diff --git a/api/src/org/apache/cloudstack/acl/APIChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java index 61dd7de75cb..b14dfe101ba 100644 --- a/api/src/org/apache/cloudstack/acl/APIChecker.java +++ b/api/src/org/apache/cloudstack/acl/APIChecker.java @@ -16,13 +16,12 @@ // under the License. package org.apache.cloudstack.acl; +import com.cloud.exception.PermissionDeniedException; import org.apache.cloudstack.acl.RoleType; import com.cloud.utils.component.Adapter; // APIChecker checks the ownership and access control to API requests public interface APIChecker extends Adapter { // Interface for checking access for a role using apiname - boolean checkAccess(RoleType roleType, String apiCommandName); - // Interface for checking existence of an api by name - boolean checkExistence(String apiCommandName); + boolean checkAccess(RoleType roleType, String apiCommandName) throws PermissionDeniedException; } diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java index 380b6714517..affd69ed89c 100644 --- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java +++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java @@ -16,6 +16,7 @@ // under the License. package org.apache.cloudstack.acl; +import com.cloud.exception.PermissionDeniedException; import com.cloud.server.ManagementServer; import com.cloud.utils.component.AdapterBase; import com.cloud.utils.component.ComponentLocator; @@ -48,17 +49,13 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC } @Override - public boolean checkAccess(RoleType roleType, String commandName) { - return s_roleBasedApisMap.get(roleType).contains(commandName); - } - - @Override - public boolean checkExistence(String apiName) { - for (RoleType roleType: RoleType.values()) { - if (s_roleBasedApisMap.get(roleType).contains(apiName)) - return true; + public boolean checkAccess(RoleType roleType, String commandName) + throws PermissionDeniedException { + boolean isAllowed = s_roleBasedApisMap.get(roleType).contains(commandName); + if (!isAllowed) { + throw new PermissionDeniedException("The API does not exist or is blacklisted. Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName); } - return false; + return isAllowed; } @Override diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java index 52f2aef56cb..03462e488ef 100755 --- a/server/src/com/cloud/api/ApiServer.java +++ b/server/src/com/cloud/api/ApiServer.java @@ -556,7 +556,7 @@ public class ApiServer implements HttpRequestHandler { return true; } else { // check against every available command to see if the command exists or not - if (!doesCommandExist(commandName) && !commandName.equals("login") && !commandName.equals("logout")) { + if (!_apiNameCmdClassMap.containsKey(commandName) && !commandName.equals("login") && !commandName.equals("logout")) { s_logger.debug("The given command:" + commandName + " does not exist or it is not available for user with id:" + userId); throw new ServerApiException(BaseCmd.UNSUPPORTED_ACTION_ERROR, "The given command does not exist or it is not available for user"); } @@ -780,18 +780,9 @@ public class ApiServer implements HttpRequestHandler { return true; } - private boolean doesCommandExist(String apiName) { - for (APIChecker apiChecker : _apiAccessCheckers) { - // If any checker has api info on the command, return true - if (apiChecker.checkExistence(apiName)) - return true; - } - return false; - } - - private boolean isCommandAvailable(User user, String commandName) { + private boolean isCommandAvailable(User user, String commandName) throws PermissionDeniedException { if (user == null) { - return false; + throw new PermissionDeniedException("User is null for role based API access check for command" + commandName); } Account account = _accountMgr.getAccount(user.getAccountId());