Search in sources :

Example 1 with SecurityChecker

use of org.apache.cloudstack.acl.SecurityChecker in project cloudstack by apache.

the class AccountManagerImpl method checkAccess.

@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
    // check for the same owner
    Long ownerId = null;
    ControlledEntity prevEntity = null;
    if (sameOwner) {
        for (ControlledEntity entity : entities) {
            if (ownerId == null) {
                ownerId = entity.getAccountId();
            } else if (ownerId.longValue() != entity.getAccountId()) {
                throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
            }
            prevEntity = entity;
        }
    }
    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
        // no need to make permission checks if the system/root admin makes the call
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
        }
        return;
    }
    HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
    for (ControlledEntity entity : entities) {
        long domainId = entity.getDomainId();
        if (entity.getAccountId() != -1 && domainId == -1) {
            // If account exists domainId should too so calculate
            // it. This condition might be hit for templates or entities which miss domainId in their tables
            Account account = ApiDBUtils.findAccountById(entity.getAccountId());
            domainId = account != null ? account.getDomainId() : -1;
        }
        if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
            List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId());
            // for templates, we don't have to do cross domains check
            if (toBeChecked == null) {
                toBeChecked = new ArrayList<ControlledEntity>();
                domains.put(domainId, toBeChecked);
            }
            toBeChecked.add(entity);
        }
        boolean granted = false;
        for (SecurityChecker checker : _securityCheckers) {
            if (checker.checkAccess(caller, entity, accessType, apiName)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
                }
                granted = true;
                break;
            }
        }
        if (!granted) {
            assert false : "How can all of the security checkers pass on checking this check: " + entity;
            throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
        }
    }
    for (Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
        for (SecurityChecker checker : _securityCheckers) {
            Domain d = _domainMgr.getDomain(domain.getKey());
            if (d == null || d.getRemoved() != null) {
                throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
            }
            try {
                checker.checkAccess(caller, d);
            } catch (PermissionDeniedException e) {
                e.addDetails(caller, domain.getValue());
                throw e;
            }
        }
    }
// check that resources belong to the same account
}
Also used : VirtualMachineTemplate(com.cloud.template.VirtualMachineTemplate) HashMap(java.util.HashMap) SecurityChecker(org.apache.cloudstack.acl.SecurityChecker) AffinityGroup(org.apache.cloudstack.affinity.AffinityGroup) ControlledEntity(org.apache.cloudstack.acl.ControlledEntity) Network(com.cloud.network.Network) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) ArrayList(java.util.ArrayList) List(java.util.List) Domain(com.cloud.domain.Domain) Map(java.util.Map) HashMap(java.util.HashMap)

Aggregations

Domain (com.cloud.domain.Domain)1 PermissionDeniedException (com.cloud.exception.PermissionDeniedException)1 Network (com.cloud.network.Network)1 VirtualMachineTemplate (com.cloud.template.VirtualMachineTemplate)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 List (java.util.List)1 Map (java.util.Map)1 ControlledEntity (org.apache.cloudstack.acl.ControlledEntity)1 SecurityChecker (org.apache.cloudstack.acl.SecurityChecker)1 AffinityGroup (org.apache.cloudstack.affinity.AffinityGroup)1