Return-Path: 
 <cloudstack-commits-return-7782-apmail-incubator-cloudstack-commits-archive=incubator.apache.org@incubator.apache.org>
X-Original-To: apmail-incubator-cloudstack-commits-archive@minotaur.apache.org
Delivered-To: apmail-incubator-cloudstack-commits-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 48958EC7D
	for <apmail-incubator-cloudstack-commits-archive@minotaur.apache.org>;
 Thu, 10 Jan 2013 19:49:59 +0000 (UTC)
Received: (qmail 51720 invoked by uid 500); 10 Jan 2013 19:49:59 -0000
Delivered-To: apmail-incubator-cloudstack-commits-archive@incubator.apache.org
Received: (qmail 51703 invoked by uid 500); 10 Jan 2013 19:49:59 -0000
Mailing-List: contact cloudstack-commits-help@incubator.apache.org;
 run by ezmlm
Precedence: bulk
List-Help: <mailto:cloudstack-commits-help@incubator.apache.org>
List-Unsubscribe: <mailto:cloudstack-commits-unsubscribe@incubator.apache.org>
List-Post: <mailto:cloudstack-commits@incubator.apache.org>
List-Id: <cloudstack-commits.incubator.apache.org>
Reply-To: cloudstack-dev@incubator.apache.org
Delivered-To: mailing list cloudstack-commits@incubator.apache.org
Received: (qmail 51686 invoked by uid 99); 10 Jan 2013 19:49:58 -0000
Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org)
 (140.211.11.114)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Jan 2013 19:49:58 +0000
Received: by tyr.zones.apache.org (Postfix, from userid 65534)
	id B9E461792D; Thu, 10 Jan 2013 19:49:58 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: bhaisaab@apache.org
To: cloudstack-commits@incubator.apache.org
X-Mailer: ASF-Git Admin Mailer
Subject: [2/2] git commit: APIAccessChecker: Make it check based on role type
 and not user
Message-Id: <20130110194958.B9E461792D@tyr.zones.apache.org>
Date: Thu, 10 Jan 2013 19:49:58 +0000 (UTC)

Updated Branches:
  refs/heads/master 1b8e17255 -> 62a42723f


APIAccessChecker: Make it check based on role type and not user

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/62a42723
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/62a42723
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/62a42723

Branch: refs/heads/master
Commit: 62a42723f995279fcaa4a63d9b0be061d32c66ca
Parents: c6d9877
Author: Rohit Yadav <bhaisaab@apache.org>
Authored: Thu Jan 10 11:49:15 2013 -0800
Committer: Rohit Yadav <bhaisaab@apache.org>
Committed: Thu Jan 10 11:49:15 2013 -0800

----------------------------------------------------------------------
 .../apache/cloudstack/acl/APIAccessChecker.java    |    7 +-
 .../acl/StaticRoleBasedAPIAccessChecker.java       |   84 ++++++---------
 server/src/com/cloud/api/ApiServer.java            |   33 ++++++-
 3 files changed, 69 insertions(+), 55 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/62a42723/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java b/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
index 3194bd1..a5c656d 100644
--- a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
+++ b/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
@@ -16,11 +16,8 @@
 // under the License.
 package org.apache.cloudstack.acl;
 
-import java.util.Properties;
-
+import org.apache.cloudstack.acl.RoleType;
 import com.cloud.exception.PermissionDeniedException;
-import com.cloud.user.Account;
-import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
 
 /**
@@ -28,5 +25,5 @@ import com.cloud.utils.component.Adapter;
  */
 public interface APIAccessChecker extends Adapter {
     // Interface for checking access to an API for an user
-    boolean canAccessAPI(User user, String apiCommandName) throws PermissionDeniedException;
+    boolean canAccessAPI(RoleType roleType, String apiCommandName) throws PermissionDeniedException;
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/62a42723/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index d39f87f..43ca403 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -27,80 +27,66 @@ import javax.ejb.Local;
 import javax.naming.ConfigurationException;
 
 import org.apache.cloudstack.acl.APIAccessChecker;
+import org.apache.cloudstack.acl.RoleType;
+import static org.apache.cloudstack.acl.RoleType.*;
 import org.apache.log4j.Logger;
 
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.server.ManagementServer;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.User;
 import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.component.AdapterBase;
 import com.cloud.utils.component.ComponentLocator;
-import com.cloud.utils.component.Inject;
 import com.cloud.utils.component.PluggableService;
 
-/*
- * This is the default API access checker that grab's the user's account
- * based on the account type, access is granted referring to commands in all *.properties files.
- */
-
+// This is the default API access checker that grab's the user's account
+// based on the account type, access is granted
 @Local(value=APIAccessChecker.class)
 public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker {
 
     protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
-    public static final short ADMIN_COMMAND = 1;
-    public static final short DOMAIN_ADMIN_COMMAND = 4;
-    public static final short RESOURCE_DOMAIN_ADMIN_COMMAND = 2;
-    public static final short USER_COMMAND = 8;
-    private static List<String> s_userCommands = null;
-    private static List<String> s_resellerCommands = null; // AKA domain-admin
-    private static List<String> s_adminCommands = null;
-    private static List<String> s_resourceDomainAdminCommands = null;
-    private static List<String> s_allCommands = null;
-
-    protected @Inject AccountManager _accountMgr;
+    private static Set<String> s_userCommands = null;
+    private static Set<String> s_resellerCommands = null; // AKA domain-admin
+    private static Set<String> s_adminCommands = null;
+    private static Set<String> s_resourceDomainAdminCommands = null;
+    private static Set<String> s_allCommands = null;
 
