Beispiel #1
0
  /**
   * Checks grants and transforms grantees into canonicalId from eucalyptus account id or email
   * address
   *
   * @param acl
   * @return
   */
  public static AccessControlList scrubAcl(AccessControlList acl) {
    AccessControlList scrubbed = new AccessControlList();
    if (acl == null || acl.getGrants() == null || acl.getGrants().size() == 0) {
      return scrubbed;
    }

    String canonicalId = null;
    Grantee grantee;
    CanonicalUser canonicalUser;
    Group group;
    String email;

    for (Grant g : acl.getGrants()) {
      grantee = g.getGrantee();
      if (grantee == null) {
        continue; // skip, no grantee
      } else {
        canonicalUser = grantee.getCanonicalUser();
        group = grantee.getGroup();
        email = grantee.getEmailAddress();
      }

      canonicalId = canonicalUser == null ? null : resolveCanonicalId(canonicalUser.getID());
      if (canonicalId == null) {
        try {
          User user = Accounts.lookupUserByEmailAddress(email);
          if (user != null && user.isAccountAdmin() && user.getAccount() != null) {
            canonicalId = user.getAccount().getCanonicalId();
          }
        } catch (AuthException authEx) {
          // no-op, we'll check the group
        }
      }
      if (canonicalId == null && group != null && !Strings.isNullOrEmpty(group.getUri())) {
        ObjectStorageProperties.S3_GROUP foundGroup = AclUtils.getGroupFromUri(group.getUri());
        if (foundGroup == null) {
          throw new NoSuchElementException("URI: " + group.getUri() + " not found in group map");
        }
        // Group URI, use as canonicalId for now.
        canonicalId = group.getUri();
      }

      if (canonicalId == null) {
        throw new NoSuchElementException("No canonicalId found for grant: " + g.toString());
      } else {
        if (grantee.getCanonicalUser() == null) {
          grantee.setCanonicalUser(new CanonicalUser(canonicalId, ""));
        } else {
          grantee.getCanonicalUser().setID(canonicalId);
        }
      }
    }

    return acl;
  }
Beispiel #2
0
  /**
   * Processes a list by finding all canned-acls and expanding those. The returned list is a new
   * list that includes all non-canned ACL entries of the input as well as the expanded grants
   * mapped to canned-acls
   *
   * <p>CannedAcls are Grants with Grantee = "", and Permision is the canned-acl string
   *
   * @param msgAcl
   * @return
   */
  public static AccessControlList expandCannedAcl(
      @Nonnull AccessControlList msgAcl,
      @Nullable final String bucketOwnerCanonicalId,
      @Nullable final String objectOwnerCanonicalId)
      throws EucalyptusCloudException {
    if (msgAcl == null) {
      throw new IllegalArgumentException("Null list received");
    }

    AccessControlList outputList = new AccessControlList();
    if (outputList.getGrants() == null) {
      // Should be handled by constructor of ACL, but just to be sure
      outputList.setGrants(new ArrayList<Grant>());
    }
    final OwnerIdPair owners = new OwnerIdPair(bucketOwnerCanonicalId, objectOwnerCanonicalId);
    String entryValue = null;
    for (Grant msgGrant : msgAcl.getGrants()) {
      entryValue =
          msgGrant
              .getPermission(); // The OSG binding populates the canned-acl in the permission field
      try {
        if (cannedAclMap.containsKey(entryValue)) {
          outputList.getGrants().addAll(cannedAclMap.get(entryValue).apply(owners));
        } else {
          // add to output.
          outputList.getGrants().add(msgGrant);
        }
      } catch (Exception e) {
        // Failed. Stop now
        throw new EucalyptusCloudException("Failed generating the full ACL from canned ACL", e);
      }
    }
    return outputList;
  }