apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove usage of sameOwner checkAccess invocation, and convert to

Browse Source 
OperateEntry IAM check.
This commit is contained in:
Min Chen 2014-04-04 15:33:55 -07:00
parent df302bdb3e
commit 94ebc90877
54 changed files with 416 additions and 346 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/com/cloud/network/NetworkModel.java
View File

@ -22,6 +22,8 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@ -273,4 +275,6 @@ public interface NetworkModel {
boolean isNetworkReadyForGc(long networkId);
boolean getNetworkEgressDefaultPolicy(Long networkId);
void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
}

5
api/src/com/cloud/user/AccountService.java
View File

@ -106,6 +106,11 @@ public interface AccountService {
void checkAccess(Account account, Domain domain) throws PermissionDeniedException;
void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException;
void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
// TODO: the following two interfaces will be deprecated by the above two counterparts when securityChecker implementation is in place
void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException;
void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,

5
api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
View File

@ -31,8 +31,11 @@ import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
import com.cloud.network.vpc.Vpc;
@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full)
@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full,
entityType = {IpAddress.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class AssociateIPAddrCmdByAdmin extends AssociateIPAddrCmd {
public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmdByAdmin.class.getName());

4
api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
View File

@ -32,8 +32,8 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.uservm.UserVm;
@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full)
@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full,
requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {
public static final Logger s_logger = Logger.getLogger(AddNicToVMCmdByAdmin.class);

1
api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
View File

@ -58,6 +58,7 @@ import com.cloud.projects.Project;
import com.cloud.user.Account;
@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Restricted,
entityType = {IpAddress.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class AssociateIPAddrCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmd.class.getName());

4
api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
View File

@ -45,8 +45,10 @@ import com.cloud.network.rules.PortForwardingRule;
import com.cloud.user.Account;
import com.cloud.utils.net.Ip;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {PortForwardingRule.class},
@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule {
public static final Logger s_logger = Logger.getLogger(CreatePortForwardingRuleCmd.class.getName());

16
api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
View File

@ -16,15 +16,17 @@
// under the License.
package org.apache.cloudstack.api.command.user.loadbalancer;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Collection;
import java.util.Iterator;
import java.util.ArrayList;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@ -38,13 +40,15 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.LoadBalancer;
import com.cloud.user.Account;
import com.cloud.utils.StringUtils;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "assignToLoadBalancerRule",
description = "Assigns virtual machine or a list of virtual machines to a load balancer rule.",
responseObject = SuccessResponse.class,
responseObject = SuccessResponse.class, entityType = {FirewallRule.class, VirtualMachine.class},
requestHasSensitiveInfo = false,
responseHasSensitiveInfo = false)
public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
@ -56,6 +60,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID,
type = CommandType.UUID,
entityType = FirewallRuleResponse.class,
@ -63,6 +68,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
description = "the ID of the load balancer rule")
private Long id;
@ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_IDS,
type = CommandType.LIST,
collectionType = CommandType.UUID,
@ -157,7 +163,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
boolean result = _lbService.assignToLoadBalancer(getLoadBalancerId(), virtualMachineIds, vmIdIpsMap);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
this.setResponseObject(response);
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to assign load balancer rule");
}

4
api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
View File

@ -76,7 +76,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
if (lb != null) {
//check permissions
Account caller = CallContext.current().getCallingAccount();
_accountService.checkAccess(caller, null, true, lb);
_accountService.checkAccess(caller, null, lb);
List<? extends StickinessPolicy> stickinessPolicies = _lbService.searchForLBStickinessPolicies(this);
LBStickinessResponse spResponse = _responseGenerator.createLBStickinessPolicyResponse(stickinessPolicies, lb);
spResponses.add(spResponse);
@ -84,7 +84,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
}
response.setResponseName(getCommandName());
this.setResponseObject(response);
setResponseObject(response);
}
}

8
api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
View File

@ -18,6 +18,8 @@ package org.apache.cloudstack.api.command.user.nat;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@ -35,8 +37,10 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
import com.cloud.user.Account;
import com.cloud.uservm.UserVm;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "enableStaticNat", description = "Enables static nat for given ip address", responseObject = SuccessResponse.class,
entityType = {IpAddress.class, VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class EnableStaticNatCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(CreateIpForwardingRuleCmd.class.getName());
@ -47,10 +51,12 @@ public class EnableStaticNatCmd extends BaseCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, required = true, description = "the public IP "
+ "address id for which static nat feature is being enabled")
private Long ipAddressId;
@ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "the ID of "
+ "the virtual machine for enabling static nat feature")
private Long virtualMachineId;
@ -133,7 +139,7 @@ public class EnableStaticNatCmd extends BaseCmd {
boolean result = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, getNetworkId(), getVmSecondaryIp());
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
this.setResponseObject(response);
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to enable static nat");
}

2
api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
View File

@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.snapshot;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@ -62,6 +63,7 @@ public class CreateSnapshotCmd extends BaseAsyncCreateCmd {
description = "The domain ID of the snapshot. If used with the account parameter, specifies a domain for the account associated with the disk volume.")
private Long domainId;
@ACL
@Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "The ID of the disk volume")
private Long volumeId;

1
api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
View File

@ -54,6 +54,7 @@ public class AddNicToVMCmd extends BaseAsyncCmd {
required=true, description="Virtual Machine ID")
private Long vmId;
@ACL
@Parameter(name = ApiConstants.NETWORK_ID, type = CommandType.UUID, entityType = NetworkResponse.class, required = true, description = "Network ID")
private Long netId;

3
api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
View File

@ -19,7 +19,6 @@ package org.apache.cloudstack.api.command.user.vmsnapshot;
import java.util.logging.Logger;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
@ -43,7 +42,7 @@ public class CreateVMSnapshotCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateVMSnapshotCmd.class.getName());
private static final String s_name = "createvmsnapshotresponse";
@ACL(accessType = AccessType.OperateEntry)
@ACL
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, required = true, entityType = UserVmResponse.class, description = "The ID of the vm")
private Long vmId;

3
api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
View File

@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.volume;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@ -89,6 +90,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.MAX_IOPS, type = CommandType.LONG, description = "max iops")
private Long maxIops;
@ACL
@Parameter(name = ApiConstants.SNAPSHOT_ID,
type = CommandType.UUID,
entityType = SnapshotResponse.class,
@ -101,6 +103,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
private Boolean displayVolume;
@ACL
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
type = CommandType.UUID,
entityType = UserVmResponse.class,

9
plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
View File

@ -27,11 +27,12 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.agent.api.Answer;
@ -519,7 +520,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
return true;
}
_accountMgr.checkAccess(caller, null, true, internalLbVm);
_accountMgr.checkAccess(caller, null, internalLbVm);
_itMgr.expunge(internalLbVm.getUuid());
_internalLbVmDao.remove(internalLbVm.getId());
@ -534,7 +535,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
}
//check permissions
_accountMgr.checkAccess(caller, null, true, internalLbVm);
_accountMgr.checkAccess(caller, null, internalLbVm);
return stopInternalLbVm(internalLbVm, forced, caller, callerUserId);
}
@ -912,7 +913,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
}
//check permissions
_accountMgr.checkAccess(caller, null, true, internalLbVm);
_accountMgr.checkAccess(caller, null, internalLbVm);
return startInternalLbVm(internalLbVm, caller, callerUserId, null);
}

12
plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
View File

@ -381,4 +381,16 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
return null;
}
@Override
public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
// TODO Auto-generated method stub
}
@Override
public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
// TODO Auto-generated method stub
}
}

2
server/src/com/cloud/api/ApiResponseHelper.java
View File

@ -1543,7 +1543,7 @@ public class ApiResponseHelper implements ResponseGenerator {
throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
}
} else if (_accountMgr.isDomainAdmin(caller.getId())) {
_accountMgr.checkAccess(caller, null, true, jobOwner);
_accountMgr.checkAccess(caller, null, jobOwner);
}
return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true));

4
server/src/com/cloud/api/dispatch/ParamProcessWorker.java
View File

@ -43,11 +43,11 @@ import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseCmd.CommandType;
import org.apache.cloudstack.api.EntityReference;
import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.BaseCmd.CommandType;
import org.apache.cloudstack.api.command.admin.resource.ArchiveAlertsCmd;
import org.apache.cloudstack.api.command.admin.resource.DeleteAlertsCmd;
import org.apache.cloudstack.api.command.user.event.ArchiveEventsCmd;
@ -244,7 +244,7 @@ public class ParamProcessWorker implements DispatchWorker {
if (AccessType.OperateEntry == entitiesToAccess.get(entity)) {
entitiesToOperate.add((ControlledEntity) entity);
} else {
_accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false, apiName,
_accountMgr.checkAccess(caller, entitiesToAccess.get(entity), apiName,
(ControlledEntity) entity);
}
} else if (entity instanceof InfrastructureEntity) {

17
server/src/com/cloud/api/query/QueryManagerImpl.java
View File

@ -26,6 +26,9 @@ import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.affinity.AffinityGroupDomainMapVO;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
@ -95,8 +98,6 @@ import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
import org.apache.cloudstack.engine.subsystem.api.storage.TemplateState;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.query.QueryService;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.cloud.api.query.dao.AccountJoinDao;
import com.cloud.api.query.dao.AffinityGroupJoinDao;
@ -1005,7 +1006,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (userVM == null) {
throw new InvalidParameterValueException("Unable to list network groups for virtual machine instance " + instanceId + "; instance not found.");
}
_accountMgr.checkAccess(caller, null, true, userVM);
_accountMgr.checkAccess(caller, null, userVM);
return listSecurityGroupRulesByVM(instanceId.longValue(), cmd.getStartIndex(), cmd.getPageSizeVal());
}
@ -1847,7 +1848,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw new InvalidParameterValueException("Unable to find account by id " + accountId);
}
_accountMgr.checkAccess(caller, null, true, account);
_accountMgr.checkAccess(caller, null, account);
}
if (domainId != null) {
@ -1863,7 +1864,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
throw new InvalidParameterValueException("Unable to find account by name " + accountName + " in domain " + domainId);
}
_accountMgr.checkAccess(caller, null, true, account);
_accountMgr.checkAccess(caller, null, account);
}
}
@ -2488,7 +2489,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw ex;
}
_accountMgr.checkAccess(caller, null, true, vmInstance);
_accountMgr.checkAccess(caller, null, vmInstance);
ServiceOfferingVO offering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
sc.addAnd("id", SearchCriteria.Op.NEQ, offering.getId());
@ -2913,7 +2914,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// if template is not public, perform permission check here
if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
Account owner = _accountMgr.getAccount(template.getAccountId());
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
}
// if templateId is specified, then we will just use the id to
@ -3181,7 +3182,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (userVM == null) {
throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
}
_accountMgr.checkAccess(caller, null, true, userVM);
_accountMgr.checkAccess(caller, null, userVM);
return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
}