     protected StaticRoleBasedAPIAccessChecker() {
         super();
-        s_allCommands = new ArrayList<String>();
-        s_userCommands = new ArrayList<String>();
-        s_resellerCommands = new ArrayList<String>();
-        s_adminCommands = new ArrayList<String>();
-        s_resourceDomainAdminCommands = new ArrayList<String>();
+        s_allCommands = new HashSet<String>();
+        s_userCommands = new HashSet<String>();
+        s_resellerCommands = new HashSet<String>();
+        s_adminCommands = new HashSet<String>();
+        s_resourceDomainAdminCommands = new HashSet<String>();
     }
 
     @Override
-    public boolean canAccessAPI(User user, String apiCommandName)
+    public boolean canAccessAPI(RoleType roleType, String apiCommandName)
             throws PermissionDeniedException{
 
         boolean commandExists = s_allCommands.contains(apiCommandName);
 
-        if(commandExists && user != null){
-                Long accountId = user.getAccountId();
-                Account userAccount = _accountMgr.getAccount(accountId);
-                short accountType = userAccount.getType();
-                return isCommandAvailableForAccount(accountType, apiCommandName);
+        if(commandExists) {
+            return isCommandAvailableForAccount(roleType, apiCommandName);
         }
 
         return commandExists;
     }
 
-    private static boolean isCommandAvailableForAccount(short accountType, String commandName) {
+    private static boolean isCommandAvailableForAccount(RoleType roleType, String commandName) {
         boolean isCommandAvailable = false;
-        switch (accountType) {
-        case Account.ACCOUNT_TYPE_ADMIN:
-            isCommandAvailable = s_adminCommands.contains(commandName);
-            break;
-        case Account.ACCOUNT_TYPE_DOMAIN_ADMIN:
-            isCommandAvailable = s_resellerCommands.contains(commandName);
-            break;
-        case Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN:
-            isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
-            break;
-        case Account.ACCOUNT_TYPE_NORMAL:
-            isCommandAvailable = s_userCommands.contains(commandName);
-            break;
+        switch (roleType) {
+            case Admin:
+                isCommandAvailable = s_adminCommands.contains(commandName);
+                break;
+            case DomainAdmin:
+                isCommandAvailable = s_resellerCommands.contains(commandName);
+                break;
+            case ResourceAdmin:
+                isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
+                break;
+            case User:
+                isCommandAvailable = s_userCommands.contains(commandName);
+                break;
         }
         return isCommandAvailable;
     }
@@ -157,16 +143,16 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
 
             try {
                 short cmdPermissions = Short.parseShort(mask);
-                if ((cmdPermissions & ADMIN_COMMAND) != 0) {
+                if ((cmdPermissions & Admin.getValue()) != 0) {
                     s_adminCommands.add((String) key);
                 }
-                if ((cmdPermissions & RESOURCE_DOMAIN_ADMIN_COMMAND) != 0) {
+                if ((cmdPermissions & ResourceAdmin.getValue()) != 0) {
                     s_resourceDomainAdminCommands.add((String) key);
                 }
-                if ((cmdPermissions & DOMAIN_ADMIN_COMMAND) != 0) {
+                if ((cmdPermissions & DomainAdmin.getValue()) != 0) {
                     s_resellerCommands.add((String) key);
                 }
-                if ((cmdPermissions & USER_COMMAND) != 0) {
+                if ((cmdPermissions & User.getValue()) != 0) {
                     s_userCommands.add((String) key);
                 }
                 s_allCommands.addAll(s_adminCommands);

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/62a42723/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 17a2b29..1c1e8ca 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -53,6 +53,7 @@ import javax.servlet.http.HttpSession;
 import com.cloud.utils.ReflectUtil;
 import org.apache.cloudstack.acl.APIAccessChecker;
 import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.*;
 import org.apache.cloudstack.api.command.user.account.ListAccountsCmd;
 import org.apache.cloudstack.api.command.user.account.ListProjectAccountsCmd;
@@ -790,9 +791,39 @@ public class ApiServer implements HttpRequestHandler {
     }
 
     private boolean isCommandAvailable(User user, String commandName) {
+        if (user == null) {
+            return false;
+        }
+
+        Account account = _accountMgr.getAccount(user.getAccountId());
+        if (account == null) {
+            return false;
+        }
+
+        RoleType roleType = RoleType.Unknown;
+        short accountType = account.getType();
+
+        // Account type to role type translation
+        switch (accountType) {
+            case Account.ACCOUNT_TYPE_ADMIN:
+                roleType = RoleType.Admin;
+                break;
+            case Account.ACCOUNT_TYPE_DOMAIN_ADMIN:
+                roleType = RoleType.DomainAdmin;
+                break;
+            case Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN:
+                roleType = RoleType.ResourceAdmin;
+                break;
+            case Account.ACCOUNT_TYPE_NORMAL:
+                roleType = RoleType.User;
+                break;
+            default:
+                return false;
+        }
+
         for (APIAccessChecker apiChecker : _apiAccessCheckers) {
             // Fail the checking if any checker fails to verify
-            if (!apiChecker.canAccessAPI(user, commandName))
+            if (!apiChecker.canAccessAPI(roleType, commandName))
                 return false;
         }
         return true;