From 4eb588ac60a4b3eecdb6e132cda092a21f084ef1 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 14:37:34 +0530 Subject: [PATCH 1/5] Group Constants moved to common --- .../carbon/device/mgt/jaxrs/api/Group.java | 38 +++++---------- .../group/mgt/DeviceGroupConstants.java | 47 +++++++++++++++++++ 2 files changed, 59 insertions(+), 26 deletions(-) create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java index acd9e987141..35288175688 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java @@ -22,9 +22,9 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.device.mgt.common.DeviceIdentifier; -import org.wso2.carbon.device.mgt.common.EnrolmentInfo; import org.wso2.carbon.device.mgt.common.PaginationResult; import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup; +import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroupConstants; import org.wso2.carbon.device.mgt.common.group.mgt.GroupAlreadyEixistException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser; 
@@ -48,20 +48,6 @@ import java.util.List; @SuppressWarnings("NonJaxWsWebServices") public class Group { - private static final String DEFAULT_ADMIN_ROLE = "admin"; - private static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations"; - private static final String DEFAULT_STATS_MONITOR_ROLE = "view-statistics"; - private static final String DEFAULT_VIEW_POLICIES = "view-policies"; - private static final String DEFAULT_MANAGE_POLICIES = "mange-policies"; - private static final String DEFAULT_VIEW_EVENTS = "view-events"; - private static final String[] DEFAULT_ADMIN_PERMISSIONS = {"/permission/device-mgt/admin/groups", - "/permission/device-mgt/user/groups"}; - private static final String[] DEFAULT_OPERATOR_PERMISSIONS = {"/permission/device-mgt/user/groups/device_operation"}; - private static final String[] DEFAULT_STATS_MONITOR_PERMISSIONS = {"/permission/device-mgt/user/groups/device_monitor"}; - private static final String[] DEFAULT_MANAGE_POLICIES_PERMISSIONS = {"/permission/device-mgt/user/groups/device_policies/add"}; - private static final String[] DEFAULT_VIEW_POLICIES_PERMISSIONS = {"/permission/device-mgt/user/groups/device_policies/view"}; - private static final String[] DEFAULT_VIEW_EVENTS_PERMISSIONS = {"/permission/device-mgt/user/groups/device_events"}; - private static Log log = LogFactory.getLog(Group.class); @POST 
@@ -76,18 +62,18 @@ public class Group { group.setDateOfLastUpdate(new Date().getTime()); try { GroupManagementProviderService groupManagementService = DeviceMgtAPIUtils.getGroupManagementProviderService(); - groupManagementService.createGroup(group, DEFAULT_ADMIN_ROLE, DEFAULT_ADMIN_PERMISSIONS); + groupManagementService.createGroup(group, DeviceGroupConstants.Roles.DEFAULT_ADMIN_ROLE, DeviceGroupConstants.Permissions.DEFAULT_ADMIN_PERMISSIONS); groupManagementService.addGroupSharingRole(owner, group.getName(), owner, - DEFAULT_OPERATOR_ROLE, - DEFAULT_OPERATOR_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_STATS_MONITOR_ROLE, - DEFAULT_STATS_MONITOR_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_VIEW_POLICIES, - DEFAULT_VIEW_POLICIES_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_MANAGE_POLICIES, - DEFAULT_MANAGE_POLICIES_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_VIEW_EVENTS, - DEFAULT_VIEW_EVENTS_PERMISSIONS); + DeviceGroupConstants.Roles.DEFAULT_OPERATOR_ROLE, + DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_STATS_MONITOR_ROLE, + DeviceGroupConstants.Permissions.DEFAULT_STATS_MONITOR_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_VIEW_POLICIES, + DeviceGroupConstants.Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_MANAGE_POLICIES, + DeviceGroupConstants.Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_VIEW_EVENTS, + 
DeviceGroupConstants.Permissions.DEFAULT_VIEW_EVENTS_PERMISSIONS); return Response.status(Response.Status.CREATED).build(); } catch (GroupAlreadyEixistException e) { return Response.status(Response.Status.CONFLICT).entity(e.getMessage()).build(); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java new file mode 100644 index 00000000000..cdd72f0e279 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java 
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.carbon.device.mgt.common.group.mgt; + +/** + * Holds Device Group constants and expose to external access + */ +public class DeviceGroupConstants { + public static class Roles { + public static final String DEFAULT_ADMIN_ROLE = "admin"; + public static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations"; + public static final String DEFAULT_STATS_MONITOR_ROLE = "view-statistics"; + public static final String DEFAULT_VIEW_POLICIES = "view-policies"; + public static final String DEFAULT_MANAGE_POLICIES = "mange-policies"; + public static final String DEFAULT_VIEW_EVENTS = "view-events"; + } + + public static class Permissions { + public static final String[] DEFAULT_ADMIN_PERMISSIONS = + {"/permission/device-mgt/admin/groups", "/permission/device-mgt/user/groups"}; + public static final String[] DEFAULT_OPERATOR_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_operation"}; + public static final String[] DEFAULT_STATS_MONITOR_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_monitor"}; + public static final String[] DEFAULT_MANAGE_POLICIES_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_policies/add"}; + public static final String[] DEFAULT_VIEW_POLICIES_PERMISSIONS = + 
{"/permission/device-mgt/user/groups/device_policies/view"}; + public static final String[] DEFAULT_VIEW_EVENTS_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_events"}; + } +} From 64a262d3e4c514437e6d4db57decb014d1a0860c Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 15:34:50 +0530 Subject: [PATCH 2/5] Fixing 404 on groups listing --- .../src/main/resources/jaggeryapps/devicemgt/jaggery.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf index d18daaa1723..10170e94574 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf @@ -8,7 +8,7 @@ "path": "/api/device-api.jag" }, { - "url": "/api/group/*", + "url": "/api/groups/*", "path": "/api/group-api.jag" }, { From 142ab10eea3823ccb880482f5a58722ff11bef22 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:18:07 +0530 Subject: [PATCH 3/5] Code refactoring --- .../GroupManagementProviderService.java | 61 ++++++++++--------- 1 file changed, 31 insertions(+), 30 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java index b9ffa03340f..67bb3dc4afe 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java 
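Review bot: `Permissions.DEFAULT_*_PERMISSIONS` are public `static final String[]` fields, and a Java array stays mutable through every reference, so any bundle that can see this class can rewrite the permission set that `Group.createGroup` grants to every group created afterwards (`DEFAULT_ADMIN_PERMISSIONS[0] = "..."`); `final` only pins the reference. Because these values feed authorization, expose them as unmodifiable lists (`Collections.unmodifiableList(Arrays.asList(...))`) or hand out `clone()`s through accessors, keeping the array form only at the `createGroup`/`addGroupSharingRole` call sites that need it. Separately, `DEFAULT_MANAGE_POLICIES = "mange-policies"` carries a typo that is now frozen into a public constant; since the role name is embedded in `Internal/group-<id>-<role>` by the check in patch 5, correcting it later means migrating existing roles, so either fix it now or mark it as intentional: `// NOTE: "mange-policies" is the persisted role name; renaming requires migrating existing Internal/group-* roles`.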
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java @@ -25,7 +25,6 @@ import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup; import org.wso2.carbon.device.mgt.common.group.mgt.GroupAlreadyEixistException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser; -import org.wso2.carbon.device.mgt.core.group.mgt.DeviceGroupBuilder; import java.util.List; @@ -77,6 +76,7 @@ public interface GroupManagementProviderService { /** * Get the device group provided the device group id. + * * @param groupId * @return * @throws GroupManagementException @@ -97,7 +97,7 @@ public interface GroupManagementProviderService { * Get paginated device groups in tenant * * @param startIndex for pagination. - * @param rowCount for pagination. + * @param rowCount for pagination. * @return paginated list of groups * @throws GroupManagementException */ @@ -106,9 +106,9 @@ public interface GroupManagementProviderService { /** * Get paginated device groups in tenant * - * @param username of user. + * @param username of user. * @param startIndex for pagination. - * @param rowCount for pagination. + * @param rowCount for pagination. * @return paginated list of groups * @throws GroupManagementException */ @@ -183,9 +183,9 @@ public interface GroupManagementProviderService { /** * Remove existing sharing role for device group * - * @param groupName of the group - * @param owner of the group - * @param roleName to remove + * @param groupName of the group + * @param owner of the group + * @param roleName to remove * @return is role removed * @throws GroupManagementException */ 
@@ -194,8 +194,8 @@ public interface GroupManagementProviderService { /** * Get all sharing roles for device group * - * @param groupName of the group - * @param owner of the group + * @param groupName of the group + * @param owner of the group * @return list of roles * @throws GroupManagementException */ @@ -204,9 +204,9 @@ public interface GroupManagementProviderService { /** * Get specific device group sharing roles for user * - * @param userName of the user - * @param groupName of the group - * @param owner of the group + * @param userName of the user + * @param groupName of the group + * @param owner of the group * @return list of roles * @throws GroupManagementException */ @@ -215,8 +215,8 @@ public interface GroupManagementProviderService { /** * Get device group users * - * @param groupName of the group - * @param owner of the group + * @param groupName of the group + * @param owner of the group * @return list of group users * @throws GroupManagementException */ @@ -225,8 +225,8 @@ public interface GroupManagementProviderService { /** * Get all devices in device group. * - * @param groupName of the group. - * @param owner of the group. + * @param groupName of the group. + * @param owner of the group. * @return list of group devices. * @throws GroupManagementException */ @@ -235,10 +235,10 @@ public interface GroupManagementProviderService { /** * Get all devices in device group as paginated result. * - * @param groupName of the group. - * @param owner of the group. + * @param groupName of the group. + * @param owner of the group. * @param startIndex for pagination. - * @param rowCount for pagination. + * @param rowCount for pagination. * @return Paginated list of devices. * @throws GroupManagementException */ 
@@ -248,8 +248,8 @@ public interface GroupManagementProviderService { /** * This method is used to retrieve the device count of a given group. * - * @param groupName of the group. - * @param owner of the group. + * @param groupName of the group. + * @param owner of the group. * @return returns the device count. * @throws GroupManagementException */ @@ -258,9 +258,9 @@ public interface GroupManagementProviderService { /** * Add device to device group. * - * @param deviceId of the device. - * @param groupName of the group. - * @param owner of the group. + * @param deviceId of the device. + * @param groupName of the group. + * @param owner of the group. * @return is device added. * @throws GroupManagementException */ @@ -269,9 +269,9 @@ public interface GroupManagementProviderService { /** * Remove device from device group. * - * @param deviceId of the device. - * @param groupName of the group. - * @param owner of the group. + * @param deviceId of the device. + * @param groupName of the group. + * @param owner of the group. * @return is device removed. * @throws GroupManagementException */ @@ -280,9 +280,9 @@ public interface GroupManagementProviderService { /** * Get device group permissions of user. * - * @param username of the user. - * @param groupName of the group. - * @param owner of the group. + * @param username of the user. + * @param groupName of the group. + * @param owner of the group. * @return array of permissions. * @throws GroupManagementException */ @@ -300,6 +300,7 @@ public interface GroupManagementProviderService { /** * Get the group of device. + * * @param deviceIdentifier * @return * @throws GroupManagementException From 9cb24d8cec60f918d870a7a37f9bfce9bc661b97 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:18:58 +0530 Subject: [PATCH 4/5] Adding enum to hold default role to default permissions mapping --- .../group/mgt/DeviceGroupConstants.java | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java index cdd72f0e279..24c4089b243 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java 
@@ -17,10 +17,45 @@
  */
 package org.wso2.carbon.device.mgt.common.group.mgt;
 
+
 /**
  * Holds Device Group constants and expose to external access
  */
 public class DeviceGroupConstants {
+    public enum RolePermissions {
+        DEFAULT_ADMIN_ROLE(Roles.DEFAULT_ADMIN_ROLE),
+        DEFAULT_OPERATOR_ROLE(Roles.DEFAULT_OPERATOR_ROLE),
+        DEFAULT_STATS_MONITOR_ROLE(Roles.DEFAULT_STATS_MONITOR_ROLE),
+        DEFAULT_VIEW_POLICIES(Roles.DEFAULT_VIEW_POLICIES),
+        DEFAULT_MANAGE_POLICIES(Roles.DEFAULT_MANAGE_POLICIES),
+        DEFAULT_VIEW_EVENTS(Roles.DEFAULT_VIEW_EVENTS);
+
+        private String value;
+        private String[] permissions;
+
+        RolePermissions(String value) {
+            this.value = value;
+        }
+
+        static {
+            DEFAULT_ADMIN_ROLE.permissions = Permissions.DEFAULT_ADMIN_PERMISSIONS;
+            DEFAULT_OPERATOR_ROLE.permissions = Permissions.DEFAULT_OPERATOR_PERMISSIONS;
+            DEFAULT_STATS_MONITOR_ROLE.permissions = Permissions.DEFAULT_STATS_MONITOR_PERMISSIONS;
+            DEFAULT_VIEW_POLICIES.permissions = Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS;
+            DEFAULT_MANAGE_POLICIES.permissions = Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS;
+            DEFAULT_VIEW_EVENTS.permissions = Permissions.DEFAULT_VIEW_EVENTS_PERMISSIONS;
+        }
+
+        @Override
+        public String toString(){
+            return this.value;
+        }
+
+        public String[] getPermissions(){
+            return permissions;
+        }
+    }
+
     public static class Roles {
         public static final String DEFAULT_ADMIN_ROLE = "admin";
         public static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations";
From 938eda7c46215ef852c49a003f58e0beb88467b5 Mon Sep 17 00:00:00 2001
From: Rasika Perera
Date: Tue, 3 May 2016 19:29:12 +0530
Subject: [PATCH 5/5] Adding group permissions checking

---
 .../DeviceAccessAuthorizationService.java | 61 +++++++++++++------
 .../DeviceAccessAuthorizationServiceImpl.java | 44 ++++++++++---
 2 files changed, 78 insertions(+), 27 deletions(-)
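Review bot: The static block in `RolePermissions` cross-wires two entries: `DEFAULT_VIEW_POLICIES` is assigned `Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS` (`.../device_policies/add`) and `DEFAULT_MANAGE_POLICIES` gets `Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS` (`.../device_policies/view`), so anything that provisions roles through this enum would hand the view-only role the add permission and leave the manage role with view. The minimal fix swaps the two right-hand sides: `DEFAULT_VIEW_POLICIES.permissions = Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS;` and `DEFAULT_MANAGE_POLICIES.permissions = Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS;`. The mix-up is easy to make because the mapping lives in a separate static block over non-final fields; passing the permissions through the constructor keeps each role beside its permissions, lets both fields be `final`, and `getPermissions()` can return a copy so callers cannot alter the shared array. As far as this series shows, nothing reads the enum yet, so the change is contained to this file.
```java
    public enum RolePermissions {
        DEFAULT_ADMIN_ROLE(Roles.DEFAULT_ADMIN_ROLE, Permissions.DEFAULT_ADMIN_PERMISSIONS),
        DEFAULT_OPERATOR_ROLE(Roles.DEFAULT_OPERATOR_ROLE, Permissions.DEFAULT_OPERATOR_PERMISSIONS),
        DEFAULT_STATS_MONITOR_ROLE(Roles.DEFAULT_STATS_MONITOR_ROLE, Permissions.DEFAULT_STATS_MONITOR_PERMISSIONS),
        DEFAULT_VIEW_POLICIES(Roles.DEFAULT_VIEW_POLICIES, Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS),
        DEFAULT_MANAGE_POLICIES(Roles.DEFAULT_MANAGE_POLICIES, Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS),
        DEFAULT_VIEW_EVENTS(Roles.DEFAULT_VIEW_EVENTS, Permissions.DEFAULT_VIEW_EVENTS_PERMISSIONS);

        private final String value;
        private final String[] permissions;

        RolePermissions(String value, String[] permissions) {
            this.value = value;
            this.permissions = permissions;
        }

        // … unchanged: toString() …

        /** Returns a copy so callers cannot modify the shared default permission set. */
        public String[] getPermissions() {
            return permissions.clone();
        }
    }
```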
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java index e54901bc6c8..610727edb07 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java @@ -28,7 +28,6 @@ import java.util.List; * accessing the device information and performing MDM operations on devices. */ public interface DeviceAccessAuthorizationService { - /** * This method will check whether the currently logged-in user has the access to the device identified by the given * DeviceIdentifier. 
@@ -39,29 +38,55 @@ public interface DeviceAccessAuthorizationService { */ boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException; + /** + * This method will check whether the currently logged-in user has the access to the device identified by the given + * DeviceIdentifier. + * + * @param deviceIdentifier - DeviceIdentifier of the device to be checked. + * @param groupPermissions - Group Permissions. + * @return Boolean authorization result. + * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions) + throws DeviceAccessAuthorizationException; + /** * This method will check whether the currently logged-in user has the access to the devices identified by the given * DeviceIdentifier list. * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers) throws - DeviceAccessAuthorizationException; + DeviceAccessAuthorizationException; + + /** + * This method will check whether the currently logged-in user has the access to the devices identified by the given + * DeviceIdentifier list. + * + * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. + * @param groupPermissions - Group Permissions + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. 
+ * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String[] groupPermissions) + throws DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the device identified by the given * DeviceIdentifier. * * @param deviceIdentifier - DeviceIdentifier of the device to be checked. - * @param username - Username of the user to be checked for authorization. - * @param permission - Permission + * @param username - Username of the user to be checked for authorization. + * @param groupPermissions - Group Permissions * @return Boolean authorization result. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ - boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException; + boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions) + throws DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the devices identified by the given 
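Review bot: The Javadoc for the new `groupPermissions` parameter (`@param groupPermissions - Group Permissions`, repeated on both new overloads and on the changed `isUserAuthorized(DeviceIdentifier, String, String[])`) does not state the contract an authorization API must make explicit: whether the array is conjunctive or disjunctive, and what `null` or empty means. The Impl in this same patch requires every listed permission to pass and returns `false` for `null`/empty in the single-device overload, so I would write `@param groupPermissions - group-level permissions the user must hold, all of them; null or an empty array denies access unless the user passes the admin/owner check`. The admin/owner shortcut is `isAdminOrDeviceOwner` in the Impl and, as far as the hunks show, runs before the group check. The no-`username` overloads should also say that the user is resolved from the current context, which is presumably what `this.getUserName()` does.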
@@ -69,20 +94,21 @@ public interface DeviceAccessAuthorizationService { * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. * @param username - User name - * @param permission - Permission - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @param groupPermissions - Group Permissions + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ - DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, String permission) throws - DeviceAccessAuthorizationException; + DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, + String[] groupPermissions) throws + DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the device identified by the given * DeviceIdentifier. * * @param deviceIdentifier - DeviceIdentifier of the device to be checked. - * @param username - Username of the user to be checked for authorization. + * @param username - Username of the user to be checked for authorization. * @return Boolean authorization result. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ 
@@ -94,12 +120,11 @@ public interface DeviceAccessAuthorizationService { * DeviceIdentifier list. * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. - * @param username - Username of the user to be checked for authorization. - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @param username - Username of the user to be checked for authorization. + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username) throws - DeviceAccessAuthorizationException; - + DeviceAccessAuthorizationException; } \ No newline at end of file diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index cb0dc03ccf7..3e0dbceb75c 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java 
@@ -72,7 +72,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
     }
 
     @Override
-    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission)
+    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
             throws DeviceAccessAuthorizationException {
         int tenantId = this.getTenantId();
         if (username == null || username.isEmpty()) {
@@ -84,10 +84,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         }
         //check for group permissions
         try {
-            if (permission == null || permission.isEmpty()) {
+            if (groupPermissions == null || groupPermissions.length == 0) {
                 return false;
             }
-            return checkGroupsPermission(username, tenantId, permission);
+            for (String groupPermission : groupPermissions) {
+                if (!checkGroupsPermission(username, tenantId, groupPermission)) {
+                    //if at least one fails, authorization fails
+                    return false;
+                }
+            }
+            return true;
         } catch (GroupManagementException | UserStoreException e) {
             throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
                                                          deviceIdentifier.getId() + " for the user : " +
@@ -101,6 +107,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         return isUserAuthorized(deviceIdentifier, username, null);
     }
 
+    @Override
+    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException {
+        return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions);
+    }
+
     @Override
     public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
         return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
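Review bot: The new loop in the `@@ -84,10 +84,16 @@` hunk fails closed on a `null` or empty array, but it does not validate the individual elements, so a `null` or blank entry goes straight into `checkGroupsPermission` and from there into `getGroups(username, …)` and `AuthorizationManager.isRoleAuthorized(role, "", …)`; how those treat an empty permission string is not visible here, and an authorization primitive should not depend on it. I would reject such entries explicitly: `if (groupPermission == null || groupPermission.trim().isEmpty() || !checkGroupsPermission(username, tenantId, groupPermission)) { return false; }`. A comment above the loop stating the rule (`// every requested permission must be granted through some group role`) is also worth adding, since the list overload implements the same conjunctive check in a different shape. The enclosing method starts in the first hunk and its admin/owner shortcut lies between the hunks.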
@@ -108,7 +120,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
 
     @Override
     public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username,
-                                                      String permission)
+                                                      String[] groupPermissions)
             throws DeviceAccessAuthorizationException {
         int tenantId = this.getTenantId();
         if (username == null || username.isEmpty()) {
@@ -121,11 +133,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
                 deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
             } else {
                 try {
-                    if (permission == null || permission.isEmpty()) {
+                    if (groupPermissions == null || groupPermissions.length == 0) {
                         return null;
                     }
                     //check for group permissions
-                    if (checkGroupsPermission(username, tenantId, permission)) {
+                    boolean isAuthorized = true;
+                    for (String groupPermission : groupPermissions) {
+                        if (!checkGroupsPermission(username, tenantId, groupPermission)) {
+                            //if at least one failed, authorizations fails and break the loop
+                            isAuthorized = false;
+                            break;
+                        }
+                    }
+                    if (isAuthorized) {
                         deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
                     } else {
                         deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
@@ -152,6 +172,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
     }
 
+    @Override
+    public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException {
+        return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions);
+    }
+
     private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
             throws DeviceAccessAuthorizationException {
         try {
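Review bot: In the `@@ -121,11 +133,19 @@` hunk the list overload still does `return null;` when `groupPermissions` is `null`/empty, while the single-device overload in the same file returns `false` for the same input; the `return` also throws away the `DeviceAuthorizationResult` built so far, and since `isUserAuthorized(List, String)` delegates with `null`, one non-admin, non-owner device in the list turns the whole result into `null` and moves the deny decision onto whether the caller null-checks. Treat the device as unauthorized and carry on instead: `deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); continue;` (the loop over `deviceIdentifiers` presumably starts above the hunk). The condition does not depend on the loop variable, so it could equally be decided once before the loop. The interface Javadoc should then state that the result is never `null`.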
@@ -165,11 +191,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } } - private boolean checkGroupsPermission(String username, int tenantId, String permission) + private boolean checkGroupsPermission(String username, int tenantId, String groupPermission) throws GroupManagementException, UserStoreException { List groups = DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username, - permission); + groupPermission); UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); if (userRealm != null && userRealm.getAuthorizationManager() != null) { Iterator groupIterator = groups.iterator(); @@ -179,7 +205,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori while (rolesIterator.hasNext()) { String role = rolesIterator.next(); if (userRealm.getAuthorizationManager().isRoleAuthorized( - "Internal/group-" + deviceGroup.getId() + "-" + role, permission, + "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) { return true; }
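Review bot: `checkGroupsPermission` never receives the `DeviceIdentifier` being authorized: it fetches the caller's groups with `getGroups(username, groupPermission)` and returns `true` as soon as any `Internal/group-<id>-<role>` role of any of those groups holds the permission, so, as far as the visible hunks show, a user who holds e.g. `device_operation` on one group they belong to satisfies the check for every device in the tenant that the admin/owner shortcut does not already cover. The commit makes this the documented group-permission check of the public service, so it is the place to tie the grant to the device: pass `deviceIdentifier` in and skip groups that do not contain it (patch 3's interface exposes a lookup of the group by `DeviceIdentifier`, the natural source). Until that is done, a note on the method such as `// NOTE: checks the permission against any group the user is in, not the device's group` would at least stop callers assuming device scoping. The method's remaining body runs between and after the two hunks.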