implementing registerIacTemplate API

Author: bernardodemarco

plugins/iac/nimble/src/main/java/org/apache/cloudstack/api/command/RegisterIacTemplateCmd.java

@@ -21,10 +21,8 @@
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiArgValidator;
 import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.api.response.IacTemplateResponse;
@@ -34,6 +32,7 @@
 import org.apache.cloudstack.service.NimbleService;
 
 import javax.inject.Inject;
+import java.util.ArrayList;
 import java.util.List;
 
 @APICommand(name = "registerIacTemplate",
@@ -51,19 +50,19 @@ public class RegisterIacTemplateCmd extends BaseCmd {
     @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "Description of the IaC template.")
     private String description;
 
-    @Parameter(name = ApiConstants.IAC_TEMPLATE_CONTENT, type = CommandType.STRING, length = 65535, 
+    @Parameter(name = ApiConstants.IAC_TEMPLATE_CONTENT, type = CommandType.STRING, length = 65535,
             description = "Content of the IaC template.", required = true, validations = {ApiArgValidator.NotNullOrEmpty})
     private String iacTemplateContent;
 
-    @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, entityType = DomainResponse.class, 
+    @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, entityType = DomainResponse.class,
             description = "ID of the domain associated with the IaC template. It must be used along with the \"account\" parameter.")
     private Long domainId;
 
-    @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, 
+    @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING,
             description = "Name of the account that will own the IaC template. It must be used along with the \"domainid\" parameter.")
     private String accountName;
 
-    @Parameter(name = ApiConstants.PROJECT_ID, type = CommandType.UUID, entityType = ProjectResponse.class, 
+    @Parameter(name = ApiConstants.PROJECT_ID, type = CommandType.UUID, entityType = ProjectResponse.class,
             description = "ID of the project that will own the IaC template. Mutually exclusive with the \"account\" parameter.")
     private Long projectId;
 
@@ -107,15 +106,28 @@ public Long getProjectId() {
         return projectId;
     }
 
+    public boolean isTemplateShared() {
+        return sharedDomainIds != null || sharedAccountIds != null || sharedProjectIds != null;
+    }
+
     public List<Long> getSharedDomainIds() {
+        if (sharedDomainIds == null) {
+            return new ArrayList<>();
+        }
         return sharedDomainIds;
     }
 
     public List<Long> getSharedAccountIds() {
+        if (sharedAccountIds == null) {
+            return new ArrayList<>();
+        }
         return sharedAccountIds;
     }
 
     public List<Long> getSharedProjectIds() {
+        if (sharedProjectIds == null) {
+            return new ArrayList<>();
+        }
         return sharedProjectIds;
     }
 

plugins/iac/nimble/src/main/java/org/apache/cloudstack/api/response/NimbleResponseBuilder.java

@@ -73,6 +73,7 @@ public IacTemplateResponse createIacTemplateResponse(IacTemplate iacTemplate, bo
         Account owner = ApiDBUtils.findAccountById(iacTemplate.getAccountId());
         populateIacTemplateOwnerFields(response, caller, owner);
         populateIacTemplateSharedEntitiesFields(response, iacTemplate, caller, owner);
+
         response.setObjectName("iactemplates");
         return response;
     }
@@ -95,36 +96,32 @@ private void populateIacTemplateOwnerFields(IacTemplateResponse response, Accoun
             return;
         }
 
+        Domain domain = ApiDBUtils.findDomainById(owner.getDomainId());
+        if (domain != null) {
+            response.setDomainId(domain.getUuid());
+            response.setDomainName(domain.getName());
+            response.setDomainPath(domain.getPath());
+        }
+
         if (owner.getType() == Account.Type.PROJECT) {
             Project project = ApiDBUtils.findProjectByProjectAccountIdIncludingRemoved(owner.getId());
-            response.setProjectId(project.getUuid());
-            response.setProjectName(project.getName());
+            if (project != null) {
+                response.setProjectId(project.getUuid());
+                response.setProjectName(project.getName());
+            }
         } else {
             response.setAccountName(owner.getAccountName());
             response.setAccountId(owner.getUuid());
         }
     }
 
     private void populateIacTemplateSharedEntitiesFields(IacTemplateResponse response, IacTemplate iacTemplate, Account caller, Account owner) {
-        boolean isCallerAdmin = accountService.isAdmin(caller.getId());
-        boolean isCallerTheIacTemplateOwner = caller.getId() == owner.getId();
-        if (!isCallerAdmin && !isCallerTheIacTemplateOwner) {
-            return;
+        if (verifyCallerAccessToIacTemplateOwner(caller, owner)) {
+            response.setSharedDomains(getSharedDomainResponses(iacTemplate.getDomainMappings()));
+            Pair<List<IacTemplateResponse.SharedAccountResponse>, List<IacTemplateResponse.SharedProjectResponse>> sharedAccountAndProjectResponses = getSharedAccountAndProjectResponses(iacTemplate.getAccountMappings());
+            response.setSharedAccounts(sharedAccountAndProjectResponses.first());
+            response.setSharedProjects(sharedAccountAndProjectResponses.second());
         }
-
-        if (isCallerAdmin && !accountService.isRootAdmin(caller.getId())) {
-            try {
-                accountService.checkAccess(caller, null, false, owner);
-            } catch (PermissionDeniedException e) {
-                return;
-            }
-        }
-
-//        the above validation workflow could maybe be tranfered to the access check method
-        response.setSharedDomains(getSharedDomainResponses(iacTemplate.getDomainMappings()));
-        Pair<List<IacTemplateResponse.SharedAccountResponse>, List<IacTemplateResponse.SharedProjectResponse>> sharedAccountAndProjectResponses = getSharedAccountAndProjectResponses(iacTemplate.getAccountMappings());
-        response.setSharedAccounts(sharedAccountAndProjectResponses.first());
-        response.setSharedProjects(sharedAccountAndProjectResponses.second());
     }
 
