etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

APIChecker helper methods implemented

This commit is contained in:
Prachi Damle 2013-10-03 13:28:19 -07:00
parent ddd4f80911
commit 2bbe6f5937
2 changed files with 51 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
View File

@ -16,15 +16,10 @@
// under the License.
package org.apache.cloudstack.acl.api;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.AclRole;
@ -35,12 +30,10 @@ import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
import com.cloud.user.User;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.PluggableService;
// This is the default API access checker that grab's the user's account
// based on the account type, access is granted
// This is the Role Based API access checker that grab's the account's roles
// based on the set of roles, access is granted if any of the role has access to the api
@Local(value=APIChecker.class)
public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {

53
server/src/org/apache/cloudstack/acl/AclServiceImpl.java
View File

@ -16,6 +16,7 @@
// under the License.
package org.apache.cloudstack.acl;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@ -49,6 +50,11 @@ import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.GenericSearchBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
@Local(value = {AclService.class})
@ -507,14 +513,53 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@Override
public List<AclRole> getAclRoles(long accountId) {
// TODO Auto-generated method stub
return null;
SearchBuilder<AclGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<AclGroupRoleMapVO, Long> roleSB = _aclGroupRoleMapDao.createSearchBuilder(Long.class);
roleSB.selectField(roleSB.entity().getAclRoleId());
roleSB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), roleSB.entity().getAclGroupId(),
JoinType.INNER);
roleSB.done();
SearchCriteria<Long> roleSc = roleSB.create();
roleSc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> roleIds = _aclGroupRoleMapDao.customSearch(roleSc, null);
SearchBuilder<AclRoleVO> sb = _aclRoleDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclRoleVO> sc = sb.create();
sc.setParameters("ids", roleIds.toArray(new Object[roleIds.size()]));
List<AclRoleVO> roles = _aclRoleDao.customSearch(sc, null);
return new ArrayList<AclRole>(roles);
}
@Override
public boolean isAPIAccessibleForRoles(String apiName, List<AclRole> roles) {
// TODO Auto-generated method stub
return false;
boolean accessible = false;
List<Long> roleIds = new ArrayList<Long>();
for (AclRole role : roles) {
roleIds.add(role.getId());
}
SearchBuilder<AclApiPermissionVO> sb = _apiPermissionDao.createSearchBuilder();
sb.and("apiName", sb.entity().getApiName(), Op.EQ);
sb.and("roleId", sb.entity().getAclRoleId(), Op.IN);
SearchCriteria<AclApiPermissionVO> sc = sb.create();
sc.setParameters("roleId", roleIds.toArray(new Object[roleIds.size()]));
List<AclApiPermissionVO> permissions = _apiPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
accessible = true;
}
return accessible;
}
}