From c3ee01cca1f82501d076ed9c838f8b7139527447 Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Tue, 18 Mar 2014 17:04:27 -0700
Subject: [PATCH] More changes to support 'readOnly' access
---
 api/src/org/apache/cloudstack/api/ApiConstants.java | 2 +-
 server/src/com/cloud/acl/DomainChecker.java | 11 +++++++++++
 .../command/iam/AddIAMPermissionToIAMPolicyCmd.java | 1 -
 .../org/apache/cloudstack/iam/IAMApiServiceImpl.java | 3 ++-
 .../apache/cloudstack/iam/test/IAMApiServiceTest.java | 4 ++--
 5 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index b8f720a8c54..97b1cd75eaa 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -591,7 +591,7 @@ public class ApiConstants {
 public static final String VGPUTYPE = "vgputype";
 public static final String REMAININGCAPACITY = "remainingcapacity";
 public static final String DISTRIBUTED_VPC_ROUTER = "distributedvpcrouter";
- public static final String READ_ONLY = "readOnly";
+ public static final String READ_ONLY = "readonly";
 public enum HostDetails {
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index cb6921d9fae..ea129f7aefe 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -328,6 +328,17 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 @Override
 public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException {
+
+ if (action != null && ("SystemCapability".equals(action))) {
+ if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+ return true;
+ }
+
+ } else if (action != null && ("DomainCapability".equals(action))) {
+ if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ return true;
+ }
+ }
 return checkAccess(caller, entity, accessType);
 }
 }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
index e7c5650ed2c..d69f3d0a0b9 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
@@ -29,7 +29,6 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.IAMApiService;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index 467caed3d70..5d35ee27943 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
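Review bot: Both new branches in DomainChecker.checkAccess return true on the caller's account type alone, before `entity` and `accessType` are looked at, so a domain admin is granted any `"DomainCapability"` action on an entity regardless of which domain owns it. If the capability is meant to stay inside the admin's own domain tree, the `ACCOUNT_TYPE_DOMAIN_ADMIN` branch should also compare domains before returning, e.g. `if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN && entity != null && caller.getDomainId() == entity.getDomainId())`, extended to child domains if those should be covered. Callers that do not match the type fall through to `checkAccess(caller, entity, accessType)` rather than being denied, and a root admin is not covered by the `"DomainCapability"` branch; if both are intended, a comment such as `// capability actions: a matching admin type short-circuits, everyone else gets the normal entity check` would make that explicit. The class body starts outside the hunk.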
@@ -721,7 +721,8 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
 String description = "Policy to grant permission to " + entityType + entityId;
 policy = createIAMPolicy(caller, aclPolicyName, description, null);
 // add permission to this policy
- addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action, Permission.Allow, false);
+ addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action,
+ Permission.Allow, false, false);
 }
 // attach this policy to list of accounts if not attached already
 Long policyId = policy.getId();
diff --git a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
index 49c4c9f4ca5..1f0972066dd 100644
--- a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
+++ b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
@@ -295,8 +295,8 @@ public class IAMApiServiceTest {
 _iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines", AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
- _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false);
+ _aclSrv.addIAMPermissionToIAMPolicy(policyId, IAMEntityType.VirtualMachine.toString(),
+ PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
 Pair, Integer> policyList = new Pair, Integer>(policies, 1);
 List policyPerms = new ArrayList();
 IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines",
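Review bot: The rewritten call in IAMApiServiceImpl now ends in two bare boolean literals, `Permission.Allow, false, false);`, so the call site no longer shows which flag was added or what this resource-scoped Allow grant leaves switched off. Given the commit subject, the new argument is presumably the read-only flag, but the method signature is outside the hunk; naming both at the call site, e.g. `Permission.Allow, /* recursive */ false, /* readOnly */ false);` with the names checked against the signature, would make the grant reviewable. If `false` here means the permission is not read-only, a short comment saying that this path deliberately grants full access on the entity would help too. The enclosing method starts and ends outside the hunk.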