You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2013/01/12 00:51:02 UTC
[16/32] git commit: APIChecker: Rename refactor and add interface
checkExistence
APIChecker: Rename refactor and add interface checkExistence
Signed-off-by: Rohit Yadav <bh...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/74bb043c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/74bb043c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/74bb043c
Branch: refs/heads/api_limit
Commit: 74bb043c37d28bad586ff8a42d8aa6533cef4aa8
Parents: 18bdc58
Author: Rohit Yadav <bh...@apache.org>
Authored: Thu Jan 10 18:49:18 2013 -0800
Committer: Rohit Yadav <bh...@apache.org>
Committed: Thu Jan 10 18:51:30 2013 -0800
----------------------------------------------------------------------
.../apache/cloudstack/acl/APIAccessChecker.java | 28 ---------------
api/src/org/apache/cloudstack/acl/APIChecker.java | 28 +++++++++++++++
client/tomcatconf/components.xml.in | 2 +-
.../acl/StaticRoleBasedAPIAccessChecker.java | 16 ++++++--
server/src/com/cloud/api/ApiServer.java | 25 ++++++++-----
5 files changed, 57 insertions(+), 42 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java b/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
deleted file mode 100644
index 1645fa2..0000000
--- a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
+++ /dev/null
@@ -1,28 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl;
-
-import org.apache.cloudstack.acl.RoleType;
-import com.cloud.utils.component.Adapter;
-
-/**
- * APIAccessChecker checks the ownership and access control to API requests
- */
-public interface APIAccessChecker extends Adapter {
- // Interface for checking access to an API for an user
- boolean canAccessAPI(RoleType roleType, String apiCommandName);
-}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/api/src/org/apache/cloudstack/acl/APIChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java
new file mode 100644
index 0000000..61dd7de
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/APIChecker.java
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.acl.RoleType;
+import com.cloud.utils.component.Adapter;
+
+// APIChecker checks the ownership and access control to API requests
+public interface APIChecker extends Adapter {
+ // Interface for checking access for a role using apiname
+ boolean checkAccess(RoleType roleType, String apiCommandName);
+ // Interface for checking existence of an api by name
+ boolean checkExistence(String apiCommandName);
+}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/client/tomcatconf/components.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/components.xml.in b/client/tomcatconf/components.xml.in
index b779c86..bb39839 100755
--- a/client/tomcatconf/components.xml.in
+++ b/client/tomcatconf/components.xml.in
@@ -53,7 +53,7 @@ under the License.
<dao name="Configuration configuration server" class="com.cloud.configuration.dao.ConfigurationDaoImpl">
<param name="premium">true</param>
</dao>
- <adapters key="org.apache.cloudstack.acl.APIAccessChecker">
+ <adapters key="org.apache.cloudstack.acl.APIChecker">
<adapter name="StaticRoleBasedAPIAccessChecker" class="org.apache.cloudstack.acl.StaticRoleBasedAPIAccessChecker"/>
</adapters>
<adapters key="com.cloud.agent.manager.allocator.HostAllocator">
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index d6bf3f6..740fbbc 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -29,13 +29,12 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
-import static org.apache.cloudstack.acl.RoleType.*;
import org.apache.log4j.Logger;
// This is the default API access checker that grab's the user's account
// based on the account type, access is granted
-@Local(value=APIAccessChecker.class)
-public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker {
+@Local(value=APIChecker.class)
+public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
@@ -50,11 +49,20 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
}
@Override
- public boolean canAccessAPI(RoleType roleType, String commandName) {
+ public boolean checkAccess(RoleType roleType, String commandName) {
return s_roleBasedApisMap.get(roleType).contains(commandName);
}
@Override
+ public boolean checkExistence(String apiName) {
+ for (RoleType roleType: RoleType.values()) {
+ if (s_roleBasedApisMap.get(roleType).contains(apiName))
+ return true;
+ }
+ return false;
+ }
+
+ @Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/74bb043c/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index be3c087..7663e8e 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -51,8 +51,7 @@ import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.cloud.utils.ReflectUtil;
-import org.apache.cloudstack.acl.APIAccessChecker;
-import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.command.user.account.ListAccountsCmd;
@@ -146,8 +145,8 @@ public class ApiServer implements HttpRequestHandler {
@Inject private DomainManager _domainMgr = null;
@Inject private AsyncJobManager _asyncMgr = null;
- @Inject(adapter = APIAccessChecker.class)
- protected Adapters<APIAccessChecker> _apiAccessCheckers;
+ @Inject(adapter = APIChecker.class)
+ protected Adapters<APIChecker> _apiAccessCheckers;
private Account _systemAccount = null;
private User _systemUser = null;
@@ -558,7 +557,7 @@ public class ApiServer implements HttpRequestHandler {
return true;
} else {
// check against every available command to see if the command exists or not
- if (!isCommandAvailable(null, commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
+ if (!doesCommandExist(commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
s_logger.debug("The given command:" + commandName + " does not exist or it is not available for user with id:" + userId);
throw new ServerApiException(BaseCmd.UNSUPPORTED_ACTION_ERROR, "The given command does not exist or it is not available for user");
}
@@ -790,17 +789,25 @@ public class ApiServer implements HttpRequestHandler {
return true;
}
- private boolean isCommandAvailable(User user, String commandName)
- throws PermissionDeniedException {
+ private boolean doesCommandExist(String apiName) {
+ for (APIChecker apiChecker : _apiAccessCheckers) {
+ // If any checker has api info on the command, return true
+ if (apiChecker.checkExistence(apiName))
+ return true;
+ }
+ return false;
+ }
+
+ private boolean isCommandAvailable(User user, String commandName) {
if (user == null) {
return false;
}
Account account = _accountMgr.getAccount(user.getAccountId());
RoleType roleType = _accountMgr.getRoleType(account);
- for (APIAccessChecker apiChecker : _apiAccessCheckers) {
+ for (APIChecker apiChecker : _apiAccessCheckers) {
// Fail the checking if any checker fails to verify
- if (!apiChecker.canAccessAPI(roleType, commandName))
+ if (!apiChecker.checkAccess(roleType, commandName))
return false;
}
return true;