changed device access verification approach

merge-requests/7/head
ayyoob 8 years ago
parent 28faf53802
commit fe263efe60

@ -163,7 +163,13 @@
</dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.apimgt.annotations</artifactId>
<artifactId>org.wso2.carbon.device.mgt.core</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.common</artifactId>
<scope>provided</scope>
</dependency>
</dependencies>

@ -29,6 +29,7 @@ import org.wso2.carbon.apimgt.application.extension.dto.ApiApplicationKey;
import org.wso2.carbon.apimgt.application.extension.exception.APIManagerException;
import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.DeviceManagementException;
import org.wso2.carbon.user.api.UserStoreException;
import javax.ws.rs.DELETE;
@ -36,6 +37,8 @@ import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Arrays;
public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegistrationService {
@ -62,7 +65,8 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys(
applicationName, ApiApplicationConstants.DEFAULT_TOKEN_TYPE, username, false);
applicationName, APIUtil.getAllowedApisTags().toArray(new String[APIUtil.getAllowedApisTags().size()]),
ApiApplicationConstants.DEFAULT_TOKEN_TYPE, username, false);
return Response.status(Response.Status.CREATED).entity(apiApplicationKey.toString()).build();
} catch (APIManagerException e) {
String msg = "Error occurred while registering an application '" + applicationName + "'";
@ -72,6 +76,10 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
String msg = "Failed to retrieve the tenant" + tenantDomain + "'";
log.error(msg, e);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
} catch (DeviceManagementException e) {
String msg = "Failed to retrieve the device service";
log.error(msg, e);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
@ -81,6 +89,13 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
@POST
public Response register(RegistrationProfile registrationProfile) {
try {
if (registrationProfile.getTags() == null || registrationProfile.getTags().length == 0) {
return Response.status(Response.Status.NOT_ACCEPTABLE).entity("Tags should not be empty").build();
}
if (APIUtil.getAllowedApisTags().containsAll(Arrays.asList(registrationProfile.getTags()))) {
return Response.status(Response.Status.NOT_ACCEPTABLE).entity("APIs(Tags) are not allowed to this user."
).build();
}
String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser();
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
if (registrationProfile.isMappingAnExistingOAuthApp()) {
@ -109,6 +124,10 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
+ registrationProfile.getApplicationName() + "'";
log.error(msg, e);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("false").build();
} catch (DeviceManagementException e) {
String msg = "Failed to retrieve the device service";
log.error(msg, e);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
}
}

@ -22,14 +22,19 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.application.extension.APIManagementProviderService;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.DeviceManagementException;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.user.core.service.RealmService;
import java.util.List;
/**
* This class provides utility functions used by REST-API.
*/
public class APIUtil {
private static Log log = LogFactory.getLog(APIUtil.class);
private static final String DEFAULT_CDMF_API_TAG = "device_management";
public static String getAuthenticatedUser() {
PrivilegedCarbonContext threadLocalCarbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
@ -70,4 +75,23 @@ public class APIUtil {
}
return realmService;
}
public static DeviceManagementProviderService getDeviceManagementProviderService() {
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
DeviceManagementProviderService deviceManagementProviderService =
(DeviceManagementProviderService) ctx.getOSGiService(DeviceManagementProviderService.class, null);
if (deviceManagementProviderService == null) {
String msg = "Device Management service has not initialized.";
log.error(msg);
throw new IllegalStateException(msg);
}
return deviceManagementProviderService;
}
public static List<String> getAllowedApisTags() throws DeviceManagementException {
//Todo get allowed cdmf service tags from config.
List<String> allowedApisTags = getDeviceManagementProviderService().getAvailableDeviceTypes();
allowedApisTags.add(DEFAULT_CDMF_API_TAG);
return getAllowedApisTags();
}
}

@ -41,20 +41,6 @@ public interface APIManagementProviderService {
String keyType, String username, boolean isAllowedAllDomains)
throws APIManagerException;
/**
* Generate and retreive application keys. if the application does exist then
* create it and subscribe to all apis.
*
* @param apiApplicationName name of the application.
* @param keyType of the application.
* @param username to whom the application is created
* @return consumerkey and secrete of the created application.
* @throws APIManagerException
*/
ApiApplicationKey generateAndRetrieveApplicationKeys(String apiApplicationName, String keyType,
String username, boolean isAllowedAllDomains)
throws APIManagerException;
/**
* Register existing Oauth application as apim application.
*/

