parent
28faf53802
commit
fe263efe60
@ -1,30 +0,0 @@
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions;
|
||||
|
||||
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* This class holds the request format for device for grant type.
|
||||
*/
|
||||
public class DeviceRequestDTO {
|
||||
|
||||
private List<DeviceIdentifier> deviceIdentifiers;
|
||||
private String scope;
|
||||
|
||||
public List<DeviceIdentifier> getDeviceIdentifiers() {
|
||||
return deviceIdentifiers;
|
||||
}
|
||||
|
||||
public void setDeviceIdentifiers(List<DeviceIdentifier> deviceIdentifiers) {
|
||||
this.deviceIdentifiers = deviceIdentifiers;
|
||||
}
|
||||
|
||||
public String getScope() {
|
||||
return scope;
|
||||
}
|
||||
|
||||
public void setScope(String scope) {
|
||||
this.scope = scope;
|
||||
}
|
||||
}
|
@ -1,13 +0,0 @@
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions;
|
||||
|
||||
|
||||
/**
|
||||
* This hold the OAuthConstants related oauth extensions.
|
||||
*/
|
||||
public class OAuthConstants {
|
||||
|
||||
public static final String DEFAULT_DEVICE_ASSERTION = "device";
|
||||
public static final String DEFAULT_USERNAME_IDENTIFIER = "username";
|
||||
public static final String DEFAULT_PASSWORD_IDENTIFIER = "password";
|
||||
|
||||
}
|
@ -1,90 +0,0 @@
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.config;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlAttribute;
|
||||
import javax.xml.bind.annotation.XmlElement;
|
||||
import javax.xml.bind.annotation.XmlType;
|
||||
|
||||
|
||||
/**
|
||||
* <p>Java class for Action complex type.
|
||||
*
|
||||
* <p>The following schema fragment specifies the expected content contained within this class.
|
||||
*
|
||||
* <pre>
|
||||
* <complexType name="Action">
|
||||
* <complexContent>
|
||||
* <restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
|
||||
* <sequence>
|
||||
* <element name="Permissions" type="{}Permissions"/>
|
||||
* </sequence>
|
||||
* <attribute name="name" type="{http://www.w3.org/2001/XMLSchema}string" />
|
||||
* </restriction>
|
||||
* </complexContent>
|
||||
* </complexType>
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
*/
|
||||
@XmlAccessorType(XmlAccessType.FIELD)
|
||||
@XmlType(name = "Action", propOrder = {
|
||||
"permissions"
|
||||
})
|
||||
public class Action {
|
||||
|
||||
@XmlElement(name = "Permissions", required = true)
|
||||
protected Permissions permissions;
|
||||
@XmlAttribute(name = "name")
|
||||
protected String name;
|
||||
|
||||
/**
|
||||
* Gets the value of the permissions property.
|
||||
*
|
||||
* @return
|
||||
* possible object is
|
||||
* {@link Permissions }
|
||||
*
|
||||
*/
|
||||
public Permissions getPermissions() {
|
||||
return permissions;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the value of the permissions property.
|
||||
*
|
||||
* @param value
|
||||
* allowed object is
|
||||
* {@link Permissions }
|
||||
*
|
||||
*/
|
||||
public void setPermissions(Permissions value) {
|
||||
this.permissions = value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the value of the name property.
|
||||
*
|
||||
* @return
|
||||
* possible object is
|
||||
* {@link String }
|
||||
*
|
||||
*/
|
||||
public String getName() {
|
||||
return name;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the value of the name property.
|
||||
*
|
||||
* @param value
|
||||
* allowed object is
|
||||
* {@link String }
|
||||
*
|
||||
*/
|
||||
public void setName(String value) {
|
||||
this.name = value;
|
||||
}
|
||||
|
||||
}
|
@ -1,67 +0,0 @@
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.config;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlElement;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
import javax.xml.bind.annotation.XmlType;
|
||||
|
||||
|
||||
/**
|
||||
* <p>Java class for DeviceMgtScopes complex type.
|
||||
*
|
||||
* <p>The following schema fragment specifies the expected content contained within this class.
