start implementation of implicit rules

bernardodemarco · bernardodemarco · commit 9f38fd3a2aec · 2026-01-20T19:22:04.000-03:00
diff --git a/api/src/main/java/org/apache/cloudstack/acl/APIChecker.java b/api/src/main/java/org/apache/cloudstack/acl/APIChecker.java
@@ -44,4 +44,5 @@ public interface APIChecker extends Adapter {
      */
     List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException;
     boolean isEnabled();
+    List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType);
 }
diff --git a/api/src/main/java/org/apache/cloudstack/acl/RoleService.java b/api/src/main/java/org/apache/cloudstack/acl/RoleService.java
@@ -104,7 +104,7 @@ public interface RoleService {
 
     List<RolePermission> findAllPermissionsBy(Long roleId);
 
-    List<RolePermissionEntity> findAllRolePermissionsEntityBy(Long roleId);
+    List<RolePermissionEntity> findAllRolePermissionsEntityBy(Long roleId, boolean considerImplicitRules);
 
     Permission getRolePermission(String permission);
 
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/RolePermissionBaseVO.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/RolePermissionBaseVO.java
@@ -50,6 +50,12 @@ public class RolePermissionBaseVO implements RolePermissionEntity {
 
     public RolePermissionBaseVO() { this.uuid = UUID.randomUUID().toString(); }
 
+    public RolePermissionBaseVO(final String rule, final Permission permission) {
+        this();
+        this.rule = rule;
+        this.permission = permission;
+    }
+
     public RolePermissionBaseVO(final String rule, final Permission permission, final String description) {
         this();
         this.rule = rule;
diff --git a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
@@ -50,7 +50,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
     private RoleService roleService;
 
     private List<PluggableService> services;
-    private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
+    private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new HashMap<>();
 
     private LazyCache<Long, Account> accountCache;
     private LazyCache<Long, Pair<Role, List<RolePermission>>> rolePermissionsCache;
@@ -59,7 +59,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
     protected DynamicRoleBasedAPIAccessChecker() {
         super();
         for (RoleType roleType : RoleType.values()) {
-            annotationRoleBasedApisMap.put(roleType, new HashSet<String>());
+            annotationRoleBasedApisMap.put(roleType, new HashSet<>());
         }
     }
 
@@ -206,6 +206,14 @@ public List<RolePermissionEntity> defineNewKeypairRules(Role accountRole, ApiKey
         return allPermissions;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return annotationRoleBasedApisMap.get(roleType)
+                .stream()
+                .map(implicitApi -> new RolePermissionBaseVO(implicitApi, Permission.ALLOW))
+                .collect(Collectors.toList());
+    }
+
     /**
      * Only one strategy should be used between StaticRoleBasedAPIAccessChecker and DynamicRoleBasedAPIAccessChecker
      * Default behavior is to use the Dynamic version. The StaticRoleBasedAPIAccessChecker is the legacy version.
diff --git a/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java b/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java
@@ -183,6 +183,11 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
         return true;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     @Override
     public boolean start() {
         return super.start();
diff --git a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -164,6 +164,11 @@ public boolean start() {
         return super.start();
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     private void processMapping(Map<String, String> configMap) {
         for (Map.Entry<String, String> entry : configMap.entrySet()) {
             String apiName = entry.getKey();
diff --git a/plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java b/plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java
@@ -27,6 +27,8 @@
 import net.sf.ehcache.CacheManager;
 
 import org.apache.cloudstack.acl.Role;
+import org.apache.cloudstack.acl.RolePermissionEntity;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.springframework.stereotype.Component;
@@ -208,6 +210,11 @@ public boolean hasApiRateLimitBeenExceeded(Long accountId) {
         return true;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     @Override
     public boolean isEnabled() {
         if (!enabled) {
diff --git a/server/src/main/java/com/cloud/api/ApiServer.java b/server/src/main/java/com/cloud/api/ApiServer.java
@@ -1106,7 +1106,7 @@ public boolean verifyRequest(final Map<String, Object[]> requestParameters, fina
             }
 
             if (!commandAvailable(remoteAddress, commandName, user)) {
-                return false;
+                return false;// remove this one, not required, does not need to check against rules role here
             }
 
             if (keyPair.getRemoved() != null) {
@@ -1140,10 +1140,10 @@ public boolean verifyRequest(final Map<String, Object[]> requestParameters, fina
             }
             CallContext.register(user, account);
 