@ -43,70 +43,6 @@ public class APIManagementProviderServiceImpl implements APIManagementProviderSe
private static final Log log = LogFactory.getLog(APIManagementProviderServiceImpl.class);
/**
* {@inheritDoc}
*/
@Override
public ApiApplicationKey generateAndRetrieveApplicationKeys(String apiApplicationName, String keyType,
String username, boolean isAllowedAllDomains)
throws APIManagerException {
try {
APIManagerUtil.loadTenantRegistry();
APIConsumer apiConsumer = APIManagerFactory.getInstance().getAPIConsumer(username);
String groupId = getLoggedInUserGroupId(username, APIManagerUtil.getTenantDomain());
int applicationId = createApplicationAndSubscribeToAllAPIs(apiApplicationName, username);
Application[] applications = apiConsumer.getApplications(apiConsumer.getSubscriber(username), groupId);
Application application = null;
for (Application app : applications) {
if (app.getId() == applicationId) {
application = app;
}
}
if (application == null) {
throw new APIManagerException("Api application creation failed for " + apiApplicationName +
" to the user " + username);
}
APIKey retrievedApiApplicationKey = null;
for (APIKey apiKey : application.getKeys()) {
String applicationKeyType = apiKey.getType();
if (applicationKeyType != null && applicationKeyType.equals(keyType)) {
retrievedApiApplicationKey = apiKey;
break;
}
}
if (retrievedApiApplicationKey != null) {
ApiApplicationKey apiApplicationKey = new ApiApplicationKey();
apiApplicationKey.setConsumerKey(retrievedApiApplicationKey.getConsumerKey());
apiApplicationKey.setConsumerSecret(retrievedApiApplicationKey.getConsumerSecret());
return apiApplicationKey;
}
String[] allowedDomains = new String[1];
if (isAllowedAllDomains) {
allowedDomains[0] = ApiApplicationConstants.ALLOWED_DOMAINS;
} else {
allowedDomains[0] = APIManagerUtil.getTenantDomain();
}
JSONObject jsonObject = new JSONObject();
jsonObject.put(ApiApplicationConstants.JSONSTRING_USERNAME_TAG, username);
String ownerJsonString = jsonObject.toJSONString();
Map<String, Object> keyDetails = apiConsumer.requestApprovalForApplicationRegistration(username,
apiApplicationName,
keyType, "",
allowedDomains,
ApiApplicationConstants.DEFAULT_VALIDITY_PERIOD,
"null", groupId,
ownerJsonString);
ApiApplicationKey apiApplicationKey = new ApiApplicationKey();
apiApplicationKey.setConsumerKey((String) keyDetails.get(APIConstants.FrontEndParameterNames
.CONSUMER_KEY));
apiApplicationKey.setConsumerSecret((String) keyDetails.get(
APIConstants.FrontEndParameterNames.CONSUMER_SECRET));
return apiApplicationKey;
} catch (APIManagementException e) {
throw new APIManagerException("Failed to register a api application : " + apiApplicationName, e);
}
}
/**
* {@inheritDoc}
*/
@ -385,43 +321,6 @@ public class APIManagementProviderServiceImpl implements APIManagementProviderSe
}
}
/**
* This method registers an api application and then subscribe the application to the api.
*
* @param username subscription is created for the user.
* @throws APIManagerException
*/
private int createApplicationAndSubscribeToAllAPIs(String apiApplicationName, String username)
throws APIManagerException {
try {
APIConsumer apiConsumer = APIManagerFactory.getInstance().getAPIConsumer(username);
String groupId = getLoggedInUserGroupId(username, APIManagerUtil.getTenantDomain());
int applicationId = createApplication(apiConsumer, apiApplicationName, username, groupId);
String tenantDomain = MultitenantUtils.getTenantDomain(username);
Set<API> userVisibleAPIs = apiConsumer.getAllPublishedAPIs(tenantDomain);
if (!MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
userVisibleAPIs.addAll(apiConsumer.getAllPublishedAPIs(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME));
}
Subscriber subscriber = apiConsumer.getSubscriber(username);
Set<SubscribedAPI> subscribedAPIs = apiConsumer.getSubscribedAPIs(subscriber);
for (API visibleApi : userVisibleAPIs) {
APIIdentifier apiIdentifier = visibleApi.getId();
boolean isSubscribed = false;
for (SubscribedAPI subscribedAPI : subscribedAPIs) {
if (subscribedAPI.getApiId().equals(apiIdentifier)) {
isSubscribed = true;
}
}
if (!isSubscribed) {
addSubscription(apiConsumer, apiIdentifier, applicationId, username);
}
}
return applicationId;
} catch (APIManagementException e) {
throw new APIManagerException("Failed to fetch device apis information for the user " + username, e);
}
}
private String getLoggedInUserGroupId(String username, String tenantDomain) throws APIManagerException {
JSONObject loginInfoJsonObj = new JSONObject();
try {

@ -1,14 +1,21 @@
package org.wso2.carbon.device.mgt.jaxrs.beans;
import io.swagger.annotations.ApiModel;
import io.swagger.annotations.ApiModelProperty;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import java.util.List;
@ApiModel(value = "AuthorizationRequest", description = "Authorization details together with deviceIdentifier and permission")
public class AuthorizationRequest {
@ApiModelProperty(name = "tenantDomain", value = "tenant domain.", required = false)
String tenantDomain;
@ApiModelProperty(name = "username", value = "username of the user, to whom the device identifiers needs to be verified", required = true)
String username;
@ApiModelProperty(name = "deviceIdentifiers", value = "list of devices that needs to be verified against the user", required = true)
List<DeviceIdentifier> deviceIdentifiers;
@ApiModelProperty(name = "permission", value = "if null then checks against the owner else it could be grouping permission", required = false)
List<String> permissions;
public String getTenantDomain() {

