commit
5da2ae1f74
@ -0,0 +1,181 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.api;
|
||||
|
||||
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.ErrorResponse;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.authorization.DeviceAuthorizationRequest;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAuthorizationRequest;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAuthorizationResult;
|
||||
import io.swagger.annotations.*;
|
||||
import org.apache.axis2.transport.http.HTTPConstants;
|
||||
|
||||
import javax.validation.Valid;
|
||||
import javax.ws.rs.*;
|
||||
import javax.ws.rs.core.MediaType;
|
||||
import javax.ws.rs.core.Response;
|
||||
|
||||
@SwaggerDefinition(
|
||||
info = @Info(
|
||||
version = "1.0.0",
|
||||
title = "",
|
||||
extensions = {
|
||||
@Extension(properties = {
|
||||
@ExtensionProperty(name = "name", value = "AccessAuthorizationService"),
|
||||
@ExtensionProperty(name = "context", value = "/api/device-mgt/v1.0/access"),
|
||||
})
|
||||
}
|
||||
),
|
||||
tags = {
|
||||
@Tag(name = "device_management", description = "")
|
||||
}
|
||||
)
|
||||
@Path("/access")
|
||||
@Api(value = "AccessAuthorizationService", description = "This API carries all device group management related " +
|
||||
"access authorization")
|
||||
@Produces(MediaType.APPLICATION_JSON)
|
||||
@Consumes(MediaType.APPLICATION_JSON)
|
||||
public interface AccessAuthorizationService {
|
||||
|
||||
@POST
|
||||
@Path("/device")
|
||||
@ApiOperation(
|
||||
produces = MediaType.APPLICATION_JSON,
|
||||
httpMethod = HTTPConstants.HEADER_GET,
|
||||
value = "check device access authorization",
|
||||
notes = "Returns device access acutorization info",
|
||||
tags = "device_management"
|
||||
)
|
||||
@ApiResponses(
|
||||
value = {
|
||||
@ApiResponse(
|
||||
code = 201,
|
||||
message = "Created. \n Device group has successfully been created",
|
||||
responseHeaders = {
|
||||
@ResponseHeader(
|
||||
name = "Content-Location",
|
||||
description = "The URL of the added group."),
|
||||
@ResponseHeader(
|
||||
name = "Content-Type",
|
||||
description = "The content type of the body"),
|
||||
@ResponseHeader(
|
||||
name = "ETag",
|
||||
description = "Entity Tag of the response resource.\n" +
|
||||
"Used by caches, or in conditional requests."),
|
||||
@ResponseHeader(
|
||||
name = "Last-Modified",
|
||||
description = "Date and time the resource has been modified the last time" +
|
||||
".\n" + "Used by caches, or in conditional requests.")
|
||||
}
|
||||
),
|
||||
@ApiResponse(
|
||||
code = 303,
|
||||
message = "See Other. \n Source can be retrieved from the URL specified at the Location " +
|
||||
"header.",
|
||||
responseHeaders = {
|
||||
@ResponseHeader(
|
||||
name = "Content-Location",
|
||||
description = "The Source URL of the document.")}),
|
||||
@ApiResponse(
|
||||
code = 400,
|
||||
message = "Bad Request. \n Invalid request or validation error.",
|
||||
response = ErrorResponse.class),
|
||||
@ApiResponse(
|
||||
code = 401,
|
||||
message = "Unauthorized. \n Current logged in user is not authorized for this request",
|
||||
response = ErrorResponse.class),
|
||||
@ApiResponse(
|
||||
code = 415,
|
||||
message = "Unsupported media type. \n The entity of the request was in a not supported " +
|
||||
"format."),
|
||||
@ApiResponse(
|
||||
code = 500,
|
||||
message = "Internal Server Error. \n " +
|
||||
"Server error occurred while checking access",
|
||||
response = ErrorResponse.class)
|
||||
})
|
||||
Response checkDeviceAccess(
|
||||
@ApiParam(
|
||||
name = "deviceAccessRequest",
|
||||
value = "Define the device access request object with data.",
|
||||
required = true)
|
||||
@Valid DeviceAuthorizationRequest deviceAuthorizationRequest);
|
||||
|
||||
@POST
|
||||
@Path("/group")
|
||||
@ApiOperation(
|
||||
produces = MediaType.APPLICATION_JSON,
|
||||
httpMethod = HTTPConstants.HEADER_GET,
|
||||
value = "check device access authorization",
|
||||
notes = "Returns device access acutorization info",
|
||||
tags = "device_management"
|
||||
)
|
||||
@ApiResponses(
|
||||
value = {
|
||||
@ApiResponse(
|
||||
code = 201,
|
||||
message = "Created. \n Device group has successfully been created",
|
||||
responseHeaders = {
|
||||
@ResponseHeader(
|
||||
name = "Content-Location",
|
||||
description = "The URL of the added group."),
|
||||
@ResponseHeader(
|
||||
name = "Content-Type",
|
||||
description = "The content type of the body"),
|
||||
@ResponseHeader(
|
||||
name = "ETag",
|
||||
description = "Entity Tag of the response resource.\n" +
|
||||
"Used by caches, or in conditional requests."),
|
||||
@ResponseHeader(
|
||||
name = "Last-Modified",
|
||||
description = "Date and time the resource has been modified the last time" +
|
||||
".\n" + "Used by caches, or in conditional requests.")
