Example 11 with Domain
use of com.cloud.legacymodel.domain.Domain in project cosmic by MissionCriticalCloud.
the class AddVpnUserCmd method execute.
@Override
public void execute() {
final VpnUser vpnUser = _entityMgr.findById(VpnUser.class, getEntityId());
final Account account = _entityMgr.findById(Account.class, vpnUser.getAccountId());
if (!_ravService.applyVpnUsers(vpnUser.getAccountId(), userName)) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add vpn user");
}
final VpnUsersResponse vpnResponse = new VpnUsersResponse();
vpnResponse.setId(vpnUser.getUuid());
vpnResponse.setUserName(vpnUser.getUsername());
vpnResponse.setAccountName(account.getAccountName());
final Domain domain = _entityMgr.findById(Domain.class, account.getDomainId());
if (domain != null) {
vpnResponse.setDomainId(domain.getUuid());
vpnResponse.setDomainName(domain.getName());
}
vpnResponse.setResponseName(getCommandName());
vpnResponse.setObjectName("vpnuser");
setResponseObject(vpnResponse);
}
Also used :
Account(com.cloud.legacymodel.user.Account)
VpnUser(com.cloud.legacymodel.network.VpnUser)
ServerApiException(com.cloud.api.ServerApiException)
Domain(com.cloud.legacymodel.domain.Domain)
VpnUsersResponse(com.cloud.api.response.VpnUsersResponse)
Example 12 with Domain
use of com.cloud.legacymodel.domain.Domain in project cosmic by MissionCriticalCloud.
the class AccountManagerImpl method checkAccess.
@Override
public void checkAccess(final Account caller, final AccessType accessType, final boolean sameOwner, final String apiName, final ControlledEntity... entities) {
// check for the same owner
Long ownerId = null;
ControlledEntity prevEntity = null;
if (sameOwner) {
for (final ControlledEntity entity : entities) {
if (sameOwner) {
if (ownerId == null) {
ownerId = entity.getAccountId();
} else if (ownerId.longValue() != entity.getAccountId()) {
throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
}
prevEntity = entity;
}
}
}
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
// no need to make permission checks if the system/root admin makes the call
if (s_logger.isTraceEnabled()) {
s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
}
return;
}
final HashMap<Long, List<ControlledEntity>> domains = new HashMap<>();
for (final ControlledEntity entity : entities) {
long domainId = entity.getDomainId();
if (entity.getAccountId() != -1 && domainId == -1) {
// If account exists domainId should too so calculate
// it. This condition might be hit for templates or entities which miss domainId in their tables
final Account account = ApiDBUtils.findAccountById(entity.getAccountId());
domainId = account != null ? account.getDomainId() : -1;
}
if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId());
// for templates, we don't have to do cross domains check
if (toBeChecked == null) {
toBeChecked = new ArrayList<>();
domains.put(domainId, toBeChecked);
}
toBeChecked.add(entity);
}
boolean granted = false;
for (final SecurityChecker checker : _securityCheckers) {
if (checker.checkAccess(caller, entity, accessType, apiName)) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
}
granted = true;
break;
}
}
if (!granted) {
assert false : "How can all of the security checkers pass on checking this check: " + entity;
throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
}
}
for (final Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
for (final SecurityChecker checker : _securityCheckers) {
final Domain d = _domainMgr.getDomain(domain.getKey());
if (d == null || d.getRemoved() != null) {
throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
}
try {
checker.checkAccess(caller, d);
} catch (final PermissionDeniedException e) {
e.addDetails(caller, domain.getValue());
throw e;
}
}
}
// check that resources belong to the same account
}
Also used :
UserAccount(com.cloud.legacymodel.user.UserAccount)
Account(com.cloud.legacymodel.user.Account)
VirtualMachineTemplate(com.cloud.legacymodel.storage.VirtualMachineTemplate)
HashMap(java.util.HashMap)
SecurityChecker(com.cloud.acl.SecurityChecker)
AffinityGroup(com.cloud.affinity.AffinityGroup)
ControlledEntity(com.cloud.legacymodel.acl.ControlledEntity)
Network(com.cloud.legacymodel.network.Network)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
ArrayList(java.util.ArrayList)
List(java.util.List)
Domain(com.cloud.legacymodel.domain.Domain)
Map(java.util.Map)
HashMap(java.util.HashMap)
Example 13 with Domain
use of com.cloud.legacymodel.domain.Domain in project cosmic by MissionCriticalCloud.
the class AccountManagerImpl method buildACLSearchParameters.
