Adding group permission checking for Device Access Authorizations

4.x.x
Rasika Perera 9 years ago
parent 07c0aa1045
commit 38cdd94f3c

@ -51,6 +51,32 @@ public interface DeviceAccessAuthorizationService {
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
DeviceAccessAuthorizationException; DeviceAccessAuthorizationException;
/**
* This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier.
*
* @param deviceIdentifier - DeviceIdentifier of the device to be checked.
* @param username - Username of the user to be checked for authorization.
* @param permission - Permission
* @return Boolean authorization result.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException;
/**
* This method will check whether the given user has the access to the devices identified by the given
* DeviceIdentifier list.
*
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
* @param username - User name
* @param permission - Permission
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
* unauthorized devices.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, String permission) throws
DeviceAccessAuthorizationException;
/** /**
* This method will check whether the given user has the access to the device identified by the given * This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier. * DeviceIdentifier.

@ -20,20 +20,26 @@ package org.wso2.carbon.device.mgt.core.authorization;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.*; import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.DeviceManagementException;
import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult; import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder; import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils; import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -66,158 +72,148 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
} }
@Override @Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission)
boolean status; throws DeviceAccessAuthorizationException {
String username = this.getUserName();
int tenantId = this.getTenantId(); int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) { if (username == null || username.isEmpty()) {
return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType()); return false;
} }
try { //check for admin and ownership permissions
//Check for admin users. If the user is an admin user we authorize the access to that device. if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
status = isAdminUser(username, tenantId); return true;
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
} }
//Check for device ownership. If the user is the owner of the device we allow the access. //check for group permissions
if (!status) { try {
try { if (permission == null || permission.isEmpty()) {
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). return false;
getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
status = true;
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
} }
return checkGroupsPermission(username, tenantId, permission);
} catch (GroupManagementException | UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
username, e);
} }
return status;
} }
@Override @Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username)
DeviceAccessAuthorizationException { throws DeviceAccessAuthorizationException {
boolean status; return isUserAuthorized(deviceIdentifier, username, null);
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult(); }
String username = this.getUserName();
@Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
String permission)
throws DeviceAccessAuthorizationException {
int tenantId = this.getTenantId(); int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) { if (username == null || username.isEmpty()) {
return deviceAuthorizationResult; return null;
}
try {
//Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId);
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " +
username, e);
} }
//Check for device ownership. If the user is the owner of the device we allow the access. DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
if (!status) { for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
try { //check for admin and ownership permissions
//Get the list of devices of the user if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
List<Device> devicesOfUser = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
getDevicesOfUser(username); } else {
//Convert device-list to a Map try {
Map<String, String> ownershipData = this.getOwnershipOfDevices(devicesOfUser); if (permission == null || permission.isEmpty()) {
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) { return null;
if (ownershipData.containsKey(deviceIdentifier.getId())) { }
//check for group permissions
if (checkGroupsPermission(username, tenantId, permission)) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else { } else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
} }
} catch (GroupManagementException | UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
username, e);
} }
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
+ username, e);
} }
} else {
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
} }
return deviceAuthorizationResult; return deviceAuthorizationResult;
} }
@Override @Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username) public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifiers, username, null);
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
}
private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
throws DeviceAccessAuthorizationException { throws DeviceAccessAuthorizationException {
boolean status;
int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) {
return false;
}
try { try {
//Check for admin users. If the user is an admin user we authorize the access to that device. //First Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId); //Secondly Check for device ownership. If the user is the owner of the device we allow the access.
return (isAdminUser(username, tenantId) || isDeviceOwner(deviceIdentifier, username));
} catch (UserStoreException e) { } catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e); deviceIdentifier.getId() + " for the user : " +
username, e);
} }
//Check for device ownership. If the user is the owner of the device we allow the access. }
if (!status) {
try { private boolean checkGroupsPermission(String username, int tenantId, String permission)
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). throws GroupManagementException, UserStoreException {
getDevice(deviceIdentifier); List<DeviceGroup> groups =
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo(); DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) { permission);
status = true; UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
Iterator<DeviceGroup> groupIterator = groups.iterator();
while (groupIterator.hasNext()) {
DeviceGroup deviceGroup = groupIterator.next();
Iterator<String> rolesIterator = deviceGroup.getRoles().iterator();
while (rolesIterator.hasNext()) {
String role = rolesIterator.next();
if (userRealm.getAuthorizationManager().isRoleAuthorized(
"Internal/group-" + deviceGroup.getId() + "-" + role, permission,
CarbonConstants.UI_PERMISSION_ACTION)) {
return true;
}
} }
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
} }
} }
return status; return false;
} }
@Override private boolean isDeviceOwner(DeviceIdentifier deviceIdentifier, String username)
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username) throws DeviceAccessAuthorizationException {
throws DeviceAccessAuthorizationException {
boolean status;
int tenantId = this.getTenantId();
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
if (username == null || username.isEmpty()) {
return null;
}
try {
//Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId);
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " +
username, e);
}
//Check for device ownership. If the user is the owner of the device we allow the access. //Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) { try {
try { Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
Device device; getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo; EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) { if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). return true;
getDevice(deviceIdentifier);
enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
}
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
+ username, e);
} }
} else { } catch (DeviceManagementException e) {
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers); throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
username, e);
} }
return deviceAuthorizationResult; return false;
} }
private boolean isAdminUser(String username, int tenantId) throws UserStoreException { private boolean isAdminUser(String username, int tenantId) throws UserStoreException {
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) { if (userRealm != null && userRealm.getAuthorizationManager() != null) {
return userRealm.getAuthorizationManager() return userRealm.getAuthorizationManager()
.isUserAuthorized(removeTenantDomain(username), PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION), .isUserAuthorized(removeTenantDomain(username),
PermissionMethod.UI_EXECUTE); PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION),
PermissionMethod.UI_EXECUTE);
} }
return false; return false;
} }