-            List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());
+            List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());// so deveria pegar as permissions do keypair explicitas ouuuu busca pelas implicitas aqui
 
             if (commandAvailable(remoteAddress, commandName, user, keyPairPermissions.toArray(new ApiKeyPairPermission[0]))) {
-                logger.info(String.format("API accessed through API KeyPair. API Key: [%s]", keyPair.getApiKey()));
+                logger.info("API accessed through API KeyPair. API Key: [{}]", keyPair.getApiKey());
                 return true;
             }
         } catch (final ServerApiException ex) {
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -3486,28 +3486,22 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
     @DB
     private ApiKeyPairVO validateAndPersistKeyPairAndPermissions(Account account, ApiKeyPairVO newApiKeyPair,
                                                                  List<Map<String, Object>> rules, RegisterUserKeysCmd cmd) {
-        // this is only used to determine if we should use api key permissions or account permissions to base our new key on
         String accessingApiKey = getAccessingApiKey(cmd);
         final Role accountRole = roleService.findRole(account.getRoleId());
+        List<RolePermissionEntity> allPermissions = accessingApiKey == null ?
+                roleService.findAllRolePermissionsEntityBy(accountRole.getId(), true) : getAllKeypairPermissions(accessingApiKey);
+        List<RolePermissionEntity> permissions = new ArrayList<>();
 
-        List<RolePermissionEntity> allPermissions = accessingApiKey == null ? getAllAccountRolePermissions(accountRole) : getAllKeypairPermissions(accessingApiKey);
-        List<RolePermissionEntity> permissions;
-        if (CollectionUtils.isEmpty(rules)) {
-            permissions = allPermissions.stream()
-                    .map(permission -> new ApiKeyPairPermissionVO(0, permission.getRule().toString(), permission.getPermission(), permission.getDescription()))
-                    .collect(Collectors.toList());
-        } else {
-            permissions = new ArrayList<>();
-            for (Map<String, Object> ruleDetail : rules) {
-                String rule = ruleDetail.get(ApiConstants.RULE).toString();
-                RolePermission.Permission rulePermission = (RolePermission.Permission) ruleDetail.get(ApiConstants.PERMISSION);
-                String ruleDescription = (String) ruleDetail.get(ApiConstants.DESCRIPTION);
-                permissions.add(new ApiKeyPairPermissionVO(0, rule, rulePermission, ruleDescription));
-            }
-            if (!isApiKeySupersetOfPermission(allPermissions, permissions)) {
-                throw new InvalidParameterValueException(String.format("The keypair being created has a bigger set of permissions than the account [%s] that owns it. This is " +
-                        "not allowed.", account.getUuid()));
-            }
+        for (Map<String, Object> ruleDetail : rules) {
+            String rule = ruleDetail.get(ApiConstants.RULE).toString();
+            RolePermission.Permission rulePermission = (RolePermission.Permission) ruleDetail.get(ApiConstants.PERMISSION);
+            String ruleDescription = (String) ruleDetail.get(ApiConstants.DESCRIPTION);
+            permissions.add(new ApiKeyPairPermissionVO(0, rule, rulePermission, ruleDescription));
+        }
+
+        if (!isApiKeySupersetOfPermission(allPermissions, permissions)) {
+            throw new InvalidParameterValueException(String.format("The keypair being created has a bigger set of permissions than the account [%s] that owns it. This is " +
+                    "not allowed.", account.getUuid()));
         }
 
         ApiKeyPairVO savedApiKeyPair = apiKeyPairDao.persist(newApiKeyPair);
@@ -3519,16 +3513,6 @@ private ApiKeyPairVO validateAndPersistKeyPairAndPermissions(Account account, Ap
         return savedApiKeyPair;
     }
 
