@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
if (policyGrpMap == null || policyGrpMap.size() == 0) {
return new ArrayList<IAMPolicy>();
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMGroupPolicyMapVO pg : policyGrpMap) {
policyIds.add(pg.getAclPolicyId());
}
SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
sb.join(
"recursivePerm",
permSb,
sb.entity().getId(),
permSb.entity().getAclPolicyId(),
JoinBuilder.JoinType.INNER);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
sc.setJoinParameters("recursivePerm", "isRecursive", true);
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@DB
@Override
public IAMPolicy addIAMPermissionToIAMPolicy(
long iamPolicyId,
String entityType,
String scope,
Long scopeId,
String action,
String accessType,
Permission perm,
Boolean recursive) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException(
"Unable to find acl policy: " + iamPolicyId + "; failed to add permission to policy.");
}
// add entry in acl_policy_permission table
IAMPolicyPermissionVO permit =
_policyPermissionDao.findByPolicyAndEntity(
iamPolicyId, entityType, scope, scopeId, action, perm);
if (permit == null) {
// not there already
permit =
new IAMPolicyPermissionVO(
iamPolicyId, action, entityType, accessType, scope, scopeId, perm, recursive);
_policyPermissionDao.persist(permit);
}
return policy;
}
@Override
public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException(
"Unable to find acl policy: " + policyId + "; failed to add policy to account.");
}
Transaction.execute(
new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long acctId : acctIds) {
IAMAccountPolicyMapVO acctMap =
_aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
if (acctMap == null) {
// not there already
acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
_aclAccountPolicyMapDao.persist(acctMap);
}
}
}
});
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
if (policyGrpMap == null || policyGrpMap.size() == 0) {
return new ArrayList<IAMPolicy>();
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMGroupPolicyMapVO pg : policyGrpMap) {
policyIds.add(pg.getAclPolicyId());
}
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listIAMPolicies(long accountId) {
// static policies of the account
SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB =
_aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join(
"accountgroupjoin",
groupSB,
groupSB.entity().getAclGroupId(),
policySB.entity().getAclGroupId(),
JoinType.INNER);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
// add policies directly attached to the account
List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
for (IAMAccountPolicyMapVO p : acctPolicies) {
policyIds.add(p.getIamPolicyId());
}
if (policyIds.size() == 0) {
return new ArrayList<IAMPolicy>();
}
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public Pair<List<IAMPolicy>, Integer> listIAMPolicies(
Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {
if (iamPolicyId != null) {
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
}
}
Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<IAMPolicyVO> sc = sb.create();
if (iamPolicyName != null) {
sc.setParameters("name", iamPolicyName);
}
if (iamPolicyId != null) {
sc.setParameters("id", iamPolicyId);
}
sc.setParameters("path", path + "%");
Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
@SuppressWarnings("rawtypes")
List policyList = policies.first();
return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
}
@DB
@Override
public boolean deleteIAMPolicy(final long iamPolicyId) {
// get the Acl Policy entity
final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException(
"Unable to find acl policy: " + iamPolicyId + "; failed to delete acl policy.");
}
Transaction.execute(
new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this role related entry in acl_group_role_map
List<IAMGroupPolicyMapVO> groupPolicyMap =
_aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this policy related entry in acl_account_policy_map table
List<IAMAccountPolicyMapVO> policyAcctMap =
_aclAccountPolicyMapDao.listByPolicyId(policy.getId());
if (policyAcctMap != null) {
for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
_aclAccountPolicyMapDao.remove(policyAcct.getId());
}
}
// remove this policy related entry in acl_policy_permission table
List<IAMPolicyPermissionVO> policyPermMap =
_policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this role from acl_role table
_aclPolicyDao.remove(iamPolicyId);
}
});
return true;
}
@DB
@Override
public IAMPolicy resetIAMPolicy(long iamPolicyId) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException(
"Unable to find acl policy: " + iamPolicyId + "; failed to reset the policy.");
}
SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
sb.done();
SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
permissionSC.setParameters("policyId", iamPolicyId);
_policyPermissionDao.expunge(permissionSC);
return policy;
}
@DB
@Override
public IAMPolicy createIAMPolicy(
final String iamPolicyName,
final String description,
final Long parentPolicyId,
final String path) {
// check if the policy is already existing
IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl policy with name " + iamPolicyName + " already exisits");
}
IAMPolicy role =
Transaction.execute(
new TransactionCallback<IAMPolicy>() {
@Override
public IAMPolicy doInTransaction(TransactionStatus status) {
IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
rvo.setPath(path);
IAMPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<IAMPolicyPermissionVO> perms =
_policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (IAMPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
}
// search for policy with only one resource grant permission
@Override
public IAMPolicy getResourceGrantPolicy(
String entityType, Long entityId, String accessType, String action) {
List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
for (IAMPolicyVO policy : policyList) {
List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
if (pp != null && pp.size() == 1) {
// resource grant policy should only have one ACL permission assigned
IAMPolicyPermission permit = pp.get(0);
if (permit.getEntityType().equals(entityType)
&& permit.getScope().equals(PermissionScope.RESOURCE.toString())
&& permit.getScopeId().longValue() == entityId.longValue()) {
if (accessType != null && permit.getAccessType().equals(accessType)) {
return policy;
} else if (action != null && permit.getAction().equals(action)) {
return policy;
}
}
}
}
return null;
}
@DB
@Override
public IAMPolicy removeIAMPermissionFromIAMPolicy(
long iamPolicyId, String entityType, String scope, Long scopeId, String action) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException(
"Unable to find acl policy: "
+ iamPolicyId
+ "; failed to revoke permission from policy.");
}
// remove entry from acl_entity_permission table
IAMPolicyPermissionVO permit =
_policyPermissionDao.findByPolicyAndEntity(
iamPolicyId, entityType, scope, scopeId, action, Permission.Allow);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
return policy;
}
@Override
public IAMPolicy getResourceOwnerPolicy() {
return _aclPolicyDao.findByName("RESOURCE_OWNER");
}