Example 1 with AccessType
use of com.cloud.acl.SecurityChecker.AccessType in project cosmic by MissionCriticalCloud.
the class ParamProcessWorker method processParameters.
public void processParameters(final BaseCmd cmd, final Map params) {
final Map<Object, AccessType> entitiesToAccess = new HashMap<>();
final List<Field> cmdFields = cmd.getParamFields();
for (final Field field : cmdFields) {
final Parameter parameterAnnotation = field.getAnnotation(Parameter.class);
final Object paramObj = params.get(parameterAnnotation.name());
if (paramObj == null) {
if (parameterAnnotation.required()) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to execute API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + " due to missing parameter " + parameterAnnotation.name());
}
continue;
}
// marshall the parameter into the correct type and set the field value
try {
setFieldValue(field, cmd, paramObj, parameterAnnotation);
} catch (final IllegalArgumentException argEx) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Unable to execute API command " + cmd.getCommandName() + " due to invalid value " + paramObj + " for parameter " + parameterAnnotation.name());
}
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to execute API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + " due to invalid value " + paramObj + " for parameter " + parameterAnnotation.name());
} catch (final ParseException parseEx) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Invalid date parameter " + paramObj + " passed to command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8));
}
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to parse date " + paramObj + " for command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + ", please pass dates in the format mentioned in the api documentation");
} catch (final InvalidParameterValueException invEx) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to execute API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8) + " due to invalid value. " + invEx.getMessage());
} catch (final CloudRuntimeException cloudEx) {
s_logger.error("CloudRuntimeException", cloudEx);
// and IllegalAccessException setting one of the parameters.
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Internal error executing API command " + cmd.getCommandName().substring(0, cmd.getCommandName().length() - 8));
}
// check access on the resource this field points to
try {
final ACL checkAccess = field.getAnnotation(ACL.class);
final CommandType fieldType = parameterAnnotation.type();
if (checkAccess != null) {
if (parameterAnnotation.entityType() != null && parameterAnnotation.entityType().length > 0 && parameterAnnotation.entityType()[0].getAnnotation(EntityReference.class) != null) {
final Class<?>[] entityList = parameterAnnotation.entityType()[0].getAnnotation(EntityReference.class).value();
// Id or list of id's/name's
switch(fieldType) {
case LIST:
final CommandType listType = parameterAnnotation.collectionType();
switch(listType) {
case LONG:
case UUID:
final List<Long> listParam = (List<Long>) field.get(cmd);
for (final Long entityId : listParam) {
for (final Class entity : entityList) {
final Object entityObj = _entityMgr.findById(entity, entityId);
if (entityObj != null) {
entitiesToAccess.put(entityObj, checkAccess.accessType());
break;
}
}
}
break;
/*
* case STRING: List<String> listParam = new
* ArrayList<String>(); listParam =
* (List)field.get(cmd); for(String entityName:
* listParam){ ControlledEntity entityObj =
* (ControlledEntity )daoClassInstance(entityId);
* entitiesToAccess.add(entityObj); } break;
*/
default:
break;
}
break;
case LONG:
case UUID:
for (final Class entity : entityList) {
final Object entityObj = _entityMgr.findById(entity, (Long) field.get(cmd));
if (entityObj != null) {
entitiesToAccess.put(entityObj, checkAccess.accessType());
break;
}
}
break;
default:
break;
}
}
}
} catch (final IllegalArgumentException e) {
s_logger.error("Error initializing command " + cmd.getCommandName() + ", field " + field.getName() + " is not accessible.");
throw new CloudRuntimeException("Internal error initializing parameters for command " + cmd.getCommandName() + " [field " + field.getName() + " is not accessible]");
} catch (final IllegalAccessException e) {
s_logger.error("Error initializing command " + cmd.getCommandName() + ", field " + field.getName() + " is not accessible.");
throw new CloudRuntimeException("Internal error initializing parameters for command " + cmd.getCommandName() + " [field " + field.getName() + " is not accessible]");
}
}
doAccessChecks(cmd, entitiesToAccess);
}
Also used :
HashMap(java.util.HashMap)
ACL(com.cloud.api.ACL)
Field(java.lang.reflect.Field)
ServerApiException(com.cloud.api.ServerApiException)
InvalidParameterValueException(com.cloud.utils.exception.InvalidParameterValueException)
CommandType(com.cloud.api.BaseCmd.CommandType)
CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException)
EntityReference(com.cloud.api.EntityReference)
Parameter(com.cloud.api.Parameter)
ArrayList(java.util.ArrayList)
List(java.util.List)
ParseException(java.text.ParseException)
AccessType(com.cloud.acl.SecurityChecker.AccessType)
Example 2 with AccessType
use of com.cloud.acl.SecurityChecker.AccessType in project cosmic by MissionCriticalCloud.
the class ParamProcessWorker method doAccessChecks.
private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
final Account caller = CallContext.current().getCallingAccount();
// due to deleteAccount design flaw CLOUDSTACK-6588, we should still include those removed account as well to clean up leftover resources from that account
final Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
if (cmd instanceof BaseAsyncCreateCmd) {
// check that caller can access the owner account.
_accountMgr.checkAccess(caller, null, false, owner);
}
if (!entitiesToAccess.isEmpty()) {
// check that caller can access the owner account.
_accountMgr.checkAccess(caller, null, false, owner);
for (final Map.Entry<Object, AccessType> entry : entitiesToAccess.entrySet()) {
final Object entity = entry.getKey();
if (entity instanceof ControlledEntity) {
_accountMgr.checkAccess(caller, entry.getValue(), true, (ControlledEntity) entity);
} else if (entity instanceof InfrastructureEntity) {
// FIXME: Move this code in adapter, remove code from
// Account manager
}
}
}
}
Also used :
Account(com.cloud.user.Account)
ControlledEntity(com.cloud.acl.ControlledEntity)
BaseAsyncCreateCmd(com.cloud.api.BaseAsyncCreateCmd)
InfrastructureEntity(com.cloud.acl.InfrastructureEntity)
HashMap(java.util.HashMap)
Map(java.util.Map)
AccessType(com.cloud.acl.SecurityChecker.AccessType)
Aggregations
AccessType (com.cloud.acl.SecurityChecker.AccessType)2
HashMap (java.util.HashMap)2
ControlledEntity (com.cloud.acl.ControlledEntity)1
InfrastructureEntity (com.cloud.acl.InfrastructureEntity)1
ACL (com.cloud.api.ACL)1
BaseAsyncCreateCmd (com.cloud.api.BaseAsyncCreateCmd)1
CommandType (com.cloud.api.BaseCmd.CommandType)1
EntityReference (com.cloud.api.EntityReference)1
Parameter (com.cloud.api.Parameter)1
ServerApiException (com.cloud.api.ServerApiException)1
Account (com.cloud.user.Account)1
CloudRuntimeException (com.cloud.utils.exception.CloudRuntimeException)1
InvalidParameterValueException (com.cloud.utils.exception.InvalidParameterValueException)1
Field (java.lang.reflect.Field)1
ParseException (java.text.ParseException)1
ArrayList (java.util.ArrayList)1
List (java.util.List)1
Map (java.util.Map)1
