diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index e3209474563b..294bc6e84efc 100644 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -16,6 +16,54 @@ // under the License. package com.cloud.user; +import java.net.InetAddress; +import java.net.URLEncoder; +import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.UUID; +import java.util.concurrent.Executors; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.TimeUnit; + +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import javax.inject.Inject; +import javax.naming.ConfigurationException; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; + +import org.apache.cloudstack.acl.ControlledEntity; +import org.apache.cloudstack.acl.QuerySelector; +import org.apache.cloudstack.acl.RoleType; +import org.apache.cloudstack.acl.SecurityChecker; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.affinity.AffinityGroup; +import org.apache.cloudstack.affinity.dao.AffinityGroupDao; +import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; +import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd; +import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd; +import org.apache.cloudstack.api.command.admin.user.RegisterCmd; +import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; +import org.apache.cloudstack.context.CallContext; +import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; +import org.apache.cloudstack.framework.config.ConfigKey; +import org.apache.cloudstack.framework.config.dao.ConfigurationDao; +import org.apache.cloudstack.framework.messagebus.MessageBus; +import org.apache.cloudstack.framework.messagebus.PublishScope; +import org.apache.cloudstack.managed.context.ManagedContextRunnable; +import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao; +import org.apache.cloudstack.utils.baremetal.BaremetalUtils; + import com.cloud.api.ApiDBUtils; import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.configuration.Config; @@ -123,53 +171,6 @@ import com.cloud.vm.snapshot.VMSnapshotManager; import com.cloud.vm.snapshot.VMSnapshotVO; import com.cloud.vm.snapshot.dao.VMSnapshotDao; -import org.apache.cloudstack.acl.ControlledEntity; -import org.apache.cloudstack.acl.QuerySelector; -import org.apache.cloudstack.acl.RoleType; -import org.apache.cloudstack.acl.SecurityChecker; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.affinity.AffinityGroup; -import org.apache.cloudstack.affinity.dao.AffinityGroupDao; -import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; -import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd; -import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd; -import org.apache.cloudstack.api.command.admin.user.RegisterCmd; -import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; -import org.apache.cloudstack.framework.config.ConfigKey; -import org.apache.cloudstack.framework.config.dao.ConfigurationDao; -import org.apache.cloudstack.framework.messagebus.MessageBus; -import org.apache.cloudstack.framework.messagebus.PublishScope; -import org.apache.cloudstack.managed.context.ManagedContextRunnable; -import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao; -import org.apache.cloudstack.utils.baremetal.BaremetalUtils; -import org.apache.commons.codec.binary.Base64; -import org.apache.commons.lang.StringUtils; -import org.apache.log4j.Logger; - -import javax.crypto.KeyGenerator; -import javax.crypto.Mac; -import javax.crypto.SecretKey; -import javax.crypto.spec.SecretKeySpec; -import javax.inject.Inject; -import javax.naming.ConfigurationException; -import java.net.InetAddress; -import java.net.URLEncoder; -import java.security.NoSuchAlgorithmException; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import java.util.UUID; -import java.util.concurrent.Executors; -import java.util.concurrent.ScheduledExecutorService; -import java.util.concurrent.TimeUnit; - - public class AccountManagerImpl extends ManagerBase implements AccountManager, Manager { public static final Logger s_logger = Logger.getLogger(AccountManagerImpl.class); @@ -350,7 +351,7 @@ public boolean configure(final String name, final Map params) th public UserVO getSystemUser() { if (_systemUser == null) { _systemUser = _userDao.findById(User.UID_SYSTEM); - } + } return _systemUser; } @@ -493,7 +494,6 @@ public void checkAccess(Account caller, Domain domain) throws PermissionDeniedEx throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + domain); } - @Override public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) { checkAccess(caller, accessType, sameOwner, null, entities); @@ -535,8 +535,8 @@ public void checkAccess(Account caller, AccessType accessType, boolean sameOwner Account account = ApiDBUtils.findAccountById(entity.getAccountId()); domainId = account != null ? account.getDomainId() : -1; } - if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && - !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) { + if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) + && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) { List toBeChecked = domains.get(entity.getDomainId()); // for templates, we don't have to do cross domains check if (toBeChecked == null) { @@ -614,13 +614,13 @@ public void updateLoginAttempts(final Long id, final int attempts, final boolean Transaction.execute(new TransactionCallbackNoReturn() { @Override public void doInTransactionWithoutResult(TransactionStatus status) { - UserAccountVO user = null; - user = _userAccountDao.lockRow(id, true); - user.setLoginAttempts(attempts); + UserAccountVO user = null; + user = _userAccountDao.lockRow(id, true); + user.setLoginAttempts(attempts); if (toDisable) { - user.setState(State.disabled.toString()); - } - _userAccountDao.update(id, user); + user.setState(State.disabled.toString()); + } + _userAccountDao.update(id, user); } }); } catch (Exception e) { @@ -855,9 +855,7 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId, Account c for (IpAddress ip : ipsToRelease) { s_logger.debug("Releasing ip " + ip + " as a part of account id=" + accountId + " cleanup"); if (!_ipAddrMgr.disassociatePublicIpAddress(ip.getId(), callerUserId, caller)) { - s_logger.warn("Failed to release ip address " + ip - + " as a part of account id=" + accountId - + " clenaup"); + s_logger.warn("Failed to release ip address " + ip + " as a part of account id=" + accountId + " clenaup"); accountCleanupNeeded = true; } } @@ -900,8 +898,8 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId, Account c List ipsToRelease = _ipAddressDao.listByAccount(accountId); for (IpAddress ip : ipsToRelease) { if (ip.isPortable()) { - s_logger.debug("Releasing portable ip " + ip + " as a part of account id=" + accountId + " cleanup"); - _ipAddrMgr.releasePortableIpAddress(ip.getId()); + s_logger.debug("Releasing portable ip " + ip + " as a part of account id=" + accountId + " cleanup"); + _ipAddrMgr.releasePortableIpAddress(ip.getId()); } } @@ -930,7 +928,7 @@ protected boolean cleanupAccount(AccountVO account, long callerUserId, Account c // Delete ssh keypairs List sshkeypairs = _sshKeyPairDao.listKeyPairs(accountId, account.getDomainId()); - for (SSHKeyPairVO keypair: sshkeypairs) { + for (SSHKeyPairVO keypair : sshkeypairs) { _sshKeyPairDao.remove(keypair.getId()); } return true; @@ -994,9 +992,7 @@ private boolean doDisableAccount(long accountId) throws ConcurrentOperationExcep try { _itMgr.advanceStop(vm.getUuid(), false); } catch (OperationTimedoutException ote) { - s_logger.warn( - "Operation for stopping vm timed out, unable to stop vm " - + vm.getHostName(), ote); + s_logger.warn("Operation for stopping vm timed out, unable to stop vm " + vm.getHostName(), ote); success = false; } } catch (AgentUnavailableException aue) { @@ -1009,15 +1005,14 @@ private boolean doDisableAccount(long accountId) throws ConcurrentOperationExcep } @Override - @ActionEvents({ - @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), - @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") - }) + @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), + @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")}) public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, final String timezone, - String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map details, String accountUUID, final String userUUID) { + String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map details, String accountUUID, + final String userUUID) { - return createUserAccount(userName, password, firstName, lastName, email, timezone, accountName, accountType, roleId, domainId, networkDomain, details, accountUUID, userUUID, - User.Source.UNKNOWN); + return createUserAccount(userName, password, firstName, lastName, email, timezone, accountName, accountType, roleId, domainId, networkDomain, details, accountUUID, + userUUID, User.Source.UNKNOWN); } // /////////////////////////////////////////////////// @@ -1026,13 +1021,11 @@ public UserAccount createUserAccount(final String userName, final String passwor @Override @DB - @ActionEvents({ - @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), - @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") - }) - public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, - final String timezone, String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map details, - String accountUUID, final String userUUID, final User.Source source) { + @ActionEvents({@ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_CREATE, eventDescription = "creating Account"), + @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")}) + public UserAccount createUserAccount(final String userName, final String password, final String firstName, final String lastName, final String email, final String timezone, + String accountName, final short accountType, final Long roleId, Long domainId, final String networkDomain, final Map details, String accountUUID, + final String userUUID, final User.Source source) { if (accountName == null) { accountName = userName; @@ -1120,8 +1113,8 @@ public Pair doInTransaction(TransactionStatus status) { @Override @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") - public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, - String userUUID, User.Source source) { + public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID, + User.Source source) { // default domain to ROOT if not specified if (domainId == null) { domainId = Domain.ROOT_DOMAIN; @@ -1156,14 +1149,15 @@ public UserVO createUser(String userName, String password, String firstName, Str @Override @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User") public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, - String userUUID) { + String userUUID) { - return createUser(userName, password, firstName,lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN); + return createUser(userName, password, firstName, lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN); } @Override @ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = "updating User") - public UserAccount updateUser(Long userId, String firstName, String lastName, String email, String userName, String password, String apiKey, String secretKey, String timeZone) { + public UserAccount updateUser(Long userId, String firstName, String lastName, String email, String userName, String password, String apiKey, String secretKey, + String timeZone) { // Input validation UserVO user = _userDao.getUser(userId); @@ -1298,7 +1292,7 @@ public UserAccount updateUser(UpdateUserCmd cmd) { String timeZone = cmd.getTimezone(); String userName = cmd.getUsername(); - return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey, timeZone); + return updateUser(id, firstName, lastName, email, userName, password, apiKey, secretKey, timeZone); } @Override @@ -1556,8 +1550,7 @@ public AccountVO lockAccount(String accountName, Long domainId, Long accountId) } if (account == null || account.getType() == Account.ACCOUNT_TYPE_PROJECT) { - throw new InvalidParameterValueException("Unable to find active account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + - domainId); + throw new InvalidParameterValueException("Unable to find active account by accountId: " + accountId + " OR by name: " + accountName + " in domain " + domainId); } if (account.getId() == Account.ACCOUNT_ID_SYSTEM) { @@ -1645,8 +1638,8 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) { // to // update // itself - throw new InvalidParameterValueException("There already exists an account with the name:" + newAccountName + " in the domain:" + domainId + - " with existing account id:" + duplicateAcccount.getId()); + throw new InvalidParameterValueException( + "There already exists an account with the name:" + newAccountName + " in the domain:" + domainId + " with existing account id:" + duplicateAcccount.getId()); } if (networkDomain != null && !networkDomain.isEmpty()) { @@ -1674,9 +1667,9 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) { public Boolean doInTransaction(TransactionStatus status) { boolean success = _accountDao.update(accountFinal.getId(), acctForUpdate); - if (details != null && success) { + if (details != null && success) { _accountDetailsDao.update(accountFinal.getId(), details); - } + } return success; } @@ -1919,8 +1912,8 @@ public void markUserRegistered(long userId) { @Override @DB - public AccountVO createAccount(final String accountName, final short accountType, final Long roleId, final Long domainId, final String networkDomain, final Map details, - final String uuid) { + public AccountVO createAccount(final String accountName, final short accountType, final Long roleId, final Long domainId, final String networkDomain, + final Map details, final String uuid) { // Validate domain Domain domain = _domainMgr.getDomain(domainId); if (domain == null) { @@ -1932,7 +1925,8 @@ public AccountVO createAccount(final String accountName, final short accountType } if ((domainId != Domain.ROOT_DOMAIN) && (accountType == Account.ACCOUNT_TYPE_ADMIN)) { - throw new InvalidParameterValueException("Invalid account type " + accountType + " given for an account in domain " + domainId + "; unable to create user of admin role type in non-ROOT domain."); + throw new InvalidParameterValueException( + "Invalid account type " + accountType + " given for an account in domain " + domainId + "; unable to create user of admin role type in non-ROOT domain."); } // Validate account/user/domain settings @@ -1964,37 +1958,37 @@ public AccountVO createAccount(final String accountName, final short accountType return Transaction.execute(new TransactionCallback() { @Override public AccountVO doInTransaction(TransactionStatus status) { - AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid)); + AccountVO account = _accountDao.persist(new AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid)); - if (account == null) { - throw new CloudRuntimeException("Failed to create account name " + accountName + " in domain id=" + domainId); - } + if (account == null) { + throw new CloudRuntimeException("Failed to create account name " + accountName + " in domain id=" + domainId); + } - Long accountId = account.getId(); + Long accountId = account.getId(); - if (details != null) { - _accountDetailsDao.persist(accountId, details); - } + if (details != null) { + _accountDetailsDao.persist(accountId, details); + } - // Create resource count records for the account - _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account); + // Create resource count records for the account + _resourceCountDao.createResourceCounts(accountId, ResourceLimit.ResourceOwnerType.Account); - // Create