4
server/src/com/cloud/configuration/ConfigurationManagerImpl.java
View File

@ -16,7 +16,6 @@
// under the License.
package com.cloud.configuration;
import com.cloud.network.element.NetworkElement;
import java.net.URI;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
@ -154,6 +153,7 @@ import com.cloud.network.dao.PhysicalNetworkDao;
import com.cloud.network.dao.PhysicalNetworkTrafficTypeDao;
import com.cloud.network.dao.PhysicalNetworkTrafficTypeVO;
import com.cloud.network.dao.PhysicalNetworkVO;
import com.cloud.network.element.NetworkElement;
import com.cloud.network.rules.LoadBalancerContainer.Scheme;
import com.cloud.network.vpc.VpcManager;
import com.cloud.offering.DiskOffering;
@ -4337,7 +4337,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
throw new InvalidParameterValueException("Can't update system networks");
}
_accountMgr.checkAccess(caller, null, true, network);
_accountMgr.checkAccess(caller, null, network);
List<Long> offeringIds = _networkModel.listNetworkOfferingsForUpgrade(networkId);

17
server/src/com/cloud/network/IpAddressManagerImpl.java
View File

@ -29,6 +29,8 @@ import java.util.UUID;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.context.CallContext;
@ -40,7 +42,6 @@ import org.apache.cloudstack.region.PortableIp;
import org.apache.cloudstack.region.PortableIpDao;
import org.apache.cloudstack.region.PortableIpVO;
import org.apache.cloudstack.region.Region;
import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.alert.AlertManager;
@ -409,7 +410,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Account caller = CallContext.current().getCallingAccount();
long callerUserId = CallContext.current().getCallingUserId();
// check permissions
_accountMgr.checkAccess(caller, null, false, ipOwner);
_accountMgr.checkAccess(caller, null, ipOwner);
DataCenter zone = _entityMgr.findById(DataCenter.class, zoneId);
@ -1164,15 +1165,14 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
network);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
} else {
throw new InvalidParameterValueException("IP can be associated with guest network of 'shared' type only if "
+ "network services Source Nat, Static Nat, Port Forwarding, Load balancing, firewall are enabled in the network");
}
}
} else {
_accountMgr.checkAccess(caller, null, true, ipToAssoc);
_accountMgr.checkAccess(caller, null, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
@ -1187,7 +1187,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Network network = _networksDao.findById(networkId);
if (network != null) {
_accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
_accountMgr.checkAccess(owner, AccessType.UseEntry, network);
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
return null;
@ -1319,11 +1319,10 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
network);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
}
} else {
_accountMgr.checkAccess(caller, null, true, ipToAssoc);
_accountMgr.checkAccess(caller, null, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {

25
server/src/com/cloud/network/NetworkModelImpl.java
View File

@ -35,6 +35,7 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
@ -97,6 +98,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
import com.cloud.projects.dao.ProjectAccountDao;
import com.cloud.server.ConfigurationServer;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
import com.cloud.user.dao.AccountDao;
@ -137,6 +139,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
@Inject
DomainDao _domainDao = null;
@Inject
AccountManager _accountMgr;
@Inject
ConfigurationDao _configDao;
@Inject
@ -1566,6 +1570,27 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
}
}
@Override
public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
if (network == null) {
throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
}
AccountVO networkOwner = _accountDao.findById(network.getAccountId());
if (networkOwner == null) {
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+ ", network does not have an owner");
}
if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+ ", permission denied");
}
} else {
_accountMgr.checkAccess(owner, accessType, network);
}
}
@Override
public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
try {

26
server/src/com/cloud/network/NetworkServiceImpl.java
View File

@ -40,7 +40,6 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import com.cloud.network.lb.LoadBalancingRulesService;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
@ -123,6 +122,7 @@ import com.cloud.network.element.OvsProviderVO;
import com.cloud.network.element.VirtualRouterElement;
import com.cloud.network.element.VpcVirtualRouterElement;
import com.cloud.network.guru.NetworkGuru;
import com.cloud.network.lb.LoadBalancingRulesService;
import com.cloud.network.rules.FirewallRule.Purpose;
import com.cloud.network.rules.FirewallRuleVO;
import com.cloud.network.rules.RulesManager;
@ -542,7 +542,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
_accountMgr.checkAccess(caller, AccessType.UseEntry, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
@ -554,7 +554,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
} else {
_accountMgr.checkAccess(caller, null, false, ipOwner);
_accountMgr.checkAccess(caller, null, ipOwner);
}
return _ipAddrMgr.allocateIp(ipOwner, false, caller, callerUserId, zone, displayIp);
@ -585,7 +585,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
_accountMgr.checkAccess(caller, AccessType.UseEntry, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
@ -605,7 +605,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
_accountMgr.checkAccess(caller, null, false, ipOwner);
_accountMgr.checkAccess(caller, null, ipOwner);
return _ipAddrMgr.allocatePortableIp(ipOwner, caller, zoneId, null, null);
}
@ -671,7 +671,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
final Account ipOwner = _accountMgr.getAccount(vm.getAccountId());
// verify permissions
_accountMgr.checkAccess(caller, null, true, vm);
_accountMgr.checkAccess(caller, null, vm);
Network network = _networksDao.findById(networkId);
if (network == null) {
@ -767,7 +767,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("There is no vm with the given secondary ip");
}
// verify permissions
_accountMgr.checkAccess(caller, null, true, vm);
_accountMgr.checkAccess(caller, null, vm);
Network network = _networksDao.findById(secIpVO.getNetworkId());
@ -891,7 +891,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
_accountMgr.checkAccess(caller, null, true, ipVO);
_accountMgr.checkAccess(caller, null, ipVO);
}
if (ipVO.isSourceNat()) {
@ -1620,7 +1620,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
Account owner = _accountMgr.getAccount(network.getAccountId());
// Perform permission check
_accountMgr.checkAccess(caller, null, true, network);
_accountMgr.checkAccess(caller, null, network);
if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
@ -1664,7 +1664,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterException("Unable to restart a running SDN network.");
}
_accountMgr.checkAccess(callerAccount, null, true, network);
_accountMgr.checkAccess(callerAccount, null, network);
boolean success = _networkMgr.restartNetwork(networkId, callerAccount, callerUser, cleanup);
@ -1800,7 +1800,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Can't allow networks which traffic type is not " + TrafficType.Guest);
}
_accountMgr.checkAccess(callerAccount, null, true, network);
_accountMgr.checkAccess(callerAccount, null, network);
if (name != null) {
network.setName(name);
@ -3845,7 +3845,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw ex;
}
_accountMgr.checkAccess(caller, null, true, userVm);
_accountMgr.checkAccess(caller, null, userVm);
return _networkMgr.listVmNics(vmId, nicId, networkId);
}
@ -3869,7 +3869,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
_accountMgr.checkAccess(caller, null, true, ipVO);
_accountMgr.checkAccess(caller, null, ipVO);
} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
throw new PermissionDeniedException("Only Root admin can update non-allocated ip addresses");
}

10
server/src/com/cloud/network/as/AutoScaleManagerImpl.java
View File

@ -240,7 +240,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
throw new InvalidParameterValueException("Unable to find " + paramName);
}
_accountMgr.checkAccess(caller, null, false, (ControlledEntity)vo);
_accountMgr.checkAccess(caller, null, (ControlledEntity)vo);
return vo;
}
@ -342,7 +342,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Account owner = _accountDao.findById(cmd.getAccountId());
Account caller = CallContext.current().getCallingAccount();
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
long zoneId = cmd.getZoneId();
long serviceOfferingId = cmd.getServiceOfferingId();
@ -527,7 +527,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = conditions.toArray(new ControlledEntity[conditions.size() + 1]);
sameOwnerEntities[sameOwnerEntities.length - 1] = autoScalePolicyVO;
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
if (conditionIds.size() != conditions.size()) {
// TODO report the condition id which could not be found
@ -621,7 +621,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
idList.add(ApiDBUtils.findDomainById(domainId).getUuid());
throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain with specifed domainId");
}
_accountMgr.checkAccess(caller, null, false, owner);
_accountMgr.checkAccess(caller, null, owner);
}
private class SearchWrapper<VO extends ControlledEntity> {
@ -980,7 +980,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = policies.toArray(new ControlledEntity[policies.size() + 2]);
sameOwnerEntities[sameOwnerEntities.length - 2] = loadBalancer;
sameOwnerEntities[sameOwnerEntities.length - 1] = profileVO;
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
return Transaction.execute(new TransactionCallback<AutoScaleVmGroupVO>() {
@Override

19
server/src/com/cloud/network/firewall/FirewallManagerImpl.java
View File

@ -27,12 +27,13 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.cloud.configuration.Config;
import com.cloud.domain.dao.DomainDao;
@ -271,7 +272,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet");
}
_accountMgr.checkAccess(caller, null, true, ipAddressVO);
_accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@ -463,7 +464,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
// Validate ip address
_accountMgr.checkAccess(caller, null, true, ipAddress);
_accountMgr.checkAccess(caller, null, ipAddress);
}
//network id either has to be passed explicitly, or implicitly as a part of ipAddress object
@ -475,7 +476,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
assert network != null : "Can't create rule as network associated with public ip address is null?";
if (trafficType == FirewallRule.TrafficType.Egress) {
_accountMgr.checkAccess(caller, null, true, network);
_accountMgr.checkAccess(caller, null, network);
}
// Verify that the network guru supports the protocol specified
@ -638,7 +639,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[rules.size()]));
_accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRuleVO[rules.size()]));
}
try {
@ -692,7 +693,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
}
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
revokeRule(rule, caller, userId, false);
@ -742,7 +743,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule");
}
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);
@ -761,7 +762,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
@DB
public void revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent) {
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
}
Transaction.execute(new TransactionCallbackNoReturn() {

