
Example 1 with ControlledEntity

use of com.cloud.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class AccountManagerImpl method checkAccess.

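/**
 * Verifies that {@code caller} may access every entity in {@code entities}, throwing on the first denial.
 *
 * <p>The checks run in this order:
 * <ol>
 *   <li>If {@code sameOwner} is set, all entities must report the same account id. This runs for every
 *       caller, including system and root admin.</li>
 *   <li>The system account and root admins return here without any further check.</li>
 *   <li>Each entity must be granted by at least one registered {@code SecurityChecker}; the first checker
 *       that returns {@code true} wins.</li>
 *   <li>Each collected domain must exist, must not be removed, and must pass the domain-level check of
 *       every registered checker.</li>
 * </ol>
 *
 * <p>Templates, affinity groups, and networks accessed with {@code AccessType.UseEntry} are left out of the
 * domain-level check in step 4; they are still subject to the per-entity check in step 3.
 *
 * @param caller     account on whose behalf the operation runs
 * @param accessType requested access type, passed to the checkers as-is; callers on this page pass {@code null}
 * @param sameOwner  whether all entities must belong to one account
 * @param apiName    API command name passed to the checkers; may be {@code null}
 * @param entities   entities to authorize; elements are dereferenced without a null check
 * @throws PermissionDeniedException if any of the checks above fails
 */
@Override
public void checkAccess(final Account caller, final AccessType accessType, final boolean sameOwner, final String apiName, final ControlledEntity... entities) {
    // check for the same owner
    if (sameOwner) {
        Long ownerId = null;
        ControlledEntity prevEntity = null;
        for (final ControlledEntity entity : entities) {
            if (ownerId == null) {
                ownerId = entity.getAccountId();
            } else if (ownerId.longValue() != entity.getAccountId()) {
                throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
            }
            prevEntity = entity;
        }
    }

    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
        // no need to make permission checks if the system/root admin makes the call
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
        }
        return;
    }

    // Entities grouped by their effective domain id, for the domain-level check below.
    final HashMap<Long, List<ControlledEntity>> domains = new HashMap<>();
    for (final ControlledEntity entity : entities) {
        long domainId = entity.getDomainId();
        if (entity.getAccountId() != -1 && domainId == -1) {
            // If account exists domainId should too so calculate
            // it. This condition might be hit for templates or entities which miss domainId in their tables
            final Account account = ApiDBUtils.findAccountById(entity.getAccountId());
            domainId = account != null ? account.getDomainId() : -1;
        }

        // for templates, we don't have to do cross domains check
        final boolean skipDomainCheck = entity instanceof VirtualMachineTemplate
                || (entity instanceof Network && accessType == AccessType.UseEntry)
                || entity instanceof AffinityGroup;
        if (entity.getAccountId() != -1 && domainId != -1 && !skipDomainCheck) {
            // Look the bucket up under the same key it is stored under. The original looked up by
            // entity.getDomainId(), which is -1 whenever the id was derived from the account above,
            // so each such entity replaced the bucket and earlier entities dropped out of the
            // details attached to a later PermissionDeniedException.
            List<ControlledEntity> toBeChecked = domains.get(domainId);
            if (toBeChecked == null) {
                toBeChecked = new ArrayList<>();
                domains.put(domainId, toBeChecked);
            }
            toBeChecked.add(entity);
        }

        boolean granted = false;
        for (final SecurityChecker checker : _securityCheckers) {
            if (checker.checkAccess(caller, entity, accessType, apiName)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
                }
                granted = true;
                break;
            }
        }
        if (!granted) {
            // Deny by default. With assertions enabled (-ea) the assert raises AssertionError instead of
            // PermissionDeniedException; the request is rejected either way.
            assert false : "How can all of the security checkers pass on checking this check: " + entity;
            throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
        }
    }

    for (final Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
        // Resolved once per domain rather than once per checker. A non-empty map means at least one
        // checker granted an entity above, so the checker list cannot be empty here.
        final Domain d = _domainMgr.getDomain(domain.getKey());
        if (d == null || d.getRemoved() != null) {
            throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
        }
        for (final SecurityChecker checker : _securityCheckers) {
            try {
                // The boolean result is ignored; a checker denies domain access by throwing.
                checker.checkAccess(caller, d);
            } catch (final PermissionDeniedException e) {
                e.addDetails(caller, domain.getValue());
                throw e;
            }
        }
    }
}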
Also used : VirtualMachineTemplate(com.cloud.template.VirtualMachineTemplate) HashMap(java.util.HashMap) SecurityChecker(com.cloud.acl.SecurityChecker) AffinityGroup(com.cloud.affinity.AffinityGroup) ControlledEntity(com.cloud.acl.ControlledEntity) Network(com.cloud.network.Network) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) ArrayList(java.util.ArrayList) List(java.util.List) Domain(com.cloud.domain.Domain) Map(java.util.Map) HashMap(java.util.HashMap)

Example 2 with ControlledEntity

use of com.cloud.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ManagementServerImpl method archiveEvents.

/**
 * Archives the events selected by {@code cmd}, limited to accounts the caller is permitted to act on.
 *
 * <p>The access check runs before anything is archived, so a denial surfaces as an exception from
 * {@code checkAccess} rather than as a {@code false} return.
 *
 * @param cmd command carrying the event ids, type and date range
 * @return {@code false}, with nothing archived, when ids were given and fewer events matched than
 *         were requested; {@code true} otherwise
 */
@Override
public boolean archiveEvents(final ArchiveEventsCmd cmd) {
    // NOTE(review): the permitted-account list is derived from getCaller(), while the access check
    // below uses CallContext.current().getCallingAccount() - confirm both resolve to the same account.
    final Account caller = getCaller();
    final List<Long> requestedIds = cmd.getIds();
    final List<Long> permittedAccountIds = computePermitedAccounts(caller);
    final List<EventVO> matched = _eventDao.listToArchiveOrDeleteEvents(requestedIds, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);

    // sameOwner is passed as false: the matched events may belong to different accounts.
    final ControlledEntity[] toAuthorize = matched.toArray(new ControlledEntity[matched.size()]);
    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, toAuthorize);

    // All-or-nothing: if any requested id did not come back from the filtered query, archive nothing.
    final boolean someIdsMissing = requestedIds != null && matched.size() < requestedIds.size();
    if (someIdsMissing) {
        return false;
    }
    _eventDao.archiveEvents(matched);
    return true;
}
Also used : Account(com.cloud.user.Account) ControlledEntity(com.cloud.acl.ControlledEntity) EventVO(com.cloud.event.EventVO)

Example 3 with ControlledEntity

use of com.cloud.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ManagementServerImpl method deleteEvents.

/**
 * Deletes the events selected by {@code cmd}, limited to accounts the caller is permitted to act on.
 *
 * <p>The access check runs before anything is removed, so a denial surfaces as an exception from
 * {@code checkAccess} rather than as a {@code false} return.
 *
 * @param cmd command carrying the event ids, type and date range
 * @return {@code false}, with nothing deleted, when ids were given and fewer events matched than
 *         were requested; {@code true} otherwise
 */
@Override
public boolean deleteEvents(final DeleteEventsCmd cmd) {
    // NOTE(review): the permitted-account list is derived from getCaller(), while the access check
    // below uses CallContext.current().getCallingAccount() - confirm both resolve to the same account.
    final Account caller = getCaller();
    final List<Long> requestedIds = cmd.getIds();
    final List<Long> permittedAccountIds = computePermitedAccounts(caller);
    final List<EventVO> matched = _eventDao.listToArchiveOrDeleteEvents(requestedIds, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);

    // sameOwner is passed as false: the matched events may belong to different accounts.
    final ControlledEntity[] toAuthorize = matched.toArray(new ControlledEntity[matched.size()]);
    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, toAuthorize);

    // All-or-nothing: if any requested id did not come back from the filtered query, delete nothing.
    final boolean someIdsMissing = requestedIds != null && matched.size() < requestedIds.size();
    if (someIdsMissing) {
        return false;
    }
    // Events are removed one call at a time.
    for (final EventVO doomed : matched) {
        _eventDao.remove(doomed.getId());
    }
    return true;
}
Also used : Account(com.cloud.user.Account) ControlledEntity(com.cloud.acl.ControlledEntity) EventVO(com.cloud.event.EventVO)

Example 4 with ControlledEntity

use of com.cloud.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ApiDispatcher method doAccessChecks.

/**
 * Runs the account manager's access check for each {@code ControlledEntity} the command touches.
 *
 * <p>Entities of any other type, including {@code InfrastructureEntity}, pass through this method
 * without any access check.
 *
 * @param cmd              command being dispatched; its {@code APICommand} annotation, if present,
 *                         supplies the API name handed to the check
 * @param entitiesToAccess entities mapped to the access type requested for each
 */
private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
    final Account caller = CallContext.current().getCallingAccount();
    final APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
    // apiName stays null for commands that carry no APICommand annotation.
    final String apiName = commandAnnotation == null ? null : commandAnnotation.name();

    if (entitiesToAccess.isEmpty()) {
        return;
    }
    for (final Map.Entry<Object, AccessType> requested : entitiesToAccess.entrySet()) {
        final Object target = requested.getKey();
        if (!(target instanceof ControlledEntity)) {
            // FIXME: Move this code in adapter, remove code from Account manager
            // (InfrastructureEntity and every other non-controlled type is skipped here.)
            continue;
        }
        // Each entity is checked on its own, so sameOwner is false.
        _accountMgr.checkAccess(caller, requested.getValue(), false, apiName, (ControlledEntity) target);
    }
}
Also used : Account(com.cloud.user.Account) ControlledEntity(com.cloud.acl.ControlledEntity) InfrastructureEntity(com.cloud.acl.InfrastructureEntity)

Example 5 with ControlledEntity

use of com.cloud.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ParamProcessWorker method doAccessChecks.

/**
 * Checks that the caller may act on the command's owner account and on each {@code ControlledEntity}
 * the command touches.
 *
 * <p>Entities of any other type, including {@code InfrastructureEntity}, pass through this method
 * without any access check.
 *
 * @param cmd              command being processed; supplies the owner account id
 * @param entitiesToAccess entities mapped to the access type requested for each
 */
private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
    final Account caller = CallContext.current().getCallingAccount();
    // due to deleteAccount design flaw CLOUDSTACK-6588, we should still include those removed account as well to clean up leftover resources from that account
    // NOTE(review): owner is passed on without a null check - confirm getAccount cannot return null here.
    final Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());

    if (cmd instanceof BaseAsyncCreateCmd) {
        // check that caller can access the owner account.
        _accountMgr.checkAccess(caller, null, false, owner);
    }

    if (entitiesToAccess.isEmpty()) {
        return;
    }

    // check that caller can access the owner account.
    // For a BaseAsyncCreateCmd with entities this is the second time the same owner check runs.
    _accountMgr.checkAccess(caller, null, false, owner);
    for (final Map.Entry<Object, AccessType> requested : entitiesToAccess.entrySet()) {
        final Object target = requested.getKey();
        if (!(target instanceof ControlledEntity)) {
            // FIXME: Move this code in adapter, remove code from
            // Account manager
            // (InfrastructureEntity and every other non-controlled type is skipped here.)
            continue;
        }
        // NOTE(review): sameOwner is true but only one entity is passed per call, so a same-owner
        // comparison presumably has nothing to compare against - confirm the intent.
        _accountMgr.checkAccess(caller, requested.getValue(), true, (ControlledEntity) target);
    }
}
Also used : Account(com.cloud.user.Account) ControlledEntity(com.cloud.acl.ControlledEntity) BaseAsyncCreateCmd(com.cloud.api.BaseAsyncCreateCmd) InfrastructureEntity(com.cloud.acl.InfrastructureEntity) HashMap(java.util.HashMap) Map(java.util.Map) AccessType(com.cloud.acl.SecurityChecker.AccessType)

Aggregations

ControlledEntity (com.cloud.acl.ControlledEntity)5 Account (com.cloud.user.Account)4 InfrastructureEntity (com.cloud.acl.InfrastructureEntity)2 EventVO (com.cloud.event.EventVO)2 HashMap (java.util.HashMap)2 Map (java.util.Map)2 SecurityChecker (com.cloud.acl.SecurityChecker)1 AccessType (com.cloud.acl.SecurityChecker.AccessType)1 AffinityGroup (com.cloud.affinity.AffinityGroup)1 BaseAsyncCreateCmd (com.cloud.api.BaseAsyncCreateCmd)1 Domain (com.cloud.domain.Domain)1 PermissionDeniedException (com.cloud.exception.PermissionDeniedException)1 Network (com.cloud.network.Network)1 VirtualMachineTemplate (com.cloud.template.VirtualMachineTemplate)1 ArrayList (java.util.ArrayList)1 List (java.util.List)1