/**
* Processes a list by finding all canned-acls and expanding those. The returned list is a new
* list that includes all non-canned ACL entries of the input as well as the expanded grants
* mapped to canned-acls
*
* <p>CannedAcls are Grants with Grantee = "", and Permision is the canned-acl string
*
* @param msgAcl
* @return
*/
public static AccessControlList expandCannedAcl(
@Nonnull AccessControlList msgAcl,
@Nullable final String bucketOwnerCanonicalId,
@Nullable final String objectOwnerCanonicalId)
throws EucalyptusCloudException {
if (msgAcl == null) {
throw new IllegalArgumentException("Null list received");
}
AccessControlList outputList = new AccessControlList();
if (outputList.getGrants() == null) {
// Should be handled by constructor of ACL, but just to be sure
outputList.setGrants(new ArrayList<Grant>());
}
final OwnerIdPair owners = new OwnerIdPair(bucketOwnerCanonicalId, objectOwnerCanonicalId);
String entryValue = null;
for (Grant msgGrant : msgAcl.getGrants()) {
entryValue =
msgGrant
.getPermission(); // The OSG binding populates the canned-acl in the permission field
try {
if (cannedAclMap.containsKey(entryValue)) {
outputList.getGrants().addAll(cannedAclMap.get(entryValue).apply(owners));
} else {
// add to output.
outputList.getGrants().add(msgGrant);
}
} catch (Exception e) {
// Failed. Stop now
throw new EucalyptusCloudException("Failed generating the full ACL from canned ACL", e);
}
}
return outputList;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
ArrayList<Grant> privateGrants = new ArrayList<Grant>();
Grant ownerFullControl = new Grant();
Grantee owner = new Grantee();
String displayName = "";
String ownerCanonicalId = null;
if (!Strings.isNullOrEmpty(ownerIds.getObjectOwnerCanonicalId())) {
ownerCanonicalId = ownerIds.getObjectOwnerCanonicalId();
} else {
ownerCanonicalId = ownerIds.getBucketOwnerCanonicalId();
}
try {
displayName = Accounts.lookupAccountByCanonicalId(ownerCanonicalId).getName();
} catch (AuthException e) {
displayName = "";
}
owner.setCanonicalUser(new CanonicalUser(ownerCanonicalId, displayName));
owner.setType("CanonicalUser");
ownerFullControl.setGrantee(owner);
ownerFullControl.setPermission(ObjectStorageProperties.Permission.FULL_CONTROL.toString());
privateGrants.add(ownerFullControl);
return privateGrants;
}
/**
* Checks grants and transforms grantees into canonicalId from eucalyptus account id or email
* address
*
* @param acl
* @return
*/
public static AccessControlList scrubAcl(AccessControlList acl) {
AccessControlList scrubbed = new AccessControlList();
if (acl == null || acl.getGrants() == null || acl.getGrants().size() == 0) {
return scrubbed;
}
String canonicalId = null;
Grantee grantee;
CanonicalUser canonicalUser;
Group group;
String email;
for (Grant g : acl.getGrants()) {
grantee = g.getGrantee();
if (grantee == null) {
continue; // skip, no grantee
} else {
canonicalUser = grantee.getCanonicalUser();
group = grantee.getGroup();
email = grantee.getEmailAddress();
}
canonicalId = canonicalUser == null ? null : resolveCanonicalId(canonicalUser.getID());
if (canonicalId == null) {
try {
User user = Accounts.lookupUserByEmailAddress(email);
if (user != null && user.isAccountAdmin() && user.getAccount() != null) {
canonicalId = user.getAccount().getCanonicalId();
}
} catch (AuthException authEx) {
// no-op, we'll check the group
}
}
if (canonicalId == null && group != null && !Strings.isNullOrEmpty(group.getUri())) {
ObjectStorageProperties.S3_GROUP foundGroup = AclUtils.getGroupFromUri(group.getUri());
if (foundGroup == null) {
throw new NoSuchElementException("URI: " + group.getUri() + " not found in group map");
}
// Group URI, use as canonicalId for now.