36
server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
View File

@ -30,7 +30,11 @@ import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
import com.cloud.vm.dao.NicSecondaryIpDao;
import org.apache.log4j.Logger;
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBHealthCheckPolicyCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBStickinessPolicyCmd;
@ -46,7 +50,6 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
import org.apache.log4j.Logger;
import com.cloud.agent.api.to.LoadBalancerTO;
import com.cloud.configuration.ConfigurationManager;
@ -164,9 +167,8 @@ import com.cloud.vm.Nic;
import com.cloud.vm.UserVmVO;
import com.cloud.vm.VirtualMachine.State;
import com.cloud.vm.dao.NicDao;
import com.cloud.vm.dao.NicSecondaryIpDao;
import com.cloud.vm.dao.UserVmDao;
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
@Local(value = {LoadBalancingRulesManager.class, LoadBalancingRulesService.class})
public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements LoadBalancingRulesManager, LoadBalancingRulesService {
@ -527,7 +529,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
_accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
}
@ -582,7 +584,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
_accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
@ -739,7 +741,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
_accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@ -792,7 +794,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
final long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
_accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@ -1165,7 +1167,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid certificate id: " + certId);
}
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
_accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
// check if LB and Cert belong to the same account
if (loadBalancer.getAccountId() != certVO.getAccountId()) {
@ -1228,7 +1230,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("No certificate is bound to lb with id: " + lbRuleId);
}
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
_accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
boolean success = false;
FirewallRule.State backupState = loadBalancer.getState();
@ -1272,7 +1274,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid load balancer value: " + loadBalancerId);
}
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
_accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (instanceIds == null && vmIdIpMap.isEmpty()) {
throw new InvalidParameterValueException("Both instanceids and vmidipmap can't be null");
@ -1434,7 +1436,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (rule == null) {
throw new InvalidParameterValueException("Unable to find load balancer rule " + loadBalancerId);
}
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
boolean result = deleteLoadBalancerRule(loadBalancerId, apply, caller, ctx.getCallingUserId(), true);
if (!result) {
@ -1658,7 +1660,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw ex;
}
_accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr);
_accountMgr.checkAccess(caller.getCallingAccount(), null, ipAddr);
final Long networkId = ipAddr.getAssociatedWithNetworkId();
if (networkId == null) {
@ -2032,7 +2034,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
// check permissions
_accountMgr.checkAccess(caller, null, true, lb);
_accountMgr.checkAccess(caller, null, lb);
if (name != null) {
lb.setName(name);
@ -2111,7 +2113,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
_accountMgr.checkAccess(caller, null, true, loadBalancer);
_accountMgr.checkAccess(caller, null, loadBalancer);
List<UserVmVO> loadBalancerInstances = new ArrayList<UserVmVO>();
List<String> serviceStates = new ArrayList<String>();
@ -2188,7 +2190,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
_accountMgr.checkAccess(caller, null, true, loadBalancer);
_accountMgr.checkAccess(caller, null, loadBalancer);
List<LBStickinessPolicyVO> sDbpolicies = _lb2stickinesspoliciesDao.listByLoadBalancerId(cmd.getLbRuleId());
@ -2203,7 +2205,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (loadBalancer == null) {
return null;
}
_accountMgr.checkAccess(caller, null, true, loadBalancer);
_accountMgr.checkAccess(caller, null, loadBalancer);
List<LBHealthCheckPolicyVO> hcDbpolicies = _lb2healthcheckDao.listByLoadBalancerId(cmd.getLbRuleId());
return hcDbpolicies;
}

23
server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
View File

@ -41,10 +41,14 @@ import java.util.concurrent.TimeUnit;
import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.alert.AlertService.AlertType;
import org.apache.cloudstack.api.command.admin.router.RebootRouterCmd;
import org.apache.cloudstack.api.command.admin.router.UpgradeRouterCmd;
import org.apache.cloudstack.api.command.admin.router.UpgradeRouterTemplateCmd;
import org.apache.cloudstack.config.ApiServiceConfiguration;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.cloudstack.framework.config.ConfigDepot;
@ -55,7 +59,7 @@ import org.apache.cloudstack.framework.jobs.AsyncJobManager;
import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.cloudstack.utils.identity.ManagementServerNode;
import org.apache.cloudstack.alert.AlertService.AlertType;
import com.cloud.agent.AgentManager;
import com.cloud.agent.Listener;
import com.cloud.agent.api.AgentControlAnswer;
@ -69,13 +73,12 @@ import com.cloud.agent.api.CheckS2SVpnConnectionsCommand;
import com.cloud.agent.api.Command;
import com.cloud.agent.api.GetDomRVersionAnswer;
import com.cloud.agent.api.GetDomRVersionCmd;
import com.cloud.agent.api.GetRouterAlertsAnswer;
import com.cloud.agent.api.ModifySshKeysCommand;
import com.cloud.agent.api.NetworkUsageAnswer;
import com.cloud.agent.api.NetworkUsageCommand;
import com.cloud.agent.api.PvlanSetupCommand;
import com.cloud.agent.api.StartupCommand;
import com.cloud.agent.api.routing.GetRouterAlertsCommand;
import com.cloud.agent.api.GetRouterAlertsAnswer;
import com.cloud.agent.api.check.CheckSshAnswer;
import com.cloud.agent.api.check.CheckSshCommand;
import com.cloud.agent.api.routing.AggregationControlCommand;
@ -84,6 +87,7 @@ import com.cloud.agent.api.routing.CreateIpAliasCommand;
import com.cloud.agent.api.routing.DeleteIpAliasCommand;
import com.cloud.agent.api.routing.DhcpEntryCommand;
import com.cloud.agent.api.routing.DnsMasqConfigCommand;
import com.cloud.agent.api.routing.GetRouterAlertsCommand;
import com.cloud.agent.api.routing.IpAliasTO;
import com.cloud.agent.api.routing.IpAssocCommand;
import com.cloud.agent.api.routing.LoadBalancerConfigCommand;
@ -183,6 +187,7 @@ import com.cloud.network.dao.MonitoringServiceVO;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.dao.NetworkVO;
import com.cloud.network.dao.OpRouterMonitorServiceDao;
import com.cloud.network.dao.OpRouterMonitorServiceVO;
import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
import com.cloud.network.dao.RemoteAccessVpnDao;
import com.cloud.network.dao.Site2SiteCustomerGatewayDao;
@ -192,7 +197,6 @@ import com.cloud.network.dao.Site2SiteVpnGatewayDao;
import com.cloud.network.dao.UserIpv6AddressDao;
import com.cloud.network.dao.VirtualRouterProviderDao;
import com.cloud.network.dao.VpnUserDao;
import com.cloud.network.dao.OpRouterMonitorServiceVO;
import com.cloud.network.lb.LoadBalancingRule;
import com.cloud.network.lb.LoadBalancingRule.LbDestination;
import com.cloud.network.lb.LoadBalancingRule.LbHealthCheckPolicy;
@ -281,7 +285,6 @@ import com.cloud.vm.dao.NicIpAliasVO;
import com.cloud.vm.dao.UserVmDao;
import com.cloud.vm.dao.UserVmDetailsDao;
import com.cloud.vm.dao.VMInstanceDao;
import org.apache.cloudstack.config.ApiServiceConfiguration;
/**
* VirtualNetworkApplianceManagerImpl manages the different types of virtual network appliances available in the Cloud Stack.
@ -457,7 +460,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
return null;
}
_accountMgr.checkAccess(caller, null, true, router);
_accountMgr.checkAccess(caller, null, router);
_itMgr.expunge(router.getUuid());
_routerDao.remove(router.getId());
@ -476,7 +479,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router with id " + routerId);
}
_accountMgr.checkAccess(caller, null, true, router);
_accountMgr.checkAccess(caller, null, router);
if (router.getServiceOfferingId() == serviceOfferingId) {
s_logger.debug("Router: " + routerId + "already has service offering: " + serviceOfferingId);
@ -591,7 +594,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
_accountMgr.checkAccess(account, null, true, router);
_accountMgr.checkAccess(account, null, router);
final UserVO user = _userDao.findById(CallContext.current().getCallingUserId());
@ -650,7 +653,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find domain router with id " + routerId + ".");
}
_accountMgr.checkAccess(caller, null, true, router);
_accountMgr.checkAccess(caller, null, router);
// Can reboot domain router only in Running state
if (router == null || router.getState() != State.Running) {
@ -3252,7 +3255,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
if (router == null) {
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
_accountMgr.checkAccess(caller, null, true, router);
_accountMgr.checkAccess(caller, null, router);
final Account owner = _accountMgr.getAccount(router.getAccountId());

30
server/src/com/cloud/network/rules/RulesManagerImpl.java
View File

@ -25,10 +25,12 @@ import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.log4j.Logger;
import com.cloud.configuration.ConfigurationManager;
import com.cloud.domain.dao.DomainDao;
@ -162,7 +164,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
}
_accountMgr.checkAccess(caller, null, true, ipAddress, userVm);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, ipAddress, userVm);
// validate that IP address and userVM belong to the same account
if (ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()) {
@ -187,7 +189,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
return;
}
_accountMgr.checkAccess(caller, null, true, rule, userVm);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, rule, userVm);
if (userVm.getState() == VirtualMachine.State.Destroyed || userVm.getState() == VirtualMachine.State.Expunging) {
throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
@ -680,7 +682,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
if (!revokePortForwardingRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to delete port forwarding rule");
@ -715,7 +717,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
if (!revokeStaticNatRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to revoke forwarding rule");
@ -791,7 +793,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
_accountMgr.checkAccess(caller, null, true, ipAddressVO);
_accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@ -866,7 +868,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
_accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@ -895,7 +897,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
_accountMgr.checkAccess(caller, null, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
}
try {
@ -919,7 +921,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
_accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@ -945,7 +947,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRule[rules.size()]));
_accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRule[rules.size()]));
}
for (FirewallRuleVO rule : rules) {
@ -973,7 +975,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, ips.toArray(new IPAddressVO[ips.size()]));
_accountMgr.checkAccess(caller, null, ips.toArray(new IPAddressVO[ips.size()]));
}
List<StaticNat> staticNats = new ArrayList<StaticNat>();
@ -1009,7 +1011,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
_accountMgr.checkAccess(caller, null, true, ipAddressVO);
_accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(domainId, isRecursive, null);
@ -1385,7 +1387,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
_accountMgr.checkAccess(caller, null, true, sourceIp);
_accountMgr.checkAccess(caller, null, sourceIp);
}
// create new static nat rule
@ -1504,7 +1506,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
if (rule == null) {
throw new InvalidParameterValueException("Unable to find " + id);
}
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);

