/**
 * Rejects an API call whose command is denied for the caller's role.
 *
 * @param commandName the API command being rejected; echoed in the exception message
 * @throws PermissionDeniedException always
 */
private void denyApiAccess(final String commandName) throws PermissionDeniedException {
    final String reason = "The API " + commandName + " is blacklisted for the account's role.";
    throw new PermissionDeniedException(reason);
}
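/**
 * Grants access as soon as one registered {@link SecurityChecker} vouches for the
 * user/entity pair; denies (throws) when none of them does.
 *
 * @param user   the user requesting access
 * @param entity the entity being accessed
 * @throws PermissionDeniedException when no checker grants access
 */
@Override
public void checkAccess(User user, ControlledEntity entity) throws PermissionDeniedException {
    for (SecurityChecker checker : _securityCheckers) {
        if (checker.checkAccess(user, entity)) {
            if (s_logger.isDebugEnabled()) {
                // The separators used to lack spaces ("…to " + user + "to " + entity + "by "),
                // which rendered as "Access granted to Userto Entityby Checker".
                s_logger.debug("Access granted to " + user + " to " + entity + " by " + checker.getName());
            }
            return;
        }
    }
    // Fail closed: reaching this point means no checker granted access.
    throw new PermissionDeniedException("There's no way to confirm " + user + " has access to " + entity);
}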
/**
 * Grants access when at least one registered {@link SecurityChecker} confirms that
 * {@code caller} may act on {@code domain}; throws otherwise.
 *
 * @param caller the account requesting access
 * @param domain the domain being accessed
 * @throws PermissionDeniedException when no checker grants access
 */
@Override
public void checkAccess(Account caller, Domain domain) throws PermissionDeniedException {
    SecurityChecker grantingChecker = null;
    for (SecurityChecker candidate : _securityCheckers) {
        if (candidate.checkAccess(caller, domain)) {
            grantingChecker = candidate;
            break;
        }
    }
    if (grantingChecker == null) {
        // Fail closed when nobody vouched for the caller.
        throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + domain);
    }
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Access granted to " + caller + " to " + domain + " by " + grantingChecker.getName());
    }
}
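/**
 * Grants access to a disk offering when at least one registered {@link SecurityChecker}
 * confirms it; throws when none does.
 *
 * @param account the account requesting access
 * @param dof     the disk offering being accessed
 * @throws PermissionDeniedException when no checker grants access
 */
@Override
public void checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException {
    for (SecurityChecker checker : _securityCheckers) {
        if (checker.checkAccess(account, dof)) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Access granted to " + account + " to " + dof + " by " + checker.getName());
            }
            return;
        }
    }
    // No checker granted access. The former `assert false` at this point turned the denial
    // into an AssertionError whenever assertions were enabled (-ea), so the exception type a
    // caller saw depended on a JVM flag; the denial is now always a PermissionDeniedException.
    throw new PermissionDeniedException("There's no way to confirm " + account + " has access to " + dof);
}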
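/**
 * Grants access to a service offering when at least one registered {@link SecurityChecker}
 * confirms it; throws when none does.
 *
 * @param account the account requesting access
 * @param so      the service offering being accessed
 * @throws PermissionDeniedException when no checker grants access
 */
@Override
public void checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException {
    for (SecurityChecker checker : _securityCheckers) {
        if (checker.checkAccess(account, so)) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Access granted to " + account + " to " + so + " by " + checker.getName());
            }
            return;
        }
    }
    // No checker granted access. The former `assert false` at this point turned the denial
    // into an AssertionError whenever assertions were enabled (-ea), so the exception type a
    // caller saw depended on a JVM flag; the denial is now always a PermissionDeniedException.
    throw new PermissionDeniedException("There's no way to confirm " + account + " has access to " + so);
}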
/**
 * Ensures the current caller may perform a role-management operation: the dynamic
 * checker must be enabled and the caller must be an account whose role is of type Admin.
 *
 * @throws PermissionDeniedException when the checker is disabled, the caller or its role id
 *         is missing, or the caller's role is not of type {@code RoleType.Admin}
 */
private void checkCallerAccess() {
    if (!isEnabled()) {
        throw new PermissionDeniedException("Dynamic api checker is not enabled, aborting role operation");
    }
    final Account current = getCurrentAccount();
    final Long roleId = (current == null) ? null : current.getRoleId();
    if (roleId == null) {
        throw new PermissionDeniedException("Restricted API called by an invalid user account");
    }
    final Role role = findRole(roleId);
    // An unresolvable role is treated exactly like a non-Admin one: denied.
    final boolean adminRole = role != null && role.getRoleType() == RoleType.Admin;
    if (!adminRole) {
        throw new PermissionDeniedException("Restricted API called by an user account of non-Admin role type");
    }
}
/**
 * Checks whether {@code caller} may use the given disk offering.
 *
 * <p>Only the first registered checker is ever consulted: a grant returns, a refusal throws.
 * The trailing assertion and exception are therefore reached only when the checker list is empty.
 *
 * @param caller the account requesting access
 * @param dof    the disk offering being accessed
 * @throws PermissionDeniedException when the first checker refuses, or when no checker is registered
 */
@Override
public void checkDiskOfferingAccess(final Account caller, final DiskOffering dof) {
    for (final SecurityChecker checker : _secChecker) {
        if (!checker.checkAccess(caller, dof)) {
            throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName());
        }
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Access granted to " + caller + " to disk offering:" + dof.getId() + " by " + checker.getName());
        }
        return;
    }
    // Only reached with an empty checker list.
    assert false : "How can all of the security checkers pass on checking this caller?";
    throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to disk offering:" + dof.getId());
}
/**
 * Checks whether {@code caller} may use the given zone.
 *
 * <p>Only the first registered checker is ever consulted: a grant returns, a refusal throws.
 * The trailing assertion and exception are therefore reached only when the checker list is empty.
 *
 * @param caller the account requesting access
 * @param zone   the zone being accessed
 * @throws PermissionDeniedException when the first checker refuses, or when no checker is registered
 */
@Override
public void checkZoneAccess(final Account caller, final DataCenter zone) {
    for (final SecurityChecker checker : _secChecker) {
        if (!checker.checkAccess(caller, zone)) {
            throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName() + " for zone " + zone.getId());
        }
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Access granted to " + caller + " to zone:" + zone.getId() + " by " + checker.getName());
        }
        return;
    }
    // Only reached with an empty checker list.
    assert false : "How can all of the security checkers pass on checking this caller?";
    throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to zone:" + zone.getId());
}
/**
 * Gate for an API command: when source-CIDR checks are enabled, verifies that the request's
 * address falls inside the account's allowed CIDR list, then runs every registered
 * {@link APIChecker} for the command.
 *
 * @param user          the authenticated user; {@code null} is rejected
 * @param commandName   the API command being invoked
 * @param remoteAddress the address the request came from
 * @throws PermissionDeniedException when the user is null, the source address is outside the
 *         allowed CIDRs, or an APIChecker throws for the command
 */
private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress) throws PermissionDeniedException {
    if (user == null) {
        throw new PermissionDeniedException("User is null for role based API access check for command" + commandName);
    }
    final Account account = accountMgr.getAccount(user.getAccountId());
    // Whitespace is stripped so a list like "10.0.0.0/8, 192.168.0.0/16" splits cleanly on ','.
    // NOTE(review): a null setting value would NPE here (fails closed) — confirm the setting has a default.
    final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s","");
    // Unboxed in the `if` below: a null value NPEs rather than silently skipping the CIDR check.
    final Boolean apiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value();
    if (apiSourceCidrChecksEnabled) {
        // Not guarded by isDebugEnabled(); the concatenation runs on every call.
        s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs);
        if (!NetUtils.isIpInCidrList(remoteAddress, accessAllowedCidrs.split(","))) {
            s_logger.warn("Request by account '" + account.toString() + "' was denied since " + remoteAddress + " does not match " + accessAllowedCidrs);
            // NOTE(review): the message says "domain" but carries the account name.
            throw new PermissionDeniedException("Calls for domain '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.getHostAddress());
        }
    }
    // The checkers' return values are ignored: a checker can only deny by throwing.
    // NOTE(review): a checker that signalled denial through its return value would be
    // treated as a pass here — confirm the APIChecker contract.
    for (final APIChecker apiChecker : apiAccessCheckers) {
        apiChecker.checkAccess(user, commandName);
    }
}
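/**
 * Pins a resource-domain admin to its own zone; any other caller keeps the zone it asked for.
 *
 * @param caller the calling account
 * @param zoneId the requested zone, or {@code null} for "the caller's own zone"
 * @return the zone the caller is allowed to operate in
 * @throws PermissionDeniedException when a resource-domain admin asks for a zone other than its own
 */
@Override
public Long checkAccessAndSpecifyAuthority(Account caller, Long zoneId) {
    // We just care for resource domain admin for now. He should be permitted to see only his zone.
    if (!isResourceDomainAdmin(caller.getAccountId())) {
        return zoneId;
    }
    final Long accountZoneId = getZoneIdForAccount(caller);
    if (zoneId == null) {
        return accountZoneId;
    }
    // equals() rather than compareTo(): a null accountZoneId now denies instead of throwing NPE,
    // and the message gained the space that was missing between the caller and "is not allowed".
    if (!zoneId.equals(accountZoneId)) {
        throw new PermissionDeniedException("Caller " + caller + " is not allowed to access the zone " + zoneId);
    }
    return zoneId;
}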
/**
 * Decides whether {@code caller} may operate within {@code domain}: a normal user only in its
 * own domain, any other account in its own domain or one of its child domains.
 *
 * @param caller the calling account; must be enabled
 * @param domain the target domain
 * @return {@code true} when access is allowed (denial is always signalled by throwing)
 * @throws PermissionDeniedException when the caller is not enabled or the domain is out of reach
 */
@Override
public boolean checkAccess(Account caller, Domain domain) throws PermissionDeniedException {
    if (caller.getState() != Account.State.enabled) {
        throw new PermissionDeniedException(caller + " is disabled.");
    }
    final long targetDomainId = domain.getId();
    final boolean permitted = _accountService.isNormalUser(caller.getId())
            ? caller.getDomainId() == targetDomainId
            : _domainDao.isChildDomain(caller.getDomainId(), targetDomainId);
    if (!permitted) {
        throw new PermissionDeniedException(caller + " does not have permission to operate within domain id=" + domain.getUuid());
    }
    return true;
}
/**
 * Domain access check for a user: rejects removed users, then delegates to the
 * account-level check for the user's owning account.
 *
 * @param user   the calling user
 * @param domain the target domain
 * @return the result of the account-level check
 * @throws PermissionDeniedException when the user has been removed or the account check denies
 */
@Override
public boolean checkAccess(User user, Domain domain) throws PermissionDeniedException {
    final boolean userRemoved = user.getRemoved() != null;
    if (userRemoved) {
        throw new PermissionDeniedException(user + " is no longer active.");
    }
    final Account owningAccount = _accountDao.findById(user.getAccountId());
    return checkAccess(owningAccount, domain);
}
/**
 * Validates a caller-supplied custom UUID. Only the system account or a root admin may
 * set one; a {@code null} uuid means "none supplied" and passes without any check.
 *
 * @param uuid       the custom id to validate, or {@code null}
 * @param entityType the entity class the id is meant for
 * @throws PermissionDeniedException when the caller is neither the system account nor a root admin
 */
@Override
public <T> void checkUuid(String uuid, Class<T> entityType) {
    if (uuid == null) {
        return;
    }
    final Account caller = CallContext.current().getCallingAccount();
    final long callerId = caller.getId();
    // Only admin and system allowed to do this
    final boolean privileged = callerId == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(callerId);
    if (!privileged) {
        throw new PermissionDeniedException("Please check your permissions, you are not allowed to create/update custom id");
    }
    checkUuidSimple(uuid, entityType);
}
/**
 * Deletes a domain by id after verifying it exists, is not the ROOT domain, and that the
 * caller has access to it.
 *
 * @param domainId the id of the domain to delete
 * @param cleanup  passed through to the entity-level delete
 * @return the result of the entity-level delete
 * @throws InvalidParameterValueException when no domain has the given id
 * @throws PermissionDeniedException when the target is the ROOT domain or the caller lacks access
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_DOMAIN_DELETE, eventDescription = "deleting Domain", async = true)
public boolean deleteDomain(long domainId, Boolean cleanup) {
    final Account caller = getCaller();
    final DomainVO target = _domainDao.findById(domainId);
    if (target == null) {
        throw new InvalidParameterValueException("Failed to delete domain " + domainId + ", domain not found");
    }
    if (domainId == Domain.ROOT_DOMAIN) {
        throw new PermissionDeniedException("Can't delete ROOT domain");
    }
    _accountMgr.checkAccess(caller, target);
    return deleteDomain(target, cleanup);
}
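/**
 * Verifies that the caller may reach the resource scoped by {@code accountId} or, failing
 * that, by {@code domainId}.
 *
 * @param accountId        owning account, or {@code null}
 * @param domainId         owning domain, used only when {@code accountId} is null; {@code -1} is rejected
 * @param exceptionMessage message for the denial raised when neither scope applies
 * @throws CloudRuntimeException     when {@code domainId} is {@code -1}
 * @throws PermissionDeniedException when the access checks fail or no scope is usable by the caller
 */
private void checkResourceAccessible(Long accountId, Long domainId, String exceptionMessage) {
    final Account caller = CallContext.current().getCallingAccount();
    // The old `Objects.equals(domainId, -1)` boxed -1 to an Integer, so a Long domainId could
    // never be equal to it and the sentinel check was dead code. Compare as a primitive instead.
    if (domainId != null && domainId.longValue() == -1L) {
        throw new CloudRuntimeException("Invalid DomainId: -1");
    }
    if (accountId != null) {
        _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
    } else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
        // check permissions on the domain scope; normal users never get this path
        _accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
    } else {
        throw new PermissionDeniedException(exceptionMessage);
    }
}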
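/**
 * Resolves the owner of the source volume, refusing owners that cannot accept new resources:
 * an inactive project, or a disabled account.
 *
 * @return the account id owning the volume
 * @throws InvalidParameterValueException when the volume, or the project behind a project account, cannot be found
 * @throws PermissionDeniedException when the owning project is not active or the owning account is disabled
 */
@Override
public long getEntityOwnerId() {
    Volume volume = _entityMgr.findById(Volume.class, getVolumeId());
    if (volume == null) {
        throw new InvalidParameterValueException("Unable to find volume by id=" + volumeId);
    }
    Account account = _accountService.getAccount(volume.getAccountId());
    //Can create templates for enabled projects/accounts only
    if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
        Project project = _projectService.findByProjectAccountId(volume.getAccountId());
        // A project account with no project record used to NPE on getState(); reject it explicitly.
        if (project == null) {
            throw new InvalidParameterValueException("Unable to find project by account id=" + account.getUuid());
        }
        if (project.getState() != Project.State.Active) {
            throw new PermissionDeniedException("Can't add resources to the project id=" + project.getId() + " in state=" + project.getState() + " as it's no longer active");
        }
    } else if (account.getState() == Account.State.disabled) {
        throw new PermissionDeniedException("The owner of template is disabled: " + account);
    }
    return volume.getAccountId();
}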
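/**
 * Resolves the owner of the volume being resized, refusing owners that cannot accept the
 * change: an inactive project, or a disabled account.
 *
 * @return the account id owning the volume
 * @throws InvalidParameterValueException when the volume, or the project behind a project account, cannot be found
 * @throws PermissionDeniedException when the owning project is not active or the owning account is disabled
 */
@Override
public long getEntityOwnerId() {
    Volume volume = _entityMgr.findById(Volume.class, getEntityId());
    if (volume == null) {
        throw new InvalidParameterValueException("Unable to find volume by id=" + id);
    }
    Account account = _accountService.getAccount(volume.getAccountId());
    //Can resize volumes for enabled projects/accounts only
    if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
        Project project = _projectService.findByProjectAccountId(volume.getAccountId());
        // A project account with no project record used to NPE on getState(); reject it explicitly.
        if (project == null) {
            throw new InvalidParameterValueException("Unable to find project by account id=" + account.getUuid());
        }
        if (project.getState() != Project.State.Active) {
            throw new PermissionDeniedException("Can't add resources to project id=" + project.getId() + " in state=" + project.getState() + " as it's no longer active");
        }
    } else if (account.getState() == Account.State.disabled) {
        throw new PermissionDeniedException("The owner of volume " + id + " is disabled: " + account);
    }
    return volume.getAccountId();
}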
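/**
 * Resolves the owner of the source volume, refusing owners that cannot accept new resources:
 * an inactive project (reported with the project uuid attached as a proxy object), or a
 * disabled account.
 *
 * @return the account id owning the volume
 * @throws InvalidParameterValueException when the volume, or the project behind a project account, cannot be found
 * @throws PermissionDeniedException when the owning project is not active or the owning account is disabled
 */
@Override
public long getEntityOwnerId() {
    Volume volume = _entityMgr.findById(Volume.class, getVolumeId());
    if (volume == null) {
        throw new InvalidParameterValueException("Unable to find volume by id=" + volumeId);
    }
    Account account = _accountService.getAccount(volume.getAccountId());
    //Can create templates for enabled projects/accounts only
    if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
        Project project = _projectService.findByProjectAccountId(volume.getAccountId());
        // A project account with no project record used to NPE on getState(); reject it explicitly.
        if (project == null) {
            throw new InvalidParameterValueException("Unable to find project by account id=" + account.getUuid());
        }
        if (project.getState() != Project.State.Active) {
            // The uuid travels as a proxy object so the API layer can reference the project without leaking its internal id.
            PermissionDeniedException ex = new PermissionDeniedException("Can't add resources to the specified project id in state=" + project.getState() + " as it's no longer active");
            ex.addProxyObject(project.getUuid(), "projectId");
            throw ex;
        }
    } else if (account.getState() == Account.State.disabled) {
        throw new PermissionDeniedException("The owner of template is disabled: " + account);
    }
    return volume.getAccountId();
}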
/**
 * Resolves the owner of the source VM snapshot, refusing owners that cannot accept new
 * resources: a missing or inactive project, or a disabled account.
 *
 * @return the account id owning the snapshot
 * @throws InvalidParameterValueException when the snapshot, or the project behind a project account, cannot be found
 * @throws PermissionDeniedException when the owning project is not active or the owning account is disabled
 */
@Override
public long getEntityOwnerId() {
    final VMSnapshot snapshot = _entityMgr.findById(VMSnapshot.class, getVMSnapshotId());
    if (snapshot == null) {
        throw new InvalidParameterValueException("Unable to find vmsnapshot by id=" + getVMSnapshotId());
    }
    final long ownerId = snapshot.getAccountId();
    final Account owner = _accountService.getAccount(ownerId);
    //Can create templates for enabled projects/accounts only
    final boolean ownedByProject = owner.getType() == Account.ACCOUNT_TYPE_PROJECT;
    if (!ownedByProject) {
        if (owner.getState() == Account.State.disabled) {
            throw new PermissionDeniedException("The owner of template is disabled: " + owner);
        }
        return ownerId;
    }
    final Project project = _projectService.findByProjectAccountId(ownerId);
    if (project == null) {
        throw new InvalidParameterValueException("Unable to find project by account id=" + owner.getUuid());
    }
    if (project.getState() != Project.State.Active) {
        throw new PermissionDeniedException("Can't add resources to the project id=" + project.getUuid() + " in state=" + project.getState() + " as it's no longer active");
    }
    return ownerId;
}
/**
 * Returns the result of an async job after an ownership check: a normal user may only see
 * its own jobs, a domain admin only jobs owned by accounts it has access to, and any other
 * caller is not restricted here.
 *
 * @param cmd the request carrying the job id
 * @return the job response, including a removed job's final state
 * @throws InvalidParameterValueException when no job has the given id
 * @throws PermissionDeniedException when the caller may not see the job
 */
@Override
public AsyncJobResponse queryJobResult(final QueryAsyncJobResultCmd cmd) {
    final Account caller = CallContext.current().getCallingAccount();
    final Long jobId = cmd.getId();
    final AsyncJob job = _entityMgr.findByIdIncludingRemoved(AsyncJob.class, jobId);
    if (job == null) {
        throw new InvalidParameterValueException("Unable to find a job by id " + jobId);
    }
    final User ownerUser = _accountMgr.getUserIncludingRemoved(job.getUserId());
    final Account ownerAccount = _accountMgr.getAccount(ownerUser.getAccountId());
    //check permissions
    final long callerId = caller.getId();
    if (_accountMgr.isNormalUser(callerId)) {
        //regular user can see only jobs he owns
        final boolean ownsJob = callerId == ownerAccount.getId();
        if (!ownsJob) {
            throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
        }
    } else if (_accountMgr.isDomainAdmin(callerId)) {
        _accountMgr.checkAccess(caller, null, true, ownerAccount);
    }
    return createAsyncJobResponse(_jobMgr.queryJob(jobId, true));
}