Added scope validator and refactored code

revert-70aa11f8
harshanl 9 years ago
parent 648d8ec209
commit 77f5f466d6

@ -55,7 +55,7 @@ public class Permission {
return scope;
}
@XmlElement(name = "scope", required = true)
@XmlElement(name = "scope", required = false)
public void setScope(String scope) {
this.scope = scope;
}

@ -17,6 +17,9 @@
*/
package org.wso2.carbon.device.mgt.common.permission.mgt;
/**
* Custom exception class of Permission related operations.
*/
public class PermissionManagementException extends Exception {
private static final long serialVersionUID = -3151279311929070298L;

@ -26,7 +26,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.core.config.permission.PermissionConfiguration;
import org.wso2.carbon.device.mgt.core.permission.mgt.RegistryBasedPermissionManagerServiceImpl;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
import javax.servlet.ServletContext;
import javax.xml.bind.JAXBContext;
@ -35,6 +35,10 @@ import javax.xml.bind.Unmarshaller;
import java.io.File;
import java.io.InputStream;
/**
* This listener class will initiate the permission addition of permissions defined in
* permission.xml of any web-app.
*/
@SuppressWarnings("unused")
public class WebAppDeploymentLifecycleListener implements LifecycleListener {
@ -56,7 +60,7 @@ public class WebAppDeploymentLifecycleListener implements LifecycleListener {
unmarshaller.unmarshal(permissionStream);
if (permissionConfiguration != null &&
permissionConfiguration.getPermissions() != null) {
RegistryBasedPermissionManagerServiceImpl.getInstance().addPermissions(
PermissionManagerServiceImpl.getInstance().addPermissions(
permissionConfiguration.getPermissions());
}
}

@ -45,7 +45,7 @@ import org.wso2.carbon.device.mgt.core.notification.mgt.NotificationManagementSe
import org.wso2.carbon.device.mgt.core.notification.mgt.dao.NotificationManagementDAOFactory;
import org.wso2.carbon.device.mgt.core.operation.mgt.OperationManagerImpl;
import org.wso2.carbon.device.mgt.core.operation.mgt.dao.OperationManagementDAOFactory;
import org.wso2.carbon.device.mgt.core.permission.mgt.RegistryBasedPermissionManagerServiceImpl;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderServiceImpl;
import org.wso2.carbon.device.mgt.core.util.DeviceManagementSchemaInitializer;
@ -191,7 +191,7 @@ public class DeviceManagementServiceComponent {
/* Registering PermissionManager Service */
PermissionManagerService permissionManagerService
= RegistryBasedPermissionManagerServiceImpl.getInstance();
= PermissionManagerServiceImpl.getInstance();
bundleContext.registerService(PermissionManagerService.class.getName(), permissionManagerService, null);
/* Registering App Management service */

@ -29,21 +29,21 @@ import java.util.Properties;
* This class will add, update custom permissions defined in permission.xml in webapps and it will
* use Registry as the persistence storage.
*/
public class RegistryBasedPermissionManagerServiceImpl implements PermissionManagerService {
public class PermissionManagerServiceImpl implements PermissionManagerService {
public static final String URL_PROPERTY = "URL";
public static final String HTTP_METHOD_PROPERTY = "HTTP_METHOD";
private static RegistryBasedPermissionManagerServiceImpl registryBasedPermissionManager;
private static PermissionManagerServiceImpl registryBasedPermissionManager;
private static PermissionTree permissionTree; // holds the permissions at runtime.
private RegistryBasedPermissionManagerServiceImpl() {
private PermissionManagerServiceImpl() {
}
public static RegistryBasedPermissionManagerServiceImpl getInstance() {
public static PermissionManagerServiceImpl getInstance() {
if (registryBasedPermissionManager == null) {
synchronized (RegistryBasedPermissionManagerServiceImpl.class) {
synchronized (PermissionManagerServiceImpl.class) {
if (registryBasedPermissionManager == null) {
registryBasedPermissionManager = new RegistryBasedPermissionManagerServiceImpl();
registryBasedPermissionManager = new PermissionManagerServiceImpl();
permissionTree = new PermissionTree();
}
}

