Fix conflicts on checkAccess

Nicole Schmidt · Nicole Schmidt · commit 7f9e8ab17e2f · 2025-02-03T15:14:55.000-03:00
diff --git a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
@@ -160,8 +160,11 @@ public boolean checkAccess(User user, String commandName, ApiKeyPairPermission .
             logger.info("Account for user id {} is Root Admin or Domain Admin, all APIs are allowed.", user.getUuid());
             return true;
         }
-        List<RolePermission> allPermissions = roleAndPermissions.second();
-        if (checkApiPermissionByRole(accountRole, commandName, allPermissions)) {
+
+        List<RolePermissionEntity> allRules = defineNewKeypairRules(accountRole, apiKeyPairPermissions);
+        boolean override = apiKeyPairPermissions.length != 0;
+
+        if (checkApiPermissionByRole(accountRole, commandName, allRules, override)) {
             return true;
         }
         throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account for user id [%s].", commandName, user.getUuid()));
diff --git a/plugins/acl/dynamic-role-based/src/test/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessCheckerTest.java b/plugins/acl/dynamic-role-based/src/test/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessCheckerTest.java
@@ -248,7 +248,7 @@ public void checkAccessTestValidApiKeyPairPermissionWithNullOverride() {
         Mockito.doReturn(Collections.singletonList(permission)).when(roleServiceMock).findAllPermissionsBy(Mockito.anyLong());
 
         assertTrue(apiAccessCheckerSpy.checkAccess(getTestUser(), api, emptyPermissionArray));
-        Mockito.verify(roleServiceMock, Mockito.times(1)).findAllPermissionsBy(Mockito.anyLong());
+        Mockito.verify(roleServiceMock, Mockito.times(2)).findAllPermissionsBy(Mockito.anyLong());
     }
 
     @Test(expected = UnavailableCommandException.class)

Original file line number	Diff line number	Diff line change
`@@ -160,8 +160,11 @@ public boolean checkAccess(User user, String commandName, ApiKeyPairPermission .`
`160`	`160`	`logger.info("Account for user id {} is Root Admin or Domain Admin, all APIs are allowed.", user.getUuid());`
`161`	`161`	`return true;`
`162`	`162`	`}`
`163`		`- List<RolePermission> allPermissions = roleAndPermissions.second();`
`164`		`- if (checkApiPermissionByRole(accountRole, commandName, allPermissions)) {`
	`163`	`+`
	`164`	`+ List<RolePermissionEntity> allRules = defineNewKeypairRules(accountRole, apiKeyPairPermissions);`
	`165`	`+ boolean override = apiKeyPairPermissions.length != 0;`
	`166`	`+`
	`167`	`+ if (checkApiPermissionByRole(accountRole, commandName, allRules, override)) {`
`165`	`168`	`return true;`
`166`	`169`	`}`
`167`	`170`	`throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account for user id [%s].", commandName, user.getUuid()));`
Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,7 @@ public void checkAccessTestValidApiKeyPairPermissionWithNullOverride() {`
`248`	`248`	`Mockito.doReturn(Collections.singletonList(permission)).when(roleServiceMock).findAllPermissionsBy(Mockito.anyLong());`
`249`	`249`
`250`	`250`	`assertTrue(apiAccessCheckerSpy.checkAccess(getTestUser(), api, emptyPermissionArray));`
`251`		`- Mockito.verify(roleServiceMock, Mockito.times(1)).findAllPermissionsBy(Mockito.anyLong());`
	`251`	`+ Mockito.verify(roleServiceMock, Mockito.times(2)).findAllPermissionsBy(Mockito.anyLong());`
`252`	`252`	`}`
`253`	`253`
`254`	`254`	`@Test(expected = UnavailableCommandException.class)`