APIChecker: Make interface generic, pass user and not just role

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>

api/src/org/apache/cloudstack/acl/APIChecker.java

@@ -17,11 +17,11 @@
 package org.apache.cloudstack.acl;
 
 import com.cloud.exception.PermissionDeniedException;
-import org.apache.cloudstack.acl.RoleType;
+import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
 
 // APIChecker checks the ownership and access control to API requests
 public interface APIChecker extends Adapter {
     // Interface for checking access for a role using apiname
-    boolean checkAccess(RoleType roleType, String apiCommandName) throws PermissionDeniedException;
+    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
 }

plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java

@@ -18,6 +18,9 @@ package org.apache.cloudstack.acl;
 
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.server.ManagementServer;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
 import com.cloud.utils.component.AdapterBase;
 import com.cloud.utils.component.ComponentLocator;
 import com.cloud.utils.component.PluggableService;
@@ -42,6 +45,8 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC
     private static Map<RoleType, Set<String>> s_roleBasedApisMap =
             new HashMap<RoleType, Set<String>>();
 
+    private static AccountService s_accountService;
+
     protected StaticRoleBasedAPIAccessChecker() {
         super();
         for (RoleType roleType: RoleType.values())
@@ -49,8 +54,10 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC
     }
 
     @Override
-    public boolean checkAccess(RoleType roleType, String commandName)
+    public boolean checkAccess(User user, String commandName)
             throws PermissionDeniedException {
+        Account account = s_accountService.getAccount(user.getAccountId());
+        RoleType roleType = s_accountService.getRoleType(account);
         boolean isAllowed = s_roleBasedApisMap.get(roleType).contains(commandName);
         if (!isAllowed) {
             throw new PermissionDeniedException("The API does not exist or is blacklisted. Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName);
@@ -64,6 +71,9 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC
 
         // Read command properties files to build the static map per role.
         ComponentLocator locator = ComponentLocator.getLocator(ManagementServer.Name);
+
+        s_accountService = locator.getManager(AccountService.class);
+
         List<PluggableService> services = locator.getAllPluggableServices();
         services.add((PluggableService) ComponentLocator.getComponent(ManagementServer.Name));
 

server/src/com/cloud/api/ApiServer.java

@@ -785,11 +785,9 @@ public class ApiServer implements HttpRequestHandler {
             throw new PermissionDeniedException("User is null for role based API access check for command" + commandName);
         }
 
-        Account account = _accountMgr.getAccount(user.getAccountId());
-        RoleType roleType = _accountMgr.getRoleType(account);
         for (APIChecker apiChecker : _apiAccessCheckers) {
             // Fail the checking if any checker fails to verify
-            if (!apiChecker.checkAccess(roleType, commandName))
+            if (!apiChecker.checkAccess(user, commandName))
                 return false;
         }
         return true;