From cb7b6867c623569b79f220adcc1f0bdc92baeea4 Mon Sep 17 00:00:00 2001
From: Kelven Yang <kelven@cloud.com>
Date: Tue, 4 Jan 2011 23:42:42 -0800
Subject: [PATCH] Bug 7370: Give domain admin permission to view user VM under
 its domain scope

---
 .../com/cloud/server/ManagementServer.java    |  3 +-
 .../cloud/servlet/ConsoleProxyServlet.java    | 48 ++++++++++++-------
 2 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/server/src/com/cloud/server/ManagementServer.java b/server/src/com/cloud/server/ManagementServer.java
index a0ba9d1c7b6..5b7114db26d 100755
--- a/server/src/com/cloud/server/ManagementServer.java
+++ b/server/src/com/cloud/server/ManagementServer.java
@@ -542,6 +542,5 @@ public interface ManagementServer extends ManagementService {
     long getPsMaintenanceCount(long podId);
     boolean isPoolUp(long instanceId);
     boolean checkIfMaintenable(long hostId);
-    public String getHashKey();
-
+    String getHashKey();
 }
diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
index 1936173b106..3914ee5e036 100644
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@@ -36,6 +36,8 @@ import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
 
+import com.cloud.domain.dao.DomainDao;
+import com.cloud.domain.dao.DomainDaoImpl;
 import com.cloud.host.HostVO;
 import com.cloud.server.ManagementServer;
 import com.cloud.user.Account;
@@ -58,8 +60,8 @@ public class ConsoleProxyServlet extends HttpServlet {
 	private static final int DEFAULT_THUMBNAIL_WIDTH = 144;
 	private static final int DEFAULT_THUMBNAIL_HEIGHT = 110;
 	
-	private final static ManagementServer _ms = (ManagementServer)ComponentLocator.getComponent(ManagementServer.Name);
-	
+	private final static ManagementServer _ms = (ManagementServer)ComponentLocator.getComponent(ManagementServer.Name);
+	
 	@Override
     protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
 		doGet(req, resp);
@@ -359,32 +361,46 @@ public class ConsoleProxyServlet extends HttpServlet {
 	
 	private boolean checkSessionPermision(HttpServletRequest req, long vmId, Account accountObj) {
 
+		if(accountObj.getType() == Account.ACCOUNT_TYPE_ADMIN)
+    		return true;
+
         VMInstanceVO vm = _ms.findVMInstanceById(vmId);
         UserVmVO userVm;
         switch(vm.getType())
         {
         case User :
         	userVm = _ms.findUserVMInstanceById(vmId);
-        	if(userVm.getAccountId() != accountObj.getId() && accountObj.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-        		if(s_logger.isDebugEnabled()) {
-                    s_logger.debug("VM access is denied. VM owner account " + userVm.getAccountId() 
-	        			+ " does not match the account id in session " + accountObj.getId());
-                }
-        		return false;
+        	if(userVm.getAccountId() != accountObj.getId()) {
+        		
+        		// access from another normal user
+        		if(accountObj.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+	        		if(s_logger.isDebugEnabled()) {
+	                    s_logger.debug("VM access is denied. VM owner account " + userVm.getAccountId() 
+		        			+ " does not match the account id in session " + accountObj.getId() + " and caller is a normal user");
+	                }
+	        		return false;
+        		}
+        		
+        		if(accountObj.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
+        			if(!_ms.isChildDomain(accountObj.getDomainId(), userVm.getDomainId())) {
+    	        		if(s_logger.isDebugEnabled()) {
+    	                    s_logger.debug("VM access is denied. VM owner account " + userVm.getAccountId() 
+    		        			+ " does not match the account id in session " + accountObj.getId() + " and the domain-admin caller does not manage the target domain");
+    	                }
+        				return false;
+        			}
+        		}
         	}
         	break;
         	
         case ConsoleProxy :
         case DomainRouter :
         case SecondaryStorageVm:
-        	// only root admin is allowed to access system vm and domR
-        	if(accountObj.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-        		if(s_logger.isDebugEnabled()) {
-                    s_logger.debug("VM access is denied. Accessing restricted VM requires admin privilege");
-                }
-        		return false;
-        	}
-        	break;
+    		return false;
+    		
+    	default :
+    		s_logger.warn("Unrecoginized virtual machine type, deny access by default. type: " + vm.getType());
+    		return false;
         }
         
 		return true;