start implementation of implicit rules

Author: bernardodemarco

api/src/main/java/org/apache/cloudstack/acl/APIChecker.java

@@ -44,4 +44,5 @@ public interface APIChecker extends Adapter {
      */
     List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException;
     boolean isEnabled();
+    List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType);
 }

api/src/main/java/org/apache/cloudstack/acl/RoleService.java

@@ -104,7 +104,7 @@ public interface RoleService {
 
     List<RolePermission> findAllPermissionsBy(Long roleId);
 
-    List<RolePermissionEntity> findAllRolePermissionsEntityBy(Long roleId);
+    List<RolePermissionEntity> findAllRolePermissionsEntityBy(Long roleId, boolean considerImplicitRules);
 
     Permission getRolePermission(String permission);
 

engine/schema/src/main/java/org/apache/cloudstack/acl/RolePermissionBaseVO.java

@@ -50,6 +50,12 @@ public class RolePermissionBaseVO implements RolePermissionEntity {
 
     public RolePermissionBaseVO() { this.uuid = UUID.randomUUID().toString(); }
 
+    public RolePermissionBaseVO(final String rule, final Permission permission) {
+        this();
+        this.rule = rule;
+        this.permission = permission;
+    }
+
     public RolePermissionBaseVO(final String rule, final Permission permission, final String description) {
         this();
         this.rule = rule;

plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java

@@ -50,7 +50,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
     private RoleService roleService;
 
     private List<PluggableService> services;
-    private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
+    private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new HashMap<>();
 
     private LazyCache<Long, Account> accountCache;
     private LazyCache<Long, Pair<Role, List<RolePermission>>> rolePermissionsCache;
@@ -59,7 +59,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
     protected DynamicRoleBasedAPIAccessChecker() {
         super();
         for (RoleType roleType : RoleType.values()) {
-            annotationRoleBasedApisMap.put(roleType, new HashSet<String>());
+            annotationRoleBasedApisMap.put(roleType, new HashSet<>());
         }
     }
 
@@ -206,6 +206,14 @@ public List<RolePermissionEntity> defineNewKeypairRules(Role accountRole, ApiKey
         return allPermissions;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return annotationRoleBasedApisMap.get(roleType)
+                .stream()
+                .map(implicitApi -> new RolePermissionBaseVO(implicitApi, Permission.ALLOW))
+                .collect(Collectors.toList());
+    }
+
     /**
      * Only one strategy should be used between StaticRoleBasedAPIAccessChecker and DynamicRoleBasedAPIAccessChecker
      * Default behavior is to use the Dynamic version. The StaticRoleBasedAPIAccessChecker is the legacy version.

plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java

@@ -183,6 +183,11 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
         return true;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     @Override
     public boolean start() {
         return super.start();

plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java

@@ -164,6 +164,11 @@ public boolean start() {
         return super.start();
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     private void processMapping(Map<String, String> configMap) {
         for (Map.Entry<String, String> entry : configMap.entrySet()) {
             String apiName = entry.getKey();

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java

@@ -338,15 +338,16 @@ public List<Class<?>> getCommands() {
 
     protected List<ApiDiscoveryResponse> listApisForKeyPair(String apiKey, String apiName, Account account, User user, Role role, List<String> apisAllowed) {
         ApiKeyPair keyPair = accountService.getKeyPairByApiKey(apiKey);
-        List<RolePermissionEntity> rolePermissionEntities = apiKeyPairService.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId()).stream()
-                .map(apiKeyPairPermission -> (RolePermissionEntity) apiKeyPairPermission).collect(Collectors.toList());
+        List<RolePermissionEntity> keyPairPermissions = apiKeyPairService.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId()).stream()
+                .map(apiKeyPairPermission -> (RolePermissionEntity) apiKeyPairPermission)
+                .collect(Collectors.toList());
 