8
server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
View File

@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
_accountMgr.checkAccess(caller, null, true, securityGroup);
_accountMgr.checkAccess(caller, null, securityGroup);
Long domainId = owner.getDomainId();
if (protocol == null) {
@ -819,7 +819,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
// Check permissions
SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId());
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, securityGroup);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
long securityGroupId = rule.getSecurityGroupId();
Boolean result = Transaction.execute(new TransactionCallback<Boolean>() {
@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// check permissions
_accountMgr.checkAccess(caller, null, true, group);
_accountMgr.checkAccess(caller, null, group);
return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
@Override
@ -1359,7 +1359,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
_accountMgr.checkAccess(caller, null, false, vm);
_accountMgr.checkAccess(caller, null, vm);
// Validate parameters
List<SecurityGroupVO> vmSgGrps = getSecurityGroupsForVm(vmId);

22
server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
View File

@ -103,7 +103,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
return _networkAclMgr.createNetworkACL(name, description, vpcId, forDisplay);
}
@ -161,7 +161,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
//Include vpcId 0 to list default ACLs
sc.setParameters("vpcId", vpcId, 0);
} else {
@ -225,7 +225,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL");
}
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
return _networkAclMgr.deleteNetworkACL(acl);
}
@ -256,14 +256,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
if (!gateway.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("private gateway: " + privateGatewayId + " and ACL: " + aclId + " do not belong to the same VPC");
}
}
PrivateGateway privateGateway = _vpcSvc.getVpcPrivateGateway(gateway.getId());
_accountMgr.checkAccess(caller, null, true, privateGateway);
_accountMgr.checkAccess(caller, null, privateGateway);
return _networkAclMgr.replaceNetworkACLForPrivateGw(acl, privateGateway);
@ -299,7 +299,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
if (!network.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("Network: " + networkId + " and ACL: " + aclId + " do not belong to the same VPC");
}
@ -371,7 +371,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
//Ensure that number is unique within the ACL
if (aclItemCmd.getNumber() != null) {
@ -546,7 +546,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC associated with acl");
}
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
}
sc.setParameters("aclId", aclId);
} else {
@ -615,7 +615,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){
throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
@ -642,7 +642,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
if (number != null) {
//Check if ACL Item with specified number already exists
@ -664,7 +664,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
NetworkACLVO acl = _networkACLDao.findById(id);
Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId());
Account caller = CallContext.current().getCallingAccount();
_accountMgr.checkAccess(caller, null, true, vpc);
_accountMgr.checkAccess(caller, null, vpc);
if (customId != null) {
acl.setUuid(customId);

24
server/src/com/cloud/network/vpc/VpcManagerImpl.java
View File

@ -38,6 +38,7 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd;
import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd;
import org.apache.cloudstack.context.CallContext;
@ -761,7 +762,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Account owner = _accountMgr.getAccount(vpcOwnerId);
//Verify that caller can perform actions in behalf of vpc owner
_accountMgr.checkAccess(caller, null, false, owner);
_accountMgr.checkAccess(caller, null, owner);
//check resource limit
_resourceLimitMgr.checkResourceLimit(owner, ResourceType.vpc);
@ -894,7 +895,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//verify permissions
_accountMgr.checkAccess(ctx.getCallingAccount(), null, false, vpc);
_accountMgr.checkAccess(ctx.getCallingAccount(), null, vpc);
return destroyVpc(vpc, ctx.getCallingAccount(), ctx.getCallingUserId());
}
@ -962,7 +963,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find vpc by id " + vpcId);
}
_accountMgr.checkAccess(caller, null, false, vpcToUpdate);
_accountMgr.checkAccess(caller, null, vpcToUpdate);
VpcVO vpc = _vpcDao.createForUpdate(vpcId);
@ -1154,7 +1155,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
_accountMgr.checkAccess(caller, null, false, vpc);
_accountMgr.checkAccess(caller, null, vpc);
DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
@ -1214,7 +1215,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
_accountMgr.checkAccess(caller, null, false, vpc);
_accountMgr.checkAccess(caller, null, vpc);
//shutdown provider
s_logger.debug("Shutting down vpc " + vpc);
@ -1480,7 +1481,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw ex;
}
_accountMgr.checkAccess(caller, null, false, vpc);
_accountMgr.checkAccess(caller, null, vpc);
s_logger.debug("Restarting VPC " + vpc);
boolean restartRequired = false;
@ -1927,7 +1928,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find static route by id");
}
_accountMgr.checkAccess(caller, null, false, route);
_accountMgr.checkAccess(caller, null, route);
markStaticRouteForRevoke(route, caller);
@ -1975,7 +1976,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
if (vpc == null) {
throw new InvalidParameterValueException("Can't add static route to VPC that is being deleted");
}
_accountMgr.checkAccess(caller, null, false, vpc);
_accountMgr.checkAccess(caller, null, vpc);
if (!NetUtils.isValidCIDR(cidr)) {
throw new InvalidParameterValueException("Invalid format for cidr " + cidr);
@ -2127,7 +2128,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
protected void markStaticRouteForRevoke(StaticRouteVO route, Account caller) {
s_logger.debug("Revoking static route " + route);
if (caller != null) {
_accountMgr.checkAccess(caller, null, false, route);
_accountMgr.checkAccess(caller, null, route);
}
if (route.getState() == StaticRoute.State.Staged) {
@ -2191,7 +2192,6 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
IpAddress ipToAssoc = _ntwkModel.getIp(ipId);
if (ipToAssoc != null) {
_accountMgr.checkAccess(caller, null, true, ipToAssoc);
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
@ -2204,7 +2204,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
// check permissions
_accountMgr.checkAccess(caller, null, true, owner, vpc);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc);
boolean isSourceNat = false;
if (getExistingSourceNatInVpc(owner.getId(), vpcId) == null) {
@ -2284,7 +2284,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
ex.addProxyObject(String.valueOf(vpcId), "VPC");
throw ex;
}
_accountMgr.checkAccess(caller, null, false, vpc);
_accountMgr.checkAccess(caller, null, vpc);
if (networkDomain == null) {
networkDomain = vpc.getNetworkDomain();

18
server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
View File

@ -150,7 +150,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id" + publicIpId);
}
_accountMgr.checkAccess(caller, null, true, ipAddr);
_accountMgr.checkAccess(caller, null, ipAddr);
if (!ipAddr.readyToUse()) {
throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress());
@ -292,7 +292,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
return;
}
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, vpn);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, vpn);
vpn.setState(RemoteAccessVpn.State.Removed);
_remoteAccessVpnDao.update(vpn.getId(), vpn);
@ -387,7 +387,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (owner == null) {
throw new InvalidParameterValueException("Unable to add vpn user: Another operation active");
}
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
//don't allow duplicated user names for the same account
VpnUserVO vpnUser = _vpnUsersDao.findByAccountAndUsername(owner.getId(), username);
@ -416,7 +416,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (user == null) {
throw new InvalidParameterValueException("Could not find vpn user " + username);
}
_accountMgr.checkAccess(caller, null, true, user);
_accountMgr.checkAccess(caller, null, user);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
@ -435,7 +435,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public List<? extends VpnUser> listVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
return _vpnUsersDao.listByAccount(vpnOwnerId);
}
@ -453,7 +453,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
openFirewall = false;
}
_accountMgr.checkAccess(caller, null, true, vpn);
_accountMgr.checkAccess(caller, null, vpn);
boolean started = false;
try {
@ -499,7 +499,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public boolean applyVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
s_logger.debug("Applying vpn users for " + owner);
List<RemoteAccessVpnVO> vpns = _remoteAccessVpnDao.findByAccount(vpnOwnerId);
@ -636,7 +636,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddressId + " is not associated with an account.");
}
}
_accountMgr.checkAccess(caller, null, true, publicIp);
_accountMgr.checkAccess(caller, null, publicIp);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@ -747,7 +747,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Can't find remote access vpn by id " + id);
}
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vpn);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vpn);
if (customId != null) {
vpn.setUuid(customId);
}