@ -20,26 +20,18 @@ package org.wso2.carbon.device.mgt.jaxrs.service.api.admin;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import io.swagger.annotations.ResponseHeader;
import org.wso2.carbon.apimgt.annotations.api.API;
import org.wso2.carbon.apimgt.annotations.api.Permission;
import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
import org.wso2.carbon.device.mgt.common.operation.mgt.Activity;
import org.wso2.carbon.device.mgt.jaxrs.beans.AuthorizationRequest;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import javax.validation.constraints.Size;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@ -67,7 +67,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType());
}
//check for admin and ownership permissions
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
if (isAdmin(username, tenantId) || isDeviceOwner(deviceIdentifier, username)) {
return true;
}
//check for group permissions
@ -127,9 +127,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
return null;
}
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
if (isAdmin(username, tenantId)) {
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
}
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
//check for admin and ownership permissions
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
if (isDeviceOwner(deviceIdentifier, username)) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
try {
@ -179,15 +182,13 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions);
}
private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
private boolean isAdmin(String username, int tenantId)
throws DeviceAccessAuthorizationException {
try {
//First Check for admin users. If the user is an admin user we authorize the access to that device.
//Secondly Check for device ownership. If the user is the owner of the device we allow the access.
return (isAdminUser(username, tenantId) || isDeviceOwner(deviceIdentifier, username));
//Check for admin users. If the user is an admin user we authorize the access to that device.
return (isAdminUser(username, tenantId));
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
throw new DeviceAccessAuthorizationException("Unable to authorize the access for the user : " +
username, e);
}
}

@ -34,10 +34,6 @@
<url>http://wso2.org</url>
<dependencies>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.common</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.oauth</artifactId>
@ -54,18 +50,10 @@
<groupId>org.wso2.carbon.apimgt</groupId>
<artifactId>org.wso2.carbon.apimgt.keymgt</artifactId>
</dependency>
<dependency>
<groupId>com.googlecode.json-simple.wso2</groupId>
<artifactId>json-simple</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.oauth2.grant.jwt</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.core</artifactId>
</dependency>
<dependency>
<groupId>com.googlecode.json-simple.wso2</groupId>
<artifactId>json-simple</artifactId>
</dependency>
</dependencies>
<build>
@ -94,9 +82,7 @@
javax.security.auth.*,
org.apache.commons.logging,
org.osgi.service.component,
org.wso2.carbon.device.mgt.common.permission.mgt,
org.wso2.carbon.device.mgt.oauth.extensions.*,
org.wso2.carbon.device.mgt.*,
org.wso2.carbon.identity.application.common.model,
org.wso2.carbon.identity.oauth.callback,
org.wso2.carbon.identity.oauth2,
@ -123,10 +109,6 @@
org.wso2.carbon.utils.multitenancy,
org.wso2.carbon.identity.oauth2.grant.jwt.*,
org.wso2.carbon.device.mgt.core.*,
javax.xml.bind,
javax.xml.bind.annotation,
javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional,
org.w3c.dom,
org.wso2.carbon.apimgt.keymgt,
org.wso2.carbon.apimgt.keymgt.handlers,
com.google.gson,

@ -1,30 +0,0 @@
package org.wso2.carbon.device.mgt.oauth.extensions;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import java.util.List;
/**
* This class holds the request format for device for grant type.
*/
public class DeviceRequestDTO {
private List<DeviceIdentifier> deviceIdentifiers;
private String scope;
public List<DeviceIdentifier> getDeviceIdentifiers() {
return deviceIdentifiers;
}
public void setDeviceIdentifiers(List<DeviceIdentifier> deviceIdentifiers) {
this.deviceIdentifiers = deviceIdentifiers;
}
public String getScope() {
return scope;
}
public void setScope(String scope) {
this.scope = scope;
}
}

@ -1,13 +0,0 @@
package org.wso2.carbon.device.mgt.oauth.extensions;
/**
* This hold the OAuthConstants related oauth extensions.
*/
public class OAuthConstants {
public static final String DEFAULT_DEVICE_ASSERTION = "device";
public static final String DEFAULT_USERNAME_IDENTIFIER = "username";
public static final String DEFAULT_PASSWORD_IDENTIFIER = "password";
}