         List<String> filteredApis = new ArrayList<>();
-        if (apiName != null && isApiAllowedForKey(rolePermissionEntities, apiName)) {
+        if (apiName != null && isApiAllowedForKey(keyPairPermissions, apiName)) {
             filteredApis = List.of(apiName);
         } else {
             for (String api : apisAllowed) {
-                if (isApiAllowedForKey(rolePermissionEntities, api)) {
+                if (isApiAllowedForKey(keyPairPermissions, api)) {
                     filteredApis.add(api);
                 }
             }

plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java

@@ -27,6 +27,8 @@
 import net.sf.ehcache.CacheManager;
 
 import org.apache.cloudstack.acl.Role;
+import org.apache.cloudstack.acl.RolePermissionEntity;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.springframework.stereotype.Component;
@@ -208,6 +210,11 @@ public boolean hasApiRateLimitBeenExceeded(Long accountId) {
         return true;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     @Override
     public boolean isEnabled() {
         if (!enabled) {

server/src/main/java/com/cloud/api/ApiServer.java

@@ -1106,7 +1106,7 @@ public boolean verifyRequest(final Map<String, Object[]> requestParameters, fina
             }
 
             if (!commandAvailable(remoteAddress, commandName, user)) {
-                return false;
+                return false;// remove this one, not required, does not need to check against rules role here
             }
 
             if (keyPair.getRemoved() != null) {
@@ -1141,9 +1141,8 @@ public boolean verifyRequest(final Map<String, Object[]> requestParameters, fina
             CallContext.register(user, account);
 
             List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());
-
             if (commandAvailable(remoteAddress, commandName, user, keyPairPermissions.toArray(new ApiKeyPairPermission[0]))) {
-                logger.info(String.format("API accessed through API KeyPair. API Key: [%s]", keyPair.getApiKey()));
+                logger.info("API accessed through API KeyPair. API Key: [{}]", keyPair.getApiKey());
                 return true;
             }
         } catch (final ServerApiException ex) {

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -3168,17 +3168,17 @@ public ListResponse<ApiKeyPairResponse> listKeys(ListUserKeysCmd cmd) {
         List<ApiKeyPairResponse> responses = new ArrayList<>();
 
         if (cmd.getKeyId() != null || cmd.getApiKeyFilter() != null) {
-            fetchOnlyOneKeypair(responses, cmd);
+            fetchOnlyOneKeyPair(responses, cmd);
             finalResponse.setResponses(responses);
             return finalResponse;
         }
 
-        Integer total = fetchMultipleKeypairs(responses, cmd);
+        Integer total = fetchMultipleKeyPairs(responses, cmd);
         finalResponse.setResponses(responses, total);
         return finalResponse;
     }
 
-    private void fetchOnlyOneKeypair(List<ApiKeyPairResponse> responses, ListUserKeysCmd cmd) {
+    private void fetchOnlyOneKeyPair(List<ApiKeyPairResponse> responses, ListUserKeysCmd cmd) {
         ApiKeyPair keyPair;
         if (cmd.getKeyId() != null) {
             keyPair = _accountService.getKeyPairById(cmd.getKeyId());
@@ -3188,14 +3188,13 @@ private void fetchOnlyOneKeypair(List<ApiKeyPairResponse> responses, ListUserKey
 
         validateKeyPairIsNotNull(keyPair);
         validateAccessingKeyPairPermissionsIsSupersetOfAccessedKeyPair(keyPair, cmd);
-
         _accountService.validateCallingUserHasAccessToDesiredUser(keyPair.getUserId());
-        markExpiredKeysWithStateExpired(keyPair);
+        removeApiKeyPairIfExpired(keyPair);
 
         addKeypairResponse(keyPair, responses, cmd);
     }
 
-    private Integer fetchMultipleKeypairs(List<ApiKeyPairResponse> responses, ListUserKeysCmd cmd) {
+    private Integer fetchMultipleKeyPairs(List<ApiKeyPairResponse> responses, ListUserKeysCmd cmd) {
         List<Long> users;
         if (cmd.getUserId() != null) {
             _accountService.validateCallingUserHasAccessToDesiredUser(cmd.getUserId());
@@ -3210,7 +3209,7 @@ private Integer fetchMultipleKeypairs(List<ApiKeyPairResponse> responses, ListUs
                 .filter(keyPair -> isAccessingKeypairSuperset(keyPair, cmd))
                 .forEach(keyPair -> {
                     addKeypairResponse(keyPair, responses, cmd);
-                    markExpiredKeysWithStateExpired(keyPair);
+                    removeApiKeyPairIfExpired(keyPair);
                 });
 