29
server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
View File

@ -24,6 +24,9 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.api.command.user.vpn.CreateVpnConnectionCmd;
import org.apache.cloudstack.api.command.user.vpn.CreateVpnCustomerGatewayCmd;
import org.apache.cloudstack.api.command.user.vpn.CreateVpnGatewayCmd;
@ -37,8 +40,6 @@ import org.apache.cloudstack.api.command.user.vpn.ResetVpnConnectionCmd;
import org.apache.cloudstack.api.command.user.vpn.UpdateVpnCustomerGatewayCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.cloud.configuration.Config;
import com.cloud.event.ActionEvent;
@ -124,7 +125,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
_accountMgr.checkAccess(caller, null, false, owner);
_accountMgr.checkAccess(caller, null, owner);
Long vpcId = cmd.getVpcId();
VpcVO vpc = _vpcDao.findById(vpcId);
@ -174,7 +175,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
_accountMgr.checkAccess(caller, null, false, owner);
_accountMgr.checkAccess(caller, null, owner);
String name = cmd.getName();
String gatewayIp = cmd.getGatewayIp();
@ -242,21 +243,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
_accountMgr.checkAccess(caller, null, false, owner);
_accountMgr.checkAccess(caller, null, owner);
Long customerGatewayId = cmd.getCustomerGatewayId();
Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId);
if (customerGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN customer gateway " + customerGatewayId + " !");
}
_accountMgr.checkAccess(caller, null, false, customerGateway);
_accountMgr.checkAccess(caller, null, customerGateway);
Long vpnGatewayId = cmd.getVpnGatewayId();
Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId);
if (vpnGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN gateway " + vpnGatewayId + " !");
}
_accountMgr.checkAccess(caller, null, false, vpnGateway);
_accountMgr.checkAccess(caller, null, vpnGateway);
if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) {
throw new InvalidParameterValueException("VPN connection can only be esitablished between same account's VPN gateway and customer gateway!");
@ -366,7 +367,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (customerGateway == null) {
throw new InvalidParameterValueException("Fail to find customer gateway with " + id + " !");
}
_accountMgr.checkAccess(caller, null, false, customerGateway);
_accountMgr.checkAccess(caller, null, customerGateway);
return doDeleteCustomerGateway(customerGateway);
}
@ -401,7 +402,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id + " !");
}
_accountMgr.checkAccess(caller, null, false, vpnGateway);
_accountMgr.checkAccess(caller, null, vpnGateway);
doDeleteVpnGateway(vpnGateway);
return true;
@ -418,7 +419,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (gw == null) {
throw new InvalidParameterValueException("Find to find customer gateway with id " + id);
}
_accountMgr.checkAccess(caller, null, false, gw);
_accountMgr.checkAccess(caller, null, gw);
List<Site2SiteVpnConnectionVO> conns = _vpnConnectionDao.listByCustomerGatewayId(id);
if (conns != null) {
@ -508,7 +509,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to delete!");
}
_accountMgr.checkAccess(caller, null, false, conn);
_accountMgr.checkAccess(caller, null, conn);
if (conn.getState() == State.Connected) {
stopVpnConnection(id);
@ -557,7 +558,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (conn == null) {
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to reset!");
}
_accountMgr.checkAccess(caller, null, false, conn);
_accountMgr.checkAccess(caller, null, conn);
if (conn.getState() == State.Pending) {
throw new InvalidParameterValueException("VPN connection " + id + " cannot be reseted when state is Pending!");
@ -821,7 +822,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id);
}
_accountMgr.checkAccess(caller, null, false, conn);
_accountMgr.checkAccess(caller, null, conn);
if (customId != null) {
conn.setUuid(customId);
}
@ -844,7 +845,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id);
}
_accountMgr.checkAccess(caller, null, false, vpnGateway);
_accountMgr.checkAccess(caller, null, vpnGateway);
if (customId != null) {
vpnGateway.setUuid(customId);
}

18
server/src/com/cloud/projects/ProjectManagerImpl.java
View File

@ -244,7 +244,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//at this point enabling project doesn't require anything, so just update the state
project.setState(State.Active);
@ -264,7 +264,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
_accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
return deleteProject(ctx.getCallingAccount(), ctx.getCallingUserId(), project);
}
@ -463,7 +463,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
Transaction.execute(new TransactionCallbackWithExceptionNoReturn<ResourceAllocationException>() {
@Override
@ -550,7 +550,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions - only project owner can assign
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account already added to the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@ -628,7 +628,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account exists in the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@ -750,7 +750,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
_accountMgr.checkAccess(caller, null, true, account);
_accountMgr.checkAccess(caller, null, account);
accountId = account.getId();
} else {
@ -830,7 +830,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//allow project activation only when it's in Suspended state
Project.State currentState = project.getState();
@ -870,7 +870,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw ex;
}
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
if (suspendProject(project)) {
s_logger.debug("Successfully suspended project id=" + projectId);
@ -1012,7 +1012,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
Project project = getProject(invitation.getProjectId());
//check permissions - only project owner can remove the invitations
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
if (_projectInvitationDao.remove(id)) {
s_logger.debug("Project Invitation id=" + id + " is removed");

8
server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
View File

@ -480,7 +480,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
return limits;
}
_accountMgr.checkAccess(caller, null, true, account);
_accountMgr.checkAccess(caller, null, account);
domainId = null;
}
}
@ -500,7 +500,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
if (id != null) {
ResourceLimitVO vo = _resourceLimitDao.findById(id);
if (vo.getAccountId() != null) {
_accountMgr.checkAccess(caller, null, true, _accountDao.findById(vo.getAccountId()));
_accountMgr.checkAccess(caller, null, _accountDao.findById(vo.getAccountId()));
limits.add(vo);
} else if (vo.getDomainId() != null) {
_accountMgr.checkAccess(caller, _domainDao.findById(vo.getDomainId()));
@ -650,9 +650,9 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
}
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
_accountMgr.checkAccess(caller, AccessType.ModifyProject, true, account);
_accountMgr.checkAccess(caller, AccessType.ModifyProject, account);
} else {
_accountMgr.checkAccess(caller, null, true, account);
_accountMgr.checkAccess(caller, null, account);
}
ownerType = ResourceOwnerType.Account;

12
server/src/com/cloud/server/ManagementServerImpl.java
View File

@ -953,7 +953,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
if (ids != null && events.size() < ids.size()) {
result = false;
@ -980,7 +980,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
if (ids != null && events.size() < ids.size()) {
result = false;
@ -3294,7 +3294,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
}
// check permissions
_accountMgr.checkAccess(caller, null, true, _accountMgr.getAccount(user.getAccountId()));
_accountMgr.checkAccess(caller, null, _accountMgr.getAccount(user.getAccountId()));
String cloudIdentifier = _configDao.getValue("cloud.identifier");
if (cloudIdentifier == null) {
@ -3401,7 +3401,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
throw ex;
}
_accountMgr.checkAccess(caller, null, true, group);
_accountMgr.checkAccess(caller, null, group);
// Check if name is already in use by this account (exclude this group)
boolean isNameInUse = _vmGroupDao.isNameInUse(group.getAccountId(), groupName);
@ -3646,7 +3646,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
}
// make permission check
_accountMgr.checkAccess(caller, null, true, vm);
_accountMgr.checkAccess(caller, null, vm);
_userVmDao.loadDetails(vm);
String password = vm.getDetail("Encrypted.Password");
@ -3819,7 +3819,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
throw new InvalidParameterValueException("Unable to find SystemVm with id " + systemVmId);
}
_accountMgr.checkAccess(caller, null, true, systemVm);
_accountMgr.checkAccess(caller, null, systemVm);
// Check that the specified service offering ID is valid
ServiceOfferingVO newServiceOffering = _offeringDao.findById(serviceOfferingId);

2
server/src/com/cloud/servlet/ConsoleProxyServlet.java
View File

@ -522,7 +522,7 @@ public class ConsoleProxyServlet extends HttpServlet {
switch (vm.getType()) {
case User:
try {
_accountMgr.checkAccess(accountObj, null, true, vm);
_accountMgr.checkAccess(accountObj, null, vm);
} catch (PermissionDeniedException ex) {
if (_accountMgr.isNormalUser(accountObj.getId())) {
if (s_logger.isDebugEnabled()) {

29
server/src/com/cloud/storage/VolumeApiServiceImpl.java
View File

@ -26,6 +26,9 @@ import java.util.concurrent.ExecutionException;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.volume.AttachVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.CreateVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.DetachVolumeCmd;
@ -68,7 +71,6 @@ import org.apache.cloudstack.storage.datastore.db.VolumeDataStoreDao;
import org.apache.cloudstack.storage.datastore.db.VolumeDataStoreVO;
import org.apache.cloudstack.storage.image.datastore.ImageStoreEntity;
import org.apache.cloudstack.utils.identity.ManagementServerNode;
import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.agent.api.Answer;
@ -263,7 +265,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format) throws ResourceAllocationException {
// permission check
_accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
_accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId));
// Check that the resource limit for volumes won't be exceeded
_resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(ownerId), ResourceType.volume);
@ -372,10 +374,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
Boolean displayVolume = cmd.getDisplayVolume();
// permission check
_accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
_accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId));
if (displayVolume == null) {
displayVolume = true;
} else {
if (!_accountMgr.isRootAdmin(caller.getId())) {
throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
@ -499,9 +502,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
size = snapshotCheck.getSize(); // ; disk offering is used for tags
// purposes
// check snapshot permissions
_accountMgr.checkAccess(caller, null, true, snapshotCheck);
// one step operation - create volume in VM's cluster and attach it
// to the VM
Long vmId = cmd.getVirtualMachineId();
@ -516,9 +516,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
if (vm.getState() != State.Running && vm.getState() != State.Stopped) {
throw new InvalidParameterValueException("Please specify a VM that is either running or stopped.");
}
// permission check
_accountMgr.checkAccess(caller, null, false, vm);
}
}
@ -766,7 +763,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
/* does the caller have the authority to act on this volume? */
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
long currentSize = volume.getSize();
@ -929,7 +926,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
throw new InvalidParameterValueException("There are snapshot creating on it, Unable to delete the volume");
}
_accountMgr.checkAccess(caller, null, true, volume);
_accountMgr.checkAccess(caller, null, volume);
if (volume.getInstanceId() != null) {
throw new InvalidParameterValueException("Please specify a volume that is not attached to any VM.");
@ -1136,7 +1133,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
throw new InvalidParameterValueException("Unable to attach volume, please specify a VM that does not have VM snapshots");
}
if (!(Volume.State.Allocated.equals(volumeToAttach.getState()) || Volume.State.Ready.equals(volumeToAttach.getState()) || Volume.State.Uploaded.equals(volumeToAttach.getState()))) {
// permission check
_accountMgr.checkAccess(caller, AccessType.OperateEntry, volumeToAttach, vm);
if (!(Volume.State.Allocated.equals(volumeToAttach.getState()) || Volume.State.Ready.equals(volumeToAttach.getState()) || Volume.State.Uploaded.equals(volumeToAttach
.getState()))) {
throw new InvalidParameterValueException("Volume state must be in Allocated, Ready or in Uploaded state");
}
@ -1356,7 +1357,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// Permissions check
_accountMgr.checkAccess(caller, null, true, volume);
_accountMgr.checkAccess(caller, null, volume);
// Check that the volume is currently attached to a VM
@ -1823,7 +1824,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// perform permission check
_accountMgr.checkAccess(account, null, true, volume);
_accountMgr.checkAccess(account, null, volume);
if (_dcDao.findById(zoneId) == null) {
throw new InvalidParameterValueException("Please specify a valid zone.");