@ -18,25 +18,14 @@
package org.wso2.carbon.device.mgt.oauth.extensions;
import com.google.gson.Gson;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.w3c.dom.Document;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.keymgt.ScopesIssuer;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfig;
import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfigurationFailedException;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.user.api.TenantManager;
import org.wso2.carbon.user.api.UserRealm;
@ -44,9 +33,6 @@ import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import javax.cache.Caching;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@ -126,7 +112,6 @@ public class OAuthExtUtils {
restAPIScopesOfCurrentTenant = APIUtil.
getRESTAPIScopesFromConfig(APIUtil.getTenantRESTAPIScopesConfig(tenantDomain));
//call load tenant org.wso2.carbon.device.mgt.iot.output.adapter.ui.config for rest API.
//then put cache
appScopes.putAll(restAPIScopesOfCurrentTenant);
Caching.getCacheManager(APIConstants.API_MANAGER_CACHE_MANAGER)
@ -288,82 +273,4 @@ public class OAuthExtUtils {
return trimmedName.substring(START_INDEX, trimmedName.lastIndexOf('@'));
}
public static boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) {
boolean isScopesSet = ScopesIssuer.getInstance().setScopes(tokReqMsgCtx);
if (isScopesSet) {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
tokReqMsgCtx.getAuthorizedUser().getTenantDomain(), true);
String username = tokReqMsgCtx.getAuthorizedUser().getUserName();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
try {
DeviceRequestDTO deviceRequestDTO = null;
RequestParameter parameters[] = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
for (RequestParameter parameter : parameters) {
if (OAuthConstants.DEFAULT_DEVICE_ASSERTION.equals(parameter.getKey())) {
String deviceJson = parameter.getValue()[0];
Gson gson = new Gson();
deviceRequestDTO = gson.fromJson(new String(Base64.decodeBase64(deviceJson)),
DeviceRequestDTO.class);
}
}
if (deviceRequestDTO != null) {
String requestScopes = deviceRequestDTO.getScope();
String scopeNames[] = requestScopes.split(" ");
for (String scopeName : scopeNames) {
List<DeviceIdentifier> deviceIdentifiers = deviceRequestDTO.getDeviceIdentifiers();
DeviceAuthorizationResult deviceAuthorizationResult = OAuthExtensionsDataHolder.getInstance()
.getDeviceAccessAuthorizationService()
.isUserAuthorized(deviceIdentifiers, username, getPermissions(scopeName));
if (deviceAuthorizationResult != null &&
deviceAuthorizationResult.getAuthorizedDevices() != null) {
String scopes[] = tokReqMsgCtx.getScope();
String authorizedScopes[] = new String[scopes.length + deviceAuthorizationResult
.getAuthorizedDevices().size()];
int scopeIndex = 0;
for (String scope : scopes) {
authorizedScopes[scopeIndex] = scope;
scopeIndex++;
}
for (DeviceIdentifier deviceIdentifier : deviceAuthorizationResult.getAuthorizedDevices()) {
authorizedScopes[scopeIndex] =
DEFAULT_SCOPE_TAG + ":" + deviceIdentifier.getType() + ":" +
deviceIdentifier.getId() + ":" + scopeName;
scopeIndex++;
}
tokReqMsgCtx.setScope(authorizedScopes);
}
}
}
} catch (DeviceAccessAuthorizationException e) {
log.error("Error occurred while checking authorization for the user " + username, e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
return isScopesSet;
}
/**
* retrieve the permission related to given scope.
* @param scopeName requested scope action
* @return set of permission associated with the given scope.
*/
private static String[] getPermissions(String scopeName) {
return DeviceMgtScopesConfig.getInstance().getDeviceMgtScopePermissionMap().get(scopeName);
}
public static Document convertToDocument(File file) throws DeviceMgtScopesConfigurationFailedException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
try {
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file);
} catch (Exception e) {
throw new DeviceMgtScopesConfigurationFailedException("Error occurred while parsing file, while converting " +
"to a org.w3c.dom.Document", e);
}
}
}

@ -1,90 +0,0 @@
package org.wso2.carbon.device.mgt.oauth.extensions.config;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlType;
/**
* <p>Java class for Action complex type.
*
* <p>The following schema fragment specifies the expected content contained within this class.
*
* <pre>
* &lt;complexType name="Action">
* &lt;complexContent>
* &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
* &lt;sequence>
* &lt;element name="Permissions" type="{}Permissions"/>
* &lt;/sequence>
* &lt;attribute name="name" type="{http://www.w3.org/2001/XMLSchema}string" />
* &lt;/restriction>
* &lt;/complexContent>
* &lt;/complexType>
* </pre>
*
*
*/
@XmlAccessorType(XmlAccessType.FIELD)
@XmlType(name = "Action", propOrder = {
"permissions"
})
public class Action {
@XmlElement(name = "Permissions", required = true)
protected Permissions permissions;
@XmlAttribute(name = "name")
protected String name;
/**
* Gets the value of the permissions property.
*
* @return
* possible object is
* {@link Permissions }
*
*/
public Permissions getPermissions() {
return permissions;
}
/**
* Sets the value of the permissions property.
*
* @param value
* allowed object is
* {@link Permissions }
*
*/
public void setPermissions(Permissions value) {
this.permissions = value;
}
/**
* Gets the value of the name property.
*
* @return
* possible object is
* {@link String }
*
*/
public String getName() {
return name;
}
/**
* Sets the value of the name property.
*
* @param value
* allowed object is
* {@link String }
*
*/
public void setName(String value) {
this.name = value;
}
}

