From 95efad359ef808a4b8755c8b6e0fe9efbb265e2b Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Tue, 6 May 2014 15:58:05 -0700
Subject: [PATCH] CLOUDSTACK-6581: IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. Changes: - Strict access check in NetworkModel is needed as CS 4.3 - We cannot go through accountMgr since accountMgr is relaxed for rootAdmin
---
 .../spring-server-core-managers-context.xml | 1 +
 .../com/cloud/network/NetworkModelImpl.java | 21 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
index fc1c7e23b92..09abcb767b4 100644
--- a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
+++ b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -74,6 +74,7 @@
+
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index 4267967f5ab..f84eccd9afe 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -34,6 +34,7 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@@ -219,6 +220,16 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
     static HashMap> s_serviceToImplementedProvidersMap = new HashMap>();
     static HashMap s_providerToNetworkElementMap = new HashMap();
+    List _securityCheckers;
+
+    public List getSecurityCheckers() {
+        return _securityCheckers;
+    }
+
+    public void setSecurityCheckers(List securityCheckers) {
+        _securityCheckers = securityCheckers;
+    }
+
     /**
      *
      */
@@ -1586,7 +1597,15 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
                     + ", permission denied");
             }
         } else {
-            _accountMgr.checkAccess(owner, accessType, network);
+            // Go through IAM (SecurityCheckers)
+            for (SecurityChecker checker : _securityCheckers) {
+                if (checker.checkAccess(owner, accessType, null, network)) {
+                    if (s_logger.isDebugEnabled()) {
+                        s_logger.debug("Access to " + network + " granted to " + owner + " by " + checker.getName());
+                    }
+                    break;
+                }
+            }
         }
     }
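Review bot: The new `_securityCheckers` field is declared with no access modifier, so the checker chain is package-visible and the getter hands out the live list; `private List<SecurityChecker> _securityCheckers;` (the type argument may only have been stripped by rendering) keeps other classes in the package from swapping or mutating the chain that authorization decisions depend on. Because the field is populated solely through `setSecurityCheckers`, it stays null unless the Spring context wires the property, and the content of the XML hunk is not visible on this page, so that wiring cannot be confirmed here; an unwired list would make the loop added further down fail with a NullPointerException instead of a permission error, which is at least fail-closed but worth a guard or an assertion in `configure()`. The enclosing class starts and ends outside this hunk.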
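Review bot: The replacement loop in the `else` branch fails open: when every SecurityChecker returns false the loop simply ends, nothing is thrown, and the method returns normally, so the caller is treated as authorized — the opposite of the strict check the commit title asks for, and weaker than the removed `_accountMgr.checkAccess` call if that one threw on denial. The `", permission denied"` context line suggests the branch above already throws `PermissionDeniedException`, so the same should happen here when no checker grants access; a checker that denies outright is presumably expected to throw itself, which this change leaves intact. Track whether any checker granted and throw after the loop otherwise, as below. The enclosing method begins outside this hunk.
```java
            // Go through IAM (SecurityCheckers)
            boolean granted = false;
            for (SecurityChecker checker : _securityCheckers) {
                if (checker.checkAccess(owner, accessType, null, network)) {
                    // … unchanged: debug log naming the granting checker …
                    granted = true;
                    break;
                }
            }
            // Fail closed: a checker returning false means "cannot confirm", not "allowed"
            if (!granted) {
                throw new PermissionDeniedException("No security checker granted " + owner + " access to " + network + ", permission denied");
            }
```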