示例#1
0
  @SuppressWarnings("unchecked")
  @Override
  public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
    List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
    if (policyGrpMap == null || policyGrpMap.size() == 0) {
      return new ArrayList<IAMPolicy>();
    }

    List<Long> policyIds = new ArrayList<Long>();
    for (IAMGroupPolicyMapVO pg : policyGrpMap) {
      policyIds.add(pg.getAclPolicyId());
    }

    SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
    permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);

    SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
    sb.and("ids", sb.entity().getId(), Op.IN);
    sb.join(
        "recursivePerm",
        permSb,
        sb.entity().getId(),
        permSb.entity().getAclPolicyId(),
        JoinBuilder.JoinType.INNER);

    SearchCriteria<IAMPolicyVO> sc = sb.create();
    sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
    sc.setJoinParameters("recursivePerm", "isRecursive", true);

    @SuppressWarnings("rawtypes")
    List policies = _aclPolicyDao.customSearch(sc, null);

    return policies;
  }
示例#2
0
  @DB
  @Override
  public IAMPolicy addIAMPermissionToIAMPolicy(
      long iamPolicyId,
      String entityType,
      String scope,
      Long scopeId,
      String action,
      String accessType,
      Permission perm,
      Boolean recursive) {
    // get the Acl Policy entity
    IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
    if (policy == null) {
      throw new InvalidParameterValueException(
          "Unable to find acl policy: " + iamPolicyId + "; failed to add permission to policy.");
    }

    // add entry in acl_policy_permission table
    IAMPolicyPermissionVO permit =
        _policyPermissionDao.findByPolicyAndEntity(
            iamPolicyId, entityType, scope, scopeId, action, perm);
    if (permit == null) {
      // not there already
      permit =
          new IAMPolicyPermissionVO(
              iamPolicyId, action, entityType, accessType, scope, scopeId, perm, recursive);
      _policyPermissionDao.persist(permit);
    }
    return policy;
  }
示例#3
0
  @Override
  public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
    IAMPolicy policy = _aclPolicyDao.findById(policyId);
    if (policy == null) {
      throw new InvalidParameterValueException(
          "Unable to find acl policy: " + policyId + "; failed to add policy to account.");
    }

    Transaction.execute(
        new TransactionCallbackNoReturn() {
          @Override
          public void doInTransactionWithoutResult(TransactionStatus status) {
            // add entries in acl_group_policy_map table
            for (Long acctId : acctIds) {
              IAMAccountPolicyMapVO acctMap =
                  _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
              if (acctMap == null) {
                // not there already
                acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
                _aclAccountPolicyMapDao.persist(acctMap);
              }
            }
          }
        });
  }
示例#4
0
  @SuppressWarnings("unchecked")
  @Override
  public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
    List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
    if (policyGrpMap == null || policyGrpMap.size() == 0) {
      return new ArrayList<IAMPolicy>();
    }

    List<Long> policyIds = new ArrayList<Long>();
    for (IAMGroupPolicyMapVO pg : policyGrpMap) {
      policyIds.add(pg.getAclPolicyId());
    }

    SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
    sb.and("ids", sb.entity().getId(), Op.IN);
    SearchCriteria<IAMPolicyVO> sc = sb.create();
    sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
    @SuppressWarnings("rawtypes")
    List policies = _aclPolicyDao.customSearch(sc, null);

    return policies;
  }
示例#5
0
  @SuppressWarnings("unchecked")
  @Override
  public List<IAMPolicy> listIAMPolicies(long accountId) {

    // static policies of the account
    SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
    groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);

    GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB =
        _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
    policySB.selectFields(policySB.entity().getAclPolicyId());
    policySB.join(
        "accountgroupjoin",
        groupSB,
        groupSB.entity().getAclGroupId(),
        policySB.entity().getAclGroupId(),
        JoinType.INNER);
    policySB.done();
    SearchCriteria<Long> policySc = policySB.create();
    policySc.setJoinParameters("accountgroupjoin", "account", accountId);

    List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
    // add policies directly attached to the account
    List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
    for (IAMAccountPolicyMapVO p : acctPolicies) {
      policyIds.add(p.getIamPolicyId());
    }
    if (policyIds.size() == 0) {
      return new ArrayList<IAMPolicy>();
    }
    SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
    sb.and("ids", sb.entity().getId(), Op.IN);
    SearchCriteria<IAMPolicyVO> sc = sb.create();
    sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
    @SuppressWarnings("rawtypes")
    List policies = _aclPolicyDao.customSearch(sc, null);

    return policies;
  }
示例#6
0
  @SuppressWarnings("unchecked")
  @Override
  public Pair<List<IAMPolicy>, Integer> listIAMPolicies(
      Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {

    if (iamPolicyId != null) {
      IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
      if (policy == null) {
        throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
      }
    }

    Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);

    SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
    sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
    sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
    sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);

    SearchCriteria<IAMPolicyVO> sc = sb.create();

    if (iamPolicyName != null) {
      sc.setParameters("name", iamPolicyName);
    }

    if (iamPolicyId != null) {
      sc.setParameters("id", iamPolicyId);
    }

    sc.setParameters("path", path + "%");

    Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
    @SuppressWarnings("rawtypes")
    List policyList = policies.first();
    return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
  }
示例#7
0
  @DB
  @Override
  public boolean deleteIAMPolicy(final long iamPolicyId) {
    // get the Acl Policy entity
    final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
    if (policy == null) {
      throw new InvalidParameterValueException(
          "Unable to find acl policy: " + iamPolicyId + "; failed to delete acl policy.");
    }

    Transaction.execute(
        new TransactionCallbackNoReturn() {
          @Override
          public void doInTransactionWithoutResult(TransactionStatus status) {
            // remove this role related entry in acl_group_role_map
            List<IAMGroupPolicyMapVO> groupPolicyMap =
                _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
            if (groupPolicyMap != null) {
              for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
                _aclGroupPolicyMapDao.remove(gr.getId());
              }
            }

            // remove this policy related entry in acl_account_policy_map table
            List<IAMAccountPolicyMapVO> policyAcctMap =
                _aclAccountPolicyMapDao.listByPolicyId(policy.getId());
            if (policyAcctMap != null) {
              for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
                _aclAccountPolicyMapDao.remove(policyAcct.getId());
              }
            }

            // remove this policy related entry in acl_policy_permission table
            List<IAMPolicyPermissionVO> policyPermMap =
                _policyPermissionDao.listByPolicy(policy.getId());
            if (policyPermMap != null) {
              for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
                _policyPermissionDao.remove(policyPerm.getId());
              }
            }

            // remove this role from acl_role table
            _aclPolicyDao.remove(iamPolicyId);
          }
        });

    return true;
  }
示例#8
0
  @DB
  @Override
  public IAMPolicy resetIAMPolicy(long iamPolicyId) {
    // get the Acl Policy entity
    IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
    if (policy == null) {
      throw new InvalidParameterValueException(
          "Unable to find acl policy: " + iamPolicyId + "; failed to reset the policy.");
    }

    SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
    sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
    sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
    sb.done();
    SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
    permissionSC.setParameters("policyId", iamPolicyId);
    _policyPermissionDao.expunge(permissionSC);

    return policy;
  }
示例#9
0
  @DB
  @Override
  public IAMPolicy createIAMPolicy(
      final String iamPolicyName,
      final String description,
      final Long parentPolicyId,
      final String path) {

    // check if the policy is already existing
    IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
    if (ro != null) {
      throw new InvalidParameterValueException(
          "Unable to create acl policy with name " + iamPolicyName + " already exisits");
    }

    IAMPolicy role =
        Transaction.execute(
            new TransactionCallback<IAMPolicy>() {
              @Override
              public IAMPolicy doInTransaction(TransactionStatus status) {
                IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
                rvo.setPath(path);

                IAMPolicy role = _aclPolicyDao.persist(rvo);
                if (parentPolicyId != null) {
                  // copy parent role permissions
                  List<IAMPolicyPermissionVO> perms =
                      _policyPermissionDao.listByPolicy(parentPolicyId);
                  if (perms != null) {
                    for (IAMPolicyPermissionVO perm : perms) {
                      perm.setAclPolicyId(role.getId());
                      _policyPermissionDao.persist(perm);
                    }
                  }
                }
                return role;
              }
            });

    return role;
  }
示例#10
0
 // search for policy with only one resource grant permission
 @Override
 public IAMPolicy getResourceGrantPolicy(
     String entityType, Long entityId, String accessType, String action) {
   List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
   for (IAMPolicyVO policy : policyList) {
     List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
     if (pp != null && pp.size() == 1) {
       // resource grant policy should only have one ACL permission assigned
       IAMPolicyPermission permit = pp.get(0);
       if (permit.getEntityType().equals(entityType)
           && permit.getScope().equals(PermissionScope.RESOURCE.toString())
           && permit.getScopeId().longValue() == entityId.longValue()) {
         if (accessType != null && permit.getAccessType().equals(accessType)) {
           return policy;
         } else if (action != null && permit.getAction().equals(action)) {
           return policy;
         }
       }
     }
   }
   return null;
 }
示例#11
0
 @DB
 @Override
 public IAMPolicy removeIAMPermissionFromIAMPolicy(
     long iamPolicyId, String entityType, String scope, Long scopeId, String action) {
   // get the Acl Policy entity
   IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
   if (policy == null) {
     throw new InvalidParameterValueException(
         "Unable to find acl policy: "
             + iamPolicyId
             + "; failed to revoke permission from policy.");
   }
   // remove entry from acl_entity_permission table
   IAMPolicyPermissionVO permit =
       _policyPermissionDao.findByPolicyAndEntity(
           iamPolicyId, entityType, scope, scopeId, action, Permission.Allow);
   if (permit != null) {
     // not removed yet
     _policyPermissionDao.remove(permit.getId());
   }
   return policy;
 }
示例#12
0
 @Override
 public IAMPolicy getResourceOwnerPolicy() {
   return _aclPolicyDao.findByName("RESOURCE_OWNER");
 }