Example 1 with RoleType

use of org.apache.cloudstack.acl.RoleType in project cloudstack by apache.

the class BaseCmd method getParamFields.

/**
 * This method doesn't return all the {@link Parameter} fields, but only the ones exposed
 * and allowed for the current {@link RoleType}. This method will get the fields for a given
 * Cmd class only once and never again, so in case of a dynamic update the result would
 * be obsolete (this might be a plugin update. It is agreed upon that we will not do
 * upgrades dynamically but in case we come back on that decision we need to revisit this)
 *
 * @return the parameter fields that the calling account's role is authorized to pass in
 */
public List<Field> getParamFields() {
    final List<Field> allFields = getAllFieldsForClass(this.getClass());
    final List<Field> validFields = new ArrayList<Field>();
    final Account caller = CallContext.current().getCallingAccount();
    for (final Field field : allFields) {
        final Parameter parameterAnnotation = field.getAnnotation(Parameter.class);
        //TODO: Annotate @Validate on API Cmd classes, FIXME how to process Validate
        final RoleType[] allowedRoles = parameterAnnotation.authorized();
        // An empty authorized() list means every role may pass this parameter;
        // otherwise the caller's account type must match one of the listed roles.
        boolean roleIsAllowed = true;
        if (allowedRoles.length > 0) {
            roleIsAllowed = false;
            for (final RoleType allowedRole : allowedRoles) {
                if (allowedRole.getAccountType() == caller.getType()) {
                    roleIsAllowed = true;
                    break;
                }
            }
        }
        if (roleIsAllowed) {
            validFields.add(field);
        } else {
            s_logger.debug("Ignoring parameter " + parameterAnnotation.name() + " as the caller is not authorized to pass it in");
        }
    }
    return validFields;
}
Also used : Field(java.lang.reflect.Field) Account(com.cloud.user.Account) RoleType(org.apache.cloudstack.acl.RoleType) ArrayList(java.util.ArrayList)

Example 2 with RoleType

use of org.apache.cloudstack.acl.RoleType in project cloudstack by apache.

the class ApiResponseSerializer method serializeResponseObjFieldsXML.

private static void serializeResponseObjFieldsXML(StringBuilder sb, StringBuilder log, ResponseObject obj) {
    boolean isAsync = false;
    if (obj instanceof AsyncJobResponse)
        isAsync = true;
    Field[] fields = getFlattenFields(obj.getClass());
    for (Field field : fields) {
        if ((field.getModifiers() & Modifier.TRANSIENT) != 0) {
            // skip transient fields
            continue;
        }
        SerializedName serializedName = field.getAnnotation(SerializedName.class);
        if (serializedName == null) {
            // skip fields w/o serialized name
            continue;
        }
        boolean logField = true;
        Param param = field.getAnnotation(Param.class);
        if (param != null) {
            RoleType[] allowedRoles = param.authorized();
            if (allowedRoles.length > 0) {
                boolean permittedParameter = false;
                Account caller = CallContext.current().getCallingAccount();
                for (RoleType allowedRole : allowedRoles) {
                    if (allowedRole.getAccountType() == caller.getType()) {
                        permittedParameter = true;
                        break;
                    }
                }
                if (!permittedParameter) {
                    s_logger.trace("Ignoring parameter " + param.name() + " as the caller is not authorized to see it");
                    continue;
                }
            }
            // Sensitive values are still written to the response, but the
            // logField checks below keep them out of the logged copy.
            if (param.isSensitive()) {
                logField = false;
            }
        }
        field.setAccessible(true);
        Object fieldValue = null;
        try {
            fieldValue = field.get(obj);
        } catch (IllegalArgumentException e) {
            throw new CloudRuntimeException("how illegal is it?", e);
        } catch (IllegalAccessException e) {
            throw new CloudRuntimeException("come on...we set accessible already", e);
        }
        if (fieldValue != null) {
            if (fieldValue instanceof ResponseObject) {
                ResponseObject subObj = (ResponseObject) fieldValue;
                if (isAsync) {
                    sb.append("<jobresult>");
                    log.append("<jobresult>");
                }
                serializeResponseObjXML(sb, log, subObj);
                if (isAsync) {
                    sb.append("</jobresult>");
                    log.append("</jobresult>");
                }
            } else if (fieldValue instanceof Collection<?>) {
                Collection<?> subResponseList = (Collection<?>) fieldValue;
                boolean usedUuidList = false;
                for (Object value : subResponseList) {
                    if (value instanceof ResponseObject) {
                        ResponseObject subObj = (ResponseObject) value;
                        if (serializedName != null) {
                            subObj.setObjectName(serializedName.value());
                        }
                        serializeResponseObjXML(sb, log, subObj);
                    } else if (value instanceof ExceptionProxyObject) {
                        // Only exception responses carry a list of
                        // ExceptionProxyObject objects.
                        ExceptionProxyObject idProxy = (ExceptionProxyObject) value;
                        // encountered, put in a uuidList tag.
                        if (!usedUuidList) {
                            sb.append("<" + serializedName.value() + ">");
                            log.append("<" + serializedName.value() + ">");
                            usedUuidList = true;
                        }
                        sb.append("<" + "uuid" + ">" + idProxy.getUuid() + "</" + "uuid" + ">");
                        log.append("<" + "uuid" + ">" + idProxy.getUuid() + "</" + "uuid" + ">");
                        // Append the new descriptive property also.
                        String idFieldName = idProxy.getDescription();
                        if (idFieldName != null) {
                            sb.append("<" + "uuidProperty" + ">" + idFieldName + "</" + "uuidProperty" + ">");
                            log.append("<" + "uuidProperty" + ">" + idFieldName + "</" + "uuidProperty" + ">");
                        }
                    } else if (value instanceof String) {
                        sb.append("<").append(serializedName.value()).append(">").append(value).append("</").append(serializedName.value()).append(">");
                        if (logField) {
                            log.append("<").append(serializedName.value()).append(">").append(value).append("</").append(serializedName.value()).append(">");
                        }
                    }
                }
                if (usedUuidList) {
                    // close the uuidList.
                    sb.append("</").append(serializedName.value()).append(">");
                    log.append("</").append(serializedName.value()).append(">");
                }
            } else if (fieldValue instanceof Date) {
                sb.append("<").append(serializedName.value()).append(">").append(BaseCmd.getDateString((Date) fieldValue)).append("</").append(serializedName.value()).append(">");
                log.append("<").append(serializedName.value()).append(">").append(BaseCmd.getDateString((Date) fieldValue)).append("</").append(serializedName.value()).append(">");
            } else {
                String resultString = escapeSpecialXmlChars(fieldValue.toString());
                if (!(obj instanceof ExceptionResponse)) {
                    resultString = encodeParam(resultString);
                }
                sb.append("<").append(serializedName.value()).append(">").append(resultString).append("</").append(serializedName.value()).append(">");
                if (logField) {
                    log.append("<").append(serializedName.value()).append(">").append(resultString).append("</").append(serializedName.value()).append(">");
                }
            }
        }
    }
}
Also used : Account(com.cloud.user.Account) ExceptionResponse(org.apache.cloudstack.api.response.ExceptionResponse) RoleType(org.apache.cloudstack.acl.RoleType) AsyncJobResponse(org.apache.cloudstack.api.response.AsyncJobResponse) SerializedName(com.google.gson.annotations.SerializedName) Date(java.util.Date) Field(java.lang.reflect.Field) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) Param(com.cloud.serializer.Param) ResponseObject(org.apache.cloudstack.api.ResponseObject) Collection(java.util.Collection) ExceptionProxyObject(com.cloud.utils.exception.ExceptionProxyObject) ResponseObject(org.apache.cloudstack.api.ResponseObject) ExceptionProxyObject(com.cloud.utils.exception.ExceptionProxyObject)

