initial commit for multi-role and oidc support

Author: Rene Glover

.gitignore

@@ -100,6 +100,14 @@ unittest
 venv
 waf-*
 
+# Developer environment (generated by make init)
+developer/db.properties
+developer/log4j-cloud.xml
+developer/logs/
+developer/.server.pid
+developer/.ui.pid
+.github/copilot-instructions.md
+
 # this ignores _all files starting with '.'. Don't do that!
 #.*
 

Makefile

@@ -19,7 +19,9 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import org.apache.cloudstack.acl.ProjectRoleClaimBinding;
 import org.apache.cloudstack.acl.Role;
+import org.apache.cloudstack.acl.RoleClaimBinding;
 import org.apache.cloudstack.acl.RolePermission;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.annotation.Annotation;
@@ -254,9 +256,24 @@ public class EventTypes {
     public static final String EVENT_ROLE_IMPORT = "ROLE.IMPORT";
     public static final String EVENT_ROLE_ENABLE = "ROLE.ENABLE";
     public static final String EVENT_ROLE_DISABLE = "ROLE.DISABLE";
+
+    // OIDC Provider events
+    public static final String EVENT_OIDC_PROVIDER_CREATE = "OIDC.PROVIDER.CREATE";
+    public static final String EVENT_OIDC_PROVIDER_UPDATE = "OIDC.PROVIDER.UPDATE";
+    public static final String EVENT_OIDC_PROVIDER_DELETE = "OIDC.PROVIDER.DELETE";
+    public static final String EVENT_OIDC_PROVIDER_ENABLE = "OIDC.PROVIDER.ENABLE";
+    public static final String EVENT_OIDC_PROVIDER_DISABLE = "OIDC.PROVIDER.DISABLE";
+    public static final String EVENT_OIDC_PROVIDER_TEST = "OIDC.PROVIDER.TEST";
     public static final String EVENT_ROLE_PERMISSION_CREATE = "ROLE.PERMISSION.CREATE";
     public static final String EVENT_ROLE_PERMISSION_UPDATE = "ROLE.PERMISSION.UPDATE";
     public static final String EVENT_ROLE_PERMISSION_DELETE = "ROLE.PERMISSION.DELETE";
+    public static final String EVENT_ROLE_CLAIM_BINDING_CREATE = "ROLE.CLAIM.BINDING.CREATE";
+    public static final String EVENT_ROLE_CLAIM_BINDING_DELETE = "ROLE.CLAIM.BINDING.DELETE";
+    public static final String EVENT_ACCOUNT_ROLE_ASSIGN = "ACCOUNT.ROLE.ASSIGN";
+    public static final String EVENT_ACCOUNT_ROLE_UNASSIGN = "ACCOUNT.ROLE.UNASSIGN";
+    // Role-perspective events (for audit tracking by role)
+    public static final String EVENT_ROLE_ACCOUNT_ASSIGN = "ROLE.ACCOUNT.ASSIGN";
+    public static final String EVENT_ROLE_ACCOUNT_UNASSIGN = "ROLE.ACCOUNT.UNASSIGN";
 
     // Project Role events
     public static final  String EVENT_PROJECT_ROLE_CREATE = "PROJECT.ROLE.CREATE";
@@ -265,6 +282,11 @@ public class EventTypes {
     public static final String EVENT_PROJECT_ROLE_PERMISSION_CREATE = "PROJECT.ROLE.PERMISSION.CREATE";
     public static final String EVENT_PROJECT_ROLE_PERMISSION_UPDATE = "PROJECT.ROLE.PERMISSION.UPDATE";
     public static final String EVENT_PROJECT_ROLE_PERMISSION_DELETE = "PROJECT.ROLE.PERMISSION.DELETE";
+    public static final String EVENT_PROJECT_ROLE_CLAIM_BINDING_CREATE = "PROJECT.ROLE.CLAIM.BINDING.CREATE";
+    public static final String EVENT_PROJECT_ROLE_CLAIM_BINDING_DELETE = "PROJECT.ROLE.CLAIM.BINDING.DELETE";
+    // Project role assignment events (account-perspective for audit tracking)
+    public static final String EVENT_PROJECT_ACCOUNT_ROLE_ASSIGN = "PROJECT.ACCOUNT.ROLE.ASSIGN";
+    public static final String EVENT_PROJECT_ACCOUNT_ROLE_UNASSIGN = "PROJECT.ACCOUNT.ROLE.UNASSIGN";
 