canonicalId = group.getUri();
}
if (canonicalId == null) {
throw new NoSuchElementException("No canonicalId found for grant: " + g.toString());
} else {
if (grantee.getCanonicalUser() == null) {
grantee.setCanonicalUser(new CanonicalUser(canonicalId, ""));
} else {
grantee.getCanonicalUser().setID(canonicalId);
}
}
}
return acl;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
List<Grant> grants = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
Grantee grantee = new Grantee();
grantee.setGroup(new Group(ObjectStorageProperties.S3_GROUP.EC2_BUNDLE_READ.toString()));
Grant grant = new Grant();
grant.setPermission(ObjectStorageProperties.Permission.READ.toString());
grant.setGrantee(grantee);
grants.add(grant);
return grants;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
List<Grant> awsExecRead = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
Grantee execReadGroup = new Grantee();
execReadGroup.setGroup(new Group(ObjectStorageProperties.S3_GROUP.AWS_EXEC_READ.toString()));
Grant execReadGrant = new Grant();
execReadGrant.setPermission(ObjectStorageProperties.Permission.READ.toString());
execReadGrant.setGrantee(execReadGroup);
awsExecRead.add(execReadGrant);
return awsExecRead;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
List<Grant> publicReadWrite = PublicReadGrantBuilder.INSTANCE.apply(ownerIds);
Grantee allUsers = new Grantee();
allUsers.setGroup(new Group(ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.toString()));
Grant allUsersGrant = new Grant();
allUsersGrant.setPermission(ObjectStorageProperties.Permission.WRITE.toString());
allUsersGrant.setGrantee(allUsers);
publicReadWrite.add(allUsersGrant);
return publicReadWrite;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
List<Grant> authenticatedRead = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
Grantee authenticatedUsers = new Grantee();
authenticatedUsers.setGroup(
new Group(ObjectStorageProperties.S3_GROUP.AUTHENTICATED_USERS_GROUP.toString()));
Grant authUsersGrant = new Grant();
authUsersGrant.setPermission(ObjectStorageProperties.Permission.READ.toString());
authUsersGrant.setGrantee(authenticatedUsers);
authenticatedRead.add(authUsersGrant);
return authenticatedRead;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
List<Grant> bucketOwnerRead = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
String canonicalId = ownerIds.getBucketOwnerCanonicalId();
String displayName = "";
try {
displayName = Accounts.lookupAccountByCanonicalId(canonicalId).getName();
} catch (AuthException e) {
displayName = "";
}
Grantee bucketOwner = new Grantee();
bucketOwner.setCanonicalUser(new CanonicalUser(canonicalId, displayName));
Grant bucketOwnerGrant = new Grant();
bucketOwnerGrant.setPermission(ObjectStorageProperties.Permission.READ.toString());
bucketOwnerGrant.setGrantee(bucketOwner);
bucketOwnerRead.add(bucketOwnerGrant);
return bucketOwnerRead;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
List<Grant> logDeliveryWrite = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
Grantee logGroup = new Grantee();
logGroup.setGroup(new Group(ObjectStorageProperties.S3_GROUP.LOGGING_GROUP.toString()));
Grant loggingWriteGrant = new Grant();
loggingWriteGrant.setPermission(ObjectStorageProperties.Permission.WRITE.toString());
loggingWriteGrant.setGrantee(logGroup);
Grant loggingReadAcpGrant = new Grant();
loggingReadAcpGrant.setPermission(ObjectStorageProperties.Permission.READ_ACP.toString());
loggingReadAcpGrant.setGrantee(logGroup);
logDeliveryWrite.add(loggingWriteGrant);
logDeliveryWrite.add(loggingReadAcpGrant);
return logDeliveryWrite;
}