-    /**
-     * Gets all account role permissions
-     * @param accountRole base account role of the user.
-     */
-    private List<RolePermissionEntity> getAllAccountRolePermissions(Role accountRole) {
-        List<RolePermission> allAccountRolePermissions = roleService.findAllPermissionsBy(accountRole.getId());
-        return allAccountRolePermissions.stream().map(permission -> (RolePermissionEntity) permission)
-                .collect(Collectors.toList());
-    }
-
     /**
      * Gets all API keypair permissions for the given apiKey
      */
diff --git a/server/src/main/java/org/apache/cloudstack/acl/ApiKeyPairManagerImpl.java b/server/src/main/java/org/apache/cloudstack/acl/ApiKeyPairManagerImpl.java
@@ -18,7 +18,9 @@
 
 import com.cloud.utils.component.ManagerBase;
 
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
 import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
@@ -40,36 +42,39 @@ public class ApiKeyPairManagerImpl extends ManagerBase implements ApiKeyPairServ
 
     @Override
     public List<ApiKeyPairPermission> findAllPermissionsByKeyPairId(Long apiKeyPairId, Long roleId) {
-        List<ApiKeyPairPermissionVO> allPermissions = apiKeyPairPermissionsDao.findAllByKeyPairIdSorted(apiKeyPairId);
-        List<RolePermissionEntity> rolePermissionsEntity = roleService.findAllRolePermissionsEntityBy(roleId);
+        List<ApiKeyPairPermissionVO> keyPairPermissions = apiKeyPairPermissionsDao.findAllByKeyPairIdSorted(apiKeyPairId);
+        List<RolePermissionEntity> rolePermissionsEntity = roleService.findAllRolePermissionsEntityBy(roleId, true);
 
-        if (!CollectionUtils.isEmpty(allPermissions)) {
-            List<RolePermissionEntity> keyPairPermissionsEntity = allPermissions.stream()
-                    .map(p -> (RolePermissionEntity) p).collect(Collectors.toList());
-
-            Map<String, RolePermissionEntity.Permission> rolePermissionInfo = roleService.getRoleRulesAndPermissions(rolePermissionsEntity);
+        if (CollectionUtils.isEmpty(keyPairPermissions)) {
+            return rolePermissionsEntity.stream().map(p -> {
+                ApiKeyPairPermissionVO permission = new ApiKeyPairPermissionVO();
+                permission.setRule(p.getRule().getRuleString());
+                permission.setDescription(p.getDescription());
+                permission.setPermission(p.getPermission());
+                return permission;
+            }).collect(Collectors.toList());
+        }
 
-            if (roleService.roleHasPermission(rolePermissionInfo, keyPairPermissionsEntity)) {
-                return allPermissions.stream().map(p -> (ApiKeyPairPermission) p).collect(Collectors.toList());
-            }
+        List<RolePermissionEntity> keyPairPermissionsEntity = keyPairPermissions.stream()
+                .map(p -> (RolePermissionEntity) p).collect(Collectors.toList());
+        Map<String, RolePermissionEntity.Permission> rolePermissionInfo = roleService.getRoleRulesAndPermissions(rolePermissionsEntity);
+        if (roleService.roleHasPermission(rolePermissionInfo, keyPairPermissionsEntity)) {
+            return keyPairPermissions.stream().map(p -> (ApiKeyPairPermission) p).collect(Collectors.toList());
+        }
 
-            Map<String, RolePermissionEntity.Permission> keyPairPermissionInfo = roleService.getRoleRulesAndPermissions(keyPairPermissionsEntity);
-            if (!roleService.roleHasPermission(keyPairPermissionInfo, rolePermissionsEntity)) {
-                for (RolePermissionEntity rolePermission : keyPairPermissionsEntity) {
-                    if (rolePermission.getPermission() == RolePermissionEntity.Permission.DENY && !rolePermissionsEntity.contains(rolePermission)) {
-                        rolePermissionsEntity.add(0, rolePermission);
-                    }
-                }
+        Set<String> rulesToBeDeniedForTheKeyPair = new HashSet<>();
+        Map<String, RolePermissionEntity.Permission> keyPairPermissionInfo = roleService.getRoleRulesAndPermissions(keyPairPermissionsEntity);
+        for (RolePermissionEntity rolePermission : rolePermissionsEntity) {
+            boolean isPermissionAllowedByTheKeyPair = keyPairPermissionInfo.containsKey(rolePermission.getRule().getRuleString())
+                    && RolePermissionEntity.Permission.ALLOW == keyPairPermissionInfo.get(rolePermission.getRule().getRuleString());
+            if (rolePermission.getPermission() == RolePermissionEntity.Permission.DENY && isPermissionAllowedByTheKeyPair) {
+                rulesToBeDeniedForTheKeyPair.add(rolePermission.getRule().getRuleString());
             }
         }
-
-        return rolePermissionsEntity.stream().map(p -> {
-            ApiKeyPairPermissionVO permission = new ApiKeyPairPermissionVO();
-            permission.setRule(p.getRule().getRuleString());
-            permission.setDescription(p.getDescription());
-            permission.setPermission(p.getPermission());
-            return permission;
-        }).collect(Collectors.toList());
+        return keyPairPermissions.stream()
+                .map(permission -> (ApiKeyPairPermission) permission)
+                .filter(permission -> !rulesToBeDeniedForTheKeyPair.contains(permission.getRule().getRuleString()))
+                .collect(Collectors.toList());
     }
 