@ -31,6 +31,7 @@ import org.wso2.carbon.registry.core.Registry;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.File;
import java.util.StringTokenizer;
/**
* Utility class which holds necessary utility methods required for persisting permissions in
@ -71,12 +72,16 @@ public class PermissionUtils {
throws PermissionManagementException {
boolean status;
try {
Resource resource = PermissionUtils.getGovernanceRegistry().newCollection();
resource.addProperty(PERMISSION_PROPERTY_NAME, permission.getName());
PermissionUtils.getGovernanceRegistry().beginTransaction();
PermissionUtils.getGovernanceRegistry().put(ADMIN_PERMISSION_REGISTRY_PATH +
permission.getPath(), resource);
PermissionUtils.getGovernanceRegistry().commitTransaction();
StringTokenizer tokenizer = new StringTokenizer(permission.getPath(), "/");
String lastToken = "", currentToken, tempPath;
while(tokenizer.hasMoreTokens()){
currentToken = tokenizer.nextToken();
tempPath = lastToken + "/" + currentToken;
if(!checkResourceExists(tempPath)){
createRegistryCollection(tempPath, currentToken.substring(0));
}
lastToken = tempPath;
}
status = true;
} catch (RegistryException e) {
throw new PermissionManagementException(
@ -86,10 +91,21 @@ public class PermissionUtils {
return status;
}
public static boolean checkPermissionExistence(Permission permission)
public static void createRegistryCollection(String path, String resourceName)
throws PermissionManagementException,
RegistryException {
Resource resource = PermissionUtils.getGovernanceRegistry().newCollection();
resource.addProperty(PERMISSION_PROPERTY_NAME, resourceName);
PermissionUtils.getGovernanceRegistry().beginTransaction();
PermissionUtils.getGovernanceRegistry().put(ADMIN_PERMISSION_REGISTRY_PATH +
path, resource);
PermissionUtils.getGovernanceRegistry().commitTransaction();
}
public static boolean checkResourceExists(String path)
throws PermissionManagementException,
org.wso2.carbon.registry.core.exceptions.RegistryException {
return PermissionUtils.getGovernanceRegistry().resourceExists(permission.getPath());
return PermissionUtils.getGovernanceRegistry().resourceExists(path);
}
public static Document convertToDocument(File file) throws PermissionManagementException {

@ -123,8 +123,8 @@ public class DynamicRegistrationManager {
//Check whether this is an already registered application
if (!dynamicRegistrationManager.isRegisteredOAuthApplication(webAppName)) {
//Construct the RegistrationProfile
registrationProfile = DynamicClientWebAppRegistrationUtil
.constructRegistrationProfile(servletContext, webAppName);
registrationProfile = DynamicClientWebAppRegistrationUtil.
constructRegistrationProfile(servletContext, webAppName);
//Register the OAuth application
oAuthApp = dynamicRegistrationManager.registerOAuthApplication(
registrationProfile);

@ -1,63 +0,0 @@
/*
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* you may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;
/**
* Created by harshan on 10/2/15.
*/
public class OAuthExtensionsUtils {
public static void getRolePermissions(String role){
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
try {
int tenantId = realmService.getTenantManager().getTenantId("tenant-domain");
AuthorizationManager
authorizationManager = realmService.getTenantUserRealm(tenantId).getAuthorizationManager();
// authorizationManager.is
} catch (UserStoreException e) {
e.printStackTrace();
}
}
public static void getUserPermissions(String userName){
}
public static String[] getUserRoles(String userName){
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
try {
int tenantId = realmService.getTenantManager().getTenantId("tenant-domain");
UserStoreManager userStoreManager = realmService.getTenantUserRealm(tenantId).getUserStoreManager();
return userStoreManager.getRoleListOfUser(userName);
} catch (UserStoreException e) {
e.printStackTrace();
}
return new String[0];
}
public static void getScopePermissions(String scopeKey){
}
}

