From 345c179e77dce7ba471f6846fac785bd34bda294 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Thu, 10 Jan 2013 15:53:18 -0800
Subject: [PATCH] plugins: Check access based on roleType, remove unnecessary properties.in file

- Fix StaticRoleBasedAPIAccessChecker to check api access based on roletype
- Remove properties file which is not needed now for api discovery plugin

Signed-off-by: Rohit Yadav
---
 .../api-discovery_commands.properties.in | 23 ---
 .../acl/StaticRoleBasedAPIAccessChecker.java | 136 +++++++-----------
 2 files changed, 48 insertions(+), 111 deletions(-)
 delete mode 100644 client/tomcatconf/api-discovery_commands.properties.in

diff --git a/client/tomcatconf/api-discovery_commands.properties.in b/client/tomcatconf/api-discovery_commands.properties.in
deleted file mode 100644
index 49ddfde42d8..00000000000
--- a/client/tomcatconf/api-discovery_commands.properties.in
+++ /dev/null
@@ -1,23 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# bitmap of permissions at the end of each classname, 1 = ADMIN, 2 =
-# RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER
-# Please standardize naming conventions to camel-case (even for acronyms).
-
-# CloudStack API Discovery service command
-listApis=15
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index 43ca403f890..689540aa291 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -16,28 +16,23 @@
 // under the License.
 package org.apache.cloudstack.acl;
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.*;
-
-import javax.ejb.Local;
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.acl.APIAccessChecker;
-import org.apache.cloudstack.acl.RoleType;
-import static org.apache.cloudstack.acl.RoleType.*;
-import org.apache.log4j.Logger;
-
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.server.ManagementServer;
-import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.component.AdapterBase;
 import com.cloud.utils.component.ComponentLocator;
 import com.cloud.utils.component.PluggableService;
 
+import javax.ejb.Local;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static org.apache.cloudstack.acl.RoleType.*;
+import org.apache.log4j.Logger;
+
 // This is the default API access checker that grab's the user's account
 // based on the account type, access is granted
 @Local(value=APIAccessChecker.class)
@@ -60,35 +55,29 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
 }
 
 @Override
- public boolean canAccessAPI(RoleType roleType, String apiCommandName)
- throws PermissionDeniedException{
+ public boolean canAccessAPI(RoleType roleType, String commandName)
+ throws PermissionDeniedException {
 
- boolean commandExists = s_allCommands.contains(apiCommandName);
+ boolean commandExists = s_allCommands.contains(commandName);
+ boolean commandAccessible = false;
 
- if(commandExists) {
- return isCommandAvailableForAccount(roleType, apiCommandName);
+ if (commandExists) {
+ switch (roleType) {
+ case Admin:
+ commandAccessible = s_adminCommands.contains(commandName);
+ break;
+ case DomainAdmin:
+ commandAccessible = s_resellerCommands.contains(commandName);
+ break;
+ case ResourceAdmin:
+ commandAccessible = s_resourceDomainAdminCommands.contains(commandName);
+ break;
+ case User:
+ commandAccessible = s_userCommands.contains(commandName);
+ break;
+ }
 }
-
- return commandExists;
- }
-
- private static boolean isCommandAvailableForAccount(RoleType roleType, String commandName) {
- boolean isCommandAvailable = false;
- switch (roleType) {
- case Admin:
- isCommandAvailable = s_adminCommands.contains(commandName);
- break;
- case DomainAdmin:
- isCommandAvailable = s_resellerCommands.contains(commandName);
- break;
- case ResourceAdmin:
- isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
- break;
- case User:
- isCommandAvailable = s_userCommands.contains(commandName);
- break;
- }
- return isCommandAvailable;
+ return commandExists && commandAccessible;
 }
 
 @Override
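Review bot: The `switch (roleType)` in `canAccessAPI` throws a NullPointerException when `roleType` is null and has no `default` branch, so the deny outcome for a missing or unrecognised role is only implicit. Whether a caller can pass null is not visible in this hunk, but an authorization check is easier to audit when it fails closed on purpose: add `if (roleType == null) { return false; }` before the lookup and a `default: break; // unknown role: deny` arm. The final `return commandExists && commandAccessible;` is redundant, because `commandAccessible` can only become true inside `if (commandExists)`; `return commandAccessible;` states the same result. A short Javadoc saying that the method returns false rather than throwing `PermissionDeniedException` on denial would also help callers.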
@@ -100,69 +89,40 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
 List services = locator.getAllPluggableServices();
 services.add((PluggableService) ComponentLocator.getComponent(ManagementServer.Name));
 
- List configFiles = new ArrayList();
+ Map configPropertiesMap = new HashMap();
 for (PluggableService service : services) {
- configFiles.addAll(Arrays.asList(service.getPropertiesFiles()));
+ configPropertiesMap.putAll(service.getProperties());
 }
 
- processConfigFiles(configFiles);
+ processConfigFiles(configPropertiesMap);
 return true;
 }
 
- private void processConfigFiles(List configFiles) {
- Properties preProcessedCommands = new Properties();
-
- for (String configFile : configFiles) {
- File commandsFile = PropertiesUtil.findConfigFile(configFile);
- if (commandsFile != null) {
- try {
- preProcessedCommands.load(new FileInputStream(commandsFile));
- } catch (FileNotFoundException fnfex) {
- // in case of a file within a jar in classpath, try to open stream using url
- InputStream stream = PropertiesUtil.openStreamFromURL(configFile);
- if (stream != null) {
- try {
- preProcessedCommands.load(stream);
- } catch (IOException e) {
- s_logger.error("IO Exception, unable to find properties file:", fnfex);
- }
- } else {
- s_logger.error("Unable to find properites file", fnfex);
- }
- } catch (IOException ioe) {
- s_logger.error("IO Exception loading properties file", ioe);
- }
- }
- }
-
- for (Object key : preProcessedCommands.keySet()) {
- String preProcessedCommand = preProcessedCommands.getProperty((String) key);
- int splitIndex = preProcessedCommand.lastIndexOf(";");
- // Backward compatible to old style, apiname=pkg;mask
- String mask = preProcessedCommand.substring(splitIndex+1);
-
+ private void processConfigFiles(Map config) {
+ for (Map.Entry entry: config.entrySet()) {
+ String apiName = entry.getKey();
+ String roleMask = entry.getValue();
 try {
- short cmdPermissions = Short.parseShort(mask);
+ short cmdPermissions = Short.parseShort(roleMask);
 if ((cmdPermissions & Admin.getValue()) != 0) {
- s_adminCommands.add((String) key);
+ s_adminCommands.add(apiName);
 }
 if ((cmdPermissions & ResourceAdmin.getValue()) != 0) {
- s_resourceDomainAdminCommands.add((String) key);
+ s_resourceDomainAdminCommands.add(apiName);
 }
 if ((cmdPermissions & DomainAdmin.getValue()) != 0) {
- s_resellerCommands.add((String) key);
+ s_resellerCommands.add(apiName);
 }
 if ((cmdPermissions & User.getValue()) != 0) {
- s_userCommands.add((String) key);
+ s_userCommands.add(apiName);
 }
- s_allCommands.addAll(s_adminCommands);
- s_allCommands.addAll(s_resourceDomainAdminCommands);
- s_allCommands.addAll(s_userCommands);
- s_allCommands.addAll(s_resellerCommands);
 } catch (NumberFormatException nfe) {
- s_logger.info("Malformed command.properties permissions value, key = " + key + ", value = " + preProcessedCommand);
+ s_logger.info("Malformed commands.properties permissions value, for entry: " + entry.toString());
 }
 }
+ s_allCommands.addAll(s_adminCommands);
+ s_allCommands.addAll(s_resourceDomainAdminCommands);
+ s_allCommands.addAll(s_userCommands);
+ s_allCommands.addAll(s_resellerCommands);
 }
-
 }
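Review bot: In the service loop, `configPropertiesMap.putAll(service.getProperties())` lets a later pluggable service silently replace the role mask that an earlier one declared for the same API name, so iteration order decides who may call that command. Merging entry by entry and logging a warning on a conflicting mask makes such an override visible; the merged map should be declared as a String-to-String map, which `String apiName = entry.getKey()` already implies. In `processConfigFiles`, the new code no longer strips the old `apiname=pkg;mask` prefix, so presumably any service still returning that form now lands in the `NumberFormatException` branch and its command is left out of every role set. That branch logs only at info level, and `s_logger.warn` would make a command that became unavailable easier to spot. The enclosing `configure` method starts above this hunk.

```java
for (PluggableService service : services) {
    for (Map.Entry<String, String> declared : service.getProperties().entrySet()) {
        String previousMask = configPropertiesMap.put(declared.getKey(), declared.getValue());
        if (previousMask != null && !previousMask.equals(declared.getValue())) {
            // Last declaration still wins, as with putAll, but the override is now logged.
            s_logger.warn("API " + declared.getKey() + " declared with conflicting role masks: "
                    + previousMask + " and " + declared.getValue());
        }
    }
}
// ... unchanged: processConfigFiles(configPropertiesMap) call and return ...
```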