Adding group permission checking for Device Access Authorizations

merge-requests/7/head
Rasika Perera 9 years ago
parent 07c0aa1045
commit 38cdd94f3c

@ -51,6 +51,32 @@ public interface DeviceAccessAuthorizationService {
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
DeviceAccessAuthorizationException;
/**
* This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier.
*
* @param deviceIdentifier - DeviceIdentifier of the device to be checked.
* @param username - Username of the user to be checked for authorization.
* @param permission - Permission
* @return Boolean authorization result.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException;
/**
* This method will check whether the given user has the access to the devices identified by the given
* DeviceIdentifier list.
*
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
* @param username - User name
* @param permission - Permission
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
* unauthorized devices.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, String permission) throws
DeviceAccessAuthorizationException;
/**
* This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier.

@ -20,20 +20,26 @@ package org.wso2.carbon.device.mgt.core.authorization;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.*;
import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.DeviceManagementException;
import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
@ -66,158 +72,148 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
}
@Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
boolean status;
String username = this.getUserName();
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission)
throws DeviceAccessAuthorizationException {
int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) {
return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType());
return false;
}
try {
//Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId);
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
//check for admin and ownership permissions
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
return true;
}
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
status = true;
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
//check for group permissions
try {
if (permission == null || permission.isEmpty()) {
return false;
}
return checkGroupsPermission(username, tenantId, permission);
} catch (GroupManagementException | UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
username, e);
}
return status;
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
DeviceAccessAuthorizationException {
boolean status;
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
String username = this.getUserName();
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifier, username, null);
}
@Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
String permission)
throws DeviceAccessAuthorizationException {
int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) {
return deviceAuthorizationResult;
}
try {
//Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId);
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " +
username, e);
return null;
}
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
//Get the list of devices of the user
List<Device> devicesOfUser = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevicesOfUser(username);
//Convert device-list to a Map
Map<String, String> ownershipData = this.getOwnershipOfDevices(devicesOfUser);
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
if (ownershipData.containsKey(deviceIdentifier.getId())) {
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
//check for admin and ownership permissions
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
try {
if (permission == null || permission.isEmpty()) {
return null;
}
//check for group permissions
if (checkGroupsPermission(username, tenantId, permission)) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
}
} catch (GroupManagementException | UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
username, e);
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
+ username, e);
}
} else {
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
}
return deviceAuthorizationResult;
}
@Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username)
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifiers, username, null);
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
}
private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
throws DeviceAccessAuthorizationException {
boolean status;
int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) {
return false;
}
try {
//Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId);
//First Check for admin users. If the user is an admin user we authorize the access to that device.
//Secondly Check for device ownership. If the user is the owner of the device we allow the access.
return (isAdminUser(username, tenantId) || isDeviceOwner(deviceIdentifier, username));
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
deviceIdentifier.getId() + " for the user : " +
username, e);
}
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
status = true;
}
private boolean checkGroupsPermission(String username, int tenantId, String permission)
throws GroupManagementException, UserStoreException {
List<DeviceGroup> groups =
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
permission);
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
Iterator<DeviceGroup> groupIterator = groups.iterator();
while (groupIterator.hasNext()) {
DeviceGroup deviceGroup = groupIterator.next();
Iterator<String> rolesIterator = deviceGroup.getRoles().iterator();
while (rolesIterator.hasNext()) {
String role = rolesIterator.next();
if (userRealm.getAuthorizationManager().isRoleAuthorized(
"Internal/group-" + deviceGroup.getId() + "-" + role, permission,
CarbonConstants.UI_PERMISSION_ACTION)) {
return true;
}
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
}
}
return status;
return false;
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username)
throws DeviceAccessAuthorizationException {
boolean status;
int tenantId = this.getTenantId();
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
if (username == null || username.isEmpty()) {
return null;
}
try {
//Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId);
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " +
username, e);
}
private boolean isDeviceOwner(DeviceIdentifier deviceIdentifier, String username)
throws DeviceAccessAuthorizationException {
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
Device device;
EnrolmentInfo enrolmentInfo;
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
}
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
+ username, e);
try {
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
return true;
}
} else {
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
username, e);
}
return deviceAuthorizationResult;
return false;
}
private boolean isAdminUser(String username, int tenantId) throws UserStoreException {
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
return userRealm.getAuthorizationManager()
.isUserAuthorized(removeTenantDomain(username), PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION),
PermissionMethod.UI_EXECUTE);
.isUserAuthorized(removeTenantDomain(username),
PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION),
PermissionMethod.UI_EXECUTE);
}
return false;
}

@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManager;
import org.wso2.carbon.device.mgt.core.app.mgt.config.AppManagementConfig;
import org.wso2.carbon.device.mgt.core.config.license.LicenseConfig;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService;
import org.wso2.carbon.ntask.core.service.TaskService;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.core.service.RealmService;
@ -47,6 +48,7 @@ public class DeviceManagementDataHolder {
private ConfigurationContextService configurationContextService;
private HashMap<String,Boolean> requireDeviceAuthorization = new HashMap<>();
private DeviceAccessAuthorizationService deviceAccessAuthorizationService;
private GroupManagementProviderService groupManagementProviderService;
private TaskService taskService;
//private EmailSenderService emailSenderService;
@ -91,6 +93,15 @@ public class DeviceManagementDataHolder {
this.deviceManagerProvider = deviceManagerProvider;
}
public GroupManagementProviderService getGroupManagementProviderService() {
return groupManagementProviderService;
}
public void setGroupManagementProviderService(
GroupManagementProviderService groupManagementProviderService) {
this.groupManagementProviderService = groupManagementProviderService;
}
public RegistryService getRegistryService() {
if (registryService == null) {
throw new IllegalStateException("Registry service is not initialized properly");

@ -195,6 +195,7 @@ public class DeviceManagementServiceComponent {
/* Registering Group Management Service */
GroupManagementProviderService groupManagementProvider = new GroupManagementProviderServiceImpl();
DeviceManagementDataHolder.getInstance().setGroupManagementProviderService(groupManagementProvider);
bundleContext.registerService(GroupManagementProviderService.class.getName(), groupManagementProvider, null);
/* Registering Tenant Configuration Management Service */

Loading…
Cancel
Save