Merge pull request 'Fix scope attaching issue' (#247) from tcdlpds/device-mgt-core:master into master

Reviewed-on: community/device-mgt-core#247
Inosh Perara 1 year ago
commit db80546a5a

@ -30,7 +30,6 @@ import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.base.MultitenantConstants; import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.ErrorResponse; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.ErrorResponse;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleInfo; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleInfo;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleList; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleList;
@ -40,9 +39,6 @@ import io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl.util.RequestV
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.DeviceMgtAPIUtils; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.DeviceMgtAPIUtils;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.SetReferenceTransformer; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.SetReferenceTransformer;
import org.wso2.carbon.registry.api.Registry;
import org.wso2.carbon.registry.core.session.UserRegistry;
import org.wso2.carbon.registry.resource.services.utils.ChangeRolePermissionsUtil;
import org.wso2.carbon.user.api.*; import org.wso2.carbon.user.api.*;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager; import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.constants.UserCoreErrorConstants.ErrorMessages; import org.wso2.carbon.user.core.constants.UserCoreErrorConstants.ErrorMessages;
@ -57,9 +53,11 @@ import java.io.UnsupportedEncodingException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.net.URLEncoder; import java.net.URLEncoder;
import java.util.*; import java.util.ArrayList;
import java.util.concurrent.ExecutorService; import java.util.Arrays;
import java.util.concurrent.Executors; import java.util.HashSet;
import java.util.List;
import java.util.Set;
import static io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants.PRIMARY_USER_STORE; import static io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants.PRIMARY_USER_STORE;
@ -404,25 +402,9 @@ public class RoleManagementServiceImpl implements RoleManagementService {
userStoreManager.addRole(roleInfo.getRoleName(), roleInfo.getUsers(), permissions); userStoreManager.addRole(roleInfo.getRoleName(), roleInfo.getUsers(), permissions);
try { try {
if (roleInfo.getPermissions() != null && roleInfo.getPermissions().length > 0) { if (roleInfo.getPermissions() != null && roleInfo.getPermissions().length > 0) {
String finalRoleName = roleInfo.getRoleName(); String[] roleName = roleInfo.getRoleName().split("/");
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true); addPermissions(roleName[roleName.length - 1], roleInfo.getPermissions(),
final UserRealm userRealm = DeviceMgtAPIUtils.getUserRealm(); DeviceMgtAPIUtils.getUserRealm());
Thread thread = new Thread(new Runnable() {
@Override
public void run() {
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleInfo.getRoleName(),
RoleManagementServiceImpl.this.getPlatformUIPermissions(finalRoleName, userRealm, roleInfo.getPermissions()));
} catch (APIManagerPublisherException | UserAdminException e) {
log.error("Error Occurred while updating role scope mapping. ", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
});
thread.start();
} }
} catch (UserStoreException e) { } catch (UserStoreException e) {
String msg = "Error occurred while loading the user store."; String msg = "Error occurred while loading the user store.";
@ -563,24 +545,8 @@ public class RoleManagementServiceImpl implements RoleManagementService {
} }
if (roleInfo.getPermissions() != null) { if (roleInfo.getPermissions() != null) {
String finalRoleName = roleName; String[] roleDetails = roleName.split("/");
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true); addPermissions(roleDetails[roleDetails.length - 1], roleInfo.getPermissions(), userRealm);
Thread thread = new Thread(new Runnable() {
@Override
public void run() {
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleInfo.getRoleName(),
RoleManagementServiceImpl.this.getPlatformUIPermissions(finalRoleName, userRealm, roleInfo.getPermissions()));
} catch (APIManagerPublisherException | UserAdminException e) {
log.error("Error Occurred while updating role scope mapping. ", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
});
thread.start();
} }
//TODO: Need to send the updated role information in the entity back to the client //TODO: Need to send the updated role information in the entity back to the client
return Response.status(Response.Status.OK).entity("Role '" + roleInfo.getRoleName() + "' has " + return Response.status(Response.Status.OK).entity("Role '" + roleInfo.getRoleName() + "' has " +
@ -730,4 +696,25 @@ public class RoleManagementServiceImpl implements RoleManagementService {
} }
return rolePermissions; return rolePermissions;
} }
private void addPermissions(String roleName, String[] permissions, UserRealm userRealm) {
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
Thread thread = new Thread(new Runnable() {
@Override
public void run() {
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleName,
RoleManagementServiceImpl.this.getPlatformUIPermissions(roleName, userRealm,
permissions));
} catch (APIManagerPublisherException | UserAdminException e) {
log.error("Error Occurred while updating role scope mapping. ", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
});
thread.start();
}
} }
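Review bot: The new `addPermissions` helper still runs `updateScopeRoleMapping` on a fire-and-forget `new Thread` and only logs `APIManagerPublisherException | UserAdminException`, so `addRole`/`updateRole` return success to the client while the role-to-scope binding may never have been written; on an update that reduces permissions this presumably leaves the previously mapped scopes attached, i.e. the role keeps more API access than the caller just granted. Separately, `getPlatformUIPermissions` now receives the domain-stripped segment (`roleName[roleName.length - 1]`) where the removed code passed the full `roleInfo.getRoleName()`; if that lookup needs the user-store-qualified name for secondary stores this is a regression, so confirm before merging. I would make the mapping synchronous inside the request's tenant flow and let the two exceptions propagate so the callers (whose catch blocks are partly outside this view, L60 onward and the `updateRole` tail) can return an error instead of a misleading OK. The `split("/")` also changes the mapped name for any role containing a slash for reasons other than a user-store domain prefix; a comment stating that only the domain prefix is meant to be stripped would help the next reader.
```java
private void addPermissions(String roleName, String[] permissions, UserRealm userRealm)
        throws APIManagerPublisherException, UserAdminException {
    String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
    try {
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
        // Synchronous on purpose: a failed scope mapping must fail the request, not just be logged,
        // otherwise a role can be created/updated with stale or missing API scopes.
        DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleName,
                getPlatformUIPermissions(roleName, userRealm, permissions));
    } finally {
        PrivilegedCarbonContext.endTenantFlow();
    }
}
```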

@ -114,11 +114,6 @@ public class UserManagementServiceImpl implements UserManagementService {
private static final String API_BASE_PATH = "/users"; private static final String API_BASE_PATH = "/users";
private static final Log log = LogFactory.getLog(UserManagementServiceImpl.class); private static final Log log = LogFactory.getLog(UserManagementServiceImpl.class);
private static final String ADMIN_ROLE = "admin";
private static final String DEFAULT_DEVICE_USER = "Internal/devicemgt-user";
private static final String DEFAULT_DEVICE_ADMIN = "Internal/devicemgt-admin";
private static final String DEFAULT_SUBSCRIBER = "Internal/subscriber";
// Permissions that are given for a normal device user. // Permissions that are given for a normal device user.
private static final Permission[] PERMISSIONS_FOR_DEVICE_USER = { private static final Permission[] PERMISSIONS_FOR_DEVICE_USER = {
new Permission("/permission/admin/Login", "ui.execute"), new Permission("/permission/admin/Login", "ui.execute"),
@ -155,51 +150,9 @@ public class UserManagementServiceImpl implements UserManagementService {
Map<String, String> defaultUserClaims = Map<String, String> defaultUserClaims =
this.buildDefaultUserClaims(userInfo.getFirstname(), userInfo.getLastname(), this.buildDefaultUserClaims(userInfo.getFirstname(), userInfo.getLastname(),
userInfo.getEmailAddress(), true); userInfo.getEmailAddress(), true);
// calling addUser method of carbon user api
List<String> tmpRoles = new ArrayList<>();
String[] userInfoRoles = userInfo.getRoles();
tmpRoles.add(DEFAULT_DEVICE_USER);
boolean subscriberFound = false;
boolean adminFound = false;
if (userInfoRoles != null) {
//check if subscriber role is coming in the payload
for (String r : userInfoRoles) {
if (!subscriberFound || !adminFound) {
if (DEFAULT_SUBSCRIBER.equals(r)) {
subscriberFound = true;
} else if (ADMIN_ROLE.equals(r)) {
tmpRoles.add(DEFAULT_DEVICE_ADMIN);
adminFound = true;
}
} else {
break;
}
}
tmpRoles.addAll(Arrays.asList(userInfoRoles));
}
if (!subscriberFound) {
// Add Internal/subscriber role to new users
if (userStoreManager.isExistingRole(DEFAULT_SUBSCRIBER)) {
tmpRoles.add(DEFAULT_SUBSCRIBER);
} else {
log.warn("User: " + userInfo.getUsername() + " will not be able to enroll devices as '" +
DEFAULT_SUBSCRIBER + "' is missing in the system");
}
}
String[] roles = new String[tmpRoles.size()];
tmpRoles.toArray(roles);
// If the normal device user role does not exist, create a new role with the minimal permissions
if (!userStoreManager.isExistingRole(DEFAULT_DEVICE_USER)) {
userStoreManager.addRole(DEFAULT_DEVICE_USER, null, PERMISSIONS_FOR_DEVICE_USER);
}
userStoreManager.addUser(userInfo.getUsername(), initialUserPassword, userStoreManager.addUser(userInfo.getUsername(), initialUserPassword,
roles, defaultUserClaims, null); userInfo.getRoles(), defaultUserClaims, null);
// Outputting debug message upon successful addition of user // Outputting debug message upon successful addition of user
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("User '" + userInfo.getUsername() + "' has successfully been added."); log.debug("User '" + userInfo.getUsername() + "' has successfully been added.");
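Review bot: After this hunk `userStoreManager.addUser(...)` takes `userInfo.getRoles()` straight from the request payload, and the server-side defaults (`Internal/devicemgt-user`, `Internal/subscriber`, the `Internal/devicemgt-admin` companion for `admin`) together with the warning logged when the subscriber role is missing are gone, so a user created without explicit roles ends up with none and, per the removed warning, will not be able to enrol devices; nothing in the hunk documents that role assignment is now entirely the caller's responsibility. `PERMISSIONS_FOR_DEVICE_USER` loses its only use visible here and is presumably dead now — confirm against the rest of the file. I would add a comment above the call, `// Roles are taken verbatim from the payload; default device-user/subscriber roles are no longer added server-side.`, and guard the null case with `String[] roles = userInfo.getRoles() == null ? new String[0] : userInfo.getRoles();` unless `addUser` is known to accept a null role array. The enclosing method continues past the end of this hunk.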

@ -187,7 +187,6 @@
<Scope>am:store:app:modify</Scope> <Scope>am:store:app:modify</Scope>
<Scope>am:store:app:sub:install</Scope> <Scope>am:store:app:sub:install</Scope>
<Scope>am:store:app:sub:uninstall</Scope> <Scope>am:store:app:sub:uninstall</Scope>
<Scope>am:admin:pub:app:review:update</Scope>
<Scope>am:admin:pub:app:review:view</Scope> <Scope>am:admin:pub:app:review:view</Scope>
<Scope>am:admin:pub:app:update</Scope> <Scope>am:admin:pub:app:update</Scope>
<Scope>am:admin:store:app:review:update</Scope> <Scope>am:admin:store:app:review:update</Scope>
@ -196,12 +195,8 @@
<Scope>dm:device-type:view</Scope> <Scope>dm:device-type:view</Scope>
<Scope>and:enterprise:modify</Scope> <Scope>and:enterprise:modify</Scope>
<Scope>and:enterprise:view</Scope> <Scope>and:enterprise:view</Scope>
<Scope>and:work:customer</Scope>
<Scope>and:work:admin</Scope>
<Scope>app:command:modify</Scope>
<Scope>dm:sign-csr</Scope> <Scope>dm:sign-csr</Scope>
<Scope>dm:admin:devices:view</Scope> <Scope>dm:admin:devices:view</Scope>
<Scope>dm:admin:topics:view</Scope>
<Scope>rm:roles:add</Scope> <Scope>rm:roles:add</Scope>
<Scope>rm:users:add</Scope> <Scope>rm:users:add</Scope>
<Scope>rm:roles:update</Scope> <Scope>rm:roles:update</Scope>
@ -210,15 +205,6 @@
<Scope>rm:roles:view</Scope> <Scope>rm:roles:view</Scope>
<Scope>rm:roles:combined:add</Scope> <Scope>rm:roles:combined:add</Scope>
<Scope>rm:roles:delete</Scope> <Scope>rm:roles:delete</Scope>
<Scope>an:db:vulnerabilities</Scope>
<Scope>an:db:non-compliant:count</Scope>
<Scope>an:db:non-compliant</Scope>
<Scope>an:db:by-groups</Scope>
<Scope>an:db:device:count</Scope>
<Scope>an:db:feature-non-compliant</Scope>
<Scope>an:db:overview:count</Scope>
<Scope>an:db:filtered-count</Scope>
<Scope>an:db:details</Scope>
<Scope>dm:activity:get</Scope> <Scope>dm:activity:get</Scope>
<Scope>dm:devices:delete</Scope> <Scope>dm:devices:delete</Scope>
<Scope>dm:devices:app:view</Scope> <Scope>dm:devices:app:view</Scope>
@ -295,7 +281,6 @@
<Scope>dm:device:enroll</Scope> <Scope>dm:device:enroll</Scope>
<Scope>dm:geo:an:view</Scope> <Scope>dm:geo:an:view</Scope>
<Scope>dm:geo:alerts:manage</Scope> <Scope>dm:geo:alerts:manage</Scope>
<Scope>appm:read</Scope>
<Scope>dm:admin:devices:permanent-delete</Scope> <Scope>dm:admin:devices:permanent-delete</Scope>
<Scope>and:conf:manage</Scope> <Scope>and:conf:manage</Scope>
<Scope>and:conf:view</Scope> <Scope>and:conf:view</Scope>
@ -345,7 +330,6 @@
<Scope>win:ops:reboot</Scope> <Scope>win:ops:reboot</Scope>
<Scope>win:ops:location</Scope> <Scope>win:ops:location</Scope>
<Scope>admin:tenant:view</Scope> <Scope>admin:tenant:view</Scope>
<Scope>dm:admin:metadata:view</Scope>
<Scope>dm:admin:devices:usage:view</Scope> <Scope>dm:admin:devices:usage:view</Scope>
<Scope>and:ops:clear-app</Scope> <Scope>and:ops:clear-app</Scope>
<Scope>and:ops:suspend-package</Scope> <Scope>and:ops:suspend-package</Scope>
