[GitHub] [cloudstack] DaanHoogland commented on a diff in pull request #7153: Introducing concept of domain VPCs

Fri, 28 Apr 2023 00:47:38 -0700 


DaanHoogland commented on code in PR #7153:
URL: https://github.com/apache/cloudstack/pull/7153#discussion_r1180042689


##########
server/src/main/java/com/cloud/api/ApiResponseHelper.java:
##########
@@ -2534,7 +2534,12 @@ public NetworkResponse 
createNetworkResponse(ResponseView view, Network network)
         if (network.getVpcId() != null) {
             Vpc vpc = ApiDBUtils.findVpcById(network.getVpcId());
             if (vpc != null) {
-                response.setVpcId(vpc.getUuid());
+                try {
+                    
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, 
vpc);
+                    response.setVpcId(vpc.getUuid());
+                } catch (PermissionDeniedException e){
+                    s_logger.debug("Not setting the vpcId to the response 
because the caller does not have access to the VPC");
+                }

Review Comment:
   Can you extract this as a separate method?



##########
server/src/main/java/com/cloud/network/IpAddressManagerImpl.java:
##########
@@ -1476,7 +1476,8 @@ public IPAddressVO associateIPToGuestNetwork(long ipId, 
long networkId, boolean
         //     - if shared network in Advanced zone
         //     - and it belongs to the system
         if (network.getAccountId() != owner.getId()) {
-            if (zone.getNetworkType() != NetworkType.Basic && 
!(zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() == 
Network.GuestType.Shared)) {
+            if (zone.getNetworkType() != NetworkType.Basic &&
+                    !(zone.getNetworkType() == NetworkType.Advanced && 
network.getGuestType() == Network.GuestType.Shared || 
network.getVpcId().equals(ipToAssoc.getVpcId())))  {

Review Comment:
   So if `network.getVpcId().equals(ipToAssoc.getVpcId())` we should throw an 
exception! Can you explain?



##########
server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java:
##########
@@ -1764,9 +1764,14 @@ public void doInTransactionWithoutResult(final 
TransactionStatus status) {
                         }
                     }
 
-                    // 4) vpc and network should belong to the same owner
-                    if (vpc.getAccountId() != networkOwner.getId()) {
-                        throw new InvalidParameterValueException("Vpc " + vpc 
+ " owner is different from the network owner " + networkOwner);
+                    // 4) Vpc's account should be able to access network 
owner's account
+                    Account vpcaccount = 
_accountMgr.getAccount(vpc.getAccountId());
+                    try {
+                        _accountMgr.checkAccess(vpcaccount, null, false, 
networkOwner);
+                    }
+                    catch (PermissionDeniedException e) {
+                        s_logger.error(e.getMessage());
+                        throw new 
InvalidParameterValueException(String.format("VPC owner does not have access to 
account [%s].", networkOwner.getAccountName()));

Review Comment:
   can you extract this as a method?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to