From adc3b652bf601f7b61b6e8883413fbcba972854f Mon Sep 17 00:00:00 2001 From: manoj Date: Fri, 13 Nov 2015 18:57:45 +0530 Subject: [PATCH 1/4] Add authentication method boolean check. Android allows user level authentication. IOS and windows allow device authetication. This is a temporary fix until fix windows and IOS certifcate level user extraction --- .../mgt/core/DeviceManagementPluginRepository.java | 2 +- .../mgt/core/internal/DeviceManagementDataHolder.java | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java index ae94f52811..351d6fa2ae 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java @@ -41,7 +41,7 @@ public class DeviceManagementPluginRepository implements DeviceManagerStartupLis } public void addDeviceManagementProvider(DeviceManagementService provider) throws DeviceManagementException { - String deviceType = provider.getType(); + String deviceType = provider.getType(); synchronized (providers) { try { if (isInited) { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java index d59962a619..25255df402 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java 
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java @@ -29,6 +29,8 @@ import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.tenant.TenantManager; import org.wso2.carbon.utils.ConfigurationContextService; +import java.util.HashMap; + public class DeviceManagementDataHolder { private RealmService realmService; @@ -41,6 +43,7 @@ public class DeviceManagementDataHolder { private AppManagementConfig appManagerConfig; private OperationManager operationManager; private ConfigurationContextService configurationContextService; + private HashMap isUserLevelAutherizationAllowMap; private static DeviceManagementDataHolder thisInstance = new DeviceManagementDataHolder(); @@ -143,4 +146,11 @@ public class DeviceManagementDataHolder { this.configurationContextService = configurationContextService; } + public void setIsUserLevelAutherizationAllow(String pluginType, boolean isAllowUserAuthentication) { + isUserLevelAutherizationAllowMap.put(pluginType,isAllowUserAuthentication); + } + + public boolean getIsUserLevelAutherizationAllow(String pluginType) { + return isUserLevelAutherizationAllowMap.get(pluginType); + } } From 22c2da7fcbecbec0428a0102a530306055cb6977 Mon Sep 17 00:00:00 2001 From: manoj Date: Fri, 13 Nov 2015 21:22:38 +0530 Subject: [PATCH 2/4] Set user level autherization is support by plugin or not --- .../device/mgt/core/DeviceManagementPluginRepository.java | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java index 971212b923..ed06671f0f 100644 
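Review bot: `getIsUserLevelAutherizationAllow` returns `isUserLevelAutherizationAllowMap.get(pluginType)` straight into a `boolean`, so a plugin type with no entry unboxes null and throws a NullPointerException instead of producing a decision. The same lookup survives the rename in PATCH 4/4 (`requireDeviceAuthorization(String pluginType)`), where it is called from the authorization code with the type taken from the device identifier. An explicit default makes the missing-entry case deliberate: `Boolean allowed = isUserLevelAutherizationAllowMap.get(pluginType);` followed by `return allowed == null || allowed;`, assuming `true` is the stricter setting, as the TODO in PATCH 2/4 suggests. In this patch the map field is also declared without an initializer, so `put` fails until PATCH 4/4 adds `new HashMap<>()`.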
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java @@ -21,6 +21,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.device.mgt.common.DeviceManagementException; import org.wso2.carbon.device.mgt.common.spi.DeviceManagementService; +import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder; import org.wso2.carbon.device.mgt.core.internal.DeviceManagementServiceComponent; import org.wso2.carbon.device.mgt.core.internal.DeviceManagerStartupListener; import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil; @@ -76,6 +77,12 @@ public class DeviceManagementPluginRepository implements DeviceManagerStartupLis try { provider.init(); DeviceManagerUtil.registerDeviceType(provider.getType()); + //TODO: + //This is a temporory fix. + //windows and IOS cannot resolve user info by extracting certs + //until fix that, use following variable to enable and disable of checking user authorization. + + DeviceManagementDataHolder.getInstance().setIsUserLevelAutherizationAllow(provider.getType(),true); } catch (Throwable e) { /* Throwable is caught intentionally as failure of one plugin - due to invalid start up parameters, etc - should not block the initialization of other device management providers */ From fdc4ad8e18e5a9d8a60f1876696e8796f3244efa Mon Sep 17 00:00:00 2001 From: manoj Date: Fri, 13 Nov 2015 21:29:47 +0530 Subject: [PATCH 3/4] Set user level autherization is support by plugin or not --- .../carbon/device/mgt/core/DeviceManagementPluginRepository.java | 1 + 1 file changed, 1 insertion(+) 
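Review bot: The new call records a literal `true` for every provider, which contradicts the TODO directly above it: that comment says Windows and iOS cannot resolve user info from certificates, yet those plugins get the same value as Android. PATCH 3/4 adds the identical hard-coded call in `addDeviceManagementProvider`. Until the plugin itself reports the value, the literal deserves a comment that says what `true` turns on and for which platforms it is a placeholder, e.g. `// true = user authorization is checked for this device type; placeholder until plugins report it`. The call also sits inside the `try` whose `catch (Throwable e)` tolerates plugin start-up failures, so an exception thrown while recording the flag is handled as a plugin failure and the type is left without an entry. The enclosing method starts and ends outside the hunk.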
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java index ed06671f0f..7159b947e4 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java @@ -49,6 +49,7 @@ public class DeviceManagementPluginRepository implements DeviceManagerStartupLis /* Initializing Device Management Service Provider */ provider.init(); DeviceManagerUtil.registerDeviceType(deviceType); + DeviceManagementDataHolder.getInstance().setIsUserLevelAutherizationAllow(provider.getType(),true); } } catch (DeviceManagementException e) { throw new DeviceManagementException("Error occurred while adding device management provider '" + From e14f09b8a87b522c9a7a26994cff69fe87a3adf1 Mon Sep 17 00:00:00 2001 From: harshanl Date: Fri, 13 Nov 2015 21:33:33 +0530 Subject: [PATCH 4/4] Added requireDeviceAuthorization support --- .../device/mgt/common/DeviceManager.java | 7 +++++++ .../core/DeviceManagementPluginRepository.java | 3 +++ .../DeviceAccessAuthorizationServiceImpl.java | 18 +++++++++--------- .../internal/DeviceManagementDataHolder.java | 10 +++++----- .../device/mgt/core/TestDeviceManager.java | 5 +++++ 5 files changed, 29 insertions(+), 14 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/DeviceManager.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/DeviceManager.java index 3481dc8e17..c019276768 100644 
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/DeviceManager.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/DeviceManager.java @@ -150,4 +150,11 @@ public interface DeviceManager { void addLicense(License license) throws LicenseManagementException; + /** + * Method to enable to device-authentication for the device-platform. + * + * @return Returns boolean status to enable or disable device-authentication. + */ + boolean requireDeviceAuthorization(); + } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java index 971212b923..24b88903d8 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementPluginRepository.java @@ -21,6 +21,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.device.mgt.common.DeviceManagementException; import org.wso2.carbon.device.mgt.common.spi.DeviceManagementService; +import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder; import org.wso2.carbon.device.mgt.core.internal.DeviceManagementServiceComponent; import org.wso2.carbon.device.mgt.core.internal.DeviceManagerStartupListener; import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil; 
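Review bot: The Javadoc on `requireDeviceAuthorization()` talks about authentication ("Method to enable to device-authentication") while the method name and its consumer are about authorization, and it does not say what either return value causes. Judging by the `@@ -74,7 +71,7 @@` hunk of `DeviceAccessAuthorizationServiceImpl` later in this patch, returning `false` means a request with no user in the context is authorized for devices of that platform, which is a security-relevant contract that implementers need to read here. Suggested wording: a summary such as `Indicates whether access to devices of this platform must be authorized against a user.` and an `@return` stating that `true` denies requests that carry no user and `false` lets them through. Adding an abstract method to this interface also breaks any `DeviceManager` implementation that is not updated with it; only `TestDeviceManager` is updated on this page.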
@@ -48,6 +49,8 @@ public class DeviceManagementPluginRepository implements DeviceManagerStartupLis /* Initializing Device Management Service Provider */ provider.init(); DeviceManagerUtil.registerDeviceType(deviceType); + DeviceManagementDataHolder.getInstance().setRequireDeviceAuthorization(deviceType, + provider.getDeviceManager().requireDeviceAuthorization()); } } catch (DeviceManagementException e) { throw new DeviceManagementException("Error occurred while adding device management provider '" + diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index 1595873737..bed880e72c 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java @@ -21,10 +21,7 @@ package org.wso2.carbon.device.mgt.core.authorization; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.context.PrivilegedCarbonContext; -import org.wso2.carbon.device.mgt.common.Device; -import org.wso2.carbon.device.mgt.common.DeviceIdentifier; -import org.wso2.carbon.device.mgt.common.DeviceManagementException; -import org.wso2.carbon.device.mgt.common.EnrolmentInfo; +import org.wso2.carbon.device.mgt.common.*; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult; 
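Review bot: The flag is recorded only on this branch of `addDeviceManagementProvider`, after `provider.init()` and apparently inside the `isInited` check; the deferred start-up path, whose `catch (Throwable e)` block is visible in the PATCH 2/4 hunk, is not touched by this patch. If that holds in the merged file, providers registered before initialization never get an entry, and the `requireDeviceAuthorization(pluginType)` lookup then unboxes null when the authorization code asks about their devices. The same call belongs after `DeviceManagerUtil.registerDeviceType(provider.getType());` in that path: `DeviceManagementDataHolder.getInstance().setRequireDeviceAuthorization(provider.getType(), provider.getDeviceManager().requireDeviceAuthorization());`. The method body continues outside the hunk.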
@@ -74,7 +71,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori String username = this.getUserName(); int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { - return false; + return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType()); } try { //Check for admin users. If the user is an admin user we authorize the access to that device. @@ -227,11 +224,14 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori private String getUserName() { String username = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername(); - String tenantDomain = MultitenantUtils.getTenantDomain(username); - if (username.endsWith(tenantDomain)) { - return username.substring(0, username.lastIndexOf("@")); + if (username != null && username.isEmpty()) { + String tenantDomain = MultitenantUtils.getTenantDomain(username); + if (username.endsWith(tenantDomain)) { + return username.substring(0, username.lastIndexOf("@")); + } + return username; } - return username; + return null; } private int getTenantId() { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java index b618288b9c..0921ef5081 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java 
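Review bot: With this return, a request that carries no username fails open for every device type whose plugin reports `requireDeviceAuthorization()` as false: the method answers `true` for whatever `deviceIdentifier` the caller passes, and nothing in the hunk ties the caller to that device. The type used for the decision comes from `deviceIdentifier.getType()`, that is, from the argument being checked, so the argument itself selects the lenient branch. If the intent is that certificate-authenticated devices may act without a user, as the PATCH 1/4 message suggests, the branch should say so and leave a trace, e.g. `// no user in context: allowed only for platforms that authenticate the device itself` plus a debug log of the device type and the decision. The method starts and ends outside the hunk, so any device-identity check done by its callers is not visible here and should be confirmed.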
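Review bot: The new guard in `getUserName()` is inverted: `if (username != null && username.isEmpty())` runs the tenant-domain stripping only for an empty string and falls through to `return null` for every real username. Together with the `@@ -74,7 +71,7 @@` hunk above, every authenticated caller is then treated as having no user, so access is granted to all callers on platforms where `requireDeviceAuthorization` is false and denied to all callers elsewhere, before the admin and ownership checks are reached. The condition should read `if (username != null && !username.isEmpty()) {`. A unit test that puts a non-empty username on the Carbon context and asserts that it comes back without the tenant suffix would catch this.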
@@ -44,7 +44,7 @@ public class DeviceManagementDataHolder { private AppManagementConfig appManagerConfig; private OperationManager operationManager; private ConfigurationContextService configurationContextService; - private HashMap isUserLevelAutherizationAllowMap; + private HashMap requireDeviceAuthorization = new HashMap<>(); private DeviceAccessAuthorizationService deviceAccessAuthorizationService; private static DeviceManagementDataHolder thisInstance = new DeviceManagementDataHolder(); @@ -148,12 +148,12 @@ public class DeviceManagementDataHolder { this.configurationContextService = configurationContextService; } - public void setIsUserLevelAutherizationAllow(String pluginType, boolean isAllowUserAuthentication) { - isUserLevelAutherizationAllowMap.put(pluginType,isAllowUserAuthentication); + public void setRequireDeviceAuthorization(String pluginType, boolean requireAuthentication) { + requireDeviceAuthorization.put(pluginType,requireAuthentication); } - public boolean getIsUserLevelAutherizationAllow(String pluginType) { - return isUserLevelAutherizationAllowMap.get(pluginType); + public boolean requireDeviceAuthorization(String pluginType) { + return requireDeviceAuthorization.get(pluginType); } public DeviceAccessAuthorizationService getDeviceAccessAuthorizationService() { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/TestDeviceManager.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/TestDeviceManager.java index a9ff90f96c..d8ed7a6dc6 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/TestDeviceManager.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/TestDeviceManager.java 
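Review bot: `requireDeviceAuthorization` is a plain `HashMap` held by the singleton `thisInstance`, written during provider registration and read from the authorization check, and neither accessor synchronizes. The write in `DeviceManagementPluginRepository` appears to run under `synchronized (providers)` (per the PATCH 1/4 context), but the read in `DeviceAccessAuthorizationServiceImpl` does not take that lock, so a registration that happens while requests are served is an unsynchronized concurrent access to the map. Declaring the field as `private final Map<String, Boolean> requireDeviceAuthorization = new ConcurrentHashMap<>();` would cover it. The setter's parameter name `requireAuthentication` also mixes authentication with the authorization the method name refers to; `requireAuthorization` would match.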
@@ -116,4 +116,9 @@ public class TestDeviceManager implements DeviceManager { } + @Override + public boolean requireDeviceAuthorization() { + return false; + } + }