15
server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
View File

@ -286,7 +286,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
boolean backedUp = false;
// does the caller have the authority to act on this volume
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
SnapshotInfo snapshot = snapshotFactory.getSnapshot(snapshotId, DataStoreRole.Primary);
@ -391,7 +391,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("unable to find a snapshot with id " + snapshotId);
}
_accountMgr.checkAccess(caller, null, true, snapshotCheck);
_accountMgr.checkAccess(caller, null, snapshotCheck);
SnapshotStrategy snapshotStrategy = _storageStrategyFactory.getSnapshotStrategy(snapshotCheck, SnapshotOperation.DELETE);
if (snapshotStrategy == null) {
s_logger.error("Unable to find snaphot strategy to handle snapshot with id '" + snapshotId + "'");
@ -450,7 +450,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
if (volumeId != null) {
VolumeVO volume = _volsDao.findById(volumeId);
if (volume != null) {
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
}
}
@ -624,7 +624,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("Failed to create snapshot policy, unable to find a volume with id " + volumeId);
}
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
if (volume.getState() != Volume.State.Ready) {
throw new InvalidParameterValueException("VolumeId: " + volumeId + " is not in " + Volume.State.Ready + " state but " + volume.getState() +
@ -723,7 +723,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
if (volume == null) {
throw new InvalidParameterValueException("Unable to find a volume with id " + volumeId);
}
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
Pair<List<SnapshotPolicyVO>, Integer> result = _snapshotPolicyDao.listAndCountByVolumeId(volumeId);
return new Pair<List<? extends SnapshotPolicy>, Integer>(result.first(), result.second());
}
@ -999,7 +999,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("Policy id given: " + policy + " does not belong to a valid volume");
}
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
}
boolean success = true;
@ -1030,12 +1030,9 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
@Override
public Snapshot allocSnapshot(Long volumeId, Long policyId) throws ResourceAllocationException {
Account caller = CallContext.current().getCallingAccount();
VolumeInfo volume = volFactory.getVolume(volumeId);
supportedByHypervisor(volume);
// Verify permissions
_accountMgr.checkAccess(caller, null, true, volume);
Type snapshotType = getSnapshotType(policyId);
Account owner = _accountMgr.getAccount(volume.getAccountId());

7
server/src/com/cloud/tags/TaggedResourceManagerImpl.java
View File

@ -25,11 +25,12 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
import org.apache.log4j.Logger;
import com.cloud.api.query.dao.ResourceTagJoinDao;
import com.cloud.dc.DataCenterVO;
@ -222,7 +223,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
Long domainId = accountDomainPair.second();
Long accountId = accountDomainPair.first();
if (accountId != null) {
_accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
_accountMgr.checkAccess(caller, null, _accountMgr.getAccount(accountId));
} else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
//check permissions;
_accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
@ -284,7 +285,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
for (ResourceTag resourceTag : resourceTags) {
//1) validate the permissions
Account owner = _accountMgr.getAccount(resourceTag.getAccountId());
_accountMgr.checkAccess(caller, null, false, owner);
_accountMgr.checkAccess(caller, null, owner);
//2) Only remove tag if it matches key value pairs
if (tags != null && !tags.isEmpty()) {
for (String key : tags.keySet()) {

4
server/src/com/cloud/template/TemplateAdapterBase.java
View File

@ -258,7 +258,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
//check if the caller can operate with the template owner
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
boolean isRouting = (cmd.isRoutingType() == null) ? false : cmd.isRoutingType();
@ -281,7 +281,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
//check if the caller can operate with the template owner
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
Long zoneId = cmd.getZoneId();
// ignore passed zoneId if we are using region wide image store

34
server/src/com/cloud/template/TemplateManagerImpl.java
View File

@ -369,7 +369,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Unable to find template id=" + templateId);
}
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, vmTemplate);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, vmTemplate);
prepareTemplateInAllStoragePools(vmTemplate, zoneId);
return vmTemplate;
@ -415,7 +415,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable");
}
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
List<DataStore> ssStores = _dataStoreMgr.getImageStoresByScope(new ZoneScope(zoneId));
@ -722,7 +722,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
return template;
}
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
boolean success = copy(userId, template, srcSecStore, dstZone);
@ -911,7 +911,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Please specify a valid VM.");
}
_accountMgr.checkAccess(caller, null, true, userVM);
_accountMgr.checkAccess(caller, null, userVM);
Long isoId = userVM.getIsoId();
if (isoId == null) {
@ -952,12 +952,11 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
// check permissions
// check if caller has access to VM and ISO
// and also check if the VM's owner has access to the ISO.
_accountMgr.checkAccess(caller, null, false, iso, vm);
// and also check if the VM's owner has access to the ISO. This is a bit different from sameOwner check for attachVolumeToVM, where both volume and VM need
// OperateEntry access type. Here VM needs OperateEntry access type, ISO needs UseEntry access type.
_accountMgr.checkAccess(caller, null, iso, vm);
Account vmOwner = _accountDao.findById(vm.getAccountId());
_accountMgr.checkAccess(vmOwner, null, false, iso, vm);
_accountMgr.checkAccess(vmOwner, null, iso);
State vmState = vm.getState();
if (vmState != State.Running && vmState != State.Stopped) {
@ -1061,7 +1060,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("unable to find template with id " + templateId);
}
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
if (template.getFormat() == ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid template.");
@ -1084,7 +1083,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("unable to find iso with id " + templateId);
}
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
if (template.getFormat() != ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid iso.");
@ -1134,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
if (!template.isPublicTemplate()) {
_accountMgr.checkAccess(caller, null, true, template);
_accountMgr.checkAccess(caller, null, template);
}
List<String> accountNames = new ArrayList<String>();
@ -1207,8 +1206,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
}
//_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry?
_accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
// If the template is removed throw an error.
if (template.getRemoved() != null) {
@ -1489,7 +1487,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
Account caller = CallContext.current().getCallingAccount();
boolean isAdmin = (_accountMgr.isAdmin(caller.getType()));
_accountMgr.checkAccess(caller, null, true, templateOwner);
_accountMgr.checkAccess(caller, null, templateOwner);
String name = cmd.getTemplateName();
if ((name == null) || (name.length() > 32)) {
@ -1541,7 +1539,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Failed to create private template record, unable to find volume " + volumeId);
}
// check permissions
_accountMgr.checkAccess(caller, null, true, volume);
_accountMgr.checkAccess(caller, null, volume);
// If private template is created from Volume, check that the volume
// will not be active when the private template is
@ -1564,7 +1562,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
volume = _volumeDao.findById(snapshot.getVolumeId());
// check permissions
_accountMgr.checkAccess(caller, null, true, snapshot);
_accountMgr.checkAccess(caller, null, snapshot);
if (snapshot.getState() != Snapshot.State.BackedUp) {
throw new InvalidParameterValueException("Snapshot id=" + snapshotId + " is not in " + Snapshot.State.BackedUp +
@ -1780,7 +1778,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
verifyTemplateId(id);
// do a permission check
_accountMgr.checkAccess(account, AccessType.OperateEntry, true, template);
_accountMgr.checkAccess(account, AccessType.OperateEntry, template);
if (cmd.isRoutingType() != null) {
if (!_accountService.isRootAdmin(account.getId())) {
throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");

34
server/src/com/cloud/user/AccountManagerImpl.java
View File

@ -450,6 +450,20 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
// TODO this will eventually deprecate below sameOwner check interface.
// TO BE IMPLEMENTED when multiple controlled entity support interface is added into SecurityChecker
checkAccess(account, accessType, false, entities);
}
@Override
public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
// TODO this will eventually deprecate below sameOwner check interface.
// TO BE IMPLEMENTED when multiple controlled entity support interface is added into SecurityChecker
checkAccess(account, accessType, false, apiName, entities);
}
@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
checkAccess(caller, accessType, sameOwner, null, entities);
@ -1112,7 +1126,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
}
checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
if (firstName != null) {
if (firstName.isEmpty()) {
@ -1226,7 +1240,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, disabling is not allowed");
}
checkAccess(caller, AccessType.OperateEntry, true, account);
checkAccess(caller, AccessType.OperateEntry, account);
boolean success = doSetUserStatus(userId, State.disabled);
if (success) {
@ -1264,7 +1278,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, enabling is not allowed");
}
checkAccess(caller, AccessType.OperateEntry, true, account);
checkAccess(caller, AccessType.OperateEntry, account);
boolean success = Transaction.execute(new TransactionCallback<Boolean>() {
@Override
@ -1313,7 +1327,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + userId + " is a system user, locking is not allowed");
}
checkAccess(caller, AccessType.OperateEntry, true, account);
checkAccess(caller, AccessType.OperateEntry, account);
// make sure the account is enabled too
// if the user is either locked already or disabled already, don't change state...only lock currently enabled
@ -1377,7 +1391,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("The specified account does not exist in the system");
}
checkAccess(caller, null, true, account);
checkAccess(caller, null, account);
// don't allow to delete default account (system and admin)
if (account.isDefault()) {
@ -1422,7 +1436,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// Check if user performing the action is allowed to modify this account
Account caller = CallContext.current().getCallingAccount();
checkAccess(caller, AccessType.OperateEntry, true, account);
checkAccess(caller, AccessType.OperateEntry, account);
boolean success = enableAccount(account.getId());
if (success) {
@ -1456,7 +1470,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed");
}
checkAccess(caller, AccessType.OperateEntry, true, account);
checkAccess(caller, AccessType.OperateEntry, account);
if (lockAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@ -1486,7 +1500,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed");
}
checkAccess(caller, AccessType.OperateEntry, true, account);
checkAccess(caller, AccessType.OperateEntry, account);
if (disableAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@ -1605,7 +1619,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("The user is default and can't be removed");
}
checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
CallContext.current().putContextParameter(User.class, user.getUuid());
return _userDao.remove(id);
}
@ -2252,7 +2266,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (userAccount != null) {
//check permissions
checkAccess(caller, null, false, userAccount);
checkAccess(caller, null, userAccount);
permittedAccounts.add(userAccount.getId());
} else {
throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());

