
Example 1 with APIChecker

Use of com.cloud.acl.APIChecker in project cosmic by MissionCriticalCloud.

Class ApiDiscoveryServiceImpl, method listApis.

@Override
public ListResponse<? extends BaseResponse> listApis(final User user, final String name) {
    final ListResponse<ApiDiscoveryResponse> response = new ListResponse<>();
    final List<ApiDiscoveryResponse> responseList = new ArrayList<>();
    if (user == null) {
        return null;
    }
    if (name != null) {
        if (!s_apiNameDiscoveryResponseMap.containsKey(name)) {
            return null;
        }
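        // Every registered checker must accept the call; the first one that throws hides the API from this user
        for (final APIChecker apiChecker : _apiAccessCheckers) {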
            try {
                apiChecker.checkAccess(user, name);
            } catch (final Exception ex) {
                s_logger.debug("API discovery access check failed for " + name + " with " + ex.getMessage());
                return null;
            }
        }
        responseList.add(s_apiNameDiscoveryResponseMap.get(name));
    } else {
        for (final String apiName : s_apiNameDiscoveryResponseMap.keySet()) {
            boolean isAllowed = true;
            for (final APIChecker apiChecker : _apiAccessCheckers) {
                try {
                    apiChecker.checkAccess(user, apiName);
                } catch (final Exception ex) {
                    // A rejection from any checker excludes this API from the listing
                    isAllowed = false;
                }
            }
            if (isAllowed) {
                responseList.add(s_apiNameDiscoveryResponseMap.get(apiName));
            }
        }
    }
    response.setResponses(responseList);
    return response;
}
Also used: ListResponse (com.cloud.api.response.ListResponse), ArrayList (java.util.ArrayList), ApiDiscoveryResponse (com.cloud.api.response.ApiDiscoveryResponse), APIChecker (com.cloud.acl.APIChecker)

Example 2 with APIChecker

Use of com.cloud.acl.APIChecker in project cosmic by MissionCriticalCloud.

Class ApiServer, method checkCommandAvailable.

private void checkCommandAvailable(final User user, final String commandName, final String remoteAddress) throws PermissionDeniedException {
    if (user == null) {
        throw new PermissionDeniedException("User is null for role based API access check for command " + commandName);
    }
    // Get the CIDRs from where this account is allowed to make calls
    final Account account = _accountMgr.getAccount(user.getAccountId());
    final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s", "");
    final Boolean ApiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value();
    if (ApiSourceCidrChecksEnabled) {
        s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs);
        InetAddress hostName = null;
        try {
            hostName = InetAddress.getByName(remoteAddress);
        } catch (final UnknownHostException e) {
            s_logger.warn("UnknownHostException when trying to lookup ip-address. Something is seriously wrong here. Blocking access.", e);
        }
        // Block when the address is not in the list of allowed IPs, or when the hostname is unknown (did not resolve to an IP address)
        if (hostName == null || !NetUtils.isIpInCidrList(hostName, accessAllowedCidrs.split(","))) {
            s_logger.warn("Request by account '" + account.toString() + "' was denied since " + remoteAddress + " does not match " + accessAllowedCidrs);
            throw new PermissionDeniedException("Calls for domain '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.replaceAll("/", "") + "'.");
        }
    }
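    // An exception thrown by any checker propagates to the caller, so a single rejection denies the command
    for (final APIChecker apiChecker : _apiAccessCheckers) {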
        apiChecker.checkAccess(user, commandName);
    }
}
Also used: UserAccount (com.cloud.user.UserAccount), Account (com.cloud.user.Account), UnknownHostException (java.net.UnknownHostException), PermissionDeniedException (com.cloud.exception.PermissionDeniedException), InetAddress (java.net.InetAddress), APIChecker (com.cloud.acl.APIChecker)

Aggregations

APIChecker (com.cloud.acl.APIChecker): 2
ApiDiscoveryResponse (com.cloud.api.response.ApiDiscoveryResponse): 1
ListResponse (com.cloud.api.response.ListResponse): 1
PermissionDeniedException (com.cloud.exception.PermissionDeniedException): 1
Account (com.cloud.user.Account): 1
UserAccount (com.cloud.user.UserAccount): 1
InetAddress (java.net.InetAddress): 1
UnknownHostException (java.net.UnknownHostException): 1
ArrayList (java.util.ArrayList): 1