StaticRoleBasedAPIAccessChecker: Throw exception on failed check

Plugin should not be responsible for existence of checking an API, this was wrong.
Throw exception boldly when checkAccess fails.

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>

api/src/org/apache/cloudstack/acl/APIChecker.java

@@ -16,13 +16,12 @@
 // under the License.
 package org.apache.cloudstack.acl;
 
+import com.cloud.exception.PermissionDeniedException;
 import org.apache.cloudstack.acl.RoleType;
 import com.cloud.utils.component.Adapter;
 
 // APIChecker checks the ownership and access control to API requests
 public interface APIChecker extends Adapter {
     // Interface for checking access for a role using apiname
-    boolean checkAccess(RoleType roleType, String apiCommandName);
-    // Interface for checking existence of an api by name
-    boolean checkExistence(String apiCommandName);
+    boolean checkAccess(RoleType roleType, String apiCommandName) throws PermissionDeniedException;
 }

plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java

@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.acl;
 
+import com.cloud.exception.PermissionDeniedException;
 import com.cloud.server.ManagementServer;
 import com.cloud.utils.component.AdapterBase;
 import com.cloud.utils.component.ComponentLocator;
@@ -48,17 +49,13 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC
     }
 
     @Override
-    public boolean checkAccess(RoleType roleType, String commandName) {
-            return s_roleBasedApisMap.get(roleType).contains(commandName);
-    }
-
-    @Override
-    public boolean checkExistence(String apiName) {
-        for (RoleType roleType: RoleType.values()) {
-            if (s_roleBasedApisMap.get(roleType).contains(apiName))
-                return true;
+    public boolean checkAccess(RoleType roleType, String commandName)
+            throws PermissionDeniedException {
+        boolean isAllowed = s_roleBasedApisMap.get(roleType).contains(commandName);
+        if (!isAllowed) {
+            throw new PermissionDeniedException("The API does not exist or is blacklisted. Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName);
         }
-        return false;
+        return isAllowed;
     }
 
     @Override

server/src/com/cloud/api/ApiServer.java

@@ -556,7 +556,7 @@ public class ApiServer implements HttpRequestHandler {
                 return true;
             } else {
                 // check against every available command to see if the command exists or not
-                if (!doesCommandExist(commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
+                if (!_apiNameCmdClassMap.containsKey(commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
                     s_logger.debug("The given command:" + commandName + " does not exist or it is not available for user with id:" + userId);
                     throw new ServerApiException(BaseCmd.UNSUPPORTED_ACTION_ERROR, "The given command does not exist or it is not available for user");
                 }
@@ -780,18 +780,9 @@ public class ApiServer implements HttpRequestHandler {
         return true;
     }
 
-    private boolean doesCommandExist(String apiName) {
-        for (APIChecker apiChecker : _apiAccessCheckers) {
-            // If any checker has api info on the command, return true
-            if (apiChecker.checkExistence(apiName))
-                return true;
-        }
-        return false;
-    }
-
-    private boolean isCommandAvailable(User user, String commandName) {
+    private boolean isCommandAvailable(User user, String commandName) throws PermissionDeniedException {
         if (user == null) {
-            return false;
+            throw new PermissionDeniedException("User is null for role based API access check for command" + commandName);
         }
 
         Account account = _accountMgr.getAccount(user.getAccountId());