Example 3 with RoleType

use of org.apache.cloudstack.acl.RoleType in project cloudstack by apache.

the class RoleBasedAPIAccessChecker method start.

@Override
public boolean start() {
    for (RoleType role : RoleType.values()) {
        Long policyId = getDefaultPolicyId(role);
        if (policyId != null) {
            _iamSrv.resetIAMPolicy(policyId);
        }
    }
    // add the system-domain capability
    _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null, "SystemCapability", null, Permission.Allow, false);
    _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null, "DomainCapability", null, Permission.Allow, false);
    _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null, "DomainResourceCapability", null, Permission.Allow, false);
    // add permissions for public templates
    List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
    for (VMTemplateVO tmpl : pTmplts) {
        _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
        _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
        _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
    }
    for (PluggableService service : _services) {
        for (Class<?> cmdClass : service.getCommands()) {
            APICommand command = cmdClass.getAnnotation(APICommand.class);
            if (!commandsPropertiesOverrides.contains(command.name())) {
                for (RoleType role : command.authorized()) {
                    addDefaultAclPolicyPermission(command.name(), cmdClass, role);
                }
            }
        }
    }
    for (String apiName : commandsPropertiesOverrides) {
        Class<?> cmdClass = _apiServer.getCmdClass(apiName);
        for (RoleType role : RoleType.values()) {
            if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
                // insert permission for this role for this api
                addDefaultAclPolicyPermission(apiName, cmdClass, role);
            }
        }
    }
    return super.start();
}
Also used : VirtualMachineTemplate(com.cloud.template.VirtualMachineTemplate) RoleType(org.apache.cloudstack.acl.RoleType) VMTemplateVO(com.cloud.storage.VMTemplateVO) PluggableService(com.cloud.utils.component.PluggableService) APICommand(org.apache.cloudstack.api.APICommand)

Example 4 with RoleType

use of org.apache.cloudstack.acl.RoleType in project cloudstack by apache.

the class RoleBasedAPIAccessChecker method processMapping.

private void processMapping(Map<String, String> configMap) {
    for (Map.Entry<String, String> entry : configMap.entrySet()) {
        String apiName = entry.getKey();
        String roleMask = entry.getValue();
        commandsPropertiesOverrides.add(apiName);
        try {
            // The configured value is a bitmask: each set bit grants the API
            // to the RoleType whose mask matches that bit.
            short cmdPermissions = Short.parseShort(roleMask);
            for (RoleType roleType : RoleType.values()) {
                if ((cmdPermissions & roleType.getMask()) != 0) {
                    commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
                }
            }
        } catch (NumberFormatException nfe) {
            s_logger.info("Malformed key=value pair for entry: " + entry.toString());
        }
    }
}
Also used : RoleType(org.apache.cloudstack.acl.RoleType) HashMap(java.util.HashMap) Map(java.util.Map)
