From 2bbe6f59376a96022f873d11066874d5cb802552 Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Thu, 3 Oct 2013 13:28:19 -0700
Subject: [PATCH] APIChecker helper methods implemented
---
 .../acl/api/RoleBasedAPIAccessChecker.java | 11 +---
 .../apache/cloudstack/acl/AclServiceImpl.java | 53 +++++++++++++++++--
 2 files changed, 51 insertions(+), 13 deletions(-)
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
index 18fcdf9cd04..027ff580128 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
@@ -16,15 +16,10 @@
 // under the License.
 package org.apache.cloudstack.acl.api;
-import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
-import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
-import javax.naming.ConfigurationException;
 import org.apache.cloudstack.acl.APIChecker;
 import org.apache.cloudstack.acl.AclRole;
@@ -35,12 +30,10 @@ import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
-import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.component.AdapterBase;
-import com.cloud.utils.component.PluggableService;
-// This is the default API access checker that grab's the user's account
-// based on the account type, access is granted
+// This is the Role Based API access checker that grab's the account's roles
+// based on the set of roles, access is granted if any of the role has access to the api
 @Local(value=APIChecker.class)
 public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
index c8fc54cf59a..69f9d3d5568 100644
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.acl;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -49,6 +50,11 @@ import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
 import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.db.GenericSearchBuilder;
+import com.cloud.utils.db.JoinBuilder.JoinType;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.SearchCriteria.Op;
 import com.cloud.utils.db.Transaction;
 @Local(value = {AclService.class})
@@ -507,14 +513,53 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
 @Override
 public List getAclRoles(long accountId) {
- // TODO Auto-generated method stub
- return null;
+
+ SearchBuilder groupSB = _aclGroupAccountMapDao.createSearchBuilder();
+ groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
+
+ GenericSearchBuilder roleSB = _aclGroupRoleMapDao.createSearchBuilder(Long.class);
+ roleSB.selectField(roleSB.entity().getAclRoleId());
+ roleSB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), roleSB.entity().getAclGroupId(),
+ JoinType.INNER);
+ roleSB.done();
+ SearchCriteria roleSc = roleSB.create();
+ roleSc.setJoinParameters("accountgroupjoin", "account", accountId);
+
+ List roleIds = _aclGroupRoleMapDao.customSearch(roleSc, null);
+
+ SearchBuilder sb = _aclRoleDao.createSearchBuilder();
+ sb.and("ids", sb.entity().getId(), Op.IN);
+ SearchCriteria sc = sb.create();
+ sc.setParameters("ids", roleIds.toArray(new Object[roleIds.size()]));
+ List roles = _aclRoleDao.customSearch(sc, null);
+
+ return new ArrayList(roles);
 }
 @Override
 public boolean isAPIAccessibleForRoles(String apiName, List roles) {
- // TODO Auto-generated method stub
- return false;
+
+ boolean accessible = false;
+
+ List roleIds = new ArrayList();
+ for (AclRole role : roles) {
+ roleIds.add(role.getId());
+ }
+
+ SearchBuilder sb = _apiPermissionDao.createSearchBuilder();
+ sb.and("apiName", sb.entity().getApiName(), Op.EQ);
+ sb.and("roleId", sb.entity().getAclRoleId(), Op.IN);
+
+ SearchCriteria sc = sb.create();
+ sc.setParameters("roleId", roleIds.toArray(new Object[roleIds.size()]));
+
+ List permissions = _apiPermissionDao.customSearch(sc, null);
+
+ if (permissions != null && !permissions.isEmpty()) {
+ accessible = true;
+ }
+
+ return accessible;
 }
 }
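Review bot: In `isAPIAccessibleForRoles` the `apiName` condition is declared with `sb.and("apiName", ..., Op.EQ)` but `apiName` is never bound; the only call is `sc.setParameters("roleId", ...)`. How SearchCriteria treats an unbound condition is not visible in this hunk, but if it is skipped the lookup matches any permission held by the roles and the check would grant every API, so add `sc.setParameters("apiName", apiName);` before the search. The method should also fail closed on an empty or null role list, e.g. `if (roles == null || roles.isEmpty()) { return false; }`, rather than issuing an `IN` with no values. `getAclRoles` has the same empty-`IN` case when the account has no group mappings and `roleIds` comes back empty; returning an empty list early there would avoid depending on how the DAO renders it.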