Examples with ControlledEntity org.apache.cloudstack.acl.ControlledEntity used on opensource projects

Example 6 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class ManagementServerImpl method deleteEvents.

@Override
public boolean deleteEvents(final DeleteEventsCmd cmd) {
    final Account caller = getCaller();
    final List<Long> ids = cmd.getIds();
    boolean result = true;
    List<Long> permittedAccountIds = new ArrayList<Long>();
    if (_accountMgr.isNormalUser(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
        permittedAccountIds.add(caller.getId());
    } else {
        final DomainVO domain = _domainDao.findById(caller.getDomainId());
        final List<Long> permittedDomainIds = _domainDao.getDomainChildrenIds(domain.getPath());
        permittedAccountIds = _accountDao.getAccountIdsForDomains(permittedDomainIds);
    }
    final List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
    final ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
    if (ids != null && events.size() < ids.size()) {
        result = false;
        return result;
    }
    for (final EventVO event : events) {
        _eventDao.remove(event.getId());
    }
    return result;
}

Example 7 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class AccountManagerImpl method getKeys.

@Override
public Map<String, String> getKeys(Long userId) {
    User user = getActiveUser(userId);
    if (user == null) {
        throw new InvalidParameterValueException("Unable to find user by id");
    }
    // Extracting the Account from the userID of the requested user.
    final ControlledEntity account = getAccount(getUserAccountById(userId).getAccountId());
    checkAccess(CallContext.current().getCallingUser(), account);
    Map<String, String> keys = new HashMap<String, String>();
    keys.put("apikey", user.getApiKey());
    keys.put("secretkey", user.getSecretKey());
    return keys;
}

Example 8 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class UserVmManagerImpl method destroyVm.

@Override
@ActionEvent(eventType = EventTypes.EVENT_VM_DESTROY, eventDescription = "destroying Vm", async = true)
public UserVm destroyVm(DestroyVMCmd cmd) throws ResourceUnavailableException, ConcurrentOperationException {
    CallContext ctx = CallContext.current();
    long vmId = cmd.getId();
    boolean expunge = cmd.getExpunge();
    // When trying to expunge, permission is denied when the caller is not an admin and the AllowUserExpungeRecoverVm is false for the caller.
    if (expunge && !_accountMgr.isAdmin(ctx.getCallingAccount().getId()) && !AllowUserExpungeRecoverVm.valueIn(cmd.getEntityOwnerId())) {
        throw new PermissionDeniedException("Parameter " + ApiConstants.EXPUNGE + " can be passed by Admin only. Or when the allow.user.expunge.recover.vm key is set.");
    }
    // check if VM exists
    UserVmVO vm = _vmDao.findById(vmId);
    if (vm == null || vm.getRemoved() != null) {
        throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
    }
    if ((vm.getState() == State.Destroyed && !expunge) || vm.getState() == State.Expunging) {
        s_logger.debug("Vm id=" + vmId + " is already destroyed");
        return vm;
    }
    // check if there are active volume snapshots tasks
    s_logger.debug("Checking if there are any ongoing snapshots on the ROOT volumes associated with VM with ID " + vmId);
    if (checkStatusOfVolumeSnapshots(vmId, Volume.Type.ROOT)) {
        throw new CloudRuntimeException("There is/are unbacked up snapshot(s) on ROOT volume, vm destroy is not permitted, please try again later.");
    }
    s_logger.debug("Found no ongoing snapshots on volume of type ROOT, for the vm with id " + vmId);
    List<VolumeVO> volumesToBeDeleted = getVolumesFromIds(cmd);
    checkForUnattachedVolumes(vmId, volumesToBeDeleted);
    validateVolumes(volumesToBeDeleted);
    final ControlledEntity[] volumesToDelete = volumesToBeDeleted.toArray(new ControlledEntity[0]);
    _accountMgr.checkAccess(ctx.getCallingAccount(), null, true, volumesToDelete);
    stopVirtualMachine(vmId, VmDestroyForcestop.value());
    // Detach all data disks from VM
    List<VolumeVO> dataVols = _volsDao.findByInstanceAndType(vmId, Volume.Type.DATADISK);
    detachVolumesFromVm(dataVols);
    UserVm destroyedVm = destroyVm(vmId, expunge);
    if (expunge) {
        if (!expunge(vm, ctx.getCallingUserId(), ctx.getCallingAccount())) {
            throw new CloudRuntimeException("Failed to expunge vm " + destroyedVm);
        }
    }
    deleteVolumesFromVm(volumesToBeDeleted, expunge);
    return destroyedVm;
}

Example 9 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class AnnotationManagerImpl method setResponseEntityName.

private void setResponseEntityName(AnnotationResponse response, String entityUuid, EntityType entityType) {
    String entityName = null;
    if (entityType.isUserAllowed()) {
        ControlledEntity entity = getEntityFromUuidAndType(entityUuid, entityType);
        if (entity != null) {
            LOGGER.debug(String.format("Could not find an entity with type: %s and ID: %s", entityType.name(), entityUuid));
            entityName = entity.getName();
        }
    } else {
        entityName = getInfrastructureEntityName(entityUuid, entityType);
    }
    response.setEntityName(entityName);
}

Example 10 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class AccountManagerImpl method checkAccess.

@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
    // check for the same owner
    Long ownerId = null;
    ControlledEntity prevEntity = null;
    if (sameOwner) {
        for (ControlledEntity entity : entities) {
            if (ownerId == null) {
                ownerId = entity.getAccountId();
            } else if (ownerId.longValue() != entity.getAccountId()) {
                throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
            }
            prevEntity = entity;
        }
    }
    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
        // no need to make permission checks if the system/root admin makes the call
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
        }
        return;
    }
    HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
    for (ControlledEntity entity : entities) {
        long domainId = entity.getDomainId();
        if (entity.getAccountId() != -1 && domainId == -1) {
            // If account exists domainId should too so calculate
            // it. This condition might be hit for templates or entities which miss domainId in their tables
            Account account = ApiDBUtils.findAccountById(entity.getAccountId());
            domainId = account != null ? account.getDomainId() : -1;
        }
        if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
            List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId());
            // for templates, we don't have to do cross domains check
            if (toBeChecked == null) {
                toBeChecked = new ArrayList<ControlledEntity>();
                domains.put(domainId, toBeChecked);
            }
            toBeChecked.add(entity);
        }
        boolean granted = false;
        for (SecurityChecker checker : _securityCheckers) {
            if (checker.checkAccess(caller, entity, accessType, apiName)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
                }
                granted = true;
                break;
            }
        }
        if (!granted) {
            assert false : "How can all of the security checkers pass on checking this check: " + entity;
            throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
        }
    }
    for (Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
        for (SecurityChecker checker : _securityCheckers) {
            Domain d = _domainMgr.getDomain(domain.getKey());
            if (d == null || d.getRemoved() != null) {
                throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
            }
            try {
                checker.checkAccess(caller, d);
            } catch (PermissionDeniedException e) {
                e.addDetails(caller, domain.getValue());
                throw e;
            }
        }
    }
// check that resources belong to the same account
}