validates passed extra configuration data for KVM and validates against blacklist of unwanted commands + * Validates passed extra configuration data for KVM and validates against deny-list of unwanted commands * controlled by Root admin * @param decodedUrl string containing xml configuration to be validated */ diff --git a/systemvm/agent/noVNC/vendor/pako/lib/zlib/trees.js b/systemvm/agent/noVNC/vendor/pako/lib/zlib/trees.js index a69b8a592fe0..be5d0a9675b9 100644 --- a/systemvm/agent/noVNC/vendor/pako/lib/zlib/trees.js +++ b/systemvm/agent/noVNC/vendor/pako/lib/zlib/trees.js @@ -951,9 +951,9 @@ function send_all_trees(s, lcodes, dcodes, blcodes) * Check if the data type is TEXT or BINARY, using the following algorithm: * - TEXT if the two conditions below are satisfied: * a) There are no non-portable control characters belonging to the - * "black list" (0..6, 14..25, 28..31). + * "deny list" (0..6, 14..25, 28..31). * b) There is at least one printable character belonging to the - * "white list" (9 {TAB}, 10 {LF}, 13 {CR}, 32..255). + * "allow list" (9 {TAB}, 10 {LF}, 13 {CR}, 32..255). * - BINARY otherwise. * - The following partially-portable control characters form a * "gray list" that is ignored in this detection algorithm: @@ -961,21 +961,21 @@ function send_all_trees(s, lcodes, dcodes, blcodes) * IN assertion: the fields Freq of dyn_ltree are set. */ function detect_data_type(s) { - /* black_mask is the bit mask of black-listed bytes + /* deny_mask is the bit mask of deny-listed bytes * set bits 0..6, 14..25, and 28..31 * 0xf3ffc07f = binary 11110011111111111100000001111111 */ - var black_mask = 0xf3ffc07f; + var deny_mask = 0xf3ffc07f; var n; - /* Check for non-textual ("black-listed") bytes. */ - for (n = 0; n <= 31; n++, black_mask >>>= 1) { - if ((black_mask & 1) && (s.dyn_ltree[n * 2]/*.Freq*/ !== 0)) { + /* Check for non-textual ("deny-listed") bytes. */ + for (n = 0; n <= 31; n++, deny_mask >>>= 1) { + if ((deny_mask & 1) && (s.dyn_ltree[n * 2]/*.Freq*/ !== 0)) { return Z_BINARY; } } - /* Check for textual ("white-listed") bytes. */ + /* Check for textual ("allow-listed") bytes. */ if (s.dyn_ltree[9 * 2]/*.Freq*/ !== 0 || s.dyn_ltree[10 * 2]/*.Freq*/ !== 0 || s.dyn_ltree[13 * 2]/*.Freq*/ !== 0) { return Z_TEXT; @@ -986,7 +986,7 @@ function detect_data_type(s) { } } - /* There are no "black-listed" or "white-listed" bytes: + /* There are no "deny-listed" or "allow-listed" bytes: * this stream either is empty or has tolerated ("gray-listed") bytes only. */ return Z_BINARY; diff --git a/tools/ngui/static/js/lib/angular.js b/tools/ngui/static/js/lib/angular.js index a860c8594f4d..e3ab8842893d 100644 --- a/tools/ngui/static/js/lib/angular.js +++ b/tools/ngui/static/js/lib/angular.js @@ -3687,7 +3687,7 @@ function $CompileProvider($provide) { COMMENT_DIRECTIVE_REGEXP = /^\s*directive\:\s*([\d\w\-_]+)\s+(.*)$/, CLASS_DIRECTIVE_REGEXP = /(([\d\w\-_]+)(?:\:([^;]+))?;?)/, MULTI_ROOT_TEMPLATE_ERROR = 'Template must have exactly one root element. was: ', - urlSanitizationWhitelist = /^\s*(https?|ftp|mailto|file):/; + urlSanitizationAllowlist = /^\s*(https?|ftp|mailto|file):/; /** @@ -3743,31 +3743,31 @@ function $CompileProvider($provide) { /** * @ngdoc function - * @name ng.$compileProvider#urlSanitizationWhitelist + * @name ng.$compileProvider#urlSanitizationAllowlist * @methodOf ng.$compileProvider * @function * * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for allow listing of safe * urls during a[href] sanitization. * * The sanitization is a security measure aimed at prevent XSS attacks via html links. * * Any url about to be assigned to a[href] via data-binding is first normalized and turned into an - * absolute url. Afterwards the url is matched against the `urlSanitizationWhitelist` regular + * absolute url. Afterwards the url is matched against the `urlSanitizationAllowlist` regular * expression. If a match is found the original url is written into the dom. Otherwise the * absolute url is prefixed with `'unsafe:'` string and only then it is written into the DOM. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to allow list urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.urlSanitizationWhitelist = function(regexp) { + this.urlSanitizationAllowlist = function(regexp) { if (isDefined(regexp)) { - urlSanitizationWhitelist = regexp; + urlSanitizationAllowlist = regexp; return this; } - return urlSanitizationWhitelist; + return urlSanitizationAllowlist; }; @@ -3824,7 +3824,7 @@ function $CompileProvider($provide) { // href property always returns normalized absolute url, so we can match against that normalizedVal = urlSanitizationNode.href; - if (!normalizedVal.match(urlSanitizationWhitelist)) { + if (!normalizedVal.match(urlSanitizationAllowlist)) { this[key] = value = 'unsafe:' + normalizedVal; } } diff --git a/ui/src/permission.js b/ui/src/permission.js index 8e975118611e..3e866382c9e0 100644 --- a/ui/src/permission.js +++ b/ui/src/permission.js @@ -30,7 +30,7 @@ import { ACCESS_TOKEN, APIS } from '@/store/mutation-types' NProgress.configure({ showSpinner: false }) // NProgress Configuration -const whiteList = ['login'] // no redirect whitelist +const allowList = ['login'] // no redirect allowlist router.beforeEach((to, from, next) => { // start progress bar @@ -78,7 +78,7 @@ router.beforeEach((to, from, next) => { } } } else { - if (whiteList.includes(to.name)) { + if (allowList.includes(to.name)) { next() } else { next({ path: '/user/login', query: { redirect: to.fullPath } })