     @Override
diff --git a/server/src/main/java/org/apache/cloudstack/acl/RoleManagerImpl.java b/server/src/main/java/org/apache/cloudstack/acl/RoleManagerImpl.java
@@ -21,6 +21,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -75,6 +76,7 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
     private RolePermissionsDao rolePermissionsDao;
     @Inject
     private AccountManager accountManager;
+    private List<APIChecker> apiAccessCheckers;
 
     public void checkCallerAccess() {
         if (!isEnabled()) {
@@ -456,14 +458,14 @@ public int removeRolesIfNeeded(List<? extends Role> roles) {
         }
 
         Long callerRoleId = getCurrentAccount().getRoleId();
-        Map<String, Permission> callerRolePermissions = getRoleRulesAndPermissions(findAllRolePermissionsEntityBy(callerRoleId));
+        Map<String, Permission> callerRolePermissions = getRoleRulesAndPermissions(findAllRolePermissionsEntityBy(callerRoleId, false));
 
         int count = 0;
         Iterator<? extends Role> rolesIterator = roles.iterator();
         while (rolesIterator.hasNext()) {
             Role role = rolesIterator.next();
 
-            if (role.getId() == callerRoleId || roleHasPermission(callerRolePermissions, findAllRolePermissionsEntityBy(role.getId()))) {
+            if (role.getId() == callerRoleId || roleHasPermission(callerRolePermissions, findAllRolePermissionsEntityBy(role.getId(), false))) {
                 continue;
             }
 
@@ -567,12 +569,33 @@ public List<RolePermission> findAllPermissionsBy(final Long roleId) {
     }
 
     @Override
-    public List<RolePermissionEntity> findAllRolePermissionsEntityBy(final Long roleId) {
-        List<? extends RolePermissionEntity> permissions = rolePermissionsDao.findAllByRoleIdSorted(roleId);
-        if (permissions != null) {
-            return new ArrayList<>(permissions);
+    public List<RolePermissionEntity> findAllRolePermissionsEntityBy(final Long roleId, final boolean considerImplicitRules) {
+        Map<String, RolePermissionEntity> permissions = new LinkedHashMap<>();
+        if (considerImplicitRules) {
+            getImplicitRolePermissions(roleId).forEach(
+                    permission -> permissions.put(permission.getRule().toString(), permission)
+            );
         }
-        return Collections.emptyList();
+        rolePermissionsDao.findAllByRoleIdSorted(roleId).forEach(
+            permission -> permissions.put(permission.getRule().toString(), permission)
+        );
+        return new ArrayList<>(permissions.values());
+    }
+
+    private List<RolePermissionEntity> getImplicitRolePermissions(Long roleId) {
+        Role role = roleDao.findById(roleId);
+        if (role == null) {
+            return List.of();
+        }
+
+        for (APIChecker apiChecker : apiAccessCheckers) {
+            List<RolePermissionEntity> implicitPermissions = apiChecker.getImplicitRolePermissions(role.getRoleType());
+            if (apiChecker.isEnabled() && !CollectionUtils.isEmpty(implicitPermissions)) {
+                return implicitPermissions;
+            }
+        }
+
+        return List.of();
     }
 
     private boolean isCallerRootAdmin() {
@@ -617,4 +640,9 @@ public List<Class<?>> getCommands() {
         cmdList.add(DisableRoleCmd.class);
         return cmdList;
     }
+
+    @Inject
+    public void setApiAccessCheckers(List<APIChecker> apiAccessCheckers) {
+        this.apiAccessCheckers = apiAccessCheckers;
+    }
 }
diff --git a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -37,7 +37,9 @@
                   value="#{pluggableAPIAuthenticatorsRegistry.registered}" />
     </bean>
 