|
||||
}
|
||||
),
|
||||
@ApiResponse(
|
||||
code = 303,
|
||||
message = "See Other. \n Source can be retrieved from the URL specified at the Location " +
|
||||
"header.",
|
||||
responseHeaders = {
|
||||
@ResponseHeader(
|
||||
name = "Content-Location",
|
||||
description = "The Source URL of the document.")}),
|
||||
@ApiResponse(
|
||||
code = 400,
|
||||
message = "Bad Request. \n Invalid request or validation error.",
|
||||
response = ErrorResponse.class),
|
||||
@ApiResponse(
|
||||
code = 401,
|
||||
message = "Unauthorized. \n Current logged in user is not authorized for this request",
|
||||
response = ErrorResponse.class),
|
||||
@ApiResponse(
|
||||
code = 415,
|
||||
message = "Unsupported media type. \n The entity of the request was in a not supported " +
|
||||
"format."),
|
||||
@ApiResponse(
|
||||
code = 500,
|
||||
message = "Internal Server Error. \n " +
|
||||
"Server error occurred while checking access",
|
||||
response = ErrorResponse.class)
|
||||
})
|
||||
Response checkGroupAccess(
|
||||
@ApiParam(
|
||||
name = "groupAccessRequest",
|
||||
value = "Define the group access request object with data.",
|
||||
required = true)
|
||||
@Valid GroupAuthorizationRequest request);
|
||||
}
|
@ -0,0 +1,95 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl;
|
||||
|
||||
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.api.AccessAuthorizationService;
|
||||
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.DeviceMgtAPIUtils;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.DeviceIdentifier;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.authorization.*;
|
||||
import org.apache.commons.lang.StringUtils;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import javax.ws.rs.core.Response;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
|
||||
public class AccessAuthorizationServiceImpl implements AccessAuthorizationService {
|
||||
|
||||
private static final Log log = LogFactory.getLog(AccessAuthorizationServiceImpl.class);
|
||||
@Override
|
||||
public Response checkDeviceAccess(DeviceAuthorizationRequest deviceAuthorizationRequest) {
|
||||
|
||||
if (StringUtils.isEmpty(deviceAuthorizationRequest.getType())) {
|
||||
String msg = "device type not specified";
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||
}
|
||||
|
||||
if (deviceAuthorizationRequest.getDeviceIds().isEmpty()) {
|
||||
String msg = "device ids not specified";
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||
}
|
||||
|
||||
if (deviceAuthorizationRequest.getPermissions().isEmpty()) {
|
||||
String msg = "permissions not specified";
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||
}
|
||||
|
||||
List<DeviceIdentifier> deviceIdentifiers = new ArrayList<>();
|
||||
for(String id : deviceAuthorizationRequest.getDeviceIds()) {
|
||||
DeviceIdentifier identifier = new DeviceIdentifier(id, deviceAuthorizationRequest.getType());
|
||||
deviceIdentifiers.add(identifier);
|
||||
}
|
||||
try {
|
||||
DeviceAuthorizationResult result = DeviceMgtAPIUtils.getDeviceAccessAuthorizationService()
|
||||
.isUserAuthorized(deviceIdentifiers, deviceAuthorizationRequest.getUsername(),
|
||||
deviceAuthorizationRequest.getPermissions().toArray(new String[0]));
|
||||
return Response.status(Response.Status.OK).entity(result).build();
|
||||
} catch (DeviceAccessAuthorizationException e) {
|
||||
String msg = "Error occurred while checking access info";
|
||||
log.error(msg, e);
|
||||
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response checkGroupAccess(GroupAuthorizationRequest request) {
|
||||
|
||||
if (request.getGroupIds().isEmpty()) {
|
||||
String msg = "group ids not specified";
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||
}
|
||||
|
||||
if (request.getPermissions().isEmpty()) {
|
||||
String msg = "permissions not specified";
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||
}
|
||||
|
||||
try {
|
||||
GroupAuthorizationResult result = DeviceMgtAPIUtils.getGroupAccessAuthorizationService()
|
||||
.isUserAuthorized(request.getGroupIds(), request.getUsername(),
|
||||
request.getPermissions().toArray(new String[0]));
|
||||
return Response.status(Response.Status.OK).entity(result).build();
|
||||
} catch (GroupAccessAuthorizationException e) {
|
||||
String msg = "Error occurred while checking access info";
|
||||
log.error(msg, e);
|
||||
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,68 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||