|
||||
*
|
||||
* <pre>
|
||||
* <complexType name="DeviceMgtScopes">
|
||||
* <complexContent>
|
||||
* <restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
|
||||
* <sequence>
|
||||
* <element name="Action" type="{}Action" maxOccurs="unbounded" minOccurs="0"/>
|
||||
* </sequence>
|
||||
* </restriction>
|
||||
* </complexContent>
|
||||
* </complexType>
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
*/
|
||||
@XmlRootElement(name = "DeviceMgtScopes")
|
||||
public class DeviceMgtScopes {
|
||||
|
||||
@XmlElement(name = "Action")
|
||||
protected List<Action> action;
|
||||
|
||||
/**
|
||||
* Gets the value of the action property.
|
||||
*
|
||||
* <p>
|
||||
* This accessor method returns a reference to the live list,
|
||||
* not a snapshot. Therefore any modification you make to the
|
||||
* returned list will be present inside the JAXB object.
|
||||
* This is why there is not a <CODE>set</CODE> method for the action property.
|
||||
*
|
||||
* <p>
|
||||
* For example, to add a new item, do as follows:
|
||||
* <pre>
|
||||
* getAction().add(newItem);
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* Objects of the following type(s) are allowed in the list
|
||||
* {@link Action }
|
||||
*
|
||||
*
|
||||
*/
|
||||
public List<Action> getAction() {
|
||||
if (action == null) {
|
||||
action = new ArrayList<Action>();
|
||||
}
|
||||
return this.action;
|
||||
}
|
||||
|
||||
}
|
@ -1,67 +0,0 @@
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.config;
|
||||
|
||||
import org.w3c.dom.Document;
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
|
||||
import org.wso2.carbon.utils.CarbonUtils;
|
||||
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.JAXBException;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import java.io.File;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* This class represents the configuration that are needed for scopes to permission map.
|
||||
*/
|
||||
public class DeviceMgtScopesConfig {
|
||||
|
||||
private static DeviceMgtScopesConfig config = new DeviceMgtScopesConfig();
|
||||
private static Map<String, String[]> actionPermissionMap = new HashMap<>();
|
||||
|
||||
private static final String DEVICE_MGT_SCOPES_CONFIG_PATH =
|
||||
CarbonUtils.getEtcCarbonConfigDirPath() + File.separator + "device-mgt-scopes.xml";
|
||||
|
||||
private DeviceMgtScopesConfig() {
|
||||
}
|
||||
|
||||
public static DeviceMgtScopesConfig getInstance() {
|
||||
return config;
|
||||
}
|
||||
|
||||
public static void init() throws DeviceMgtScopesConfigurationFailedException {
|
||||
try {
|
||||
File deviceMgtConfig = new File(DEVICE_MGT_SCOPES_CONFIG_PATH);
|
||||
Document doc = OAuthExtUtils.convertToDocument(deviceMgtConfig);
|
||||
|
||||
/* Un-marshaling DeviceMGtScope configuration */
|
||||
JAXBContext ctx = JAXBContext.newInstance(DeviceMgtScopes.class);
|
||||
Unmarshaller unmarshaller = ctx.createUnmarshaller();
|
||||
//unmarshaller.setSchema(getSchema());
|
||||
DeviceMgtScopes deviceMgtScopes = (DeviceMgtScopes) unmarshaller.unmarshal(doc);
|
||||
if (deviceMgtScopes != null) {
|
||||
for (Action action : deviceMgtScopes.getAction()) {
|
||||
Permissions permissions = action.getPermissions();
|
||||
if (permissions != null) {
|
||||
String permission[] = new String[permissions.getPermission().size()];
|
||||
int i = 0;
|
||||
for (String perm : permissions.getPermission()) {
|
||||
permission[i] = perm;
|
||||
i++;
|
||||
}
|
||||
actionPermissionMap.put(action.getName(), permission);
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (JAXBException e) {
|
||||
throw new DeviceMgtScopesConfigurationFailedException("Error occurred while un-marshalling Device Scope" +
|
||||
" Config", e);
|
||||
}
|
||||
}
|
||||
|
||||
public Map<String, String[]> getDeviceMgtScopePermissionMap() {
|
||||
return actionPermissionMap;
|
||||
}
|
||||
|
||||
}
|
@ -1,44 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.config;
|
||||
|
||||
public class DeviceMgtScopesConfigurationFailedException extends Exception {
|
||||
|
||||
private static final long serialVersionUID = -3151279312929070398L;
|
||||
|
||||
public DeviceMgtScopesConfigurationFailedException(String msg, Exception nestedEx) {
|
||||
super(msg, nestedEx);
|
||||
}
|
||||
|
||||
public DeviceMgtScopesConfigurationFailedException(String message, Throwable cause) {
|
||||
super(message, cause);
|
||||
}
|
||||
|
||||
public DeviceMgtScopesConfigurationFailedException(String msg) {
|
||||
super(msg);
|
||||
}
|
||||
|
||||
public DeviceMgtScopesConfigurationFailedException() {
|
||||
super();
|
||||
}
|
||||
|
||||
public DeviceMgtScopesConfigurationFailedException(Throwable cause) {
|
||||
super(cause);
|
||||
}
|
||||
}
|
@ -1,78 +0,0 @@
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.config;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlElement;
|
||||
import javax.xml.bind.annotation.XmlType;
|
||||
|
||||
|
||||
/**
|
||||
* <p>Java class for Permissions complex type.