     // CA events
     public static final String EVENT_CA_CERTIFICATE_ISSUE = "CA.CERTIFICATE.ISSUE";
@@ -963,6 +985,13 @@ public class EventTypes {
         entityEventDetails.put(EVENT_ROLE_PERMISSION_CREATE, RolePermission.class);
         entityEventDetails.put(EVENT_ROLE_PERMISSION_UPDATE, RolePermission.class);
         entityEventDetails.put(EVENT_ROLE_PERMISSION_DELETE, RolePermission.class);
+        entityEventDetails.put(EVENT_ROLE_CLAIM_BINDING_CREATE, RoleClaimBinding.class);
+        entityEventDetails.put(EVENT_ROLE_CLAIM_BINDING_DELETE, RoleClaimBinding.class);
+        entityEventDetails.put(EVENT_ACCOUNT_ROLE_ASSIGN, Account.class);
+        entityEventDetails.put(EVENT_ACCOUNT_ROLE_UNASSIGN, Account.class);
+        // Role-perspective events (for audit tracking by role)
+        entityEventDetails.put(EVENT_ROLE_ACCOUNT_ASSIGN, Role.class);
+        entityEventDetails.put(EVENT_ROLE_ACCOUNT_UNASSIGN, Role.class);
 
         // Account events
         entityEventDetails.put(EVENT_ACCOUNT_ENABLE, Account.class);
@@ -1175,6 +1204,11 @@ public class EventTypes {
         entityEventDetails.put(EVENT_PROJECT_INVITATION_UPDATE, Project.class);
         entityEventDetails.put(EVENT_PROJECT_INVITATION_REMOVE, Project.class);
         entityEventDetails.put(EVENT_PROJECT_ACCOUNT_REMOVE, Project.class);
+        entityEventDetails.put(EVENT_PROJECT_ROLE_CLAIM_BINDING_CREATE, ProjectRoleClaimBinding.class);
+        entityEventDetails.put(EVENT_PROJECT_ROLE_CLAIM_BINDING_DELETE, ProjectRoleClaimBinding.class);
+        // Project role assignment events (account-perspective for audit tracking)
+        entityEventDetails.put(EVENT_PROJECT_ACCOUNT_ROLE_ASSIGN, Account.class);
+        entityEventDetails.put(EVENT_PROJECT_ACCOUNT_ROLE_UNASSIGN, Account.class);
 
         // Network as a Service
         entityEventDetails.put(EVENT_NETWORK_ELEMENT_CONFIGURE, Network.class);

api/src/main/java/com/cloud/event/EventTypes.java

@@ -32,4 +32,6 @@ public enum Role {
     Role getAccountRole();
 
     long getProjectAccountId();
+
+    Long getAssignedBy();
 }

api/src/main/java/com/cloud/projects/ProjectAccount.java

@@ -68,6 +68,8 @@ public interface ProjectService {
 
     ProjectAccount assignAccountToProject(Project project, long accountId, Role accountRole, Long userId, Long projectRoleId);
 
+    ProjectAccount assignAccountToProject(Project project, long accountId, Role accountRole, Long userId, Long projectRoleId, Long assignedBy);
+
     Account getProjectOwner(long projectId);
 
     List<Long> getProjectOwners(long projectId);

api/src/main/java/com/cloud/projects/ProjectService.java

@@ -0,0 +1,107 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Represents an effective permission with lineage information showing
+ * which roles contributed to the final permission state.
+ */
+public class EffectivePermission {
+
+    private String rule;
+    private Permission permission;
+    private List<RoleSource> sourceRoles;
+    private List<RoleSource> overriddenRoles;
+
+    public EffectivePermission(String rule, Permission permission) {
+        this.rule = rule;
+        this.permission = permission;
+        this.sourceRoles = new ArrayList<>();
+        this.overriddenRoles = new ArrayList<>();
+    }
+
+    public String getRule() {
+        return rule;
+    }
+
+    public void setRule(String rule) {
+        this.rule = rule;
+    }
+
+    public Permission getPermission() {
+        return permission;
+    }
+
+    public void setPermission(Permission permission) {
+        this.permission = permission;
+    }
+
+    public List<RoleSource> getSourceRoles() {
+        return sourceRoles;
+    }
+
+    public void addSourceRole(RoleSource source) {
+        this.sourceRoles.add(source);
+    }
+
+    public List<RoleSource> getOverriddenRoles() {
+        return overriddenRoles;
+    }
+
+    public void addOverriddenRole(RoleSource source) {
+        this.overriddenRoles.add(source);
+    }
+
+    /**
+     * Represents a role that contributed to the effective permission
+     */
+    public static class RoleSource {
+        private long roleId;
+        private String roleName;
+        private Permission permission;
+        private boolean isPrimaryRole;
+
+        public RoleSource(long roleId, String roleName, Permission permission, boolean isPrimaryRole) {
+            this.roleId = roleId;
+            this.roleName = roleName;
+            this.permission = permission;
+            this.isPrimaryRole = isPrimaryRole;
+        }
+
+        public long getRoleId() {
+            return roleId;
+        }
+
+        public String getRoleName() {
+            return roleName;
+        }
+
+        public Permission getPermission() {
+            return permission;
+        }
+
+        public boolean isPrimaryRole() {
+            return isPrimaryRole;
+        }
+    }
+}

