// Copyright 2019 Yunion // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package models import ( "context" "database/sql" "fmt" "time" "yunion.io/x/jsonutils" "yunion.io/x/log" "yunion.io/x/pkg/errors" "yunion.io/x/pkg/gotypes" "yunion.io/x/pkg/tristate" "yunion.io/x/pkg/util/netutils" "yunion.io/x/pkg/util/rbacscope" "yunion.io/x/sqlchemy" "yunion.io/x/onecloud/pkg/apis" api "yunion.io/x/onecloud/pkg/apis/identity" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/quotas" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/keystone/locale" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/util/stringutils2" ) type SRoleManager struct { SIdentityBaseResourceManager db.SSharableBaseResourceManager } var RoleManager *SRoleManager func init() { RoleManager = &SRoleManager{ SIdentityBaseResourceManager: NewIdentityBaseResourceManager( SRole{}, "role", "role", "roles", ), } RoleManager.SetVirtualObject(RoleManager) } /* +------------+--------------+------+-----+----------+-------+ | Field | Type | Null | Key | Default | Extra | +------------+--------------+------+-----+----------+-------+ | id | varchar(64) | NO | PRI | NULL | | | name | varchar(255) | NO | MUL | NULL | | | extra | text | YES | | NULL | | | domain_id | varchar(64) | NO | | <> | | | created_at | datetime | YES | | NULL | | +------------+--------------+------+-----+----------+-------+ */ type SRole struct { SIdentityBaseResource `"name->update":""` db.SSharableBaseResource `"is_public->create":"domain_optional" "public_scope->create":"domain_optional"` } func (manager *SRoleManager) GetContextManagers() [][]db.IModelManager { return [][]db.IModelManager{ {ProjectManager, UserManager}, {ProjectManager, GroupManager}, } } const ( ROLE_DEFAULT_DOMAIN_ID = "<>" ) func (manager *SRoleManager) InitializeData() error { q := manager.Query() q = q.IsNull("description").IsNotNull("extra") roles := make([]SRole, 0) err := db.FetchModelObjects(manager, q, &roles) if err != nil { return errors.Wrap(err, "query") } for i := range roles { if gotypes.IsNil(roles[i].Extra) { continue } desc, _ := roles[i].Extra.GetString("description") _, err = db.Update(&roles[i], func() error { roles[i].Description = desc return nil }) if err != nil { return errors.Wrap(err, "update description") } } err = manager.initializeDomainId() if err != nil { return errors.Wrap(err, "InitializeDomainId") } err = manager.initSysRole(context.TODO()) if err != nil { return errors.Wrap(err, "initSysRole") } return nil } func (manager *SRoleManager) initializeDomainId() error { q := manager.Query().Equals("domain_id", ROLE_DEFAULT_DOMAIN_ID) roles := make([]SRole, 0) err := db.FetchModelObjects(manager, q, &roles) if err != nil { return err } for i := range roles { db.Update(&roles[i], func() error { roles[i].DomainId = api.DEFAULT_DOMAIN_ID return nil }) } return nil } func (manager *SRoleManager) initSysRole(ctx context.Context) error { q := manager.Query().Equals("name", api.SystemAdminRole) q = q.Equals("domain_id", api.DEFAULT_DOMAIN_ID) cnt, err := q.CountWithError() if err != nil { return errors.Wrap(err, "query") } if cnt == 1 { return nil } if cnt > 2 { // ??? log.Fatalf("duplicate system role???") } // insert role := SRole{} role.Name = api.SystemAdminRole role.IsPublic = true role.PublicScope = string(rbacscope.ScopeSystem) role.DomainId = api.DEFAULT_DOMAIN_ID role.Description = "Boostrap system default admin role" role.SetModelManager(manager, &role) err = manager.TableSpec().Insert(ctx, &role) if err != nil { return errors.Wrap(err, "insert") } return nil } func (role *SRole) GetUserCount() (int, error) { q := AssignmentManager.fetchRoleUserIdsQuery(role.Id) return q.CountWithError() } func (role *SRole) GetGroupCount() (int, error) { q := AssignmentManager.fetchRoleGroupIdsQuery(role.Id) return q.CountWithError() } func (role *SRole) GetProjectCount() (int, error) { q := AssignmentManager.fetchRoleProjectIdsQuery(role.Id) return q.CountWithError() } func (role *SRole) ValidateUpdateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.RoleUpdateInput) (api.RoleUpdateInput, error) { if len(input.Name) > 0 { return input, httperrors.NewForbiddenError("cannot alter name of role") } var err error input.IdentityBaseUpdateInput, err = role.SIdentityBaseResource.ValidateUpdateData(ctx, userCred, query, input.IdentityBaseUpdateInput) if err != nil { return input, errors.Wrap(err, "SIdentityBaseResource.ValidateUpdateData") } return input, nil } func (role *SRole) IsSystemRole() bool { return role.Name == api.SystemAdminRole && role.DomainId == api.DEFAULT_DOMAIN_ID } func (role *SRole) ValidateDeleteCondition(ctx context.Context, info jsonutils.JSONObject) error { // if role.IsShared() { // return httperrors.NewInvalidStatusError("cannot delete shared role") // } if role.IsSystemRole() { return httperrors.NewForbiddenError("cannot delete system role") } usrCnt, _ := role.GetUserCount() if usrCnt > 0 { return httperrors.NewNotEmptyError("role is being assigned to user") } grpCnt, _ := role.GetGroupCount() if grpCnt > 0 { return httperrors.NewNotEmptyError("role is being assigned to group") } rps, err := RolePolicyManager.fetchByRoleId(role.Id) if err != nil { return errors.Wrap(err, "FetchByRoleId") } if len(rps) > 0 { return httperrors.NewNotEmptyError("role is in associated with %d policies", len(rps)) } return role.SIdentityBaseResource.ValidateDeleteCondition(ctx, nil) } func (manager *SRoleManager) FetchCustomizeColumns( ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, objs []interface{}, fields stringutils2.SSortedStrings, isList bool, ) []api.RoleDetails { rows := make([]api.RoleDetails, len(objs)) identRows := manager.SIdentityBaseResourceManager.FetchCustomizeColumns(ctx, userCred, query, objs, fields, isList) shareRows := manager.SSharableBaseResourceManager.FetchCustomizeColumns(ctx, userCred, query, objs, fields, isList) for i := range rows { rows[i] = api.RoleDetails{ IdentityBaseResourceDetails: identRows[i], SharableResourceBaseInfo: shareRows[i], } role := objs[i].(*SRole) rows[i].UserCount, _ = role.GetUserCount() rows[i].GroupCount, _ = role.GetGroupCount() rows[i].ProjectCount, _ = role.GetProjectCount() names, _, _ := RolePolicyManager.GetMatchPolicyGroup2(false, []string{role.Id}, "", "", time.Time{}, true) rows[i].Policies = names mp := make([]string, 0) for _, v := range names { mp = append(mp, v...) } rows[i].MatchPolicies = mp } return rows } // 角色列表 func (manager *SRoleManager) ListItemFilter( ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query api.RoleListInput, ) (*sqlchemy.SQuery, error) { var err error q, err = manager.SIdentityBaseResourceManager.ListItemFilter(ctx, q, userCred, query.IdentityBaseResourceListInput) if err != nil { return nil, errors.Wrap(err, "SIdentityBaseResourceManager.ListItemFilter") } q, err = manager.SSharableBaseResourceManager.ListItemFilter(ctx, q, userCred, query.SharableResourceBaseListInput) if err != nil { return nil, errors.Wrap(err, "SSharableBaseResourceManager.ListItemFilter") } var projectId string projectStr := query.ProjectId if len(projectStr) > 0 { project, err := ProjectManager.FetchProjectById(projectStr) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(ProjectManager.Keyword(), projectStr) } else { return nil, httperrors.NewGeneralError(err) } } projectId = project.Id } userStr := query.UserId if len(projectId) > 0 && len(userStr) > 0 { userObj, err := UserManager.FetchById(userStr) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(UserManager.Keyword(), userStr) } else { return nil, httperrors.NewGeneralError(err) } } subq := AssignmentManager.fetchUserProjectRoleIdsQuery(userObj.GetId(), projectId) q = q.In("id", subq.SubQuery()) } groupStr := query.GroupId if len(projectId) > 0 && len(groupStr) > 0 { groupObj, err := GroupManager.FetchById(groupStr) if err != nil { if err == sql.ErrNoRows { return nil, httperrors.NewResourceNotFoundError2(GroupManager.Keyword(), groupStr) } else { return nil, httperrors.NewGeneralError(err) } } subq := AssignmentManager.fetchGroupProjectRoleIdsQuery(groupObj.GetId(), projectId) q = q.In("id", subq.SubQuery()) } return q, nil } func (manager *SRoleManager) OrderByExtraFields( ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query api.RoleListInput, ) (*sqlchemy.SQuery, error) { var err error q, err = manager.SIdentityBaseResourceManager.OrderByExtraFields(ctx, q, userCred, query.IdentityBaseResourceListInput) if err != nil { return nil, errors.Wrap(err, "SIdentityBaseResourceManager.OrderByExtraFields") } return q, nil } func (manager *SRoleManager) QueryDistinctExtraField(q *sqlchemy.SQuery, field string) (*sqlchemy.SQuery, error) { var err error q, err = manager.SIdentityBaseResourceManager.QueryDistinctExtraField(q, field) if err == nil { return q, nil } return q, httperrors.ErrNotFound } func (role *SRole) UpdateInContext(ctx context.Context, userCred mcclient.TokenCredential, ctxObjs []db.IModel, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { if len(ctxObjs) != 2 { return nil, httperrors.NewInputParameterError("not supported update context") } project, ok := ctxObjs[0].(*SProject) if !ok { return nil, httperrors.NewInputParameterError("not supported update context %s", ctxObjs[0].Keyword()) } if project.DomainId != role.DomainId { projectOwner := &db.SOwnerId{ ProjectId: project.Id, DomainId: project.DomainId, } if !role.IsSharable(projectOwner) { return nil, httperrors.NewInputParameterError("inconsistent domain for project and roles") } } err := validateJoinProject(userCred, project, []string{role.Id}) if err != nil { return nil, errors.Wrap(err, "validateJoinProject") } switch obj := ctxObjs[1].(type) { case *SUser: return nil, AssignmentManager.ProjectAddUser(ctx, userCred, project, obj, role) case *SGroup: return nil, AssignmentManager.projectAddGroup(ctx, userCred, project, obj, role) default: return nil, httperrors.NewInputParameterError("not supported secondary update context %s", ctxObjs[0].Keyword()) } } func (role *SRole) DeleteInContext(ctx context.Context, userCred mcclient.TokenCredential, ctxObjs []db.IModel, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { if len(ctxObjs) != 2 { return nil, httperrors.NewInputParameterError("not supported update context") } project, ok := ctxObjs[0].(*SProject) if !ok { return nil, httperrors.NewInputParameterError("not supported update context %s", ctxObjs[0].Keyword()) } switch obj := ctxObjs[1].(type) { case *SUser: return nil, AssignmentManager.projectRemoveUser(ctx, userCred, project, obj, role) case *SGroup: return nil, AssignmentManager.projectRemoveGroup(ctx, userCred, project, obj, role) default: return nil, httperrors.NewInputParameterError("not supported secondary update context %s", ctxObjs[0].Keyword()) } } func (manager *SRoleManager) FetchRoleByName(roleName string, domainId, domainName string) (*SRole, error) { obj, err := db.NewModelObject(manager) if err != nil { return nil, err } domain, err := DomainManager.FetchDomain(domainId, domainName) if err != nil { return nil, err } q := manager.Query().Equals("name", roleName).Equals("domain_id", domain.Id) err = q.First(obj) if err != nil { return nil, err } return obj.(*SRole), err } func (manager *SRoleManager) FetchRoleById(roleId string) (*SRole, error) { obj, err := db.NewModelObject(manager) if err != nil { return nil, err } q := manager.Query().Equals("id", roleId) err = q.First(obj) if err != nil { return nil, err } return obj.