nvazquez commented on a change in pull request #5879:
URL: https://github.com/apache/cloudstack/pull/5879#discussion_r799454586
##########
File path:
plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java
##########
@@ -210,6 +211,24 @@ private ApiDiscoveryResponse getCmdRequestMap(Class<?>
cmdClass, APICommand apiC
return response;
}
+ @Override
+ public List<String> listApiNames(Account account) {
+ List<String> apiNames = new ArrayList<>();
+ for (String apiName : s_apiNameDiscoveryResponseMap.keySet()) {
+ boolean isAllowed = true;
+ for (APIChecker apiChecker : _apiAccessCheckers) {
+ try {
+ apiChecker.checkAccess(account, apiName);
+ } catch (Exception ex) {
+ isAllowed = false;
Review comment:
I think we won't need this variable - after the checkAccess method we
can add the element to the list and on the catch block we can log the exception
describing the error. Then the next if won't be needed either
##########
File path:
plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java
##########
@@ -58,9 +58,13 @@ private void denyApiAccess(final String commandName) throws
PermissionDeniedExce
throw new PermissionDeniedException("The API " + commandName + " is
denied for the user's/account's project role.");
}
+ @Override
+ public boolean isEnabled() {
+ return roleService.isEnabled();
+ }
public boolean isDisabled() {
Review comment:
Not an issue but an improvement request - can we leave only one of these
methods?
##########
File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
##########
@@ -1110,6 +1183,75 @@ public UserAccount createUserAccount(final String
userName, final String passwor
return _userAccountDao.findById(userId);
}
+ /**
+ * if there is any permission under the requested role that is not
permitted for the caller, refuse
+ */
+ private void checkRoleEscalation(Account caller, Account requested) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug(String.format("checking if user of account %s [%s]
with role-id [%d] can create an account of type %s [%s] with role-id [%d]",
+ caller.getAccountName(),
+ caller.getUuid(),
+ caller.getRoleId(),
+ requested.getAccountName(),
+ requested.getUuid(),
+ requested.getRoleId()));
+ }
+ List<APIChecker> apiCheckers = getEnabledApiCheckers();
+ for (String command : apiNameList) {
+ try {
+ checkApiAccess(apiCheckers, requested, command);
+ } catch (PermissionDeniedException pde) {
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace(String.format("checking for permission to
\"%s\" is irrelevant as it is not requested for %s [%s]",
+ command,
+ pde.getAccount().getAccountName(),
+ pde.getAccount().getUuid(),
+ pde.getEntitiesInViolation()
+ ));
+ }
+ continue;
+ }
+ // so requested can, now make sure caller can as well
+ try {
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace(String.format("permission to \"%s\" is
requested",
+ command));
+ }
+ checkApiAccess(apiCheckers, caller, command);
+ } catch (PermissionDeniedException pde) {
+ String msg = String.format("user of account %s/%s (%s) can not
create an account with access to %s",
+ caller.getAccountName(),
+ caller.getDomainId(),
+ caller.getUuid(),
+ command);
+ s_logger.warn(msg);
+ throw new PermissionDeniedException(msg,pde);
+ }
+ }
+ }
+
+ private void checkApiAccess(List<APIChecker> apiCheckers, Account caller,
String command) {
+ for (final APIChecker apiChecker : apiCheckers) {
+ apiChecker.checkAccess(caller, command);
+ }
+ }
+
+ @NotNull
+ private List<APIChecker> getEnabledApiCheckers() {
+ // we are really only interested in the dynamic access checker
+ List<APIChecker> usableApiCheckera = new ArrayList<>();
Review comment:
Typo?
##########
File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
##########
@@ -358,10 +391,46 @@ public UserVO getSystemUser() {
@Override
public boolean start() {
+ if (apiNameList == null) {
Review comment:
Could somehow the list be empty but not null at this point?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