|
||||
*
|
||||
* <p>The following schema fragment specifies the expected content contained within this class.
|
||||
*
|
||||
* <pre>
|
||||
* <complexType name="Permissions">
|
||||
* <complexContent>
|
||||
* <restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
|
||||
* <sequence>
|
||||
* <element name="Permission" maxOccurs="unbounded" minOccurs="0">
|
||||
* <simpleType>
|
||||
* <restriction base="{http://www.w3.org/2001/XMLSchema}string">
|
||||
* <enumeration value="/permission/device-mgt/user/groups/device_operation"/>
|
||||
* <enumeration value="/permission/device-mgt/groups"/>
|
||||
* <enumeration value="/permission/device-mgt/user/groups"/>
|
||||
* <enumeration value="/permission/device-mgt/user/groups/device_monitor"/>
|
||||
* </restriction>
|
||||
* </simpleType>
|
||||
* </element>
|
||||
* </sequence>
|
||||
* </restriction>
|
||||
* </complexContent>
|
||||
* </complexType>
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
*/
|
||||
@XmlAccessorType(XmlAccessType.FIELD)
|
||||
@XmlType(name = "Permissions", propOrder = {
|
||||
"permission"
|
||||
})
|
||||
public class Permissions {
|
||||
|
||||
@XmlElement(name = "Permission")
|
||||
protected List<String> permission;
|
||||
|
||||
/**
|
||||
* Gets the value of the permission property.
|
||||
*
|
||||
* <p>
|
||||
* This accessor method returns a reference to the live list,
|
||||
* not a snapshot. Therefore any modification you make to the
|
||||
* returned list will be present inside the JAXB object.
|
||||
* This is why there is not a <CODE>set</CODE> method for the permission property.
|
||||
*
|
||||
* <p>
|
||||
* For example, to add a new item, do as follows:
|
||||
* <pre>
|
||||
* getPermission().add(newItem);
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* Objects of the following type(s) are allowed in the list
|
||||
* {@link String }
|
||||
*
|
||||
*
|
||||
*/
|
||||
public List<String> getPermission() {
|
||||
if (permission == null) {
|
||||
permission = new ArrayList<String>();
|
||||
}
|
||||
return this.permission;
|
||||
}
|
||||
|
||||
}
|
@ -1,31 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
|
||||
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
|
||||
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
|
||||
import org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler;
|
||||
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
|
||||
|
||||
public class ExtendedDeviceMgtJWTBearerGrantHandler extends JWTBearerGrantHandler {
|
||||
|
||||
@Override
|
||||
public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
|
||||
return OAuthExtUtils.validateScope(tokReqMsgCtx);
|
||||
}
|
||||
}
|
@ -1,59 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler;
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
|
||||
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
|
||||
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
|
||||
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
|
||||
|
||||
@SuppressWarnings("unused")
|
||||
public class ExtendedDeviceMgtPasswordGrantHandler extends ExtendedPasswordGrantHandler {
|
||||
|
||||
private static Log log = LogFactory.getLog(ExtendedDeviceMgtPasswordGrantHandler.class);
|
||||
|
||||
@Override
|
||||
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
|
||||
RequestParameter parameters[] = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
|
||||
for (RequestParameter parameter : parameters) {
|
||||
switch (parameter.getKey()) {
|
||||
case OAuthConstants.DEFAULT_USERNAME_IDENTIFIER:
|
||||
String username = parameter.getValue()[0];
|
||||
tokReqMsgCtx.getOauth2AccessTokenReqDTO().setResourceOwnerUsername(username);
|
||||
break;
|
||||
|
||||
case OAuthConstants.DEFAULT_PASSWORD_IDENTIFIER:
|
||||
String password = parameter.getValue()[0];
|
||||
tokReqMsgCtx.getOauth2AccessTokenReqDTO().setResourceOwnerPassword(password);
|
||||
break;
|
||||
}
|
||||
}
|
||||
