use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class QuotaServiceImpl method findQuotaBalanceVO.
/**
 * Returns quota balance records for an account, either as of one day or across a date range.
 *
 * <p>When {@code accountId} is null and both {@code accountName} and {@code domainId} are given,
 * the account is resolved by name inside that domain. That lookup only runs after
 * {@code _domainDao.isChildDomain(callerDomainId, domainId)} accepts the requested domain;
 * otherwise a {@link PermissionDeniedException} is thrown.
 *
 * <p>NOTE(review): a non-null {@code accountId} skips the domain check and is handed to the DAO
 * unchanged. Nothing in this method ties that id to the calling account, so the ownership check is
 * presumably done by the API layer that calls this method. Confirm this, because without it the
 * balances of unrelated accounts would be readable.
 *
 * <p>NOTE(review): if {@code accountId} is null and only one of {@code accountName} or
 * {@code domainId} is given, no resolution happens and a null account id reaches the DAO.
 *
 * @param accountId   id of the account to query; may be null when name and domain are supplied
 * @param accountName account name used for resolution when {@code accountId} is null
 * @param domainId    domain used for resolution and passed through to the DAO queries
 * @param startDate   start of the period; defaults to the current time when null
 * @param endDate     end of the period; when null only the latest records up to the start day are returned
 * @return the matching records, possibly empty
 * @throws PermissionDeniedException      if the requested domain fails the child-domain check
 * @throws InvalidParameterValueException if the account cannot be found or the date range is invalid
 */
@Override
public List<QuotaBalanceVO> findQuotaBalanceVO(Long accountId, String accountName, Long domainId, Date startDate, Date endDate) {
    Long targetAccountId = accountId;
    final boolean resolveByName = accountId == null && accountName != null && domainId != null;
    if (resolveByName) {
        final Account caller = CallContext.current().getCallingAccount();
        // Authorization gate: refuse the lookup before touching the account table.
        if (!_domainDao.isChildDomain(caller.getDomainId(), domainId)) {
            throw new PermissionDeniedException("Invalid Domain Id or Account");
        }
        final Filter accountFilter = new Filter(AccountVO.class, "id", Boolean.FALSE, null, null);
        final List<AccountVO> candidates = _accountDao.listAccounts(accountName, domainId, accountFilter);
        final Account resolved = candidates.isEmpty() ? null : candidates.get(0);
        if (resolved == null) {
            throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId);
        }
        targetAccountId = resolved.getId();
    }

    final Date effectiveStart = (startDate != null) ? startDate : new Date();

    if (endDate == null) {
        // Without an end date the start is moved to the start of the next day before the lookup.
        final Date cutoff = computeAdjustedTime(_respBldr.startOfNextDay(effectiveStart));
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("getQuotaBalance1: Getting quota balance records for account: " + targetAccountId + ", domainId: " + domainId + ", on or before " + cutoff);
        }
        final List<QuotaBalanceVO> latest = _quotaBalanceDao.lastQuotaBalanceVO(targetAccountId, domainId, cutoff);
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Found records size=" + latest.size());
        }
        if (latest.isEmpty()) {
            s_logger.info("Incorrect Date there are no quota records before this date " + cutoff);
        }
        return latest;
    }

    final Date rangeStart = computeAdjustedTime(effectiveStart);
    if (endDate.after(_respBldr.startOfNextDay())) {
        throw new InvalidParameterValueException("Incorrect Date Range. End date:" + endDate + " should not be in future. ");
    }
    if (!effectiveStart.before(endDate)) {
        throw new InvalidParameterValueException("Incorrect Date Range. Start date: " + effectiveStart + " is after end date:" + endDate);
    }

    final Date rangeEnd = computeAdjustedTime(endDate);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("getQuotaBalance2: Getting quota balance records for account: " + targetAccountId + ", domainId: " + domainId + ", between " + rangeStart + " and " + rangeEnd);
    }
    final List<QuotaBalanceVO> inRange = _quotaBalanceDao.findQuotaBalance(targetAccountId, domainId, rangeStart, rangeEnd);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("getQuotaBalance3: Found records size=" + inRange.size());
    }
    if (inRange.isEmpty()) {
        // The message reports the caller-supplied end date, not the adjusted one used in the query.
        s_logger.info("There are no quota records between these dates start date " + rangeStart + " and end date:" + endDate);
    }
    return inRange;
}
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class QueryManagerImpl method searchForDiskOfferingsInternal.
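/**
 * Lists the disk offerings the calling account is allowed to see.
 *
 * <p>Visibility rules implemented here:
 * <ul>
 *   <li>With an explicit {@code domainId}: the caller must be root admin or pass
 *       {@code isPermissible(callerDomainId, domainId)}, otherwise a
 *       {@link PermissionDeniedException} is thrown. Offerings of exactly that domain are
 *       returned, restricted to {@code displayOffering = 1} for non-root callers.</li>
 *   <li>Without {@code domainId}, for normal users, domain admins and resource domain admins:
 *       either the caller's domain plus all sub-domains ({@code isrecursive=true}, admins only)
 *       or the caller's domain plus every ancestor up to root, together with public offerings.</li>
 *   <li>Other callers get no domain restriction in this method.</li>
 * </ul>
 *
 * <p>NOTE(review): the explicit-domain path returns before the keyword/id/name filters are
 * applied and does not add the {@code systemUse = false} restriction. Likewise the recursive
 * branch does not add {@code systemUse = false}, although the ancestor branch states that
 * non-root users should not see system offerings at all. Confirm whether both gaps are intended.
 *
 * @param cmd the list command carrying paging, domain, keyword, id and name parameters
 * @return the matching offerings and the total count
 * @throws PermissionDeniedException      if the caller is outside the requested domain's hierarchy
 * @throws InvalidParameterValueException if a normal user asks for a recursive listing
 * @throws CloudAuthenticationException   if the caller's domain or one of its ancestors cannot be loaded
 */
private Pair<List<DiskOfferingJoinVO>, Integer> searchForDiskOfferingsInternal(ListDiskOfferingsCmd cmd) {
    // Boolean.parseBoolean never yields null: a missing or non-"true" setting sorts descending.
    // The former null check on the parsed value was dead code and has been dropped.
    boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
    Filter searchFilter = new Filter(DiskOfferingJoinVO.class, "sortKey", isAscending, cmd.getStartIndex(), cmd.getPageSizeVal());
    SearchCriteria<DiskOfferingJoinVO> sc = _diskOfferingJoinDao.createSearchCriteria();
    sc.addAnd("type", Op.EQ, DiskOfferingVO.Type.Disk);

    Account account = CallContext.current().getCallingAccount();
    Object name = cmd.getDiskOfferingName();
    Object id = cmd.getId();
    Object keyword = cmd.getKeyword();
    Long domainId = cmd.getDomainId();
    Boolean isRootAdmin = _accountMgr.isRootAdmin(account.getAccountId());
    // An absent isrecursive flag is treated as "not recursive" instead of failing on unboxing.
    boolean isRecursive = Boolean.TRUE.equals(cmd.isRecursive());

    // Offerings associated with an explicitly requested domain.
    if (domainId != null) {
        // Allowed when the caller is root admin, or when the caller's domain equals the
        // offering's domain or is a child of it (as decided by isPermissible).
        if (!(_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId))) {
            throw new PermissionDeniedException("The account:" + account.getAccountName() + " does not fall in the same domain hierarchy as the disk offering");
        }
        sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
        if (!isRootAdmin) {
            sc.addAnd("displayOffering", SearchCriteria.Op.EQ, 1);
        }
        return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
    }

    boolean restrictedCaller = _accountMgr.isNormalUser(account.getId())
            || _accountMgr.isDomainAdmin(account.getId())
            || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN;
    if (restrictedCaller) {
        if (isRecursive && account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
            throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list disk offerings with isrecursive=true");
        }

        // Both branches need the caller's domain; fail closed when it cannot be loaded
        // (the recursive branch previously dereferenced the lookup result unchecked).
        DomainVO domainRecord = _domainDao.findById(account.getDomainId());
        if (domainRecord == null) {
            s_logger.error("Could not find the domainId for account:" + account.getAccountName());
            throw new CloudAuthenticationException("Could not find the domainId for account:" + account.getAccountName());
        }

        if (isRecursive) {
            // Caller's domain plus all sub-domains, matched by path prefix.
            sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domainRecord.getPath() + "%");
        } else {
            // Caller's domain plus every ancestor up to the root domain.
            List<Long> domainIds = new ArrayList<Long>();
            domainIds.add(domainRecord.getId());
            while (domainRecord.getParent() != null) {
                DomainVO parentRecord = _domainDao.findById(domainRecord.getParent());
                if (parentRecord == null) {
                    // A dangling parent reference would otherwise surface as a NullPointerException.
                    s_logger.error("Could not find the parent domain for account:" + account.getAccountName());
                    throw new CloudAuthenticationException("Could not find the parent domain for account:" + account.getAccountName());
                }
                domainRecord = parentRecord;
                domainIds.add(domainRecord.getId());
            }
            SearchCriteria<DiskOfferingJoinVO> spc = _diskOfferingJoinDao.createSearchCriteria();
            spc.addOr("domainId", SearchCriteria.Op.IN, domainIds.toArray());
            // Public offerings carry no domain id and are included as well.
            spc.addOr("domainId", SearchCriteria.Op.NULL);
            sc.addAnd("domainId", SearchCriteria.Op.SC, spc);
            // Non-root users should not see system offerings at all.
            sc.addAnd("systemUse", SearchCriteria.Op.EQ, false);
        }
    }

    if (keyword != null) {
        // NOTE(review): LIKE metacharacters inside keyword are not escaped; the value is
        // presumably bound as a query parameter by SearchCriteria, so verify against the DAO layer.
        SearchCriteria<DiskOfferingJoinVO> ssc = _diskOfferingJoinDao.createSearchCriteria();
        ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
        ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
        sc.addAnd("name", SearchCriteria.Op.SC, ssc);
    }
    if (id != null) {
        sc.addAnd("id", SearchCriteria.Op.EQ, id);
    }
    if (name != null) {
        sc.addAnd("name", SearchCriteria.Op.EQ, name);
    }
    return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
}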
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class QueryManagerImpl method listProjectAccountsInternal.
/**
 * Lists the accounts attached to a project, optionally narrowed by account name and role.
 *
 * <p>Access rule: the caller must either satisfy {@code _accountMgr.isAdmin(...)} or have a
 * project-account row for the requested project; anything else raises
 * {@link PermissionDeniedException}.
 *
 * <p>NOTE(review): the admin shortcut is not scoped to the project's domain in this method.
 * Whether {@code isAdmin} also covers domain admins from unrelated domains cannot be told from
 * here. Confirm against the account manager.
 *
 * <p>NOTE(review): the denial message concatenates the {@code caller} object itself, so what it
 * discloses depends on that object's {@code toString()}.
 *
 * @param cmd the list command carrying project id, account name, role and paging values
 * @return the matching project-account rows and the total count
 * @throws InvalidParameterValueException if the project does not exist
 * @throws PermissionDeniedException      if the caller is neither admin nor a member of the project
 */
public Pair<List<ProjectAccountJoinVO>, Integer> listProjectAccountsInternal(ListProjectAccountsCmd cmd) {
    final long projectId = cmd.getProjectId();
    final String accountNameFilter = cmd.getAccountName();
    final String roleFilter = cmd.getRole();
    final Long offset = cmd.getStartIndex();
    final Long pageSize = cmd.getPageSizeVal();

    final Account caller = CallContext.current().getCallingAccount();

    // The project must exist before any authorization decision is made about it.
    final Project project = _projectDao.findById(projectId);
    if (project == null) {
        throw new InvalidParameterValueException("Unable to find the project id=" + projectId);
    }

    // Non-admin callers must be attached to the project; the membership lookup only runs
    // when the admin check fails.
    final boolean callerIsAdmin = _accountMgr.isAdmin(caller.getId());
    if (!callerIsAdmin && _projectAccountDao.findByProjectIdAccountId(projectId, caller.getAccountId()) == null) {
        throw new PermissionDeniedException("Account " + caller + " is not authorized to list users of the project id=" + projectId);
    }

    final Filter paging = new Filter(ProjectAccountJoinVO.class, "id", false, offset, pageSize);
    final boolean filterByAccountName = accountNameFilter != null;

    final SearchBuilder<ProjectAccountJoinVO> builder = _projectAccountJoinDao.createSearchBuilder();
    builder.and("accountRole", builder.entity().getAccountRole(), Op.EQ);
    builder.and("projectId", builder.entity().getProjectId(), Op.EQ);
    if (filterByAccountName) {
        builder.and("accountName", builder.entity().getAccountName(), Op.EQ);
    }

    final SearchCriteria<ProjectAccountJoinVO> criteria = builder.create();
    criteria.setParameters("projectId", projectId);
    if (roleFilter != null) {
        criteria.setParameters("accountRole", roleFilter);
    }
    if (filterByAccountName) {
        criteria.setParameters("accountName", accountNameFilter);
    }
    return _projectAccountJoinDao.searchAndCount(criteria, paging);
}
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class RoleManagerImpl method checkCallerAccess.
/**
 * Guards role-management operations: returns normally only for a caller whose role is of type
 * {@code RoleType.Admin}, and throws in every other case.
 *
 * <p>The checks run in a fixed order and each one fails closed:
 * <ol>
 *   <li>{@code isEnabled()} must be true, otherwise the operation is aborted;</li>
 *   <li>a calling account with a non-null role id must be present;</li>
 *   <li>{@code findRole} must return a role, and its type must be {@code RoleType.Admin}.</li>
 * </ol>
 *
 * @throws PermissionDeniedException if any of the three checks fails
 */
private void checkCallerAccess() {
    if (!isEnabled()) {
        throw new PermissionDeniedException("Dynamic api checker is not enabled, aborting role operation");
    }

    final Account callingAccount = CallContext.current().getCallingAccount();
    final boolean hasRoleId = callingAccount != null && callingAccount.getRoleId() != null;
    if (!hasRoleId) {
        throw new PermissionDeniedException("Restricted API called by an invalid user account");
    }

    // A role id that no longer resolves is treated the same as a non-admin role.
    final Role resolvedRole = findRole(callingAccount.getRoleId());
    final boolean isAdminRole = resolvedRole != null && resolvedRole.getRoleType() == RoleType.Admin;
    if (!isAdminRole) {
        throw new PermissionDeniedException("Restricted API called by an user account of non-Admin role type");
    }
}
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class AffinityGroupServiceImpl method createAffinityGroup.
/**
 * Creates an affinity group of the given type, owned either by an account or, for
 * domain-level groups, by the SYSTEM account.
 *
 * <p>Authorization steps visible in this method:
 * <ul>
 *   <li>types whose processor reports {@code isAdminControlledGroup()} may only be created by a
 *       caller for whom {@code _accountMgr.isRootAdmin(...)} is true;</li>
 *   <li>a domain-level request (domain id given, no project and no account name) goes through
 *       {@code verifyAccessToDomainWideProcessor} and {@code _accountMgr.checkAccess(caller, domain)};</li>
 *   <li>every other request delegates owner resolution to {@code _accountMgr.finalizeOwner}.</li>
 * </ul>
 *
 * @param accountName       owner account name, or null
 * @param projectId         owning project id, or null
 * @param domainId          domain id, or null
 * @param affinityGroupName name of the new group
 * @param affinityGroupType key of the processor to use; must be a configured type
 * @param description       free-text description
 * @return the created affinity group
 * @throws InvalidParameterValueException if no types are configured or the type is unknown
 * @throws PermissionDeniedException      if a non-root caller requests an admin-controlled type
 */
@DB
@Override
public AffinityGroup createAffinityGroup(final String accountName, final Long projectId, final Long domainId, final String affinityGroupName, final String affinityGroupType, final String description) {
    // Resolve the processor first: an unknown type is rejected before any access decision.
    final Map<String, AffinityGroupProcessor> processorsByType = getAffinityTypeToProcessorMap();
    if (processorsByType == null || processorsByType.isEmpty()) {
        throw new InvalidParameterValueException("Unable to create affinity group, no Affinity Group Types configured");
    }
    final AffinityGroupProcessor processor = processorsByType.get(affinityGroupType);
    if (processor == null) {
        throw new InvalidParameterValueException("Unable to create affinity group, invalid affinity group type" + affinityGroupType);
    }

    final Account caller = CallContext.current().getCallingAccount();
    // The root-admin lookup only runs for admin-controlled types.
    if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) {
        throw new PermissionDeniedException("Cannot create the affinity group");
    }

    final boolean domainLevel = projectId == null && domainId != null && accountName == null;
    final Account owner;
    final ControlledEntity.ACLType aclType;
    if (domainLevel) {
        verifyAccessToDomainWideProcessor(caller, processor);
        final DomainVO targetDomain = getDomain(domainId);
        _accountMgr.checkAccess(caller, targetDomain);
        // Domain-level groups are owned by the SYSTEM account.
        owner = _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM);
        aclType = ControlledEntity.ACLType.Domain;
    } else {
        owner = _accountMgr.finalizeOwner(caller, accountName, domainId, projectId);
        aclType = ControlledEntity.ACLType.Account;
    }

    verifyAffinityGroupNameInUse(owner.getAccountId(), owner.getDomainId(), affinityGroupName);
    verifyDomainLevelAffinityGroupName(domainLevel, owner.getDomainId(), affinityGroupName);

    final AffinityGroupVO created = createAffinityGroup(processor, owner, aclType, affinityGroupName, affinityGroupType, description);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Created affinity group =" + affinityGroupName);
    }
    return created;
}