
Example 1 with ControlledEntity

use of com.cloud.legacymodel.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class AccountManagerImpl method checkAccess.

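/**
 * Verifies that {@code caller} may access every entity in {@code entities}; returns normally
 * only when all checks pass.
 *
 * <p>Order of checks, as implemented below:
 * <ol>
 *   <li>If {@code sameOwner} is set, all entities must report the same account id. This runs
 *       before the system/root-admin shortcut, so it applies to those callers too.</li>
 *   <li>The system account and root admins skip every remaining check.</li>
 *   <li>Each entity must be granted by at least one registered {@link SecurityChecker}.</li>
 *   <li>For entities subject to the cross-domain check, every registered checker must accept
 *       the caller for the entity's domain.</li>
 * </ol>
 *
 * @param caller     account making the request
 * @param accessType requested access type; may be {@code null}
 * @param sameOwner  when {@code true}, require all entities to share one account id
 * @param apiName    API command name handed to the checkers; callers on this page may pass {@code null}
 * @param entities   entities to check; with a single entity the same-owner test compares nothing
 * @throws PermissionDeniedException if any check fails, or a referenced domain is missing or removed
 */
@Override
public void checkAccess(final Account caller, final AccessType accessType, final boolean sameOwner, final String apiName, final ControlledEntity... entities) {
    // check for the same owner
    if (sameOwner) {
        Long ownerId = null;
        ControlledEntity prevEntity = null;
        for (final ControlledEntity entity : entities) {
            if (ownerId == null) {
                ownerId = entity.getAccountId();
            } else if (ownerId.longValue() != entity.getAccountId()) {
                throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
            }
            prevEntity = entity;
        }
    }
    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
        // no need to make permission checks if the system/root admin makes the call
        // NOTE(review): this bypass is only logged at trace level, so privileged access to
        // another tenant's entities leaves no record here at default log levels.
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
        }
        return;
    }
    // Entities that need the cross-domain check, grouped by resolved domain id.
    final HashMap<Long, List<ControlledEntity>> domains = new HashMap<>();
    for (final ControlledEntity entity : entities) {
        long domainId = entity.getDomainId();
        if (entity.getAccountId() != -1 && domainId == -1) {
            // If account exists domainId should too so calculate
            // it. This condition might be hit for templates or entities which miss domainId in their tables
            final Account account = ApiDBUtils.findAccountById(entity.getAccountId());
            domainId = account != null ? account.getDomainId() : -1;
        }
        // for templates, we don't have to do cross domains check; networks requested with
        // UseEntry and affinity groups are exempt from it as well.
        final boolean networkUseEntry = entity instanceof Network && accessType == AccessType.UseEntry;
        final boolean exemptFromDomainCheck = entity instanceof VirtualMachineTemplate || networkUseEntry || entity instanceof AffinityGroup;
        if (entity.getAccountId() != -1 && domainId != -1 && !exemptFromDomainCheck) {
            // Look the group up under the resolved domainId, the same key used for put().
            // Using entity.getDomainId() here missed the group whenever the id had been derived
            // from the account, so each such entity replaced the previous list and earlier
            // entities were lost from the denial details reported below.
            List<ControlledEntity> toBeChecked = domains.get(domainId);
            if (toBeChecked == null) {
                toBeChecked = new ArrayList<>();
                domains.put(domainId, toBeChecked);
            }
            toBeChecked.add(entity);
        }
        // Entity-level check: the first checker that grants access wins.
        boolean granted = false;
        for (final SecurityChecker checker : _securityCheckers) {
            if (checker.checkAccess(caller, entity, accessType, apiName)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
                }
                granted = true;
                break;
            }
        }
        if (!granted) {
            // Fail closed. With assertions enabled (-ea) the assert raises AssertionError before
            // the throw is reached, so the denial surfaces as an Error instead of
            // PermissionDeniedException; callers that catch only the latter will not see it.
            assert false : "How can all of the security checkers pass on checking this check: " + entity;
            throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
        }
    }
    // Domain-level check: unlike the entity-level check, every checker must accept the caller.
    for (final Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
        // Resolved once per domain instead of once per checker. The map is only non-empty when
        // at least one checker granted an entity above, so a missing domain is still rejected.
        final Domain d = _domainMgr.getDomain(domain.getKey());
        if (d == null || d.getRemoved() != null) {
            throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
        }
        for (final SecurityChecker checker : _securityCheckers) {
            try {
                // Denial is signalled only by PermissionDeniedException; any return value is not consulted.
                checker.checkAccess(caller, d);
            } catch (final PermissionDeniedException e) {
                e.addDetails(caller, domain.getValue());
                throw e;
            }
        }
    }
}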
Also used : UserAccount(com.cloud.legacymodel.user.UserAccount) Account(com.cloud.legacymodel.user.Account) VirtualMachineTemplate(com.cloud.legacymodel.storage.VirtualMachineTemplate) HashMap(java.util.HashMap) SecurityChecker(com.cloud.acl.SecurityChecker) AffinityGroup(com.cloud.affinity.AffinityGroup) ControlledEntity(com.cloud.legacymodel.acl.ControlledEntity) Network(com.cloud.legacymodel.network.Network) PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException) ArrayList(java.util.ArrayList) List(java.util.List) Domain(com.cloud.legacymodel.domain.Domain) Map(java.util.Map) HashMap(java.util.HashMap)

Example 2 with ControlledEntity

use of com.cloud.legacymodel.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ParamProcessWorker method doAccessChecks.

/**
 * Runs the account-manager access checks for a command before it is dispatched.
 *
 * <p>The caller is checked against the command's owner account when the command is a
 * {@link BaseAsyncCreateCmd} and again whenever {@code entitiesToAccess} is non-empty (so
 * twice when both hold). Every key of {@code entitiesToAccess} that is a
 * {@link ControlledEntity} is then checked with the access type mapped to it; other keys are
 * skipped without any check.
 *
 * @param cmd              command being processed; supplies the owner account id
 * @param entitiesToAccess entities the command touches, mapped to the access type required
 */
private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
    final Account callingAccount = CallContext.current().getCallingAccount();
    // Per the original note: because of the deleteAccount design flaw (CLOUDSTACK-6588),
    // removed accounts are still included so that their leftover resources can be cleaned up.
    // NOTE(review): ownerAccount is passed on without a null check - confirm getAccount cannot
    // return null for the id supplied by the command.
    final Account ownerAccount = _accountMgr.getAccount(cmd.getEntityOwnerId());
    final boolean isAsyncCreate = cmd instanceof BaseAsyncCreateCmd;
    if (isAsyncCreate) {
        // The caller must be allowed to act on the owner account.
        _accountMgr.checkAccess(callingAccount, null, false, ownerAccount);
    }
    if (entitiesToAccess.isEmpty()) {
        return;
    }
    // The caller must be allowed to act on the owner account.
    _accountMgr.checkAccess(callingAccount, null, false, ownerAccount);
    for (final Map.Entry<Object, AccessType> access : entitiesToAccess.entrySet()) {
        final Object candidate = access.getKey();
        if (!(candidate instanceof ControlledEntity)) {
            continue;
        }
        // NOTE(review): sameOwner=true is passed with one entity per call; a same-owner
        // comparison needs at least two entities in the same call, so it presumably has no
        // effect here - confirm against AccountManager.checkAccess.
        _accountMgr.checkAccess(callingAccount, access.getValue(), true, (ControlledEntity) candidate);
    }
}
Also used : Account(com.cloud.legacymodel.user.Account) ControlledEntity(com.cloud.legacymodel.acl.ControlledEntity) BaseAsyncCreateCmd(com.cloud.api.BaseAsyncCreateCmd) HashMap(java.util.HashMap) Map(java.util.Map) AccessType(com.cloud.acl.SecurityChecker.AccessType)

Example 3 with ControlledEntity

use of com.cloud.legacymodel.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ApiDispatcher method doAccessChecks.

/**
 * Checks the calling account's access to each {@link ControlledEntity} key of
 * {@code entitiesToAccess}, using the access type mapped to that key.
 *
 * <p>Keys that are not a {@code ControlledEntity} are skipped without any check.
 *
 * @param cmd              command being dispatched; its {@link APICommand} annotation, when
 *                         present, supplies the API name handed to the access check
 * @param entitiesToAccess entities the command touches, mapped to the access type required
 */
private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
    final Account callingAccount = CallContext.current().getCallingAccount();
    final APICommand annotation = cmd.getClass().getAnnotation(APICommand.class);
    // A command class without the annotation yields a null API name for the checkers.
    final String apiName;
    if (annotation == null) {
        apiName = null;
    } else {
        apiName = annotation.name();
    }
    if (entitiesToAccess.isEmpty()) {
        return;
    }
    for (final Map.Entry<Object, AccessType> access : entitiesToAccess.entrySet()) {
        final Object candidate = access.getKey();
        if (!(candidate instanceof ControlledEntity)) {
            continue;
        }
        // One entity per call with sameOwner=false: no cross-entity ownership comparison is requested.
        _accountMgr.checkAccess(callingAccount, access.getValue(), false, apiName, (ControlledEntity) candidate);
    }
}
Also used : Account(com.cloud.legacymodel.user.Account) ControlledEntity(com.cloud.legacymodel.acl.ControlledEntity)

Example 4 with ControlledEntity

use of com.cloud.legacymodel.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ManagementServerImpl method archiveEvents.

/**
 * Archives the events selected by {@code cmd} after an access check on every selected event.
 *
 * <p>The selection is handed the account ids computed for the caller. When the command names
 * explicit ids and fewer events come back than ids were requested, nothing is archived and
 * {@code false} is returned.
 *
 * @param cmd archive request (ids, type, start/end date)
 * @return {@code true} if the selected events were archived, {@code false} if the request
 *         named ids that the selection did not return
 */
@Override
public boolean archiveEvents(final ArchiveEventsCmd cmd) {
    final Account caller = getCaller();
    final List<Long> requestedIds = cmd.getIds();
    final List<Long> allowedAccountIds = computePermitedAccounts(caller);
    // Presumably the DAO restricts the result to allowedAccountIds - verify in the DAO.
    final List<EventVO> matched = _eventDao.listToArchiveOrDeleteEvents(requestedIds, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), allowedAccountIds);
    final ControlledEntity[] toCheck = matched.toArray(new ControlledEntity[matched.size()]);
    // The access check runs before any state change; sameOwner is false, so the events may
    // belong to different accounts.
    // NOTE(review): the permitted accounts come from getCaller() while this check uses
    // CallContext.current().getCallingAccount() - confirm both resolve to the same account.
    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, toCheck);
    final boolean someIdsNotReturned = requestedIds != null && matched.size() < requestedIds.size();
    if (someIdsNotReturned) {
        // All-or-nothing: a partially matched id list is refused instead of partly applied.
        return false;
    }
    _eventDao.archiveEvents(matched);
    return true;
}
Also used : Account(com.cloud.legacymodel.user.Account) ControlledEntity(com.cloud.legacymodel.acl.ControlledEntity) EventVO(com.cloud.event.EventVO)

Example 5 with ControlledEntity

use of com.cloud.legacymodel.acl.ControlledEntity in project cosmic by MissionCriticalCloud.

the class ManagementServerImpl method deleteEvents.

/**
 * Deletes the events selected by {@code cmd} after an access check on every selected event.
 *
 * <p>The selection is handed the account ids computed for the caller. When the command names
 * explicit ids and fewer events come back than ids were requested, nothing is deleted and
 * {@code false} is returned.
 *
 * @param cmd delete request (ids, type, start/end date)
 * @return {@code true} if the selected events were removed, {@code false} if the request
 *         named ids that the selection did not return
 */
@Override
public boolean deleteEvents(final DeleteEventsCmd cmd) {
    final Account caller = getCaller();
    final List<Long> requestedIds = cmd.getIds();
    final List<Long> allowedAccountIds = computePermitedAccounts(caller);
    // Presumably the DAO restricts the result to allowedAccountIds - verify in the DAO.
    final List<EventVO> matched = _eventDao.listToArchiveOrDeleteEvents(requestedIds, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), allowedAccountIds);
    final ControlledEntity[] toCheck = matched.toArray(new ControlledEntity[matched.size()]);
    // The access check runs before any state change; sameOwner is false, so the events may
    // belong to different accounts.
    // NOTE(review): the permitted accounts come from getCaller() while this check uses
    // CallContext.current().getCallingAccount() - confirm both resolve to the same account.
    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, toCheck);
    final boolean someIdsNotReturned = requestedIds != null && matched.size() < requestedIds.size();
    if (someIdsNotReturned) {
        // All-or-nothing: a partially matched id list is refused instead of partly applied.
        return false;
    }
    // Events are removed one id at a time.
    for (final EventVO matchedEvent : matched) {
        _eventDao.remove(matchedEvent.getId());
    }
    return true;
}
Also used : Account(com.cloud.legacymodel.user.Account) ControlledEntity(com.cloud.legacymodel.acl.ControlledEntity) EventVO(com.cloud.event.EventVO)

Aggregations

ControlledEntity (com.cloud.legacymodel.acl.ControlledEntity)5 Account (com.cloud.legacymodel.user.Account)5 EventVO (com.cloud.event.EventVO)2 HashMap (java.util.HashMap)2 Map (java.util.Map)2 SecurityChecker (com.cloud.acl.SecurityChecker)1 AccessType (com.cloud.acl.SecurityChecker.AccessType)1 AffinityGroup (com.cloud.affinity.AffinityGroup)1 BaseAsyncCreateCmd (com.cloud.api.BaseAsyncCreateCmd)1 Domain (com.cloud.legacymodel.domain.Domain)1 PermissionDeniedException (com.cloud.legacymodel.exceptions.PermissionDeniedException)1 Network (com.cloud.legacymodel.network.Network)1 VirtualMachineTemplate (com.cloud.legacymodel.storage.VirtualMachineTemplate)1 UserAccount (com.cloud.legacymodel.user.UserAccount)1 ArrayList (java.util.ArrayList)1 List (java.util.List)1