         return keyPairs.second();
@@ -3281,7 +3280,7 @@ private Boolean isApiKeySupersetOfPermission(List<RolePermissionEntity> baseKeyP
         return roleService.roleHasPermission(apiNameToBaseKeyPermissions, comparedPermissions);
     }
 
-    private void markExpiredKeysWithStateExpired(ApiKeyPair apiKeyPair) {
+    private void removeApiKeyPairIfExpired(ApiKeyPair apiKeyPair) {
         if (apiKeyPair.hasEndDatePassed()) {
             internalDeleteApiKey(apiKeyPair);
         }
@@ -3406,7 +3405,7 @@ public ApiKeyPair createApiKeyAndSecretKey(RegisterUserKeysCmd cmd) {
         Account caller = getCurrentCallingAccount();
         User user = _userDao.findById(cmd.getUserId());
         if (user == null) {
-            throw new InvalidParameterValueException(String.format("Unable to find user by id: %d", cmd.getUserId()));
+            throw new InvalidParameterValueException(String.format("Unable to find user by ID: %d", cmd.getUserId()));
         }
 
         final String name = cmd.getName();
@@ -3415,32 +3414,29 @@ public ApiKeyPair createApiKeyAndSecretKey(RegisterUserKeysCmd cmd) {
         final Date startDate = cmd.getStartDate();
         final Date endDate = cmd.getEndDate();
         final List<Map<String, Object>> rules = cmd.getRules();
-        final RegisterUserKeysCmd registerCmd = cmd;
 
         Account account = _accountDao.findById(user.getAccountId());
         checkAccess(caller, null, true, account);
         verifyCallerPrivilegeForUserOrAccountOperations(user);
 
-        // don't allow baremetal or system user
         if (BaremetalUtils.BAREMETAL_SYSTEM_ACCOUNT_NAME.equals(user.getUsername()) || user.getId() == User.UID_SYSTEM) {
-            throw new PermissionDeniedException(String.format("User id: [%s] is system account, update is not allowed.", user.getId()));
+            throw new PermissionDeniedException(String.format("User ID: [%s] is a system account and, thus, the operation is not allowed.", user.getId()));
         }
 
         Date now = DateTime.now().toDate();
 
         if (endDate != null && endDate.compareTo(now) <= 0) {
-            throw new InvalidParameterValueException("Keypair cannot be created with expired date, please input a date on the future.");
+            throw new InvalidParameterValueException("Keypair cannot be created with expired date, please input a date in the future.");
         }
         if (ObjectUtils.allNotNull(startDate, endDate) && startDate.compareTo(endDate) > -1) {
             throw new InvalidParameterValueException("Please specify an end date that is after the start date.");
         }
 
-        // generate both an api key and a secret key, return the keypair to the user
         final ApiKeyPairVO newApiKeyPair = new ApiKeyPairVO(name, userId, description, startDate, endDate, account);
         return Transaction.execute((TransactionCallback<ApiKeyPairVO>) status -> {
             createUserApiKey(userId, newApiKeyPair);
             createUserSecretKey(userId, newApiKeyPair);
-            return validateAndPersistKeyPairAndPermissions(account, newApiKeyPair, rules, registerCmd);
+            return validateAndPersistKeyPairAndPermissions(account, newApiKeyPair, rules, cmd);
         });
     }
 
@@ -3486,28 +3482,22 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
     @DB
     private ApiKeyPairVO validateAndPersistKeyPairAndPermissions(Account account, ApiKeyPairVO newApiKeyPair,
                                                                  List<Map<String, Object>> rules, RegisterUserKeysCmd cmd) {
-        // this is only used to determine if we should use api key permissions or account permissions to base our new key on
         String accessingApiKey = getAccessingApiKey(cmd);
         final Role accountRole = roleService.findRole(account.getRoleId());
+        List<RolePermissionEntity> allPermissions = accessingApiKey == null ?
+                roleService.findAllRolePermissionsEntityBy(accountRole.getId(), true) : getAllKeypairPermissions(accessingApiKey);
 
