From 57ddf63676883727bd6129f9b460d1cc2817bf67 Mon Sep 17 00:00:00 2001
From: Alena Prokharchyk
Date: Fri, 20 Jan 2012 10:55:59 -0800
Subject: [PATCH] Special permission check for networks
---
 server/src/com/cloud/acl/DomainChecker.java | 5 ++++
 .../src/com/cloud/network/NetworkManager.java | 2 ++
 .../com/cloud/network/NetworkManagerImpl.java | 16 ++++++++++++
 .../src/com/cloud/vm/UserVmManagerImpl.java | 25 ++-----------------
 4 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index e04af242bac..3f75a98746a 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -25,6 +25,8 @@ import com.cloud.domain.Domain;
 import com.cloud.domain.DomainVO;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
+import com.cloud.network.Network;
+import com.cloud.network.NetworkManager;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.projects.ProjectManager;
@@ -46,6 +48,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 @Inject LaunchPermissionDao _launchPermissionDao;
 @Inject ProjectManager _projectMgr;
 @Inject ProjectAccountDao _projecAccountDao;
+ @Inject NetworkManager _networkMgr;
 protected DomainChecker() {
 super();
@@ -106,6 +109,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 }
 return true;
+ } else if (entity instanceof Network) {
+ _networkMgr.checkNetworkPermissions(caller, (Network)entity);
 } else {
 if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
 Account account = _accountDao.findById(entity.getAccountId());
diff --git a/server/src/com/cloud/network/NetworkManager.java b/server/src/com/cloud/network/NetworkManager.java
index c75e53c9ff3..9e56369d1cf 100755
--- a/server/src/com/cloud/network/NetworkManager.java
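Review bot: The new `else if (entity instanceof Network)` branch sends every Network access check through `checkNetworkPermissions` whatever the requested access type or the caller's account type, so for networks it fully replaces the ownership logic of the `else` branch below it. For a Shared network that check only asks whether the network is available in the caller's domain, which is the right question for using the network but would also satisfy `checkAccess` for any other account in that domain if the same call is used to authorize modifying or deleting the network, and for a non-Shared network an admin caller with no account-to-network mapping would be denied. Limiting the branch to the use-network case, along the lines of `} else if (entity instanceof Network && accessType == <use-network access type>) {` (if an access-type argument is available to this method), keeps the existing logic for the other operations. The branch also has no return inside the hunk; the enclosing checkAccess method continues outside it, so confirm it ends with the `return true` the other branches rely on.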
+++ b/server/src/com/cloud/network/NetworkManager.java
@@ -285,4 +285,6 @@ public interface NetworkManager extends NetworkService {
 throws InsufficientAddressCapacityException;
 boolean handleElasticIpRelease(IpAddress ip);
+
+ void checkNetworkPermissions(Account owner, Network network);
 }
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 1b8ebf5bbc7..cffa995a685 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -932,6 +932,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 //check permissions
 _accountMgr.checkAccess(caller, null, false, ipOwner, network);
+ _accountMgr.checkAccess(ipOwner, null, false, network);
 DataCenter zone = _configMgr.getZone(network.getDataCenterId());
@@ -5900,4 +5901,19 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 return success;
 }
+ @Override
+ public void checkNetworkPermissions(Account owner, Network network) {
+ // Perform account permission check
+ if (network.getGuestType() != Network.GuestType.Shared) {
+ List networkMap = _networksDao.listBy(owner.getId(), network.getId());
+ if (networkMap == null || networkMap.isEmpty()) {
+ throw new PermissionDeniedException("Unable to create a vm using network with id " + network.getId() + ", permission denied");
+ }
+ } else {
+ if (!isNetworkAvailableInDomain(network.getId(), owner.getDomainId())) {
+ throw new PermissionDeniedException("Shared network id=" + network.getId() + " is not available in domain id=" + owner.getDomainId());
+ }
+ }
+ }
+
 }
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index e05a699ea7d..7bb49e539aa 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
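Review bot: `checkNetworkPermissions` is added to the interface without Javadoc, and its parameter name `owner` does not match how DomainChecker invokes it (it passes the caller of checkAccess), which leaves the contract ambiguous for implementers. A Javadoc along the lines of `/** Throws PermissionDeniedException unless {@code owner} may use {@code network}: a non-Shared network must be mapped to the account, a Shared network must be available in the account's domain. */` together with `@throws PermissionDeniedException` would make the check explicit at the declaration.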
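Review bot: The added `_accountMgr.checkAccess(ipOwner, null, false, network);` runs the network-specific check against `ipOwner`, but the line above it still lists `network` in the check against `caller`, and with the DomainChecker change both calls now reach `checkNetworkPermissions`. A caller that is not the ip owner, such as an admin acting on behalf of another account, would therefore need its own account-to-network mapping unless checkAccess short-circuits for admin callers before consulting the checkers, which is not visible here. If no such short-circuit exists, the caller-side check should drop the network, `_accountMgr.checkAccess(caller, null, false, ipOwner);`, leaving the new line as the single network check. The enclosing method starts and ends outside the hunk.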
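Review bot: The new `checkNetworkPermissions` still denies with "Unable to create a vm using network with id …" although it is now reached from DomainChecker for any Network access and from the UserVmManagerImpl paths at -2241 (owner) and -3444 (newAccount), the latter of which appears to reassign an existing VM rather than create one. A message that describes the check itself, e.g. `"Account id=" + owner.getId() + " is not permitted to use network id=" + network.getId()`, stays accurate for every caller. The raw `List networkMap` should be typed by the element type `_networksDao.listBy` returns, and since the method gates access it is worth documenting with a Javadoc stating that a non-Shared network must be mapped to the account and a Shared network must be available in the owner's domain, plus `@throws PermissionDeniedException`. Explicit null checks on `owner` and `network` would also turn a misuse into a clear failure instead of a NullPointerException from `network.getGuestType()`.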
@@ -111,7 +111,6 @@ import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.ResourceAllocationException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.exception.StorageUnavailableException;
-import com.cloud.exception.UnsupportedServiceException;
 import com.cloud.exception.VirtualMachineMigrationException;
 import com.cloud.ha.HighAvailabilityManager;
 import com.cloud.host.Host;
@@ -2241,17 +2240,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
 throw new InvalidParameterValueException("Unable to find network by id " + networkIdList.get(0).longValue());
 }
- // Perform account permission check
- if (network.getGuestType() != Network.GuestType.Shared) {
- List networkMap = _networkDao.listBy(owner.getId(), network.getId());
- if (networkMap == null || networkMap.isEmpty()) {
- throw new PermissionDeniedException("Unable to create a vm using network with id " + network.getId() + ", permission denied");
- }
- } else {
- if (!_networkMgr.isNetworkAvailableInDomain(networkId, owner.getDomainId())) {
- throw new PermissionDeniedException("Shared network id=" + networkId + " is not available in domain id=" + owner.getDomainId());
- }
- }
+ _networkMgr.checkNetworkPermissions(owner, network);
 //don't allow to use system networks
 NetworkOffering networkOffering = _configMgr.getNetworkOffering(network.getNetworkOfferingId());
@@ -3444,17 +3433,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
 throw new InvalidParameterValueException("Unable to find network by id " + networkId);
 }
- // Perform account permission check
- if (network.getGuestType() != Network.GuestType.Shared) {
- List networkMap = _networkDao.listBy(newAccount.getId(), network.getId());
- if (networkMap == null || networkMap.isEmpty()) {
- throw new PermissionDeniedException("Unable to create a vm using network with id " + network.getId() + ", permission denied");
- }
- } else {
- if (!_networkMgr.isNetworkAvailableInDomain(networkId, newAccount.getDomainId())) {
- throw new PermissionDeniedException("Shared network id=" + networkId + " is not available in domain id=" + newAccount.getDomainId());
- }
- }
+ _networkMgr.checkNetworkPermissions(newAccount, network);
 //don't allow to use system networks
 NetworkOffering networkOffering = _configMgr.getNetworkOffering(network.getNetworkOfferingId());