APIChecker: Rename refactor and add interface checkExistence Signed-off-by: Rohit Yadav <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/74bb043c Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/74bb043c Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/74bb043c Branch: refs/heads/api_limit Commit: 74bb043c37d28bad586ff8a42d8aa6533cef4aa8 Parents: 18bdc58 Author: Rohit Yadav <[email protected]> Authored: Thu Jan 10 18:49:18 2013 -0800 Committer: Rohit Yadav <[email protected]> Committed: Thu Jan 10 18:51:30 2013 -0800 ---------------------------------------------------------------------- .../apache/cloudstack/acl/APIAccessChecker.java | 28 --------------- api/src/org/apache/cloudstack/acl/APIChecker.java | 28 +++++++++++++++ client/tomcatconf/components.xml.in | 2 +- .../acl/StaticRoleBasedAPIAccessChecker.java | 16 ++++++-- server/src/com/cloud/api/ApiServer.java | 25 ++++++++----- 5 files changed, 57 insertions(+), 42 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java b/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
deleted file mode 100644
index 1645fa2..0000000
--- a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
+++ /dev/null
@@ -1,28 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl;
-
-import org.apache.cloudstack.acl.RoleType;
-import com.cloud.utils.component.Adapter;
-
-/**
- * APIAccessChecker checks the ownership and access control to API requests
- */
-public interface APIAccessChecker extends Adapter {
- // Interface for checking access to an API for an user
- boolean canAccessAPI(RoleType roleType, String apiCommandName);
-}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/api/src/org/apache/cloudstack/acl/APIChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java
new file mode 100644
index 0000000..61dd7de
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/APIChecker.java
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.acl.RoleType;
+import com.cloud.utils.component.Adapter;
+
+// APIChecker checks the ownership and access control to API requests
+public interface APIChecker extends Adapter {
+ // Interface for checking access for a role using apiname
+ boolean checkAccess(RoleType roleType, String apiCommandName);
+ // Interface for checking existence of an api by name
+ boolean checkExistence(String apiCommandName);
+}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/client/tomcatconf/components.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/components.xml.in b/client/tomcatconf/components.xml.in
index b779c86..bb39839 100755
--- a/client/tomcatconf/components.xml.in
+++ b/client/tomcatconf/components.xml.in
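Review bot: The contract of `APIChecker` in api/src/org/apache/cloudstack/acl/APIChecker.java is documented only with `//` comments, and the `/** ... */` Javadoc the old interface carried on the type was downgraded to a line comment, so nothing about this access-control interface reaches generated docs. Because implementations of it decide authorization, each method should say what it returns for a command name the checker does not know, for example `/** Returns true only if roleType may call apiCommandName; false for commands this checker does not know. */` on `checkAccess` and `/** Returns true if this checker has an entry for apiCommandName under any role. */` on `checkExistence`. ApiServer in this commit treats existence as any-of across checkers and access as all-of, and that difference is worth stating on the interface as well.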
@@ -53,7 +53,7 @@ under the License. <dao name="Configuration configuration server" class="com.cloud.configuration.dao.ConfigurationDaoImpl"> <param name="premium">true</param> </dao> - <adapters key="org.apache.cloudstack.acl.APIAccessChecker"> + <adapters key="org.apache.cloudstack.acl.APIChecker"> <adapter name="StaticRoleBasedAPIAccessChecker" class="org.apache.cloudstack.acl.StaticRoleBasedAPIAccessChecker"/> </adapters> <adapters key="com.cloud.agent.manager.allocator.HostAllocator"> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java ---------------------------------------------------------------------- diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java index d6bf3f6..740fbbc 100644 --- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java +++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java @@ -29,13 +29,12 @@ import java.util.List; import java.util.Map; import java.util.Set; -import static org.apache.cloudstack.acl.RoleType.*; import org.apache.log4j.Logger; // This is the default API access checker that grab's the user's account // based on the account type, access is granted -@Local(value=APIAccessChecker.class) -public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker { +@Local(value=APIChecker.class) +public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIChecker { protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class); 
@@ -50,11 +49,20 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA } @Override - public boolean canAccessAPI(RoleType roleType, String commandName) { + public boolean checkAccess(RoleType roleType, String commandName) { return s_roleBasedApisMap.get(roleType).contains(commandName); } @Override + public boolean checkExistence(String apiName) { + for (RoleType roleType: RoleType.values()) { + if (s_roleBasedApisMap.get(roleType).contains(apiName)) + return true; + } + return false; + } + + @Override public boolean configure(String name, Map<String, Object> params) throws ConfigurationException { super.configure(name, params); http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/server/src/com/cloud/api/ApiServer.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java index be3c087..7663e8e 100755 --- a/server/src/com/cloud/api/ApiServer.java +++ b/server/src/com/cloud/api/ApiServer.java @@ -51,8 +51,7 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import com.cloud.utils.ReflectUtil; -import org.apache.cloudstack.acl.APIAccessChecker; -import org.apache.cloudstack.acl.ControlledEntity; +import org.apache.cloudstack.acl.APIChecker; import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.api.*; import org.apache.cloudstack.api.command.user.account.ListAccountsCmd; @@ -146,8 +145,8 @@ public class ApiServer implements HttpRequestHandler { @Inject private DomainManager _domainMgr = null; @Inject private AsyncJobManager _asyncMgr = null; - @Inject(adapter = APIAccessChecker.class) - protected Adapters<APIAccessChecker> _apiAccessCheckers; + @Inject(adapter = APIChecker.class) + protected Adapters<APIChecker> _apiAccessCheckers; private Account _systemAccount = null; private User _systemUser = null; 
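Review bot: The new `checkExistence` in StaticRoleBasedAPIAccessChecker.java dereferences `s_roleBasedApisMap.get(roleType)` for every value of `RoleType.values()` without a null check, so a role with no entry in the map turns the existence check into a NullPointerException; the renamed `checkAccess` has the same unguarded lookup. How the map is populated is outside this hunk, so initialisation may already guarantee an entry per role, but an authorization check should return false rather than throw when its data is incomplete. I would hold the result of `get(roleType)` in a local, here called `apis`, and test it before use, `if (apis != null && apis.contains(apiName)) return true;`, ideally with braces around the `if` body.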
@@ -558,7 +557,7 @@ public class ApiServer implements HttpRequestHandler { return true; } else { // check against every available command to see if the command exists or not - if (!isCommandAvailable(null, commandName) && !commandName.equals("login") && !commandName.equals("logout")) { + if (!doesCommandExist(commandName) && !commandName.equals("login") && !commandName.equals("logout")) { s_logger.debug("The given command:" + commandName + " does not exist or it is not available for user with id:" + userId); throw new ServerApiException(BaseCmd.UNSUPPORTED_ACTION_ERROR, "The given command does not exist or it is not available for user"); } @@ -790,17 +789,25 @@ public class ApiServer implements HttpRequestHandler { return true; } - private boolean isCommandAvailable(User user, String commandName) - throws PermissionDeniedException { + private boolean doesCommandExist(String apiName) { + for (APIChecker apiChecker : _apiAccessCheckers) { + // If any checker has api info on the command, return true + if (apiChecker.checkExistence(apiName)) + return true; + } + return false; + } + + private boolean isCommandAvailable(User user, String commandName) { if (user == null) { return false; } Account account = _accountMgr.getAccount(user.getAccountId()); RoleType roleType = _accountMgr.getRoleType(account); - for (APIAccessChecker apiChecker : _apiAccessCheckers) { + for (APIChecker apiChecker : _apiAccessCheckers) { // Fail the checking if any checker fails to verify - if (!apiChecker.canAccessAPI(roleType, commandName)) + if (!apiChecker.checkAccess(roleType, commandName)) return false; } return true;
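Review bot: `isCommandAvailable` in ApiServer.java grants access when `_apiAccessCheckers` yields no adapters, because the loop can only return false and the fall-through is `return true`, whereas the new `doesCommandExist` fails closed in the same situation. This commit also changes the adapter key in components.xml.in from `org.apache.cloudstack.acl.APIAccessChecker` to `org.apache.cloudstack.acl.APIChecker`, so a deployment that keeps an older components.xml would presumably load no checkers, which makes the empty case realistic. I would deny when no checker ran: declare `boolean checked = false;` before the loop, set `checked = true;` inside it, and end with `return checked;`. The closing brace of `isCommandAvailable` is outside the hunk, and callers should be checked now that `throws PermissionDeniedException` is gone from its signature.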