@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManager;
import org.wso2.carbon.device.mgt.core.app.mgt.config.AppManagementConfig; import org.wso2.carbon.device.mgt.core.app.mgt.config.AppManagementConfig;
import org.wso2.carbon.device.mgt.core.config.license.LicenseConfig; import org.wso2.carbon.device.mgt.core.config.license.LicenseConfig;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService;
import org.wso2.carbon.ntask.core.service.TaskService; import org.wso2.carbon.ntask.core.service.TaskService;
import org.wso2.carbon.registry.core.service.RegistryService; import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
@ -47,6 +48,7 @@ public class DeviceManagementDataHolder {
private ConfigurationContextService configurationContextService; private ConfigurationContextService configurationContextService;
private HashMap<String,Boolean> requireDeviceAuthorization = new HashMap<>(); private HashMap<String,Boolean> requireDeviceAuthorization = new HashMap<>();
private DeviceAccessAuthorizationService deviceAccessAuthorizationService; private DeviceAccessAuthorizationService deviceAccessAuthorizationService;
private GroupManagementProviderService groupManagementProviderService;
private TaskService taskService; private TaskService taskService;
//private EmailSenderService emailSenderService; //private EmailSenderService emailSenderService;
@ -91,6 +93,15 @@ public class DeviceManagementDataHolder {
this.deviceManagerProvider = deviceManagerProvider; this.deviceManagerProvider = deviceManagerProvider;
} }
public GroupManagementProviderService getGroupManagementProviderService() {
return groupManagementProviderService;
}
public void setGroupManagementProviderService(
GroupManagementProviderService groupManagementProviderService) {
this.groupManagementProviderService = groupManagementProviderService;
}
public RegistryService getRegistryService() { public RegistryService getRegistryService() {
if (registryService == null) { if (registryService == null) {
throw new IllegalStateException("Registry service is not initialized properly"); throw new IllegalStateException("Registry service is not initialized properly");

@ -195,6 +195,7 @@ public class DeviceManagementServiceComponent {
/* Registering Group Management Service */ /* Registering Group Management Service */
GroupManagementProviderService groupManagementProvider = new GroupManagementProviderServiceImpl(); GroupManagementProviderService groupManagementProvider = new GroupManagementProviderServiceImpl();
DeviceManagementDataHolder.getInstance().setGroupManagementProviderService(groupManagementProvider);
bundleContext.registerService(GroupManagementProviderService.class.getName(), groupManagementProvider, null); bundleContext.registerService(GroupManagementProviderService.class.getName(), groupManagementProvider, null);
/* Registering Tenant Configuration Management Service */ /* Registering Tenant Configuration Management Service */

Loading…
Cancel
Save