From 896e505da6de08e723b339e748064de10d250c8c Mon Sep 17 00:00:00 2001 From: Rohit Yadav Date: Mon, 14 Jan 2013 15:06:46 -0800 Subject: [PATCH] APIChecker: Make interface generic, pass user and not just role Signed-off-by: Rohit Yadav --- api/src/org/apache/cloudstack/acl/APIChecker.java | 4 ++-- .../acl/StaticRoleBasedAPIAccessChecker.java | 12 +++++++++++- server/src/com/cloud/api/ApiServer.java | 4 +--- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/api/src/org/apache/cloudstack/acl/APIChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java index b14dfe101ba..9e5c6c61108 100644 --- a/api/src/org/apache/cloudstack/acl/APIChecker.java +++ b/api/src/org/apache/cloudstack/acl/APIChecker.java @@ -17,11 +17,11 @@ package org.apache.cloudstack.acl; import com.cloud.exception.PermissionDeniedException; -import org.apache.cloudstack.acl.RoleType; +import com.cloud.user.User; import com.cloud.utils.component.Adapter; // APIChecker checks the ownership and access control to API requests public interface APIChecker extends Adapter { // Interface for checking access for a role using apiname - boolean checkAccess(RoleType roleType, String apiCommandName) throws PermissionDeniedException; + boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException; } diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java index affd69ed89c..55db2880664 100644 --- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java +++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java @@ -18,6 +18,9 @@ package org.apache.cloudstack.acl; import com.cloud.exception.PermissionDeniedException; import com.cloud.server.ManagementServer; +import com.cloud.user.Account; +import com.cloud.user.AccountService; +import com.cloud.user.User; import com.cloud.utils.component.AdapterBase; import com.cloud.utils.component.ComponentLocator; import com.cloud.utils.component.PluggableService; @@ -42,6 +45,8 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC private static Map> s_roleBasedApisMap = new HashMap>(); + private static AccountService s_accountService; + protected StaticRoleBasedAPIAccessChecker() { super(); for (RoleType roleType: RoleType.values()) @@ -49,8 +54,10 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC } @Override - public boolean checkAccess(RoleType roleType, String commandName) + public boolean checkAccess(User user, String commandName) throws PermissionDeniedException { + Account account = s_accountService.getAccount(user.getAccountId()); + RoleType roleType = s_accountService.getRoleType(account); boolean isAllowed = s_roleBasedApisMap.get(roleType).contains(commandName); if (!isAllowed) { throw new PermissionDeniedException("The API does not exist or is blacklisted. Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName); @@ -64,6 +71,9 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC // Read command properties files to build the static map per role. ComponentLocator locator = ComponentLocator.getLocator(ManagementServer.Name); + + s_accountService = locator.getManager(AccountService.class); + List services = locator.getAllPluggableServices(); services.add((PluggableService) ComponentLocator.getComponent(ManagementServer.Name)); diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java index 03462e488ef..c8511b2991d 100755 --- a/server/src/com/cloud/api/ApiServer.java +++ b/server/src/com/cloud/api/ApiServer.java @@ -785,11 +785,9 @@ public class ApiServer implements HttpRequestHandler { throw new PermissionDeniedException("User is null for role based API access check for command" + commandName); } - Account account = _accountMgr.getAccount(user.getAccountId()); - RoleType roleType = _accountMgr.getRoleType(account); for (APIChecker apiChecker : _apiAccessCheckers) { // Fail the checking if any checker fails to verify - if (!apiChecker.checkAccess(roleType, commandName)) + if (!apiChecker.checkAccess(user, commandName)) return false; } return true;