#!/usr/bin/python3

# -*- coding: utf-8 -*-

# Licensed to the Apache Software Foundation (ASF) under one

# or more contributor license agreements. See the NOTICE file

# distributed with this work for additional information

# regarding copyright ownership. The ASF licenses this file

# to you under the Apache License, Version 2.0 (the

# "License"); you may not use this file except in compliance

# with the License. You may obtain a copy of the License at

#

# http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing,

# software distributed under the License is distributed on an

# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

# KIND, either express or implied. See the License for the

# specific language governing permissions and limitations

# under the License.

import os

import sys

import uuid

from contextlib import closing

from optparse import OptionParser

try:

import mysql.connector

except ImportError:

print("mysql.connector cannot be imported, please install mysql-connector-python")

sys.exit(1)

dryrun = False

def runSql(conn, query):

if dryrun:

print("Running SQL query: " + query)

return

with closing(conn.cursor()) as cursor:

cursor.execute(query)

def migrateApiRolePermissions(apis, conn):

# All allow for root admin role Admin(id:1)

runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) values (UUID(), 1, '*', 'ALLOW', 0);")

# Migrate rules based on commands.properties rule for ResourceAdmin(id:2), DomainAdmin(id:3), User(id:4)

octetKey = {2:2, 3:4, 4:8}

for role in [2, 3, 4]:

sortOrder = 0

for api in sorted(apis.keys()):

# Ignore auth commands

if api in ['login', 'logout', 'samlSso', 'samlSlo', 'listIdps', 'listAndSwitchSamlAccount', 'getSPMetadata']:

continue

if (octetKey[role] & int(apis[api])) > 0:

runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) values (UUID(), %d, '%s', 'ALLOW', %d);" % (role, api, sortOrder))

sortOrder += 1

print("Static role permissions from commands.properties have been migrated into the db")

def enableDynamicApiChecker(conn):

runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where name='dynamic.apichecker.enabled'")

conn.commit()

conn.close()

print("Dynamic role based API checker has been enabled!")

def main():

parser = OptionParser()

parser.add_option("-b", "--db", action="store", type="string", dest="db", default="cloud",

help="The name of the database, default: cloud")

parser.add_option("-u", "--user", action="store", type="string", dest="user", default="cloud",

help="User name a MySQL user with privileges on cloud database")

parser.add_option("-p", "--password", action="store", type="string", dest="password", default="cloud",

help="Password of a MySQL user with privileges on cloud database")

parser.add_option("-H", "--host", action="store", type="string", dest="host", default="127.0.0.1",

help="Host or IP of the MySQL server")

parser.add_option("-P", "--port", action="store", type="int", dest="port", default=3306,

help="Host or IP of the MySQL server")

parser.add_option("-f", "--properties-file", action="store", type="string", dest="commandsfile", default="/etc/cloudstack/management/commands.properties",

help="The commands.properties file")

parser.add_option("-D", "--default", action="store_true", dest="defaultRules", default=False,

help="")

parser.add_option("-d", "--dryrun", action="store_true", dest="dryrun", default=False,

help="Dry run and debug operations this tool will perform")

(options, args) = parser.parse_args()

print("Apache CloudStack Role Permission Migration Tool")

print("(c) Apache CloudStack Authors and the ASF, under the Apache License, Version 2.0\n")

global dryrun

if options.dryrun:

dryrun = True

conn = mysql.connector.connect(

host=options.host,

user=options.user,

passwd=options.password,

port=int(options.port),

db=options.db)

if options.defaultRules:

print("Applying the default role permissions, ignoring any provided properties files(s).")

enableDynamicApiChecker(conn)

sys.exit(0)

if not os.path.isfile(options.commandsfile):

print("Provided commands.properties cannot be accessed or does not exist.")

print("Please check passed options, or run only with --default option to use the default role permissions.")

sys.exit(1)

while True:

choice = input("Running this migration tool will remove any " +

"default-role permissions from cloud.role_permissions. " +

"Do you want to continue? [y/N]").lower()

if choice == 'y':

break

else:

print("Aborting!")

sys.exit(1)

# Generate API to permission octet map

apiMap = {}

with open(options.commandsfile) as f:

for line in f.readlines():

if not line or line == '' or line == '\n' or line == '\r\n' or line.startswith('#'):

continue

name, value = line.split('=')

apiMap[name.strip()] = value.strip().split(';')[-1]

# Rename and deprecate old commands.properties file

if not dryrun:

os.rename(options.commandsfile, options.commandsfile + '.deprecated')

print("The commands.properties file has been deprecated and moved at: " + options.commandsfile + '.deprecated')

# Truncate any rules in cloud.role_permissions table

runSql(conn, "DELETE FROM `cloud`.`role_permissions` WHERE `role_id` in (1,2,3,4);")

# Migrate rules from commands.properties to cloud.role_permissions

migrateApiRolePermissions(apiMap, conn)

enableDynamicApiChecker(conn)

if __name__ == '__main__':

main()