109
server/src/com/cloud/vm/UserVmManagerImpl.java
View File

@ -35,11 +35,9 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import com.cloud.storage.VolumeApiService;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroupService;
@ -199,6 +197,7 @@ import com.cloud.server.ConfigurationServer;
import com.cloud.service.ServiceOfferingVO;
import com.cloud.service.dao.ServiceOfferingDao;
import com.cloud.service.dao.ServiceOfferingDetailsDao;
import com.cloud.storage.DataStoreRole;
import com.cloud.storage.DiskOfferingVO;
import com.cloud.storage.GuestOSCategoryVO;
import com.cloud.storage.GuestOSVO;
@ -206,13 +205,13 @@ import com.cloud.storage.SnapshotVO;
import com.cloud.storage.Storage;
import com.cloud.storage.Storage.ImageFormat;
import com.cloud.storage.Storage.TemplateType;
import com.cloud.storage.DataStoreRole;
import com.cloud.storage.StorageManager;
import com.cloud.storage.StoragePool;
import com.cloud.storage.StoragePoolStatus;
import com.cloud.storage.VMTemplateVO;
import com.cloud.storage.VMTemplateZoneVO;
import com.cloud.storage.Volume;
import com.cloud.storage.VolumeApiService;
import com.cloud.storage.VolumeVO;
import com.cloud.storage.dao.DiskOfferingDao;
import com.cloud.storage.dao.GuestOSCategoryDao;
@ -533,7 +532,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("Vm with id " + vmId + " is not in the right state");
}
_accountMgr.checkAccess(caller, null, true, userVm);
_accountMgr.checkAccess(caller, null, userVm);
boolean result = resetVMPasswordInternal(vmId, password);
@ -639,7 +638,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
+ " in specified domain id");
}
_accountMgr.checkAccess(caller, null, true, userVm);
_accountMgr.checkAccess(caller, null, userVm);
String password = null;
String sshPublicKey = s.getPublicKey();
if (template != null && template.getEnablePassword()) {
@ -779,7 +778,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
+ "; make sure the virtual machine is stopped");
}
_accountMgr.checkAccess(caller, null, true, vmInstance);
_accountMgr.checkAccess(caller, null, vmInstance);
// Check resource limits for CPU and Memory.
Map<String, String> customParameters = cmd.getDetails();
@ -893,7 +892,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
}
_accountMgr.checkAccess(caller, null, true, vmInstance);
_accountMgr.checkAccess(caller, null, vmInstance);
// Check resource limits for CPU and Memory.
ServiceOfferingVO newServiceOffering = _offeringDao.findById(svcOffId);
@ -962,7 +961,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
Long vmId = cmd.getVmId();
Long networkId = cmd.getNetworkId();
String ipAddress = cmd.getIpAddress();
Account caller = CallContext.current().getCallingAccount();
UserVmVO vmInstance = _vmDao.findById(vmId);
if (vmInstance == null) {
@ -973,12 +971,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a network with id " + networkId);
}
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
&& !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) {
throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId);
}
}
List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
for (NicVO nic : allNics) {
@ -991,18 +983,12 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
profile = new NicProfile(ipAddress, null);
}
// Perform permission check on VM
_accountMgr.checkAccess(caller, null, true, vmInstance);
// Verify that zone is not Basic
DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
if (dc.getNetworkType() == DataCenter.NetworkType.Basic) {
throw new CloudRuntimeException("Zone " + vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new NIC to a VM on a Basic Network");
}
// Perform account permission check on network
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
//ensure network belongs in zone
if (network.getDataCenterId() != vmInstance.getDataCenterId()) {
throw new CloudRuntimeException(vmInstance + " is in zone:" + vmInstance.getDataCenterId() + " but " + network + " is in zone:" + network.getDataCenterId());
@ -1061,7 +1047,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Perform permission check on VM
_accountMgr.checkAccess(caller, null, true, vmInstance);
_accountMgr.checkAccess(caller, null, vmInstance);
// Verify that zone is not Basic
DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@ -1075,7 +1061,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Perform account permission check on network
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
_accountMgr.checkAccess(caller, AccessType.UseEntry, network);
boolean nicremoved = false;
@ -1117,7 +1103,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Perform permission check on VM
_accountMgr.checkAccess(caller, null, true, vmInstance);
_accountMgr.checkAccess(caller, null, vmInstance);
// Verify that zone is not Basic
DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@ -1299,7 +1285,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("This operation not permitted for this hypervisor of the vm");
}
_accountMgr.checkAccess(caller, null, true, vmInstance);
_accountMgr.checkAccess(caller, null, vmInstance);
//Check if its a scale "up"
ServiceOfferingVO newServiceOffering = _offeringDao.findById(newServiceOfferingId);
@ -1508,7 +1494,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// check permissions
_accountMgr.checkAccess(caller, null, true, vm);
_accountMgr.checkAccess(caller, null, vm);
if (vm.getRemoved() != null) {
if (s_logger.isDebugEnabled()) {
@ -1851,7 +1837,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find virtual machine with id " + id);
}
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vmInstance);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vmInstance);
//If the flag is specified and is changed
if (isDisplayVm != null && isDisplayVm != vmInstance.isDisplayVm()) {
@ -2066,7 +2052,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
}
_accountMgr.checkAccess(caller, null, true, vmInstance);
_accountMgr.checkAccess(caller, null, vmInstance);
// If the VM is Volatile in nature, on reboot discard the VM's root disk and create a new root disk for it: by calling restoreVM
long serviceOfferingId = vmInstance.getServiceOfferingId();
@ -2170,7 +2156,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a vm group with id " + groupId);
}
_accountMgr.checkAccess(caller, null, true, group);
_accountMgr.checkAccess(caller, null, group);
return deleteVmGroup(groupId);
}
@ -2304,7 +2290,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
List<NetworkVO> networkList = new ArrayList<NetworkVO>();
// Verify that caller can perform actions in behalf of vm owner
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
// Get default guest network in Basic zone
Network defaultNetwork = _networkModel.getExclusiveGuestNetwork(zone.getId());
@ -2359,7 +2345,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware));
// Verify that caller can perform actions in behalf of vm owner
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
// If no network is specified, find system security group enabled network
if (networkIdList == null || networkIdList.isEmpty()) {
@ -2417,7 +2403,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
// Perform account permission check
if (network.getAclType() == ACLType.Account) {
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
_accountMgr.checkAccess(caller, AccessType.UseEntry, network);
}
networkList.add(network);
}
@ -2463,7 +2449,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
List<NetworkVO> networkList = new ArrayList<NetworkVO>();
// Verify that caller can perform actions in behalf of vm owner
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
List<HypervisorType> vpcSupportedHTypes = _vpcMgr.getSupportedVpcHypervisors();
if (networkIdList == null || networkIdList.isEmpty()) {
@ -2557,7 +2543,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
List<Long> affinityGroupIdList, Map<String, String> customParameters, String customId) throws InsufficientCapacityException, ResourceUnavailableException,
ConcurrentOperationException, StorageUnavailableException, ResourceAllocationException {
_accountMgr.checkAccess(caller, null, true, owner);
_accountMgr.checkAccess(caller, null, owner);
if (owner.getState() == Account.State.disabled) {
throw new PermissionDeniedException("The owner of vm to deploy is disabled: " + owner);
@ -2633,7 +2619,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("Unable to find security group by id " + securityGroupId);
} else {
// verify permissions
_accountMgr.checkAccess(caller, null, true, owner, sg);
_accountMgr.checkAccess(owner, AccessType.UseEntry, sg);
}
}
}
@ -2649,27 +2635,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
+ " , Please try again after removing the affinity group");
} else {
// verify permissions
if (ag.getAclType() == ACLType.Domain) {
_accountMgr.checkAccess(caller, null, false, owner, ag);
// Root admin has access to both VM and AG by default,
// but
// make sure the owner of these entities is same
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) {
throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain");
}
}
} else {
_accountMgr.checkAccess(caller, null, true, owner, ag);
// Root admin has access to both VM and AG by default,
// but
// make sure the owner of these entities is same
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
if (ag.getAccountId() != owner.getAccountId()) {
throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
}
}
}
_accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
}
}
}
@ -2695,10 +2661,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Check templates permissions
if (!template.isPublicTemplate()) {
Account templateOwner = _accountMgr.getAccount(template.getAccountId());
_accountMgr.checkAccess(owner, null, true, templateOwner);
}
_accountMgr.checkAccess(owner, AccessType.UseEntry, template);
// check if the user data is correct
validateUserData(userData, httpmethod);
@ -2727,14 +2690,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId());
}
//relax the check if the caller is admin account
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
&& !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) {
throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm");
}
}
// Perform account permission check on network
_accountMgr.checkAccess(caller, AccessType.UseEntry, network);
IpAddresses requestedIpPair = null;
if (requestedIps != null && !requestedIps.isEmpty()) {
requestedIpPair = requestedIps.get(network.getId());
@ -3356,7 +3313,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
}
_accountMgr.checkAccess(callerAccount, null, true, vm);
_accountMgr.checkAccess(callerAccount, null, vm);
Account owner = _accountDao.findById(vm.getAccountId());
@ -3662,7 +3619,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw ex;
}
_accountMgr.checkAccess(caller, null, true, vm);
_accountMgr.checkAccess(caller, null, vm);
boolean status;
@ -4243,8 +4200,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
//check caller has access to both the old and new account
_accountMgr.checkAccess(caller, null, true, oldAccount);
_accountMgr.checkAccess(caller, null, true, newAccount);
_accountMgr.checkAccess(caller, null, oldAccount);
_accountMgr.checkAccess(caller, null, newAccount);
// make sure the accounts are not same
if (oldAccount.getAccountId() == newAccount.getAccountId()) {
@ -4297,7 +4254,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
VirtualMachineTemplate template = _templateDao.findById(vm.getTemplateId());
if (!template.isPublicTemplate()) {
Account templateOwner = _accountMgr.getAccount(template.getAccountId());
_accountMgr.checkAccess(newAccount, null, true, templateOwner);
_accountMgr.checkAccess(newAccount, null, templateOwner);
}
// VV 5: check the new account can create vm in the domain
@ -4554,7 +4511,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw ex;
}
_accountMgr.checkAccess(caller, null, true, vm);
_accountMgr.checkAccess(caller, null, vm);
return restoreVMInternal(caller, vm, newTemplateId);
}
@ -4604,7 +4561,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
//newTemplateId can be either template or ISO id. In the following snippet based on the vm deployment (from template or ISO) it is handled accordingly
if (newTemplateId != null) {
template = _templateDao.findById(newTemplateId);
_accountMgr.checkAccess(caller, null, true, template);
_accountMgr.checkAccess(caller, null, template);
if (isISO) {
if (!template.getFormat().equals(ImageFormat.ISO)) {
throw new InvalidParameterValueException("Invalid ISO id provided to restore the VM ");
@ -4761,7 +4718,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
if (hostId != null) {
// root.getPoolId() should be null if the VM we are attaching the disk to has never been started before
DataStore dataStore = root.getPoolId() != null ? _dataStoreMgr.getDataStore(root.getPoolId(), DataStoreRole.Primary) : null;
Host host = this._hostDao.findById(hostId);
Host host = _hostDao.findById(hostId);
volumeMgr.disconnectVolumeFromHost(volFactory.getVolume(root.getId()), host, dataStore);
}
@ -4811,7 +4768,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
//check permissions
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vm);
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vm);
return vm.getUserData();
}