|
||||
import io.swagger.annotations.ApiModel;
|
||||
import io.swagger.annotations.ApiModelProperty;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@ApiModel(value = "DeviceAuthorizationRequest", description = "")
|
||||
public class DeviceAuthorizationRequest {
|
||||
|
||||
@ApiModelProperty(name = "type", value = "device type")
|
||||
private String type;
|
||||
@ApiModelProperty(name = "deviceIds", value = "list of device ids")
|
||||
private List<String> deviceIds;
|
||||
@ApiModelProperty(name = "username", value = "user who is accessing the device")
|
||||
private String username;
|
||||
@ApiModelProperty(name = "permissions", value = "list of permissions")
|
||||
private List<String> permissions;
|
||||
|
||||
public String getType() {
|
||||
return type;
|
||||
}
|
||||
|
||||
public void setType(String type) {
|
||||
this.type = type;
|
||||
}
|
||||
|
||||
public List<String> getDeviceIds() {
|
||||
return deviceIds;
|
||||
}
|
||||
|
||||
public void setDeviceIds(List<String> deviceIds) {
|
||||
this.deviceIds = deviceIds;
|
||||
}
|
||||
|
||||
public String getUsername() {
|
||||
return username;
|
||||
}
|
||||
|
||||
public void setUsername(String username) {
|
||||
this.username = username;
|
||||
}
|
||||
|
||||
public List<String> getPermissions() {
|
||||
return permissions;
|
||||
}
|
||||
|
||||
public void setPermissions(List<String> permissions) {
|
||||
this.permissions = permissions;
|
||||
}
|
||||
}
|
@ -0,0 +1,61 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||
|
||||
/**
|
||||
* Custom exception class which wraps exceptions occurred inside GroupAccessAuthorization service.
|
||||
*/
|
||||
public class GroupAccessAuthorizationException extends Exception {
|
||||
|
||||
private static final long serialVersionUID = -3151279331929070297L;
|
||||
|
||||
private String errorMessage;
|
||||
|
||||
public String getErrorMessage() {
|
||||
return errorMessage;
|
||||
}
|
||||
|
||||
public void setErrorMessage(String errorMessage) {
|
||||
this.errorMessage = errorMessage;
|
||||
}
|
||||
|
||||
public GroupAccessAuthorizationException(String msg, Exception nestedEx) {
|
||||
super(msg, nestedEx);
|
||||
setErrorMessage(msg);
|
||||
}
|
||||
|
||||
public GroupAccessAuthorizationException(String message, Throwable cause) {
|
||||
super(message, cause);
|
||||
setErrorMessage(message);
|
||||
}
|
||||
|
||||
public GroupAccessAuthorizationException(String msg) {
|
||||
super(msg);
|
||||
setErrorMessage(msg);
|
||||
}
|
||||
|
||||
public GroupAccessAuthorizationException() {
|
||||
super();
|
||||
}
|
||||
|
||||
public GroupAccessAuthorizationException(Throwable cause) {
|
||||
super(cause);
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,33 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
public interface GroupAccessAuthorizationService {
|
||||
|
||||
public boolean isUserAuthorized(int groupId, String username, String[] groupPermissions)
|
||||
throws GroupAccessAuthorizationException;
|
||||
|
||||
public boolean isUserAuthorized(int groupId, String[] groupPermissions)
|
||||
throws GroupAccessAuthorizationException;
|
||||
|
||||
public GroupAuthorizationResult isUserAuthorized(List<Integer> groupIds, String username, String[] groupPermission)
|
||||
throws GroupAccessAuthorizationException;
|
||||
|
||||
}
|
@ -0,0 +1,58 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||
|
||||
import io.swagger.annotations.ApiModel;
|
||||
import io.swagger.annotations.ApiModelProperty;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@ApiModel(value = "GroupAuthorizationRequest", description = "")
|
||||
public class GroupAuthorizationRequest {
|
||||
|
||||
@ApiModelProperty(name = "groupIds", value = "list of group Ids")
|
||||
private List<Integer> groupIds;
|
||||
@ApiModelProperty(name = "username", value = "user who is accessing the device")
|
||||
private String username;
|
||||
@ApiModelProperty(name = "permissions", value = "list of permissions")
|
||||
private List<String> permissions;
|
||||
|
||||
public List<Integer> getGroupIds() {
|
||||
return groupIds;
|
||||
}
|
||||
|
||||
public void setGroupIds(List<Integer> groupIds) {
|
||||
this.groupIds = groupIds;
|
||||
}
|
||||
|
||||
public String getUsername() {
|
||||
return username;
|
||||
}
|
||||
|
||||
public void setUsername(String username) {
|
||||
this.username = username;
|
||||
}
|
||||
|
||||
public List<String> getPermissions() {
|
||||
return permissions;
