fixing asterisk, refactoring apikey permissions check

Author: klaus.freitas.scclouds

api/src/main/java/com/cloud/user/AccountService.java

@@ -23,8 +23,12 @@
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeyRulesCmd;
 import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.RegisterUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
@@ -120,6 +124,8 @@ User createUser(String userName, String password, String firstName, String lastN
 
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
 
+    void validateCallingUserHasAccessToDesiredUser(Long userId);
+
     Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
 
     /**
@@ -133,6 +139,11 @@ User createUser(String userName, String password, String firstName, String lastN
 
     ListResponse<ApiKeyPairResponse> getKeys(ListUserKeysCmd cmd);
 
+    List<ApiKeyPairPermission> listKeyRules(ListUserKeyRulesCmd cmd);
+
+    void deleteApiKey(DeleteUserKeysCmd cmd);
+
+    void deleteApiKey(ApiKeyPair id);
     /**
      * Lists user two-factor authentication provider plugins
      * @return list of providers
@@ -150,4 +161,7 @@ User createUser(String userName, String password, String firstName, String lastN
 
     ApiKeyPair getKeyPairById(Long id);
 
+    ApiKeyPair getKeyPairByApiKey(String apiKey);
+
+    String getAccessingApiKey (BaseCmd cmd);
 }

api/src/main/java/com/cloud/user/ApiKeyPairState.java

@@ -0,0 +1,21 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.user;
+
+public enum ApiKeyPairState {
+    ENABLED, REMOVED, EXPIRED
+}

api/src/main/java/org/apache/cloudstack/acl/RoleService.java

@@ -101,5 +101,24 @@ public interface RoleService {
 
     Permission getRolePermission(String permission);
 
+    List<RolePermissionEntity> findAllRolePermissionsEntityBy(Long roleId);
+
     int removeRolesIfNeeded(List<? extends Role> roles);
+
+    /**
+     * Checks if the role of the caller account has compatible permissions of the specified role permissions.
+     * For each permission of the roleToAccess, the role of the caller needs to contain the same permission.
+     *
+     * @param rolePermissions the permissions of the caller role.
+     * @param rolePermissionsToAccess the permissions for the role that the caller role wants to access.
+     * @return True if the role can be accessed with the given permissions; false otherwise.
+     */
+    boolean roleHasPermission(Map<String, Permission> rolePermissions, List<RolePermissionEntity> rolePermissionsToAccess);
+
+    /**
+     * Given a list of role permissions, returns a {@link Map} containing the API name as the key and the {@link Permission} for the API as the value.
+     *
+     * @param rolePermissions Permissions for the role from role.
+     */
+    Map<String, Permission> getRoleRulesAndPermissions(List<RolePermissionEntity> rolePermissions);
 }

api/src/main/java/org/apache/cloudstack/acl/Rule.java

@@ -25,16 +25,18 @@
 
 public final class Rule {
     private final String rule;
+    private final Pattern matchingPattern;
     private final static Pattern ALLOWED_PATTERN = Pattern.compile("^[a-zA-Z0-9*]+$");
 
     public Rule(final String rule) {
         validate(rule);
         this.rule = rule;
+        matchingPattern = Pattern.compile(rule.toLowerCase().replace("*", "(\\w*\\*?)+"));
     }
 
     public boolean matches(final String commandName) {
-        return StringUtils.isNotEmpty(commandName)
-                && commandName.toLowerCase().matches(rule.toLowerCase().replace("*", "\\w*"));
+        return StringUtils.isNotEmpty(commandName) &&
+                matchingPattern.matcher(commandName.toLowerCase()).matches();
     }
 
     public String getRuleString() {

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPair.java

@@ -32,5 +32,7 @@ public interface ApiKeyPair extends ControlledEntity, InternalIdentity, Identity
     String getSecretKey();
     String getName();
     Date getRemoved();
-    boolean validateDate(boolean throwException);
+    void setRemoved(Date date);
+    void validateDate();
+    boolean hasEndDatePassed();
 }

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairService.java

@@ -19,13 +19,11 @@
 import java.util.List;
 
 public interface ApiKeyPairService {
-    List<ApiKeyPairPermission> findAllPermissionsByKeyPairId(Long apiKeyPairId);
+    List<ApiKeyPairPermission> findAllPermissionsByKeyPairId(Long apiKeyPairId, Long roleId);
 
     ApiKeyPair findByApiKey(String apiKey);
 
     ApiKeyPair findById(Long id);
 
-    void deleteApiKey(ApiKeyPair id);
-
     void validateCallingUserHasAccessToDesiredUser(Long userId);
 }

