consider implicit rules

Author: bernardodemarco

plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java

@@ -75,7 +75,7 @@ public List<String> getApisAllowedToUser(Role role, User user, List<String> apiN
 
         List<String> allowedApis = new ArrayList<>();
         for (String api : apiNames) {
-            if (checkApiPermissionByRole(role, api, allPermissionEntities, false)) {
+            if (checkApiPermissionByRole(role, api, allPermissionEntities)) {
                 allowedApis.add(api);
             }
         }
@@ -90,7 +90,7 @@ public List<String> getApisAllowedToUser(Role role, User user, List<String> apiN
      * @param allPermissions list of role permissions for the given role
      * @return if the role has the permission for the API
      */
-    public boolean checkApiPermissionByRole(Role role, String apiName, List<RolePermissionEntity> allPermissions, boolean keyPairOverride) {
+    public boolean checkApiPermissionByRole(Role role, String apiName, List<RolePermissionEntity> allPermissions) {
         for (RolePermissionEntity permission : allPermissions) {
             if (!permission.getRule().matches(apiName)) {
                 continue;
@@ -106,9 +106,19 @@ public boolean checkApiPermissionByRole(Role role, String apiName, List<RolePerm
             return true;
         }
 
-        return annotationRoleBasedApisMap.get(role.getRoleType()) != null &&
-                annotationRoleBasedApisMap.get(role.getRoleType()).contains(apiName) &&
-                !keyPairOverride;
+        return isApiImplicitlyAllowedForRoleType(role.getRoleType(), apiName);
+    }
+
+    /**
+     * Returns whether an API is implicitly allowed for a role type. Access to APIs can be
+     * implicitly managed through the {@link APICommand#authorized()} field of the {@link APICommand} annotation.
+     * @param roleType role type to check implicit API access.
+     * @param apiName the name of the API whose implicit access will be checked.
+     * @return whether the given API is implicitly allowed for the role type.
+     */
+    public boolean isApiImplicitlyAllowedForRoleType(RoleType roleType, String apiName) {
+        return annotationRoleBasedApisMap.get(roleType) != null &&
+                annotationRoleBasedApisMap.get(roleType).contains(apiName);
     }
 
     protected Account getAccountFromId(long accountId) {
@@ -143,67 +153,59 @@ protected Account getAccountFromIdUsingCache(long accountId) {
     }
 
     @Override
-    public boolean checkAccess(User user, String commandName, ApiKeyPairPermission ... apiKeyPairPermissions) throws PermissionDeniedException {
+    public boolean checkAccess(User user, String commandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException {
         if (!isEnabled()) {
             return true;
         }
         Account account = getAccountFromIdUsingCache(user.getAccountId());
         if (account == null) {
             throw new PermissionDeniedException(String.format("Account for user id [%s] cannot be found", user.getUuid()));
         }
-        Pair<Role, List<RolePermission>> roleAndPermissions = getRolePermissionsUsingCache(account.getRoleId());
-        final Role accountRole = roleAndPermissions.first();
-        if (accountRole == null) {
-            throw new PermissionDeniedException(String.format("Account role for user id [%s] cannot be found.", user.getUuid()));
-        }
-        if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
-            logger.info("Account for user id {} is Root Admin or Domain Admin, all APIs are allowed.", user.getUuid());
-            return true;
-        }
-
-        List<RolePermissionEntity> allRules = defineNewKeypairRules(accountRole, apiKeyPairPermissions);
-        boolean override = apiKeyPairPermissions.length != 0;
+        return checkApisPermissions(account, commandName, apiKeyPairPermissions);
+    }
 
-        if (checkApiPermissionByRole(accountRole, commandName, allRules, override)) {
-            return true;
-        }
-        throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account for user id [%s].", commandName, user.getUuid()));
+    @Override
+    public boolean checkAccess(Account account, String commandName, ApiKeyPairPermission... apiKeyPairPermissions) {
+        return checkApisPermissions(account, commandName, apiKeyPairPermissions);
     }
 
-    public boolean checkAccess(Account account, String commandName, ApiKeyPairPermission ... apiKeyPairPermissions) {
+    protected boolean checkApisPermissions(Account account, String commandName, ApiKeyPairPermission... apiKeyPairPermissions) {
         Pair<Role, List<RolePermission>> roleAndPermissions = getRolePermissionsUsingCache(account.getRoleId());
         final Role accountRole = roleAndPermissions.first();
         if (accountRole == null) {
-            throw new PermissionDeniedException(String.format("The account [%s] has role null or unknown.", account));
+            throw new PermissionDeniedException(String.format("The role of the account [%s] is null or unknown.", account));
         }
 
         if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId() && apiKeyPairPermissions.length == 0) {
-            if (logger.isTraceEnabled()) {
-                logger.trace(String.format("Account [%s] is Root Admin or Domain Admin, all APIs are allowed.", account));
-            }
+            logger.trace("Account [{}] is Root Admin and there are not API key pair permissions, so all APIs are allowed.", account);
             return true;
         }
 
-        List<RolePermissionEntity> allRules = defineNewKeypairRules(accountRole, apiKeyPairPermissions);
-
-        boolean override = apiKeyPairPermissions.length != 0;
-
-        if (checkApiPermissionByRole(accountRole, commandName, allRules, override)) {
+        List<RolePermissionEntity> allRules = getExplicitPermissions(accountRole, apiKeyPairPermissions);
+        if (checkApiPermissionByRole(accountRole, commandName, allRules)) {
             return true;
         }
         throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account %s.", commandName, account.getAccountName()));
     }
 
