/**
* Checks grants and transforms grantees into canonicalId from eucalyptus account id or email
* address
*
* @param acl
* @return
*/
public static AccessControlList scrubAcl(AccessControlList acl) {
AccessControlList scrubbed = new AccessControlList();
if (acl == null || acl.getGrants() == null || acl.getGrants().size() == 0) {
return scrubbed;
}
String canonicalId = null;
Grantee grantee;
CanonicalUser canonicalUser;
Group group;
String email;
for (Grant g : acl.getGrants()) {
grantee = g.getGrantee();
if (grantee == null) {
continue; // skip, no grantee
} else {
canonicalUser = grantee.getCanonicalUser();
group = grantee.getGroup();
email = grantee.getEmailAddress();
}
canonicalId = canonicalUser == null ? null : resolveCanonicalId(canonicalUser.getID());
if (canonicalId == null) {
try {
User user = Accounts.lookupUserByEmailAddress(email);
if (user != null && user.isAccountAdmin() && user.getAccount() != null) {
canonicalId = user.getAccount().getCanonicalId();
}
} catch (AuthException authEx) {
// no-op, we'll check the group
}
}
if (canonicalId == null && group != null && !Strings.isNullOrEmpty(group.getUri())) {
ObjectStorageProperties.S3_GROUP foundGroup = AclUtils.getGroupFromUri(group.getUri());
if (foundGroup == null) {
throw new NoSuchElementException("URI: " + group.getUri() + " not found in group map");
}
// Group URI, use as canonicalId for now.
canonicalId = group.getUri();
}
if (canonicalId == null) {
throw new NoSuchElementException("No canonicalId found for grant: " + g.toString());
} else {
if (grantee.getCanonicalUser() == null) {
grantee.setCanonicalUser(new CanonicalUser(canonicalId, ""));
} else {
grantee.getCanonicalUser().setID(canonicalId);
}
}
}
return acl;
}
/**
* Processes a list by finding all canned-acls and expanding those. The returned list is a new
* list that includes all non-canned ACL entries of the input as well as the expanded grants
* mapped to canned-acls
*
* <p>CannedAcls are Grants with Grantee = "", and Permision is the canned-acl string
*
* @param msgAcl
* @return
*/
public static AccessControlList expandCannedAcl(
@Nonnull AccessControlList msgAcl,
@Nullable final String bucketOwnerCanonicalId,
@Nullable final String objectOwnerCanonicalId)
throws EucalyptusCloudException {
if (msgAcl == null) {
throw new IllegalArgumentException("Null list received");
}
AccessControlList outputList = new AccessControlList();
if (outputList.getGrants() == null) {
// Should be handled by constructor of ACL, but just to be sure
outputList.setGrants(new ArrayList<Grant>());
}
final OwnerIdPair owners = new OwnerIdPair(bucketOwnerCanonicalId, objectOwnerCanonicalId);
String entryValue = null;
for (Grant msgGrant : msgAcl.getGrants()) {
entryValue =
msgGrant
.getPermission(); // The OSG binding populates the canned-acl in the permission field
try {
if (cannedAclMap.containsKey(entryValue)) {
outputList.getGrants().addAll(cannedAclMap.get(entryValue).apply(owners));
} else {
// add to output.
outputList.getGrants().add(msgGrant);
}
} catch (Exception e) {
// Failed. Stop now
throw new EucalyptusCloudException("Failed generating the full ACL from canned ACL", e);
}
}
return outputList;
}