-        List<RolePermissionEntity> allPermissions = accessingApiKey == null ? getAllAccountRolePermissions(accountRole) : getAllKeypairPermissions(accessingApiKey);
-        List<RolePermissionEntity> permissions;
-        if (CollectionUtils.isEmpty(rules)) {
-            permissions = allPermissions.stream()
-                    .map(permission -> new ApiKeyPairPermissionVO(0, permission.getRule().toString(), permission.getPermission(), permission.getDescription()))
-                    .collect(Collectors.toList());
-        } else {
-            permissions = new ArrayList<>();
-            for (Map<String, Object> ruleDetail : rules) {
-                String rule = ruleDetail.get(ApiConstants.RULE).toString();
-                RolePermission.Permission rulePermission = (RolePermission.Permission) ruleDetail.get(ApiConstants.PERMISSION);
-                String ruleDescription = (String) ruleDetail.get(ApiConstants.DESCRIPTION);
-                permissions.add(new ApiKeyPairPermissionVO(0, rule, rulePermission, ruleDescription));
-            }
-            if (!isApiKeySupersetOfPermission(allPermissions, permissions)) {
-                throw new InvalidParameterValueException(String.format("The keypair being created has a bigger set of permissions than the account [%s] that owns it. This is " +
-                        "not allowed.", account.getUuid()));
-            }
+        List<RolePermissionEntity> permissions = new ArrayList<>();
+        for (Map<String, Object> ruleDetail : rules) {
+            String rule = ruleDetail.get(ApiConstants.RULE).toString();
+            RolePermission.Permission rulePermission = (RolePermission.Permission) ruleDetail.get(ApiConstants.PERMISSION);
+            String ruleDescription = (String) ruleDetail.get(ApiConstants.DESCRIPTION);
+            permissions.add(new ApiKeyPairPermissionVO(0, rule, rulePermission, ruleDescription));
+        }
+
+        if (!isApiKeySupersetOfPermission(allPermissions, permissions)) {
+            throw new InvalidParameterValueException(String.format("The keypair being created has a bigger set of permissions than the account [%s] that owns it. This is " +
+                    "not allowed.", account.getUuid()));
         }
 
         ApiKeyPairVO savedApiKeyPair = apiKeyPairDao.persist(newApiKeyPair);
@@ -3519,16 +3509,6 @@ private ApiKeyPairVO validateAndPersistKeyPairAndPermissions(Account account, Ap
         return savedApiKeyPair;
     }
 
-    /**
-     * Gets all account role permissions
-     * @param accountRole base account role of the user.
-     */
-    private List<RolePermissionEntity> getAllAccountRolePermissions(Role accountRole) {
-        List<RolePermission> allAccountRolePermissions = roleService.findAllPermissionsBy(accountRole.getId());
-        return allAccountRolePermissions.stream().map(permission -> (RolePermissionEntity) permission)
-                .collect(Collectors.toList());
-    }
-
     /**
      * Gets all API keypair permissions for the given apiKey
      */
@@ -3539,7 +3519,8 @@ private List<RolePermissionEntity> getAllKeypairPermissions(String apiKey) {
         ApiKeyPair apiKeyPair = keyPairManager.findByApiKey(apiKey);
         Account account = _accountDao.findById(apiKeyPair.getAccountId());
         List<ApiKeyPairPermission> allApiKeyRolePermissions = keyPairManager.findAllPermissionsByKeyPairId(apiKeyPair.getId(), account.getRoleId());
-        return allApiKeyRolePermissions.stream().map(permission -> (RolePermissionEntity) permission)
+        return allApiKeyRolePermissions.stream()
+                .map(permission -> (RolePermissionEntity) permission)
                 .collect(Collectors.toList());
     }