Package org.apache.cloudstack.iam.api

Examples of org.apache.cloudstack.iam.api.IAMPolicy


    /**
     * Revokes a single permission entry from an existing IAM policy.
     *
     * Only the policy lookup is visible in this listing; the statements that delete the
     * permission row and build the return value are not shown.
     *
     * @param iamPolicyId id of the policy to modify
     * @param entityType entity type of the permission entry (presumably part of the row key; the code using it is not shown)
     * @param scope permission scope as a string; not validated in the visible part
     * @param scopeId id the scope refers to
     * @param action action (API command) name of the permission entry
     * @throws InvalidParameterValueException if no policy with {@code iamPolicyId} exists
     */
    @DB
    @Override
    public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
            String action) {
        // Resolve the policy first so that an unknown id fails with an explicit parameter error
        // instead of silently revoking nothing.
        IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
        if (policy == null) {
            throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
                    + "; failed to revoke permission from policy.");
        }
        // NOTE(review): no check of the caller's rights over this policy is visible in this
        // method; presumably it is enforced by the API layer that calls it - confirm.
        // remove entry from acl_entity_permission table


        groups.add(group);
        Long groupId = group.getId();
        List<Long> policyIds = new ArrayList<Long>();
        policyIds.add(100L);
        policyIds.add(200L);
        IAMPolicy policy1 = new IAMPolicyVO("policy1", "my first policy");
        IAMPolicy policy2 = new IAMPolicyVO("policy2", "my second policy");
        List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
        policies.add(policy1);
        policies.add(policy2);
        when(_iamSrv.attachIAMPoliciesToGroup(policyIds, groupId)).thenReturn(group);
        when(_iamSrv.listIAMPoliciesByGroup(groupId)).thenReturn(policies);

    /**
     * Resets an existing IAM policy.
     *
     * Only the existence check is visible in this listing; what "reset" removes from the
     * policy is not shown.
     *
     * @param iamPolicyId id of the policy to reset
     * @throws InvalidParameterValueException if no policy with {@code iamPolicyId} exists
     */
    @DB
    @Override
    public IAMPolicy resetIAMPolicy(long iamPolicyId) {
        // Resolve the policy first so that an unknown id is reported as a parameter error.
        // NOTE(review): no caller authorization check is visible here; presumably done upstream - confirm.
        IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
        if (policy == null) {
            throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
                    + "; failed to reset the policy.");
        }

        assertFalse("policy2 should not belong to the group anymore", policyNames.contains("policy2"));
    }

    @Test
    public void addRemovePermissionToPolicyTest() {
        IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
        List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
        policies.add(policy);
        Long policyId = policy.getId();
        Long resId = 200L;
        Class clz = ListVMsCmd.class;
        when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz);
        when(
                _iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),

        _iamService.removeAccountsFromGroup(accountIds, 20L);
    }

    // Exercises policy creation; the test is declared to end in InvalidParameterValueException.
    // NOTE(review): `expected` applies to the whole method, so the test also passes if the
    // FIRST createIAMPolicy call throws - in that case assertNotNull never runs. To pin the
    // rejection to one specific call, wrap only that call in try/fail/catch.
    @Test(expected = InvalidParameterValueException.class)
    public void createAclPolicyTest() {
        // Happy path: a new policy under the given domain path must be returned.
        IAMPolicy policy = _iamService.createIAMPolicy("policy1", "my first policy", null, "/root/mydomain");
        assertNotNull("Acl policy 'policy1' failed to create ", policy);

        // Stub the DAO so that a policy named "policy2" already exists; presumably the part of
        // the test not shown here then expects a second create of "policy2" to be rejected.
        IAMPolicyVO rvo = new IAMPolicyVO("policy2", "second policy");
        when(_aclPolicyDao.findByName(eq("policy2"))).thenReturn(rvo);

    /**
     * API command entry point: removes one permission from an IAM policy and returns the
     * updated policy as the command response. The failure branch is not shown in this listing.
     */
    @Override
    public void execute() throws ResourceUnavailableException,
            InsufficientCapacityException, ServerApiException {
        // Record which policy this call touches in the event details of the current call context.
        CallContext.current().setEventDetails("IAM policy Id: " + getId());
        // NOTE(review): `scope` is converted with PermissionScope.valueOf(); if PermissionScope is
        // an enum, an unknown name throws IllegalArgumentException and null throws
        // NullPointerException. How that reaches the API client is not visible here - validating
        // the value first and reporting a parameter error would keep the response predictable.
        IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), getScopeId(), action);
        if (result != null) {
            // Success: wrap the updated policy in the response object for this command.
            IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
            response.setResponseName(getCommandName());
            setResponseObject(response);
        } else {

    /**
     * Creates a policy holding one Allow permission on a single resource and attaches it to
     * every group returned by {@code listDomainGroup(domain)}.
     *
     * In the visible part nothing happens when {@code domainId} does not resolve to a domain.
     * The end of the method is not shown in this listing.
     */
    private void createPolicyAndAddToDomainGroup(String policyName, String description, String entityType,
            Long entityId, String action, AccessType accessType, Long domainId, Boolean recursive) {

