/**
* Ensures the the policy is not empty. If found empty or null, a 'private' policy is generated
* and returned. If creating for an object, the BucketOwnerCanonicalId must not be null. If found
* null, then a bucket-creation is expected and ACLs will be expanded as such.
*
* @param requestUser
* @param policy
* @return
*/
public static AccessControlPolicy processNewResourcePolicy(
@Nonnull User requestUser,
@Nullable AccessControlPolicy policy,
@Nullable String bucketOwnerCanonicalId)
throws Exception {
AccessControlPolicy acPolicy = null;
if (policy != null) {
acPolicy = policy;
} else {
acPolicy = new AccessControlPolicy();
}
if (acPolicy.getOwner() == null) {
acPolicy.setOwner(buildCanonicalUser(requestUser.getAccount()));
}
if (acPolicy.getAccessControlList() == null) {
acPolicy.setAccessControlList(new AccessControlList());
}
if (acPolicy.getAccessControlList().getGrants() == null
|| acPolicy.getAccessControlList().getGrants().size() == 0) {
// Add default 'fullcontrol' grant for owner.
acPolicy
.getAccessControlList()
.getGrants()
.add(
new Grant(
new Grantee(buildCanonicalUser(requestUser.getAccount())),
ObjectStorageProperties.Permission.FULL_CONTROL.toString()));
}
if (bucketOwnerCanonicalId != null) {
acPolicy.setAccessControlList(
AclUtils.expandCannedAcl(
acPolicy.getAccessControlList(),
bucketOwnerCanonicalId,
requestUser.getAccount().getCanonicalId()));
} else {
acPolicy.setAccessControlList(
AclUtils.expandCannedAcl(
acPolicy.getAccessControlList(), requestUser.getAccount().getCanonicalId(), null));
}
return acPolicy;
}
/**
* Checks grants and transforms grantees into canonicalId from eucalyptus account id or email
* address
*
* @param acl
* @return
*/
public static AccessControlList scrubAcl(AccessControlList acl) {
AccessControlList scrubbed = new AccessControlList();
if (acl == null || acl.getGrants() == null || acl.getGrants().size() == 0) {
return scrubbed;
}
String canonicalId = null;
Grantee grantee;
CanonicalUser canonicalUser;
Group group;
String email;
for (Grant g : acl.getGrants()) {
grantee = g.getGrantee();
if (grantee == null) {
continue; // skip, no grantee
} else {
canonicalUser = grantee.getCanonicalUser();
group = grantee.getGroup();
email = grantee.getEmailAddress();
}
canonicalId = canonicalUser == null ? null : resolveCanonicalId(canonicalUser.getID());
if (canonicalId == null) {
try {
User user = Accounts.lookupUserByEmailAddress(email);
if (user != null && user.isAccountAdmin() && user.getAccount() != null) {
canonicalId = user.getAccount().getCanonicalId();
}
} catch (AuthException authEx) {
// no-op, we'll check the group
}
}
if (canonicalId == null && group != null && !Strings.isNullOrEmpty(group.getUri())) {
ObjectStorageProperties.S3_GROUP foundGroup = AclUtils.getGroupFromUri(group.getUri());
if (foundGroup == null) {
throw new NoSuchElementException("URI: " + group.getUri() + " not found in group map");
}
// Group URI, use as canonicalId for now.
canonicalId = group.getUri();
}
if (canonicalId == null) {
throw new NoSuchElementException("No canonicalId found for grant: " + g.toString());
} else {
if (grantee.getCanonicalUser() == null) {
grantee.setCanonicalUser(new CanonicalUser(canonicalId, ""));
} else {
grantee.getCanonicalUser().setID(canonicalId);
}
}
}
return acl;
}
