few changed mqtt authoriser

merge-requests/1/head
ayyoob 9 years ago
parent 787178ddff
commit 14ead035d7

@ -1344,33 +1344,17 @@
</file>
<file>
<source>
../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/devicemgt-config.xml
../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/mqtt.properties
</source>
<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/iot</outputDirectory>
<filtered>true</filtered>
<fileMode>644</fileMode>
</file>
<file>
<source>
../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/mqtt.properties
</source>
<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/iot</outputDirectory>
<filtered>true</filtered>
<fileMode>644</fileMode>
</file>
<file>
<source>
../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/xmpp.properties
</source>
<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/iot</outputDirectory>
<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/etc</outputDirectory>
<filtered>true</filtered>
<fileMode>644</fileMode>
</file>
<file>
<source>
../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/devicemgt-config.xsd
../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/xmpp.properties
</source>
<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/iot</outputDirectory>
<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/etc</outputDirectory>
<filtered>true</filtered>
<fileMode>644</fileMode>
</file>

@ -47,12 +47,12 @@
<artifactId>andes</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.core</artifactId>
<groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.user.api</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.common</artifactId>
<groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.user.core</artifactId>
</dependency>
</dependencies>
@ -83,12 +83,11 @@
org.wso2.andes.configuration.enums,
org.wso2.andes.mqtt,
org.wso2.carbon.context,
org.wso2.carbon.device.mgt.common,
org.wso2.carbon.device.mgt.common.authorization,
org.apache.commons.logging,
org.osgi.service.component,
org.wso2.carbon.user.core.service,
org.wso2.carbon.user.core.tenant
org.wso2.carbon.user.core.tenant,
org.wso2.carbon.user.api
</Import-Package>
</instructions>
</configuration>

@ -24,8 +24,10 @@ import org.wso2.andes.configuration.enums.MQTTAuthoriztionPermissionLevel;
import org.wso2.andes.mqtt.MQTTAuthorizationSubject;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal.AuthorizationDataHolder;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import java.util.List;
/**
* Authorize the connecting users against Carbon Permission Model. Intended usage is
@ -35,35 +37,32 @@ import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorization
*/
public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class);
private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user";
private static final String SCOPE_IDENTIFIER = "scope";
/**
* {@inheritDoc} Authorize the user against carbon device mgt model.
*/
@Override
public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
MQTTAuthoriztionPermissionLevel permissionLevel) {
try {
String topics[] = topic.split("/");
if (topics.length < 3) {
return false;
}
String tenantIdFromTopic = topics[0];
if (!tenantIdFromTopic.equals(authorizationSubject.getTenantDomain())) {
return false;
String topics[] = topic.split("/");
if (topics.length < 3) {
return false;
}
String tenantIdFromTopic = topics[0];
if (!tenantIdFromTopic.equals(authorizationSubject.getTenantDomain())) {
return false;
}
String deviceTypeFromTopic = topics[1];
String deviceIdFromTopic = topics[2];
List<String> scopes = (List<String>) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER);
if (scopes != null) {
for (String scope : scopes) {
//TODO : have to validate token with scopes.
}
String deviceTypeFromTopic = topics[1];
String deviceIdFromTopic = topics[2];
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
authorizationSubject.getTenantDomain(), true);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(authorizationSubject.getUsername());
return AuthorizationDataHolder.getInstance().getDeviceAccessAuthorizationService().isUserAuthorized(
new DeviceIdentifier(deviceIdFromTopic, deviceTypeFromTopic));
} catch (DeviceAccessAuthorizationException e) {
logger.error("Failed on Device Access Authorization for user " + authorizationSubject.getUsername(), e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
return false;
return true;
}
/**
@ -71,6 +70,36 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
*/
@Override
public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) {
return true;
return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, "ui.execute");
}
/**
* Check whether the client is authorized with the given permission and action.
*
* @param authorizationSubject this contains the client information
* @param permission Carbon permission that requires for the use
* @param action Carbon permission action that requires for the given permission.
* @return boolean - true if user is authorized else return false.
*/
private boolean isUserAuthorized(MQTTAuthorizationSubject authorizationSubject, String permission, String action) {
String username = authorizationSubject.getUsername();
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
authorizationSubject.getTenantDomain(), true);
int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
UserRealm userRealm = AuthorizationDataHolder.getInstance().getRealmService()
.getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action);
}
return false;
} catch (UserStoreException e) {
String errorMsg = String.format("Unable to authorize the user : %s", username);
logger.error(errorMsg, e);
return false;
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
}

@ -18,7 +18,6 @@
package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.tenant.TenantManager;
@ -26,7 +25,6 @@ public class AuthorizationDataHolder {
private RealmService realmService;
private TenantManager tenantManager;
private DeviceAccessAuthorizationService deviceAccessAuthorizationService;
private static AuthorizationDataHolder thisInstance = new AuthorizationDataHolder();
@ -56,12 +54,4 @@ public class AuthorizationDataHolder {
return tenantManager;
}
public DeviceAccessAuthorizationService getDeviceAccessAuthorizationService() {
return deviceAccessAuthorizationService;
}
public void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
this.deviceAccessAuthorizationService = deviceAccessAuthorizationService;
}
}

@ -21,7 +21,6 @@ package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.user.core.service.RealmService;
/**
@ -32,12 +31,6 @@ import org.wso2.carbon.user.core.service.RealmService;
* policy="dynamic"
* bind="setRealmService"
* unbind="unsetRealmService"
* @scr.reference name="org.wso2.carbon.device.access.authorization"
* interface="org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService"
* cardinality="1..1"
* policy="dynamic"
* bind="setDeviceAccessAuthorizationService"
* unbind="unsetDeviceAccessAuthorizationService"
*/
@SuppressWarnings("unused")
public class AuthorizationServiceComponent {
@ -76,18 +69,4 @@ public class AuthorizationServiceComponent {
AuthorizationDataHolder.getInstance().setRealmService(null);
}
protected void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
if (log.isDebugEnabled()) {
log.debug("Setting Device Access Authorization Service");
}
AuthorizationDataHolder.getInstance().setDeviceAccessAuthorizationService(deviceAccessAuthorizationService);
}
protected void unsetDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
if (log.isDebugEnabled()) {
log.debug("Removing Device Access Authorization Service");
}
AuthorizationDataHolder.getInstance().setDeviceAccessAuthorizationService(null);
}
}

@ -69,7 +69,6 @@
</bundles>
<importFeatures>
<importFeatureDef>org.wso2.carbon.core.server:${carbon.kernel.version}</importFeatureDef>
<importFeatureDef>org.wso2.carbon.device.mgt.server:${carbon.device.mgt.version}</importFeatureDef>
</importFeatures>
</configuration>
</execution>

@ -20,7 +20,7 @@ public class ConnectedCupMQttTransportHandler extends MQTTTransportHandler {
private static ConnectedCupMQttTransportHandler connectedCupMQttTransportHandler;
private static String publishTopic = "wso2/%s/" + DEVICE_TYPE + "/%s";
private static String publishTopic = "%s/" + DEVICE_TYPE + "/%s";
protected ConnectedCupMQttTransportHandler() {
super(iotServerSubscriber, DEVICE_TYPE, "tcp://localhost:1883", "");

@ -57,7 +57,7 @@ public class ConnectedCupManagerService implements DeviceManagementService{
@Override
public ProvisioningConfig getProvisioningConfig() {
return new ProvisioningConfig("carbon.super", true);
return new ProvisioningConfig("carbon.super", false);
}
@Override

Loading…
Cancel
Save