fixes in the listIacTemplates API

bernardodemarco · bernardodemarco · commit 7cac162ff732 · 2026-05-15T22:58:43.000-03:00
diff --git a/plugins/iac/nimble/src/main/java/org/apache/cloudstack/api/command/ListIacTemplatesCmd.java b/plugins/iac/nimble/src/main/java/org/apache/cloudstack/api/command/ListIacTemplatesCmd.java
@@ -24,7 +24,6 @@ public class ListIacTemplatesCmd extends BaseListCmd {
     @Inject
     private NimbleService nimbleService;
 
-    @ACL
     @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IacTemplateResponse.class, description = "ID of the IaC template.")
     private Long id;
 
@@ -87,13 +86,6 @@ public boolean isShowSharedIacTemplates() {
 
     @Override
     public long getEntityOwnerId() {
-        if (getId() != null) {
-            IacTemplate iacTemplate = nimbleService.findIacTemplateById(id);
-            if (iacTemplate != null) {
-                return iacTemplate.getAccountId();
-            }
-        }
-
         if (getAccountId() != null) {
             return getAccountId();
         }
diff --git a/plugins/iac/nimble/src/main/java/org/apache/cloudstack/service/NimbleManagerImpl.java b/plugins/iac/nimble/src/main/java/org/apache/cloudstack/service/NimbleManagerImpl.java
@@ -121,7 +121,11 @@ public ListResponse<IacResourceTypeResponse> listIacResourceTypes(ListIacResourc
 
     @Override
     public ListResponse<IacTemplateResponse> listIacTemplates(ListIacTemplatesCmd cmd) {
-        Account caller = CallContext.current().getCallingAccount();
+        CallContext currentCallContext = CallContext.current();
+        Account caller = currentCallContext.getCallingAccount();
+        if (cmd.getId() != null) {
+            checkCallerAccessToIacTemplate(currentCallContext, cmd.getId());
+        }
         long domainId = getBaseDomainIdToListIacTemplatesFrom(cmd.getDomainId(), caller);
         List<Long> domainIds = cmd.isRecursive() ? domainDao.getDomainAndChildrenIds(domainId) : List.of(domainId);
         Long accountId = getAccountIdToListIacTemplatesFor(cmd.getAccountId(), cmd.getProjectId(), caller);
@@ -138,6 +142,35 @@ public ListResponse<IacTemplateResponse> listIacTemplates(ListIacTemplatesCmd cm
         return response;
     }
 
+    private void checkCallerAccessToIacTemplate(CallContext callContext, long iacTemplateId) {
+        IacTemplateVO iacTemplate = iacTemplateDao.findById(iacTemplateId);
+        if (iacTemplate == null) {
+            throw new InvalidParameterValueException("Unable to find IaC template with the specified ID.");
+        }
+
+        boolean hasAccess = false;
+        Account iacTemplateOwner = accountService.getActiveAccountById(iacTemplate.getAccountId());
+        if (iacTemplateOwner != null) {
+            try {
+                accountService.checkAccess(callContext.getCallingUser(), iacTemplateOwner);
+                hasAccess = true;
+            } catch (PermissionDeniedException ignored) {}
+        }
+
+        Account caller = callContext.getCallingAccount();
+        boolean isIacTemplateSharedWithCallingAccount = iacTemplate.getAccountMappings()
+                .stream().anyMatch((accountMap) -> accountMap.getAccountId() == caller.getId());
+        boolean isIacTemplateSharedWithCallingAccountDomain = iacTemplate.getDomainMappings()
+                .stream().anyMatch((domainMap) -> domainMap.getDomainId() == caller.getDomainId());
+        if (isIacTemplateSharedWithCallingAccount || isIacTemplateSharedWithCallingAccountDomain) {
+            hasAccess = true;
+        }
+
+        if (!hasAccess) {
+            throw new PermissionDeniedException(String.format("Account [%s] does not have permission to operate over the requested IaC template.", caller.getAccountName()));
+        }
+    }
+
     Set<Long> getListOfSharedIacTemplatesIds(long domainId, Long accountId) {
         Set<Long> sharedIacTemplateIds = new HashSet<>();
         iacTemplateAccountMapDao.listByAccountId(accountId)
@@ -295,7 +328,8 @@ private IacTemplate persistIacTemplate(BaseIacTemplateRegistrationCmd cmd, Accou
                 if (iacTemplateUpdate) {
                     iacTemplateDomainMapDao.removeByIacTemplateId(iacTemplate.getId());
                 }
-                Set<Long> sharedDomainIds = cmd.isRecursiveDomains() ? getSharedDomainIdsRecursively(cmd.getSharedDomainIds()) : cmd.getSharedDomainIds();
+                Set<Long> sharedDomainIds = BooleanUtils.toBoolean(cmd.isRecursiveDomains()) ?
+                        getSharedDomainIdsRecursively(cmd.getSharedDomainIds()) : cmd.getSharedDomainIds();
                 persistDomainMappings(sharedDomainIds, persistedTemplate.getId(), owner);
             }
 
@@ -411,6 +445,7 @@ public IacTemplate findIacTemplateById(Long id) {
 
     @Override
     public void cleanUpAccountIacTemplates(long accountId) {
+        // not cleaning up relationships here?
         iacTemplateDao.removeByAccountId(accountId);
     }
 