(*SRole), err } func (manager *SRoleManager) FetchRole(roleId, roleName string, domainId, domainName string) (*SRole, error) { if len(roleId) > 0 { return manager.FetchRoleById(roleId) } if len(roleName) > 0 { return manager.FetchRoleByName(roleName, domainId, domainName) } return nil, fmt.Errorf("no role Id or name provided") } func (role *SRole) IsShared() bool { return db.SharableModelIsShared(role) } func (role *SRole) IsSharable(reqUsrId mcclient.IIdentityProvider) bool { return db.SharableModelIsSharable(role, reqUsrId) } func (role *SRole) PerformPublic(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input apis.PerformPublicDomainInput) (jsonutils.JSONObject, error) { err := db.SharablePerformPublic(role, ctx, userCred, apis.PerformPublicProjectInput{PerformPublicDomainInput: input}) if err != nil { return nil, errors.Wrap(err, "SharablePerformPublic") } return nil, nil } func (role *SRole) PerformPrivate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input apis.PerformPrivateInput) (jsonutils.JSONObject, error) { err := db.SharablePerformPrivate(role, ctx, userCred) if err != nil { return nil, errors.Wrap(err, "SharablePerformPrivate") } return nil, nil } func (role *SRole) CustomizeCreate(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data jsonutils.JSONObject) error { db.SharableModelCustomizeCreate(role, ctx, userCred, ownerId, query, data) return role.SIdentityBaseResource.CustomizeCreate(ctx, userCred, ownerId, query, data) } func (role *SRole) Delete(ctx context.Context, userCred mcclient.TokenCredential) error { db.SharedResourceManager.CleanModelShares(ctx, userCred, role) return role.SIdentityBaseResource.RealDelete(ctx, userCred) } func (manager *SRoleManager) ValidateCreateData( ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, input api.RoleCreateInput, ) (api.RoleCreateInput, error) { err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId()) if err != nil { return input, errors.Wrap(err, "ValidateCreateDomainId") } input.IdentityBaseResourceCreateInput, err = manager.SIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, input.IdentityBaseResourceCreateInput) if err != nil { return input, errors.Wrap(err, "SIdentityBaseResourceManager.ValidateCreateData") } input.SharableResourceBaseCreateInput, err = db.SharableManagerValidateCreateData(manager, ctx, userCred, ownerId, query, input.SharableResourceBaseCreateInput) if err != nil { return input, errors.Wrap(err, "SharableManagerValidateCreateData") } quota := &SIdentityQuota{ SBaseDomainQuotaKeys: quotas.SBaseDomainQuotaKeys{DomainId: ownerId.GetProjectDomainId()}, Role: 1, } err = quotas.CheckSetPendingQuota(ctx, userCred, quota) if err != nil { return input, errors.Wrap(err, "CheckSetPendingQuota") } return input, nil } func (role *SRole) GetUsages() []db.IUsage { if role.Deleted { return nil } usage := SIdentityQuota{Role: 1} usage.SetKeys(quotas.SBaseDomainQuotaKeys{DomainId: role.DomainId}) return []db.IUsage{ &usage, } } func (role *SRole) PostCreate( ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data jsonutils.JSONObject, ) { role.SIdentityBaseResource.PostCreate(ctx, userCred, ownerId, query, data) quota := &SIdentityQuota{ SBaseDomainQuotaKeys: quotas.SBaseDomainQuotaKeys{DomainId: ownerId.GetProjectDomainId()}, Role: 1, } err := quotas.CancelPendingUsage(ctx, userCred, quota, quota, true) if err != nil { log.Errorf("CancelPendingUsage fail %s", err) } } func (manager *SRoleManager) FilterByOwner(ctx context.Context, q *sqlchemy.SQuery, man db.FilterByOwnerProvider, userCred mcclient.TokenCredential, owner mcclient.IIdentityProvider, scope rbacscope.TRbacScope) *sqlchemy.SQuery { return db.SharableManagerFilterByOwner(ctx, manager, q, userCred, owner, scope) } func (role *SRole) GetSharableTargetDomainIds() []string { return nil } func (role *SRole) GetRequiredSharedDomainIds() []string { return []string{role.DomainId} } func (role *SRole) GetSharedDomains() []string { return db.SharableGetSharedProjects(role, db.SharedTargetDomain) } func validateRolePolicies(userCred mcclient.TokenCredential, policyIds []string) error { _, assignPolicies, err := RolePolicyManager.GetPolicyGroupByIds(policyIds, false) if err != nil { return errors.Wrapf(err, "RolePolicyManager.GetPolicyGroupByIds %s", policyIds) } return validateAssignPolicies(userCred, "", assignPolicies) } func (role *SRole) PerformSetPolicies(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.RolePerformSetPoliciesInput) (jsonutils.JSONObject, error) { if len(input.Action) == 0 { input.Action = api.ROLE_SET_POLICY_ACTION_DEFAULT } inputPolicyIds := stringutils2.NewSortedStrings(nil) normalInputIds := stringutils2.NewSortedStrings(nil) normalInputs := make(map[string]sRolePerformAddPolicyInput, len(input.Policies)) for i := range input.Policies { normalInput, err := role.normalizeRoleAddPolicyInput(ctx, userCred, input.Policies[i]) if err != nil { return nil, errors.Wrapf(err, "normalizeRoleAddPolicyInput at %d", i) } inputPolicyIds = stringutils2.Append(inputPolicyIds, normalInput.policyId) idstr := normalInput.getId() if _, ok := normalInputs[idstr]; !ok { normalInputs[idstr] = normalInput normalInputIds = stringutils2.Append(normalInputIds, idstr) } else { log.Warningf("duplicate input key id %s", idstr) } } existRpList, err := RolePolicyManager.fetchByRoleId(role.Id) if err != nil { return nil, errors.Wrap(err, "RolePolicyManager.fetchByRoleId") } existPolicyIds := stringutils2.NewSortedStrings(nil) existRpIds := stringutils2.NewSortedStrings(nil) existRpMap := make(map[string]*SRolePolicy) for i := range existRpList { existPolicyIds = stringutils2.Append(existPolicyIds, existRpList[i].PolicyId) idstr := existRpList[i].GetId() if _, ok := existRpMap[idstr]; !ok { existRpMap[idstr] = &existRpList[i] existRpIds = stringutils2.Append(existRpIds, idstr) } } addedIds, updatedIds, deletedIds := stringutils2.Split(normalInputIds, existRpIds) isBootStrap, err := RolePolicyManager.isBootstrapRolePolicy() if !isBootStrap { // validate var newPolicyIds []string if input.Action == api.ROLE_SET_POLICY_ACTION_REPLACE { newPolicyIds = inputPolicyIds } else { newPolicyIds = stringutils2.Append(newPolicyIds, inputPolicyIds...) newPolicyIds = stringutils2.Append(newPolicyIds, existPolicyIds...) } err = validateRolePolicies(userCred, newPolicyIds) if err != nil { return nil, errors.Wrap(err, "validateRolePolicies") } } if input.Action == api.ROLE_SET_POLICY_ACTION_REPLACE { for _, idstr := range deletedIds { toDel := existRpMap[idstr] err := RolePolicyManager.deleteRecord(ctx, toDel.RoleId, toDel.ProjectId, toDel.PolicyId) if err != nil { return nil, errors.Wrap(err, "RolePolicyManager.deleteRecord") } } } for _, idstr := range updatedIds { toUpdate := normalInputs[idstr] err := RolePolicyManager.newRecord(ctx, toUpdate.roleId, toUpdate.projectId, toUpdate.policyId, tristate.True, toUpdate.prefixes, toUpdate.validSince, toUpdate.validUntil) if err != nil { return nil, errors.Wrap(err, "RolePolicyManager.updateRecord") } } for _, idstr := range addedIds { toAdd := normalInputs[idstr] err := RolePolicyManager.newRecord(ctx, toAdd.roleId, toAdd.projectId, toAdd.policyId, tristate.True, toAdd.prefixes, toAdd.validSince, toAdd.validUntil) if err != nil { return nil, errors.Wrap(err, "RolePolicyManager.newRecord") } } return nil, nil } type sRolePerformAddPolicyInput struct { prefixes []netutils.IPV4Prefix roleId string projectId string policyId string validSince time.Time validUntil time.Time } func (s sRolePerformAddPolicyInput) getId() string { return fmt.Sprintf("%s:%s:%s", s.roleId, s.projectId, s.policyId) } func (role *SRole) normalizeRoleAddPolicyInput(ctx context.Context, userCred mcclient.TokenCredential, input api.RolePerformAddPolicyInput) (sRolePerformAddPolicyInput, error) { output := sRolePerformAddPolicyInput{} prefList := make([]netutils.IPV4Prefix, 0) for _, ipStr := range input.Ips { pref, err := netutils.NewIPV4Prefix(ipStr) if err != nil { return output, errors.Wrapf(httperrors.ErrInputParameter, "invalid prefix %s", ipStr) } prefList = append(prefList, pref) } if len(input.ProjectId) > 0 { proj, err := ProjectManager.FetchByIdOrName(ctx, userCred, input.ProjectId) if err != nil { if errors.Cause(err) == sql.ErrNoRows { return output, errors.Wrapf(httperrors.ErrNotFound, "%s %s", ProjectManager.Keyword(), input.ProjectId) } else { return output, errors.Wrap(err, "ProjectManager.FetchByIdOrName") } } output.projectId = proj.GetId() } if len(input.PolicyId) == 0 { return output, errors.Wrap(httperrors.ErrInputParameter, "missing policy_id") } policy, err := PolicyManager.FetchByIdOrName(ctx, userCred, input.PolicyId) if err != nil { if errors.Cause(err) == sql.ErrNoRows { return output, errors.Wrapf(httperrors.ErrNotFound, "%s %s", PolicyManager.Keyword(), input.PolicyId) } else { return output, errors.Wrap(err, "PolicyManager.FetchByIdOrName") } } output.roleId = role.Id output.prefixes = prefList output.policyId = policy.GetId() output.validSince = input.ValidSince output.validUntil = input.ValidUntil return output, nil } func (role *SRole) PerformAddPolicy(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.RolePerformAddPolicyInput) (jsonutils.JSONObject, error) { normalInput, err := role.normalizeRoleAddPolicyInput(ctx, userCred, input) if err != nil { return nil, errors.Wrap(err, "normalizeRoleAddPolicyInput") } isBootStrap, err := RolePolicyManager.isBootstrapRolePolicy() if !isBootStrap { // validate rps, err := RolePolicyManager.fetchByRoleId(role.Id) if err != nil { return nil, errors.Wrap(err, "fetchByRoleId") } newPolicyIds := stringutils2.NewSortedStrings(nil) for i := range rps { newPolicyIds = stringutils2.Append(newPolicyIds, rps[i].PolicyId) } newPolicyIds = stringutils2.Append(newPolicyIds, normalInput.policyId) err = validateRolePolicies(userCred, newPolicyIds) if err != nil { return nil, errors.Wrap(err, "validateRolePolicies") } } err = RolePolicyManager.newRecord(ctx, normalInput.roleId, normalInput.projectId, normalInput.policyId, tristate.True, normalInput.prefixes, normalInput.validSince, normalInput.validUntil) if err != nil { return nil, errors.Wrap(err, "newRecord") } return nil, nil } func (role *SRole) PerformRemovePolicy(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.RolePerformRemovePolicyInput) (jsonutils.JSONObject, error) { if len(input.ProjectId) > 0 { proj, err := ProjectManager.FetchByIdOrName(ctx, userCred, input.ProjectId) if err != nil { if errors.Cause(err) == sql.ErrNoRows { return nil, errors.Wrapf(httperrors.ErrNotFound, "%s %s", ProjectManager.Keyword(), input.ProjectId) } else { return nil, errors.Wrap(err, "ProjectManager.FetchByIdOrName") } } input.ProjectId = proj.GetId() } if len(input.PolicyId) == 0 { return nil, errors.Wrap(httperrors.ErrInputParameter, "missing policy_id") } policy, err := PolicyManager.FetchByIdOrName(ctx, userCred, input.PolicyId) if err != nil { if errors.Cause(err) == sql.ErrNoRows { return nil, errors.Wrapf(httperrors.ErrNotFound, "%s %s", PolicyManager.Keyword(), input.PolicyId) } else { return nil, errors.Wrap(err, "PolicyManager.FetchByIdOrName") } } err = RolePolicyManager.deleteRecord(ctx, role.Id, input.ProjectId, policy.GetId()) if err != nil { return nil, errors.Wrap(err, "deleteRecord") } return nil, nil } func (role *SRole) GetChangeOwnerCandidateDomainIds() []string { return db.ISharableChangeOwnerCandidateDomainIds(role) } func (role *SRole) GetI18N(ctx context.Context) *jsonutils.JSONDict { r := jsonutils.NewDict() act18 := locale.PredefinedRoleI18nTable.Lookup(ctx, role.Description) r.Set("description", jsonutils.NewString(act18)) return r }