       Domain domain = _domainDao.findById(domainId);
       if (domain != null) {
            // The policy is created under the domain's path, then given a RESOURCE-scoped Allow
            // for (entityType, entityId, action, accessType).
            // NOTE(review): the result of createIAMPolicy is dereferenced without a null check.
            IAMPolicy policy = _iamSrv.createIAMPolicy(policyName, description, null, domain.getPath());
            _iamSrv.addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE.toString(),
                    entityId, action, accessType.toString(), Permission.Allow, recursive);
            List<Long> policyList = new ArrayList<Long>();
            policyList.add(new Long(policy.getId()));

           // NOTE(review): the policy and its Allow entry already exist at this point; if no
           // group is found they stay behind unattached. No transaction boundary is visible on
           // this method, so a failure part-way through the loop may leave only some groups
           // attached - confirm how callers handle that.
           List<IAMGroup> domainGroups = listDomainGroup(domain);
           if (domainGroups != null) {
               for (IAMGroup group : domainGroups) {
                   _iamSrv.attachIAMPoliciesToGroup(policyList, group.getId());

    }

    /**
     * Grants the given accounts access to one entity by attaching a dedicated grant policy
     * to each of them, creating that policy on first use.
     *
     * @param entityType type name of the entity being shared
     * @param entityId id of the entity being shared
     * @param accessType access type stored with the permission
     * @param action action (API command) name the permission applies to
     * @param accountIds accounts to attach the policy to; iterated without a null check
     */
    @Override
    public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
        // NOTE(review): nothing in this method checks that the caller may grant access to the
        // entity or to the target accounts; presumably enforced by the caller - confirm.
        // Reuse the dedicated grant policy for (entityType, entityId, accessType, action) if one exists.
        IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
        if (policy == null) {
            // None yet: create one owned by the calling account.
            Account caller = CallContext.current().getCallingAccount();
            // NOTE(review): the lookup above is keyed on accessType and action as well, but the
            // generated name uses only entityType and entityId. A second grant on the same entity
            // with a different action would produce the same name - confirm whether
            // createIAMPolicy rejects duplicate names.
            String aclPolicyName = "policyGrant" + entityType + entityId;
            String description = "Policy to grant permission to " + entityType + entityId;
            policy = createIAMPolicy(caller, aclPolicyName, description, null);
            // The policy carries exactly one RESOURCE-scoped Allow entry for this entity and action.
            addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action,
                    Permission.Allow, false, false);
        }
        // Attach per account and skip accounts that already have the policy.
        // NOTE(review): check-then-attach; no locking or transaction is visible in this listing,
        // so concurrent grants may both pass the check - confirm the attach call tolerates that.
        Long policyId = policy.getId();
        for (Long acctId : accountIds) {
            if (!isPolicyAttachedToAccount(policyId, acctId)) {
                attachIAMPolicyToAccounts(policyId, Collections.singletonList(acctId));
            }
        }

    }

    /**
     * Revokes a per-entity grant from the given accounts by detaching the dedicated grant
     * policy from each account that currently has it.
     *
     * Only attachments of that one policy are removed; access an account holds through any
     * other policy is not touched by the code shown here.
     *
     * @param accountIds accounts to detach the policy from; iterated without a null check
     */
    @Override
    public void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
        // Look up the dedicated grant policy for (entityType, entityId, accessType, action).
        IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
        if (policy == null) {
            // NOTE(review): a missing policy is only logged; the caller cannot tell "revoked"
            // from "nothing matched", and the log line names neither the entity nor the action.
            s_logger.warn("Cannot find a policy associated with this entity permissioin to be revoked, just return");
            return;
        }
        // Detach per account and skip accounts that do not have the policy attached.
        Long policyId = policy.getId();
        for (Long acctId : accountIds) {
            if (isPolicyAttachedToAccount(policyId, acctId)) {
                removeIAMPolicyFromAccounts(policyId, Collections.singletonList(acctId));
            }
        }

        // Remove the template's "listTemplates" permission from two policies whose ids are
        // computed as account-type constant + 1.
        // NOTE(review): presumably these are the ids of built-in per-account-type policies; the
        // mapping is not visible here - confirm, and prefer a named lookup over id arithmetic.
        // The returned policies are ignored.
        _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
                PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
        _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
                PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
        // Look for the dedicated grant policy carrying the UseEntry permission on this template.
        IAMPolicy policy = _iamSrv.getResourceGrantPolicy(VirtualMachineTemplate.class.getSimpleName(), templateId, AccessType.UseEntry.toString(), "listTemplates");
        if ( policy == null ){
            s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done");
            return;
        }
        // Delete the grant policy.
        // NOTE(review): revocation relies on deleteIAMPolicy also detaching the policy from every
        // group and account; that cascade is not visible here - verify it, otherwise stale
        // attachments could outlive the grant.
        _iamSrv.deleteIAMPolicy(policy.getId());

    }