     private List<IacTemplateResponse.SharedDomainResponse> getSharedDomainResponses(List<IacTemplateDomainMapVO> domainMappings) {

plugins/iac/nimble/src/main/java/org/apache/cloudstack/persistence/iactemplates/IacTemplateAccountMapVO.java

@@ -29,6 +29,9 @@ public class IacTemplateAccountMapVO {
     @Column(name = "account_id", nullable = false)
     private long accountId;
 
+    public IacTemplateAccountMapVO() {
+    }
+
     public IacTemplateAccountMapVO(long iacTemplateId, long accountId) {
         this.iacTemplateId = iacTemplateId;
         this.accountId = accountId;

plugins/iac/nimble/src/main/java/org/apache/cloudstack/persistence/iactemplates/IacTemplateDomainMapVO.java

@@ -29,6 +29,9 @@ public class IacTemplateDomainMapVO {
     @Column(name = "domain_id", nullable = false)
     private long domainId;
 
+    public IacTemplateDomainMapVO() {
+    }
+
     public IacTemplateDomainMapVO(long iacTemplateId, long domainId) {
         this.iacTemplateId = iacTemplateId;
         this.domainId = domainId;

plugins/iac/nimble/src/main/java/org/apache/cloudstack/persistence/iactemplates/IacTemplateVO.java

@@ -27,6 +27,7 @@
 import javax.persistence.Temporal;
 import javax.persistence.TemporalType;
 import javax.persistence.Transient;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import java.util.UUID;
@@ -69,10 +70,13 @@ public class IacTemplateVO implements IacTemplate {
     private Date removed;
 
     @Transient
-    private List<IacTemplateAccountMapVO> accountMappings;
+    private List<IacTemplateAccountMapVO> accountMappings = new ArrayList<>();
 
     @Transient
-    private List<IacTemplateDomainMapVO> domainMappings;
+    private List<IacTemplateDomainMapVO> domainMappings = new ArrayList<>();
+
+    public IacTemplateVO() {
+    }
 
     public IacTemplateVO(String name, String description, String iacTemplateContent, boolean recursiveDomains, long domainId, long accountId) {
         this.name = name;

plugins/iac/nimble/src/main/java/org/apache/cloudstack/service/NimbleManagerImpl.java

@@ -49,7 +49,6 @@
 import org.apache.cloudstack.persistence.iactemplatesprofile.IacResourceTypeDao;
 import org.apache.cloudstack.persistence.iactemplatesprofile.IacResourceTypeVO;
 import org.apache.cloudstack.tosca.orchestrator.ToscaOrchestrator;
-import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.ObjectUtils;
 
 import javax.inject.Inject;
@@ -117,46 +116,81 @@ private boolean doesUserHaveAccessToNodeTypeApis(Pair<String, String> nodeTypeAp
     @Override
     public IacTemplateResponse registerIacTemplate(RegisterIacTemplateCmd cmd) {
         Account owner = accountService.getActiveAccountById(cmd.getEntityOwnerId());
-        validateAccessToIacTemplateSharingEntities(owner, cmd);
+        boolean isTemplateOwnerAdmin = accountService.isAdmin(owner.getId());
+        if (!isTemplateOwnerAdmin) {
+            if (cmd.isRecursiveDomains()) {
+                throw new InvalidParameterValueException(String.format("An IaC template owned by [%s] cannot be shared recursively across different domains.", owner.getAccountName()));
+            }
+
+            if (cmd.isTemplateShared()) {
+                throw new InvalidParameterValueException(String.format("Account [%s] does not have permission to share IaC template with other entities.", owner.getAccountName()));
+            }
+        }
+
+//        validateAccessToIacTemplateSharingEntities(owner, cmd);
         toscaOrchestrator.parseServiceTemplate(cmd.getIacTemplateContent());
 
