static void createDefault(final OwnerFullName ownerFullName) throws MetadataException {
try {
try {
NetworkGroup net =
Transactions.find(
new NetworkGroup(
AccountFullName.getInstance(ownerFullName.getAccountNumber()),
NETWORK_DEFAULT_NAME));
if (net == null) {
create(ownerFullName, NETWORK_DEFAULT_NAME, "default group");
}
} catch (NoSuchElementException ex) {
try {
create(ownerFullName, NETWORK_DEFAULT_NAME, "default group");
} catch (ConstraintViolationException ex1) {
}
} catch (TransactionException ex) {
try {
create(ownerFullName, NETWORK_DEFAULT_NAME, "default group");
} catch (ConstraintViolationException ex1) {
}
}
} catch (DuplicateMetadataException ex) {
}
}
/**
* Resolve Group Names / Identifiers for the given permissions.
*
* <p>Caller must have open transaction.
*
* @param permissions - The permissions to update
* @throws MetadataException If an error occurs
*/
public static void resolvePermissions(final Iterable<IpPermissionType> permissions)
throws MetadataException {
for (final IpPermissionType ipPermission : permissions) {
if (ipPermission.getGroups() != null)
for (final UserIdGroupPairType groupInfo : ipPermission.getGroups()) {
if (!Strings.isNullOrEmpty(groupInfo.getSourceGroupId())) {
final NetworkGroup networkGroup =
NetworkGroups.lookupByGroupId(groupInfo.getSourceGroupId());
groupInfo.setSourceUserId(networkGroup.getOwnerAccountNumber());
groupInfo.setSourceGroupName(networkGroup.getDisplayName());
} else if (Strings.isNullOrEmpty(groupInfo.getSourceUserId())
|| Strings.isNullOrEmpty(groupInfo.getSourceGroupName())) {
throw new MetadataException("Group ID or User ID/Group Name required.");
} else {
final NetworkGroup networkGroup =
NetworkGroups.lookup(
AccountFullName.getInstance(groupInfo.getSourceUserId()),
groupInfo.getSourceGroupName());
groupInfo.setSourceGroupId(networkGroup.getGroupId());
}
}
}
}
public static NetworkGroup create(
final OwnerFullName ownerFullName, final String groupName, final String groupDescription)
throws MetadataException {
UserFullName userFullName = null;
if (ownerFullName instanceof UserFullName) {
userFullName = (UserFullName) ownerFullName;
} else {
try {
Account account = Accounts.lookupAccountById(ownerFullName.getAccountNumber());
User admin =
Iterables.find(
account.getUsers(),
new Predicate<User>() {
@Override
public boolean apply(User input) {
return input.isAccountAdmin();
}
});
userFullName = UserFullName.getInstance(admin);
} catch (Exception ex) {
LOG.error(ex, ex);
throw new NoSuchMetadataException(
"Failed to create group because owning user could not be identified.", ex);
}
}
final EntityTransaction db = Entities.get(NetworkGroup.class);
try {
NetworkGroup net =
Entities.uniqueResult(
new NetworkGroup(
AccountFullName.getInstance(userFullName.getAccountNumber()), groupName));
if (net == null) {
final NetworkGroup entity =
Entities.persist(new NetworkGroup(userFullName, groupName, groupDescription));
db.commit();
return entity;
} else {
db.rollback();
throw new DuplicateMetadataException(
"Failed to create group: " + groupName + " for " + userFullName.toString());
}
} catch (final NoSuchElementException ex) {
final NetworkGroup entity =
Entities.persist(new NetworkGroup(userFullName, groupName, groupDescription));
db.commit();
return entity;
} catch (final ConstraintViolationException ex) {
Logs.exhaust().error(ex);
db.rollback();
throw new DuplicateMetadataException(
"Failed to create group: " + groupName + " for " + userFullName.toString(), ex);
} catch (final Exception ex) {
Logs.exhaust().error(ex, ex);
db.rollback();
throw new MetadataException(
"Failed to create group: " + groupName + " for " + userFullName.toString(),
PersistenceExceptions.transform(ex));
}
}
@Override
public boolean apply(final Allocation allocInfo) throws MetadataException {
final UserFullName ownerFullName = allocInfo.getOwnerFullName();
final String instanceProfileArn = allocInfo.getRequest().getIamInstanceProfileArn();
final String instanceProfileName = allocInfo.getRequest().getIamInstanceProfileName();
if (!Strings.isNullOrEmpty(instanceProfileArn)
|| !Strings.isNullOrEmpty(instanceProfileName)) {
final String profileAccount;
final String profileName;
if (!Strings.isNullOrEmpty(instanceProfileArn))
try {
final Ern name = Ern.parse(instanceProfileArn);
if (!(name instanceof EuareResourceName)) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile ARN: " + instanceProfileArn);
}
profileAccount = name.getAccount();
profileName = ((EuareResourceName) name).getName();
} catch (JSONException e) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile ARN: " + instanceProfileArn, e);
}
else {
profileAccount = ownerFullName.getAccountNumber();
profileName = instanceProfileName;
}
final InstanceProfile profile;
try {
profile = Accounts.lookupInstanceProfileByName(profileAccount, profileName);
} catch (AuthException e) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile: " + profileAccount + "/" + profileName, e);
}
if (!Strings.isNullOrEmpty(instanceProfileName)
&& !instanceProfileName.equals(profile.getName())) {
throw new InvalidInstanceProfileMetadataException(
String.format(
"Invalid IAM instance profile name '%s' for ARN: %s",
profileName, instanceProfileArn));
}
try {
final AuthContextSupplier user = allocInfo.getAuthContext();
if (!Permissions.isAuthorized(
PolicySpec.VENDOR_IAM,
PolicySpec.IAM_RESOURCE_INSTANCE_PROFILE,
Accounts.getInstanceProfileFullName(profile),
AccountFullName.getInstance(profile.getAccountNumber()),
PolicySpec.IAM_LISTINSTANCEPROFILES,
user)) {
throw new IllegalMetadataAccessException(
String.format(
"Not authorized to access instance profile with ARN %s for %s",
profile.getInstanceProfileArn(), ownerFullName));
}
final Role role = profile.getRole();
if (role != null
&& !Permissions.isAuthorized(
PolicySpec.VENDOR_IAM,
PolicySpec.IAM_RESOURCE_ROLE,
Accounts.getRoleFullName(role),
AccountFullName.getInstance(role.getAccountNumber()),
PolicySpec.IAM_PASSROLE,
user)) {
throw new IllegalMetadataAccessException(
String.format(
"Not authorized to pass role with ARN %s for %s",
role.getRoleArn(), ownerFullName));
}
if (role != null) {
allocInfo.setInstanceProfileArn(profile.getInstanceProfileArn());
allocInfo.setIamInstanceProfileId(profile.getInstanceProfileId());
allocInfo.setIamRoleArn(role.getRoleArn());
} else {
throw new InvalidInstanceProfileMetadataException(
"Role not found for IAM instance profile ARN: " + profile.getInstanceProfileArn());
}
} catch (AuthException e) {
throw new MetadataException("IAM instance profile error", e);
}
}
return true;
}
