Use IAMService to implement QuerySelector adapter.

api/src/org/apache/cloudstack/acl/QuerySelector.java

@@ -24,35 +24,35 @@ import com.cloud.utils.component.Adapter;
 /**
  * QueryChecker returns granted access at domain, account or resource level.
  */
-public interface QueryChecker extends Adapter {
+public interface QuerySelector extends Adapter {
 
     /**
-    * List granted domains for the caller, given a specific entity type.
+    * List granted domains for the caller, given a specific action.
     *
     * @param caller account to check against.
-    * @param entityType entity type
+    * @param action action
     * @return list of domain Ids granted to the caller account.
     */
-    List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType);
+    List<Long> getAuthorizedDomains(Account caller, String action);
 
     /**
-    * List granted accounts for the caller, given a specific entity type.
+    * List granted accounts for the caller, given a specific action.
     *
     * @param caller account to check against.
-    * @param entityType entity type
+    * @param action action.
     * @return list of domain Ids granted to the caller account.
     */
-    List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType);
+    List<Long> getAuthorizedAccounts(Account caller, String action);
 
 
     /**
-    * List granted resources for the caller, given a specific entity type.
+    * List granted resources for the caller, given a specific action.
     *
     * @param caller account to check against.
-    * @param entityType entity type
+    * @param action action.
     * @return list of domain Ids granted to the caller account.
     */
-    List<Long> getAuthorizedResources(Account caller, AclEntityType entityType);
+    List<Long> getAuthorizedResources(Account caller, String action);
 
 
 }

plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java

@@ -20,32 +20,32 @@ import java.util.List;
 
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.acl.AclEntityType;
+import org.apache.cloudstack.acl.QuerySelector;
-import org.apache.cloudstack.acl.QueryChecker;
 
 import com.cloud.user.Account;
 import com.cloud.utils.component.AdapterBase;
 
-public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
+public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
 
-    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
+    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
 
     @Override
-    public List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType) {
+    public List<Long> getAuthorizedDomains(Account caller, String action) {
         // TODO Auto-generated method stub
         return null;
     }
 
     @Override
-    public List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType) {
+    public List<Long> getAuthorizedAccounts(Account caller, String action) {
         // TODO Auto-generated method stub
         return null;
     }
 
     @Override
-    public List<Long> getAuthorizedResources(Account caller, AclEntityType entityType) {
+    public List<Long> getAuthorizedResources(Account caller, String action) {
         // TODO Auto-generated method stub
         return null;
     }
 
+
 }

services/iam/plugin/pom.xml

@@ -42,5 +42,10 @@
       <artifactId>cloud-server</artifactId>
       <version>${project.version}</version>    
     </dependency>  
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-iam</artifactId>
+      <version>${project.version}</version>    
+    </dependency>            
   </dependencies> 
 </project>

services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java

@@ -56,11 +56,5 @@ public interface AclService {
 
     List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
 
-    /* Visibility related interfaces */
-    List<Long> getGrantedDomains(long accountId, String action);
-
-    List<Long> getGrantedAccounts(long accountId, String action);
-
-    List<Long> getGrantedResources(long accountId, String action);
 
 }

services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java

@@ -27,7 +27,6 @@ import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.acl.dao.AclApiPermissionDao;
 import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
 import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
@@ -676,61 +675,4 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
         return policies;
     }
 
-    @Override
-    public List<Long> getGrantedDomains(long accountId, String action) {
-        // Get the static Policies of the Caller
-        List<AclPolicy> policies = listAclPolicies(accountId);
-        // for each policy, find granted permission with Domain scope
-        List<Long> domainIds = new ArrayList<Long>();
-        for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN);
-            if (pp != null) {
-                for (AclPolicyPermissionVO p : pp) {
-                    if (p.getScopeId() != null) {
-                        domainIds.add(p.getScopeId());
-                    }
-                }
-            }
-        }
-        return domainIds;
-    }
-
-    @Override
-    public List<Long> getGrantedAccounts(long accountId, String action) {
-        // Get the static Policies of the Caller
-        List<AclPolicy> policies = listAclPolicies(accountId);
-        // for each policy, find granted permission with Account scope
-        List<Long> accountIds = new ArrayList<Long>();
-        for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT);
-            if (pp != null) {
-                for (AclPolicyPermissionVO p : pp) {
-                    if (p.getScopeId() != null) {
-                        accountIds.add(p.getScopeId());
-                    }
-                }
-            }
-        }
-        return accountIds;
-    }
-
-    @Override
-    public List<Long> getGrantedResources(long accountId, String action) {
-        // Get the static Policies of the Caller
-        List<AclPolicy> policies = listAclPolicies(accountId);
-        // for each policy, find granted permission with Resource scope
-        List<Long> entityIds = new ArrayList<Long>();
-        for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE);
-            if (pp != null) {
-                for (AclPolicyPermissionVO p : pp) {
-                    if (p.getScopeId() != null) {
-                        entityIds.add(p.getScopeId());
-                    }
-                }
-            }
-        }
-        return entityIds;
-    }
-
 }

services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java

@@ -1,51 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.entity;
-
-import java.util.List;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.QueryChecker;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.AdapterBase;
-
-public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
-
-    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
-
-    @Override
-    public List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedResources(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-}

services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java

@@ -0,0 +1,103 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.entity;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.inject.Inject;
+
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.QuerySelector;
+import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
+import org.apache.cloudstack.iam.api.IAMService;
+
+import com.cloud.user.Account;
+import com.cloud.utils.component.AdapterBase;
+
+public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
+
+    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
+
+    @Inject
+    IAMService _iamService;
+
+    @Override
+    public List<Long> getAuthorizedDomains(Account caller, String action) {
+        long accountId = caller.getAccountId();
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+        // for each policy, find granted permission with Domain scope
+        List<Long> domainIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.DOMAIN.toString());
+            if (pp != null) {
+                for (AclPolicyPermission p : pp) {
+                    if (p.getScopeId() != null) {
+                        domainIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return domainIds;
+    }
+
+    @Override
+    public List<Long> getAuthorizedAccounts(Account caller, String action) {
+        long accountId = caller.getAccountId();
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+        // for each policy, find granted permission with Account scope
+        List<Long> accountIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ACCOUNT.toString());
+            if (pp != null) {
+                for (AclPolicyPermission p : pp) {
+                    if (p.getScopeId() != null) {
+                        accountIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return accountIds;
+    }
+
+    @Override
+    public List<Long> getAuthorizedResources(Account caller, String action) {
+        long accountId = caller.getAccountId();
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+        // for each policy, find granted permission with Resource scope
+        List<Long> entityIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.RESOURCE.toString());
+            if (pp != null) {
+                for (AclPolicyPermission p : pp) {
+                    if (p.getScopeId() != null) {
+                        entityIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return entityIds;
+    }
+
+
+}

services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java

@@ -50,8 +50,11 @@ public interface IAMService {
     AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
             String action);
 
+    List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
+
     boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
 
     List<Long> getGrantedEntities(long accountId, String action, String scope);
 
+
 }

services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java

@@ -24,8 +24,10 @@ import javax.inject.Inject;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 import org.apache.cloudstack.iam.api.IAMService;
 import org.apache.cloudstack.iam.server.dao.AclGroupAccountMapDao;
@@ -33,7 +35,6 @@ import org.apache.cloudstack.iam.server.dao.AclGroupDao;
 import org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDao;
-import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
@@ -539,5 +540,12 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
         return entityIds;
     }
 
+    @Override
+    public List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope) {
+        List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policyId, action, scope);
+        List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
+        pl.addAll(pp);
+        return pl;
+    }
 
 }