RoleBasedEntityQuerySelector.java

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam;

import java.util.ArrayList;
import java.util.List;

import javax.inject.Inject;

import org.apache.log4j.Logger;

import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.QuerySelector;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMService;

import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.user.Account;
import com.cloud.utils.component.AdapterBase;

public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {

    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());

    @Inject
    IAMService _iamService;
    @Inject
    DomainDao _domainDao;

    @Override
    public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) {
        long accountId = caller.getAccountId();
        if (accessType == null) {
            accessType = AccessType.UseEntry;  // default always show resources authorized to use
        }
        // Get the static Policies of the Caller
        List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
        // for each policy, find granted permission with Domain scope
        List<Long> domainIds = new ArrayList<Long>();
        for (IAMPolicy policy : policies) {
            List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
            pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
                    PermissionScope.DOMAIN.toString(), accessType.toString()));

            if (pp != null) {
                for (IAMPolicyPermission p : pp) {
                    if (p.getScopeId() != null) {
                        Long domainId = null;
                        if (p.getScopeId().longValue() == -1) {
                            domainId = caller.getDomainId();
                            //domainIds.add(caller.getDomainId());
                        } else {
                            domainId = p.getScopeId();
                            //domainIds.add(p.getScopeId());
                        }
                        //domainIds.add(domainId);
                        // add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
                        // the whole domain tree is granted access.
                        DomainVO domain = _domainDao.findById(domainId);
                        List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
                        if (childDomains != null && childDomains.size() > 0) {
                            domainIds.addAll(childDomains);
                        }

                    }
                }
            }
        }
        return domainIds;
    }

    @Override
    public List<Long> getAuthorizedAccounts(Account caller, String action, AccessType accessType) {
        long accountId = caller.getAccountId();
        if (accessType == null) {
            accessType = AccessType.UseEntry;  // default always show resources authorized to use
        }
        // Get the static Policies of the Caller
        List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
        // for each policy, find granted permission with Account scope
        List<Long> accountIds = new ArrayList<Long>();
        for (IAMPolicy policy : policies) {
            List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
            pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
                    PermissionScope.ACCOUNT.toString(), accessType.toString()));

            if (pp != null) {
                for (IAMPolicyPermission p : pp) {
                    if (p.getScopeId() != null) {
                        if (p.getScopeId().longValue() == -1) {
                            accountIds.add(caller.getId());
                        } else {
                            accountIds.add(p.getScopeId());
                        }
                    }
                }
            }
        }
        return accountIds;
    }

    @Override
    public List<Long> getAuthorizedResources(Account caller, String action, AccessType accessType) {
        long accountId = caller.getAccountId();
        if (accessType == null) {
            accessType = AccessType.UseEntry;  // default always show resources authorized to use
        }
        // Get the static Policies of the Caller
        List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);

        // add the policies that grant recursive access
        List<IAMGroup> groups = _iamService.listIAMGroups(caller.getId());
        for (IAMGroup group : groups) {
            // for each group find the grand parent groups.
            List<IAMGroup> parentGroups = _iamService.listParentIAMGroups(group.getId());
            for (IAMGroup parentGroup : parentGroups) {
                policies.addAll(_iamService.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
            }
        }

        // for each policy, find granted permission with Resource scope
        List<Long> entityIds = new ArrayList<Long>();
        for (IAMPolicy policy : policies) {
            List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
            pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
                    PermissionScope.RESOURCE.toString(), accessType.toString()));

            if (pp != null) {
                for (IAMPolicyPermission p : pp) {
                    if (p.getScopeId() != null) {
                        entityIds.add(p.getScopeId());
                    }
                }
            }
        }
        return entityIds;
    }

    @Override
    public boolean isGrantedAll(Account caller, String action, AccessType accessType) {
        long accountId = caller.getAccountId();
        if (accessType == null) {
            accessType = AccessType.UseEntry;  // default always show resources authorized to use
        }
        // Get the static Policies of the Caller
        List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
        // for each policy, find granted permission with ALL scope
        for (IAMPolicy policy : policies) {
            List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
            pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ALL.toString(),
                    accessType.toString()));
            if (pp != null && pp.size() > 0) {
                return true;
            }
        }
        return false;
    }

    @Override
    public List<String> listAclGroupsByAccount(long accountId) {
        List<IAMGroup> groups = _iamService.listIAMGroups(accountId);
        List<String> groupNames = new ArrayList<String>();
        for (IAMGroup grp : groups) {
            groupNames.add(grp.getName());
        }
        return groupNames;
    }

}