@ -1,67 +0,0 @@
package org.wso2.carbon.device.mgt.oauth.extensions.config;
import java.util.ArrayList;
import java.util.List;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlType;
/**
* <p>Java class for DeviceMgtScopes complex type.
*
* <p>The following schema fragment specifies the expected content contained within this class.
*
* <pre>
* &lt;complexType name="DeviceMgtScopes">
* &lt;complexContent>
* &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
* &lt;sequence>
* &lt;element name="Action" type="{}Action" maxOccurs="unbounded" minOccurs="0"/>
* &lt;/sequence>
* &lt;/restriction>
* &lt;/complexContent>
* &lt;/complexType>
* </pre>
*
*
*/
@XmlRootElement(name = "DeviceMgtScopes")
public class DeviceMgtScopes {
@XmlElement(name = "Action")
protected List<Action> action;
/**
* Gets the value of the action property.
*
* <p>
* This accessor method returns a reference to the live list,
* not a snapshot. Therefore any modification you make to the
* returned list will be present inside the JAXB object.
* This is why there is not a <CODE>set</CODE> method for the action property.
*
* <p>
* For example, to add a new item, do as follows:
* <pre>
* getAction().add(newItem);
* </pre>
*
*
* <p>
* Objects of the following type(s) are allowed in the list
* {@link Action }
*
*
*/
public List<Action> getAction() {
if (action == null) {
action = new ArrayList<Action>();
}
return this.action;
}
}

@ -1,67 +0,0 @@
package org.wso2.carbon.device.mgt.oauth.extensions.config;
import org.w3c.dom.Document;
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
import org.wso2.carbon.utils.CarbonUtils;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import java.io.File;
import java.util.HashMap;
import java.util.Map;
/**
* This class represents the configuration that are needed for scopes to permission map.
*/
public class DeviceMgtScopesConfig {
private static DeviceMgtScopesConfig config = new DeviceMgtScopesConfig();
private static Map<String, String[]> actionPermissionMap = new HashMap<>();
private static final String DEVICE_MGT_SCOPES_CONFIG_PATH =
CarbonUtils.getEtcCarbonConfigDirPath() + File.separator + "device-mgt-scopes.xml";
private DeviceMgtScopesConfig() {
}
public static DeviceMgtScopesConfig getInstance() {
return config;
}
public static void init() throws DeviceMgtScopesConfigurationFailedException {
try {
File deviceMgtConfig = new File(DEVICE_MGT_SCOPES_CONFIG_PATH);
Document doc = OAuthExtUtils.convertToDocument(deviceMgtConfig);
/* Un-marshaling DeviceMGtScope configuration */
JAXBContext ctx = JAXBContext.newInstance(DeviceMgtScopes.class);
Unmarshaller unmarshaller = ctx.createUnmarshaller();
//unmarshaller.setSchema(getSchema());
DeviceMgtScopes deviceMgtScopes = (DeviceMgtScopes) unmarshaller.unmarshal(doc);
if (deviceMgtScopes != null) {
for (Action action : deviceMgtScopes.getAction()) {
Permissions permissions = action.getPermissions();
if (permissions != null) {
String permission[] = new String[permissions.getPermission().size()];
int i = 0;
for (String perm : permissions.getPermission()) {
permission[i] = perm;
i++;
}
actionPermissionMap.put(action.getName(), permission);
}
}
}
} catch (JAXBException e) {
throw new DeviceMgtScopesConfigurationFailedException("Error occurred while un-marshalling Device Scope" +
" Config", e);
}
}
public Map<String, String[]> getDeviceMgtScopePermissionMap() {
return actionPermissionMap;
}
}

@ -1,44 +0,0 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.config;
public class DeviceMgtScopesConfigurationFailedException extends Exception {
private static final long serialVersionUID = -3151279312929070398L;
public DeviceMgtScopesConfigurationFailedException(String msg, Exception nestedEx) {
super(msg, nestedEx);
}
public DeviceMgtScopesConfigurationFailedException(String message, Throwable cause) {
super(message, cause);
}
public DeviceMgtScopesConfigurationFailedException(String msg) {
super(msg);
}
public DeviceMgtScopesConfigurationFailedException() {
super();
}
public DeviceMgtScopesConfigurationFailedException(Throwable cause) {
super(cause);
}
}

