
Example 1 with AccessType

use of com.cloud.acl.SecurityChecker.AccessType in project cosmic by MissionCriticalCloud.

the class ParamProcessWorker method processParameters.

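/**
 * Binds request parameters onto the command's annotated fields and queues access checks.
 *
 * <p>For every field returned by {@code cmd.getParamFields()} the value is looked up in
 * {@code params} under the {@code @Parameter} name. A missing required value is rejected,
 * a present value is converted and stored through {@code setFieldValue}. If the field also
 * carries {@code @ACL}, the entity it refers to is loaded and recorded together with the
 * requested {@link AccessType}. After all fields are processed the collected entities are
 * handed to {@code doAccessChecks}.
 *
 * <p>Authorization coverage as visible in this method (review notes):
 * <ul>
 *   <li>Only {@code entityType()[0]} of the {@code @Parameter} annotation is consulted.</li>
 *   <li>Only LONG/UUID fields and LIST fields of LONG/UUID are resolved; a LIST of STRING
 *       names carrying {@code @ACL} queues no check here.</li>
 *   <li>An id that resolves to no entity in any listed class queues no check. Rejecting
 *       unknown ids is therefore left to later code - TODO confirm it happens.</li>
 * </ul>
 *
 * @param cmd    the API command whose fields are populated
 * @param params the request parameters, keyed by parameter name
 * @throws ServerApiException     with {@code PARAM_ERROR} for a missing required parameter,
 *                                an invalid value or an unparseable date, and with
 *                                {@code INTERNAL_ERROR} when {@code setFieldValue} raises a
 *                                {@code CloudRuntimeException}
 * @throws CloudRuntimeException  when an {@code @ACL} field cannot be read reflectively
 */
public void processParameters(final BaseCmd cmd, final Map params) {
    final Map<Object, AccessType> entitiesToAccess = new HashMap<>();
    final List<Field> cmdFields = cmd.getParamFields();
    for (final Field field : cmdFields) {
        final Parameter parameterAnnotation = field.getAnnotation(Parameter.class);
        final Object paramObj = params.get(parameterAnnotation.name());
        if (paramObj == null) {
            if (parameterAnnotation.required()) {
                // The name shown to the client is the command name minus its last 8 characters
                // (presumably a fixed suffix - confirm against getCommandName()).
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to execute API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + " due to missing parameter " + parameterAnnotation.name());
            }
            continue;
        }
        // Convert the raw value to the field's declared type and store it on the command.
        // NOTE(review): the handlers below copy the caller-supplied value (paramObj) verbatim
        // into the debug log and into the error text returned to the client; confirm that the
        // log layout and the response serializer neutralise control characters and markup.
        try {
            setFieldValue(field, cmd, paramObj, parameterAnnotation);
        } catch (final IllegalArgumentException argEx) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Unable to execute API command " + cmd.getCommandName() + " due to invalid value " + paramObj + " for parameter " + parameterAnnotation.name());
            }
            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to execute API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + " due to invalid value " + paramObj + " for parameter " + parameterAnnotation.name());
        } catch (final ParseException parseEx) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Invalid date parameter " + paramObj + " passed to command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8));
            }
            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to parse date " + paramObj + " for command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + ", please pass dates in the format mentioned in the api documentation");
        } catch (final InvalidParameterValueException invEx) {
            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to execute API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + " due to invalid value. " + invEx.getMessage());
        } catch (final CloudRuntimeException cloudEx) {
            // Internal failure while setting the field: the details go to the server log only,
            // the client receives a generic INTERNAL_ERROR.
            s_logger.error("CloudRuntimeException", cloudEx);
            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Internal error executing API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8));
        }
        // Queue an access check for the resource this field points to (only for @ACL fields).
        try {
            final ACL checkAccess = field.getAnnotation(ACL.class);
            final CommandType fieldType = parameterAnnotation.type();
            if (checkAccess != null) {
                if (parameterAnnotation.entityType() != null && parameterAnnotation.entityType().length > 0 && parameterAnnotation.entityType()[0].getAnnotation(EntityReference.class) != null) {
                    final Class<?>[] entityList = parameterAnnotation.entityType()[0].getAnnotation(EntityReference.class).value();
                    // The field holds either a single id or a list of ids.
                    switch(fieldType) {
                        case LIST:
                            final CommandType listType = parameterAnnotation.collectionType();
                            switch(listType) {
                                case LONG:
                                case UUID:
                                    final List<Long> listParam = (List<Long>) field.get(cmd);
                                    for (final Long entityId : listParam) {
                                        // The first entity class that resolves the id wins; an id
                                        // that resolves nowhere contributes no access check.
                                        for (final Class entity : entityList) {
                                            final Object entityObj = _entityMgr.findById(entity, entityId);
                                            if (entityObj != null) {
                                                entitiesToAccess.put(entityObj, checkAccess.accessType());
                                                break;
                                            }
                                        }
                                    }
                                    break;
                                // A LIST of STRING names is not resolved, so no access check is
                                // queued for it here (an earlier attempt was never enabled).
                                default:
                                    break;
                            }
                            break;
                        case LONG:
                        case UUID:
                            // Same first-match rule as for lists, applied to a single id.
                            for (final Class entity : entityList) {
                                final Object entityObj = _entityMgr.findById(entity, (Long) field.get(cmd));
                                if (entityObj != null) {
                                    entitiesToAccess.put(entityObj, checkAccess.accessType());
                                    break;
                                }
                            }
                            break;
                        default:
                            break;
                    }
                }
            }
        } catch (final IllegalArgumentException | IllegalAccessException e) {
            // Both reflective failures were handled identically; the exception is now passed to
            // the logger so the stack trace of the failed field read is not lost.
            s_logger.error("Error initializing command " + cmd.getCommandName() + ", field " + field.getName() + " is not accessible.", e);
            throw new CloudRuntimeException("Internal error initializing parameters for command " + cmd.getCommandName() + " [field " + field.getName() + " is not accessible]");
        }
    }
    doAccessChecks(cmd, entitiesToAccess);
}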
Also used : HashMap(java.util.HashMap) ACL(com.cloud.api.ACL) Field(java.lang.reflect.Field) ServerApiException(com.cloud.api.ServerApiException) InvalidParameterValueException(com.cloud.utils.exception.InvalidParameterValueException) CommandType(com.cloud.api.BaseCmd.CommandType) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) EntityReference(com.cloud.api.EntityReference) Parameter(com.cloud.api.Parameter) ArrayList(java.util.ArrayList) List(java.util.List) ParseException(java.text.ParseException) AccessType(com.cloud.acl.SecurityChecker.AccessType)

Example 2 with AccessType

use of com.cloud.acl.SecurityChecker.AccessType in project cosmic by MissionCriticalCloud.

the class ParamProcessWorker method doAccessChecks.

/**
 * Runs the account-level and per-entity access checks for a command.
 *
 * <p>The calling account is checked against the command's owner account when the command is a
 * {@code BaseAsyncCreateCmd}, and again when at least one entity was collected (so the owner
 * check runs twice when both hold). Each collected {@code ControlledEntity} is then checked
 * with the access type recorded for it.
 *
 * <p>Review note: entities that are not a {@code ControlledEntity} - including
 * {@code InfrastructureEntity} - receive no check in this method. Whether they are authorized
 * elsewhere cannot be told from here; confirm before relying on this method as the only gate.
 *
 * @param cmd              the command being authorized; supplies the owner account id
 * @param entitiesToAccess resolved entities mapped to the access type requested on them
 */
private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
    final Account caller = CallContext.current().getCallingAccount();
    // Original author's note: because of the deleteAccount design flaw (CLOUDSTACK-6588),
    // removed accounts should still be included here so their leftover resources can be
    // cleaned up.
    final Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());

    if (cmd instanceof BaseAsyncCreateCmd) {
        // The caller must be allowed to act on the owner account.
        _accountMgr.checkAccess(caller, null, false, owner);
    }

    if (entitiesToAccess.isEmpty()) {
        return;
    }

    // The caller must be allowed to act on the owner account.
    _accountMgr.checkAccess(caller, null, false, owner);

    for (final Map.Entry<Object, AccessType> requested : entitiesToAccess.entrySet()) {
        final Object target = requested.getKey();
        if (!(target instanceof ControlledEntity)) {
            // FIXME: InfrastructureEntity is not checked here; the original note asks to move
            // this code into an adapter and remove it from the account manager.
            continue;
        }
        _accountMgr.checkAccess(caller, requested.getValue(), true, (ControlledEntity) target);
    }
}
Also used : Account(com.cloud.user.Account) ControlledEntity(com.cloud.acl.ControlledEntity) BaseAsyncCreateCmd(com.cloud.api.BaseAsyncCreateCmd) InfrastructureEntity(com.cloud.acl.InfrastructureEntity) HashMap(java.util.HashMap) Map(java.util.Map) AccessType(com.cloud.acl.SecurityChecker.AccessType)

Aggregations

AccessType (com.cloud.acl.SecurityChecker.AccessType)2 HashMap (java.util.HashMap)2 ControlledEntity (com.cloud.acl.ControlledEntity)1 InfrastructureEntity (com.cloud.acl.InfrastructureEntity)1 ACL (com.cloud.api.ACL)1 BaseAsyncCreateCmd (com.cloud.api.BaseAsyncCreateCmd)1 CommandType (com.cloud.api.BaseCmd.CommandType)1 EntityReference (com.cloud.api.EntityReference)1 Parameter (com.cloud.api.Parameter)1 ServerApiException (com.cloud.api.ServerApiException)1 Account (com.cloud.user.Account)1 CloudRuntimeException (com.cloud.utils.exception.CloudRuntimeException)1 InvalidParameterValueException (com.cloud.utils.exception.InvalidParameterValueException)1 Field (java.lang.reflect.Field)1 ParseException (java.text.ParseException)1 ArrayList (java.util.ArrayList)1 List (java.util.List)1 Map (java.util.Map)1