// TODO: deprecate this to use the new buildACLSearchParameters with permittedDomains, permittedAccounts, and permittedResources as return
@Override
public void buildACLSearchParameters(final Account caller, final Long id, final String accountName, final Long projectId, final List<Long> permittedAccounts, final Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, final boolean listAll, final boolean forProjectInvitation) {
final Long domainId = domainIdRecursiveListProject.first();
if (domainId != null) {
final Domain domain = _domainDao.findById(domainId);
if (domain == null) {
throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
}
// check permissions
checkAccess(caller, domain);
}
if (accountName != null) {
if (projectId != null) {
throw new InvalidParameterValueException("Account and projectId can't be specified together");
}
final Account userAccount;
final Domain domain;
if (domainId != null) {
userAccount = _accountDao.findActiveAccount(accountName, domainId);
domain = _domainDao.findById(domainId);
} else {
userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
domain = _domainDao.findById(caller.getDomainId());
}
if (userAccount != null) {
checkAccess(caller, null, false, userAccount);
// check permissions
permittedAccounts.add(userAccount.getId());
} else {
throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
}
}
// set project information
if (projectId != null) {
if (!forProjectInvitation) {
if (projectId.longValue() == -1) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
} else {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
}
} else {
final Project project = _projectMgr.getProject(projectId);
if (project == null) {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
}
permittedAccounts.add(project.getProjectAccountId());
}
}
} else {
if (id == null) {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
}
if (permittedAccounts.isEmpty() && domainId == null) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
permittedAccounts.add(caller.getId());
} else if (!listAll) {
if (id == null) {
permittedAccounts.add(caller.getId());
} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
domainIdRecursiveListProject.first(caller.getDomainId());
domainIdRecursiveListProject.second(true);
}
} else if (domainId == null) {
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
domainIdRecursiveListProject.first(caller.getDomainId());
domainIdRecursiveListProject.second(true);
}
}
} else if (domainId != null) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
permittedAccounts.add(caller.getId());
}
}
}
}
Also used :
UserAccount(com.cloud.legacymodel.user.UserAccount)
Account(com.cloud.legacymodel.user.Account)
Project(com.cloud.projects.Project)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
Domain(com.cloud.legacymodel.domain.Domain)
Example 14 with Domain
use of com.cloud.legacymodel.domain.Domain in project cosmic by MissionCriticalCloud.
the class AccountManagerImpl method finalyzeAccountId.
@Override
public Long finalyzeAccountId(final String accountName, final Long domainId, final Long projectId, final boolean enabledOnly) {
if (accountName != null) {
if (domainId == null) {
throw new InvalidParameterValueException("Account must be specified with domainId parameter");
}
final Domain domain = _domainMgr.getDomain(domainId);
if (domain == null) {
throw new InvalidParameterValueException("Unable to find domain by id");
}
final Account account = getActiveAccountByName(accountName, domainId);
if (account != null && account.getType() != Account.ACCOUNT_TYPE_PROJECT) {
if (!enabledOnly || account.getState() == Account.State.enabled) {
return account.getId();
} else {
throw new PermissionDeniedException("Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() + " as it's no longer active");
}
} else {
// idList.add(new IdentityProxy("domain", domainId, "domainId"));
throw new InvalidParameterValueException("Unable to find account by name " + accountName + " in domain with specified id");
}
}
if (projectId != null) {
final Project project = _projectMgr.getProject(projectId);
if (project != null) {
if (!enabledOnly || project.getState() == Project.State.Active) {
return project.getProjectAccountId();
} else {
final PermissionDeniedException ex = new PermissionDeniedException("Can't add resources to the project with specified projectId in state=" + project.getState() + " as it's no longer active");
ex.addProxyObject(project.getUuid(), "projectId");
throw ex;
}
} else {
throw new InvalidParameterValueException("Unable to find project by id");
}
}
return null;
}
Also used :
UserAccount(com.cloud.legacymodel.user.UserAccount)
Account(com.cloud.legacymodel.user.Account)
Project(com.cloud.projects.Project)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
Domain(com.cloud.legacymodel.domain.Domain)
Example 15 with Domain
use of com.cloud.legacymodel.domain.Domain in project cosmic by MissionCriticalCloud.
the class AccountManagerImpl method finalizeOwner.
@Override
public Account finalizeOwner(final Account caller, final String accountName, final Long domainId, final Long projectId) {
// don't default the owner to the system account
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM && ((accountName == null || domainId == null) && projectId == null)) {
throw new InvalidParameterValueException("Account and domainId are needed for resource creation");
}
// projectId and account/domainId can't be specified together
if ((accountName != null && domainId != null) && projectId != null) {
throw new InvalidParameterValueException("ProjectId and account/domainId can't be specified together");
}
if (projectId != null) {
final Project project = _projectMgr.getProject(projectId);
if (project == null) {
throw new InvalidParameterValueException("Unable to find project by id=" + projectId);
}
if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
throw new PermissionDeniedException("Account " + caller + " is unauthorised to use project id=" + projectId);
}
return getAccount(project.getProjectAccountId());
}
if (isAdmin(caller.getId()) && accountName != null && domainId != null) {
final Domain domain = _domainMgr.getDomain(domainId);
if (domain == null) {
throw new InvalidParameterValueException("Unable to find the domain by id=" + domainId);
}
final Account owner = _accountDao.findActiveAccount(accountName, domainId);
if (owner == null) {
throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId);
}
checkAccess(caller, domain);
return owner;
} else if (!isAdmin(caller.getId()) && accountName != null && domainId != null) {
if (!accountName.equals(caller.getAccountName()) || domainId.longValue() != caller.getDomainId()) {
throw new PermissionDeniedException("Can't create/list resources for account " + accountName + " in domain " + domainId + ", permission denied");
} else {
return caller;
}
} else {
if ((accountName == null && domainId != null) || (accountName != null && domainId == null)) {
throw new InvalidParameterValueException("AccountName and domainId must be specified together");
}
// regular user can't create/list resources for other people
return caller;
}
}
Also used :
Project(com.cloud.projects.Project)
UserAccount(com.cloud.legacymodel.user.UserAccount)
Account(com.cloud.legacymodel.user.Account)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
Domain(com.cloud.legacymodel.domain.Domain)
Aggregations
Domain (com.cloud.legacymodel.domain.Domain)55
Account (com.cloud.legacymodel.user.Account)37
InvalidParameterValueException (com.cloud.legacymodel.exceptions.InvalidParameterValueException)20
UserAccount (com.cloud.legacymodel.user.UserAccount)19
ArrayList (java.util.ArrayList)16
PermissionDeniedException (com.cloud.legacymodel.exceptions.PermissionDeniedException)11
Project (com.cloud.projects.Project)11
DomainVO (com.cloud.domain.DomainVO)10
Network (com.cloud.legacymodel.network.Network)10
DomainResponse (com.cloud.api.response.DomainResponse)8
Pair (com.cloud.legacymodel.utils.Pair)7
PhysicalNetworkVO (com.cloud.network.dao.PhysicalNetworkVO)7
HostVO (com.cloud.host.HostVO)6
List (java.util.List)6
Filter (com.cloud.utils.db.Filter)5
HashSet (java.util.HashSet)5
Test (org.junit.Test)5
AffinityGroupResponse (com.cloud.affinity.AffinityGroupResponse)4
CloudAuthenticationException (com.cloud.legacymodel.exceptions.CloudAuthenticationException)4
NetworkVO (com.cloud.network.dao.NetworkVO)4
