Fixes to ensure Network entity checkAccess invokes the IAM service

2014-03-24 17:08:09 -07:00 · 2014-03-24 17:08:09 -07:00 · a5b9814f7a
parent 0c2f808b75
commit a5b9814f7a
9 changed files with 56 additions and 21 deletions
--- a/api/src/com/cloud/network/NetworkModel.java
+++ b/api/src/com/cloud/network/NetworkModel.java
@ -22,6 +22,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;

+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@ -273,4 +275,6 @@ public interface NetworkModel {
    boolean isNetworkReadyForGc(long networkId);

    boolean getNetworkEgressDefaultPolicy(Long networkId);
+
+    void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
 }
--- a/engine/schema/src/com/cloud/network/dao/NetworkVO.java
+++ b/engine/schema/src/com/cloud/network/dao/NetworkVO.java
@ -513,7 +513,7 @@ public class NetworkVO implements Network {
    @Override
    public String toString() {
        StringBuilder buf = new StringBuilder("Ntwk[");
-        buf.append(id).append("|").append(trafficType).append("|").append(networkOfferingId).append("]");
+        buf.append(uuid).append("|").append(trafficType).append("|").append(networkOfferingId).append("]");
        return buf.toString();
    }

--- a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
+++ b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
@ -30,6 +30,7 @@ import javax.inject.Inject;
 import net.juniper.contrail.api.ApiConnector;
 import net.juniper.contrail.api.types.ServiceInstance;

+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.network.contrail.api.response.ServiceInstanceResponse;
 import org.apache.cloudstack.network.contrail.model.ServiceInstanceModel;
@ -136,10 +137,10 @@ public class ServiceManagerImpl implements ServiceManager {
        // TODO: permission model.
        // service instances need to be able to access the public network.
        if (left.getTrafficType() == TrafficType.Guest) {
-            _networkModel.checkNetworkPermissions(owner, left);
+            _networkModel.checkNetworkPermissions(owner, left, AccessType.UseEntry);
        }
        if (right.getTrafficType() == TrafficType.Guest) {
-            _networkModel.checkNetworkPermissions(owner, right);
+            _networkModel.checkNetworkPermissions(owner, right, AccessType.UseEntry);
        }

        final ApiConnector api = _manager.getApiConnector();
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@ -35,6 +35,7 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;

 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;

@ -97,6 +98,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.projects.dao.ProjectAccountDao;
 import com.cloud.server.ConfigurationServer;
 import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
 import com.cloud.user.DomainManager;
 import com.cloud.user.dao.AccountDao;
@ -173,7 +175,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
    FirewallRulesDao _firewallDao;
    @Inject
    DomainManager _domainMgr;
-
+    @Inject
+    AccountManager _accountMgr;
    @Inject
    NetworkOfferingServiceMapDao _ntwkOfferingSrvcDao;
    @Inject
@ -1566,6 +1569,27 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
        }
    }

+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        if (network == null) {
+            throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
+        }
+
+        AccountVO networkOwner = _accountDao.findById(network.getAccountId());
+        if (networkOwner == null) {
+            throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+                    + ", network does not have an owner");
+        }
+        if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+            if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
+                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+                        + ", permission denied");
+            }
+        } else {
+            _accountMgr.checkAccess(owner, accessType, true, network);
+        }
+    }
+
    @Override
    public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
        try {
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@ -2756,6 +2756,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
        cmdList.add(ListIpForwardingRulesCmd.class);
        cmdList.add(CreateNetworkACLCmd.class);
        cmdList.add(CreateNetworkCmd.class);
+        cmdList.add(CreateNetworkCmdByAdmin.class);
        cmdList.add(DeleteNetworkACLCmd.class);
        cmdList.add(DeleteNetworkCmd.class);
        cmdList.add(ListNetworkACLsCmd.class);
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@ -972,12 +972,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
            throw new InvalidParameterValueException("unable to find a network with id " + networkId);
        }

-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-        if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
-                && !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) {
-            throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId);
-        }
-        }

        List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
        for (NicVO nic : allNics) {
@ -2527,7 +2521,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                    }
                }

-                _networkModel.checkNetworkPermissions(owner, network);
+                _networkModel.checkNetworkPermissions(owner, network, AccessType.UseEntry);

                // don't allow to use system networks
                NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@ -2726,13 +2720,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId());
            }

-            //relax the check if the caller is admin account
-            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-            if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
-                    && !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) {
-                throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm");
-            }
-            }
+            // Perform account permission check on network
+            _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);

            IpAddresses requestedIpPair = null;
            if (requestedIps != null && !requestedIps.isEmpty()) {
@ -4441,7 +4430,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                            throw ex;
                        }

-                        _networkModel.checkNetworkPermissions(newAccount, network);
+                        _networkModel.checkNetworkPermissions(newAccount, network, AccessType.UseEntry);

                        // don't allow to use system networks
                        NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
--- a/server/test/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/network/MockNetworkModelImpl.java
@ -25,6 +25,8 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.naming.ConfigurationException;

+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@ -878,4 +880,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
    public boolean getNetworkEgressDefaultPolicy(Long networkId) {
        return false;  //To change body of implemented methods use File | Settings | File Templates.
    }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        // TODO Auto-generated method stub
+
+    }
 }
--- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
@ -26,6 +26,8 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;

+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@ -893,4 +895,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
    public boolean getNetworkEgressDefaultPolicy(Long networkId) {
        return false;  //To change body of implemented methods use File | Settings | File Templates.
    }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        // TODO Auto-generated method stub
+
+    }
 }
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@ -363,10 +363,10 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
        Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS);

        if (entityType == Network.class) {
-            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(),
+            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.getSimpleName(),
                    entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive);
        } else if (entityType == AffinityGroup.class) {
-            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(),
+            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.getSimpleName(),
                    entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive);
        }