APIChecker: Rename refactor and add interface checkExistence

yadvr · yadvr · commit 74bb043c37d2 · 2013-01-10T18:51:30.000-08:00
Signed-off-by: Rohit Yadav &lt;bhaisaab@apache.org&gt;
diff --git a/api/src/org/apache/cloudstack/acl/APIChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java
@@ -19,10 +19,10 @@
 import org.apache.cloudstack.acl.RoleType;
 import com.cloud.utils.component.Adapter;
 
-/**
- * APIAccessChecker checks the ownership and access control to API requests
- */
-public interface APIAccessChecker extends Adapter {
-    // Interface for checking access to an API for an user
-    boolean canAccessAPI(RoleType roleType, String apiCommandName);
+// APIChecker checks the ownership and access control to API requests
+public interface APIChecker extends Adapter {
+    // Interface for checking access for a role using apiname
+    boolean checkAccess(RoleType roleType, String apiCommandName);
+    // Interface for checking existence of an api by name
+    boolean checkExistence(String apiCommandName);
 }
diff --git a/client/tomcatconf/components.xml.in b/client/tomcatconf/components.xml.in
@@ -53,7 +53,7 @@ under the License.
         <dao name="Configuration configuration server" class="com.cloud.configuration.dao.ConfigurationDaoImpl">
              <param name="premium">true</param>
         </dao>
-        <adapters key="org.apache.cloudstack.acl.APIAccessChecker">
+        <adapters key="org.apache.cloudstack.acl.APIChecker">
             <adapter name="StaticRoleBasedAPIAccessChecker" class="org.apache.cloudstack.acl.StaticRoleBasedAPIAccessChecker"/>
         </adapters>
         <adapters key="com.cloud.agent.manager.allocator.HostAllocator">
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -29,13 +29,12 @@
 import java.util.Map;
 import java.util.Set;
 
-import static org.apache.cloudstack.acl.RoleType.*;
 import org.apache.log4j.Logger;
 
 // This is the default API access checker that grab's the user's account
 // based on the account type, access is granted
-@Local(value=APIAccessChecker.class)
-public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker {
+@Local(value=APIChecker.class)
+public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
 
     protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
 
@@ -50,10 +49,19 @@ protected StaticRoleBasedAPIAccessChecker() {
     }
 
     @Override
-    public boolean canAccessAPI(RoleType roleType, String commandName) {
+    public boolean checkAccess(RoleType roleType, String commandName) {
             return s_roleBasedApisMap.get(roleType).contains(commandName);
     }
 
+    @Override
+    public boolean checkExistence(String apiName) {
+        for (RoleType roleType: RoleType.values()) {
+            if (s_roleBasedApisMap.get(roleType).contains(apiName))
+                return true;
+        }
+        return false;
+    }
+
     @Override
     public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
         super.configure(name, params);
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
@@ -51,8 +51,7 @@
 import javax.servlet.http.HttpSession;
 
 import com.cloud.utils.ReflectUtil;
-import org.apache.cloudstack.acl.APIAccessChecker;
-import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.APIChecker;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.*;
 import org.apache.cloudstack.api.command.user.account.ListAccountsCmd;
@@ -146,8 +145,8 @@ public class ApiServer implements HttpRequestHandler {
     @Inject private DomainManager _domainMgr = null;
     @Inject private AsyncJobManager _asyncMgr = null;
 
-    @Inject(adapter = APIAccessChecker.class)
-    protected Adapters<APIAccessChecker> _apiAccessCheckers;
+    @Inject(adapter = APIChecker.class)
+    protected Adapters<APIChecker> _apiAccessCheckers;
 
     private Account _systemAccount = null;
     private User _systemUser = null;
@@ -558,7 +557,7 @@ public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userI
                 return true;
             } else {
                 // check against every available command to see if the command exists or not
-                if (!isCommandAvailable(null, commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
+                if (!doesCommandExist(commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
                     s_logger.debug("The given command:" + commandName + " does not exist or it is not available for user with id:" + userId);
                     throw new ServerApiException(BaseCmd.UNSUPPORTED_ACTION_ERROR, "The given command does not exist or it is not available for user");
                 }
@@ -790,17 +789,25 @@ public boolean verifyUser(Long userId) {
         return true;
     }
 
-    private boolean isCommandAvailable(User user, String commandName)
-            throws PermissionDeniedException {
+    private boolean doesCommandExist(String apiName) {
+        for (APIChecker apiChecker : _apiAccessCheckers) {
+            // If any checker has api info on the command, return true
+            if (apiChecker.checkExistence(apiName))
+                return true;
+        }
+        return false;
+    }
+
+    private boolean isCommandAvailable(User user, String commandName) {
         if (user == null) {
             return false;
         }
 
         Account account = _accountMgr.getAccount(user.getAccountId());
         RoleType roleType = _accountMgr.getRoleType(account);
-        for (APIAccessChecker apiChecker : _apiAccessCheckers) {
+        for (APIChecker apiChecker : _apiAccessCheckers) {
             // Fail the checking if any checker fails to verify
-            if (!apiChecker.canAccessAPI(roleType, commandName))
+            if (!apiChecker.checkAccess(roleType, commandName))
                 return false;
         }
         return true;