return super.validateGrant(tokReqMsgCtx);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) {
|
||||
return OAuthExtUtils.validateScope(tokReqMsgCtx);
|
||||
}
|
||||
|
||||
}
|
@ -1,38 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
|
||||
|
||||
import org.apache.oltu.oauth2.common.OAuth;
|
||||
import org.apache.oltu.oauth2.common.validators.AbstractValidator;
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
/**
|
||||
* Grant validator for JSON Web Tokens
|
||||
* For JWT Grant to be valid the required parameters are
|
||||
* grant_type and assertion
|
||||
*/
|
||||
public class ExtendedDeviceJWTGrantValidator extends AbstractValidator<HttpServletRequest> {
|
||||
|
||||
public ExtendedDeviceJWTGrantValidator() {
|
||||
requiredParams.add(OAuth.OAUTH_GRANT_TYPE);
|
||||
requiredParams.add(OAuth.OAUTH_ASSERTION);
|
||||
}
|
||||
}
|
@ -1,37 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
|
||||
|
||||
import org.apache.oltu.oauth2.common.OAuth;
|
||||
import org.apache.oltu.oauth2.common.validators.AbstractValidator;
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
/**
|
||||
* Grant validator for Device Object with Password Grant type
|
||||
*/
|
||||
public class ExtendedDevicePasswordGrantValidator extends AbstractValidator<HttpServletRequest> {
|
||||
|
||||
public ExtendedDevicePasswordGrantValidator() {
|
||||
requiredParams.add(OAuth.OAUTH_USERNAME);
|
||||
requiredParams.add(OAuth.OAUTH_PASSWORD);
|
||||
requiredParams.add(OAuthConstants.DEFAULT_DEVICE_ASSERTION);
|
||||
}
|
||||
}
|
@ -1,112 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* you may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
|
||||
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
|
||||
import org.wso2.carbon.identity.application.common.model.User;
|
||||
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
|
||||
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
|
||||
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
|
||||
import org.wso2.carbon.user.api.UserRealm;
|
||||
import org.wso2.carbon.user.api.UserStoreException;
|
||||
|
||||
import java.util.Properties;
|
||||
|
||||
/**
|
||||
* Custom OAuth2Token Scope validation implementation for DeviceManagement. This will validate the
|
||||
* user permissions before dispatching the HTTP request to the actual endpoint.
|
||||
*/
|
||||
public class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
|
||||
|
||||
private static final String URL_PROPERTY = "URL";
|
||||
private static final String HTTP_METHOD_PROPERTY = "HTTP_METHOD";
|
||||
|
||||
public static final class PermissionMethod {
|
||||
private PermissionMethod() {
|
||||
throw new AssertionError();
|
||||
}
|
||||
|
||||
public static final String READ = "read";
|
||||
public static final String WRITE = "write";
|
||||
public static final String DELETE = "delete";
|
||||
public static final String ACTION = "action";
|
||||
public static final String UI_EXECUTE = "ui.execute";
|
||||
}
|
||||
|
||||
private static final Log log = LogFactory.getLog(PermissionBasedScopeValidator.class);
|
||||
|
||||
@Override
|
||||
public boolean validateScope(AccessTokenDO accessTokenDO, String resource)
|
||||
throws IdentityOAuth2Exception {
|
||||
boolean status = true;
|
||||
//Extract the url & http method
|
||||
int idx = resource.lastIndexOf(':');
|
||||
String url = resource.substring(0, idx);
|
||||
String method = resource.substring(++idx, resource.length());
|
||||
//This is to remove the url params for request path.
|
||||
int urlParamIndex = url.indexOf('?');
|
||||
if(urlParamIndex > 0) {
|
||||
url = url.substring(0, urlParamIndex);
|
||||
}
|
||||
|
||||
Properties properties = new Properties();
|
||||
properties.put(PermissionBasedScopeValidator.URL_PROPERTY, url.toLowerCase());
|
||||
properties.put(PermissionBasedScopeValidator.HTTP_METHOD_PROPERTY, method.toUpperCase());
|
||||
PermissionManagerService permissionManagerService = OAuthExtensionsDataHolder.getInstance().
