diff --git a/api/src/org/apache/cloudstack/acl/AclEntityType.java b/api/src/org/apache/cloudstack/acl/AclEntityType.java index 096fcd2073b..2546709d089 100644 --- a/api/src/org/apache/cloudstack/acl/AclEntityType.java +++ b/api/src/org/apache/cloudstack/acl/AclEntityType.java @@ -4,37 +4,38 @@ public enum AclEntityType { // currently supported entity, to be added one by one after we support acl on the entity VirtualMachine, Volume, - ResourceTag, - Account, - AffinityGroup, - AutoScalePolicy, - AutoScaleVmGroup, - AutoScaleVmProfile, - Condition, - Vpc, - VpcGateway, - VpnUser, - VMSnapshot, - VirtualMachineTemplate, - UserIpv6Address, - StaticRoute, - SSHKeyPair, - Snapshot, - Site2SiteVpnGateway, - Site2SiteVpnConnection, - Site2SiteCustomerGateway, - SecurityGroup, - RemoteAccessVpn, - PublicIpAddress, - ProjectInvitation, - NicSecondaryIp, - NicIpAlias, - Network, - IpAddress, - InstanceGroup, - GlobalLoadBalancerRule, - FirewallRule, - Event, - AclPolicy, + ResourceTag, + Account, + AffinityGroup, + AutoScalePolicy, + AutoScaleVmGroup, + AutoScaleVmProfile, + Condition, + Vpc, + VpcGateway, + VpnUser, + VMSnapshot, + VirtualMachineTemplate, + UserIpv6Address, + StaticRoute, + SSHKeyPair, + Snapshot, + Site2SiteVpnGateway, + Site2SiteVpnConnection, + Site2SiteCustomerGateway, + SecurityGroup, + RemoteAccessVpn, + PublicIpAddress, + ProjectInvitation, + NicSecondaryIp, + NicIpAlias, + Network, + IpAddress, + InstanceGroup, + GlobalLoadBalancerRule, + FirewallRule, + Event, + AsyncJob, + AclPolicy, AclGroup; } diff --git a/framework/db/src/com/cloud/utils/db/SearchBase.java b/framework/db/src/com/cloud/utils/db/SearchBase.java index eb2b64b5d15..c011dae89f8 100644 --- a/framework/db/src/com/cloud/utils/db/SearchBase.java +++ b/framework/db/src/com/cloud/utils/db/SearchBase.java 
@@ -232,7 +232,17 @@ public abstract class SearchBase, T, K> { if (_entity == null || _specifiedAttrs == null || _specifiedAttrs.size() != 1) { throw new RuntimeException("Now now, better specify an attribute or else we can't help you"); } - return _specifiedAttrs.get(0); + if (_specifiedAttrs.size() > 0) { + return _specifiedAttrs.get(0); + } + // look for attributes from joins + for (JoinBuilder> join : _joins.values()) { + SearchBase sb = join.getT(); + if (sb.getSpecifiedAttribute() != null) { + return sb.getSpecifiedAttribute(); + } + } + throw new CloudRuntimeException("Unable to find any specified attributes. You sure you know what you're doing?"); } protected List getSpecifiedAttributes() { diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java index 0af65e3fe06..a814805c85e 100644 --- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java +++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java 
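Review bot: The join fallback added to getSpecifiedAttribute() looks unreachable, because the unchanged guard above it still throws whenever `_specifiedAttrs.size() != 1`; past that guard `_specifiedAttrs.size() > 0` is always true, so the loop over `_joins` and the new CloudRuntimeException never run. If the fallback is intended, the guard has to stop rejecting an empty list, for example `if (_entity == null || _specifiedAttrs == null || _specifiedAttrs.size() > 1) {`. The recursive `sb.getSpecifiedAttribute()` would also throw on a join with no attribute of its own rather than return null, so the `!= null` test cannot skip such a join, and the call is made twice per join. The method starts above the hunk, so this is read from the visible lines only.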
@@ -206,31 +206,6 @@ public class MockAccountManager extends ManagerBase implements AccountManager { return null; } - @Override - public void buildACLSearchBuilder( - SearchBuilder arg0, Long arg1, - boolean arg2, List arg3, ListProjectResourcesCriteria arg4) { - // TODO Auto-generated method stub - - } - - @Override - public void buildACLSearchCriteria( - SearchCriteria arg0, Long arg1, - boolean arg2, List arg3, ListProjectResourcesCriteria arg4) { - // TODO Auto-generated method stub - - } - - @Override - public void buildACLSearchParameters(Account arg0, Long arg1, String arg2, - Long arg3, List arg4, - Ternary arg5, - boolean arg6, boolean arg7) { - // TODO Auto-generated method stub - - } - @Override public Long checkAccessAndSpecifyAuthority(Account arg0, Long arg1) { @@ -383,6 +358,19 @@ public class MockAccountManager extends ManagerBase implements AccountManager { } + @Override + public void buildACLSearchBuilder(SearchBuilder sb, boolean isRecursive, List permittedDomains, List permittedAccounts, + List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLSearchCriteria(SearchCriteria sc, boolean isRecursive, List permittedDomains, List permittedAccounts, + List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } } diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index fd1804a8a99..13064230eb9 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java 
@@ -1897,17 +1897,20 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedAccounts, - domainIdRecursiveListProject, cmd.listAll(), false); + _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, + cmd.listAll(), false, "listAsyncJobs"); Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(AsyncJobJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal()); + /* SearchBuilder sb = _jobJoinDao.createSearchBuilder(); sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); SearchBuilder accountSearch = null; @@ -1932,8 +1935,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { } } - Object keyword = cmd.getKeyword(); - Object startDate = cmd.getStartDate(); + SearchCriteria sc = sb.create(); if (listProjectResourcesCriteria != null) { 
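Review bot: The new last argument to buildACLSearchParameters is a bare string literal, `"listAsyncJobs"`, and the same pattern recurs in the AutoScaleManagerImpl, FirewallManagerImpl, LoadBalancingRulesManagerImpl, RulesManagerImpl and VpcManagerImpl hunks. The implementation is not shown, but if the string selects which permissions populate permittedDomains, permittedAccounts and permittedResources, a misspelt or copy-pasted name would change the access scope with no compile-time error. I would take the name from one shared definition, e.g. `private static final String LIST_ASYNC_JOBS_ACTION = "listAsyncJobs";` (constructed name), or from the command object itself. The parameter also deserves a Javadoc line saying what an unknown action name resolves to.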
@@ -1950,6 +1952,17 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { sc.setParameters("domainId", domainId); } } + */ + + Object keyword = cmd.getKeyword(); + Object startDate = cmd.getStartDate(); + + // populate the search criteria with the values passed in + SearchCriteria sc = _jobJoinDao.createSearchCriteria(); + SearchCriteria aclSc = _jobJoinDao.createSearchCriteria(); + + // building ACL search criteria + _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (keyword != null) { sc.addAnd("cmd", SearchCriteria.Op.LIKE, "%" + keyword + "%"); diff --git a/server/src/com/cloud/api/query/vo/AsyncJobJoinVO.java b/server/src/com/cloud/api/query/vo/AsyncJobJoinVO.java index a30e253f4d5..b1cd5e347d2 100644 --- a/server/src/com/cloud/api/query/vo/AsyncJobJoinVO.java +++ b/server/src/com/cloud/api/query/vo/AsyncJobJoinVO.java @@ -25,15 +25,14 @@ import javax.persistence.Enumerated; import javax.persistence.Id; import javax.persistence.Table; +import org.apache.cloudstack.acl.AclEntityType; import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.Identity; -import org.apache.cloudstack.api.InternalIdentity; import com.cloud.utils.db.GenericDao; @Entity @Table(name="async_job_view") -public class AsyncJobJoinVO extends BaseViewVO implements InternalIdentity, Identity { +public class AsyncJobJoinVO extends BaseViewVO implements ControlledViewEntity { //InternalIdentity, Identity { @Id @Column(name="id") 
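Review bot: The previous account/domain filtering for listAsyncJobs is left in the method inside a `/* ... */` block that closes in this hunk, next to the new buildACLViewSearchCriteria call. Two copies of access-control logic, one dead, make the method harder to audit; I would delete the old block and rely on version control. `domainId` is still read from the Ternary in the first hunk but now appears to be used only inside the commented region, so it can go too. The role of `aclSc` is not evident from the call site, and the comment above it would be clearer as `// aclSc receives the caller's ACL restrictions and is attached to sc by buildACLViewSearchCriteria` once that is confirmed against the implementation.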
@@ -116,34 +115,42 @@ public class AsyncJobJoinVO extends BaseViewVO implements InternalIdentity, Iden return uuid; } + @Override public long getAccountId() { return accountId; } + @Override public String getAccountUuid() { return accountUuid; } + @Override public String getAccountName() { return accountName; } + @Override public short getAccountType() { return accountType; } + @Override public long getDomainId() { return domainId; } + @Override public String getDomainUuid() { return domainUuid; } + @Override public String getDomainName() { return domainName; } + @Override public String getDomainPath() { return domainPath; } @@ -195,4 +202,22 @@ public class AsyncJobJoinVO extends BaseViewVO implements InternalIdentity, Iden public String getInstanceUuid() { return instanceUuid; } + + @Override + public AclEntityType getEntityType() { + return AclEntityType.AsyncJob; + } + + @Override + public String getProjectUuid() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getProjectName() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java index 58a90bb1116..d32d31c7e66 100644 --- a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java +++ b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java @@ -95,9 +95,9 @@ import com.cloud.utils.db.GenericDao; import com.cloud.utils.db.JoinBuilder; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; -import com.cloud.utils.db.TransactionCallback; import com.cloud.utils.db.SearchCriteria.Op; import com.cloud.utils.db.Transaction; +import com.cloud.utils.db.TransactionCallback; import com.cloud.utils.db.TransactionStatus; import com.cloud.utils.net.NetUtils; 
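Review bot: getProjectUuid() and getProjectName() are added as auto-generated stubs that always return null, while the class now declares itself a ControlledViewEntity and is passed through the ACL view criteria in QueryManagerImpl. Any code that treats a ControlledViewEntity uniformly and dereferences these values would hit a NullPointerException, and null is indistinguishable from a missing project. If the view really has no project columns, replace the TODO with a statement of that, e.g. `// async_job_view exposes no project columns; async jobs are never project-scoped`, after confirming it. The leftover `//InternalIdentity, Identity {` on the class declaration in the earlier hunk should be removed as well.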
@@ -409,7 +409,8 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale Long templateId = cmd.getTemplateId(); String otherDeployParams = cmd.getOtherDeployParams(); - SearchWrapper searchWrapper = new SearchWrapper(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId()); + SearchWrapper searchWrapper = new SearchWrapper(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId(), + "listAutoScaleVmProfiles"); SearchBuilder sb = searchWrapper.getSearchBuilder(); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); @@ -561,11 +562,14 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale SearchCriteria searchCriteria; Long domainId; boolean isRecursive; + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); + ListProjectResourcesCriteria listProjectResourcesCriteria; Filter searchFilter; - public SearchWrapper(GenericDao dao, Class entityClass, BaseListAccountResourcesCmd cmd, Long id) + public SearchWrapper(GenericDao dao, Class entityClass, BaseListAccountResourcesCmd cmd, Long id, String action) { this.dao = dao; this.searchBuilder = dao.createSearchBuilder(); 
@@ -579,12 +583,12 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, - listAll, false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, + false, action); + //domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); - _accountMgr.buildACLSearchBuilder(searchBuilder, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(searchBuilder, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); searchFilter = new Filter(entityClass, "id", false, startIndex, pageSizeVal); } @@ -595,7 +599,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale public SearchCriteria buildSearchCriteria() { searchCriteria = searchBuilder.create(); - _accountMgr.buildACLSearchCriteria(searchCriteria, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(searchCriteria, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); return searchCriteria; } 
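Review bot: In the SearchWrapper constructor the unchanged line `ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();` declares a local that appears to shadow the field of the same name, yet the rewritten buildSearchCriteria() passes the field to buildACLSearchCriteria. Unless the field is assigned somewhere outside these hunks, the ACL criteria are always built with a null project criterion, whatever buildACLSearchParameters decided. Dropping the type assigns the field instead: `listProjectResourcesCriteria = domainIdRecursiveListProject.third();`. The commented-out `//domainId = domainIdRecursiveListProject.first();` should be deleted rather than kept, along with the `domainId` field if nothing else reads it. The constructor begins in the previous hunk, so the declarations of `isRecursive` and `domainId` are not fully visible here.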
@@ -606,7 +610,8 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale @Override public List listAutoScalePolicies(ListAutoScalePoliciesCmd cmd) { - SearchWrapper searchWrapper = new SearchWrapper(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId()); + SearchWrapper searchWrapper = new SearchWrapper(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId(), + "listAutoScalePolicies"); SearchBuilder sb = searchWrapper.getSearchBuilder(); Long id = cmd.getId(); Long conditionId = cmd.getConditionId(); @@ -805,7 +810,8 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale Long profileId = cmd.getProfileId(); Long zoneId = cmd.getZoneId(); - SearchWrapper searchWrapper = new SearchWrapper(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId()); + SearchWrapper searchWrapper = new SearchWrapper(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId(), + "listAutoScaleVmGroups"); SearchBuilder sb = searchWrapper.getSearchBuilder(); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); @@ -1078,7 +1084,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale Long id = cmd.getId(); Long counterId = cmd.getCounterId(); Long policyId = cmd.getPolicyId(); - SearchWrapper searchWrapper = new SearchWrapper(_conditionDao, ConditionVO.class, cmd, cmd.getId()); + SearchWrapper searchWrapper = new SearchWrapper(_conditionDao, ConditionVO.class, cmd, cmd.getId(), "listConditions"); SearchBuilder sb = searchWrapper.getSearchBuilder(); if (policyId != null) { SearchBuilder asPolicyConditionSearch = _autoScalePolicyConditionMapDao.createSearchBuilder(); diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java index 89f24c6109d..8cb45746967 100644 --- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java +++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java 
@@ -29,6 +29,7 @@ import javax.naming.ConfigurationException; import org.apache.log4j.Logger; import org.springframework.stereotype.Component; + import org.apache.cloudstack.api.command.user.firewall.ListEgressFirewallRulesCmd; import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd; import org.apache.cloudstack.context.CallContext; @@ -70,7 +71,6 @@ import com.cloud.network.rules.FirewallRule.State; import com.cloud.network.rules.FirewallRuleVO; import com.cloud.network.rules.PortForwardingRule; import com.cloud.network.rules.PortForwardingRuleVO; -import com.cloud.network.rules.StaticNat; import com.cloud.network.rules.dao.PortForwardingRulesDao; import com.cloud.network.vpc.VpcManager; import com.cloud.projects.Project.ListProjectResourcesCriteria; @@ -88,11 +88,11 @@ import com.cloud.utils.db.Filter; import com.cloud.utils.db.JoinBuilder; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; +import com.cloud.utils.db.SearchCriteria.Op; +import com.cloud.utils.db.Transaction; import com.cloud.utils.db.TransactionCallbackNoReturn; import com.cloud.utils.db.TransactionCallbackWithException; import com.cloud.utils.db.TransactionStatus; -import com.cloud.utils.db.SearchCriteria.Op; -import com.cloud.utils.db.Transaction; import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.net.NetUtils; import com.cloud.vm.UserVmVO; @@ -261,7 +261,9 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, FirewallRule.TrafficType trafficType = cmd.getTrafficType(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); if (ipId != null) { IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId); 
@@ -272,14 +274,13 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, } Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, cmd.listAll(), false, "listFirewallRules"); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter filter = new Filter(FirewallRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _firewallDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), Op.EQ); sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ); @@ -305,7 +306,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (id != null) { sc.setParameters("id", id); 
@@ -942,7 +943,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, @Inject public void setFirewallElements(List firewallElements) { - this._firewallElements = firewallElements; + _firewallElements = firewallElements; } public List getPfElements() { @@ -951,7 +952,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, @Inject public void setPfElements(List pfElements) { - this._pfElements = pfElements; + _pfElements = pfElements; } public List getStaticNatElements() { @@ -960,7 +961,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, @Inject public void setStaticNatElements(List staticNatElements) { - this._staticNatElements = staticNatElements; + _staticNatElements = staticNatElements; } public List getNetworkAclElements() { @@ -969,7 +970,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, @Inject public void setNetworkAclElements(List networkAclElements) { - this._networkAclElements = networkAclElements; + _networkAclElements = networkAclElements; } } diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java index 0d434784505..36c1540b9c7 100755 --- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java +++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java 
@@ -1971,19 +1971,21 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements Map tags = cmd.getTags(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, - domainIdRecursiveListProject, cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listLoadBalancerRules"); + //Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(LoadBalancerVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _lbDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE); 
@@ -2019,7 +2021,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (keyword != null) { SearchCriteria ssc = _lbDao.createSearchCriteria(); diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java index 2ea10211cce..29875e2c0d6 100755 --- a/server/src/com/cloud/network/rules/RulesManagerImpl.java +++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java @@ -26,6 +26,7 @@ import javax.ejb.Local; import javax.inject.Inject; import org.apache.log4j.Logger; + import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; @@ -75,10 +76,10 @@ import com.cloud.utils.db.Filter; import com.cloud.utils.db.JoinBuilder; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; -import com.cloud.utils.db.TransactionCallbackNoReturn; -import com.cloud.utils.db.TransactionCallbackWithException; import com.cloud.utils.db.SearchCriteria.Op; import com.cloud.utils.db.Transaction; +import com.cloud.utils.db.TransactionCallbackNoReturn; +import com.cloud.utils.db.TransactionCallbackWithException; import com.cloud.utils.db.TransactionCallbackWithExceptionNoReturn; import com.cloud.utils.db.TransactionStatus; import com.cloud.utils.exception.CloudRuntimeException; 
@@ -785,7 +786,9 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules Map tags = cmd.getTags(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); if (ipId != null) { IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId); @@ -796,14 +799,14 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listPortForwardingRules"); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _portForwardingDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), Op.EQ); sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ); 
@@ -823,7 +826,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (id != null) { sc.setParameters("id", id); @@ -992,7 +995,9 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules @Override public Pair, Integer> searchStaticNatRules(Long ipId, Long id, Long vmId, Long start, Long size, String accountName, Long domainId, Long projectId, boolean isRecursive, boolean listAll) { Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); if (ipId != null) { IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId); 
@@ -1003,14 +1008,15 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, listAll, false); + _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, + false, "listIpForwardingRules"); domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, start, size); SearchBuilder sb = _firewallDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ); sb.and("purpose", sb.entity().getPurpose(), Op.EQ); @@ -1023,7 +1029,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sc.setParameters("purpose", Purpose.StaticNat); if (id != null) { diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java index d12e57701cc..d2b1b4a078c 100644 --- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java +++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java 
@@ -16,7 +16,6 @@ // under the License. package com.cloud.network.vpc; -import java.util.ArrayList; import java.util.List; import java.util.Map; @@ -42,14 +41,12 @@ import com.cloud.network.dao.NetworkDao; import com.cloud.network.dao.NetworkVO; import com.cloud.network.vpc.dao.NetworkACLDao; import com.cloud.network.vpc.dao.VpcGatewayDao; -import com.cloud.projects.Project.ListProjectResourcesCriteria; import com.cloud.server.ResourceTag.ResourceObjectType; import com.cloud.tags.ResourceTagVO; import com.cloud.tags.dao.ResourceTagDao; import com.cloud.user.Account; import com.cloud.user.AccountManager; import com.cloud.utils.Pair; -import com.cloud.utils.Ternary; import com.cloud.utils.component.ManagerBase; import com.cloud.utils.db.EntityManager; import com.cloud.utils.db.Filter; @@ -422,6 +419,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ Map tags = cmd.getTags(); Account caller = CallContext.current().getCallingAccount(); + /* NetworkACLItem is not ControlledEntity, no ACL built criteria List permittedAccounts = new ArrayList(); Ternary domainIdRecursiveListProject = @@ -431,6 +429,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); + */ Filter filter = new Filter(NetworkACLItemVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _networkACLItemDao.createSearchBuilder(); diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java index 0b9d306143b..471e53bca5a 100644 --- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java +++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java 
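Review bot: The buildACLSearchParameters setup in this listing method is commented out, with the remark that NetworkACLItem is not a ControlledEntity, and nothing in the visible hunks replaces it. `caller` is still fetched, but no caller-derived restriction is applied to the search in the lines shown. Whether results are limited to ACL items the caller may see (for instance through the owning ACL or VPC) is decided outside these hunks and should be confirmed before merging. I would delete the dead block and leave a comment naming the real enforcement point, e.g. `// NetworkACLItem has no owner columns; visibility is enforced by <ENFORCEMENT_POINT>` (placeholder to fill in). If `caller` ends up unused, it should go too.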
@@ -31,6 +31,8 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.log4j.Logger; + import org.apache.cloudstack.acl.ControlledEntity.ACLType; import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd; import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd; @@ -39,7 +41,6 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe import org.apache.cloudstack.framework.config.ConfigDepot; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; import org.apache.cloudstack.managed.context.ManagedContextRunnable; -import org.apache.log4j.Logger; import com.cloud.configuration.Config; import com.cloud.configuration.ConfigurationManager; @@ -118,13 +119,13 @@ import com.cloud.utils.db.GlobalLock; import com.cloud.utils.db.JoinBuilder; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; +import com.cloud.utils.db.SearchCriteria.Op; +import com.cloud.utils.db.Transaction; import com.cloud.utils.db.TransactionCallback; import com.cloud.utils.db.TransactionCallbackNoReturn; import com.cloud.utils.db.TransactionCallbackWithException; import com.cloud.utils.db.TransactionCallbackWithExceptionNoReturn; import com.cloud.utils.db.TransactionStatus; -import com.cloud.utils.db.SearchCriteria.Op; -import com.cloud.utils.db.Transaction; import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.exception.ExceptionUtil; import com.cloud.utils.net.NetUtils; 
@@ -819,19 +820,20 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis String cidr, Long vpcOffId, String state, String accountName, Long domainId, String keyword, Long startIndex, Long pageSizeVal, Long zoneId, Boolean isRecursive, Boolean listAll, Boolean restartRequired, Map tags, Long projectId) { Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, - listAll, false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, + false, "listVPCs"); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(VpcVO.class, "created", false, startIndex, pageSizeVal); SearchBuilder sb = _vpcDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); 
@@ -856,7 +858,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis // now set the SC criteria... SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (keyword != null) { SearchCriteria ssc = _vpcDao.createSearchCriteria(); @@ -1422,7 +1424,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis if (privateNtwk == null) { s_logger.info("creating new network for vpc " + vpc + " using broadcast uri: " + broadcastUri); String networkName = "vpc-" + vpc.getName() + "-privateNetwork"; - privateNtwk = _ntwkSvc.createPrivateNetwork(networkName, networkName, physicalNetworkIdFinal, + privateNtwk = _ntwkSvc.createPrivateNetwork(networkName, networkName, physicalNetworkIdFinal, broadcastUri, ipAddress, null, gateway, netmask, gatewayOwnerId, vpcId, isSourceNat, networkOfferingId); } else { // create the nic/ip as createPrivateNetwork doesn''t do that work for us now DataCenterVO dc = _dcDao.lockRow(physNetFinal.getDataCenterId(), true); 
@@ -1617,21 +1619,22 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis Long domainId = cmd.getDomainId(); String accountName = cmd.getAccountName(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); String state = cmd.getState(); Long projectId = cmd.getProjectId(); Filter searchFilter = new Filter(VpcGatewayVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal()); Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, - listAll, false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, + false, "listPrivateGateways"); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); SearchBuilder sb = _vpcGatewayDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (vlan != null) { SearchBuilder ntwkSearch = _ntwkDao.createSearchBuilder(); 
@@ -1640,7 +1643,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (id != null) { sc.addAnd("id", Op.EQ, id); 
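Review bot: The replacement line after `SearchCriteria sc = sb.create();` calls `buildACLSearchBuilder(sb, ...)` a second time instead of `buildACLSearchCriteria(sc, ...)`, so in this listing the permitted domains, accounts and resources are never applied to `sc`. Every other list method converted in this commit keeps the criteria call at this position, which suggests a copy-paste slip; if so, the private-gateway query may run without the caller's ACL restriction, and the builder is also modified after `create()` has been called. The line should read `_accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);`. The enclosing method starts and ends outside the hunk.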
@@ -1869,21 +1872,23 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis Boolean listAll = cmd.listAll(); String accountName = cmd.getAccountName(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); + Map tags = cmd.getTags(); Long projectId = cmd.getProjectId(); Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, - listAll, false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, + false, "listStaticRoutes"); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(StaticRouteVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _staticRouteDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ); 
@@ -1902,7 +1907,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (id != null) { sc.addAnd("id", Op.EQ, id); @@ -2038,7 +2043,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis s_logger.debug("Associating ip " + ipToAssoc + " to vpc " + vpc); - final boolean isSourceNatFinal = isSourceNat; + final boolean isSourceNatFinal = isSourceNat; Transaction.execute(new TransactionCallbackNoReturn() { @Override public void doInTransactionWithoutResult(TransactionStatus status) { diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java index 504e5e88f45..5c4241d105c 100755 --- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java @@ -26,6 +26,7 @@ import javax.inject.Inject; import javax.naming.ConfigurationException; import org.apache.log4j.Logger; + import org.apache.cloudstack.api.command.user.vpn.ListRemoteAccessVpnsCmd; import org.apache.cloudstack.api.command.user.vpn.ListVpnUsersCmd; import org.apache.cloudstack.context.CallContext; 
@@ -81,10 +82,10 @@ import com.cloud.utils.db.Filter; import com.cloud.utils.db.JoinBuilder; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; -import com.cloud.utils.db.TransactionCallback; -import com.cloud.utils.db.TransactionCallbackNoReturn; import com.cloud.utils.db.SearchCriteria.Op; import com.cloud.utils.db.Transaction; +import com.cloud.utils.db.TransactionCallback; +import com.cloud.utils.db.TransactionCallbackNoReturn; import com.cloud.utils.db.TransactionCallbackWithException; import com.cloud.utils.db.TransactionStatus; import com.cloud.utils.net.NetUtils; @@ -202,7 +203,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc throw new InvalidParameterValueException("Vpn service is not supported in network id=" + ipAddr.getAssociatedWithNetworkId()); } cidr = NetUtils.getCidr(network.getCidr()); - } else { // Don't need to check VPC because there is only one IP(source NAT IP) available for VPN + } else { // Don't need to check VPC because there is only one IP(source NAT IP) available for VPN Vpc vpc = _vpcDao.findById(vpcId); cidr = NetUtils.getCidr(vpc.getCidr()); } 
@@ -553,24 +554,26 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc String username = cmd.getUsername(); Long id = cmd.getId(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listVpnUsers"); + //Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(VpnUserVO.class, "username", true, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _vpnUsersDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); - + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("username", sb.entity().getUsername(), SearchCriteria.Op.EQ); sb.and("state", sb.entity().getState(), Op.IN); SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); 
//list only active users sc.setParameters("state", State.Active, State.Add); @@ -592,7 +595,9 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc // do some parameter validation Account caller = CallContext.current().getCallingAccount(); Long ipAddressId = cmd.getPublicIpId(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); if (ipAddressId != null) { PublicIpAddress publicIp = _networkMgr.getPublicIpAddress(ipAddressId); 
@@ -609,21 +614,21 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc } Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listRemoteAccessVpns"); + //Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter filter = new Filter(RemoteAccessVpnVO.class, "serverAddressId", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _remoteAccessVpnDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("serverAddressId", sb.entity().getServerAddressId(), Op.EQ); sb.and("state", sb.entity().getState(), Op.EQ); SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); - + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sc.setParameters("state", RemoteAccessVpn.State.Running); diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java index 94d2dc3e223..f42a5a07d8e 100644 
--- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java @@ -5,7 +5,7 @@ // to you under the Apache License, Version 2.0 (the // "License"); you may not use this file except in compliance // with the License. You may obtain a copy of the License at -// +// // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, @@ -24,6 +24,9 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + import org.apache.cloudstack.api.command.user.vpn.CreateVpnConnectionCmd; import org.apache.cloudstack.api.command.user.vpn.CreateVpnCustomerGatewayCmd; import org.apache.cloudstack.api.command.user.vpn.CreateVpnGatewayCmd; @@ -37,8 +40,6 @@ import org.apache.cloudstack.api.command.user.vpn.ResetVpnConnectionCmd; import org.apache.cloudstack.api.command.user.vpn.UpdateVpnCustomerGatewayCmd; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; import com.cloud.configuration.Config; import com.cloud.event.ActionEvent; @@ -69,7 +70,6 @@ import com.cloud.user.dao.AccountDao; import com.cloud.utils.NumbersUtil; import com.cloud.utils.Pair; import com.cloud.utils.Ternary; -import com.cloud.utils.component.Manager; import com.cloud.utils.component.ManagerBase; import com.cloud.utils.db.DB; import com.cloud.utils.db.Filter; 
@@ -250,7 +250,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn } if (_vpnConnectionDao.findByVpnGatewayIdAndCustomerGatewayId(vpnGatewayId, customerGatewayId) != null) { - throw new InvalidParameterValueException("The vpn connection with customer gateway id " + customerGatewayId + " or vpn gateway id " + throw new InvalidParameterValueException("The vpn connection with customer gateway id " + customerGatewayId + " or vpn gateway id " + vpnGatewayId + " already existed!"); } if (_vpnConnectionDao.findByCustomerGatewayId(customerGatewayId) != null) { 
@@ -564,23 +564,26 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn long pageSizeVal = cmd.getPageSizeVal(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); - Ternary domainIdRecursiveListProject = new Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false, + "listVpnCustomerGateways"); + //domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(Site2SiteCustomerGatewayVO.class, "id", false, startIndex, pageSizeVal); SearchBuilder sb = _customerGatewayDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (id != null) { sc.addAnd("id", SearchCriteria.Op.EQ, id); 
@@ -603,24 +606,27 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn long pageSizeVal = cmd.getPageSizeVal(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); - Ternary domainIdRecursiveListProject = new Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false, + "listVpnGateways"); + //domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(Site2SiteVpnGatewayVO.class, "id", false, startIndex, pageSizeVal); SearchBuilder sb = _vpnGatewayDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ); SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (id != null) { sc.addAnd("id", SearchCriteria.Op.EQ, id); 
@@ -647,18 +653,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn long pageSizeVal = cmd.getPageSizeVal(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); - Ternary domainIdRecursiveListProject = new Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false, + "listVpnConnections"); + //domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(Site2SiteVpnConnectionVO.class, "id", false, startIndex, pageSizeVal); SearchBuilder sb = _vpnConnectionDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); @@ -669,7 +678,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (id != null) { sc.addAnd("id", SearchCriteria.Op.EQ, id); 
@@ -771,6 +780,6 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn @Inject public void setS2sProviders(List s2sProviders) { - this._s2sProviders = s2sProviders; + _s2sProviders = s2sProviders; } } diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java index 22e72b4b0f8..dbbafad5d2f 100755 --- a/server/src/com/cloud/server/ManagementServerImpl.java +++ b/server/src/com/cloud/server/ManagementServerImpl.java 
@@ -1934,19 +1934,22 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe SearchBuilder sb = _publicIpAddressDao.createSearchBuilder(); Long domainId = null; Boolean isRecursive = null; + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); + ListProjectResourcesCriteria listProjectResourcesCriteria = null; if (isAllocated) { Account caller = CallContext.current().getCallingAccount(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, cmd.getId(), cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, - domainIdRecursiveListProject, cmd.listAll(), false); - domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, cmd.getId(), cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listPublicIpAddresses"); + //domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); listProjectResourcesCriteria = domainIdRecursiveListProject.third(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); } sb.and("dataCenterId", sb.entity().getDataCenterId(), SearchCriteria.Op.EQ); 
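Review bot: `Long domainId = null;` at the top of this hunk is now never assigned, because its only write is commented out as `//domainId = domainIdRecursiveListProject.first();`; unless it is read elsewhere in the method (not visible here), both lines should be deleted rather than kept as dead code. The same commented-out `domainId` line is left behind in the listVpnUsers and listRemoteAccessVpns hunks of RemoteAccessVpnManagerImpl and in the three list hunks of Site2SiteVpnManagerImpl, while VpcManagerImpl and SnapshotManagerImpl remove it cleanly. Commented-out code in an access-control path makes it easy to restore the old domain-based filter by mistake. The method body continues outside the hunk.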
@@ -2000,7 +2003,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe SearchCriteria sc = sb.create(); if (isAllocated) { - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); } sc.setJoinParameters("vlanSearch", "vlanType", vlanType); 
@@ -3563,21 +3566,22 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe String fingerPrint = cmd.getFingerprint(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, - cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listSSHKeyPairs"); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); SearchBuilder sb = _sshKeyPairDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); Filter searchFilter = new Filter(SSHKeyPairVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (name != null) { sc.addAnd("name", SearchCriteria.Op.EQ, name); 
diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java index e11b959ef65..f3d7997c034 100755 --- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java +++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java @@ -466,7 +466,10 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, Map tags = cmd.getTags(); Long zoneId = cmd.getZoneId(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); + // Verify parameters if (volumeId != null) { 
@@ -477,14 +480,14 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, } Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listSnapshots"); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(SnapshotVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _snapshotDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("statusNEQ", sb.entity().getState(), SearchCriteria.Op.NEQ); //exclude those Destroyed snapshot, not showing on UI sb.and("volumeId", sb.entity().getVolumeId(), SearchCriteria.Op.EQ); @@ -507,7 +510,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sc.setParameters("statusNEQ", Snapshot.State.Destroyed); 
diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java index a06e2bae40a..5a95327296f 100755 --- a/server/src/com/cloud/user/AccountManager.java +++ b/server/src/com/cloud/user/AccountManager.java @@ -83,21 +83,20 @@ public interface AccountManager extends AccountService { boolean enableAccount(long accountId); - void buildACLSearchBuilder(SearchBuilder sb, Long domainId, - boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria); - - void buildACLSearchCriteria(SearchCriteria sc, - Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria); - - - void buildACLSearchParameters(Account caller, Long id, - String accountName, Long projectId, List permittedAccounts, Ternary domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation); // new ACL model routine for query api based on db views void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List permittedDomains, List permittedAccounts, List permittedResources, Ternary domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation, String action); + void buildACLSearchBuilder(SearchBuilder sb, boolean isRecursive, + List permittedDomains, + List permittedAccounts, List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria); + + void buildACLSearchCriteria(SearchCriteria sc, boolean isRecursive, + List permittedDomains, + List permittedAccounts, List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria); + void buildACLViewSearchCriteria(SearchCriteria sc, SearchCriteria aclSc, boolean isRecursive, List permittedDomains, List permittedAccounts, List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria); 
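Review bot: The re-declared `buildACLSearchBuilder` and `buildACLSearchCriteria` carry no Javadoc, and the interface does not say what it means when `permittedDomains`, `permittedAccounts` and `permittedResources` are all empty. In the implementation this commit removes, an empty `permittedAccounts` together with a null `domainId` added no account or domain restriction, and every caller now passes three freshly created lists, so whether "all empty" means unrestricted or nothing permitted is a contract worth writing down. I would add a Javadoc block on both methods that describes each list and the empty-list case. It should also state the call order the callers rely on: the builder call before `sb.create()`, the criteria call after it.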
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 1701464378e..183353cb327 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -48,6 +48,7 @@ import org.apache.cloudstack.acl.SecurityChecker; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.affinity.AffinityGroup; import org.apache.cloudstack.affinity.dao.AffinityGroupDao; +import org.apache.cloudstack.api.InternalIdentity; import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd; import org.apache.cloudstack.api.command.admin.user.RegisterCmd; @@ -107,7 +108,6 @@ import com.cloud.network.vpn.RemoteAccessVpnService; import com.cloud.network.vpn.Site2SiteVpnManager; import com.cloud.projects.Project; import com.cloud.projects.Project.ListProjectResourcesCriteria; -import com.cloud.projects.ProjectInvitationVO; import com.cloud.projects.ProjectManager; import com.cloud.projects.ProjectVO; import com.cloud.projects.dao.ProjectAccountDao; 
@@ -2169,251 +2169,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } - - @Override - public void buildACLSearchBuilder(SearchBuilder sb, - Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { - - if (sb.entity() instanceof IPAddressVO) { - sb.and("accountIdIN", ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN); - sb.and("domainId", ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ); - } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.and("accountIdIN", ((ProjectInvitationVO) sb.entity()).getForAccountId(), SearchCriteria.Op.IN); - sb.and("domainId", ((ProjectInvitationVO) sb.entity()).getInDomainId(), SearchCriteria.Op.EQ); - } else { - sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); - sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ); - } - - if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) { - // if accountId isn't specified, we can do a domain match for the admin case if isRecursive is true - SearchBuilder domainSearch = _domainDao.createSearchBuilder(); - domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE); - - if (sb.entity() instanceof IPAddressVO) { - sb.join("domainSearch", domainSearch, ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); - } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); - } else { - sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); - } - - } - if (listProjectResourcesCriteria != null) { - SearchBuilder accountSearch = _accountDao.createSearchBuilder(); - if 
(listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) { - accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.EQ); - } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) { - accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.NEQ); - } - - if (sb.entity() instanceof IPAddressVO) { - sb.join("accountSearch", accountSearch, ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); - } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); - } else { - sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); - } - } - } - - @Override - public void buildACLSearchCriteria(SearchCriteria sc, - Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { - - if (listProjectResourcesCriteria != null) { - sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT); - } - - if (!permittedAccounts.isEmpty()) { - sc.setParameters("accountIdIN", permittedAccounts.toArray()); - } else if (domainId != null) { - DomainVO domain = _domainDao.findById(domainId); - if (isRecursive) { - sc.setJoinParameters("domainSearch", "path", domain.getPath() + "%"); - } else { - sc.setParameters("domainId", domainId); - } - } - } - -// @Override -// public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List -// permittedAccounts, Ternary domainIdRecursiveListProject, -// boolean listAll, boolean forProjectInvitation) { -// Long domainId = domainIdRecursiveListProject.first(); -// if (domainId != null) { -// Domain domain = _domainDao.findById(domainId); 
-// if (domain == null) { -// throw new InvalidParameterValueException("Unable to find domain by id " + domainId); -// } -// // check permissions -// checkAccess(caller, domain); -// } -// -// if (accountName != null) { -// if (projectId != null) { -// throw new InvalidParameterValueException("Account and projectId can't be specified together"); -// } -// -// Account userAccount = null; -// Domain domain = null; -// if (domainId != null) { -// userAccount = _accountDao.findActiveAccount(accountName, domainId); -// domain = _domainDao.findById(domainId); -// } else { -// userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId()); -// domain = _domainDao.findById(caller.getDomainId()); -// } -// -// if (userAccount != null) { -// checkAccess(caller, null, false, userAccount); -// //check permissions -// permittedAccounts.add(userAccount.getId()); -// } else { -// throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid()); -// } -// } -// -// // set project information -// if (projectId != null) { -// if (!forProjectInvitation) { -// if (projectId.longValue() == -1) { -// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { -// permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId())); -// } else { -// domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly); -// } -// } else { -// Project project = _projectMgr.getProject(projectId); -// if (project == null) { -// throw new InvalidParameterValueException("Unable to find project by id " + projectId); -// } -// if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) { -// throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId); -// } -// permittedAccounts.add(project.getProjectAccountId()); -// } -// } -// } else { -// if (id == null) { -// 
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources); -// } -// if (permittedAccounts.isEmpty() && domainId == null) { -// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { -// permittedAccounts.add(caller.getId()); -// } else if (!listAll) { -// if (id == null) { -// permittedAccounts.add(caller.getId()); -// } else if (!isRootAdmin(caller.getId())) { -// domainIdRecursiveListProject.first(caller.getDomainId()); -// domainIdRecursiveListProject.second(true); -// } -// } else if (domainId == null) { -// if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { -// domainIdRecursiveListProject.first(caller.getDomainId()); -// domainIdRecursiveListProject.second(true); -// } -// } -// } else if (domainId != null) { -// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { -// permittedAccounts.add(caller.getId()); -// } -// } -// -// } -// } - - //TODO: deprecate this to use the new buildACLSearchParameters with permittedDomains, permittedAccounts, and permittedResources as return - @Override - public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List - permittedAccounts, Ternary domainIdRecursiveListProject, - boolean listAll, boolean forProjectInvitation) { - Long domainId = domainIdRecursiveListProject.first(); - if (domainId != null) { - Domain domain = _domainDao.findById(domainId); - if (domain == null) { - throw new InvalidParameterValueException("Unable to find domain by id " + domainId); - } - // check permissions - checkAccess(caller, domain); - } - - if (accountName != null) { - if (projectId != null) { - throw new InvalidParameterValueException("Account and projectId can't be specified together"); - } - - Account userAccount = null; - Domain domain = null; - if (domainId != null) { - userAccount = _accountDao.findActiveAccount(accountName, domainId); - domain = _domainDao.findById(domainId); - } else { - userAccount = _accountDao.findActiveAccount(accountName, 
caller.getDomainId()); - domain = _domainDao.findById(caller.getDomainId()); - } - - if (userAccount != null) { - checkAccess(caller, null, false, userAccount); - // check permissions - permittedAccounts.add(userAccount.getId()); - } else { - throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid()); - } - } - - // set project information - if (projectId != null) { - if (!forProjectInvitation) { - if (projectId.longValue() == -1) { - if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { - permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId())); - } else { - domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly); - } - } else { - Project project = _projectMgr.getProject(projectId); - if (project == null) { - throw new InvalidParameterValueException("Unable to find project by id " + projectId); - } - if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) { - throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId); - } - permittedAccounts.add(project.getProjectAccountId()); - } - } - } else { - if (id == null) { - domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources); - } - if (permittedAccounts.isEmpty() && domainId == null) { - if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { - permittedAccounts.add(caller.getId()); - } else if (!listAll) { - if (id == null) { - permittedAccounts.add(caller.getId()); - } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { - domainIdRecursiveListProject.first(caller.getDomainId()); - domainIdRecursiveListProject.second(true); - } - } else if (domainId == null) { - if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { - domainIdRecursiveListProject.first(caller.getDomainId()); - domainIdRecursiveListProject.second(true); - } - } - } else if (domainId != null) { - if 
(caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { - permittedAccounts.add(caller.getId()); - } - } - - } - - } - - @Override public UserAccount getUserByApiKey(String apiKey) { return _userAccountDao.getUserByApiKey(apiKey); 
@@ -2526,6 +2281,119 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } + @Override + public void buildACLSearchBuilder(SearchBuilder sb, boolean isRecursive, + List permittedDomains, + List permittedAccounts, List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { + + if (listProjectResourcesCriteria != null) { + // add criteria for project or not + SearchBuilder accountSearch = _accountDao.createSearchBuilder(); + if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) { + accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.EQ); + } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) { + accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.NEQ); + } + + if (sb.entity() instanceof IPAddressVO) { + sb.join("accountSearch", accountSearch, ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); + } else { + sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); + } + } + if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() && permittedResources.isEmpty()) + // can access everything + return; + + if (!permittedAccounts.isEmpty() || !permittedResources.isEmpty()) { + if (!permittedAccounts.isEmpty()) { + if (sb.entity() instanceof IPAddressVO) { + sb.and().op("accountIdIn", ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN); + } else { + sb.and().op("accountIdIn", sb.entity().getAccountId(), SearchCriteria.Op.IN); + } + if (!permittedResources.isEmpty()) { + sb.or("idIn", ((InternalIdentity)sb.entity()).getId(), SearchCriteria.Op.IN); + } + } else { + // permittedResources is not empty + sb.and().op("idIn", ((InternalIdentity)sb.entity()).getId(), SearchCriteria.Op.IN); + } + if 
(!permittedDomains.isEmpty()) { + if (isRecursive) { + SearchBuilder domainSearch = _domainDao.createSearchBuilder(); + for (int i = 0; i < permittedDomains.size(); i++) { + domainSearch.or("path" + i, domainSearch.entity().getPath(), SearchCriteria.Op.LIKE); + } + if (sb.entity() instanceof IPAddressVO) { + sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + } else { + sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + } + } else { + if (sb.entity() instanceof IPAddressVO) { + sb.or("domainIdIn", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.IN); + } else { + sb.or("domainIdIn", sb.entity().getDomainId(), SearchCriteria.Op.IN); + } + } + } + sb.cp(); + } else { + // permittedDomains is not empty + if (isRecursive) { + SearchBuilder domainSearch = _domainDao.createSearchBuilder(); + domainSearch.and().op("path0", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE); + for (int i = 1; i < permittedDomains.size(); i++) { + domainSearch.or("path" + i, domainSearch.entity().getPath(), SearchCriteria.Op.LIKE); + } + domainSearch.cp(); + if (sb.entity() instanceof IPAddressVO) { + sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + } else { + sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + } + } else { + if (sb.entity() instanceof IPAddressVO) { + sb.and().op("domainIdIn", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.IN); + } else { + sb.and().op("domainIdIn", sb.entity().getDomainId(), SearchCriteria.Op.IN); + } + sb.cp(); + } + } + } + + @Override + public void buildACLSearchCriteria(SearchCriteria sc, boolean isRecursive, + List permittedDomains, + List 
permittedAccounts, List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { + + if (listProjectResourcesCriteria != null) { + sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT); + } + + if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() && permittedResources.isEmpty()) + // can access everything + return; + + if (!permittedAccounts.isEmpty()) { + sc.setParameters("accountIdIn", permittedAccounts.toArray()); + } + if (!permittedResources.isEmpty()) { + sc.setParameters("idIn", permittedResources.toArray()); + } + if (!permittedDomains.isEmpty()) { + if (isRecursive) { + for (int i = 0; i < permittedDomains.size(); i++) { + DomainVO domain = _domainDao.findById(permittedDomains.get(i)); + sc.setJoinParameters("domainSearch", "path" + i, domain.getPath() + "%"); + } + } else { + sc.setParameters("domainIdIn", permittedDomains.toArray()); + } + } + } @Override public void buildACLViewSearchCriteria(SearchCriteria sc, SearchCriteria aclSc, boolean isRecursive, diff --git a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java index 3e6d7f96010..ca9f69a158f 100644 --- a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java +++ b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java 
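Review bot: The early `return` under `// can access everything` in `buildACLSearchBuilder` and `buildACLSearchCriteria` fails open: three empty lists add no ACL condition, so a caller for whom `buildACLSearchParameters` resolved no grants would be indistinguishable from an unrestricted one. That routine's body is not in this diff, so confirm it can never leave all three lists empty for a non-admin, and record the contract at the check, e.g. `// all lists empty == unrestricted caller; buildACLSearchParameters must never return this for a caller without grants`. Separately, when `isRecursive` is true and accounts or resources are also permitted, the domain paths are applied through an INNER join and so appear to AND with the `accountIdIn`/`idIn` group, while the non-recursive branch ORs `domainIdIn` into it, so the two modes select different sets. The removed implementation also special-cased `ProjectInvitationVO` (`getForAccountId()`/`getInDomainId()`); the new one only special-cases `IPAddressVO`, so any remaining caller passing that entity would now filter on `getAccountId()`/`getDomainId()` instead.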
@@ -27,14 +27,15 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + import org.apache.cloudstack.api.command.user.vmsnapshot.ListVMSnapshotCmd; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.engine.subsystem.api.storage.StorageStrategyFactory; import org.apache.cloudstack.engine.subsystem.api.storage.VMSnapshotOptions; import org.apache.cloudstack.engine.subsystem.api.storage.VMSnapshotStrategy; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; import com.cloud.event.ActionEvent; import com.cloud.event.EventTypes; @@ -124,7 +125,9 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana @Override public List listVMSnapshots(ListVMSnapshotCmd cmd) { Account caller = getCaller(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); boolean listAll = cmd.listAll(); Long id = cmd.getId(); 
@@ -137,15 +140,14 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, listAll, - false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, listAll, false, "listVMSnapshot"); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(VMSnapshotVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _vmSnapshotDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("vm_id", sb.entity().getVmId(), SearchCriteria.Op.EQ); sb.and("domain_id", sb.entity().getDomainId(), SearchCriteria.Op.EQ); @@ -157,7 +159,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana sb.done(); SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (accountName != null && cmd.getDomainId() != null) { Account account = _accountMgr.getActiveAccountByName(accountName, cmd.getDomainId()); 
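Review bot: The ACL action is passed as the bare literal `"listVMSnapshot"` in the new `buildACLSearchParameters` call, and the `ApplicationLoadBalancerManagerImpl` hunk does the same with `"listLoadBalancers"`. How the action name is resolved is outside this diff, but if an unrecognised name yields no grants, the three lists stay empty and the new `buildACLSearchBuilder` in this commit treats that as unrestricted, so a typo would presumably widen the listing rather than fail. A shared constant per action, or a name taken from the command class, would keep call sites and policy definitions from drifting apart. `listVMSnapshots` begins and ends outside this hunk.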
@@ -168,8 +170,8 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana sc.setParameters("vm_id", vmId); } - if (domainId != null) { - sc.setParameters("domain_id", domainId); + if (cmd.getDomainId() != null) { + sc.setParameters("domain_id", cmd.getDomainId()); } if (state == null) { diff --git a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java index b7cd231831c..49187b35580 100644 --- a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java +++ b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java @@ -26,6 +26,7 @@ import javax.inject.Inject; import org.apache.log4j.Logger; import org.springframework.stereotype.Component; + import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.command.user.loadbalancer.ListApplicationLoadBalancersCmd; import org.apache.cloudstack.context.CallContext; 
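Review bot: `domain_id` is now bound to the raw `cmd.getDomainId()` instead of the value left in `domainIdRecursiveListProject.first()`, so this filter no longer follows any adjustment `buildACLSearchParameters` may make to the domain. The condition is declared with `SearchCriteria.Op.EQ` and is ANDed with the ACL clauses, so with `isRecursive` true the listing appears to return only the named domain's own snapshots and not those of the sub-domains that the `path` LIKE join admits. If that is intended, a comment such as `// exact-domain filter; narrows the ACL result, never widens it` would record it; otherwise the parameter should only be set when `isRecursive` is false. The method body starts and ends outside this hunk.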
@@ -385,19 +386,20 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A Map tags = cmd.getTags(); Account caller = CallContext.current().getCallingAccount(); + List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); + List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, - domainIdRecursiveListProject, cmd.listAll(), false); - Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, + domainIdRecursiveListProject, cmd.listAll(), false, "listLoadBalancers"); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(ApplicationLoadBalancerRuleVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _lbDao.createSearchBuilder(); - _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ); 
@@ -424,7 +426,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A } SearchCriteria sc = sb.create(); - _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria); + _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); if (keyword != null) { SearchCriteria ssc = _lbDao.createSearchCriteria(); diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index 588ae74e7bc..271d9ae753b 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java @@ -260,24 +260,6 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco return false; } - @Override - public void buildACLSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, - ListProjectResourcesCriteria listProjectResourcesCriteria) { - // TODO Auto-generated method stub - - } - - @Override - public void buildACLSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, - ListProjectResourcesCriteria listProjectResourcesCriteria) { - // TODO Auto-generated method stub - - } - - @Override - public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List permittedAccounts, Ternary domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation) { - // TODO Auto-generated method stub - } /* (non-Javadoc) 
@@ -351,5 +333,18 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco } + @Override + public void buildACLSearchBuilder(SearchBuilder sb, boolean isRecursive, List permittedDomains, List permittedAccounts, + List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLSearchCriteria(SearchCriteria sc, boolean isRecursive, List permittedDomains, List permittedAccounts, + List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } }