use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class TemplateManagerImpl method listTemplatePermissions.
@Override
public List<String> listTemplatePermissions(final BaseListTemplateOrIsoPermissionsCmd cmd) {
final Account caller = CallContext.current().getCallingAccount();
final Long id = cmd.getId();
if (id.equals(Long.valueOf(1))) {
throw new PermissionDeniedException("unable to list permissions for " + cmd.getMediaType() + " with id " + id);
}
final VirtualMachineTemplate template = this._tmpltDao.findById(id);
if (template == null) {
throw new InvalidParameterValueException("unable to find " + cmd.getMediaType() + " with id " + id);
}
if (cmd instanceof ListTemplatePermissionsCmd) {
if (template.getFormat().equals(ImageFormat.ISO)) {
throw new InvalidParameterValueException("Please provide a valid template");
}
} else if (cmd instanceof ListIsoPermissionsCmd) {
if (!template.getFormat().equals(ImageFormat.ISO)) {
throw new InvalidParameterValueException("Please provide a valid iso");
}
}
if (!template.isPublicTemplate()) {
this._accountMgr.checkAccess(caller, null, true, template);
}
final List<String> accountNames = new ArrayList<>();
final List<LaunchPermissionVO> permissions = this._launchPermissionDao.findByTemplate(id);
if (permissions != null && !permissions.isEmpty()) {
for (final LaunchPermissionVO permission : permissions) {
final Account acct = this._accountDao.findById(permission.getAccountId());
accountNames.add(acct.getAccountName());
}
}
// also add the owner if not public
if (!template.isPublicTemplate()) {
final Account templateOwner = this._accountDao.findById(template.getAccountId());
accountNames.add(templateOwner.getAccountName());
}
return accountNames;
}
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class QueryManagerImpl method searchForUsersInternal.
private Pair<List<UserAccountJoinVO>, Integer> searchForUsersInternal(final ListUsersCmd cmd) throws PermissionDeniedException {
final Account caller = CallContext.current().getCallingAccount();
final List<Long> permittedAccounts = new ArrayList<>();
final boolean listAll = cmd.listAll();
Long id = cmd.getId();
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
final long currentId = CallContext.current().getCallingUser().getId();
if (id != null && currentId != id.longValue()) {
throw new PermissionDeniedException("Calling user is not authorized to see the user requested by id");
}
id = currentId;
}
final Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<>(cmd.getDomainId(), cmd.isRecursive(), null);
_accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
final Long domainId = domainIdRecursiveListProject.first();
final Boolean isRecursive = domainIdRecursiveListProject.second();
final ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
final Filter searchFilter = new Filter(UserAccountJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
final Object username = cmd.getUsername();
final Object type = cmd.getAccountType();
final Object accountName = cmd.getAccountName();
final Object state = cmd.getState();
final Object keyword = cmd.getKeyword();
final SearchBuilder<UserAccountJoinVO> sb = _userAccountJoinDao.createSearchBuilder();
_accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("username", sb.entity().getUsername(), SearchCriteria.Op.LIKE);
if (id != null && id == 1) {
// system user should NOT be searchable
final List<UserAccountJoinVO> emptyList = new ArrayList<>();
return new Pair<>(emptyList, 0);
} else if (id != null) {
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
} else {
// this condition is used to exclude system user from the search
// results
sb.and("id", sb.entity().getId(), SearchCriteria.Op.NEQ);
}
sb.and("type", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
sb.and("accountName", sb.entity().getAccountName(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
if (accountName == null && domainId != null) {
sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
}
final SearchCriteria<UserAccountJoinVO> sc = sb.create();
// building ACL condition
_accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (keyword != null) {
final SearchCriteria<UserAccountJoinVO> ssc = _userAccountJoinDao.createSearchCriteria();
ssc.addOr("username", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("firstname", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("lastname", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("email", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("state", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("accountName", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("accountType", SearchCriteria.Op.LIKE, "%" + keyword + "%");
sc.addAnd("username", SearchCriteria.Op.SC, ssc);
}
if (username != null) {
sc.setParameters("username", username);
}
if (id != null) {
sc.setParameters("id", id);
} else {
// Don't return system user, search builder with NEQ
sc.setParameters("id", 1);
}
if (type != null) {
sc.setParameters("type", type);
}
if (accountName != null) {
sc.setParameters("accountName", accountName);
if (domainId != null) {
sc.setParameters("domainId", domainId);
}
} else if (domainId != null) {
final DomainVO domainVO = _domainDao.findById(domainId);
sc.setParameters("domainPath", domainVO.getPath() + "%");
}
if (state != null) {
sc.setParameters("state", state);
}
return _userAccountJoinDao.searchAndCount(sc, searchFilter);
}
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class QueryManagerImpl method searchForDiskOfferingsInternal.
private Pair<List<DiskOfferingJoinVO>, Integer> searchForDiskOfferingsInternal(final ListDiskOfferingsCmd cmd) {
// Note
// The list method for offerings is being modified in accordance with
// discussion with Will/Kevin
// For now, we will be listing the following based on the usertype
// 1. For root, we will list all offerings
// 2. For domainAdmin and regular users, we will list everything in
// their domains+parent domains ... all the way
// till
// root
Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
isAscending = isAscending == null ? true : isAscending;
final Filter searchFilter = new Filter(DiskOfferingJoinVO.class, "sortKey", isAscending, cmd.getStartIndex(), cmd.getPageSizeVal());
final SearchCriteria<DiskOfferingJoinVO> sc = _diskOfferingJoinDao.createSearchCriteria();
sc.addAnd("type", Op.EQ, DiskOfferingVO.Type.Disk);
final Account account = CallContext.current().getCallingAccount();
final Object name = cmd.getDiskOfferingName();
final Object id = cmd.getId();
final Object keyword = cmd.getKeyword();
final Long domainId = cmd.getDomainId();
final Boolean isRootAdmin = _accountMgr.isRootAdmin(account.getAccountId());
final Boolean isRecursive = cmd.isRecursive();
// associated with this domain
if (domainId != null) {
if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) {
// check if the user's domain == do's domain || user's domain is
// a child of so's domain for non-root users
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
if (!isRootAdmin) {
sc.addAnd("displayOffering", SearchCriteria.Op.EQ, 1);
}
return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
} else {
throw new PermissionDeniedException("The account:" + account.getAccountName() + " does not fall in the same domain hierarchy as the disk offering");
}
}
final List<Long> domainIds;
// and everything above till root
if (_accountMgr.isNormalUser(account.getId()) || _accountMgr.isDomainAdmin(account.getId()) || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
if (isRecursive) {
// domain + all sub-domains
if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list disk offerings with isrecursive=true");
}
final DomainVO domainRecord = _domainDao.findById(account.getDomainId());
sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domainRecord.getPath() + "%");
} else {
// domain + all ancestors
// find all domain Id up to root domain for this account
domainIds = new ArrayList<>();
DomainVO domainRecord = _domainDao.findById(account.getDomainId());
if (domainRecord == null) {
s_logger.error("Could not find the domainId for account:" + account.getAccountName());
throw new CloudAuthenticationException("Could not find the domainId for account:" + account.getAccountName());
}
domainIds.add(domainRecord.getId());
while (domainRecord.getParent() != null) {
domainRecord = _domainDao.findById(domainRecord.getParent());
domainIds.add(domainRecord.getId());
}
final SearchCriteria<DiskOfferingJoinVO> spc = _diskOfferingJoinDao.createSearchCriteria();
spc.addOr("domainId", SearchCriteria.Op.IN, domainIds.toArray());
// include public offering as where
spc.addOr("domainId", SearchCriteria.Op.NULL);
sc.addAnd("domainId", SearchCriteria.Op.SC, spc);
// non-root users should not see system offering at all
sc.addAnd("systemUse", SearchCriteria.Op.EQ, false);
}
}
if (keyword != null) {
final SearchCriteria<DiskOfferingJoinVO> ssc = _diskOfferingJoinDao.createSearchCriteria();
ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
sc.addAnd("name", SearchCriteria.Op.SC, ssc);
}
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
}
if (name != null) {
sc.addAnd("name", SearchCriteria.Op.EQ, name);
}
return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
}
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class QueryManagerImpl method listProjectsInternal.
private Pair<List<ProjectJoinVO>, Integer> listProjectsInternal(final ListProjectsCmd cmd) {
final Long id = cmd.getId();
final String name = cmd.getName();
final String displayText = cmd.getDisplayText();
final String state = cmd.getState();
final String accountName = cmd.getAccountName();
final Long domainId = cmd.getDomainId();
final String keyword = cmd.getKeyword();
final Long startIndex = cmd.getStartIndex();
final Long pageSize = cmd.getPageSizeVal();
final boolean listAll = cmd.listAll();
final boolean isRecursive = cmd.isRecursive();
cmd.getTags();
final Account caller = CallContext.current().getCallingAccount();
Long accountId = null;
String path = null;
final Filter searchFilter = new Filter(ProjectJoinVO.class, "id", false, startIndex, pageSize);
final SearchBuilder<ProjectJoinVO> sb = _projectJoinDao.createSearchBuilder();
// select distinct
sb.select(null, Func.DISTINCT, sb.entity().getId());
if (_accountMgr.isAdmin(caller.getId())) {
if (domainId != null) {
final DomainVO domain = _domainDao.findById(domainId);
if (domain == null) {
throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist in the system");
}
_accountMgr.checkAccess(caller, domain);
if (accountName != null) {
final Account owner = _accountMgr.getActiveAccountByName(accountName, domainId);
if (owner == null) {
throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId);
}
accountId = owner.getId();
}
} else {
// domainId == null
if (accountName != null) {
throw new InvalidParameterValueException("could not find account " + accountName + " because domain is not specified");
}
}
} else {
if (accountName != null && !accountName.equals(caller.getAccountName())) {
throw new PermissionDeniedException("Can't list account " + accountName + " projects; unauthorized");
}
if (domainId != null && !domainId.equals(caller.getDomainId())) {
throw new PermissionDeniedException("Can't list domain id= " + domainId + " projects; unauthorized");
}
accountId = caller.getId();
}
if (domainId == null && accountId == null && (_accountMgr.isNormalUser(caller.getId()) || !listAll)) {
accountId = caller.getId();
} else if (_accountMgr.isDomainAdmin(caller.getId()) || isRecursive && !listAll) {
final DomainVO domain = _domainDao.findById(caller.getDomainId());
path = domain.getPath();
}
if (path != null) {
sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
}
if (accountId != null) {
sb.and("accountId", sb.entity().getAccountId(), SearchCriteria.Op.EQ);
}
final SearchCriteria<ProjectJoinVO> sc = sb.create();
if (id != null) {
sc.addAnd("id", Op.EQ, id);
}
if (domainId != null && !isRecursive) {
sc.addAnd("domainId", Op.EQ, domainId);
}
if (name != null) {
sc.addAnd("name", Op.EQ, name);
}
if (displayText != null) {
sc.addAnd("displayText", Op.EQ, displayText);
}
if (accountId != null) {
sc.setParameters("accountId", accountId);
}
if (state != null) {
sc.addAnd("state", Op.EQ, state);
}
if (keyword != null) {
final SearchCriteria<ProjectJoinVO> ssc = _projectJoinDao.createSearchCriteria();
ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
sc.addAnd("name", SearchCriteria.Op.SC, ssc);
}
if (path != null) {
sc.setParameters("domainPath", path);
}
// search distinct projects to get count
final Pair<List<ProjectJoinVO>, Integer> uniquePrjPair = _projectJoinDao.searchAndCount(sc, searchFilter);
final Integer count = uniquePrjPair.second();
if (count.intValue() == 0) {
// handle empty result cases
return uniquePrjPair;
}
final List<ProjectJoinVO> uniquePrjs = uniquePrjPair.first();
final Long[] prjIds = new Long[uniquePrjs.size()];
int i = 0;
for (final ProjectJoinVO v : uniquePrjs) {
prjIds[i++] = v.getId();
}
final List<ProjectJoinVO> prjs = _projectJoinDao.searchByIds(prjIds);
return new Pair<>(prjs, count);
}
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class QueryManagerImpl method searchForServiceOfferingsInternal.
private Pair<List<ServiceOfferingJoinVO>, Integer> searchForServiceOfferingsInternal(final ListServiceOfferingsCmd cmd) {
// Note
// The filteredOfferings method for offerings is being modified in accordance with
// discussion with Will/Kevin
// For now, we will be listing the following based on the usertype
// 1. For root, we will filteredOfferings all offerings
// 2. For domainAdmin and regular users, we will filteredOfferings everything in
// their domains+parent domains ... all the way
// till
// root
Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
isAscending = isAscending == null ? true : isAscending;
final Filter searchFilter = new Filter(ServiceOfferingJoinVO.class, "sortKey", isAscending, cmd.getStartIndex(), cmd.getPageSizeVal());
final Account caller = CallContext.current().getCallingAccount();
final Object name = cmd.getServiceOfferingName();
final Object id = cmd.getId();
final Object keyword = cmd.getKeyword();
final Long vmId = cmd.getVirtualMachineId();
final Long domainId = cmd.getDomainId();
final Boolean isSystem = cmd.getIsSystem();
final String vmTypeStr = cmd.getSystemVmType();
final ServiceOfferingVO currentVmOffering;
final Boolean isRecursive = cmd.isRecursive();
final SearchCriteria<ServiceOfferingJoinVO> sc = _srvOfferingJoinDao.createSearchCriteria();
if (!_accountMgr.isRootAdmin(caller.getId()) && isSystem) {
throw new InvalidParameterValueException("Only ROOT admins can access system's offering");
}
// domain
if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) {
// child of so's domain
if (!isPermissible(caller.getDomainId(), domainId)) {
throw new PermissionDeniedException("The account:" + caller.getAccountName() + " does not fall in the same domain hierarchy as the service offering");
}
}
if (vmId != null) {
final VMInstanceVO vmInstance = _vmInstanceDao.findById(vmId);
if (vmInstance == null || vmInstance.getRemoved() != null) {
final InvalidParameterValueException ex = new InvalidParameterValueException("unable to find a virtual machine with specified id");
ex.addProxyObject(vmId.toString(), "vmId");
throw ex;
}
_accountMgr.checkAccess(caller, null, true, vmInstance);
currentVmOffering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
sc.addAnd("id", SearchCriteria.Op.NEQ, currentVmOffering.getId());
// 1. Only return offerings with the same storage type
sc.addAnd("useLocalStorage", SearchCriteria.Op.EQ, currentVmOffering.getUseLocalStorage());
// 2.In case vm is running return only offerings greater than equal to current offering compute.
if (vmInstance.getState() == VirtualMachine.State.Running) {
sc.addAnd("cpu", Op.GTEQ, currentVmOffering.getCpu());
sc.addAnd("ramSize", Op.GTEQ, currentVmOffering.getRamSize());
}
}
// boolean includePublicOfferings = false;
if (_accountMgr.isNormalUser(caller.getId()) || _accountMgr.isDomainAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// For non-root users.
if (isSystem) {
throw new InvalidParameterValueException("Only root admins can access system's offering");
}
if (isRecursive) {
// domain + all sub-domains
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list service offerings with isrecursive=true");
}
final DomainVO domainRecord = _domainDao.findById(caller.getDomainId());
sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domainRecord.getPath() + "%");
} else {
// domain + all ancestors
// find all domain Id up to root domain for this account
final List<Long> domainIds = new ArrayList<>();
DomainVO domainRecord;
if (vmId != null) {
final UserVmVO vmInstance = _userVmDao.findById(vmId);
domainRecord = _domainDao.findById(vmInstance.getDomainId());
if (domainRecord == null) {
s_logger.error("Could not find the domainId for vmId:" + vmId);
throw new CloudAuthenticationException("Could not find the domainId for vmId:" + vmId);
}
} else {
domainRecord = _domainDao.findById(caller.getDomainId());
if (domainRecord == null) {
s_logger.error("Could not find the domainId for account:" + caller.getAccountName());
throw new CloudAuthenticationException("Could not find the domainId for account:" + caller.getAccountName());
}
}
domainIds.add(domainRecord.getId());
while (domainRecord.getParent() != null) {
domainRecord = _domainDao.findById(domainRecord.getParent());
domainIds.add(domainRecord.getId());
}
final SearchCriteria<ServiceOfferingJoinVO> spc = _srvOfferingJoinDao.createSearchCriteria();
spc.addOr("domainId", SearchCriteria.Op.IN, domainIds.toArray());
// include public offering as well
spc.addOr("domainId", SearchCriteria.Op.NULL);
sc.addAnd("domainId", SearchCriteria.Op.SC, spc);
}
} else {
// for root users
if (caller.getDomainId() != 1 && isSystem) {
// NON ROOT admin
throw new InvalidParameterValueException("Non ROOT admins cannot access system's offering");
}
if (domainId != null) {
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
}
}
if (keyword != null) {
final SearchCriteria<ServiceOfferingJoinVO> ssc = _srvOfferingJoinDao.createSearchCriteria();
ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
sc.addAnd("name", SearchCriteria.Op.SC, ssc);
}
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
}
if (isSystem != null) {
// note that for non-root users, isSystem is always false when
// control comes to here
sc.addAnd("systemUse", SearchCriteria.Op.EQ, isSystem);
}
if (name != null) {
sc.addAnd("name", SearchCriteria.Op.EQ, name);
}
if (vmTypeStr != null) {
sc.addAnd("vmType", SearchCriteria.Op.EQ, vmTypeStr);
}
final Pair<List<ServiceOfferingJoinVO>, Integer> result = _srvOfferingJoinDao.searchAndCount(sc, searchFilter);
return result;
}
Aggregations