public static void getVcenterTenantOptions(String id) {
List<TenantOrgRestRep> vCenterTenantOptions = new ArrayList<TenantOrgRestRep>();
if (StringUtils.isBlank(id) || id.equalsIgnoreCase("null")) {
renderJSON(vCenterTenantOptions);
return;
}
List<ACLEntry> vcenterAcls = VCenterUtils.getAcl(uri(id));
if (CollectionUtils.isEmpty(vcenterAcls)) {
renderJSON(vCenterTenantOptions);
return;
}
addNoneTenantOption(id, vCenterTenantOptions);
Iterator<ACLEntry> aclEntryIterator = vcenterAcls.iterator();
while (aclEntryIterator.hasNext()) {
ACLEntry aclEntry = aclEntryIterator.next();
if (aclEntry == null) {
continue;
}
TenantOrgRestRep tenantOrgRestRep = TenantUtils.getTenant(aclEntry.getTenant());
if (tenantOrgRestRep != null) {
vCenterTenantOptions.add(tenantOrgRestRep);
}
}
renderJSON(vCenterTenantOptions);
}
/**
* Validates the individual list of acl entries. It is not valid acl entries list, when an acl
* entry contains more than one privilege or privileges other than USE and if the tenant provided
* in the acl entry is not a valid tenant org.
*
* @param aclEntries acl entries to be validated.
*/
private void validateAclEntries(List<ACLEntry> aclEntries) {
if (CollectionUtils.isEmpty(aclEntries)) {
return;
}
Iterator<ACLEntry> aclEntryIterator = aclEntries.iterator();
while (aclEntryIterator.hasNext()) {
ACLEntry aclEntry = aclEntryIterator.next();
// If more than one privileges provided the ACL Entry, it is not supported
// for vCenter ACL. Only USE ACL can be provided.
if (aclEntry.getAces().size() != 1) {
throw APIException.badRequests.unsupportedNumberOfPrivileges(
URI.create(aclEntry.getTenant()), aclEntry.getAces());
}
if (!aclEntry.getAces().get(0).equalsIgnoreCase(ACL.USE.name())) {
throw APIException.badRequests.unsupportedPrivilege(
URI.create(aclEntry.getTenant()), aclEntry.getAces().get(0));
}
// Validate if the provided tenant is a valid tenant or not.
URI tenantId = URI.create(aclEntry.getTenant());
TenantOrg tenant = queryObject(TenantOrg.class, tenantId, true);
ArgValidator.checkEntity(tenant, tenantId, isIdEmbeddedInURL(tenantId));
}
}
public void doReadAcls() {
List<ACLEntry> aclEntries = VCenterUtils.getAcl(URI.create(this.id));
if (CollectionUtils.isEmpty(aclEntries)) {
if (!CollectionUtils.isEmpty(this.tenants)) {
this.tenants.clear();
this.tenant = "";
}
return;
}
this.tenants = new HashSet<String>();
if (aclEntries.size() > 1) {
Iterator<ACLEntry> aclIt = aclEntries.iterator();
while (aclIt.hasNext()) {
this.tenants.add(aclIt.next().getTenant());
}
renderArgs.put("disableCascadeTenancy", true);
} else {
ACLEntry aclEntry = aclEntries.iterator().next();
this.tenant = aclEntry.getTenant();
this.tenants.add(aclEntry.getTenant());
}
}
/**
* Checks if the user is authorized to view the vCenter. Authorized if, The user a TenantOrg user
* of one the tenant that shares the vCenter. The user is a TenantAdmin of one of the tenant that
* shares the vCenter.
*
* @param aclEntries the tenants list that shares the vCenter.
*/
private void verifyAuthorizedInTenantOrg(List<ACLEntry> aclEntries) {
boolean isUserAuthorized = false;
StorageOSUser user = getUserFromContext();
Iterator<ACLEntry> aclEntriesIterator = aclEntries.iterator();
while (aclEntriesIterator.hasNext()) {
ACLEntry aclEntry = aclEntriesIterator.next();
if (aclEntry == null) {
continue;
}
if (user.getTenantId().toString().equals(aclEntry.getTenant())
|| isSystemAdminOrMonitorUser()
|| _permissionsHelper.userHasGivenRole(
user, URI.create(aclEntry.getTenant()), Role.TENANT_ADMIN)) {
isUserAuthorized = true;
break;
}
}
if (!isUserAuthorized) {
throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
}
}
