|
|
|
@ -20,20 +20,26 @@ package org.wso2.carbon.device.mgt.core.authorization;
|
|
|
|
|
|
|
|
|
|
import org.apache.commons.logging.Log;
|
|
|
|
|
import org.apache.commons.logging.LogFactory;
|
|
|
|
|
import org.wso2.carbon.CarbonConstants;
|
|
|
|
|
import org.wso2.carbon.context.CarbonContext;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.*;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.Device;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.DeviceManagementException;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
|
|
|
|
|
import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder;
|
|
|
|
|
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
|
|
|
|
|
import org.wso2.carbon.user.api.UserRealm;
|
|
|
|
|
import org.wso2.carbon.user.api.UserStoreException;
|
|
|
|
|
import org.wso2.carbon.user.api.UserStoreManager;
|
|
|
|
|
|
|
|
|
|
import java.util.HashMap;
|
|
|
|
|
import java.util.Iterator;
|
|
|
|
|
import java.util.List;
|
|
|
|
|
import java.util.Map;
|
|
|
|
|
|
|
|
|
@ -66,157 +72,173 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
|
|
|
|
|
boolean status;
|
|
|
|
|
String username = this.getUserName();
|
|
|
|
|
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
int tenantId = this.getTenantId();
|
|
|
|
|
if (username == null || username.isEmpty()) {
|
|
|
|
|
return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType());
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
try {
|
|
|
|
|
//Check for admin users. If the user is an admin user we authorize the access to that device.
|
|
|
|
|
status = isAdminUser(username, tenantId);
|
|
|
|
|
} catch (UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " + username, e);
|
|
|
|
|
//check for admin and ownership permissions
|
|
|
|
|
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
//Check for device ownership. If the user is the owner of the device we allow the access.
|
|
|
|
|
if (!status) {
|
|
|
|
|
//check for group permissions
|
|
|
|
|
try {
|
|
|
|
|
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
|
|
|
|
|
getDevice(deviceIdentifier);
|
|
|
|
|
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
|
|
|
|
|
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
|
|
|
|
|
status = true;
|
|
|
|
|
if (groupPermissions == null || groupPermissions.length == 0) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
} catch (DeviceManagementException e) {
|
|
|
|
|
for (String groupPermission : groupPermissions) {
|
|
|
|
|
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
|
|
|
|
|
//if at least one fails, authorization fails
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
} catch (GroupManagementException | UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " + username, e);
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return status;
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
return isUserAuthorized(deviceIdentifier, username, null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
|
|
|
|
|
DeviceAccessAuthorizationException {
|
|
|
|
|
boolean status;
|
|
|
|
|
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
|
|
|
|
|
String username = this.getUserName();
|
|
|
|
|
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
|
|
|
|
|
return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
|
|
|
|
|
String[] groupPermissions)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
int tenantId = this.getTenantId();
|
|
|
|
|
if (username == null || username.isEmpty()) {
|
|
|
|
|
return deviceAuthorizationResult;
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
|
|
|
|
|
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
|
|
|
|
|
//check for admin and ownership permissions
|
|
|
|
|
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
|
|
|
|
|
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
|
|
|
|
|
} else {
|
|
|
|
|
try {
|
|
|
|
|
//Check for admin users. If the user is an admin user we authorize the access to that device.
|
|
|
|
|
status = isAdminUser(username, tenantId);
|
|
|
|
|
} catch (UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
if (groupPermissions == null || groupPermissions.length == 0) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
//Check for device ownership. If the user is the owner of the device we allow the access.
|
|
|
|
|
if (!status) {
|
|
|
|
|
try {
|
|
|
|
|
//Get the list of devices of the user
|
|
|
|
|
List<Device> devicesOfUser = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
|
|
|
|
|
getDevicesOfUser(username);
|
|
|
|
|
//Convert device-list to a Map
|
|
|
|
|
Map<String, String> ownershipData = this.getOwnershipOfDevices(devicesOfUser);
|
|
|
|
|
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
|
|
|
|
|
if (ownershipData.containsKey(deviceIdentifier.getId())) {
|
|
|
|
|
//check for group permissions
|
|
|
|
|
boolean isAuthorized = true;
|
|
|
|
|
for (String groupPermission : groupPermissions) {
|
|
|
|
|
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
|
|
|
|
|
//if at least one failed, authorizations fails and break the loop
|
|
|
|
|
isAuthorized = false;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (isAuthorized) {
|
|
|
|
|
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
|
|
|
|
|
} else {
|
|
|
|
|
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
|
|
|
|
|
}
|
|
|
|
|
} catch (GroupManagementException | UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
}
|
|
|
|
|
} catch (DeviceManagementException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
|
|
|
|
|
+ username, e);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
|
|
|
|
|
}
|
|
|
|
|
return deviceAuthorizationResult;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username)
|
|
|
|
|
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
boolean status;
|
|
|
|
|
int tenantId = this.getTenantId();
|
|
|
|
|
if (username == null || username.isEmpty()) {
|
|
|
|
|
return false;
|
|
|
|
|
return isUserAuthorized(deviceIdentifiers, username, null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
try {
|
|
|
|
|
//Check for admin users. If the user is an admin user we authorize the access to that device.