api/src/main/java/org/apache/cloudstack/acl/EffectivePermission.java

@@ -20,7 +20,17 @@
 import org.apache.cloudstack.api.Identity;
 import org.apache.cloudstack.api.InternalIdentity;
 
+import com.cloud.projects.ProjectAccount;
+
 public interface ProjectRole extends RoleEntity, InternalIdentity, Identity {
 
     Long getProjectId();
+
+    /**
+     * Gets the project account type (Admin/Regular) associated with this role.
+     * When this role is assigned to an account in a project, this type determines
+     * the account's project membership type.
+     * @return the project account type, defaults to Regular if not set
+     */
+    ProjectAccount.Role getType();
 }

api/src/main/java/org/apache/cloudstack/acl/ProjectRole.java

@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import java.util.Date;
+
+import org.apache.cloudstack.api.Identity;
+
+public interface ProjectRoleClaimBinding extends Identity {
+
+    long getId();
+
+    String getUuid();
+
+    long getProjectRoleId();
+
+    RoleClaimBinding.ClaimType getClaimType();
+
+    String getClaimValue();
+
+    Date getCreated();
+
+    Date getRemoved();
+
+    Long getCreatedBy();
+
+    Long getRemovedBy();
+}

api/src/main/java/org/apache/cloudstack/acl/ProjectRoleClaimBinding.java

@@ -22,6 +22,8 @@
 import org.apache.cloudstack.api.command.admin.acl.project.CreateProjectRolePermissionCmd;
 import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
 
+import com.cloud.projects.ProjectAccount;
+
 public interface ProjectRoleService {
     /**
      * Creates a Project role in a Project to be mapped to a user/ account (all users of an account)
@@ -32,6 +34,16 @@ public interface ProjectRoleService {
      */
     ProjectRole createProjectRole(Long projectId, String name, String description);
 
+    /**
+     * Creates a Project role in a Project to be mapped to a user/ account (all users of an account)
+     * @param projectId ID of the project where the project role is to be created
+     * @param name Name of the project role
+     * @param description description provided for the project role
+     * @param type the project account type (Admin/Regular) for accounts assigned to this role
+     * @return the Instance of the project role created
+     */
+    ProjectRole createProjectRole(Long projectId, String name, String description, ProjectAccount.Role type);
+
     /**
      * Updates a Project role created
      * @param role Project role reference to be updated
@@ -42,6 +54,17 @@ public interface ProjectRoleService {
      */
     ProjectRole updateProjectRole(ProjectRole role, Long projectId, String name, String description);
 
+    /**
+     * Updates a Project role created
+     * @param role Project role reference to be updated
+     * @param projectId ID of the project where the Project role exists
+     * @param name new name to be given to the project role
+     * @param description description for the project role
+     * @param type the project account type (Admin/Regular) for accounts assigned to this role
+     * @return the updated instance of the project role
+     */
+    ProjectRole updateProjectRole(ProjectRole role, Long projectId, String name, String description, ProjectAccount.Role type);
+
     /**
      *
      * @param projectId ID of the project in which the project role is to be searched for
@@ -116,4 +139,10 @@ public interface ProjectRoleService {
      */
     List<ProjectRolePermission> findAllProjectRolePermissions(Long projectId, Long projectRoleId);
 
+    ProjectRoleClaimBinding createProjectRoleClaimBinding(long projectRoleId, RoleClaimBinding.ClaimType claimType, String claimValue);
+
+    boolean deleteProjectRoleClaimBinding(long id);
+
+    List<ProjectRoleClaimBinding> listProjectRoleClaimBindings(long projectRoleId);
+
 }

api/src/main/java/org/apache/cloudstack/acl/ProjectRoleService.java

@@ -35,4 +35,10 @@ public String toString(){
     boolean isDefault();
     boolean isPublicRole();
     State getState();
+
+    /**
+     * Returns the domain ID for domain-scoped roles.
+     * @return the domain ID if this role is domain-scoped, null if global
+     */
+    Long getDomainId();
 }