default security group - _networkGroupMgr.createDefaultSecurityGroup(accountId); + // Create default security group + _networkGroupMgr.createDefaultSecurityGroup(accountId); - return account; - } + return account; + } }); } protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID, - User.Source source) { + User.Source source) { if (s_logger.isDebugEnabled()) { s_logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone); } String encodedPassword = null; - for (UserAuthenticator authenticator : _userPasswordEncoders) { + for (UserAuthenticator authenticator : _userPasswordEncoders) { encodedPassword = authenticator.encode(password); if (encodedPassword != null) { break; @@ -2005,7 +1999,7 @@ protected UserVO createUser(long accountId, String userName, String password, St } if (userUUID == null) { - userUUID = UUID.randomUUID().toString(); + userUUID = UUID.randomUUID().toString(); } UserVO user = _userDao.persist(new UserVO(accountId, userName, encodedPassword, firstName, lastName, email, timezone, userUUID, source)); CallContext.current().putContextParameter(User.class, user.getUuid()); @@ -2135,8 +2129,8 @@ public UserAccount authenticateUser(String username, String password, Long domai s_logger.debug("User: " + username + " in domain " + domainId + " has successfully logged in"); } - ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, "user has logged in from IP Address " + - loginIpAddress); + ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, + "user has logged in from IP Address " + loginIpAddress); return user; } else { @@ -2155,10 +2149,10 @@ private UserAccount getUserAccount(String username, String password, Long domain boolean authenticated = false; HashSet actionsOnFailedAuthenticaion = new HashSet(); - User.Source userSource = userAccount != null ? userAccount.getSource(): User.Source.UNKNOWN; + User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN; for (UserAuthenticator authenticator : _userAuthenticators) { - if(userSource != User.Source.UNKNOWN) { - if(!authenticator.getName().equalsIgnoreCase(userSource.name())){ + if (userSource != User.Source.UNKNOWN) { + if (!authenticator.getName().equalsIgnoreCase(userSource.name())) { continue; } } @@ -2182,12 +2176,12 @@ private UserAccount getUserAccount(String username, String password, Long domain } userAccount = _userAccountDao.getUserAccount(username, domainId); - if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || - !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) { + if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) { if (s_logger.isInfoEnabled()) { s_logger.info("User " + username + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)"); } - throw new CloudAuthenticationException("User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the administrator."); + throw new CloudAuthenticationException( + "User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the administrator."); } // Whenever the user is able to log in successfully, reset the login attempts to zero if (!isInternalAccount(userAccount.getId())) @@ -2231,17 +2225,17 @@ public Pair findUserByApiKey(String apiKey) { } @Override - public Map getKeys(GetUserKeysCmd cmd){ + public Map getKeys(GetUserKeysCmd cmd) { final long userId = cmd.getID(); User user = getActiveUser(userId); - if(user==null){ + if (user == null) { throw new InvalidParameterValueException("Unable to find user by id"); } final ControlledEntity account = getAccount(getUserAccountById(userId).getAccountId()); //Extracting the Account from the userID of the requested user. checkAccess(CallContext.current().getCallingUser(), account); - Map keys = new HashMap(); + Map keys = new HashMap(); keys.put("apikey", user.getApiKey()); keys.put("secretkey", user.getSecretKey()); @@ -2277,8 +2271,8 @@ public String[] createApiKeyAndSecretKey(RegisterCmd cmd) { Transaction.execute(new TransactionCallbackNoReturn() { @Override public void doInTransactionWithoutResult(TransactionStatus status) { - keys[0] = createUserApiKey(userId); - keys[1] = createUserSecretKey(userId); + keys[0] = createUserApiKey(userId); + keys[1] = createUserSecretKey(userId); } }); @@ -2359,18 +2353,16 @@ private String createUserSecretKey(long userId) { return null; } - - @Override - public void buildACLSearchBuilder(SearchBuilder sb, - Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { if (sb.entity() instanceof IPAddressVO) { - sb.and("accountIdIN", ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN); - sb.and("domainId", ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ); + sb.and("accountIdIN", ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN); + sb.and("domainId", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ); } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.and("accountIdIN", ((ProjectInvitationVO) sb.entity()).getForAccountId(), SearchCriteria.Op.IN); - sb.and("domainId", ((ProjectInvitationVO) sb.entity()).getInDomainId(), SearchCriteria.Op.EQ); + sb.and("accountIdIN", ((ProjectInvitationVO)sb.entity()).getForAccountId(), SearchCriteria.Op.IN); + sb.and("domainId", ((ProjectInvitationVO)sb.entity()).getInDomainId(), SearchCriteria.Op.EQ); } else { sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ); @@ -2382,9 +2374,9 @@ public void buildACLSearchBuilder(SearchBuilder sb, domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE); if (sb.entity() instanceof IPAddressVO) { - sb.join("domainSearch", domainSearch, ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("domainSearch", domainSearch, ((ProjectInvitationVO)sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else { sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); } @@ -2399,9 +2391,9 @@ public void buildACLSearchBuilder(SearchBuilder sb, } if (sb.entity() instanceof IPAddressVO) { - sb.join("accountSearch", accountSearch, ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("accountSearch", accountSearch, ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else if (sb.entity() instanceof ProjectInvitationVO) { - sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); + sb.join("accountSearch", accountSearch, ((ProjectInvitationVO)sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); } else { sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER); } @@ -2409,8 +2401,8 @@ public void buildACLSearchBuilder(SearchBuilder sb, } @Override - public void buildACLSearchCriteria(SearchCriteria sc, - Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { if (listProjectResourcesCriteria != null) { sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT); @@ -2472,6 +2464,11 @@ public void buildACLSearchParameters(Account caller, Long id, String accountName if (projectId.longValue() == -1) { if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId())); + + //permittedAccounts can be empty when the caller is not a part of any project (a domain account) + if (permittedAccounts.isEmpty()) { + permittedAccounts.add(caller.getId()); + } } else { domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly); } @@ -2516,10 +2513,9 @@ public void buildACLSearchParameters(Account caller, Long id, String accountName } - @Override - public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, - boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ); @@ -2540,10 +2536,9 @@ public void buildACLViewSearchBuilder(SearchBuilder sc, - Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { if (listProjectResourcesCriteria != null) { sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT); } @@ -2561,13 +2556,11 @@ public void buildACLViewSearchCriteria(SearchCriteria listAclGroupsByAccount(Long accountId) { if (_querySelectors == null || _querySelectors.size() == 0) @@ -2594,8 +2587,8 @@ public Long finalyzeAccountId(final String accountName, final Long domainId, fin if (!enabledOnly || account.getState() == Account.State.enabled) { return account.getId(); } else { - throw new PermissionDeniedException("Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() + - " as it's no longer active"); + throw new PermissionDeniedException( + "Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() + " as it's no longer active"); } } else { // idList is not used anywhere, so removed it now @@ -2611,9 +2604,8 @@ public Long finalyzeAccountId(final String accountName, final Long domainId, fin if (!enabledOnly || project.getState() == Project.State.Active) { return project.getProjectAccountId(); } else { - final PermissionDeniedException ex = - new PermissionDeniedException("Can't add resources to the project with specified projectId in state=" + project.getState() + - " as it's no longer active"); + final PermissionDeniedException ex = new PermissionDeniedException( + "Can't add resources to the project with specified projectId in state=" + project.getState() + " as it's no longer active"); ex.addProxyObject(project.getUuid(), "projectId"); throw ex; } @@ -2630,8 +2622,7 @@ public UserAccount getUserAccountById(Long userId) { } @Override - public void checkAccess(Account account, ServiceOffering so) - throws PermissionDeniedException { + public void checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(account, so)) { if (s_logger.isDebugEnabled()) { @@ -2646,8 +2637,7 @@ public void checkAccess(Account account, ServiceOffering so) } @Override - public void checkAccess(Account account, DiskOffering dof) - throws PermissionDeniedException { + public void checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(account, dof)) { if (s_logger.isDebugEnabled()) { @@ -2662,11 +2652,10 @@ public void checkAccess(Account account, DiskOffering dof) } @Override - public void checkAccess(User user, ControlledEntity entity) - throws PermissionDeniedException { - for(SecurityChecker checker : _securityCheckers){ - if(checker.checkAccess(user,entity)){ - if(s_logger.isDebugEnabled()){ + public void checkAccess(User user, ControlledEntity entity) throws PermissionDeniedException { + for (SecurityChecker checker : _securityCheckers) { + if (checker.checkAccess(user, entity)) { + if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + user + "to " + entity + "by " + checker.getName()); } return; @@ -2682,6 +2671,6 @@ public String getConfigComponentName() { @Override public ConfigKey[] getConfigKeys() { - return new ConfigKey[]{UseSecretKeyInResponse}; + return new ConfigKey[] {UseSecretKeyInResponse}; } }