From 7ebb972885e7dc5714f376168425f3c25aec065e Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Mon, 7 Oct 2013 16:29:49 -0700
Subject: [PATCH] SecurityChecker checking against the acl_entity_permission table
---
 .../entity/RoleBasedEntityAccessChecker.java | 35 ++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index fa8bed103aa..21ced06b28a 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -20,16 +20,21 @@ import java.util.List;
 import javax.inject.Inject;
+import org.apache.cloudstack.acl.AclEntityPermissionVO;
 import org.apache.cloudstack.acl.AclGroupAccountMapVO;
 import org.apache.cloudstack.acl.AclRole;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.dao.AclEntityPermissionDao;
 import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
+import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.log4j.Logger;
 import com.cloud.acl.DomainChecker;
+import com.cloud.api.ApiDispatcher;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
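Review bot: The added `import com.cloud.api.ApiDispatcher;` is not referenced by any line this patch adds, so it appears to be unused. The file compiled without it before this commit, so dropping the import would avoid tying the ACL checker plugin to the API dispatch layer for no reason. The other new imports (`AclEntityPermissionVO`, `AclEntityPermissionDao`, `InternalIdentity`, `Logger`) are all used by the later hunks.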
@@ -37,6 +42,8 @@ import com.cloud.vm.VirtualMachine; public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker { + private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName()); + @Inject AccountService _accountService; @Inject @@ -45,15 +52,41 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur @Inject AclGroupAccountMapDao _aclGroupAccountMapDao; + @Inject + AclEntityPermissionDao _entityPermissionDao; + @Override public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException { + String entityType = ""; + // check if explicit allow/deny is present for this entity in // acl_entity_permission - List acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId()); + if (entity instanceof InternalIdentity) { + InternalIdentity entityWithId = (InternalIdentity) entity; + List acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId()); + + for (AclGroupAccountMapVO groupMapping : acctGroups) { + AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity( + groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType); + + if (entityPermission != null) { + if (entityPermission.isAllowed()) { + return true; + } else { + if (s_logger.isDebugEnabled()) { + s_logger.debug("Account " + caller + " does not have permission to access resource " + + entity + " for access type: " + accessType); + } + throw new PermissionDeniedException(caller + " does not have permission to access resource " + + entity); + } + } + } + } // Is Caller RootAdmin? Yes, granted true if (_accountService.isRootAdmin(caller.getId())) {
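Review bot: In `checkAccess`, `entityType` is initialised to `""` and never assigned before it is passed to `_entityPermissionDao.findByGroupAndEntity(...)`, so every lookup in the for loop runs with an empty entity type. Depending on how the DAO treats that value (not visible here), either no acl_entity_permission row ever matches, or rows are matched on id alone and ids from different entity tables can collide; the type should be derived from `entity` before the loop. The loop also returns `true` on the first group that carries an allow, so an explicit deny held by a later group is never evaluated and the result depends on the order `listByAccountId` returns rows; if deny is meant to take precedence, scan all groups before granting, as sketched below. The explicit allow also returns ahead of the root-admin check and whatever follows it outside this hunk, which is worth confirming as intended.

```java
if (entity instanceof InternalIdentity) {
    InternalIdentity entityWithId = (InternalIdentity) entity;
    // … unchanged: acctGroups lookup via listByAccountId …
    boolean explicitAllow = false;
    for (AclGroupAccountMapVO groupMapping : acctGroups) {
        // … unchanged: findByGroupAndEntity call (entityType must be set from the entity first) …
        if (entityPermission == null) {
            continue;
        }
        if (!entityPermission.isAllowed()) {
            // … unchanged: debug log and throw PermissionDeniedException …
        }
        // Remember the allow, but keep scanning so a deny in another group still wins.
        explicitAllow = true;
    }
    if (explicitAllow) {
        return true;
    }
}
```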