@ -27,7 +27,8 @@ import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;
/**
* Created by harshan on 10/1/15.
* This class represents a Custom OAuthCallback Handler implementation. This should be implemented
* if there's any necessity of custom logic to authorize OAuthCallbacks.
*/
public class DeviceMgtOAuthCallbackHandler extends AbstractOAuthCallbackHandler {
@ -55,7 +56,7 @@ public class DeviceMgtOAuthCallbackHandler extends AbstractOAuthCallbackHandler
String[] scopes = oauthCallback.getRequestedScope();
oauthCallback.setApprovedScope(scopes);
oauthCallback.setValidScope(true);
//TODO Need to write the necessary logic to validate the scope
//Add the necessary logic if we are doing the scope validation upon token issue
}
}

@ -23,7 +23,7 @@ import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.user.core.service.RealmService;
/**
* Created by harshan on 10/2/15.
* This holds the OSGi service references required for oauth extensions bundle.
*/
public class OAuthExtensionsDataHolder {

@ -1,37 +0,0 @@
/*
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* you may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator;
import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
/**
* OAuth2 Token validator implementation which supports custom token validation logic specific
* to MDM.
*/
public class OAuth2TokenValidator extends DefaultOAuth2TokenValidator {
@Override
public boolean validateAccessToken(
OAuth2TokenValidationMessageContext validationReqDTO) throws IdentityOAuth2Exception {
//for now there's no specific logic to handle in token validation
return true;
}
}

@ -28,12 +28,14 @@ import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataH
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import java.util.Properties;
/**
* Custom OAuth2Token Scope validation implementation.
* Custom OAuth2Token Scope validation implementation for DeviceManagement. This will validate the
* user permissions before dispatching the HTTP request to the actual endpoint.
*/
public class ScopeValidator extends OAuth2ScopeValidator {
@ -72,6 +74,11 @@ public class ScopeValidator extends OAuth2ScopeValidator {
status = CarbonContext.getThreadLocalCarbonContext().getUserRealm().
getAuthorizationManager().isUserAuthorized(username, permission.getPath(),
ScopeValidator.PermissionMethod.READ);
UserRealm userRealm = CarbonContext.getThreadLocalCarbonContext().getUserRealm();
if(userRealm != null && userRealm.getAuthorizationManager() != null){
status = userRealm.getAuthorizationManager().isUserAuthorized(username, permission.getPath(),
ScopeValidator.PermissionMethod.READ);
}
} catch (PermissionManagementException e) {
log.error("Error occurred while validating the resource scope for : " + resource +

@ -30,6 +30,7 @@ import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
import org.wso2.carbon.webapp.authenticator.framework.Constants;
@ -122,6 +123,8 @@ public class OAuthAuthenticator implements WebappAuthenticator {
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(
IdentityUtil.getTenantIdOFUser(username));
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
MultitenantUtils.getTenantDomain(username));
} catch (IdentityException e) {
throw new AuthenticationException(
"Error occurred while retrieving the tenant ID of user '" +

@ -25,7 +25,7 @@ import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.core.permission.mgt.RegistryBasedPermissionManagerServiceImpl;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.webapp.authenticator.framework.Constants;
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
@ -49,7 +49,8 @@ public class PermissionAuthorizer {
return WebappAuthenticator.Status.CONTINUE;
}
RegistryBasedPermissionManagerServiceImpl registryBasedPermissionManager = RegistryBasedPermissionManagerServiceImpl.getInstance();
PermissionManagerServiceImpl
registryBasedPermissionManager = PermissionManagerServiceImpl.getInstance();
Properties properties = new Properties();
properties.put("",requestUri);
properties.put("",requestMethod);

Loading…
Cancel
Save