diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index 5e7d10ec5c8..8e09501d045 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.acl.api;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -24,13 +25,16 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.AclEntityType;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.acl.api.response.AclGroupResponse;
+import org.apache.cloudstack.acl.api.response.AclPermissionResponse;
 import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
 import org.apache.cloudstack.iam.api.AclPolicyPermission;
@@ -39,6 +43,7 @@ import org.apache.cloudstack.iam.api.IAMService;
 import com.cloud.api.ApiServerService;
 import com.cloud.domain.Domain;
+import com.cloud.domain.DomainVO;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
@@ -47,7 +52,11 @@ import com.cloud.storage.Snapshot;
 import com.cloud.storage.Volume;
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.user.AccountVO;
+import com.cloud.user.dao.AccountDao;
 import com.cloud.uservm.UserVm;
+import com.cloud.utils.Pair;
 import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
@@ -67,6 +76,12 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
 @Inject
 DomainDao _domainDao;
+ @Inject
+ AccountDao _accountDao;
+
+ @Inject
+ AccountManager _accountMgr;
+
 public static HashMap entityClassMap = new HashMap();
@@ -278,27 +293,142 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
 @Override
 public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) {
- // TODO Auto-generated method stub
- return null;
+ AclPolicyResponse response = new AclPolicyResponse();
+ response.setId(policy.getUuid());
+ response.setName(policy.getName());
+ response.setDescription(policy.getDescription());
+ String domainPath = policy.getPath();
+ if (domainPath != null) {
+ DomainVO domain = _domainDao.findDomainByPath(domainPath);
+ if (domain != null) {
+ response.setDomainId(domain.getUuid());
+ response.setDomainName(domain.getName());
+ }
+ }
+ long accountId = policy.getAccountId();
+ AccountVO owner = _accountDao.findById(accountId);
+ if (owner != null) {
+ response.setAccountName(owner.getAccountName());
+ }
+ // find permissions associated with this policy
+ List permissions = _iamSrv.listPolicyPermissions(policy.getId());
+ if (permissions != null && permissions.size() > 0) {
+ for (AclPolicyPermission permission : permissions) {
+ AclPermissionResponse perm = new AclPermissionResponse();
+ perm.setAction(permission.getAction());
+ perm.setEntityType(AclEntityType.valueOf(permission.getEntityType()));
+ perm.setScope(PermissionScope.valueOf(permission.getScope()));
+ perm.setScopeId(permission.getScopeId());
+ perm.setPermission(permission.getPermission());
+ response.addPermission(perm);
+ }
+ }
+ response.setObjectName("aclpolicy");
+ return response;
 }
 @Override
 public AclGroupResponse createAclGroupResponse(AclGroup group) {
- // TODO Auto-generated method stub
- return null;
+ AclGroupResponse response = new AclGroupResponse();
+ response.setId(group.getUuid());
+ response.setName(group.getName());
+ response.setDescription(group.getDescription());
+ String domainPath = group.getPath();
+ if (domainPath != null) {
+ DomainVO domain = _domainDao.findDomainByPath(domainPath);
+ if (domain != null) {
+ response.setDomainId(domain.getUuid());
+ response.setDomainName(domain.getName());
+ }
+ }
+ long accountId = group.getAccountId();
+ AccountVO owner = _accountDao.findById(accountId);
+ if (owner != null) {
+ response.setAccountName(owner.getAccountName());
+ }
+ // find all the members in this group
+ List members = _iamSrv.listAccountsByGroup(group.getId());
+ if (members != null && members.size() > 0) {
+ for (Long member : members) {
+ AccountVO mem = _accountDao.findById(accountId);
+ if (mem != null) {
+ response.addMemberAccount(mem.getAccountName());
+ }
+ }
+ }
+
+ // find all the policies attached to this group
+ List policies = _iamSrv.listAclPoliciesByGroup(group.getId());
+ if (policies != null && policies.size() > 0) {
+ for (AclPolicy policy : policies) {
+ response.addPolicy(policy.getName());
+ }
+ }
+
+ response.setObjectName("aclgroup");
+ return response;
+
 }
 @Override
- public ListResponse listAclGroups(Long aclGroupId, String aclGroupName, Long domainId, Long startIndex, Long pageSize) {
- // TODO Auto-generated method stub
- return null;
+ public ListResponse listAclGroups(Long aclGroupId, String aclGroupName, Long domainId, Long startIndex, Long pageSize) {
+ // acl check
+ Account caller = CallContext.current().getCallingAccount();
+
+ Domain domain = null;
+ if (domainId != null) {
+ domain = _domainDao.findById(domainId);
+ if (domain == null) {
+ throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
+ }
+
+ _accountMgr.checkAccess(caller, domain);
+ } else {
+ domain = _domainDao.findById(caller.getDomainId());
+ }
+ String domainPath = domain.getPath();
+ // search for groups
+ Pair, Integer> result = _iamSrv.listAclGroups(aclGroupId, aclGroupName, domainPath, startIndex, pageSize);
+ // generate group response
+ ListResponse response = new ListResponse();
+ List groupResponses = new ArrayList();
+ for (AclGroup group : result.first()) {
+ AclGroupResponse resp = createAclGroupResponse(group);
+ groupResponses.add(resp);
+ }
+ response.setResponses(groupResponses, result.second());
+ return response;
 }
 @Override
- public ListResponse listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex,
+ public ListResponse listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex,
 Long pageSize) {
- // TODO Auto-generated method stub
- return null;
+ // acl check
+ Account caller = CallContext.current().getCallingAccount();
+
+ Domain domain = null;
+ if (domainId != null) {
+ domain = _domainDao.findById(domainId);
+ if (domain == null) {
+ throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
+ }
+
+ _accountMgr.checkAccess(caller, domain);
+ } else {
+ domain = _domainDao.findById(caller.getDomainId());
+ }
+ String domainPath = domain.getPath();
+ // search for policies
+ Pair, Integer> result = _iamSrv.listAclPolicies(aclPolicyId, aclPolicyName, domainPath, startIndex, pageSize);
+ // generate policy response
+ ListResponse response = new ListResponse();
+ List policyResponses = new ArrayList();
+ for (AclPolicy policy : result.first()) {
+ AclPolicyResponse resp = createAclPolicyResponse(policy);
+ policyResponses.add(resp);
+ }
+ response.setResponses(policyResponses, result.second());
+ return response;
 }
 }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/response/AclPermissionResponse.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/response/AclPermissionResponse.java
index 8ad662a9ce9..dd510d4a5ae 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/response/AclPermissionResponse.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/response/AclPermissionResponse.java
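Review bot: In createAclGroupResponse the member loop calls `_accountDao.findById(accountId)`, which is the group owner's id captured a few lines earlier, instead of the loop variable, so the response repeats the owner's account name once per member and never reports the actual members; the line should read `AccountVO mem = _accountDao.findById(member);`. In listAclGroups and listAclPolicies the `else` branch does not null-check `_domainDao.findById(caller.getDomainId())` before `domain.getPath()`, unlike the `domainId != null` branch, so a caller whose domain row is missing gets a NullPointerException instead of a clear error. `AclEntityType.valueOf` and `PermissionScope.valueOf` in createAclPolicyResponse turn any unexpected stored entity-type or scope string into an IllegalArgumentException that aborts the whole listing rather than skipping the one row, which is worth either documenting as an invariant of the stored data or guarding.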
@@ -19,10 +19,10 @@ package org.apache.cloudstack.acl.api.response;
 import com.google.gson.annotations.SerializedName;
 import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.AclPolicyPermission;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import com.cloud.serializer.Param;
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/AclGroup.java b/services/iam/server/src/org/apache/cloudstack/iam/api/AclGroup.java
index a64ca7f3fd8..56ba0eddec8 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/AclGroup.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/AclGroup.java
@@ -25,4 +25,8 @@ public interface AclGroup {
 long getId();
 String getUuid();
+
+ String getPath();
+
+ long getAccountId();
 }
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicy.java b/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicy.java
index 0794888acb3..db309c88212 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicy.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicy.java
@@ -29,4 +29,8 @@ public interface AclPolicy {
 long getId();
 String getUuid();
+
+ String getPath();
+
+ long getAccountId();
 }
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index ed82f65eeeb..355e8cfed9a 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -20,6 +20,8 @@ import java.util.List;
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
+import com.cloud.utils.Pair;
+
 public interface IAMService {
 /* ACL group related interfaces */
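Review bot: The new `getPath()` and `getAccountId()` on AclGroup and AclPolicy carry no Javadoc, and the name `path` alone does not say that it is the owning domain's path (AclApiServiceImpl resolves it with `_domainDao.findDomainByPath`, and the VO implementations map it to a `path` column). A one-line Javadoc on each declaration, `/** Path of the domain that owns this group; used as a domain-scoping prefix when listing. */` and `/** Id of the owning account. */`, would make the contract explicit for other implementors; the same applies to the AclPolicy hunk just below.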
@@ -33,6 +35,10 @@ public interface IAMService {
 AclGroup removeAccountsFromGroup(List acctIds, Long groupId);
+ List listAccountsByGroup(long groupId);
+
+ Pair, Integer> listAclGroups(Long aclGroupId, String aclGroupName, String path, Long startIndex, Long pageSize);
+
 /* ACL Policy related interfaces */
 AclPolicy createAclPolicy(String aclPolicyName, String description, Long parentPolicyId);
@@ -40,6 +46,10 @@ public interface IAMService {
 List listAclPolicies(long accountId);
+ List listAclPoliciesByGroup(long groupId);
+
+ Pair, Integer> listAclPolicies(Long aclPolicyId, String aclPolicyName, String path, Long startIndex, Long pageSize);
+
 AclGroup attachAclPoliciesToGroup(List policyIds, Long groupId);
 AclGroup removeAclPoliciesFromGroup(List policyIds, Long groupId);
@@ -52,6 +62,8 @@ public interface IAMService {
 AclPolicy getResourceOwnerPolicy();
+ List listPolicyPermissions(long policyId);
+
 List listPolicyPermissionsByScope(long policyId, String action, String scope);
 List listPollcyPermissionByEntityType(long policyId, String action, String entityType);
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/AclGroupVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/AclGroupVO.java
index 892803d7461..69d20d2118a 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/AclGroupVO.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/AclGroupVO.java
@@ -50,6 +50,9 @@ public class AclGroupVO implements AclGroup {
 @Column(name = "path")
 private String path;
+ @Column(name = "account_id")
+ private long accountId;
+
 @Column(name = GenericDao.REMOVED_COLUMN)
 private Date removed;
@@ -82,6 +85,7 @@ public class AclGroupVO implements AclGroup {
 return description;
 }
+ @Override
 public String getPath() {
 return path;
 }
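Review bot: The `path` parameter of the new IAMService.listAclGroups and listAclPolicies is undocumented, yet the implementation in IAMServiceImpl treats it as a mandatory domain-path prefix (`path + "%"` in a LIKE) rather than an exact value, and null is not rejected there. A Javadoc `@param path domain path that results must fall under (prefix match); must not be null` on both declarations would tell callers what scoping they are getting. `startIndex` and `pageSize` are passed straight through to the DAO filter, so any page-size cap presumably has to be enforced by the API layer; worth stating in the same Javadoc.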
@@ -90,6 +94,15 @@ public class AclGroupVO implements AclGroup {
 this.path = path;
 }
+ @Override
+ public long getAccountId() {
+ return accountId;
+ }
+
+ public void setAccountId(long acctId) {
+ accountId = acctId;
+ }
+
 @Override
 public String getUuid() {
 return uuid;
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/AclPolicyVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/AclPolicyVO.java
index e6e30ca7ea5..f3ceb0495ca 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/AclPolicyVO.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/AclPolicyVO.java
@@ -49,8 +49,8 @@ public class AclPolicyVO implements AclPolicy {
 @Column(name = "uuid")
 private String uuid;
- @Column(name = "domain_id")
- private long domainId;
+ @Column(name = "path")
+ private String path;
 @Column(name = "account_id")
 private long accountId;
@@ -109,14 +109,16 @@ public class AclPolicyVO implements AclPolicy {
 return created;
 }
- public long getDomainId() {
- return domainId;
+ @Override
+ public String getPath() {
+ return path;
 }
- public void setDomainId(long domainId) {
- this.domainId = domainId;
+ public void setPath(String path) {
+ this.path = path;
 }
+ @Override
 public long getAccountId() {
 return accountId;
 }
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 8c87afc860e..5695996aabb 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
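Review bot: AclPolicyVO remaps its persisted column from `domain_id` (long) to `path` (String), and AclGroupVO in the previous hunk adds an `account_id` column, but no schema or upgrade script is part of this diff; unless the tables are (re)created elsewhere in the same commit, the entities no longer match the existing tables and the new LIKE-on-path searches would fail at runtime. If the schema change lives in another commit, a pointer to it in the commit message would help; either way a short field comment, `// path of the owning domain; matched as a prefix by IAMServiceImpl.listAclPolicies`, would record why the domain is now stored as a path rather than an id.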
@@ -36,14 +36,14 @@ import org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDao;
-import com.cloud.event.ActionEvent;
-import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.user.Account;
+import com.cloud.utils.Pair;
 import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
 import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.db.Filter;
 import com.cloud.utils.db.GenericSearchBuilder;
 import com.cloud.utils.db.JoinBuilder.JoinType;
 import com.cloud.utils.db.SearchBuilder;
@@ -204,6 +204,52 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
 return group;
 }
+ @Override
+ public List listAccountsByGroup(long groupId) {
+ List grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId);
+ if (grpAcctMap == null || grpAcctMap.size() == 0) {
+ return new ArrayList();
+ }
+
+ List accts = new ArrayList();
+ for (AclGroupAccountMapVO grpAcct : grpAcctMap) {
+ accts.add(grpAcct.getAccountId());
+ }
+ return accts;
+ }
+
+ @Override
+ public Pair, Integer> listAclGroups(Long aclGroupId, String aclGroupName, String path, Long startIndex, Long pageSize) {
+ if (aclGroupId != null) {
+ AclGroup group = _aclGroupDao.findById(aclGroupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group by id " + aclGroupId);
+ }
+ }
+
+ Filter searchFilter = new Filter(AclGroupVO.class, "id", true, startIndex, pageSize);
+
+ SearchBuilder sb = _aclGroupDao.createSearchBuilder();
+ sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
+ sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
+ sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
+
+ SearchCriteria sc = sb.create();
+
+ if (aclGroupName != null) {
+ sc.setParameters("name", aclGroupName);
+ }
+
+ if (aclGroupId != null) {
+ sc.setParameters("id", aclGroupId);
+ }
+
+ sc.setParameters("path", path + "%");
+
+ Pair, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter);
+ return new Pair, Integer>(new ArrayList(groups.first()), groups.second());
+ }
+
 @DB
 @Override
 public AclPolicy createAclPolicy(final String aclPolicyName, final String description, final Long parentPolicyId) {
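Review bot: listAclGroups looks up `_aclGroupDao.findById(aclGroupId)` and throws `Unable to find acl group by id` before the domain-path filter is applied, so a caller outside the group's domain tree receives a different response for an id that does not exist than for one it is not permitted to see, which reveals whether arbitrary ids exist; listAclPolicies in the next hunk has the same ordering. Dropping the pre-check and treating an empty scoped search result as "not found" (or running the existence check only after the path filter matches) removes that distinction. The `path + "%"` pattern is a plain prefix match: if domain paths are not guaranteed to end with a separator (not visible in this diff), `/ROOT/a` also matches `/ROOT/ab/`, and a null `path` becomes the literal pattern `null%`, so a `Objects.requireNonNull(path, "path")` at the top would make the contract explicit. Values are bound through SearchCriteria rather than concatenated into SQL, so there is no injection concern here.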
@@ -304,6 +350,60 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
 return new ArrayList(policies);
 }
+ @Override
+ public List listAclPoliciesByGroup(long groupId) {
+ List policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
+ if (policyGrpMap == null || policyGrpMap.size() == 0) {
+ return new ArrayList();
+ }
+
+ List policyIds = new ArrayList();
+ for (AclGroupPolicyMapVO pg : policyGrpMap) {
+ policyIds.add(pg.getAclPolicyId());
+ }
+
+ SearchBuilder sb = _aclPolicyDao.createSearchBuilder();
+ sb.and("ids", sb.entity().getId(), Op.IN);
+ SearchCriteria sc = sb.create();
+ sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+ List policies = _aclPolicyDao.customSearch(sc, null);
+
+ return new ArrayList(policies);
+ }
+
+ @Override
+ public Pair, Integer> listAclPolicies(Long aclPolicyId, String aclPolicyName, String path, Long startIndex, Long pageSize) {
+
+ if (aclPolicyId != null) {
+ AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy by id " + aclPolicyId);
+ }
+ }
+
+ Filter searchFilter = new Filter(AclPolicyVO.class, "id", true, startIndex, pageSize);
+
+ SearchBuilder sb = _aclPolicyDao.createSearchBuilder();
+ sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
+ sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
+ sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
+
+ SearchCriteria sc = sb.create();
+
+ if (aclPolicyName != null) {
+ sc.setParameters("name", aclPolicyName);
+ }
+
+ if (aclPolicyId != null) {
+ sc.setParameters("id", aclPolicyId);
+ }
+
+ sc.setParameters("path", path + "%");
+
+ Pair, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
+ return new Pair, Integer>(new ArrayList(policies.first()), policies.second());
+ }
+
 @DB
 @Override
 public AclGroup attachAclPoliciesToGroup(final List policyIds, final Long groupId) {
@@ -527,6 +627,14 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
 return entityIds;
 }
+ @Override
+ public List listPolicyPermissions(long policyId) {
+ List pp = _policyPermissionDao.listByPolicy(policyId);
+ List pl = new ArrayList();
+ pl.addAll(pp);
+ return pl;
+ }
+
 @Override
 public List listPolicyPermissionsByScope(long policyId, String action, String scope) {
 List pp = _policyPermissionDao.listGrantedByActionAndScope(policyId, action, scope);
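Review bot: listPolicyPermissions calls `pl.addAll(pp)` without the null guard that the sibling listAccountsByGroup and listAclPoliciesByGroup apply to their DAO results, so a null from `_policyPermissionDao.listByPolicy` would surface as a NullPointerException inside createAclPolicyResponse, which itself null-checks this method's return value and so evidently expects null to be possible. The two-step copy can also match the neighbouring `return new ArrayList(policies);` shape: `return pp == null ? new ArrayList<AclPolicyPermission>() : new ArrayList<AclPolicyPermission>(pp);`. A one-line Javadoc, `/** All permissions attached to the policy, as a detached copy. */`, would document the copy semantics callers can rely on.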