Allow users with CDM Admin permission to retrieve activities

master
Charitha Goonetilleke 3 years ago
parent 3fea6f79c7
commit 6f008ea65f

@ -66,7 +66,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
@HeaderParam("If-Modified-Since") String ifModifiedSince) {
Activity activity;
DeviceManagementProviderService dmService;
Response response = validateAdminUser();
Response response = validateAdminPermission();
if (response == null) {
try {
RequestValidationUtil.validateActivityId(id);
@ -103,7 +103,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
return Response.status(400).entity(
new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
}
Response validationFailedResponse = validateAdminUser();
Response validationFailedResponse = validateAdminPermission();
if (validationFailedResponse == null) {
List<Activity> activities;
ActivityList activityList = new ActivityList();
@ -184,7 +184,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
log.debug("getActivities -> Operation Code : " +operationCode+ "offset " + offset + " limit: " + limit );
}
RequestValidationUtil.validatePaginationParameters(offset, limit);
Response response = validateAdminUser();
Response response = validateAdminPermission();
if(response == null){
List<Activity> activities;
ActivityList activityList = new ActivityList();
@ -272,7 +272,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
if (log.isDebugEnabled()) {
log.debug("getActivities final timestamp " + timestamp);
}
Response response = validateAdminUser();
Response response = validateAdminPermission();
if (response == null) {
ActivityList activityList = new ActivityList();
DeviceManagementProviderService dmService;
@ -330,19 +330,21 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
}
}
private Response validateAdminUser(){
private Response validateAdminPermission() {
//TODO: also check initiated by field to check current user has added the operation, if so allow access.
try {
if (!DeviceMgtAPIUtils.isAdmin()) {
return Response.status(Response.Status.UNAUTHORIZED).entity("Unauthorized operation! Only admin role can perform " +
"this operation.").build();
if (!DeviceMgtAPIUtils.isAdminUser()) {
return Response.status(Response.Status.UNAUTHORIZED)
.entity("Unauthorized operation! Only users with CDM ADMIN PERMISSION " +
"can perform this operation.").build();
}
return null;
} catch (UserStoreException e) {
String msg
= "Error occurred while validating the user have admin role!";
String msg = "Error occurred while validating the user have admin permission!";
log.error(msg, e);
return Response.serverError().entity(
new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
}
}
}

@ -36,6 +36,7 @@
package org.wso2.carbon.device.mgt.jaxrs.util;
import io.entgra.application.mgt.common.services.ApplicationManager;
import io.entgra.application.mgt.common.services.SubscriptionManager;
import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
import org.apache.axis2.java.security.SSLProtocolSocketFactory;
@ -46,13 +47,13 @@ import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.analytics.api.AnalyticsDataAPI;
import org.wso2.carbon.analytics.stream.persistence.stub.EventStreamPersistenceAdminServiceStub;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.Utils;
import io.entgra.application.mgt.common.services.SubscriptionManager;
import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
@ -81,6 +82,7 @@ import org.wso2.carbon.device.mgt.common.spi.OTPManagementService;
import org.wso2.carbon.device.mgt.core.app.mgt.ApplicationManagementProviderService;
import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager;
import org.wso2.carbon.device.mgt.core.dto.DeviceTypeVersion;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.device.mgt.core.privacy.PrivacyComplianceProvider;
import org.wso2.carbon.device.mgt.core.search.mgt.SearchManagerService;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
@ -141,6 +143,7 @@ import java.util.Queue;
*/
public class DeviceMgtAPIUtils {
private final static String CDM_ADMIN_PERMISSION = "/device-mgt/devices/any-device/permitted-actions-under-owning-device";
private static final String NOTIFIER_FREQUENCY = "notifierFrequency";
private static final String STREAM_DEFINITION_PREFIX = "iot.per.device.stream.";
private static final String DEFAULT_HTTP_PROTOCOL = "https";
@ -873,6 +876,27 @@ public class DeviceMgtAPIUtils {
return false;
}
public static boolean isAdminUser() throws UserStoreException {
int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(true);
String userName = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
UserRealm userRealm = DeviceMgtAPIUtils.getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
return userRealm.getAuthorizationManager()
.isUserAuthorized(removeTenantDomain(userName),
PermissionUtils.getAbsolutePermissionPath(CDM_ADMIN_PERMISSION),
CarbonConstants.UI_PERMISSION_ACTION);
}
return false;
}
private static String removeTenantDomain(String username) {
String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
if (username.endsWith(tenantDomain)) {
return username.substring(0, username.lastIndexOf("@"));
}
return username;
}
public static DeviceTypeVersion convertDeviceTypeVersionWrapper(String deviceTypeName, int deviceTypeId,
DeviceTypeVersionWrapper deviceTypeVersion) {
DeviceTypeVersion typeVersion = new DeviceTypeVersion();

Loading…
Cancel
Save