From kis...@apache.org
Subject git commit: updated refs/heads/master to 587f587
Date Mon, 09 Dec 2013 16:28:12 GMT
Updated Branches:
  refs/heads/master 088247b61 -> 587f58762


CLOUDSTACK-5145 : Added permission checks while listing network ACLs and acl Items. Users
will be able to list items that they have access to.

Conflicts:
	api/src/com/cloud/network/vpc/NetworkACLService.java
	api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
	server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
	server/test/com/cloud/vpc/NetworkACLServiceTest.java


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/587f5876
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/587f5876
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/587f5876

Branch: refs/heads/master
Commit: 587f5876217f268646f6fe03c9f57f5796400aa6
Parents: 088247b
Author: Kishan Kavala <kishan@cloud.com>
Authored: Mon Dec 9 19:49:17 2013 +0530
Committer: Kishan Kavala <kishan@cloud.com>
Committed: Mon Dec 9 21:57:47 2013 +0530

----------------------------------------------------------------------
 .../cloud/network/vpc/NetworkACLService.java    |   8 +-
 .../user/network/ListNetworkACLListsCmd.java    |   9 +-
 .../network/vpc/NetworkACLServiceImpl.java      | 111 ++++++++++++++++---
 .../com/cloud/vpc/NetworkACLServiceTest.java    |   8 ++
 4 files changed, 112 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/api/src/com/cloud/network/vpc/NetworkACLService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/vpc/NetworkACLService.java b/api/src/com/cloud/network/vpc/NetworkACLService.java
index 56a2180..db37833 100644
--- a/api/src/com/cloud/network/vpc/NetworkACLService.java
+++ b/api/src/com/cloud/network/vpc/NetworkACLService.java
@@ -19,6 +19,7 @@ package com.cloud.network.vpc;
 import java.util.List;
 
 import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
+import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 
 import com.cloud.exception.ResourceUnavailableException;
@@ -43,13 +44,10 @@ public interface NetworkACLService {
 
     /**
      * List NetworkACLs by Id/Name/Network or Vpc it belongs to
-     * @param id
-     * @param name
-     * @param networkId
-     * @param vpcId
+     * @param cmd
      * @return
      */
-    Pair<List<? extends NetworkACL>, Integer> listNetworkACLs(Long id, String
name, Long networkId, Long vpcId);
+    Pair<List<? extends NetworkACL>,Integer> listNetworkACLs(ListNetworkACLListsCmd
cmd);
 
     /**
      * Delete specified network ACL. Deletion fails if the list is not empty
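Review bot: The rewritten Javadoc on `listNetworkACLs` leaves `@param cmd` and `@return` without text, which is the one place a caller of the interface learns that the command object now also carries the account, domain, project and listAll scoping that drives the new permission filtering. Suggest `@param cmd list command carrying id, name, networkId, vpcId and the account/domain/project scoping parameters` and `@return matching ACLs paired with a count (presumably the total matching rows)`. Whether the Integer is a total-row count or something else is not visible in this hunk, so that wording should be confirmed against the implementation.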

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
index 6dd5965..56aad94 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
@@ -24,6 +24,7 @@ import org.apache.log4j.Logger;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListCmd;
+import org.apache.cloudstack.api.BaseListProjectAndAccountResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.api.response.NetworkACLResponse;
@@ -33,8 +34,8 @@ import org.apache.cloudstack.api.response.VpcResponse;
 import com.cloud.network.vpc.NetworkACL;
 import com.cloud.utils.Pair;
 
-@APICommand(name = "listNetworkACLLists", description = "Lists all network ACLs", responseObject
= NetworkACLResponse.class)
-public class ListNetworkACLListsCmd extends BaseListCmd {
+@APICommand(name = "listNetworkACLLists", description="Lists all network ACLs", responseObject=NetworkACLResponse.class)
+public class ListNetworkACLListsCmd extends BaseListProjectAndAccountResourcesCmd {
     public static final Logger s_logger = Logger.getLogger(ListNetworkACLListsCmd.class.getName());
 
     private static final String s_name = "listnetworkacllistsresponse";
@@ -84,8 +85,8 @@ public class ListNetworkACLListsCmd extends BaseListCmd {
     }
 
     @Override
-    public void execute() {
-        Pair<List<? extends NetworkACL>, Integer> result = _networkACLService.listNetworkACLs(getId(),
getName(), getNetworkId(), getVpcId());
+    public void execute(){
+        Pair<List<? extends NetworkACL>,Integer> result = _networkACLService.listNetworkACLs(this);
         ListResponse<NetworkACLResponse> response = new ListResponse<NetworkACLResponse>();
         List<NetworkACLResponse> aclResponses = new ArrayList<NetworkACLResponse>();
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 6453934..90a6394 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -23,6 +23,8 @@ import java.util.Map;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import com.cloud.network.vpc.dao.VpcDao;
+import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
@@ -87,6 +89,8 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
     VpcManager _vpcMgr;
     @Inject
     EntityManager _entityMgr;
+    @Inject
+    VpcDao _vpcDao;
 
     @Override
     public NetworkACL createNetworkACL(String name, String description, long vpcId) {
@@ -105,13 +109,19 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
     }
 
     @Override
-    public Pair<List<? extends NetworkACL>, Integer> listNetworkACLs(Long id,
String name, Long networkId, Long vpcId) {
+    public Pair<List<? extends NetworkACL>, Integer> listNetworkACLs(ListNetworkACLListsCmd
cmd) {
+        Long id = cmd.getId();
+        String name = cmd.getName();
+        Long networkId = cmd.getNetworkId();
+        Long vpcId = cmd.getVpcId();
         SearchBuilder<NetworkACLVO> sb = _networkACLDao.createSearchBuilder();
         sb.and("id", sb.entity().getId(), Op.EQ);
         sb.and("name", sb.entity().getName(), Op.EQ);
         sb.and("vpcId", sb.entity().getVpcId(), Op.IN);
 
-        if (networkId != null) {
+        Account caller = CallContext.current().getCallingAccount();
+
+        if(networkId != null){
             SearchBuilder<NetworkVO> network = _networkDao.createSearchBuilder();
             network.and("networkId", network.entity().getId(), Op.EQ);
             sb.join("networkJoin", network, sb.entity().getId(), network.entity().getNetworkACLId(),
JoinBuilder.JoinType.INNER);
@@ -126,9 +136,44 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             sc.setParameters("name", name);
         }
 
-        if (vpcId != null) {
+        if(vpcId != null){
+            Vpc vpc = _entityMgr.findById(Vpc.class, vpcId);
+            if(vpc == null){
+                throw new InvalidParameterValueException("Unable to find VPC");
+            }
+            _accountMgr.checkAccess(caller, null, true, vpc);
             //Include vpcId 0 to list default ACLs
             sc.setParameters("vpcId", vpcId, 0);
+        } else {
+            //ToDo: Add accountId to network_acl table for permission check
+
+            // VpcId is not specified. Find permitted VPCs for the caller
+            // and list ACLs belonging to the permitted VPCs
+            List<Long> permittedAccounts = new ArrayList<Long>();
+            Long domainId = cmd.getDomainId();
+            boolean isRecursive = cmd.isRecursive();
+            String accountName = cmd.getAccountName();
+            Long projectId = cmd.getProjectId();
+            boolean listAll = cmd.listAll();
+            Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject
= new Ternary<Long, Boolean,
+                    ListProjectResourcesCriteria>(domainId, isRecursive, null);
+            _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts,
domainIdRecursiveListProject,
+                    listAll, false);
+            domainId = domainIdRecursiveListProject.first();
+            isRecursive = domainIdRecursiveListProject.second();
+            ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+            SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
+            _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria);
+            SearchCriteria<VpcVO> scVpc = sbVpc.create();
+            _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria);
+            List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
+            List<Long> vpcIds = new ArrayList<Long>();
+            for (VpcVO vpc : vpcs) {
+                vpcIds.add(vpc.getId());
+            }
+            //Add vpc_id 0 to list default ACLs
+            vpcIds.add(0L);
+            sc.setParameters("vpcId", vpcIds.toArray());
         }
 
         if (networkId != null) {
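Review bot: In the `else` branch the ACL `id` is forwarded as the `id` argument of `_accountMgr.buildACLSearchParameters`; in the CloudStack account manager a non-null id conventionally signals "a single entity is being fetched, the caller checks access itself" and skips adding the caller's account/domain to `permittedAccounts`, though I cannot confirm that from this hunk (the method begins in the preceding hunk). If that is the case, a request with `id` set and no `vpcId` builds an unconstrained VPC search and returns the ACL regardless of ownership, because nothing else in this branch calls `checkAccess`. Consider passing `null` as the id there and, when `id` is given, loading the ACL, resolving its VPC and calling `_accountMgr.checkAccess(caller, null, true, vpc)` as the `vpcId != null` branch does; the item `id` passed to the matching call in the list-items method further down has the same question. The block from `List<Long> permittedAccounts` through `vpcIds.add(0L)` is repeated verbatim in that method and is a clear candidate for a private helper returning the permitted VPC ids. Brace spacing `if(vpcId != null){` also departs from the file's existing `if (networkId != null) {` form.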
@@ -419,20 +464,10 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         String protocol = cmd.getProtocol();
         String action = cmd.getAction();
         Map<String, String> tags = cmd.getTags();
-
         Account caller = CallContext.current().getCallingAccount();
-        List<Long> permittedAccounts = new ArrayList<Long>();
-
-        Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject
=
-            new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(),
cmd.isRecursive(), null);
-        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(),
permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
-        Long domainId = domainIdRecursiveListProject.first();
-        Boolean isRecursive = domainIdRecursiveListProject.second();
-        ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
 
         Filter filter = new Filter(NetworkACLItemVO.class, "id", false, cmd.getStartIndex(),
cmd.getPageSizeVal());
         SearchBuilder<NetworkACLItemVO> sb = _networkACLItemDao.createSearchBuilder();
-        //_accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria);
 
         sb.and("id", sb.entity().getId(), Op.EQ);
         sb.and("aclId", sb.entity().getAclId(), Op.EQ);
@@ -452,8 +487,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             sb.join("tagSearch", tagSearch, sb.entity().getId(), tagSearch.entity().getResourceId(),
JoinBuilder.JoinType.INNER);
         }
 
+        if(aclId == null){
+            //Join with network_acl table when aclId is not specified to list acl_items within
permitted VPCs
+            SearchBuilder<NetworkACLVO> vpcSearch = _networkACLDao.createSearchBuilder();
+            vpcSearch.and("vpcId", vpcSearch.entity().getVpcId(), Op.IN);
+            sb.join("vpcSearch", vpcSearch, sb.entity().getAclId(), vpcSearch.entity().getId(),
JoinBuilder.JoinType.INNER);
+        }
+
         SearchCriteria<NetworkACLItemVO> sc = sb.create();
-        // _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria);
 
         if (id != null) {
             sc.setParameters("id", id);
@@ -468,8 +509,48 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             sc.setParameters("trafficType", trafficType);
         }
 
-        if (aclId != null) {
+        if(aclId != null){
+            // Get VPC and check access
+            NetworkACL acl = _networkACLDao.findById(aclId);
+            if(acl.getVpcId() != 0){
+                Vpc vpc = _vpcDao.findById(acl.getVpcId());
+                if(vpc == null){
+                    throw new InvalidParameterValueException("Unable to find VPC associated
with acl");
+                }
+                _accountMgr.checkAccess(caller, null, true, vpc);
+            }
             sc.setParameters("aclId", aclId);
+        } else {
+            //ToDo: Add accountId to network_acl_item table for permission check
+
+
+            // aclId is not specified
+            // List permitted VPCs and filter aclItems
+            List<Long> permittedAccounts = new ArrayList<Long>();
+            Long domainId = cmd.getDomainId();
+            boolean isRecursive = cmd.isRecursive();
+            String accountName = cmd.getAccountName();
+            Long projectId = cmd.getProjectId();
+            boolean listAll = cmd.listAll();
+            Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject
= new Ternary<Long, Boolean,
+                    ListProjectResourcesCriteria>(domainId, isRecursive, null);
+            _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts,
domainIdRecursiveListProject,
+                    listAll, false);
+            domainId = domainIdRecursiveListProject.first();
+            isRecursive = domainIdRecursiveListProject.second();
+            ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+            SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
+            _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria);
+            SearchCriteria<VpcVO> scVpc = sbVpc.create();
+            _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria);
+            List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
+            List<Long> vpcIds = new ArrayList<Long>();
+            for (VpcVO vpc : vpcs) {
+                vpcIds.add(vpc.getId());
+            }
+            //Add vpc_id 0 to list acl_items in default ACL
+            vpcIds.add(0L);
+            sc.setJoinParameters("vpcSearch", "vpcId", vpcIds.toArray());
         }
 
         if (protocol != null) {
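Review bot: `NetworkACL acl = _networkACLDao.findById(aclId);` is dereferenced on the next line without a null check, so an unknown `aclId` fails with a NullPointerException instead of the InvalidParameterValueException the VPC lookup just below raises; add `if (acl == null) { throw new InvalidParameterValueException("Unable to find ACL"); }` before `if(acl.getVpcId() != 0){`. If `getVpcId()` returns a boxed `Long` (its declaration is not visible here), the `!= 0` comparison unboxes and would also throw on a null vpcId, so `acl.getVpcId() != null && acl.getVpcId() != 0` would be safer. The comment `//ToDo: Add accountId to network_acl_item table for permission check` records an incomplete design; it would help a reader to state what the interim join on `vpcSearch` does and does not cover. The enclosing method starts and ends outside this hunk.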

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/server/test/com/cloud/vpc/NetworkACLServiceTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/NetworkACLServiceTest.java b/server/test/com/cloud/vpc/NetworkACLServiceTest.java
index 820e1b6..aeed99b 100644
--- a/server/test/com/cloud/vpc/NetworkACLServiceTest.java
+++ b/server/test/com/cloud/vpc/NetworkACLServiceTest.java
@@ -20,6 +20,7 @@ import java.util.UUID;
 
 import javax.inject.Inject;
 
+import com.cloud.network.vpc.dao.VpcDao;
 import junit.framework.TestCase;
 
 import org.apache.log4j.Logger;
@@ -86,6 +87,8 @@ public class NetworkACLServiceTest extends TestCase {
     NetworkACLItemDao _networkACLItemDao;
     @Inject
     EntityManager _entityMgr;
+    @Inject
+    VpcDao _vpcDao;
 
     private CreateNetworkACLCmd createACLItemCmd;
     private NetworkACLVO acl;
@@ -246,6 +249,11 @@ public class NetworkACLServiceTest extends TestCase {
             return Mockito.mock(VpcGatewayDao.class);
         }
 
+        @Bean
+        public VpcDao vpcDao () {
+            return Mockito.mock(VpcDao.class);
+        }
+
         public static class Library implements TypeFilter {
             @Override
             public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException
{
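Review bot: The added `vpcDao()` bean only registers a mock; nothing in this hunk exercises the new permission paths, so the behaviour the commit introduces — a caller listing ACLs or items of a VPC it may not access is rejected, and an unknown `vpcId` or `aclId` raises InvalidParameterValueException rather than failing unexpectedly — has no regression test. A test that stubs `_vpcDao.findById` to return a VPC and the account manager's `checkAccess` to reject the caller, then calls `listNetworkACLs` with that `vpcId`, would pin it down. Only part of the test class is visible here, so such a test may exist elsewhere in the file.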

