// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Element;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.Pair;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.GenericSearchBuilder;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionCallbackNoReturn;
import com.cloud.utils.db.TransactionStatus;
@Local(value = {IAMService.class})
public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class);
private String _name;
@Inject
IAMPolicyDao _aclPolicyDao;
@Inject
IAMGroupDao _aclGroupDao;
@Inject
EntityManager _entityMgr;
@Inject
IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
@Inject
IAMAccountPolicyMapDao _aclAccountPolicyMapDao;
@Inject
IAMGroupAccountMapDao _aclGroupAccountMapDao;
@Inject
IAMPolicyPermissionDao _policyPermissionDao;
private Cache _iamCache;
private void createIAMCache(final Map<String, ? extends Object> params) {
final String value = (String)params.get("cache.size");
if (value != null) {
final CacheManager cm = CacheManager.create();
final int maxElements = NumbersUtil.parseInt(value, 0);
final int live = NumbersUtil.parseInt((String)params.get("cache.time.to.live"), 300);
final int idle = NumbersUtil.parseInt((String)params.get("cache.time.to.idle"), 300);
_iamCache = new Cache(getName(), maxElements, false, live == -1, live == -1 ? Integer.MAX_VALUE : live, idle);
cm.addCache(_iamCache);
s_logger.info("IAM Cache created: " + _iamCache.toString());
} else {
_iamCache = null;
}
}
@Override
public void addToIAMCache(Object accessKey, Object allowDeny) {
if (_iamCache != null) {
try {
s_logger.debug("Put IAM access check for " + accessKey + " in cache");
_iamCache.put(new Element(accessKey, allowDeny));
} catch (final Exception e) {
s_logger.debug("Can't put " + accessKey + " to IAM cache", e);
}
}
}
@Override
public void invalidateIAMCache() {
//This may need to use event bus to publish to other MS, but event bus now is missing this functionality to handle PublishScope.GLOBAL
if (_iamCache != null) {
s_logger.debug("Invalidate IAM cache");
_iamCache.removeAll();
}
}
@Override
public Object getFromIAMCache(Object accessKey) {
if (_iamCache != null) {
final Element element = _iamCache.get(accessKey);
return element == null ? null : element.getObjectValue();
}
return null;
}
@Override
public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
boolean result = super.configure(name, params);
// create IAM cache
createIAMCache(params);
return result;
}
@DB
@Override
public IAMGroup createIAMGroup(String iamGroupName, String description, String path) {
// check if the group is already existing
IAMGroup grp = _aclGroupDao.findByName(path, iamGroupName);
if (grp != null) {
throw new InvalidParameterValueException(
"Unable to create acl group with name " + iamGroupName
+ " already exisits for path " + path);
}
IAMGroupVO rvo = new IAMGroupVO(iamGroupName, description);
rvo.setPath(path);
return _aclGroupDao.persist(rvo);
}
@DB
@Override
public boolean deleteIAMGroup(final Long iamGroupId) {
// get the Acl Group entity
final IAMGroup grp = _aclGroupDao.findById(iamGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + iamGroupId
+ "; failed to delete acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this group related entry in acl_group_policy_map
List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this group related entry in acl_group_account table
List<IAMGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (IAMGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
}
}
// remove this group from acl_group table
_aclGroupDao.remove(iamGroupId);
}
});
invalidateIAMCache();
return true;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMGroup> listIAMGroups(long accountId) {
GenericSearchBuilder<IAMGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
groupSc.setParameters("account", accountId);
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
if (groupIds == null || groupIds.isEmpty()) {
return new ArrayList<IAMGroup>();
}
SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
@SuppressWarnings("rawtypes")
List groups = _aclGroupDao.search(sc, null);
return groups;
}
@DB
@Override
public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add accounts to acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap == null) {
// not there already
grMap = new IAMGroupAccountMapVO(groupId, acctId);
_aclGroupAccountMapDao.persist(grMap);
}
}
}
});
invalidateIAMCache();
return group;
}
@DB
@Override
public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove accounts from acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_group_account_map table
for (Long acctId : acctIds) {
IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap != null) {
// not removed yet
_aclGroupAccountMapDao.remove(grMap.getId());
}
}
}
});
invalidateIAMCache();
return group;
}
@Override
public List<Long> listAccountsByGroup(long groupId) {
List<IAMGroupAccountMapVO> grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId);
if (grpAcctMap == null || grpAcctMap.size() == 0) {
return new ArrayList<Long>();
}
List<Long> accts = new ArrayList<Long>();
for (IAMGroupAccountMapVO grpAcct : grpAcctMap) {
accts.add(grpAcct.getAccountId());
}
return accts;
}
@Override
public Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize) {
if (iamGroupId != null) {
