server/src/main/java/com/cloud/acl/AffinityGroupAccessChecker.java - cloudstack - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.acl;

 import javax.inject.Inject;

 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupService;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDomainMapDao;
 import org.apache.cloudstack.context.CallContext;
 import org.springframework.stereotype.Component;

 import com.cloud.domain.DomainVO;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.projects.ProjectAccount;
 import com.cloud.projects.ProjectVO;
 import com.cloud.projects.dao.ProjectAccountDao;
 import com.cloud.projects.dao.ProjectDao;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.User;
 import com.cloud.utils.exception.CloudRuntimeException;

 @Component
 public class AffinityGroupAccessChecker extends DomainChecker {

     @Inject
     AffinityGroupService _affinityGroupService;
     @Inject
     AccountManager _accountMgr;
     @Inject
     AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
     @Inject
     ProjectDao _projectDao;
     @Inject
     ProjectAccountDao _projectAccountDao;

     @Override
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException {
         if (entity instanceof AffinityGroup) {
             AffinityGroup group = (AffinityGroup)entity;

             if (_affinityGroupService.isAdminControlledGroup(group)) {
                 if (accessType == AccessType.OperateEntry && !_accountMgr.isRootAdmin(caller.getId())) {
                     throw new PermissionDeniedException(caller + " does not have permission to operate with resource "
                             + entity);
                 }
             }

             if (group.getAclType() == ACLType.Domain) {
                 if (!_affinityGroupService.isAffinityGroupAvailableInDomain(group.getId(), caller.getDomainId())) {
                     DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
                     if (callerDomain == null) {
                         throw new CloudRuntimeException("cannot check permission on account " + caller.getAccountName() + " whose domain does not exist");
                     }

                     throw new PermissionDeniedException("Affinity group is not available in domain id=" + callerDomain.getUuid());
                 } else {
                     return true;
                 }
             } else {
                 //acl_type account
                 if (caller.getId() != group.getAccountId()) {
                   //check if the group belongs to a project
                     User user = CallContext.current().getCallingUser();
                     ProjectVO project = _projectDao.findByProjectAccountId(group.getAccountId());
                     if (project != null) {
                         ProjectAccount userProjectAccount = _projectAccountDao.findByProjectIdUserId(project.getId(), user.getAccountId(), user.getId());
                         if (userProjectAccount != null) {
                             if (AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canUserModifyProject(project.getId(), user.getAccountId(), user.getId())) {
                                 return true;
                             } else if (!AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canUserAccessProjectAccount(user.getAccountId(), user.getId(), group.getAccountId())) {
                                 return true;
                             }
                         } else {
                             if (AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canModifyProjectAccount(caller.getId(), group.getAccountId())) {
                                 return true;
                             } else if (!AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canAccessProjectAccount(caller.getId(), group.getAccountId())) {
                                 return true;
                             }
                         }
                     }
                     throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                 } else {
                     return true;
                 }

             }

         }

         return false;
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	package com.cloud.acl;

	import javax.inject.Inject;

	import org.apache.cloudstack.acl.ControlledEntity;
	import org.apache.cloudstack.acl.ControlledEntity.ACLType;
	import org.apache.cloudstack.affinity.AffinityGroup;
	import org.apache.cloudstack.affinity.AffinityGroupService;
	import org.apache.cloudstack.affinity.dao.AffinityGroupDomainMapDao;
	import org.apache.cloudstack.context.CallContext;
	import org.springframework.stereotype.Component;

	import com.cloud.domain.DomainVO;
	import com.cloud.exception.PermissionDeniedException;
	import com.cloud.projects.ProjectAccount;
	import com.cloud.projects.ProjectVO;
	import com.cloud.projects.dao.ProjectAccountDao;
	import com.cloud.projects.dao.ProjectDao;
	import com.cloud.user.Account;
	import com.cloud.user.AccountManager;
	import com.cloud.user.User;
	import com.cloud.utils.exception.CloudRuntimeException;

	@Component
	public class AffinityGroupAccessChecker extends DomainChecker {

	@Inject
	AffinityGroupService _affinityGroupService;
	@Inject
	AccountManager _accountMgr;
	@Inject
	AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
	@Inject
	ProjectDao _projectDao;
	@Inject
	ProjectAccountDao _projectAccountDao;

	@Override
	public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException {
	if (entity instanceof AffinityGroup) {
	AffinityGroup group = (AffinityGroup)entity;

	if (_affinityGroupService.isAdminControlledGroup(group)) {
	if (accessType == AccessType.OperateEntry && !_accountMgr.isRootAdmin(caller.getId())) {
	throw new PermissionDeniedException(caller + " does not have permission to operate with resource "
	+ entity);
	}
	}

	if (group.getAclType() == ACLType.Domain) {
	if (!_affinityGroupService.isAffinityGroupAvailableInDomain(group.getId(), caller.getDomainId())) {
	DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
	if (callerDomain == null) {
	throw new CloudRuntimeException("cannot check permission on account " + caller.getAccountName() + " whose domain does not exist");
	}

	throw new PermissionDeniedException("Affinity group is not available in domain id=" + callerDomain.getUuid());
	} else {
	return true;
	}
	} else {
	//acl_type account
	if (caller.getId() != group.getAccountId()) {
	//check if the group belongs to a project
	User user = CallContext.current().getCallingUser();
	ProjectVO project = _projectDao.findByProjectAccountId(group.getAccountId());
	if (project != null) {
	ProjectAccount userProjectAccount = _projectAccountDao.findByProjectIdUserId(project.getId(), user.getAccountId(), user.getId());
	if (userProjectAccount != null) {
	if (AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canUserModifyProject(project.getId(), user.getAccountId(), user.getId())) {
	return true;
	} else if (!AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canUserAccessProjectAccount(user.getAccountId(), user.getId(), group.getAccountId())) {
	return true;
	}
	} else {
	if (AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canModifyProjectAccount(caller.getId(), group.getAccountId())) {
	return true;
	} else if (!AccessType.ModifyProject.equals(accessType) && _projectAccountDao.canAccessProjectAccount(caller.getId(), group.getAccountId())) {
	return true;
	}
	}
	}
	throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
	} else {
	return true;
	}

	}

	}

	return false;
	}
	}