@ -1,78 +0,0 @@
package org.wso2.carbon.device.mgt.oauth.extensions.config;
import java.util.ArrayList;
import java.util.List;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlType;
/**
* <p>Java class for Permissions complex type.
*
* <p>The following schema fragment specifies the expected content contained within this class.
*
* <pre>
* &lt;complexType name="Permissions">
* &lt;complexContent>
* &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
* &lt;sequence>
* &lt;element name="Permission" maxOccurs="unbounded" minOccurs="0">
* &lt;simpleType>
* &lt;restriction base="{http://www.w3.org/2001/XMLSchema}string">
* &lt;enumeration value="/permission/device-mgt/user/groups/device_operation"/>
* &lt;enumeration value="/permission/device-mgt/groups"/>
* &lt;enumeration value="/permission/device-mgt/user/groups"/>
* &lt;enumeration value="/permission/device-mgt/user/groups/device_monitor"/>
* &lt;/restriction>
* &lt;/simpleType>
* &lt;/element>
* &lt;/sequence>
* &lt;/restriction>
* &lt;/complexContent>
* &lt;/complexType>
* </pre>
*
*
*/
@XmlAccessorType(XmlAccessType.FIELD)
@XmlType(name = "Permissions", propOrder = {
"permission"
})
public class Permissions {
@XmlElement(name = "Permission")
protected List<String> permission;
/**
* Gets the value of the permission property.
*
* <p>
* This accessor method returns a reference to the live list,
* not a snapshot. Therefore any modification you make to the
* returned list will be present inside the JAXB object.
* This is why there is not a <CODE>set</CODE> method for the permission property.
*
* <p>
* For example, to add a new item, do as follows:
* <pre>
* getPermission().add(newItem);
* </pre>
*
*
* <p>
* Objects of the following type(s) are allowed in the list
* {@link String }
*
*
*/
public List<String> getPermission() {
if (permission == null) {
permission = new ArrayList<String>();
}
return this.permission;
}
}

@ -1,31 +0,0 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
public class ExtendedDeviceMgtJWTBearerGrantHandler extends JWTBearerGrantHandler {
@Override
public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
return OAuthExtUtils.validateScope(tokReqMsgCtx);
}
}

@ -1,59 +0,0 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler;
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
@SuppressWarnings("unused")
public class ExtendedDeviceMgtPasswordGrantHandler extends ExtendedPasswordGrantHandler {
private static Log log = LogFactory.getLog(ExtendedDeviceMgtPasswordGrantHandler.class);
@Override
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
RequestParameter parameters[] = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
for (RequestParameter parameter : parameters) {
switch (parameter.getKey()) {
case OAuthConstants.DEFAULT_USERNAME_IDENTIFIER:
String username = parameter.getValue()[0];
tokReqMsgCtx.getOauth2AccessTokenReqDTO().setResourceOwnerUsername(username);
break;
case OAuthConstants.DEFAULT_PASSWORD_IDENTIFIER:
String password = parameter.getValue()[0];
tokReqMsgCtx.getOauth2AccessTokenReqDTO().setResourceOwnerPassword(password);
break;
}
}
return super.validateGrant(tokReqMsgCtx);
}
@Override
public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) {
return OAuthExtUtils.validateScope(tokReqMsgCtx);
}
}

@ -24,12 +24,6 @@ import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.apimgt.impl.APIManagerConfiguration;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfig;
import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfigurationFailedException;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.CarbonUtils;
@ -52,18 +46,6 @@ import java.util.List;
* policy="dynamic"
* bind="setOAuth2ValidationService"
* unbind="unsetOAuth2ValidationService"
* @scr.reference name="permission.manager.service"
* interface="org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService"
* cardinality="1..1"
* policy="dynamic"
* bind="setPermissionManagerService"
* unbind="unsetPermissionManagerService"
* @scr.reference name="org.wso2.carbon.device.authorization"
* interface="org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService"
* cardinality="1..1"
* policy="dynamic"
* bind="setDeviceAccessAuthorizationService"
* unbind="unsetDeviceAccessAuthorizationService"
*/
public class OAuthExtensionServiceComponent {
@ -79,7 +61,6 @@ public class OAuthExtensionServiceComponent {
log.debug("Starting OAuthExtensionBundle");
}
try {
DeviceMgtScopesConfig.init();
APIManagerConfiguration configuration = new APIManagerConfiguration();
String filePath = new StringBuilder().
@ -108,8 +89,6 @@ public class OAuthExtensionServiceComponent {
OAuthExtensionsDataHolder.getInstance().setWhitelistedScopes(whiteList);
} catch (APIManagementException e) {
log.error("Error occurred while loading DeviceMgtConfig configurations", e);
} catch (DeviceMgtScopesConfigurationFailedException e) {
log.error("Failed to initialize device scope configuration.", e);
}
}
@ -168,50 +147,5 @@ public class OAuthExtensionServiceComponent {
OAuthExtensionsDataHolder.getInstance().setoAuth2TokenValidationService(null);
}
/**
* Sets PermissionManagerService Service.
*
* @param permissionManagerService An instance of PermissionManagerService
*/
protected void setPermissionManagerService(PermissionManagerService permissionManagerService) {
if (log.isDebugEnabled()) {
log.debug("Setting PermissionManager Service");
}
OAuthExtensionsDataHolder.getInstance().setPermissionManagerService(permissionManagerService);
}
/**
* Unsets PermissionManagerService Service.
*
* @param permissionManagerService An instance of PermissionManagerService
*/
protected void unsetPermissionManagerService(PermissionManagerService permissionManagerService) {
if (log.isDebugEnabled()) {
log.debug("Unsetting PermissionManager Service");
}
OAuthExtensionsDataHolder.getInstance().setPermissionManagerService(null);
}
/**
* Set DeviceManagementProviderService
* @param deviceAccessAuthorizationService An instance of deviceAccessAuthorizationService
*/
protected void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
if (log.isDebugEnabled()) {
log.debug("Setting Device Management Service");
}
OAuthExtensionsDataHolder.getInstance().setDeviceAccessAuthorizationService(deviceAccessAuthorizationService);
}
/**
* unset DeviceManagementProviderService
* @param deviceAccessAuthorizationService An instance of deviceAccessAuthorizationService
*/
protected void unsetDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
if (log.isDebugEnabled()) {
log.debug("Removing Device Management Service");
}
OAuthExtensionsDataHolder.getInstance().setDeviceAccessAuthorizationService(null);
}
}

