From bd41e4f4fbf5731ed473ec5b43ae8cd51e024948 Mon Sep 17 00:00:00 2001 From: mharindu Date: Tue, 9 Aug 2016 19:08:07 +0530 Subject: [PATCH] Implemented scope based authorization in device-mgt UI module --- .../pom.xml | 4 ++ .../ApiApplicationRegistrationService.java | 14 +++-- .../src/main/webapp/WEB-INF/web.xml | 6 +- .../devicemgt/app/conf/config.json | 58 +++++++++++++++---- .../devicemgt/app/modules/constants.js | 1 + .../app/modules/oauth/token-handler-utils.js | 18 +++--- .../app/modules/oauth/token-handlers.js | 28 ++++++--- .../authenticator/OAuthAuthenticator.java | 2 +- 8 files changed, 97 insertions(+), 34 deletions(-) diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml index 5e7794b952..8d3f9af30b 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml @@ -161,6 +161,10 @@ org.wso2.carbon.user.api provided + + org.wso2.carbon.devicemgt + org.wso2.carbon.apimgt.annotations + diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationService.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationService.java index 8a81a8a5ec..8e2843cdc3 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationService.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationService.java 
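Review bot: The new `org.wso2.carbon.apimgt.annotations` dependency is added with neither a version nor a scope, while the neighbouring `org.wso2.carbon.user.api` entry is `provided`; unless the parent's dependencyManagement supplies both, the annotation bundle resolves at compile scope and is packaged into the WAR next to the copy the Carbon runtime already provides. Since `@API` is only read at publish time, I'd mark it `<scope>provided</scope>` like its sibling. The pom's dependency list continues outside the hunk.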
@@ -18,20 +18,19 @@ package org.wso2.carbon.apimgt.application.extension.api; +import org.wso2.carbon.apimgt.annotations.api.API; import org.wso2.carbon.apimgt.application.extension.api.util.RegistrationProfile; -import javax.ws.rs.Consumes; -import javax.ws.rs.DELETE; -import javax.ws.rs.POST; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; +import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; /** * This is the application registration service that exposed for apimApplicationRegistration */ +@API(name = "API Registration Service", version = "1.0.0", + context = "api-application-registration", + tags = {"devicemgt_admin"}) public interface ApiApplicationRegistrationService { /** @@ -40,6 +39,7 @@ public interface ApiApplicationRegistrationService { @POST @Produces(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON) + @Path("register/tenants") Response register(@PathParam("tenantDomain") String tenantDomain, @QueryParam("applicationName") String applicationName); @@ -51,6 +51,7 @@ public interface ApiApplicationRegistrationService { @POST @Produces(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON) + @Path("register") Response register(RegistrationProfile registrationProfile); /** @@ -59,5 +60,6 @@ public interface ApiApplicationRegistrationService { * @return the response status of request. */ @DELETE + @Path("unregister") Response unregister(@QueryParam("applicationName") String applicationName); } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml index 549bf4c1bd..e771ee6c09 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml 
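Review bot: Six explicit `javax.ws.rs` imports are collapsed into `import javax.ws.rs.*;` just to bring `Path` into scope; the rest of the file keeps explicit imports, and the wildcard hides which JAX-RS names the interface actually uses. I'd keep the explicit list and add `import javax.ws.rs.Path;`. The `@API` annotation's `context = "api-application-registration"` presumably has to match the webapp context root for the published API to front these resources — confirm against the deployed context.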
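Review bot: `@Path("register/tenants")` declares no `{tenantDomain}` template segment, yet the method still binds `@PathParam("tenantDomain")`; unless the implementation class's `@Path` supplies that segment, JAX-RS injects null and the tenant-specific registration runs with no tenant domain. The template should be `@Path("register/tenants/{tenantDomain}")`, or the parameter should become a `@QueryParam` like `applicationName`. The method bodies live in the implementation class, outside this file.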
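Review bot: None of the three resource methods carries a scope or permission annotation, although the commit's purpose is scope-based authorization and the webapp is now published as a managed API; `unregister` deletes an API application by a caller-supplied name and both `register` variants mint client credentials. Whether a token with any scope can reach them depends on how the authenticator treats a registered resource with no scope attached — the `OAuthAuthenticator` hunk only rejects resources it cannot find — so confirm that, and if scopes are declared per method, annotate these three with the admin scope the `devicemgt_admin` tag implies.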
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml @@ -47,7 +47,11 @@ managed-api-enabled - false + true + + + managed-api-owner + admin diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json index ad95aa01d6..cf19f5ec5b 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json 
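Review bot: `managed-api-owner` is the literal `admin`, so API publication at deployment is tied to that exact username; if the super-tenant admin account is renamed in a deployment, publishing runs under a non-existent owner. Consider resolving the owner from the realm configuration instead of the descriptor, or at least mark the coupling with `<!-- must match the super-tenant admin username -->` beside the param. Flipping `managed-api-enabled` to `true` also means every deployment now publishes the registration API, which issues OAuth client credentials — confirm the publication path attaches the intended scopes rather than leaving it open to any subscriber.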
@@ -70,17 +70,53 @@ "copyrightSuffix" : " All Rights Reserved." }, "scopes" : [ - "license-add", "license-view", "device-view", - "device-info", "device-list", "device-view-own", "device-modify", "device-search", - "operation-install", "operation-view", "operation-modify", "operation-uninstall", - "group-add", "group-share", "group-modify", "group-view", "group-remove", - "certificate-modify", "certificate-view", - "configuration-view", "configuration-modify", - "policy-view", "policy-modify", - "device-notification-view", "device-notification-modify", - "feature-view", - "roles-view", "roles-modify", "roles-remove", "roles-add", - "user-password-reset", "user-password-modify", "user-modify", "user-view", "user-invite", "user-remove", "user-add" + "user:manage", + "user:view", + "device-type:admin:view", + "device:view", + "notification:view", + "device:admin:view", + "application:manage", + "activity:view", + "user:admin:reset-password", + "policy:manage", + "policy:view", + "role:manage", + "role:view", + "configuration:view", + "configuration:modify", + "device:android:operation:reboot", + "device:android:operation:camera", + "device:android:operation:vpn", + "device:android:operation:lock", + "device:android:operation:ring", + "device:android:operation:update-app", + "device:android:operation:wipe", + "device:android:operation:encrypt", + "device:android:operation:blacklist-app", + "device:android:operation:applications", + "device:android:operation:enterprise-wipe", + "device:android:operation:info", + "device:android:operation:wifi", + "device:android:operation:uninstall-app", + "device:android:operation:change-lock", + "device:android:operation:notification", + "device:android:operation:upgrade", + "device:android:operation:unlock", + "device:android:operation:mute", + "device:android:operation:location", + "device:android:operation:webclip", + "device:android:operation:clear-password", + "device:android:operation:password-policy", + 
"device:android:operation:install-app", + "device:android:event:write", + "device:android:event:read", + "device:android:enroll", + "configuration:manage", + "configuration:view", + "device:android:enroll", + "certificate:view", + "certificate:manage" ], "isOAuthEnabled" : true, "backendRestEndpoints" : { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/constants.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/constants.js index f1ebedd948..38a3075064 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/constants.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/constants.js @@ -83,3 +83,4 @@ var HTTP_CONFLICT = 409; var HTTP_CREATED = 201; var CACHED_CREDENTIALS = "tenantBasedCredentials"; +var ALLOWED_SCOPES = "scopes"; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handler-utils.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handler-utils.js index 180438518f..ba7827173b 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handler-utils.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handler-utils.js 
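Review bot: The rewritten scope list contains duplicates: `"configuration:view"` appears in the first group and again right after `"configuration:manage"`, and `"device:android:enroll"` appears twice in the closing group. Duplicates are harmless to the token endpoint but this array is joined into every password-grant request and is what `devicemgtProps["scopes"]` consumers iterate over, so drop the second copy of each. Both `configuration:modify` and `configuration:manage` also survive — confirm these are two distinct server-side scopes rather than an old and a new spelling of the same one.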
@@ -172,10 +172,11 @@ var utils = function () { if (xhr["status"] == 200 && xhr["responseText"]) { var responsePayload = parse(xhr["responseText"]); - var tokenPair = {}; - tokenPair["accessToken"] = responsePayload["access_token"]; - tokenPair["refreshToken"] = responsePayload["refresh_token"]; - return tokenPair; + var tokenData = {}; + tokenData["accessToken"] = responsePayload["access_token"]; + tokenData["refreshToken"] = responsePayload["refresh_token"]; + tokenData["scopes"] = responsePayload["scope"]; + return tokenData; } else { log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " + "by password grant type - getTokenPairByPasswordGrantType(a, b, c, d)"); @@ -224,10 +225,11 @@ var utils = function () { if (xhr["status"] == 200 && xhr["responseText"]) { var responsePayload = parse(xhr["responseText"]); - var tokenPair = {}; - tokenPair["accessToken"] = responsePayload["access_token"]; - tokenPair["refreshToken"] = responsePayload["refresh_token"]; - return tokenPair; + var tokenData = {}; + tokenData["accessToken"] = responsePayload["access_token"]; + tokenData["refreshToken"] = responsePayload["refresh_token"]; + tokenData["scopes"] = responsePayload["scope"]; + return tokenData; } else { log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " + "by password grant type - getTokenPairBySAMLGrantType(x, y, z)"); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handlers.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handlers.js index af8a7e6674..fc1016eb85 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handlers.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handlers.js 
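Review bot: `tokenData["scopes"] = responsePayload["scope"]` copies the field as-is, but `scope` is optional in an OAuth 2.0 token response (RFC 6749 §5.1 lets the server omit it when the granted scope equals the requested one), so callers that treat `scopes` as a string will fail on such a response. Normalise it here, `tokenData["scopes"] = responsePayload["scope"] || "";`, so the returned shape is stable; the identical line in the SAML-grant hunk below needs the same treatment. The functions are still named `getTokenPair…` although they now return a third field — a one-line comment stating that `scopes` is the space-separated granted scope string from the token endpoint would help the next reader. Both functions start and end outside the hunks.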
@@ -45,23 +45,30 @@ var handlers = function () { "password grant type. Encoded client credentials are " + "missing - setupTokenPairByPasswordGrantType(x, y)"); } else { - var tokenPair; + var tokenData; // tokenPair will include current access token as well as current refresh token var arrayOfScopes = devicemgtProps["scopes"]; var stringOfScopes = ""; arrayOfScopes.forEach(function (entry) { stringOfScopes += entry + " "; }); - tokenPair = tokenUtil. + tokenData = tokenUtil. getTokenPairByPasswordGrantType(username, encodeURIComponent(password), encodedClientAppCredentials, stringOfScopes); - if (!tokenPair) { + if (!tokenData) { throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up " + "token pair by password grant type. Error in token " + "retrieval - setupTokenPairByPasswordGrantType(x, y)"); } else { - // setting up access token pair into session context as a string + var tokenPair = {}; + tokenPair["accessToken"] = tokenData["accessToken"]; + tokenPair["refreshToken"] = tokenData["refreshToken"]; + // setting up token pair into session context as a string session.put(constants["TOKEN_PAIR"], stringify(tokenPair)); + + var scopes = tokenData.scopes.split(" "); + // adding allowed scopes to the session + session.put(constants["ALLOWED_SCOPES"], scopes); } } } 
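Review bot: `tokenData.scopes.split(" ")` is unguarded: if the token endpoint omits the optional `scope` field (RFC 6749 §5.1) `scopes` is undefined and the login throws a TypeError after the token pair has already been written to the session, leaving a half-initialised session. Guard it and fall back to what was requested, `var scopes = tokenData.scopes ? tokenData.scopes.split(" ") : arrayOfScopes;`. The comment `// tokenPair will include current access token as well as current refresh token` now describes `tokenData` and should be updated. `setupTokenPairByPasswordGrantType` begins before the hunk.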
@@ -80,17 +87,24 @@ var handlers = function () { "by saml grant type. Encoded client credentials are " + "missing - setupTokenPairByPasswordGrantType(x, y)"); } else { - var tokenPair; + var tokenData; // accessTokenPair will include current access token as well as current refresh token - tokenPair = tokenUtil. + tokenData = tokenUtil. getTokenPairBySAMLGrantType(samlToken, encodedClientAppCredentials, "PRODUCTION"); - if (!tokenPair) { + if (!tokenData) { throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up token " + "pair by password grant type. Error in token " + "retrieval - setupTokenPairByPasswordGrantType(x, y)"); } else { + var tokenPair = {}; + tokenPair["accessToken"] = tokenData["accessToken"]; + tokenPair["refreshToken"] = tokenData["refreshToken"]; // setting up access token pair into session context as a string session.put(constants["TOKEN_PAIR"], stringify(tokenPair)); + + var scopes = tokenData.scopes.split(" "); + // adding allowed scopes to the session + session.put(constants["ALLOWED_SCOPES"], scopes); } } } diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java index abb0178cc6..f6169eace9 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java 
@@ -129,7 +129,7 @@ public class OAuthAuthenticator implements WebappAuthenticator {
 if (resource == null || resource.isEmpty()) {
 authenticationInfo.setStatus(Status.FAILURE);
- authenticationInfo.setMessage("Requested resource does not exist");
+ authenticationInfo.setMessage("Authorization failed. Requested API resource does not exist");
 return authenticationInfo;
 }