-    <bean id="roleManagerImpl" class="org.apache.cloudstack.acl.RoleManagerImpl" />
+    <bean id="roleManagerImpl" class="org.apache.cloudstack.acl.RoleManagerImpl">
+        <property name="apiAccessCheckers" value="#{apiAclCheckersRegistry.registered}" />
+    </bean>
 
     <bean id="projRoleManagerImpl" class="org.apache.cloudstack.acl.ProjectRoleManagerImpl" />
 
diff --git a/server/src/test/java/org/apache/cloudstack/acl/RoleManagerImplTest.java b/server/src/test/java/org/apache/cloudstack/acl/RoleManagerImplTest.java
@@ -233,10 +233,10 @@ public void removeRolesIfNeededTestRoleWithLessPermissionsRemoveRoles() {
         List<Role> roles = new ArrayList<>();
 
         List<RolePermissionEntity> callerAccountRolePermissions = Collections.singletonList(rolePermission1Mock);
-        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(callerAccountRoleMock.getId())).thenReturn(callerAccountRolePermissions);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(callerAccountRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions);
 
         List<RolePermissionEntity> callerAccountRolePermissions2 = Collections.singletonList(rolePermission2Mock);
-        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(morePermissionsRoleMock.getId())).thenReturn(callerAccountRolePermissions2);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(morePermissionsRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions2);
 
         roles.add(callerAccountRoleMock);
         roles.add(morePermissionsRoleMock);
@@ -253,10 +253,10 @@ public void removeRolesIfNeededTestRoleWithDifferentPermissionsRemoveRoles() {
         List<Role> roles = new ArrayList<>();
 
         List<RolePermissionEntity> callerAccountRolePermissions = Collections.singletonList(rolePermission1Mock);
-        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(callerAccountRoleMock.getId())).thenReturn(callerAccountRolePermissions);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(callerAccountRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions);
 
         List<RolePermissionEntity> callerAccountRolePermissions3 = Collections.singletonList(rolePermission2Mock);
-        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(differentPermissionsRoleMock.getId())).thenReturn(callerAccountRolePermissions3);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(differentPermissionsRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions3);
 
         roles.add(callerAccountRoleMock);
         roles.add(differentPermissionsRoleMock);

Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,5 @@ public interface APIChecker extends Adapter {`
`44`	`44`	`*/`
`45`	`45`	`List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException;`
`46`	`46`	`boolean isEnabled();`
	`47`	`+ List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType);`
`47`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1106,7 +1106,7 @@ public boolean verifyRequest(final Map<String, Object[]> requestParameters, fina`
`1106`	`1106`	`}`
`1107`	`1107`
`1108`	`1108`	`if (!commandAvailable(remoteAddress, commandName, user)) {`
`1109`		`- return false;`
	`1109`	`+ return false;// remove this one, not required, does not need to check against rules role here`
`1110`	`1110`	`}`
`1111`	`1111`
`1112`	`1112`	`if (keyPair.getRemoved() != null) {`
`@@ -1140,10 +1140,10 @@ public boolean verifyRequest(final Map<String, Object[]> requestParameters, fina`
`1140`	`1140`	`}`
`1141`	`1141`	`CallContext.register(user, account);`
`1142`	`1142`
`1143`		`- List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());`
	`1143`	`+ List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());// so deveria pegar as permissions do keypair explicitas ouuuu busca pelas implicitas aqui`
`1144`	`1144`
`1145`	`1145`	`if (commandAvailable(remoteAddress, commandName, user, keyPairPermissions.toArray(new ApiKeyPairPermission[0]))) {`
`1146`		`- logger.info(String.format("API accessed through API KeyPair. API Key: [%s]", keyPair.getApiKey()));`
	`1146`	`+ logger.info("API accessed through API KeyPair. API Key: [{}]", keyPair.getApiKey());`
`1147`	`1147`	`return true;`
`1148`	`1148`	`}`
`1149`	`1149`	`} catch (final ServerApiException ex) {`