@ -18,9 +18,6 @@
package org.wso2.carbon.device.mgt.oauth.extensions.internal;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.user.core.service.RealmService;
@ -33,10 +30,7 @@ public class OAuthExtensionsDataHolder {
private RealmService realmService;
private OAuth2TokenValidationService oAuth2TokenValidationService;
private PermissionManagerService permissionManagerService;
private List<String> whitelistedScopes;
private String deviceScope;
private DeviceAccessAuthorizationService deviceAccessAuthorizationService;
private static OAuthExtensionsDataHolder thisInstance = new OAuthExtensionsDataHolder();
@ -69,17 +63,6 @@ public class OAuthExtensionsDataHolder {
this.oAuth2TokenValidationService = oAuth2TokenValidationService;
}
public void setPermissionManagerService(PermissionManagerService permissionManagerService) {
this.permissionManagerService = permissionManagerService;
}
public PermissionManagerService getPermissionManagerService() {
if (permissionManagerService == null) {
throw new IllegalStateException("PermissionManager service is not initialized properly");
}
return permissionManagerService;
}
public List<String> getWhitelistedScopes() {
return whitelistedScopes;
}
@ -88,15 +71,4 @@ public class OAuthExtensionsDataHolder {
this.whitelistedScopes = whitelistedScopes;
}
public String getDeviceScope() {
return deviceScope;
}
public DeviceAccessAuthorizationService getDeviceAccessAuthorizationService() {
return deviceAccessAuthorizationService;
}
public void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
this.deviceAccessAuthorizationService = deviceAccessAuthorizationService;
}
}

@ -1,38 +0,0 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License
*/
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
import org.apache.oltu.oauth2.common.OAuth;
import org.apache.oltu.oauth2.common.validators.AbstractValidator;
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
import javax.servlet.http.HttpServletRequest;
/**
* Grant validator for JSON Web Tokens
* For JWT Grant to be valid the required parameters are
* grant_type and assertion
*/
public class ExtendedDeviceJWTGrantValidator extends AbstractValidator<HttpServletRequest> {
public ExtendedDeviceJWTGrantValidator() {
requiredParams.add(OAuth.OAUTH_GRANT_TYPE);
requiredParams.add(OAuth.OAUTH_ASSERTION);
}
}

@ -1,37 +0,0 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License
*/
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
import org.apache.oltu.oauth2.common.OAuth;
import org.apache.oltu.oauth2.common.validators.AbstractValidator;
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
import javax.servlet.http.HttpServletRequest;
/**
* Grant validator for Device Object with Password Grant type
*/
public class ExtendedDevicePasswordGrantValidator extends AbstractValidator<HttpServletRequest> {
public ExtendedDevicePasswordGrantValidator() {
requiredParams.add(OAuth.OAUTH_USERNAME);
requiredParams.add(OAuth.OAUTH_PASSWORD);
requiredParams.add(OAuthConstants.DEFAULT_DEVICE_ASSERTION);
}
}