|
|
|
|
|
status = isAdminUser(username, tenantId);
|
|
|
|
|
//First Check for admin users. If the user is an admin user we authorize the access to that device.
|
|
|
|
|
//Secondly Check for device ownership. If the user is the owner of the device we allow the access.
|
|
|
|
|
return (isAdminUser(username, tenantId) || isDeviceOwner(deviceIdentifier, username));
|
|
|
|
|
} catch (UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " + username, e);
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
}
|
|
|
|
|
//Check for device ownership. If the user is the owner of the device we allow the access.
|
|
|
|
|
if (!status) {
|
|
|
|
|
try {
|
|
|
|
|
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
|
|
|
|
|
getDevice(deviceIdentifier);
|
|
|
|
|
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
|
|
|
|
|
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
|
|
|
|
|
status = true;
|
|
|
|
|
}
|
|
|
|
|
} catch (DeviceManagementException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " + username, e);
|
|
|
|
|
|
|
|
|
|
private boolean checkGroupsPermission(String username, int tenantId, String groupPermission)
|
|
|
|
|
throws GroupManagementException, UserStoreException {
|
|
|
|
|
List<DeviceGroup> groups =
|
|
|
|
|
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
|
|
|
|
|
groupPermission);
|
|
|
|
|
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
|
|
|
|
|
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
|
|
|
|
|
Iterator<DeviceGroup> groupIterator = groups.iterator();
|
|
|
|
|
while (groupIterator.hasNext()) {
|
|
|
|
|
DeviceGroup deviceGroup = groupIterator.next();
|
|
|
|
|
Iterator<String> rolesIterator = deviceGroup.getRoles().iterator();
|
|
|
|
|
while (rolesIterator.hasNext()) {
|
|
|
|
|
String role = rolesIterator.next();
|
|
|
|
|
if (userRealm.getAuthorizationManager().isRoleAuthorized(
|
|
|
|
|
"Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
|
|
|
|
|
CarbonConstants.UI_PERMISSION_ACTION)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
boolean status;
|
|
|
|
|
int tenantId = this.getTenantId();
|
|
|
|
|
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
|
|
|
|
|
if (username == null || username.isEmpty()) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
try {
|
|
|
|
|
//Check for admin users. If the user is an admin user we authorize the access to that device.
|
|
|
|
|
status = isAdminUser(username, tenantId);
|
|
|
|
|
} catch (UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private boolean isDeviceOwner(DeviceIdentifier deviceIdentifier, String username)
|
|
|
|
|
throws DeviceAccessAuthorizationException {
|
|
|
|
|
//Check for device ownership. If the user is the owner of the device we allow the access.
|
|
|
|
|
if (!status) {
|
|
|
|
|
try {
|
|
|
|
|
Device device;
|
|
|
|
|
EnrolmentInfo enrolmentInfo;
|
|
|
|
|
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
|
|
|
|
|
device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
|
|
|
|
|
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
|
|
|
|
|
getDevice(deviceIdentifier);
|
|
|
|
|
enrolmentInfo = device.getEnrolmentInfo();
|
|
|
|
|
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
|
|
|
|
|
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
|
|
|
|
|
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
|
|
|
|
|
} else {
|
|
|
|
|
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
} catch (DeviceManagementException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
|
|
|
|
|
+ username, e);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
}
|
|
|
|
|
return deviceAuthorizationResult;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private boolean isAdminUser(String username, int tenantId) throws UserStoreException {
|
|
|
|
|
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
|
|
|
|
|
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
|
|
|
|
|
return userRealm.getAuthorizationManager()
|
|
|
|
|
.isUserAuthorized(removeTenantDomain(username), PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION),
|
|
|
|
|
.isUserAuthorized(removeTenantDomain(username),
|
|
|
|
|
PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION),
|
|
|
|
|
PermissionMethod.UI_EXECUTE);
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|