Prevent addition/removal for well known container roles
[controller.git] / opendaylight / appauth / src / main / java / org / opendaylight / controller / appauth / authorization / Authorization.java
index fd8799f..b872f49 100644 (file)
@@ -16,6 +16,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.concurrent.ConcurrentMap;
 
 import java.util.Set;
 import java.util.concurrent.ConcurrentMap;
 
+import org.opendaylight.controller.containermanager.IContainerAuthorization;
 import org.opendaylight.controller.sal.authorization.AppRoleLevel;
 import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
 import org.opendaylight.controller.sal.authorization.Privilege;
 import org.opendaylight.controller.sal.authorization.AppRoleLevel;
 import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
 import org.opendaylight.controller.sal.authorization.Privilege;
@@ -66,6 +67,11 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
                     "Controller roles cannot be explicitely "
                             + "created in App context");
         }
                     "Controller roles cannot be explicitely "
                             + "created in App context");
         }
+        if (isContainerRole(role)) {
+            return new Status(StatusCode.NOTALLOWED,
+                    "Container roles cannot be explicitely "
+                            + "created in App context");
+        }
         if (isRoleInUse(role)) {
             return new Status(StatusCode.CONFLICT, "Role already in use");
         }
         if (isRoleInUse(role)) {
             return new Status(StatusCode.CONFLICT, "Role already in use");
         }
@@ -96,7 +102,10 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
             return new Status(StatusCode.NOTALLOWED,
                     "Controller roles cannot be removed");
         }
             return new Status(StatusCode.NOTALLOWED,
                     "Controller roles cannot be removed");
         }
-
+        if (isContainerRole(role)) {
+            return new Status(StatusCode.NOTALLOWED,
+                    "Container roles cannot be removed");
+        }
         return removeRoleInternal(role);
     }
 
         return removeRoleInternal(role);
     }
 
@@ -599,6 +608,15 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
                     .equals(UserLevel.NETWORKOPERATOR.toString()));
     }
 
                     .equals(UserLevel.NETWORKOPERATOR.toString()));
     }
 
+    private boolean isContainerRole(String role) {
+        IContainerAuthorization containerAuth = (IContainerAuthorization) ServiceHelper.getGlobalInstance(
+                IContainerAuthorization.class, this);
+        if (containerAuth == null) {
+            return false;
+        }
+        return containerAuth.isApplicationRole(role);
+    }
+
     private boolean isRoleInUse(String role) {
         IUserManager userManager = (IUserManager) ServiceHelper
                 .getGlobalInstance(IUserManager.class, this);
     private boolean isRoleInUse(String role) {
         IUserManager userManager = (IUserManager) ServiceHelper
                 .getGlobalInstance(IUserManager.class, this);