Create default roles and assign permissions

When adding new tenant and if the server has configured to add default roles and assign permissions, this PR facilitates to achieve it.
4.x.x
tcdlpds@gmail.com 4 years ago
parent 338413bf1b
commit 3d38bd5570

@ -0,0 +1,49 @@
/* Copyright (c) 2020, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
*
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.common.roles.config;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlElementWrapper;
import javax.xml.bind.annotation.XmlRootElement;
import java.util.List;
@XmlRootElement(name = "DefaultRoles")
public class DefaultRoles {
private boolean enabled;
private List<Role> roles;
@XmlElement(name = "Enabled", required = true)
public boolean isEnabled() {
return enabled;
}
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
@XmlElementWrapper(name = "Roles", required = true)
@XmlElement(name = "Role", required = true)
public List<Role> getRoles() {
return roles;
}
public void setRoles(List<Role> roles) {
this.roles = roles;
}
}

@ -0,0 +1,49 @@
/* Copyright (c) 2020, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
*
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.common.roles.config;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlElementWrapper;
import javax.xml.bind.annotation.XmlRootElement;
import java.util.List;
@XmlRootElement(name = "Role")
public class Role {
private String name;
private List<String> permissions;
@XmlElement(name = "Name", required = true)
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
@XmlElementWrapper(name = "Permissions", required = true)
@XmlElement(name = "Permission", required = true)
public List<String> getPermissions() {
return permissions;
}
public void setPermissions(List<String> permissions) {
this.permissions = permissions;
}
}

@ -18,6 +18,7 @@
package org.wso2.carbon.device.mgt.core.config;
import org.wso2.carbon.device.mgt.common.enrollment.notification.EnrollmentNotificationConfiguration;
import org.wso2.carbon.device.mgt.common.roles.config.DefaultRoles;
import org.wso2.carbon.device.mgt.core.config.analytics.OperationAnalyticsConfiguration;
import org.wso2.carbon.device.mgt.core.config.archival.ArchivalConfiguration;
import org.wso2.carbon.device.mgt.core.config.cache.CertificateCacheConfiguration;
@ -60,7 +61,7 @@ public final class DeviceManagementConfig {
private RemoteSessionConfiguration remoteSessionConfiguration;
private ArchivalConfiguration archivalConfiguration;
private EnrollmentNotificationConfiguration enrollmentNotificationConfiguration;
private DefaultRoles defaultRoles;
@XmlElement(name = "ManagementRepository", required = true)
public DeviceManagementConfigRepository getDeviceManagementConfigRepository() {
@ -215,5 +216,10 @@ public final class DeviceManagementConfig {
EnrollmentNotificationConfiguration enrollmentNotificationConfiguration) {
this.enrollmentNotificationConfiguration = enrollmentNotificationConfiguration;
}
@XmlElement(name = "DefaultRoles", required = true)
public DefaultRoles getDefaultRoles() { return defaultRoles; }
public void setDefaultRoles(DefaultRoles defaultRoles) { this.defaultRoles = defaultRoles; }
}

@ -72,9 +72,11 @@ import org.wso2.carbon.device.mgt.core.task.DeviceTaskManagerService;
import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager;
import org.wso2.carbon.device.mgt.core.util.DeviceManagementSchemaInitializer;
import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
import org.wso2.carbon.device.mgt.core.util.DeviceMgtTenantMgtListener;
import org.wso2.carbon.email.sender.core.service.EmailSenderService;
import org.wso2.carbon.ndatasource.core.DataSourceService;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.stratos.common.listeners.TenantMgtListener;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.Axis2ConfigurationContextObserver;
import org.wso2.carbon.utils.ConfigurationContextService;
@ -245,6 +247,9 @@ public class DeviceManagementServiceComponent {
componentContext.getBundleContext().registerService(PrivacyComplianceProvider.class.getName(),
privacyComplianceProvider, null);
componentContext.getBundleContext()
.registerService(TenantMgtListener.class.getName(), new DeviceMgtTenantMgtListener(), null);
if (log.isDebugEnabled()) {
log.debug("Device management core bundle has been successfully initialized");
}