|
||||
}
|
||||
|
||||
public void setPermissions(List<String> permissions) {
|
||||
this.permissions = permissions;
|
||||
}
|
||||
}
|
@ -0,0 +1,56 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Represents a GroupAuthorizationResult including a list of authorized groups and a list of unauthorized groups.
|
||||
*/
|
||||
public class GroupAuthorizationResult {
|
||||
|
||||
private List<Integer> authorizedGroupIds = new ArrayList<>();
|
||||
private List<Integer> unauthorizedGroupIds= new ArrayList<>();
|
||||
|
||||
public List<Integer> getAuthorizedGroupIds() {
|
||||
return authorizedGroupIds;
|
||||
}
|
||||
|
||||
public void setAuthorizedGroupIds(List<Integer> authorizedGroupIds) {
|
||||
this.authorizedGroupIds = authorizedGroupIds;
|
||||
}
|
||||
|
||||
public List<Integer> getUnauthorizedGroupIds() {
|
||||
return unauthorizedGroupIds;
|
||||
}
|
||||
|
||||
public void setUnauthorizedGroupIds(List<Integer> unauthorizedGroupIds) {
|
||||
this.unauthorizedGroupIds = unauthorizedGroupIds;
|
||||
}
|
||||
|
||||
public void addAuthorizedGroupId(int groupId) {
|
||||
this.authorizedGroupIds.add(groupId);
|
||||
}
|
||||
|
||||
public void addUnauthorizedGroupId(int groupId) {
|
||||
this.unauthorizedGroupIds.add(groupId);
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,173 @@
|
||||
/*
|
||||
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||
*
|
||||
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package io.entgra.device.mgt.core.device.mgt.core.authorization;
|
||||
|
||||
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAccessAuthorizationException;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAccessAuthorizationService;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAuthorizationResult;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.group.mgt.DeviceGroup;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.group.mgt.GroupManagementException;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.permission.mgt.Permission;
|
||||
import io.entgra.device.mgt.core.device.mgt.common.permission.mgt.PermissionManagementException;
|
||||
import io.entgra.device.mgt.core.device.mgt.core.internal.DeviceManagementDataHolder;
|
||||
import io.entgra.device.mgt.core.device.mgt.core.permission.mgt.PermissionUtils;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.opensaml.xmlsec.signature.G;
|
||||
import org.wso2.carbon.CarbonConstants;
|
||||
import org.wso2.carbon.context.CarbonContext;
|
||||
import org.wso2.carbon.user.api.UserRealm;
|
||||
import org.wso2.carbon.user.api.UserStoreException;
|
||||
|
||||
import javax.persistence.criteria.CriteriaBuilder;
|
||||
import java.util.List;
|
||||
|
||||
public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthorizationService {
|
||||
|
||||
private final static String GROUP_ADMIN_PERMISSION = "/device-mgt/devices/any-group/permitted-actions-under-owning-group";
|
||||
private final static String GROUP_ADMIN = "Group Management Administrator";
|
||||
private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class);
|
||||
|
||||
public GroupAccessAuthorizationServiceImpl() {
|
||||
try {
|
||||
this.addAdminPermissionToRegistry();
|
||||
} catch (PermissionManagementException e) {
|
||||
log.error("Unable to add the group-admin permission to the registry.", e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAuthorized(int groupId, String username, String[] groupPermissions)
|
||||
throws GroupAccessAuthorizationException {
|
||||
int tenantId = this.getTenantId();
|
||||
if (username == null || username.isEmpty()) {
|
||||
username = this.getUserName();
|
||||
}
|
||||
//check for admin and ownership permissions
|
||||
if (isGroupAdminUser(username, tenantId) || isGroupOwner(groupId, username)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
//check for group permissions
|
||||
if (groupPermissions == null || groupPermissions.length == 0) {
|
||||
return false;
|
||||
} else {
|
||||
// if group permissions specified, check whether that permission is available in any user role of the group owner
|
||||
try {
|
||||
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService()
|
||||
.getTenantUserRealm(getTenantId());
|
||||
String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username);
|
||||
boolean isAuthorized = true;
|
||||
for (String groupPermission : groupPermissions) {
|
||||
for (String role : userRoles) {
|
||||
if (!userRealm.getAuthorizationManager().
