Fix being able to expunge a VM through destroyVirtualMachine even when role rule does not allow

[gp-santos]

Description

This PR adds a role access check to the expungeVirtualMachine command when calling destroyVirtualMachine with the expunge parameter.

Currently, if you are an admin (even if not Root), it bypasses the allow.user.expunge.recover.vm verification and you are always allowed to expunge when calling for destroyVirtualMachine.

The use case that called for this change was a need for a role of type domain admin to be unable to expunge VMs. It was then found that even with the DENY rule, the user could still expunge through destroyVirtualMachine (even on already destroyed VMs, with an API call) and the setting allow.user.expunge.recover.vm did nothing.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI

Feature/Enhancement Scale or Bug Severity

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

I created a role, based on the default Domain Admin, and changed the expungeVirtualMachine rule to DENY. I then created an account with said role.

I created two VMs and destroyed one of them, verifying that the expunge option did not show up on the GUI.

I then ran destroy virtualmachine on cloudmonkey with expunge = true on both VMs and both returned the error Account does not have permission for expunging. Calling the same command without the parameter destroyed the running VM successfully.

I repeated the tests with a role based on default User:

With allow.user.expunge.recover.vm = true, it behaved the same as the DomainAdmin-based one.

With allow.user.expunge.recover.vm = false, it did not allow the expunge action, no matter the role rules. Without the expunge parameter, the destroy action worked as expected.

[codecov]

Codecov Report

Attention: Patch coverage is 50.00000% with 8 lines in your changes are missing coverage. Please review.

Project coverage is 23.13%. Comparing base (592038a) to head (007f1e1).
Report is 81 commits behind head on main.

Files	Patch %	Lines
.../src/main/java/com/cloud/vm/UserVmManagerImpl.java	38.46%	4 Missing and 4 partials ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #8689      +/-   ##
============================================
- Coverage     23.14%   23.13%   -0.02%     
- Complexity    23348    23485     +137     
============================================
  Files          5219     5234      +15     
  Lines        353412   355729    +2317     
  Branches      50883    51238     +355     
============================================
+ Hits          81805    82294     +489     
- Misses       259762   261540    +1778     
- Partials      11845    11895      +50     

Flag	Coverage Δ
simulator-marvin-tests	24.80% <50.00%> (-0.02%)	⬇️
uitests	4.34% <ø> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[DaanHoogland]

clgtm

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 8745

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 8755

[DaanHoogland]

@gpordeus , this sounds like a good use case for an integration test. Will you consider that?

[gp-santos]

@gpordeus , this sounds like a good use case for an integration test. Will you consider that?

Sure, on it.

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el7 ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 8764

[blueorangutan]

Packaging result [SF]: ✖️ el7 ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 8780

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 8787

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 8874

[DaanHoogland]

@blueorangutan test alma9 kvm-alma9

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (alma9 mgmt + kvm-alma9) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-9434)

[DaanHoogland]

not sure why the bot removed the conflict sticker, but you still have some @gpordeus

[gp-santos]

@DaanHoogland Fixed, thanks for letting me know.

[BryanMLima]

@weizhouapache, are your concerns met?

@DaanHoogland, could you trigger the CI one last time?

[BryanMLima]

@DaanHoogland, my bad, I did not see the comment at #8878 (comment), you can ignore my other comments.

[JoaoJandre]

@blueorangutan package

[blueorangutan]

@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 10459

[JoaoJandre]

@blueorangutan package

[blueorangutan]

@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 10642

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 10661

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 10680

[DaanHoogland]

@blueorangutan LLtest

[blueorangutan]

@DaanHoogland a [LL] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

[LL] Trillian Build Failed (tid-6968)

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-11094)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 52183 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr8689-t11094-kvm-ol8.zip
Smoke tests completed. 137 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_DeployVmAffinityGroup	Error	1.45	test_affinity_groups.py
test_01_non_strict_host_anti_affinity	Error	2.63	test_nonstrict_affinity_group.py
test_02_non_strict_host_affinity	Error	1.58	test_nonstrict_affinity_group.py

[DaanHoogland]

@weizhouapache are you alright with this one, now?

[weizhouapache]

@DaanHoogland
code lgtm

not tested

[DaanHoogland]

@DaanHoogland code lgtm

not tested

good, @lucas-a-martins has: #8689 (review)