added web app tenant authorisation for tenant for non managed api scenario

9 years ago · 733884cba7
parent 3a3e9cc649
commit 733884cba7
2 changed files with 62 additions and 0 deletions
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
@ -26,6 +26,7 @@ import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
 import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
 import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
+import org.wso2.carbon.webapp.authenticator.framework.authorizer.WebappTenantAuthorizer;

 import javax.servlet.http.HttpServletResponse;
 import java.util.HashMap;
@ -44,6 +45,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
            return;
        }

+
+
        WebappAuthenticator authenticator = WebappAuthenticatorFactory.getAuthenticator(request);
        if (authenticator == null) {
            String msg = "Failed to load an appropriate authenticator to authenticate the request";
@ -51,6 +54,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
            return;
        }
        AuthenticationInfo authenticationInfo = authenticator.authenticate(request, response);
+        if (isManagedAPI(request) && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
+                authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
+            WebappAuthenticator.Status status = WebappTenantAuthorizer.authorize(request, authenticationInfo);
+            authenticationInfo.setStatus(status);
+        }
        if (authenticationInfo.getTenantId() != -1) {
            try {
                PrivilegedCarbonContext.startTenantFlow();
@ -77,6 +85,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
        return (param == null || !Boolean.parseBoolean(param) || isNonSecuredEndPoint(request));
    }

+    private boolean isManagedAPI(Request request) {
+        String param = request.getContext().findParameter("managed-api-enabled");
+        return (param != null && Boolean.parseBoolean(param));
+    }
+
    private boolean isContextSkipped(Request request) {
        String ctx = request.getContext().getPath();
        if (ctx == null || "".equals(ctx)) {
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/WebappTenantAuthorizer.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/WebappTenantAuthorizer.java
@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.webapp.authenticator.framework.authorizer;
+
+import org.apache.catalina.connector.Request;
+import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
+import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
+
+/**
+ * This class represents the methods that are used to authorize requests based on the tenant subscription.
+ */
+public class WebappTenantAuthorizer {
+	private static final String SHARED_WITH_ALL_TENANTS_PARAM_NAME = "isSharedWithAllTenants";
+	private static final String PROVIDER_TENANT_DOMAIN_PARAM_NAME = "providerTenantDomain";
+
+	public static WebappAuthenticator.Status authorize(Request request, AuthenticationInfo authenticationInfo) {
+		String tenantDomain = authenticationInfo.getTenantDomain();
+		if (tenantDomain != null && isSharedWithAllTenants(request) || isProviderTenant(request, tenantDomain)) {
+			return WebappAuthenticator.Status.CONTINUE;
+		}
+		return WebappAuthenticator.Status.FAILURE;
+	}
+
+	private static boolean isSharedWithAllTenants(Request request) {
+		String param = request.getContext().findParameter(SHARED_WITH_ALL_TENANTS_PARAM_NAME);
+		return (param == null || Boolean.parseBoolean(param));
+	}
+
+	private static boolean isProviderTenant(Request request, String requestTenantDomain) {
+		String param = request.getContext().findParameter(PROVIDER_TENANT_DOMAIN_PARAM_NAME);
+		return (param == null || requestTenantDomain.equals(param));
+	}
+}