|
||||
isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) {
|
||||
isAuthorized = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
return isAuthorized;
|
||||
} catch (UserStoreException e) {
|
||||
throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " +
|
||||
groupId + " for the user : " +
|
||||
username, e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public GroupAuthorizationResult isUserAuthorized(List<Integer> groupIds, String username, String[] groupPermission)
|
||||
throws GroupAccessAuthorizationException {
|
||||
GroupAuthorizationResult result = new GroupAuthorizationResult();
|
||||
for (Integer groupId : groupIds) {
|
||||
if (isUserAuthorized(groupId, username, groupPermission)) {
|
||||
result.addAuthorizedGroupId(groupId);
|
||||
} else {
|
||||
result.addUnauthorizedGroupId(groupId);
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public boolean isUserAuthorized(int groupId, String[] groupPermissions)
|
||||
throws GroupAccessAuthorizationException {
|
||||
return isUserAuthorized(groupId, this.getUserName(), groupPermissions);
|
||||
}
|
||||
|
||||
private boolean isGroupOwner(int groupId, String username)
|
||||
throws GroupAccessAuthorizationException {
|
||||
//Check for group ownership. If the user is the owner of the group we allow the access.
|
||||
try {
|
||||
DeviceGroup group = DeviceManagementDataHolder.getInstance().
|
||||
getGroupManagementProviderService().getGroup(groupId, false);
|
||||
return username.equals(group.getOwner());
|
||||
} catch (GroupManagementException e) {
|
||||
throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " +
|
||||
groupId + " for the user : " +
|
||||
username, e);
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isGroupAdminUser(String username, int tenantId) throws GroupAccessAuthorizationException {
|
||||
try {
|
||||
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
|
||||
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
|
||||
return userRealm.getAuthorizationManager()
|
||||
.isUserAuthorized(removeTenantDomain(username),
|
||||
PermissionUtils.getAbsolutePermissionPath(GROUP_ADMIN_PERMISSION),
|
||||
CarbonConstants.UI_PERMISSION_ACTION);
|
||||
}
|
||||
return false;
|
||||
} catch (UserStoreException e) {
|
||||
throw new GroupAccessAuthorizationException("Unable to authorize the access for the user : " +
|
||||
username, e);
|
||||
}
|
||||
}
|
||||
|
||||
private String getUserName() {
|
||||
String username = CarbonContext.getThreadLocalCarbonContext().getUsername();
|
||||
if (username != null && !username.isEmpty()) {
|
||||
return removeTenantDomain(username);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private String removeTenantDomain(String username) {
|
||||
String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
|
||||
if (username.endsWith(tenantDomain)) {
|
||||
return username.substring(0, username.lastIndexOf("@"));
|
||||
}
|
||||
return username;
|
||||
}
|
||||
|
||||
private int getTenantId() {
|
||||
return CarbonContext.getThreadLocalCarbonContext().getTenantId();
|
||||
}
|
||||
|
||||
private boolean addAdminPermissionToRegistry() throws PermissionManagementException {
|
||||
Permission permission = new Permission();
|
||||
permission.setName(GROUP_ADMIN);
|
||||
permission.setPath(PermissionUtils.getAbsolutePermissionPath(GROUP_ADMIN_PERMISSION));
|
||||
return PermissionUtils.putPermission(permission);
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in new issue