|
||||
getPermissionManagerService();
|
||||
try {
|
||||
Permission permission = permissionManagerService.getPermission(properties);
|
||||
User authzUser = accessTokenDO.getAuthzUser();
|
||||
if ((permission != null) && (authzUser != null)) {
|
||||
if (permission.getPath() == null) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Permission is not defined for the resource '" + resource + "'");
|
||||
}
|
||||
return true;
|
||||
}
|
||||
String username = authzUser.getUserName();
|
||||
String userStore = authzUser.getUserStoreDomain();
|
||||
int tenantId = OAuthExtUtils.getTenantId(authzUser.getTenantDomain());
|
||||
UserRealm userRealm = OAuthExtensionsDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
|
||||
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
|
||||
if (userStore != null) {
|
||||
status = userRealm.getAuthorizationManager()
|
||||
.isUserAuthorized(userStore + "/" + username, permission.getPath(),
|
||||
PermissionMethod.UI_EXECUTE);
|
||||
} else {
|
||||
status = userRealm.getAuthorizationManager()
|
||||
.isUserAuthorized(username, permission.getPath(), PermissionMethod.UI_EXECUTE);
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (PermissionManagementException e) {
|
||||
log.error("Error occurred while validating the resource scope for : " + resource +
|
||||
", Msg = " + e.getMessage(), e);
|
||||
} catch (UserStoreException e) {
|
||||
log.error("Error occurred while retrieving user store. " + e.getMessage());
|
||||
}
|
||||
return status;
|
||||
}
|
||||
}
|
@ -1,51 +0,0 @@
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!--
|
||||
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
~
|
||||
~ WSO2 Inc. licenses this file to you under the Apache License,
|
||||
~ Version 2.0 (the "License"); you may not use this file except
|
||||
~ in compliance with the License.
|
||||
~ you may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing,
|
||||
~ software distributed under the License is distributed on an
|
||||
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
~ KIND, either express or implied. See the License for the
|
||||
~ specific language governing permissions and limitations
|
||||
~ under the License.
|
||||
-->
|
||||
|
||||
<!--This holds the scopes that are allowed by the device-mgt, The user require below permission to get the required scope-->
|
||||
<!--These scopes are assigned after validating with device-mgt specific grant types-->
|
||||
<DeviceMgtScopes>
|
||||
<Action name="mqtt-publisher">
|
||||
<Permissions>
|
||||
<Permission>/permission/device-mgt/user/groups/device_operation</Permission>
|
||||
<Permission>/permission/device-mgt/admin/groups</Permission>
|
||||
<Permission>/permission/device-mgt/user/groups</Permission>
|
||||
</Permissions>
|
||||
</Action>
|
||||
<Action name="mqtt-subscriber">
|
||||
<Permissions>
|
||||
<Permission>/permission/device-mgt/user/groups/device_monitor</Permission>
|
||||
<Permission>/permission/device-mgt/admin/groups</Permission>
|
||||
<Permission>/permission/device-mgt/user/groups</Permission>
|
||||
</Permissions>
|
||||
</Action>
|
||||
<Action name="stats">
|
||||
<Permissions>
|
||||
<Permission>/permission/device-mgt/user/groups/device_monitor</Permission>
|
||||
<Permission>/permission/device-mgt/admin/groups</Permission>
|
||||
<Permission>/permission/device-mgt/user/groups</Permission>
|
||||
</Permissions>
|
||||
</Action>
|
||||
<Action name="operation">
|
||||
<Permissions>
|
||||
<Permission>/permission/device-mgt/user/groups/device_operation</Permission>
|
||||
<Permission>/permission/device-mgt/admin/groups</Permission>
|
||||
<Permission>/permission/device-mgt/user/groups</Permission>
|
||||
</Permissions>
|
||||
</Action>
|
||||
</DeviceMgtScopes>
|
@ -1,2 +1 @@
|
||||
instructions.configure = \
|
||||
org.eclipse.equinox.p2.touchpoint.natives.copy(source:${installFolder}/../features/org.wso2.carbon.device.mgt.oauth.extensions_${feature.version}/device-mgt-scopes.xml,target:${installFolder}/../../conf/etc/device-mgt-scopes.xml,overwrite:true);\
|
||||
instructions.configure = \
|
Loading…
Reference in new issue