IAMGroup group = _aclGroupDao.findById(iamGroupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group by id " + iamGroupId);
}
}
Filter searchFilter = new Filter(IAMGroupVO.class, "id", true, startIndex, pageSize);
SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<IAMGroupVO> sc = sb.create();
if (iamGroupName != null) {
sc.setParameters("name", iamGroupName);
}
if (iamGroupId != null) {
sc.setParameters("id", iamGroupId);
}
sc.setParameters("path", path + "%");
Pair<List<IAMGroupVO>, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter);
return new Pair<List<IAMGroup>, Integer>(new ArrayList<IAMGroup>(groups.first()), groups.second());
}
@Override
public List<IAMGroup> listParentIAMGroups(long groupId) {
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
}
String path = group.getPath();
List<String> pathList = new ArrayList<String>();
String[] parts = path.split("/");
for (String part : parts) {
int start = path.indexOf(part);
if (start > 0) {
String subPath = path.substring(0, start);
pathList.add(subPath);
}
}
if (pathList.isEmpty()) {
return new ArrayList<IAMGroup>();
}
SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
SearchCriteria<IAMGroupVO> sc = sb.create();
sc.setParameters("paths", pathList.toArray());
List<IAMGroupVO> groups = _aclGroupDao.search(sc, null);
return new ArrayList<IAMGroup>(groups);
}
@DB
@Override
public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) {
// check if the policy is already existing
IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl policy with name " + iamPolicyName
+ " already exisits");
}
IAMPolicy role = Transaction.execute(new TransactionCallback<IAMPolicy>() {
@Override
public IAMPolicy doInTransaction(TransactionStatus status) {
IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
rvo.setPath(path);
IAMPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<IAMPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (IAMPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
}
@DB
@Override
public boolean deleteIAMPolicy(final long iamPolicyId) {
// get the Acl Policy entity
final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to delete acl policy.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this policy related entry in acl_group_policy_map
List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this policy related entry in acl_account_policy_map table
List<IAMAccountPolicyMapVO> policyAcctMap = _aclAccountPolicyMapDao.listByPolicyId(policy.getId());
if (policyAcctMap != null) {
for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
_aclAccountPolicyMapDao.remove(policyAcct.getId());
}
}
// remove this policy related entry in acl_policy_permission table
List<IAMPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this role from acl_role table
_aclPolicyDao.remove(iamPolicyId);
}
});
invalidateIAMCache();
return true;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listIAMPolicies(long accountId) {
// static policies of the account
SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
JoinType.INNER);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
// add policies directly attached to the account
List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
for (IAMAccountPolicyMapVO p : acctPolicies) {
policyIds.add(p.getIamPolicyId());
}
if (policyIds.size() == 0) {
return new ArrayList<IAMPolicy>();
}
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
if (policyGrpMap == null || policyGrpMap.size() == 0) {
return new ArrayList<IAMPolicy>();
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMGroupPolicyMapVO pg : policyGrpMap) {
policyIds.add(pg.getAclPolicyId());
}
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
if (policyGrpMap == null || policyGrpMap.size() == 0) {
return new ArrayList<IAMPolicy>();
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMGroupPolicyMapVO pg : policyGrpMap) {
policyIds.add(pg.getAclPolicyId());
}
SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
JoinBuilder.JoinType.INNER);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
sc.setJoinParameters("recursivePerm", "isRecursive", true);
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {
if (iamPolicyId != null) {
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
}
}
Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<IAMPolicyVO> sc = sb.create();
if (iamPolicyName != null) {
sc.setParameters("name", iamPolicyName);
}
if (iamPolicyId != null) {
sc.setParameters("id", iamPolicyId);
}
sc.setParameters("path", path + "%");
Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
@SuppressWarnings("rawtypes")
List policyList = policies.first();
return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
}
@DB
@Override
public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long policyId : policyIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap == null) {
// not there already
grMap = new IAMGroupPolicyMapVO(groupId, policyId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
invalidateIAMCache();
return group;
}
@DB
@Override
public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long policyId : policyIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
invalidateIAMCache();
return group;
}
@Override
public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policy to account.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long acctId : acctIds) {
IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
if (acctMap == null) {
// not there already
acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
_aclAccountPolicyMapDao.persist(acctMap);
}
}
}
});
invalidateIAMCache();
}
@Override
public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> acctIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policy to account.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long acctId : acctIds) {
IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
if (acctMap != null) {
// exists
_aclAccountPolicyMapDao.remove(acctMap.getId());
}
}
}
});
invalidateIAMCache();
}
@DB
@Override
public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
String action, String accessType, Permission perm, Boolean recursive) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to add permission to policy.");
}
// add entry in acl_policy_permission table
IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
scopeId, action, perm, accessType);
if (permit == null) {
// not there already
permit = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm,
recursive);
_policyPermissionDao.persist(permit);
}
invalidateIAMCache();
return policy;
}
@DB
@Override
public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
String action) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to revoke permission from policy.");
}
// remove entry from acl_entity_permission table
IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
scopeId, action, Permission.Allow, null);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
invalidateIAMCache();
return policy;
}
@DB
@Override
public void removeIAMPermissionForEntity(final String entityType, final Long entityId) {
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entry from acl_entity_permission table
List<IAMPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
for (IAMPolicyPermissionVO permit : permitList) {
long policyId = permit.getAclPolicyId();
_policyPermissionDao.remove(permit.getId());
// remove the policy if there are no other permissions
if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
deleteIAMPolicy(policyId);
}
}
}
});
invalidateIAMCache();
}
@DB
@Override
public IAMPolicy resetIAMPolicy(long iamPolicyId) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to reset the policy.");
}
SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
sb.done();
SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
permissionSC.setParameters("policyId", iamPolicyId);
_policyPermissionDao.expunge(permissionSC);
invalidateIAMCache();
return policy;
}
@Override
public boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies) {
boolean allowed = false;
if (policies == null || policies.size() == 0) {
return allowed;
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
policyIds.add(policy.getId());
}
SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("action", sb.entity().getAction(), Op.EQ);
sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
SearchCriteria<IAMPolicyPermissionVO> sc = sb.create();
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
sc.setParameters("action", action);
List<IAMPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
allowed = true;
}
return allowed;
}
@Override
public List<Long> getGrantedEntities(long accountId, String action, String scope) {
// Get the static Policies of the Caller
List<IAMPolicy> policies = listIAMPolicies(accountId);
// for each policy, find granted permission within the given scope
List<Long> entityIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndScope(policy.getId(), action,
scope, null);
if (pp != null) {
for (IAMPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
@Override
@SuppressWarnings("unchecked")
public List<IAMPolicyPermission> listPolicyPermissions(long policyId) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicy(policyId);
return pp;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope,
String accessType) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicyActionAndScope(policyId, action, scope, accessType);
return pp;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action,
String entityType) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
return pp;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
String entityType) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType);
return pp;
}
@Override
public IAMPolicy getResourceOwnerPolicy() {
return _aclPolicyDao.findByName("RESOURCE_OWNER");
}
// search for policy with only one resource grant permission
@Override
public IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action) {
List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
for (IAMPolicyVO policy : policyList) {
List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
if (pp != null && pp.size() == 1) {
// resource grant policy should only have one ACL permission assigned
IAMPolicyPermission permit = pp.get(0);
if (permit.getEntityType().equals(entityType) && permit.getScope().equals(PermissionScope.RESOURCE.toString())
&& permit.getScopeId().longValue() == entityId.longValue()) {
if (accessType != null && permit.getAccessType().equals(accessType)) {
return policy;
} else if (action != null && permit.getAction().equals(action)) {
return policy;
}
}
}
}
return null;
}
}