10
server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
View File

@ -297,7 +297,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
}
// check access
_accountMgr.checkAccess(caller, null, true, userVmVo);
//_accountMgr.checkAccess(caller, null, userVmVo);
// check max snapshot limit for per VM
if (_vmSnapshotDao.findByVm(vmId).size() >= _vmSnapshotMax) {
@ -448,7 +448,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
}
_accountMgr.checkAccess(caller, null, true, vmSnapshot);
_accountMgr.checkAccess(caller, null, vmSnapshot);
// check VM snapshot states, only allow to delete vm snapshots in created and error state
if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@ -513,7 +513,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
}
_accountMgr.checkAccess(caller, null, true, vmSnapshot);
_accountMgr.checkAccess(caller, null, vmSnapshot);
// check VM snapshot states, only allow to delete vm snapshots in created and error state
if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@ -564,7 +564,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
}
Account caller = getCaller();
_accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
_accountMgr.checkAccess(caller, null, vmSnapshotVo);
// VM should be in running or stopped states
if (userVm.getState() != VirtualMachine.State.Running
@ -646,7 +646,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
}
Account caller = getCaller();
_accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
_accountMgr.checkAccess(caller, null, vmSnapshotVo);
// VM should be in running or stopped states
if (userVm.getState() != VirtualMachine.State.Running && userVm.getState() != VirtualMachine.State.Stopped) {

13
server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
View File

@ -262,7 +262,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
affinityGroupId = group.getId();
}
// check permissions
_accountMgr.checkAccess(caller, AccessType.OperateEntry, true, group);
_accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
final Long affinityGroupIdFinal = affinityGroupId;
Transaction.execute(new TransactionCallbackNoReturn() {
@ -353,7 +353,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
if (userVM == null) {
throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
}
_accountMgr.checkAccess(caller, null, true, userVM);
_accountMgr.checkAccess(caller, null, userVM);
// add join to affinity_groups_vm_map
groupSearch.join("vmInstanceSearch", vmInstanceSearch, groupSearch.entity().getId(), vmInstanceSearch.entity().getAffinityGroupId(),
JoinBuilder.JoinType.INNER);
@ -477,14 +477,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
throw new InvalidParameterValueException("Unable to find affinity group by id " + affinityGroupId);
} else {
// verify permissions
_accountMgr.checkAccess(caller, null, true, owner, ag);
// Root admin has access to both VM and AG by default, but make sure the
// owner of these entities is same
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
if (ag.getAccountId() != owner.getAccountId()) {
throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
}
}
_accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
}
}
_affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);

9
server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
View File

@ -24,14 +24,15 @@ import java.util.Map;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.loadbalancer.ListApplicationLoadBalancersCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
@ -114,7 +115,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
}
Account caller = CallContext.current().getCallingAccount();
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, guestNtwk);
_accountMgr.checkAccess(caller, AccessType.UseEntry, guestNtwk);
Network sourceIpNtwk = _networkModel.getNetwork(sourceIpNetworkId);
if (sourceIpNtwk == null) {
@ -546,7 +547,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
if (rule == null) {
throw new InvalidParameterValueException("Unable to find load balancer " + id);
}
_accountMgr.checkAccess(caller, null, true, rule);
_accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);

8
server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
View File

@ -147,7 +147,7 @@ public class CertServiceImpl implements CertService {
if (certVO == null) {
throw new InvalidParameterValueException("Invalid certificate id: " + certId);
}
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, certVO);
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, certVO);
List<LoadBalancerCertMapVO> lbCertRule = _lbCertDao.listByCertId(certId);
@ -191,7 +191,7 @@ public class CertServiceImpl implements CertService {
throw new InvalidParameterValueException("Invalid certificate id: " + certId);
}
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVO);
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVO);
certLbMap = _lbCertDao.listByCertId(certId);
@ -206,7 +206,7 @@ public class CertServiceImpl implements CertService {
throw new InvalidParameterValueException("found no loadbalancer wth id: " + lbRuleId);
}
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, lb);
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, lb);
// get the cert id
LoadBalancerCertMapVO lbCertMapRule;
@ -229,7 +229,7 @@ public class CertServiceImpl implements CertService {
List<SslCertVO> certVOList = _sslCertDao.listByAccountId(accountId);
if (certVOList == null || certVOList.isEmpty())
return certResponseList;
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVOList.get(0));
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVOList.get(0));
for (SslCertVO cert : certVOList) {
certLbMap = _lbCertDao.listByCertId(cert.getId());

14
server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
View File

@ -183,7 +183,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
}
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
throw new InvalidParameterValueException("global load balancer rule id: " + gslbRule.getUuid() + " is in revoked state");
@ -224,7 +224,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Specified load balancer rule ID does not exist.");
}
_accountMgr.checkAccess(caller, null, true, loadBalancer);
_accountMgr.checkAccess(caller, null, loadBalancer);
if (gslbRule.getAccountId() != loadBalancer.getAccountId()) {
throw new InvalidParameterValueException("GSLB rule and load balancer rule does not belong to same account");
@ -319,7 +319,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
}
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
throw new InvalidParameterValueException("global load balancer rule id: " + gslbRuleId + " is already in revoked state");
@ -346,7 +346,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Specified load balancer rule ID does not exist.");
}
_accountMgr.checkAccess(caller, null, true, loadBalancer);
_accountMgr.checkAccess(caller, null, loadBalancer);
}
for (GlobalLoadBalancerLbRuleMapVO gslbLbMapVo : gslbLbMapVos) {
@ -445,7 +445,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
}
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (gslbRule.getState() == com.cloud.region.ha.GlobalLoadBalancerRule.State.Staged) {
if (s_logger.isDebugEnabled()) {
@ -523,7 +523,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
CallContext ctx = CallContext.current();
Account caller = ctx.getCallingAccount();
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
_accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (algorithm != null && !GlobalLoadBalancerRule.Algorithm.isValidAlgorithm(algorithm)) {
throw new InvalidParameterValueException("Invalid Algorithm: " + algorithm);
@ -583,7 +583,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
if (gslbRule == null) {
throw new InvalidParameterValueException("Invalid gslb rule id specified");
}
_accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, false, gslbRule);
_accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, gslbRule);
response.add(gslbRule);
return response;

2
server/test/com/cloud/event/EventControlsUnitTest.java
View File

@ -60,7 +60,7 @@ public class EventControlsUnitTest extends TestCase {
MockitoAnnotations.initMocks(this);
_mgmtServer._eventDao = _eventDao;
_mgmtServer._accountMgr = _accountMgr;
doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class));
when(_eventDao.listToArchiveOrDeleteEvents(anyList(), anyString(), any(Date.class), any(Date.class), anyList())).thenReturn(_events);
}

9
server/test/com/cloud/network/MockNetworkModelImpl.java
View File

@ -25,6 +25,8 @@ import java.util.Set;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@ -878,4 +880,11 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
public boolean getNetworkEgressDefaultPolicy(Long networkId) {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
@Override
public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
// TODO Auto-generated method stub
}
}

11
server/test/com/cloud/user/MockAccountManagerImpl.java
View File

@ -356,5 +356,16 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
return null;
}
@Override
public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
// TODO Auto-generated method stub
}
@Override
public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
// TODO Auto-generated method stub
}
}

8
server/test/com/cloud/vm/UserVmManagerTest.java
View File

@ -283,7 +283,7 @@ public class UserVmManagerTest {
doReturn(3L).when(_volumeMock).getTemplateId();
doReturn(ImageFormat.VHD).when(_templateMock).getFormat();
when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
when(_storageMgr.allocateDuplicateVolume(_volumeMock, 14L)).thenReturn(_volumeMock);
when(_templateMock.getGuestOSId()).thenReturn(5L);
doNothing().when(_vmMock).setGuestOSId(anyLong());
@ -327,7 +327,7 @@ public class UserVmManagerTest {
doReturn(3L).when(_vmMock).getIsoId();
doReturn(ImageFormat.ISO).when(_templateMock).getFormat();
when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
when(_storageMgr.allocateDuplicateVolume(_volumeMock, null)).thenReturn(_volumeMock);
doNothing().when(_vmMock).setIsoId(14L);
when(_templateMock.getGuestOSId()).thenReturn(5L);
@ -413,7 +413,7 @@ public class UserVmManagerTest {
doReturn(VirtualMachine.State.Running).when(_vmInstance).getState();
doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
doNothing().when(_itMgr).checkIfCanUpgrade(_vmMock, _offeringVo);
@ -606,7 +606,7 @@ public class UserVmManagerTest {
when(_accountService.getActiveAccountByName(anyString(), anyLong())).thenReturn(newAccount);
doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class),
doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class),
any(ControlledEntity.class));
CallContext.register(user, caller);

2
server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
View File

@ -125,7 +125,7 @@ public class VMSnapshotManagerTest {
_vmSnapshotMgr._guestOSDao = _guestOSDao;
_vmSnapshotMgr._hypervisorCapabilitiesDao = _hypervisorCapabilitiesDao;
doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class));
_vmSnapshotMgr._vmSnapshotMax = _vmSnapshotMax;

9
server/test/com/cloud/vpc/MockNetworkModelImpl.java
View File

@ -26,6 +26,8 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@ -893,4 +895,11 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
public boolean getNetworkEgressDefaultPolicy(Long networkId) {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
@Override
public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
// TODO Auto-generated method stub
}
}