Updated Branches:
refs/heads/master 088247b61 -> 587f58762
CLOUDSTACK-5145 : Added permission checks while listing network ACLs and ACL
items. Users will be able to list only the items that they have access to.
Conflicts:
api/src/com/cloud/network/vpc/NetworkACLService.java
api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
server/test/com/cloud/vpc/NetworkACLServiceTest.java
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/587f5876
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/587f5876
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/587f5876
Branch: refs/heads/master
Commit: 587f5876217f268646f6fe03c9f57f5796400aa6
Parents: 088247b
Author: Kishan Kavala <[email protected]>
Authored: Mon Dec 9 19:49:17 2013 +0530
Committer: Kishan Kavala <[email protected]>
Committed: Mon Dec 9 21:57:47 2013 +0530
----------------------------------------------------------------------
.../cloud/network/vpc/NetworkACLService.java | 8 +-
.../user/network/ListNetworkACLListsCmd.java | 9 +-
.../network/vpc/NetworkACLServiceImpl.java | 111 ++++++++++++++++---
.../com/cloud/vpc/NetworkACLServiceTest.java | 8 ++
4 files changed, 112 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/api/src/com/cloud/network/vpc/NetworkACLService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/vpc/NetworkACLService.java
b/api/src/com/cloud/network/vpc/NetworkACLService.java
index 56a2180..db37833 100644
--- a/api/src/com/cloud/network/vpc/NetworkACLService.java
+++ b/api/src/com/cloud/network/vpc/NetworkACLService.java
@@ -19,6 +19,7 @@ package com.cloud.network.vpc;
import java.util.List;
import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
+import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
import com.cloud.exception.ResourceUnavailableException;
@@ -43,13 +44,10 @@ public interface NetworkACLService {
/**
* List NetworkACLs by Id/Name/Network or Vpc it belongs to
- * @param id
- * @param name
- * @param networkId
- * @param vpcId
+ * @param cmd
* @return
*/
- Pair<List<? extends NetworkACL>, Integer> listNetworkACLs(Long id, String
name, Long networkId, Long vpcId);
+ Pair<List<? extends NetworkACL>,Integer>
listNetworkACLs(ListNetworkACLListsCmd cmd);
/**
* Delete specified network ACL. Deletion fails if the list is not empty
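Review bot: The reworked Javadoc leaves `@param cmd` and `@return` with no description, so the interface no longer says what a caller gets back or that the result is now scoped by the account/domain/project/listAll parameters the command carries (the scoping is visible only in the NetworkACLServiceImpl hunk). Suggest `@param cmd list command carrying the id/name/networkId/vpcId filters plus the account, domain, project and listAll scoping parameters used for the permission check` and `@return the ACLs the caller is permitted to see, paired with the count in the second element`. The interface body continues outside the hunk.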
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
----------------------------------------------------------------------
diff --git
a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
index 6dd5965..56aad94 100644
---
a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
+++
b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
@@ -24,6 +24,7 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListCmd;
+import org.apache.cloudstack.api.BaseListProjectAndAccountResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.NetworkACLResponse;
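Review bot: The existing `import org.apache.cloudstack.api.BaseListCmd;` three lines above the added import looks unused now that the next hunk changes the superclass to `BaseListProjectAndAccountResourcesCmd`; unless `BaseListCmd` is referenced elsewhere in the file (not visible here), drop the line so the compiler does not carry a stale dependency. Also worth noting in the class Javadoc or the `@APICommand` description that the command now accepts the account/domain/project/listall scoping parameters inherited from the new base class, since that is a change to the public API surface.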
@@ -33,8 +34,8 @@ import org.apache.cloudstack.api.response.VpcResponse;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.utils.Pair;
-@APICommand(name = "listNetworkACLLists", description = "Lists all network
ACLs", responseObject = NetworkACLResponse.class)
-public class ListNetworkACLListsCmd extends BaseListCmd {
+@APICommand(name = "listNetworkACLLists", description="Lists all network
ACLs", responseObject=NetworkACLResponse.class)
+public class ListNetworkACLListsCmd extends
BaseListProjectAndAccountResourcesCmd {
public static final Logger s_logger =
Logger.getLogger(ListNetworkACLListsCmd.class.getName());
private static final String s_name = "listnetworkacllistsresponse";
@@ -84,8 +85,8 @@ public class ListNetworkACLListsCmd extends BaseListCmd {
}
@Override
- public void execute() {
- Pair<List<? extends NetworkACL>, Integer> result =
_networkACLService.listNetworkACLs(getId(), getName(), getNetworkId(),
getVpcId());
+ public void execute(){
+ Pair<List<? extends NetworkACL>,Integer> result =
_networkACLService.listNetworkACLs(this);
ListResponse<NetworkACLResponse> response = new
ListResponse<NetworkACLResponse>();
List<NetworkACLResponse> aclResponses = new
ArrayList<NetworkACLResponse>();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 6453934..90a6394 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -23,6 +23,8 @@ import java.util.Map;
import javax.ejb.Local;
import javax.inject.Inject;
+import com.cloud.network.vpc.dao.VpcDao;
+import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
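Review bot: The added `import com.cloud.network.vpc.dao.VpcDao;` is placed between the `javax` and `org.apache` groups rather than with the file's other `com.cloud` imports, which breaks the existing import grouping; move it into the `com.cloud` block (outside this hunk). The same placement issue appears in the NetworkACLServiceTest.java import hunk.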
@@ -87,6 +89,8 @@ public class NetworkACLServiceImpl extends ManagerBase
implements NetworkACLServ
VpcManager _vpcMgr;
@Inject
EntityManager _entityMgr;
+ @Inject
+ VpcDao _vpcDao;
@Override
public NetworkACL createNetworkACL(String name, String description, long
vpcId) {
@@ -105,13 +109,19 @@ public class NetworkACLServiceImpl extends ManagerBase
implements NetworkACLServ
}
@Override
- public Pair<List<? extends NetworkACL>, Integer> listNetworkACLs(Long id,
String name, Long networkId, Long vpcId) {
+ public Pair<List<? extends NetworkACL>, Integer>
listNetworkACLs(ListNetworkACLListsCmd cmd) {
+ Long id = cmd.getId();
+ String name = cmd.getName();
+ Long networkId = cmd.getNetworkId();
+ Long vpcId = cmd.getVpcId();
SearchBuilder<NetworkACLVO> sb = _networkACLDao.createSearchBuilder();
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("name", sb.entity().getName(), Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), Op.IN);
- if (networkId != null) {
+ Account caller = CallContext.current().getCallingAccount();
+
+ if(networkId != null){
SearchBuilder<NetworkVO> network =
_networkDao.createSearchBuilder();
network.and("networkId", network.entity().getId(), Op.EQ);
sb.join("networkJoin", network, sb.entity().getId(),
network.entity().getNetworkACLId(), JoinBuilder.JoinType.INNER);
@@ -126,9 +136,44 @@ public class NetworkACLServiceImpl extends ManagerBase
implements NetworkACLServ
sc.setParameters("name", name);
}
- if (vpcId != null) {
+ if(vpcId != null){
+ Vpc vpc = _entityMgr.findById(Vpc.class, vpcId);
+ if(vpc == null){
+ throw new InvalidParameterValueException("Unable to find VPC");
+ }
+ _accountMgr.checkAccess(caller, null, true, vpc);
//Include vpcId 0 to list default ACLs
sc.setParameters("vpcId", vpcId, 0);
+ } else {
+ //ToDo: Add accountId to network_acl table for permission check
+
+ // VpcId is not specified. Find permitted VPCs for the caller
+ // and list ACLs belonging to the permitted VPCs
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ Long domainId = cmd.getDomainId();
+ boolean isRecursive = cmd.isRecursive();
+ String accountName = cmd.getAccountName();
+ Long projectId = cmd.getProjectId();
+ boolean listAll = cmd.listAll();
+ Ternary<Long, Boolean, ListProjectResourcesCriteria>
domainIdRecursiveListProject = new Ternary<Long, Boolean,
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName,
projectId, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
+ domainId = domainIdRecursiveListProject.first();
+ isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria =
domainIdRecursiveListProject.third();
+ SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
+ _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive,
permittedAccounts, listProjectResourcesCriteria);
+ SearchCriteria<VpcVO> scVpc = sbVpc.create();
+ _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive,
permittedAccounts, listProjectResourcesCriteria);
+ List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
+ List<Long> vpcIds = new ArrayList<Long>();
+ for (VpcVO vpc : vpcs) {
+ vpcIds.add(vpc.getId());
+ }
+ //Add vpc_id 0 to list default ACLs
+ vpcIds.add(0L);
+ sc.setParameters("vpcId", vpcIds.toArray());
}
if (networkId != null) {
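Review bot: The new `else` branch that resolves the caller's permitted VPC ids (from `List<Long> permittedAccounts` through `vpcIds.add(0L)`) is duplicated line for line in the `listNetworkACLItems` hunk further down, so any later fix to the permission logic would have to be made twice. Suggest extracting it into one private helper that takes the caller and the scoping values and returns the id list (including the 0 sentinel for default ACLs), and calling it from both places: `sc.setParameters("vpcId", getPermittedVpcIds(caller, id, cmd.getAccountName(), cmd.getProjectId(), cmd.getDomainId(), cmd.isRecursive(), cmd.listAll()).toArray());`. The helper name below is a constructed placeholder; behaviour is unchanged, including the unboxing of `domainIdRecursiveListProject.second()` that the current code already performs. The enclosing `listNetworkACLs` method ends outside this hunk.
```java
    /**
     * Resolves the ids of the VPCs the caller is allowed to list, using the same
     * account/domain/project scoping as other list APIs, and appends 0 so that the
     * default ACLs (stored under vpc_id 0) are always included.
     */
    private List<Long> getPermittedVpcIds(Account caller, Long id, String accountName, Long projectId,
            Long domainId, boolean isRecursive, boolean listAll) {
        List<Long> permittedAccounts = new ArrayList<Long>();
        Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject =
                new Ternary<Long, Boolean, ListProjectResourcesCriteria>(domainId, isRecursive, null);
        _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts,
                domainIdRecursiveListProject, listAll, false);
        domainId = domainIdRecursiveListProject.first();
        isRecursive = domainIdRecursiveListProject.second();
        ListProjectResourcesCriteria criteria = domainIdRecursiveListProject.third();
        SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
        _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts, criteria);
        SearchCriteria<VpcVO> scVpc = sbVpc.create();
        _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts, criteria);
        List<Long> vpcIds = new ArrayList<Long>();
        for (VpcVO vpc : _vpcDao.search(scVpc, null)) {
            vpcIds.add(vpc.getId());
        }
        // vpc_id 0 marks the default ACLs, which every caller may list
        vpcIds.add(0L);
        return vpcIds;
    }
    // … unchanged: listNetworkACLs, with the else branch replaced by the single call quoted above …
```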
@@ -419,20 +464,10 @@ public class NetworkACLServiceImpl extends ManagerBase
implements NetworkACLServ
String protocol = cmd.getProtocol();
String action = cmd.getAction();
Map<String, String> tags = cmd.getTags();
-
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedAccounts = new ArrayList<Long>();
-
- Ternary<Long, Boolean, ListProjectResourcesCriteria>
domainIdRecursiveListProject =
- new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(),
cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject,
cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
- Boolean isRecursive = domainIdRecursiveListProject.second();
- ListProjectResourcesCriteria listProjectResourcesCriteria =
domainIdRecursiveListProject.third();
Filter filter = new Filter(NetworkACLItemVO.class, "id", false,
cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<NetworkACLItemVO> sb =
_networkACLItemDao.createSearchBuilder();
- //_accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive,
permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("aclId", sb.entity().getAclId(), Op.EQ);
@@ -452,8 +487,14 @@ public class NetworkACLServiceImpl extends ManagerBase
implements NetworkACLServ
sb.join("tagSearch", tagSearch, sb.entity().getId(),
tagSearch.entity().getResourceId(), JoinBuilder.JoinType.INNER);
}
+ if(aclId == null){
+ //Join with network_acl table when aclId is not specified to list
acl_items within permitted VPCs
+ SearchBuilder<NetworkACLVO> vpcSearch =
_networkACLDao.createSearchBuilder();
+ vpcSearch.and("vpcId", vpcSearch.entity().getVpcId(), Op.IN);
+ sb.join("vpcSearch", vpcSearch, sb.entity().getAclId(),
vpcSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ }
+
SearchCriteria<NetworkACLItemVO> sc = sb.create();
- // _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive,
permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -468,8 +509,48 @@ public class NetworkACLServiceImpl extends ManagerBase
implements NetworkACLServ
sc.setParameters("trafficType", trafficType);
}
- if (aclId != null) {
+ if(aclId != null){
+ // Get VPC and check access
+ NetworkACL acl = _networkACLDao.findById(aclId);
+ if(acl.getVpcId() != 0){
+ Vpc vpc = _vpcDao.findById(acl.getVpcId());
+ if(vpc == null){
+ throw new InvalidParameterValueException("Unable to find
VPC associated with acl");
+ }
+ _accountMgr.checkAccess(caller, null, true, vpc);
+ }
sc.setParameters("aclId", aclId);
+ } else {
+ //ToDo: Add accountId to network_acl_item table for permission
check
+
+
+ // aclId is not specified
+ // List permitted VPCs and filter aclItems
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ Long domainId = cmd.getDomainId();
+ boolean isRecursive = cmd.isRecursive();
+ String accountName = cmd.getAccountName();
+ Long projectId = cmd.getProjectId();
+ boolean listAll = cmd.listAll();
+ Ternary<Long, Boolean, ListProjectResourcesCriteria>
domainIdRecursiveListProject = new Ternary<Long, Boolean,
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName,
projectId, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
+ domainId = domainIdRecursiveListProject.first();
+ isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria =
domainIdRecursiveListProject.third();
+ SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
+ _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive,
permittedAccounts, listProjectResourcesCriteria);
+ SearchCriteria<VpcVO> scVpc = sbVpc.create();
+ _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive,
permittedAccounts, listProjectResourcesCriteria);
+ List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
+ List<Long> vpcIds = new ArrayList<Long>();
+ for (VpcVO vpc : vpcs) {
+ vpcIds.add(vpc.getId());
+ }
+ //Add vpc_id 0 to list acl_items in default ACL
+ vpcIds.add(0L);
+ sc.setJoinParameters("vpcSearch", "vpcId", vpcIds.toArray());
}
if (protocol != null) {
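Review bot: `NetworkACL acl = _networkACLDao.findById(aclId);` is dereferenced on the next line without a null check, so an unknown `aclId` surfaces as a NullPointerException instead of the InvalidParameterValueException the VPC lookup just below it uses; add `if (acl == null) { throw new InvalidParameterValueException("Unable to find ACL"); }` before `acl.getVpcId()` is read. If `getVpcId()` on the `NetworkACL` interface returns a boxed `Long` rather than `long` (not visible here), the `!= 0` comparison would also need a null guard. The enclosing `listNetworkACLItems` method starts and ends outside this hunk.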
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/587f5876/server/test/com/cloud/vpc/NetworkACLServiceTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/NetworkACLServiceTest.java
b/server/test/com/cloud/vpc/NetworkACLServiceTest.java
index 820e1b6..aeed99b 100644
--- a/server/test/com/cloud/vpc/NetworkACLServiceTest.java
+++ b/server/test/com/cloud/vpc/NetworkACLServiceTest.java
@@ -20,6 +20,7 @@ import java.util.UUID;
import javax.inject.Inject;
+import com.cloud.network.vpc.dao.VpcDao;
import junit.framework.TestCase;
import org.apache.log4j.Logger;
@@ -86,6 +87,8 @@ public class NetworkACLServiceTest extends TestCase {
NetworkACLItemDao _networkACLItemDao;
@Inject
EntityManager _entityMgr;
+ @Inject
+ VpcDao _vpcDao;
private CreateNetworkACLCmd createACLItemCmd;
private NetworkACLVO acl;
@@ -246,6 +249,11 @@ public class NetworkACLServiceTest extends TestCase {
return Mockito.mock(VpcGatewayDao.class);
}
+ @Bean
+ public VpcDao vpcDao () {
+ return Mockito.mock(VpcDao.class);
+ }
+
public static class Library implements TypeFilter {
@Override
public boolean match(MetadataReader mdr, MetadataReaderFactory
arg1) throws IOException {
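Review bot: The added `VpcDao` bean only satisfies the new `@Inject` in the service; nothing in this diff asserts the new behaviour, so a regression that drops the VPC-scoped filtering in `listNetworkACLs` or `listNetworkACLItems` would not be caught. Suggest at least one test that lists with an explicit `vpcId` the mocked `_accountMgr.checkAccess` rejects and verifies the call fails, and one that lists without `vpcId` and verifies `_vpcDao.search` is consulted and its ids (plus 0) are passed to the search criteria. The test class continues outside this hunk.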