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -19,6 +19,7 @@
 public class ApiConstants {
     public static final String ACCOUNT = "account";
     public static final String ACCOUNTS = "accounts";
+    public static final String ACCOUNT_NAME = "accountname";
     public static final String ACCOUNT_TYPE = "accounttype";
     public static final String ACCOUNT_ID = "accountid";
     public static final String ACCOUNT_IDS = "accountids";
@@ -35,6 +36,8 @@ public class ApiConstants {
     public static final String ALLOW_USER_FORCE_STOP_VM = "allowuserforcestopvm";
     public static final String ANNOTATION = "annotation";
     public static final String API_KEY = "apikey";
+    public static final String API_KEY_FILTER = "apikeyfilter";
+    public static final String HEADER_API_KEY = "apiKey";
     public static final String ARCHIVED = "archived";
     public static final String ARCH = "arch";
     public static final String AS_NUMBER = "asnumber";
@@ -446,6 +449,7 @@ public class ApiConstants {
     public static final String SHOW_RESOURCE_ICON = "showicon";
     public static final String SHOW_INACTIVE = "showinactive";
     public static final String SHOW_UNIQUE = "showunique";
+    public static final String SHOW_PERMISSIONS = "showpermissions";
     public static final String SIGNATURE = "signature";
     public static final String SIGNATURE_VERSION = "signatureversion";
     public static final String SINCE = "since";
@@ -640,6 +644,7 @@ public class ApiConstants {
     public static final String ROLE_TYPE = "roletype";
     public static final String ROLE_NAME = "rolename";
     public static final String PERMISSION = "permission";
+    public static final String PERMISSIONS = "permissions";
     public static final String RULE = "rule";
     public static final String RULES = "rules";
     public static final String RULE_ID = "ruleid";

api/src/main/java/org/apache/cloudstack/api/command/admin/user/DeleteUserKeysCmd.java

@@ -17,7 +17,6 @@
 package org.apache.cloudstack.api.command.admin.user;
 
 import com.cloud.event.EventTypes;
-import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.user.Account;
 import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
 import org.apache.cloudstack.api.ACL;
@@ -51,20 +50,13 @@ public long getEntityOwnerId() {
         return Account.ACCOUNT_ID_SYSTEM;
     }
 
-    private Long getId() {
+    public Long getId() {
         return id;
     }
 
     @Override
     public void execute() {
-        ApiKeyPair keyPair = apiKeyPairService.findById(getId());
-        if (keyPair == null) {
-            throw new InvalidParameterValueException(String.format("No keypair found with the id [%s].", getId()));
-        }
-        apiKeyPairService.validateCallingUserHasAccessToDesiredUser(keyPair.getUserId());
-
-        apiKeyPairService.deleteApiKey(keyPair);
-
+        _accountService.deleteApiKey(this);
         SuccessResponse response = new SuccessResponse(getCommandName());
         this.setResponseObject(response);
     }

api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeyRulesCmd.java

@@ -19,7 +19,6 @@
 
 
 import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.user.Account;
 import java.util.List;
@@ -28,7 +27,7 @@
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.ApiKeyPairResponse;
@@ -42,10 +41,10 @@
         responseHasSensitiveInfo = false,
         since = "4.20.0")
 
-public class ListUserKeyRulesCmd extends BaseCmd {
+public class ListUserKeyRulesCmd extends BaseListDomainResourcesCmd {
 
     @ACL
-    @Parameter(name=ApiConstants.ID, type = CommandType.UUID,  entityType = ApiKeyPairResponse.class, description = "ID of the keypair.", required = true)
+    @Parameter(name = ApiConstants.KEYPAIR_ID, type = CommandType.UUID,  entityType = ApiKeyPairResponse.class, description = "ID of the keypair.", required = true)
     private Long id;
 
     public Long getId() {
@@ -62,13 +61,7 @@ public long getEntityOwnerId() {
 
     @Override
     public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException {
-        ApiKeyPair keyPair = apiKeyPairService.findById(getId());
-        if (keyPair == null) {
-            throw new InvalidParameterValueException(String.format("No keypair found with the id [%s].", getId()));
-        }
-        apiKeyPairService.validateCallingUserHasAccessToDesiredUser(keyPair.getUserId());
-
-        List<ApiKeyPairPermission> permissions = apiKeyPairService.findAllPermissionsByKeyPairId(keyPair.getId());
+        List<ApiKeyPairPermission> permissions = _accountService.listKeyRules(this);
         ListResponse<BaseRolePermissionResponse> response = _responseGenerator.createKeypairPermissionsResponse(permissions);
         response.setResponseName(getCommandName());
         setResponseObject(response);

api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeysCmd.java

@@ -45,13 +45,21 @@
 public class ListUserKeysCmd extends BaseListDomainResourcesCmd {
 
     @ACL
-    @Parameter(name=ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, description = "ID of the user that owns the keys.")
+    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, description = "ID of the user that owns the keys.")
     private Long userId;
 
     @ACL
-    @Parameter(name=ApiConstants.KEYPAIR_ID, type = CommandType.UUID, entityType = ApiKeyPairResponse.class, description = "ID of the keypair.")
+    @Parameter(name = ApiConstants.KEYPAIR_ID, type = CommandType.UUID, entityType = ApiKeyPairResponse.class, description = "ID of the keypair.")
     private Long keyPairId;
 
+    @ACL
+    @Parameter(name = ApiConstants.API_KEY_FILTER, type = CommandType.STRING, description = "API Key of the keypair.")
+    private String apiKeyFilter;
+
+    @Parameter(name = ApiConstants.SHOW_PERMISSIONS, type = CommandType.BOOLEAN, description = "Whether API Key rules should be returned.")
+    private Boolean showPermissions;
+
+
     protected Logger logger = LogManager.getLogger(getClass());
 
     public Long getUserId() {
@@ -62,6 +70,14 @@ public Long getKeyId() {
         return keyPairId;
     }
 
+    public String getApiKeyFilter() {
+        return apiKeyFilter;
+    }
+
+    public Boolean getShowPermissions() {
+        return showPermissions;
+    }
+
     public long getEntityOwnerId() {
         if (getKeyId() != null) {
             ApiKeyPair keypair = apiKeyPairService.findById(getKeyId());