@ -1,112 +0,0 @@
/*
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* you may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import java.util.Properties;
/**
* Custom OAuth2Token Scope validation implementation for DeviceManagement. This will validate the
* user permissions before dispatching the HTTP request to the actual endpoint.
*/
public class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
private static final String URL_PROPERTY = "URL";
private static final String HTTP_METHOD_PROPERTY = "HTTP_METHOD";
public static final class PermissionMethod {
private PermissionMethod() {
throw new AssertionError();
}
public static final String READ = "read";
public static final String WRITE = "write";
public static final String DELETE = "delete";
public static final String ACTION = "action";
public static final String UI_EXECUTE = "ui.execute";
}
private static final Log log = LogFactory.getLog(PermissionBasedScopeValidator.class);
@Override
public boolean validateScope(AccessTokenDO accessTokenDO, String resource)
throws IdentityOAuth2Exception {
boolean status = true;
//Extract the url & http method
int idx = resource.lastIndexOf(':');
String url = resource.substring(0, idx);
String method = resource.substring(++idx, resource.length());
//This is to remove the url params for request path.
int urlParamIndex = url.indexOf('?');
if(urlParamIndex > 0) {
url = url.substring(0, urlParamIndex);
}
Properties properties = new Properties();
properties.put(PermissionBasedScopeValidator.URL_PROPERTY, url.toLowerCase());
properties.put(PermissionBasedScopeValidator.HTTP_METHOD_PROPERTY, method.toUpperCase());
PermissionManagerService permissionManagerService = OAuthExtensionsDataHolder.getInstance().
getPermissionManagerService();
try {
Permission permission = permissionManagerService.getPermission(properties);
User authzUser = accessTokenDO.getAuthzUser();
if ((permission != null) && (authzUser != null)) {
if (permission.getPath() == null) {
if (log.isDebugEnabled()) {
log.debug("Permission is not defined for the resource '" + resource + "'");
}
return true;
}
String username = authzUser.getUserName();
String userStore = authzUser.getUserStoreDomain();
int tenantId = OAuthExtUtils.getTenantId(authzUser.getTenantDomain());
UserRealm userRealm = OAuthExtensionsDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
if (userStore != null) {
status = userRealm.getAuthorizationManager()
.isUserAuthorized(userStore + "/" + username, permission.getPath(),
PermissionMethod.UI_EXECUTE);
} else {
status = userRealm.getAuthorizationManager()
.isUserAuthorized(username, permission.getPath(), PermissionMethod.UI_EXECUTE);
}
}
}
} catch (PermissionManagementException e) {
log.error("Error occurred while validating the resource scope for : " + resource +
", Msg = " + e.getMessage(), e);
} catch (UserStoreException e) {
log.error("Error occurred while retrieving user store. " + e.getMessage());
}
return status;
}
}

@ -73,7 +73,9 @@ public class JWTClient {
throw new JWTClientException("JWT is not configured properly for user : " + username);
}
params.add(new BasicNameValuePair(JWTConstants.JWT_PARAM_NAME, assertion));
params.add(new BasicNameValuePair(JWTConstants.SCOPE_PARAM_NAME, scopes));
if (scopes != null && !scopes.isEmpty()) {
params.add(new BasicNameValuePair(JWTConstants.SCOPE_PARAM_NAME, scopes));
}
return getTokenInfo(params, consumerKey, consumerSecret);
}
@ -87,7 +89,9 @@ public class JWTClient {
throw new JWTClientException("JWT is not configured properly for user : " + username);
}
params.add(new BasicNameValuePair(JWTConstants.JWT_PARAM_NAME, assertion));
params.add(new BasicNameValuePair(JWTConstants.SCOPE_PARAM_NAME, scopes));
if (scopes != null && !scopes.isEmpty()) {
params.add(new BasicNameValuePair(JWTConstants.SCOPE_PARAM_NAME, scopes));
}
if (paramsMap != null) {
for (String key : paramsMap.keySet()) {
params.add(new BasicNameValuePair(key, paramsMap.get(key)));

@ -1,51 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
~
~ WSO2 Inc. licenses this file to you under the Apache License,
~ Version 2.0 (the "License"); you may not use this file except
~ in compliance with the License.
~ you may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<!--This holds the scopes that are allowed by the device-mgt, The user require below permission to get the required scope-->
<!--These scopes are assigned after validating with device-mgt specific grant types-->
<DeviceMgtScopes>
<Action name="mqtt-publisher">
<Permissions>
<Permission>/permission/device-mgt/user/groups/device_operation</Permission>
<Permission>/permission/device-mgt/admin/groups</Permission>
<Permission>/permission/device-mgt/user/groups</Permission>
</Permissions>
</Action>
<Action name="mqtt-subscriber">
<Permissions>
<Permission>/permission/device-mgt/user/groups/device_monitor</Permission>
<Permission>/permission/device-mgt/admin/groups</Permission>
<Permission>/permission/device-mgt/user/groups</Permission>
</Permissions>
</Action>
<Action name="stats">
<Permissions>
<Permission>/permission/device-mgt/user/groups/device_monitor</Permission>
<Permission>/permission/device-mgt/admin/groups</Permission>
<Permission>/permission/device-mgt/user/groups</Permission>
</Permissions>
</Action>
<Action name="operation">
<Permissions>
<Permission>/permission/device-mgt/user/groups/device_operation</Permission>
<Permission>/permission/device-mgt/admin/groups</Permission>
<Permission>/permission/device-mgt/user/groups</Permission>
</Permissions>
</Action>
</DeviceMgtScopes>

@ -1,2 +1 @@
instructions.configure = \
org.eclipse.equinox.p2.touchpoint.natives.copy(source:${installFolder}/../features/org.wso2.carbon.device.mgt.oauth.extensions_${feature.version}/device-mgt-scopes.xml,target:${installFolder}/../../conf/etc/device-mgt-scopes.xml,overwrite:true);\
instructions.configure = \
Loading…
Cancel
Save