api/src/main/java/org/apache/cloudstack/api/command/admin/acl/project/UpdateProjectRolePermissionCmd.java

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.

package org.apache.cloudstack.api.command.admin.acl.project;

import java.util.ArrayList;
import java.util.List;

import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
import org.apache.cloudstack.acl.ProjectRole;
import org.apache.cloudstack.acl.ProjectRolePermission;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiArgValidator;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.ProjectResponse;
import org.apache.cloudstack.api.response.ProjectRolePermissionResponse;
import org.apache.cloudstack.api.response.ProjectRoleResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.commons.lang3.EnumUtils;

@APICommand(name = "updateProjectRolePermission", description = "Updates a project role permission and/or order", responseObject = SuccessResponse.class,
        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false, authorized = {
        RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User}, since = "4.15.0")
public class UpdateProjectRolePermissionCmd extends BaseCmd {

    /////////////////////////////////////////////////////
    //////////////// API parameters /////////////////////
    /////////////////////////////////////////////////////

    @Parameter(name = ApiConstants.PROJECT_ROLE_ID, type = CommandType.UUID, required = true, entityType = ProjectRoleResponse.class,
            description = "ID of the project role", validations = {ApiArgValidator.PositiveNumber})
    private Long projectRoleId;

    @Parameter(name = ApiConstants.PROJECT_ID, type = CommandType.UUID, required = true, entityType = ProjectResponse.class,
            description = "ID of project where project role permission is to be updated")
    private Long projectId;

    @Parameter(name = ApiConstants.RULE_ORDER, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = ProjectRolePermissionResponse.class,
            description = "The parent role permission uuid, use 0 to move this rule at the top of the list")
    private List<Long> projectRulePermissionOrder;

    @Parameter(name = ApiConstants.PROJECT_ROLE_PERMISSION_ID, type = CommandType.UUID, entityType = ProjectRolePermissionResponse.class,
            description = "Project Role permission rule id")
    private Long projectRuleId;

    @Parameter(name = ApiConstants.PERMISSION, type = CommandType.STRING,
            description = "Rule permission, can be: allow or deny")
    private String projectRolePermission;

    /////////////////////////////////////////////////////
    /////////////////// Accessors ///////////////////////
    /////////////////////////////////////////////////////


    public Long getProjectRoleId() {
        return projectRoleId;
    }

    public List<Long> getProjectRulePermissionOrder() {
        return projectRulePermissionOrder;
    }

    public Long getProjectRuleId() {
        return projectRuleId;
    }

    public Permission getProjectRolePermission() {
        if (this.projectRolePermission == null) {
            return null;
        }

        if (!EnumUtils.isValidEnum(Permission.class, projectRolePermission.toUpperCase())) {
            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Values for permission parameter should be: allow or deny");
        }

        return Permission.valueOf(projectRolePermission.toUpperCase());
    }

    public Long getProjectId() {
        return projectId;
    }

    /////////////////////////////////////////////////////
    /////////////////// API Implementation //////////////
    /////////////////////////////////////////////////////
    @Override
    public void execute() {
        ProjectRole projectRole = projRoleService.findProjectRole(getProjectRoleId(), getProjectId());
        boolean result = false;
        if (projectRole == null) {
            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Invalid role id provided");
        }
        if (getProjectRulePermissionOrder() != null) {
            if (getProjectRuleId() != null || getProjectRolePermission() != null) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Parameters permission and ruleid must be mutually exclusive with ruleorder");
            }
            CallContext.current().setEventDetails("Reordering permissions for role id: " + projectRole.getId());
            result = updateProjectRolePermissionOrder(projectRole);

        } else if (getProjectRuleId() != null || getProjectRolePermission() != null ) {
            if (getProjectRulePermissionOrder() != null) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Parameters permission and ruleid must be mutually exclusive with ruleorder");
            }
            ProjectRolePermission rolePermission = getValidProjectRolePermission();
            CallContext.current().setEventDetails("Updating project role permission for rule id: " + getProjectRuleId() + " to: " + getProjectRolePermission().toString());
            result = projRoleService.updateProjectRolePermission(projectId, projectRole, rolePermission, getProjectRolePermission());
        }
        SuccessResponse response = new SuccessResponse(getCommandName());
        response.setSuccess(result);
        setResponseObject(response);
    }

    private ProjectRolePermission getValidProjectRolePermission() {
        ProjectRolePermission rolePermission = projRoleService.findProjectRolePermission(getProjectRuleId());
        if (rolePermission == null || rolePermission.getProjectId() != getProjectId()) {
            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Role permission doesn't exist in the project, probably because of invalid rule id");
        }
        return rolePermission;
    }

    private boolean updateProjectRolePermissionOrder(ProjectRole projectRole) {
        final List<ProjectRolePermission> rolePermissionsOrder = new ArrayList<>();
        for (Long rolePermissionId : getProjectRulePermissionOrder()) {
            final ProjectRolePermission rolePermission = projRoleService.findProjectRolePermission(rolePermissionId);
            if (rolePermission == null) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Provided project role permission(s) do not exist");
            }
            rolePermissionsOrder.add(rolePermission);
        }
        return projRoleService.updateProjectRolePermission(projectId, projectRole, rolePermissionsOrder);
    }

    @Override
    public long getEntityOwnerId() {
        return CallContext.current().getCallingAccountId();
    }
}