Changes to SecurityChecker

2025-10-26 08:42:29 +01:00 · 2013-12-02 15:27:44 -08:00 · 2013-12-02 15:27:44 -08:00 · 1a985227b5
commit 1a985227b5
parent 67b97539ac
5 changed files with 43 additions and 7 deletions
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@ -67,18 +67,40 @@ public interface SecurityChecker extends Adapter {

    /**
     * Checks if the account can access the object.
-     *
+     * 
     * @param caller
     *            account to check against.
     * @param entity
     *            object that the account is trying to access.
     * @param accessType
     *            TODO
-     * @return true if access allowed. false if this adapter cannot provide permission.
+     * @return true if access allowed. false if this adapter cannot provide
+     *         permission.
     * @throws PermissionDeniedException
-     *             if this adapter is suppose to authenticate ownership and the check failed.
+     *             if this adapter is suppose to authenticate ownership and the
+     *             check failed.
     */
-    boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException;
+    boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
+            throws PermissionDeniedException;
+
+    /**
+     * Checks if the account can access the object.
+     * 
+     * @param caller
+     *            account to check against.
+     * @param entity
+     *            object that the account is trying to access.
+     * @param accessType
+     *            TODO
+     * @param action
+     *            name of the API
+     * @return true if access allowed. false if this adapter cannot provide
+     *         permission.
+     * @throws PermissionDeniedException
+     *             if this adapter is suppose to authenticate ownership and the
+     *             check failed.
+     */
+    boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException;

    /**
     * Checks if the user belongs to an account that can access the object.
--- a/api/src/org/apache/cloudstack/api/ACL.java
+++ b/api/src/org/apache/cloudstack/api/ACL.java
@ -30,6 +30,8 @@ public @interface ACL {

    AccessType accessType() default AccessType.ListEntry;

+    String action() default "";
+
    boolean checkKeyAccess() default false;
    boolean checkValueAccess() default false;
 }
--- a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
@ -18,7 +18,6 @@ package org.apache.cloudstack.api.command.user.vm;

 import org.apache.log4j.Logger;

-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@ -53,7 +52,7 @@ public class StartVMCmd extends BaseAsyncCmd {
    // ////////////// API parameters /////////////////////
    // ///////////////////////////////////////////////////

-    @ACL(accessType = AccessType.OperateEntry)
+    @ACL
    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType=UserVmResponse.class,
            required = true, description = "The ID of the virtual machine")
    private Long id;
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@ -70,6 +70,12 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
    @Override
    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
            throws PermissionDeniedException {
+        return checkAccess(caller, entity, accessType, null);
+    }
+
+    @Override
+    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
+            throws PermissionDeniedException {
        if (entity instanceof VirtualMachine) {

            String entityType = AclEntityType.VM.toString();
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@ -93,7 +93,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
    }

    @Override
-    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException {
+    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
+            throws PermissionDeniedException {
        if (entity instanceof VirtualMachineTemplate) {
            
            VirtualMachineTemplate template = (VirtualMachineTemplate) entity;
@ -315,4 +316,10 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 		}
 		return false;
 	}
+
+    @Override
+    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
+            throws PermissionDeniedException {
+        return checkAccess(caller, entity, accessType);
+    }
 }