-    public List<RolePermissionEntity> defineNewKeypairRules(Role accountRole, ApiKeyPairPermission ... apiKeyPairPermissions) {
-        List<RolePermissionEntity> allPermissions;
-        if (apiKeyPairPermissions.length == 0) {
-            List<RolePermission> allRolePermissions = roleService.findAllPermissionsBy(accountRole.getId());
-            allPermissions = allRolePermissions.stream().map(permission -> (RolePermissionEntity) permission)
-                    .collect(Collectors.toList());
-        } else {
-            allPermissions = Arrays.asList(apiKeyPairPermissions);
+    /**
+     * Retrieves the explicit permissions associated with the caller. If
+     * the authentication was established via an API key pair, the permissions from the key pair
+     * will be returned. If not, then the caller's account role permissions will be considered.
+     * @param accountRole role of the account whose permissions will be retrieved
+     * @param apiKeyPairPermissions permissions of the API key pair that will be retrieved
+     * @return the permissions associated with the caller's account
+     */
+    protected List<RolePermissionEntity> getExplicitPermissions(Role accountRole, ApiKeyPairPermission... apiKeyPairPermissions) {
+        boolean retrieveRulesFromKeyPair = apiKeyPairPermissions.length > 0;
+        if (retrieveRulesFromKeyPair) {
+            return Arrays.asList(apiKeyPairPermissions);
         }
-        return allPermissions;
+
+        List<RolePermission> allRolePermissions = roleService.findAllPermissionsBy(accountRole.getId());
+        return allRolePermissions.stream()
+                .map(permission -> (RolePermissionEntity) permission)
+                .collect(Collectors.toList());
     }
 
     /**

plugins/api/discovery/pom.xml

@@ -45,6 +45,12 @@
             <version>${project.version}</version>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-plugin-acl-dynamic-role-based</artifactId>
+            <version>${project.version}</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
     <build>
         <plugins>

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java

@@ -31,6 +31,7 @@
 import javax.inject.Inject;
 
 import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.DynamicRoleBasedAPIAccessChecker;
 import org.apache.cloudstack.acl.Role;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleType;
@@ -342,11 +343,11 @@ protected List<ApiDiscoveryResponse> listApisForKeyPair(String apiKey, String ap
                 .map(apiKeyPairPermission -> (RolePermissionEntity) apiKeyPairPermission).collect(Collectors.toList());
 
         List<String> filteredApis = new ArrayList<>();
-        if (apiName != null && isApiAllowedForKey(rolePermissionEntities, apiName)) {
+        if (apiName != null && isApiAllowedForKey(rolePermissionEntities, apiName, role.getRoleType())) {
             filteredApis = List.of(apiName);
         } else {
             for (String api : apisAllowed) {
-                if (isApiAllowedForKey(rolePermissionEntities, api)) {
+                if (isApiAllowedForKey(rolePermissionEntities, api, role.getRoleType())) {
                     filteredApis.add(api);
                 }
             }
@@ -357,14 +358,16 @@ protected List<ApiDiscoveryResponse> listApisForKeyPair(String apiKey, String ap
         return filteredApis.stream().map(api -> s_apiNameDiscoveryResponseMap.get(api)).collect(Collectors.toList());
     }
 
-    protected boolean isApiAllowedForKey(List<RolePermissionEntity> rolePermissionEntities, String apiName) {
+    protected boolean isApiAllowedForKey(List<RolePermissionEntity> rolePermissionEntities, String apiName, RoleType roleType) {
         for (RolePermissionEntity rolePermissionEntity : rolePermissionEntities) {
             if (!rolePermissionEntity.getRule().matches(apiName)) {
                 continue;
             }
             return rolePermissionEntity.getPermission().equals(RolePermissionEntity.Permission.ALLOW);
         }
-        return false;
+
+        DynamicRoleBasedAPIAccessChecker dynamicRoleBasedAPIAccessChecker = getDynamicRoleBasedAPIAccessChecker();
+        return dynamicRoleBasedAPIAccessChecker != null && dynamicRoleBasedAPIAccessChecker.isApiImplicitlyAllowedForRoleType(roleType, apiName);
     }
 
     private void checkRateLimit(User user, Role role, List<String> apiNames) {
@@ -377,6 +380,15 @@ private void checkRateLimit(User user, Role role, List<String> apiNames) {
         }
     }
 
+    private DynamicRoleBasedAPIAccessChecker getDynamicRoleBasedAPIAccessChecker() {
+        for (APIChecker apiChecker : _apiAccessCheckers) {
+            if (apiChecker instanceof DynamicRoleBasedAPIAccessChecker) {
+                return (DynamicRoleBasedAPIAccessChecker) apiChecker;
+            }
+        }
+        return null;
+    }
+
     public List<APIChecker> getApiAccessCheckers() {
         return _apiAccessCheckers;
     }

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -3511,7 +3511,7 @@ private ApiKeyPairVO validateAndPersistKeyPairAndPermissions(Account account, Ap
         permissions.forEach(permission -> {
             ApiKeyPairPermissionVO permissionVO = (ApiKeyPairPermissionVO) permission;
             permissionVO.setApiKeyPairId(savedApiKeyPair.getId());
-                apiKeyPairPermissionsDao.persist(permissionVO);
+            apiKeyPairPermissionsDao.persist(permissionVO);
         });
         return savedApiKeyPair;
     }