Exemplo n.º 1
0
  public static void getVcenterTenantOptions(String id) {
    List<TenantOrgRestRep> vCenterTenantOptions = new ArrayList<TenantOrgRestRep>();
    if (StringUtils.isBlank(id) || id.equalsIgnoreCase("null")) {
      renderJSON(vCenterTenantOptions);
      return;
    }

    List<ACLEntry> vcenterAcls = VCenterUtils.getAcl(uri(id));
    if (CollectionUtils.isEmpty(vcenterAcls)) {
      renderJSON(vCenterTenantOptions);
      return;
    }

    addNoneTenantOption(id, vCenterTenantOptions);

    Iterator<ACLEntry> aclEntryIterator = vcenterAcls.iterator();
    while (aclEntryIterator.hasNext()) {
      ACLEntry aclEntry = aclEntryIterator.next();
      if (aclEntry == null) {
        continue;
      }

      TenantOrgRestRep tenantOrgRestRep = TenantUtils.getTenant(aclEntry.getTenant());
      if (tenantOrgRestRep != null) {
        vCenterTenantOptions.add(tenantOrgRestRep);
      }
    }
    renderJSON(vCenterTenantOptions);
  }
  /**
   * Validates the individual list of acl entries. It is not valid acl entries list, when an acl
   * entry contains more than one privilege or privileges other than USE and if the tenant provided
   * in the acl entry is not a valid tenant org.
   *
   * @param aclEntries acl entries to be validated.
   */
  private void validateAclEntries(List<ACLEntry> aclEntries) {
    if (CollectionUtils.isEmpty(aclEntries)) {
      return;
    }

    Iterator<ACLEntry> aclEntryIterator = aclEntries.iterator();
    while (aclEntryIterator.hasNext()) {
      ACLEntry aclEntry = aclEntryIterator.next();

      // If more than one privileges provided the ACL Entry, it is not supported
      // for vCenter ACL. Only USE ACL can be provided.
      if (aclEntry.getAces().size() != 1) {
        throw APIException.badRequests.unsupportedNumberOfPrivileges(
            URI.create(aclEntry.getTenant()), aclEntry.getAces());
      }

      if (!aclEntry.getAces().get(0).equalsIgnoreCase(ACL.USE.name())) {
        throw APIException.badRequests.unsupportedPrivilege(
            URI.create(aclEntry.getTenant()), aclEntry.getAces().get(0));
      }

      // Validate if the provided tenant is a valid tenant or not.
      URI tenantId = URI.create(aclEntry.getTenant());
      TenantOrg tenant = queryObject(TenantOrg.class, tenantId, true);
      ArgValidator.checkEntity(tenant, tenantId, isIdEmbeddedInURL(tenantId));
    }
  }
Exemplo n.º 3
0
    public void doReadAcls() {
      List<ACLEntry> aclEntries = VCenterUtils.getAcl(URI.create(this.id));
      if (CollectionUtils.isEmpty(aclEntries)) {
        if (!CollectionUtils.isEmpty(this.tenants)) {
          this.tenants.clear();
          this.tenant = "";
        }
        return;
      }

      this.tenants = new HashSet<String>();
      if (aclEntries.size() > 1) {
        Iterator<ACLEntry> aclIt = aclEntries.iterator();
        while (aclIt.hasNext()) {
          this.tenants.add(aclIt.next().getTenant());
        }
        renderArgs.put("disableCascadeTenancy", true);
      } else {
        ACLEntry aclEntry = aclEntries.iterator().next();
        this.tenant = aclEntry.getTenant();
        this.tenants.add(aclEntry.getTenant());
      }
    }
  /**
   * Checks if the user is authorized to view the vCenter. Authorized if, The user a TenantOrg user
   * of one the tenant that shares the vCenter. The user is a TenantAdmin of one of the tenant that
   * shares the vCenter.
   *
   * @param aclEntries the tenants list that shares the vCenter.
   */
  private void verifyAuthorizedInTenantOrg(List<ACLEntry> aclEntries) {
    boolean isUserAuthorized = false;
    StorageOSUser user = getUserFromContext();
    Iterator<ACLEntry> aclEntriesIterator = aclEntries.iterator();
    while (aclEntriesIterator.hasNext()) {
      ACLEntry aclEntry = aclEntriesIterator.next();
      if (aclEntry == null) {
        continue;
      }

      if (user.getTenantId().toString().equals(aclEntry.getTenant())
          || isSystemAdminOrMonitorUser()
          || _permissionsHelper.userHasGivenRole(
              user, URI.create(aclEntry.getTenant()), Role.TENANT_ADMIN)) {
        isUserAuthorized = true;
        break;
      }
    }

    if (!isUserAuthorized) {
      throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
    }
  }