server: use resource UUID instead of resource ID in API response (#2527) (#3099)

anuragaw · yadvr · commit 1a6eb4b856a4 · 2019-01-15T14:05:16.000+05:30
List resourcedetails was adding DB ID instead of UUID. This is a security risk and needs fix. Fixes: #2527
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -153,7 +153,6 @@
 import com.cloud.api.query.vo.UserVmJoinVO;
 import com.cloud.api.query.vo.VolumeJoinVO;
 import com.cloud.dc.DedicatedResourceVO;
-import com.cloud.dc.dao.DataCenterDetailsDao;
 import com.cloud.dc.dao.DedicatedResourceDao;
 import com.cloud.domain.Domain;
 import com.cloud.domain.DomainVO;
@@ -205,6 +204,7 @@
 import com.cloud.utils.Pair;
 import com.cloud.utils.StringUtils;
 import com.cloud.utils.Ternary;
+import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.db.Filter;
 import com.cloud.utils.db.JoinBuilder;
 import com.cloud.utils.db.SearchBuilder;
@@ -330,7 +330,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
     private DomainRouterDao _routerDao;
 
     @Inject
-    UserVmDetailsDao _userVmDetailDao;
+    private UserVmDetailsDao _userVmDetailDao;
 
     @Inject
     private HighAvailabilityManager _haMgr;
@@ -342,15 +342,15 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
     private TemplateJoinDao _templateJoinDao;
 
     @Inject
-    ResourceManager _resourceMgr;
+    private ResourceManager _resourceMgr;
     @Inject
     private ResourceMetaDataService _resourceMetaDataMgr;
 
     @Inject
     private TaggedResourceService _taggedResourceMgr;
 
     @Inject
-    AffinityGroupVMMapDao _affinityGroupVMMapDao;
+    private AffinityGroupVMMapDao _affinityGroupVMMapDao;
 
     @Inject
     private AffinityGroupJoinDao _affinityGroupJoinDao;
@@ -359,22 +359,22 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
     private DedicatedResourceDao _dedicatedDao;
 
     @Inject
-    DataCenterDetailsDao _dcDetailsDao;
+    private DomainManager _domainMgr;
 
     @Inject
-    DomainManager _domainMgr;
+    private AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
 
     @Inject
-    AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
+    private NetworkDetailsDao _networkDetailsDao;
 
     @Inject
-    NetworkDetailsDao _networkDetailsDao;
+    private ResourceTagDao _resourceTagDao;
 
     @Inject
-    ResourceTagDao _resourceTagDao;
+    private DataStoreManager dataStoreManager;
 
     @Inject
-    DataStoreManager dataStoreManager;
+    private EntityManager _entityMgr;
 
     /*
      * (non-Javadoc)
@@ -3674,7 +3674,7 @@ public List<ResourceDetailResponse> listResourceDetails(ListResourceDetailsCmd c
 
     protected ResourceDetailResponse createResourceDetailsResponse(ResourceDetail requestedDetail, ResourceTag.ResourceObjectType resourceType) {
         ResourceDetailResponse resourceDetailResponse = new ResourceDetailResponse();
-        resourceDetailResponse.setResourceId(String.valueOf(requestedDetail.getResourceId()));
+        resourceDetailResponse.setResourceId(_taggedResourceMgr.getUuid(String.valueOf(requestedDetail.getResourceId()), resourceType));
         resourceDetailResponse.setName(requestedDetail.getName());
         resourceDetailResponse.setValue(requestedDetail.getValue());
         resourceDetailResponse.setForDisplay(requestedDetail.isDisplay());