         IacTemplate iacTemplate = persistIacTemplate(cmd, owner);
         if (iacTemplate == null) {
             throw new CloudRuntimeException("Unable to register IaC template.");
         }
-        return responseBuilder.createIacTemplateResponse(iacTemplate, true);
+        return responseBuilder.createIacTemplateResponse(iacTemplate, false);
     }
 
     private IacTemplate persistIacTemplate(RegisterIacTemplateCmd cmd, Account owner) {
         IacTemplateVO iacTemplate = new IacTemplateVO(cmd.getName(), cmd.getDescription(), cmd.getIacTemplateContent(),
                 cmd.isRecursiveDomains(), owner.getDomainId(), owner.getAccountId());
         return Transaction.execute((TransactionCallback<IacTemplate>) (status) -> {
             IacTemplateVO persistedTemplate = iacTemplateDao.persist(iacTemplate);
-            List<IacTemplateDomainMapVO> domainMappings = cmd.getSharedDomainIds().stream()
-                    .map(domainId -> iacTemplateDomainMapDao.persist(new IacTemplateDomainMapVO(persistedTemplate.getId(), domainId)))
-                    .collect(Collectors.toList());
-            List<IacTemplateAccountMapVO> accountMappings = cmd.getSharedAccountIds().stream()
-                    .map(accountId -> iacTemplateAccountMapDao.persist(new IacTemplateAccountMapVO(persistedTemplate.getId(), accountId)))
-                    .collect(Collectors.toList());
+            List<IacTemplateDomainMapVO> domainMappings = persistDomainMappings(cmd.getSharedDomainIds(), persistedTemplate.getId());
+            List<IacTemplateAccountMapVO> accountMappings = persistAccountMappings(cmd.getSharedAccountIds(), cmd.getSharedProjectIds(), persistedTemplate.getId(), owner);
             persistedTemplate.setDomainMappings(domainMappings);
             persistedTemplate.setAccountMappings(accountMappings);
             return persistedTemplate;
         });
     }
 
-    protected void validateAccessToIacTemplateSharingEntities(Account owner, RegisterIacTemplateCmd cmd) {
-        boolean isTemplateOwnerAdmin = accountService.isAdmin(owner.getId());
-        if (!isTemplateOwnerAdmin) {
-            if (cmd.isRecursiveDomains()) {
-                throw new InvalidParameterValueException(String.format("An IaC template owned by [%s] cannot be shared recursively across different domains.", owner.getAccountName()));
+    private List<IacTemplateAccountMapVO> persistAccountMappings(List<Long> sharedAccountIds, List<Long> sharedProjectIds, long iacTemplateId, Account iacTemplateOwner) {
+        List<IacTemplateAccountMapVO> accountMappings = new ArrayList<>();
+
+        for (Long accountId : sharedAccountIds) {
+            Account account = accountService.getActiveAccountById(accountId);
+            if (account == null) {
+                throw new InvalidParameterValueException(String.format("Unable to find account with ID [%s].", accountId));
             }
+            accountService.checkAccess(iacTemplateOwner, null, false, account);
+            IacTemplateAccountMapVO accountMapping = new IacTemplateAccountMapVO(iacTemplateId, accountId);
+            iacTemplateAccountMapDao.persist(accountMapping);
+            accountMappings.add(accountMapping);
+        }
 
-            if (CollectionUtils.isNotEmpty(cmd.getSharedDomainIds()) || CollectionUtils.isNotEmpty(cmd.getSharedAccountIds())
-                    || CollectionUtils.isNotEmpty(cmd.getSharedProjectIds())) {
-                throw new InvalidParameterValueException(String.format("Account [%s] does not have permission to share IaC template with other entities.", owner.getAccountName()));
+        for (Long projectId : sharedProjectIds) {
+            Project project = projectManager.getProject(projectId);
+            if (project == null) {
+                throw new InvalidParameterValueException(String.format("Unable to find project with ID [%s].", projectId));
             }
+            if (!projectManager.canAccessProjectAccount(iacTemplateOwner, project.getProjectAccountId())) {
+                throw new InvalidParameterValueException(String.format("Account [%s] does not have permission to share IaC template with project [%s].", iacTemplateOwner.getAccountName(), project.getName()));
+            }
+            IacTemplateAccountMapVO accountMapping = new IacTemplateAccountMapVO(iacTemplateId, project.getProjectAccountId());
+            iacTemplateAccountMapDao.persist(accountMapping);
+            accountMappings.add(accountMapping);
         }
 
+        return accountMappings;
+    }
+
+    private List<IacTemplateDomainMapVO> persistDomainMappings(List<Long> sharedDomainIds, long iacTemplateId) {
+        return sharedDomainIds.stream()
+                .map(domainId -> {
+                    IacTemplateDomainMapVO domainMapping = new IacTemplateDomainMapVO(iacTemplateId, domainId);
+                    iacTemplateDomainMapDao.persist(domainMapping);
+                    return domainMapping;
+                }).collect(Collectors.toList());
+    }
+
+    protected void validateAccessToIacTemplateSharingEntities(Account owner, RegisterIacTemplateCmd cmd) {
+
         cmd.getSharedDomainIds().forEach(domainId -> {
             Domain domain = domainManager.getDomain(domainId);
             if (domain == null) {
@@ -210,7 +244,7 @@ public List<Class<?>> getCommands() {
         if (!NimbleServiceEnabled.value()) {
             return commands;
         }
-        return List.of(ListIacResourceTypesCmd.class, DeployIacTemplateCmd.class);
+        return List.of(ListIacResourceTypesCmd.class, RegisterIacTemplateCmd.class, DeployIacTemplateCmd.class);
     }
 
     @Override