@ -0,0 +1,148 @@
/* Copyright (c) 2020, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
*
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.core.util;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.common.roles.config.Role;
import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig;
import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.stratos.common.beans.TenantInfoBean;
import org.wso2.carbon.stratos.common.listeners.TenantMgtListener;
import org.wso2.carbon.user.api.Permission;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
public class DeviceMgtTenantMgtListener implements TenantMgtListener {
private static final Log log = LogFactory.getLog(DeviceMgtTenantMgtListener.class);
private static final int EXEC_ORDER = 10;
private static final String PERMISSION_ACTION = "ui.execute";
@Override
public void onTenantCreate(TenantInfoBean tenantInfoBean) {
DeviceManagementConfig config = DeviceConfigurationManager.getInstance().getDeviceManagementConfig();
if (config.getDefaultRoles().isEnabled()) {
Map<String, List<Permission>> roleMap = getValidRoleMap(config);
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext()
.setTenantDomain(tenantInfoBean.getTenantDomain(), true);
UserStoreManager userStoreManager = DeviceManagementDataHolder.getInstance().getRealmService()
.getTenantUserRealm(tenantInfoBean.getTenantId()).getUserStoreManager();
roleMap.forEach((key, value) -> {
try {
userStoreManager.addRole(key, null, value.toArray(new Permission[0]));
} catch (UserStoreException e) {
log.error("Error occurred while adding default roles into user store.", e);
}
});
} catch (UserStoreException e) {
log.error("Error occurred while getting user store manager.", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
}
@Override
public void onTenantUpdate(TenantInfoBean tenantInfoBean) {
// doing nothing
}
@Override
public void onTenantDelete(int i) {
// doing nothing
}
@Override
public void onTenantRename(int i, String s, String s1) {
// doing nothing
}
@Override
public void onTenantInitialActivation(int i) {
// doing nothing
}
@Override
public void onTenantActivation(int i) {
// doing nothing
}
@Override
public void onTenantDeactivation(int i) {
// doing nothing
}
@Override
public void onSubscriptionPlanChange(int i, String s, String s1) {
// doing nothing
}
@Override
public int getListenerOrder() {
return EXEC_ORDER;
}
@Override
public void onPreDelete(int i) {
// doing nothing
}
/**
* Use the default roles defined in the cdm-config and evaluate the defined permissions. If permissions does not
* exist then exclude them and return role map which contains defined roles in the cdm-config and existing
* permission list as a roleMap
* @param config cdm-config
* @return {@link Map} key is role name and value is list of permissions which needs to be assigned to the role
* defined in the key.
*/
private Map<String, List<Permission>> getValidRoleMap(DeviceManagementConfig config) {
Map<String, List<Permission>> roleMap = new HashMap<>();
try {
for (Role role : config.getDefaultRoles().getRoles()) {
List<Permission> permissionList = new ArrayList<>();
for (String permissionPath : role.getPermissions()) {
if (PermissionUtils.checkResourceExists(permissionPath)) {
Permission permission = new Permission(permissionPath, PERMISSION_ACTION);
permissionList.add(permission);
} else {
log.warn("Permission " + permissionPath + " does not exist. Hence it will not add to role "
+ role.getName());
}
}
roleMap.put(role.getName(), permissionList);
}
} catch (PermissionManagementException | RegistryException e) {
log.error("Error occurred while checking permission existence.", e);
}
return roleMap;
}
}

@ -159,5 +159,16 @@
<ExtensionClass>org.wso2.carbon.device.mgt.common.enrollment.notification.EnrollmentNotifier</ExtensionClass>
<NotifyingInternalHost>http://localhost:8280</NotifyingInternalHost>
</EnrolmentNotificationConfiguration>
<DefaultRoles>
<Enabled>false</Enabled>
<Roles>
<Role>
<Name>test_role</Name>
<Permissions>
<Permission>/permission/admin/Login</Permission>
</Permissions>
</Role>
</Roles>
</DefaultRoles>
</DeviceMgtConfiguration>

Loading…
Cancel
Save