
Fix merge conflicts.

2 parents 0237773 + e0651ae commit 1a9ca74f05a528f573b0d4ec126550c2036a6b0f Ryan Morgan committed Jul 8, 2010
@@ -87,6 +87,13 @@ Changes in HQApi 3.0
*) [HHQ-3144] Add ServerConfigApi to allow manipulation of HQ server config
settings.
+
+Changes in HQApi 2.5
+
+ *) [HHQ-4133] Perform permission checking on ResourceApi.
+
+ *) Back port AlertApi to 2.x branch. As a part of this change portions of
+ the new MetricDataApi were also backported to aid in testing.
Changes in HQApi 2.4
@@ -8,6 +8,7 @@ import org.hyperic.hq.events.server.session.AlertManagerEJBImpl as AlertMan
import org.hyperic.hq.escalation.server.session.EscalationManagerEJBImpl as EscMan
import org.hyperic.hq.events.server.session.ClassicEscalationAlertType
import org.hyperic.hq.authz.shared.PermissionException
+import org.hyperic.hq.authz.shared.PermissionException
public class AlertController extends ApiController {
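Review bot: The added import duplicates the `org.hyperic.hq.authz.shared.PermissionException` import on the context line directly above it, most likely a leftover from the merge. Drop the added line so the import block lists each class once.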
@@ -189,6 +190,8 @@ public class AlertController extends ApiController {
failureXml = getFailureXML(ErrorCode.INVALID_PARAMETERS,
"Invalid severity " + sev)
+ } catch (PermissionException e) {
+ // User cannot see this resource, continue with empty list
} catch (Throwable t) {
failureXml = getFailureXML(ErrorCode.UNEXPECTED_ERROR,
t.getMessage())
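Review bot: The new `catch (PermissionException e)` holds only a comment, so a denied request is indistinguishable from one that simply has no alerts, and it leaves no trace for an audit. Log the denial, e.g. `log.debug("Permission denied while listing alerts: " + e.getMessage())`, assuming `log` is available here as it is in ApiController. The same silent catch appears in the AlertdefinitionController hunks marked `// Ignore resources the user cannot see` and `// Ignore`, and in the GroupController hunk. The try block this catch belongs to begins outside the hunk.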
@@ -268,11 +268,17 @@ public class AlertdefinitionController extends ApiController {
def postRequest = new XmlParser().parseText(getPostData())
def resources = []
for (xmlDef in postRequest['Resource']) {
- def resource = getResource(xmlDef.'@id'?.toInteger())
- if (!resource) {
- failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
- "Unable to find resource with id " + xmlDef.'@id')
- break
+ try {
+ def resource = getResource(xmlDef.'@id'?.toInteger())
+ if (!resource) {
+ failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
+ "Unable to find resource with id " + xmlDef.'@id')
+ break
+ }
+
+ resources.add(resource)
+ } catch (PermissionException e) {
+ // Ignore resources the user cannot see
}
}
@@ -350,7 +356,13 @@ public class AlertdefinitionController extends ApiController {
}
}
} else if (resourceId != null) {
- def resource = getResource(resourceId)
+ def resource = null
+ try {
+ resource = getResource(resourceId)
+ } catch (PermissionException e) {
+ failureXml = getFailureXML(ErrorCode.PERMISSION_DENIED)
+ }
+
if (!resource) {
failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
"Resource with id = " + resourceId +
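Review bot: The PERMISSION_DENIED result set in the new catch is overwritten straight away: after a denial `resource` is still null, so the `if (!resource)` that follows replaces failureXml with OBJECT_NOT_FOUND. Guard the not-found branch so the denial survives, e.g. `if (!failureXml && !resource) {`, assuming failureXml is unset on entry to this branch. The body of that `if` continues past the end of the hunk.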
@@ -504,7 +516,12 @@ public class AlertdefinitionController extends ApiController {
} else if (xmlDef['Resource'].size() == 1) {
typeBased = false
def rid = xmlDef['Resource'][0].'@id'?.toInteger()
- resource = getResource(rid)
+ try {
+ resource = getResource(rid)
+ } catch (PermissionException e) {
+ // Ignore
+ }
+
if (!resource) {
failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
"Cannot find resource with " +
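Review bot: A denied lookup is reported here as OBJECT_NOT_FOUND, because the catch ignores the exception and the `if (!resource)` below handles the resulting null. The MetricController and ResourceController hunks in this commit return PERMISSION_DENIED for the same condition. With the behaviour mixed, a caller can tell existing-but-forbidden resources from missing ones on some endpoints and not on others, so neither policy holds. Pick one and state it in the catch, e.g. replace `// Ignore` with `// Reported as not found so the resource's existence is not disclosed`. The GroupController hunk has the same pattern.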
@@ -678,7 +695,12 @@ public class AlertdefinitionController extends ApiController {
it.'@key' == 'action'
}?.'@value'
- def cResource = getResource(rId)
+ def cResource = null
+ try {
+ cResource = getResource(rId)
+ } catch (PermissionException e) {
+ // Ignore
+ }
if (cResource != null && action != null) {
def actions = cResource.getControlActions(user)
if (!actions.find { it == action }) {
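Review bot: Swallowing PermissionException here leaves cResource null, and the guard that follows (`cResource != null && action != null`) then skips validation of the control action entirely. A definition that references a resource the user cannot view therefore passes this step unchecked. Fail closed instead, e.g. set `failureXml = getFailureXML(ErrorCode.PERMISSION_DENIED)` in the catch. What happens to the definition after this block is outside the hunk, so confirm whether a later check already covers it.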
@@ -51,6 +51,24 @@ class ApiController extends BaseController {
}
/**
+ * Checks view permission for the passed in resource.
+ * @throws PermissionException if permission is not granted, otherwise
+ * the passed in Resource is returned.
+ */
+ protected checkViewPermission(resource) {
+ if (resource.isPlatform()) {
+ return resource.toPlatform().checkPerms(operation: 'view', user:user)
+ } else if (resource.isServer()) {
+ return resource.toServer().checkPerms(operation: 'view', user:user)
+ } else if (resource.isService()) {
+ return resource.toService().checkPerms(operation: 'view', user:user)
+ } else {
+ log.error("Unhandled resource type " + resource.prototype)
+ return null
+ }
+ }
+
+ /**
* Get the resource based on the given id. If the resource is not found,
* null is returned.
*/
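Review bot: The Javadoc for checkViewPermission() does not mention the fall-through case: a resource that is neither platform, server nor service is logged as an error and null is returned, which getResource() callers will read as "not found". Document it, e.g. `@return the result of checkPerms for a platform, server or service; null for any other resource type`, and note that a null argument is not accepted because `resource.isPlatform()` is called unconditionally. If groups or applications can reach this method, they become invisible through the API, so it is worth confirming that is intended.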
@@ -69,10 +87,12 @@ class ApiController extends BaseController {
try {
resource.name // Check the object really exists
resource.entityId // Check the object is an appdef object
- return resource
} catch (Throwable t) {
return null
}
+
+ // ResourceHelper does not check permissions
+ return checkViewPermission(resource)
}
}
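Review bot: getResource() now propagates PermissionException, but its doc comment (visible at the end of the previous hunk) still says only that null is returned when the resource is not found. Add `@throws PermissionException if the user lacks view permission on the resource` so callers know to handle it. Any caller not updated in this commit will otherwise surface the exception through whatever generic handler it has. The start of the method is outside the hunk.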
@@ -172,7 +172,12 @@ class GroupController extends ApiController {
for (xmlResource in xmlGroup['Resource']) {
log.debug("Found resource " + xmlResource.'@name')
- def resource = getResource(xmlResource.'@id'?.toInteger());
+ def resource = null
+ try {
+ resource = getResource(xmlResource.'@id'?.toInteger());
+ } catch (PermissionException e) {
+ // Ignore resources the user cannot see.
+ }
if (!resource) {
failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
@@ -3,6 +3,7 @@ import org.hyperic.hq.hqu.rendit.BaseController
import org.hyperic.hq.hqapi1.ErrorCode;
import org.hyperic.hq.zevents.ZeventManager;
import org.hyperic.hq.appdef.server.session.ResourceRefreshZevent;
+import org.hyperic.hq.authz.shared.PermissionException
class MetricController extends ApiController {
@@ -137,21 +138,25 @@ class MetricController extends ApiController {
failureXml = getFailureXML(ErrorCode.INVALID_PARAMETERS,
"Resource id not given")
} else {
- def res = getResource(resourceId)
- if (!res) {
- failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
- "Unable to find resource id=" + resourceId)
- } else {
- try {
- if (enabled != null && enabled) {
- metrics = res.enabledMetrics
- } else {
- metrics = res.metrics
- }
- } catch (Exception e) {
- log.error("UnexpectedError: " + e.getMessage(), e)
- failureXml = getFailureXML(ErrorCode.UNEXPECTED_ERROR)
+ try {
+ def res = getResource(resourceId)
+ if (!res) {
+ failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
+ "Unable to find resource id=" + resourceId)
+ } else {
+ try {
+ if (enabled != null && enabled) {
+ metrics = res.enabledMetrics
+ } else {
+ metrics = res.metrics
+ }
+ } catch (Exception e) {
+ log.error("UnexpectedError: " + e.getMessage(), e)
+ failureXml = getFailureXML(ErrorCode.UNEXPECTED_ERROR)
+ }
}
+ } catch (PermissionException e) {
+ failureXml = getFailureXML(ErrorCode.PERMISSION_DENIED)
}
}
@@ -506,7 +511,18 @@ class MetricController extends ApiController {
// Validate the resources exist.
def results = []
for (String id : ids) {
- def resource = getResource(id.toInteger())
+ def resource = null
+ try {
+ resource = getResource(id.toInteger())
+ } catch (PermissionException e) {
+ renderXml() {
+ MetricsDataResponse() {
+ out << getFailureXML(ErrorCode.PERMISSION_DENIED)
+ }
+ }
+ return
+ }
+
if (!resource) {
renderXml() {
MetricsDataResponse() {
@@ -560,7 +576,18 @@ class MetricController extends ApiController {
def zevents = []
for (res in xmlResources) {
- def resource = getResource(res.'@id'.toInteger())
+ def resource = null
+ try {
+ resource = getResource(res.'@id'.toInteger())
+ } catch (PermissionException e) {
+ renderXml() {
+ StatusResponse() {
+ out << getFailureXML(ErrorCode.PERMISSION_DENIED)
+ }
+ }
+ return
+ }
+
if (!resource) {
renderXml() {
StatusResponse() {
@@ -367,31 +367,31 @@ class ResourceController extends ApiController {
if (!id && !platformName && !fqdn) {
failureXml = getFailureXML(ErrorCode.INVALID_PARAMETERS)
} else {
- if (id) {
- resource = getResource(id)
- if (!resource) {
- failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
- "Resource id=" + id +
- " not found")
- }
- } else if (platformName) {
- resource = resourceHelper.find('platform':platformName)
- if (!resource) {
- failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
- "Platform '" + platformName +
- "' not found")
- }
- } else if (fqdn) {
- try {
+ try {
+ if (id) {
+ resource = getResource(id)
+ if (!resource) {
+ failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
+ "Resource id=" + id +
+ " not found")
+ }
+ } else if (platformName) {
+ resource = resourceHelper.find('platform': platformName)
+ if (!resource) {
+ failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
+ "Platform '" + platformName +
+ "' not found")
+ }
+ } else if (fqdn) {
resource = resourceHelper.find('byFqdn':fqdn)
if (!resource) {
failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
"Platform fqdn='" + fqdn +
"' not found")
}
- } catch (PermissionException pe) {
- failureXml = getFailureXML(ErrorCode.PERMISSION_DENIED)
}
+ } catch (PermissionException e) {
+ failureXml = getFailureXML(ErrorCode.PERMISSION_DENIED)
}
}
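Review bot: Only the `id` branch goes through getResource(), which now calls checkViewPermission(). The platformName and fqdn branches still use the result of `resourceHelper.find(...)` directly, and the comment added in ApiController says ResourceHelper does not check permissions. Unless find('platform') and find('byFqdn') enforce view permission themselves (the old catch around byFqdn suggests that one may), pass a non-null result through the same check, e.g. `if (resource) resource = checkViewPermission(resource)`. The enclosing method starts and ends outside the hunk.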
@@ -428,19 +428,42 @@ class ResourceController extends ApiController {
" not found")
} else {
def platforms = agent.platforms
- resources = platforms*.resource
+ for (platform in platforms) {
+ try {
+ resources.add(platform.checkPerms(operation: 'view', user:user))
+ } catch (PermissionException e) {
+ log.debug("Ignoring platform " + platform.name + " due to permissions.")
+ }
+ }
}
} else if (prototype) {
- resources = resourceHelper.find('byPrototype': prototype)
+ def matching = resourceHelper.find('byPrototype': prototype)
+
+ for (resource in matching) {
+ try {
+ resources.add(checkViewPermission(resource))
+ } catch (PermissionException e) {
+ log.debug("Ignoring resource " + resource.name + " due to permissions")
+ }
+ }
} else if (description) {
// TODO: Move into HQ.
+ def matching = []
def session = DAOFactory.getDAOFactory().currentSession
- resources.addAll(session.createQuery(
+ matching.addAll(session.createQuery(
"select p.resource from Platform p where p.description like '%${description}%'").list())
- resources.addAll(session.createQuery(
+ matching.addAll(session.createQuery(
"select s.resource from Server s where s.description like '%${description}%'").list())
- resources.addAll(session.createQuery(
+ matching.addAll(session.createQuery(
"select s.resource from Service s where s.description like '%${description}%'").list())
+
+ for (resource in matching) {
+ try {
+ resources.add(checkViewPermission(resource))
+ } catch (PermissionException e) {
+ log.debug("Ignoring resource " + resource.name + " due to permissions")
+ }
+ }
} else {
// Shouldn't happen
failureXml = getFailureXML(ErrorCode.INVALID_PARAMETERS)
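Review bot: The three description queries still build HQL by interpolating `description` into the string (`like '%${description}%'`), so a value containing a quote changes the query itself. The new permission filter runs only after the queries have executed and does not address that. If `description` comes from the request, as it appears to, bind it as a named parameter instead. The same pattern value can be reused for all three queries. The enclosing method begins outside the hunk.

```groovy
// … unchanged: def matching = [] and the session lookup …
def pattern = "%" + description + "%"
matching.addAll(session.createQuery(
    "select p.resource from Platform p where p.description like :desc")
    .setParameter("desc", pattern).list())
matching.addAll(session.createQuery(
    "select s.resource from Server s where s.description like :desc")
    .setParameter("desc", pattern).list())
matching.addAll(session.createQuery(
    "select s.resource from Service s where s.description like :desc")
    .setParameter("desc", pattern).list())
// … unchanged: permission-filter loop over matching …
```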