From 94dd33ffa5de5ad877f7706245c64e42386b9e67 Mon Sep 17 00:00:00 2001 
From: Amalka Subasinghe Date: Sat, 26 Jun 2021 13:45:27 +0530 Subject: [PATCH] scope-role-permission refactoring and webapp authorization --- .../carbon/apimgt/annotations/api/Scope.java | 2 + .../src/main/webapp/WEB-INF/web.xml | 2 +- .../publisher/APIPublisherServiceImpl.java | 122 ++++++++++++--- .../apimgt/webapp/publisher/dto/ApiScope.java | 8 + .../lifecycle/util/AnnotationProcessor.java | 17 ++- .../ApplicationManagementPublisherAPI.java | 2 + ...pplicationManagementPublisherAdminAPI.java | 1 + .../ReviewManagementPublisherAdminAPI.java | 2 + .../services/ApplicationManagementAPI.java | 1 + .../api/services/ReviewManagementAPI.java | 2 + .../services/SubscriptionManagementAPI.java | 7 +- .../admin/ReviewManagementStoreAdminAPI.java | 1 + .../admin/SubscriptionManagementAdminAPI.java | 1 + .../mgt/jaxrs/api/CertificateMgtService.java | 1 + .../CertificateManagementAdminService.java | 5 + .../DeviceManagementConfigService.java | 4 + .../DeviceManagementConfigServiceImpl.java | 15 +- .../config/jaxrs/util/DeviceMgtAPIUtils.java | 16 -- .../api/ActivityInfoProviderService.java | 1 + .../AnalyticsArtifactsManagementService.java | 8 + .../api/ConfigurationManagementService.java | 2 + .../jaxrs/service/api/DeviceAgentService.java | 5 + .../api/DeviceEventManagementService.java | 2 + .../service/api/DeviceManagementService.java | 11 ++ .../api/DeviceTypeManagementService.java | 4 + .../service/api/GeoLocationBasedService.java | 3 + .../service/api/GroupManagementService.java | 14 ++ .../jaxrs/service/api/MetadataService.java | 4 + .../api/NotificationManagementService.java | 2 + .../service/api/PolicyManagementService.java | 10 ++ .../service/api/RemoteSessionService.java | 1 + .../service/api/ReportManagementService.java | 1 + .../service/api/RoleManagementService.java | 8 + .../service/api/UserManagementService.java | 13 ++ .../ApplicationManagementAdminService.java | 2 + ...DeviceAccessAuthorizationAdminService.java | 1 + 
...AnalyticsArtifactUploaderAdminService.java | 1 + .../admin/DeviceManagementAdminService.java | 3 + .../DeviceTypeManagementAdminService.java | 3 + .../admin/GroupManagementAdminService.java | 3 + .../api/admin/UserManagementAdminService.java | 2 + .../mgt/jaxrs/util/DeviceMgtAPIUtils.java | 11 -- .../mgt/common/permission/mgt/Permission.java | 12 +- .../mgt/PermissionManagerService.java | 20 +-- .../mgt/core/DeviceManagementConstants.java | 1 + .../cache/APIResourcePermissionCacheKey.java | 64 ++++++++ .../APIResourcePermissionCacheManager.java | 31 ++++ ...APIResourcePermissionCacheManagerImpl.java | 84 ++++++++++ .../permission/AnnotationProcessor.java | 16 +- .../mgt/core/config/permission/Scope.java | 9 ++ .../WebAppDeploymentLifecycleListener.java | 7 +- .../DeviceManagementServiceComponent.java | 6 +- .../mgt/PermissionManagerServiceImpl.java | 38 ++--- .../mgt/core/util/DeviceManagerUtil.java | 59 ++++++++ .../client/extension/util/JWTClientUtil.java | 22 +-- .../ConfigurationManagementService.java | 1 + .../pom.xml | 48 ++++-- .../AuthenticationFrameworkUtil.java | 2 +- .../framework/WebappAuthenticationValve.java | 34 +---- .../authorizer/MatchingResource.java | 30 ++++ .../authorizer/PermissionAuthorizer.java | 143 ++++++++++++++++++ pom.xml | 4 +- 62 files changed, 794 insertions(+), 161 deletions(-) create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java create mode 100644 
components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/MatchingResource.java create mode 100644 components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.annotations/src/main/java/org/wso2/carbon/apimgt/annotations/api/Scope.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.annotations/src/main/java/org/wso2/carbon/apimgt/annotations/api/Scope.java index 701a6f183c..86d3b8f477 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.annotations/src/main/java/org/wso2/carbon/apimgt/annotations/api/Scope.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.annotations/src/main/java/org/wso2/carbon/apimgt/annotations/api/Scope.java @@ -20,4 +20,6 @@ public @interface Scope { String[] permissions(); + String[] roles(); + } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml index 823bf51d73..b2d4acf3c4 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml @@ -37,7 +37,7 @@ doAuthentication - true + false diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/APIPublisherServiceImpl.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/APIPublisherServiceImpl.java index b1c7769768..a3cc0525a2 100644 
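Review bot: The new `roles()` attribute on `@Scope` has no Javadoc, so nothing tells an API author how it relates to the existing `permissions()`; from the publisher hunks in this patch it appears `roles` becomes the role binding of the published OAuth shared scope while `permissions` remain the webapp-side check, but that is inferred, not stated. Add a doc comment on the attribute once confirmed, e.g. `/** Roles allowed to obtain this scope as an OAuth scope; evaluated at the gateway, independently of {@link #permissions()}. */`. Declaring it without a default also forces every existing `@Scope` usage to name roles, which the annotation hunks in this patch do; that is worth a sentence in the commit description.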
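Review bot: `doAuthentication` flipping from `true` to `false` switches off the authenticator framework's authentication for the whole application-extension API webapp, and neither the commit subject nor the description says why. If the intent is that the API gateway now authenticates callers, the webapp is only safe when it cannot be reached directly on the backend port; if it can, every resource in it becomes anonymous. Please state the rationale in the commit message and next to the parameter, e.g. `<!-- authentication is enforced at the API gateway; this webapp must not be exposed directly -->`, or keep `true` if that assumption does not hold.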
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/APIPublisherServiceImpl.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/APIPublisherServiceImpl.java @@ -18,6 +18,8 @@ */ package org.wso2.carbon.apimgt.webapp.publisher; +import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiScope; +import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiUriTemplate; import org.wso2.carbon.apimgt.api.APIManagementException; import org.wso2.carbon.apimgt.api.APIProvider; import org.wso2.carbon.apimgt.api.FaultGatewaysException; @@ -32,7 +34,6 @@ import org.wso2.carbon.apimgt.api.model.URITemplate; import org.wso2.carbon.apimgt.impl.APIConstants; import org.wso2.carbon.apimgt.impl.APIManagerFactory; import org.wso2.carbon.apimgt.webapp.publisher.config.WebappPublisherConfig; -import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiUriTemplate; import org.wso2.carbon.apimgt.webapp.publisher.exception.APIManagerPublisherException; import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.utils.multitenancy.MultitenantUtils; 
@@ -61,11 +62,26 @@ public class APIPublisherServiceImpl implements APIPublisherService { PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true); PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(apiConfig.getOwner()); + int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(); try { APIProvider apiProvider = API_MANAGER_FACTORY.getAPIProvider(apiConfig.getOwner()); - API api = getAPI(apiConfig); + APIIdentifier apiIdentifier = new APIIdentifier(apiConfig.getOwner(), apiConfig.getName(), apiConfig.getVersion()); + + if (!apiProvider.isAPIAvailable(apiIdentifier)) { - if (!apiProvider.isAPIAvailable(api.getId())) { + // add new scopes as shared scopes + Set allSharedScopeKeys = apiProvider.getAllSharedScopeKeys(tenantDomain); + for (ApiScope apiScope : apiConfig.getScopes()) { + if (!allSharedScopeKeys.contains(apiScope.getKey())) { + Scope scope = new Scope(); + scope.setName(apiScope.getName()); + scope.setDescription(apiScope.getDescription()); + scope.setKey(apiScope.getKey()); + scope.setRoles(apiScope.getRoles()); + apiProvider.addSharedScope(scope, tenantDomain); + } + } + API api = getAPI(apiConfig, true); API createdAPI = apiProvider.addAPI(api); if (CREATED_STATUS.equals(createdAPI.getStatus())) { apiProvider.changeLifeCycleStatus(tenantDomain, createdAPI.getUuid(), PUBLISH_ACTION, null); @@ -73,6 +89,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { apiRevision.setApiUUID(createdAPI.getUuid()); apiRevision.setDescription("Initial Revision"); String apiRevisionId = apiProvider.addAPIRevision(apiRevision, tenantDomain); + APIRevisionDeployment apiRevisionDeployment = new APIRevisionDeployment(); apiRevisionDeployment.setDeployment(API_PUBLISH_ENVIRONMENT); apiRevisionDeployment.setVhost("localhost"); 
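Review bot: The four-line mapping from an `ApiScope` to a `Scope` (name, description, key, roles) is written inline here and three more times in the update branch of this same method; a private helper keeps the mapping in one place so a field added to `ApiScope` later (this patch already adds `permissions`) cannot be copied to some call sites and not others. Each call site then becomes `apiProvider.addSharedScope(toSharedScope(apiScope), tenantDomain);`. The enclosing method continues past the end of this hunk.
```java
/** Maps an annotation-derived ApiScope onto the APIM shared-scope model. */
private static Scope toSharedScope(ApiScope apiScope) {
    Scope scope = new Scope();
    scope.setName(apiScope.getName());
    scope.setDescription(apiScope.getDescription());
    scope.setKey(apiScope.getKey());
    scope.setRoles(apiScope.getRoles());
    return scope;
}
```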
@@ -85,14 +102,83 @@ public class APIPublisherServiceImpl implements APIPublisherService { } } else { if (WebappPublisherConfig.getInstance().isEnabledUpdateApi()) { - API existingAPI = apiProvider.getAPI(api.getId()); + + // With 4.x to 5.x upgrade + // - there cannot be same local scope assigned in 2 different APIs + // - local scopes will be deprecated in the future, so need to move all scopes as shared scopes + + // if an api scope is not available as shared scope, but already assigned as local scope -> that means, the scopes available for this API has not moved as shared scopes + // in order to do that : + // 1. update the same API removing scopes from URI templates + // 2. add scopes as shared scopes + // 3. update the API again adding scopes for the URI Templates + + // if an api scope is not available as shared scope, and not assigned as local scope -> that means, there are new scopes + // 1. add new scopes as shared scopes + // 2. update the API adding scopes for the URI Templates + + Set allSharedScopeKeys = apiProvider.getAllSharedScopeKeys(tenantDomain); + Set scopesToMoveAsSharedScopes = new HashSet<>(); + for (ApiScope apiScope : apiConfig.getScopes()) { + // if the scope is not available as shared scope and it is assigned to an API as a local scope + // need remove the local scope and add as a shared scope + if (!allSharedScopeKeys.contains(apiScope.getKey())) { + if (apiProvider.isScopeKeyAssignedLocally(apiIdentifier, apiScope.getKey(), tenantId)) { + // collect scope to move as shared scopes + scopesToMoveAsSharedScopes.add(apiScope); + } else { + // if new scope add as shared scope + Scope scope = new Scope(); + scope.setName(apiScope.getName()); + scope.setDescription(apiScope.getDescription()); + scope.setKey(apiScope.getKey()); + scope.setRoles(apiScope.getRoles()); + apiProvider.addSharedScope(scope, tenantDomain); + } + } else { + // if already available as shared scope -> update + Scope scope = new Scope(); + 
scope.setName(apiScope.getName()); + scope.setDescription(apiScope.getDescription()); + scope.setKey(apiScope.getKey()); + scope.setRoles(apiScope.getRoles()); + apiProvider.updateSharedScope(scope, tenantDomain); + } + } + + // Get existing API + API existingAPI = apiProvider.getAPI(apiIdentifier); + + if (scopesToMoveAsSharedScopes.size() > 0) { + // update API to remove local scopes + API api = getAPI(apiConfig, false); + api.setStatus(existingAPI.getStatus()); + apiProvider.updateAPI(api); + + for (ApiScope apiScope : scopesToMoveAsSharedScopes) { + Scope scope = new Scope(); + scope.setName(apiScope.getName()); + scope.setDescription(apiScope.getDescription()); + scope.setKey(apiScope.getKey()); + scope.setRoles(apiScope.getRoles()); + apiProvider.addSharedScope(scope, tenantDomain); + } + } + + existingAPI = apiProvider.getAPI(apiIdentifier); + API api = getAPI(apiConfig, true); api.setStatus(existingAPI.getStatus()); apiProvider.updateAPI(api); - if (api.getId().getName().equals(existingAPI.getId().getName()) && - api.getId().getVersion().equals(existingAPI.getId().getVersion())) { - if (CREATED_STATUS.equals(existingAPI.getStatus())) { - apiProvider.changeLifeCycleStatus(tenantDomain, existingAPI.getUuid(), PUBLISH_ACTION, null); - } + + if (CREATED_STATUS.equals(existingAPI.getStatus())) { + apiProvider.changeLifeCycleStatus(tenantDomain, existingAPI.getUuid(), PUBLISH_ACTION, null); + APIRevision apiRevision = new APIRevision(); + apiRevision.setApiUUID(existingAPI.getUuid()); + apiRevision.setDescription("Updated Revision"); + String apiRevisionId = apiProvider.addAPIRevision(apiRevision, tenantDomain); + + List apiRevisionDeploymentList = apiProvider.getAPIRevisionDeploymentList(apiRevisionId); + apiProvider.deployAPIRevision(existingAPI.getUuid(), apiRevisionId, apiRevisionDeploymentList); } } } 
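Review bot: In the `else` branch of the scope loop, `updateSharedScope` unconditionally rewrites the name, description and roles of every shared scope that already exists with the values from the webapp annotation; if this publisher runs on each webapp deployment (it appears to), any role binding an administrator has tightened on a shared scope in the publisher portal is silently reset to the annotated default (`Internal/everyone` throughout this patch) on the next restart. Either update only when the annotation differs from the stored scope, or document the decision at the call: `// NOTE: annotation values overwrite any role binding edited in the admin portal`. Separately, the migration path calls `updateAPI` with scopes stripped and only re-attaches them after `addSharedScope`; a failure in between leaves a published API whose resources carry no scope until the next deployment, so that window deserves a try/catch that logs the API name and re-attempts the second update, or at least a comment. The method runs past both ends of this hunk.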
@@ -105,7 +191,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { } } - private API getAPI(APIConfig config) { + private API getAPI(APIConfig config, boolean includeScopes) { APIIdentifier apiIdentifier = new APIIdentifier(config.getOwner(), config.getName(), config.getVersion()); API api = new API(apiIdentifier); @@ -129,13 +215,15 @@ public class APIPublisherServiceImpl implements APIPublisherService { uriTemplate.setHTTPVerb(apiUriTemplate.getHttpVerb()); uriTemplate.setResourceURI(apiUriTemplate.getResourceURI()); uriTemplate.setUriTemplate(apiUriTemplate.getUriTemplate()); - Scope scope = new Scope(); - if (apiUriTemplate.getScope() != null) { - scope.setName(apiUriTemplate.getScope().getName()); - scope.setDescription(apiUriTemplate.getScope().getDescription()); - scope.setKey(apiUriTemplate.getScope().getKey()); - scope.setRoles(apiUriTemplate.getScope().getRoles()); - uriTemplate.setScope(scope); + if (includeScopes) { + Scope scope = new Scope(); + if (apiUriTemplate.getScope() != null) { + scope.setName(apiUriTemplate.getScope().getName()); + scope.setDescription(apiUriTemplate.getScope().getDescription()); + scope.setKey(apiUriTemplate.getScope().getKey()); + scope.setRoles(apiUriTemplate.getScope().getRoles()); + uriTemplate.setScopes(scope); + } } uriTemplates.add(uriTemplate); } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/dto/ApiScope.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/dto/ApiScope.java index 016dbff37f..5578ea05df 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/dto/ApiScope.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/dto/ApiScope.java 
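Review bot: The new `includeScopes` parameter on `getAPI` changes what gets published without any documentation; a caller passing `false` gets URI templates with no scope at all, which this patch relies on only as a transient state while local scopes are migrated to shared ones. Add a Javadoc to the signature: `@param includeScopes when false the URI templates are built without scopes; intended solely for the intermediate update that detaches local scopes before they are re-added as shared scopes` so nobody reuses it to publish an unscoped API. The remainder of `getAPI` lies outside the two hunks.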
@@ -23,6 +23,7 @@ public class ApiScope { String key; String name; String roles; + String permissions; String description; int id; @@ -61,4 +62,11 @@ public class ApiScope { this.description = description; } + public String getPermissions() { + return permissions; + } + + public void setPermissions(String permissions) { + this.permissions = permissions; + } } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/lifecycle/util/AnnotationProcessor.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/lifecycle/util/AnnotationProcessor.java index 9cac3ca45a..0836018a0c 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/lifecycle/util/AnnotationProcessor.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/lifecycle/util/AnnotationProcessor.java @@ -70,6 +70,7 @@ public class AnnotationProcessor { private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions"; + private static final String SWAGGER_ANNOTATIONS_PROPERTIES_ROLES = "roles"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VERSION = "version"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_CONTEXT = "context"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VALUE = "value"; 
@@ -78,6 +79,7 @@ public class AnnotationProcessor { private static final String DEFAULT_SCOPE_NAME = "default admin scope"; private static final String DEFAULT_SCOPE_KEY = "perm:admin"; private static final String DEFAULT_SCOPE_PERMISSION = "/permision/device-mgt"; + private static final String DEFAULT_SCOPE_ROLE = "admin"; private static final String PERMISSION_PREFIX = "/permission/admin"; @@ -217,8 +219,11 @@ public class AnnotationProcessor { ApiScope scope; String permissions[]; StringBuilder aggregatedPermissions; + String roles[]; + StringBuilder aggregatedRoles; for(int i=0; i permissions) { - PermissionManagerService permissionService = DeviceMgtAPIUtils.getPermissionManagerService(); - org.wso2.carbon.device.mgt.common.permission.mgt.Permission permission = new org - .wso2.carbon.device.mgt.common.permission.mgt.Permission(); +// PermissionManagerService permissionService = DeviceMgtAPIUtils.getPermissionManagerService(); +// org.wso2.carbon.device.mgt.common.permission.mgt.Permission permission = new org +// .wso2.carbon.device.mgt.common.permission.mgt.Permission(); for (String path : permissions) { - permission.setPath(path); - permission.setUrl(path); +// permission.setPath(path); +// permission.setUrl(path); try { - permissionService.addPermission(permission); + PermissionUtils.putPermission(path); +// permissionService.addPermission(permission); } catch (PermissionManagementException e) { String msg = "Error occurred adding permission"; log.error(msg, e); diff --git a/components/device-mgt/io.entgra.carbon.device.mgt.config.api/src/main/java/io/entgra/carbon/device/mgt/config/jaxrs/util/DeviceMgtAPIUtils.java b/components/device-mgt/io.entgra.carbon.device.mgt.config.api/src/main/java/io/entgra/carbon/device/mgt/config/jaxrs/util/DeviceMgtAPIUtils.java index 96ef7c0cbc..cf098c6edc 100644 --- a/components/device-mgt/io.entgra.carbon.device.mgt.config.api/src/main/java/io/entgra/carbon/device/mgt/config/jaxrs/util/DeviceMgtAPIUtils.java 
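Review bot: The new `DEFAULT_SCOPE_ROLE = "admin"` sits next to the pre-existing `DEFAULT_SCOPE_PERMISSION = "/permision/device-mgt"`, which is misspelled (`permision`) and therefore presumably names a permission path that is never registered; if the default admin scope is still built from these constants, its permission check cannot match anything. Since this patch reworks exactly these defaults, it is the moment to fix it, `private static final String DEFAULT_SCOPE_PERMISSION = "/permission/device-mgt";`, after checking nothing depends on the misspelled path. A one-line comment on why the fallback role is `admin` while every annotated scope in this patch uses `Internal/everyone` would also help the next reader.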
+++ b/components/device-mgt/io.entgra.carbon.device.mgt.config.api/src/main/java/io/entgra/carbon/device/mgt/config/jaxrs/util/DeviceMgtAPIUtils.java @@ -21,7 +21,6 @@ package io.entgra.carbon.device.mgt.config.jaxrs.util; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.context.PrivilegedCarbonContext; -import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.user.core.service.RealmService; @@ -33,7 +32,6 @@ public class DeviceMgtAPIUtils { private static final Log log = LogFactory.getLog(DeviceMgtAPIUtils.class); private static DeviceManagementProviderService deviceManagementProviderService = null; - private static PermissionManagerService permissionManagerService = null; private static RealmService realmService = null; public static DeviceManagementProviderService getDeviceManagementService() { @@ -50,20 +48,6 @@ public class DeviceMgtAPIUtils { return deviceManagementProviderService; } - public static PermissionManagerService getPermissionManagerService() { - if (permissionManagerService == null) { - PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); - permissionManagerService = - (PermissionManagerService) ctx.getOSGiService(PermissionManagerService.class, null); - if (permissionManagerService == null) { - String msg = "Permission Management provider service has not initialized."; - log.error(msg); - throw new IllegalStateException(msg); - } - } - return permissionManagerService; - } - public static RealmService getRealmService() { if (realmService == null) { PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java
index 18241eab75..4219f6b669 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java
@@ -76,6 +76,7 @@ import javax.ws.rs.core.Response;
 name = "Get activities",
 description = "Get activities",
 key = "perm:get-activity",
+ roles = {"Internal/everyone"},
 permissions = {"/device-mgt/devices/owning-device/view"}
 )
 }
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/AnalyticsArtifactsManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/AnalyticsArtifactsManagementService.java
index 9ff8ecc44d..b6783010ac 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/AnalyticsArtifactsManagementService.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/AnalyticsArtifactsManagementService.java
@@ -68,41 +68,49 @@ import javax.ws.rs.core.Response; name = "Create Event Stream Artifact", description = "Create Event Stream Artifact", key = "perm:analytics:artifacts:stream", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/stream/add"}), @Scope( name = "Delete Stream Artifact", description = "Delete Stream Artifact", key = "perm:analytics:artifacts:stream:delete", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/stream/delete"}), @Scope( name = "Create Event Receiver Artifact", description = "Create Event Receiver Artifact", key = "perm:analytics:artifacts:receiver", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/receiver/add"}), @Scope( name = "Delete Receiver Artifact", description = "Delete Receiver Artifact", key = "perm:analytics:artifacts:receiver:delete", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/receiver/delete"}), @Scope( name = "Create Event Publisher Artifact", description = "Create Event Publisher Artifact", key = "perm:analytics:artifacts:publisher", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/publisher/add"}), @Scope( name = "Delete Publisher Artifact", description = "Delete Publisher Artifact", key = "perm:analytics:artifacts:publisher:delete", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/publisher/delete"}), @Scope( name = "Create Siddhi Script Artifact", description = "Create Siddhi Script Artifact", key = "perm:analytics:artifacts:siddhi", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/siddhi-script/add"}), @Scope( name = "Delete Siddhi Script Artifact", description = "Delete Siddhi Script Artifact", key = "perm:analytics:artifacts:siddhi:delete", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/analytics/artifacts/siddhi-script/delete"}) } ) 
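Review bot: All eight analytics-artifact scopes, including the four `*:delete` ones, are bound to `Internal/everyone`, which in Carbon is the role every authenticated user carries, so the OAuth scope itself no longer restricts who may delete stream, receiver, publisher or Siddhi artifacts. That is defensible only if the `permissions` entries are enforced on every request by the webapp-side authorizer this patch introduces (not in this chunk); if they are, write the design down once where the scopes are declared, e.g. `// roles gate token issuance at the gateway; the permission below is the effective authorization check`. If deletion was meant to stay administrative, bind those four scopes to an admin role instead.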
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ConfigurationManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ConfigurationManagementService.java
index ce744e42bb..92e1f9a473 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ConfigurationManagementService.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ConfigurationManagementService.java
@@ -69,12 +69,14 @@ import javax.ws.rs.core.Response;
 name = "View configurations",
 description = "",
 key = "perm:view-configuration",
+ roles = {"Internal/everyone"},
 permissions = {"/device-mgt/platform-configurations/view"}
 ),
 @Scope(
 name = "Manage configurations",
 description = "",
 key = "perm:manage-configuration",
+ roles = {"Internal/everyone"},
 permissions = {"/device-mgt/platform-configurations/manage"}
 )
 }
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceAgentService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceAgentService.java
index 0cf94395f7..66d8da7eab 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceAgentService.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceAgentService.java
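Review bot: `perm:manage-configuration` (platform-wide configuration changes) is bound to `Internal/everyone` in the second `@Scope`, the same role as the read-only `perm:view-configuration`; granting the manage scope to every authenticated user leaves the `/device-mgt/platform-configurations/manage` permission as the only thing between a regular user and tenant configuration. Confirm that permission is checked for this resource by the webapp authorizer and is not part of a default user role; otherwise bind the scope to an administrative role, e.g. `roles = {"admin"}`, which is the value this patch uses for the publisher's default scope.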
@@ -77,30 +77,35 @@ import java.util.Map; name = "Enroll Device", description = "Register a device", key = "perm:device:enroll", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/add"} ), @Scope( name = "Modify Device", description = "Modify a device", key = "perm:device:modify", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/modify"} ), @Scope( name = "Disenroll Device", description = "Disenroll a device", key = "perm:device:disenroll", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/remove"} ), @Scope( name = "Publish Event", description = "publish device event", key = "perm:device:publish-event", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/event"} ), @Scope( name = "Getting Device Operation Details", description = "Getting Device Operation Details", key = "perm:device:operations", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceEventManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceEventManagementService.java index 205f1b8ee2..2f91595d38 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceEventManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceEventManagementService.java 
@@ -51,12 +51,14 @@ import javax.ws.rs.core.Response; name = "Add or Delete Event Definition for device type", description = "Add or Delete Event Definition for device type", key = "perm:device-types:events", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/device-type/add"} ), @Scope( name = "Get Events Details of a Device Type", description = "Get Events Details of a Device Type", key = "perm:device-types:events:view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java index 01145b05ec..075061a253 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java 
@@ -107,66 +107,77 @@ import java.util.List; name = "Getting Details of Registered Devices", description = "Getting Details of Registered Devices", key = "perm:devices:view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Getting Details of a Device", description = "Getting Details of a Device", key = "perm:devices:details", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Update the device specified by device id", description = "Update the device specified by device id", key = "perm:devices:update", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Delete the device specified by device id", description = "Delete the device specified by device id", key = "perm:devices:delete", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Getting Feature Details of a Device", description = "Getting Feature Details of a Device", key = "perm:devices:features", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Advanced Search for Devices", description = "Advanced Search for Devices", key = "perm:devices:search", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Getting Installed Application Details of a Device", description = "Getting Installed Application Details of a Device", key = "perm:devices:applications", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Getting Device Operation Details", description = "Getting Device Operation Details", key = "perm:devices:operations", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Get the details of the policy that is enforced on a device.", description = "Get the 
details of the policy that is enforced on a device.", key = "perm:devices:effective-policy", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Getting Policy Compliance Details of a Device", description = "Getting Policy Compliance Details of a Device", key = "perm:devices:compliance-data", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Change device status.", description = "Change device status.", key = "perm:devices:change-status", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/change-status"} ), } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceTypeManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceTypeManagementService.java index c328433596..0d9adb0197 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceTypeManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceTypeManagementService.java 
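Review bot: `perm:devices:delete`, `perm:devices:update` and `perm:devices:change-status` are all bound to `Internal/everyone`, and the first two still carry only `/device-mgt/devices/owning-device/view` as their permission (unchanged context lines), so with the role widened to everyone the remaining check for deleting or updating a device is a view permission. Unless the resource implementation enforces ownership itself (not visible here), either bind these write scopes to a narrower role or give them write permissions, e.g. `permissions = {"/device-mgt/devices/owning-device/remove"}` for delete, matching `perm:device:disenroll` in DeviceAgentService. `perm:devices:change-status` has its own permission and is fine as written provided that permission is not in a default user role.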
@@ -87,24 +87,28 @@ import javax.ws.rs.core.Response;
 name = "Getting the Supported Device Platforms",
 description = "Getting the Supported Device Platforms",
 key = "perm:device-types:types",
+ roles = {"Internal/everyone"},
 permissions = {"/device-mgt/device-type/view"}
 ),
 @Scope(
 name = "Get Feature Details of a Device Type",
 description = "Get Feature Details of a Device Type",
 key = "perm:device-types:features",
+ roles = {"Internal/everyone"},
 permissions = {"/device-mgt/device-type/features/view"}
 ),
 @Scope(
 name = "Get Config Details of a Device Type",
 description = "Get Config Details of a Device Type",
 key = "perm:device-types:configs",
+ roles = {"Internal/everyone"},
 permissions = {"/device-mgt/device-type/config/view"}
 ),
 @Scope(
 name = "Getting Details of Policies",
 description = "Getting Details of Policies",
 key = "perm:policies:get-details",
+ roles = {"Internal/everyone"},
 permissions = {"/device-mgt/policies/view"}
 )
 }
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GeoLocationBasedService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GeoLocationBasedService.java
index a0cd0854c4..775f5c9e82 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GeoLocationBasedService.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GeoLocationBasedService.java
@@ -73,18 +73,21 @@ import java.util.List; name = "View Analytics", description = "", key = "perm:geo-service:analytics-view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view-analytics"} ), @Scope( name = "Manage Alerts", description = "", key = "perm:geo-service:alerts-manage", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/manage-alerts"} ), @Scope( name = "Manage Geo Fences", description = "", key = "perm:geo-service:geo-fence", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/manage-geo-fence"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GroupManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GroupManagementService.java index f61d212493..0d90f3dfd4 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GroupManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GroupManagementService.java 
@@ -82,84 +82,98 @@ import java.util.List; name = "Get the list of groups belongs to current user.", description = "Get the list of groups belongs to current user.", key = "perm:groups:groups", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/view"} ), @Scope( name = "Get the count of groups belongs to current user.", description = "Get the count of groups belongs to current user.", key = "perm:groups:count", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/view"} ), @Scope( name = "Add new device group to the system.", description = "Add new device group to the system.", key = "perm:groups:add", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/add"} ), @Scope( name = "View group specified", description = "View group specified", key = "perm:groups:groups-view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/view"} ), @Scope( name = "Update a group", description = "Update a group", key = "perm:groups:update", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/update"} ), @Scope( name = "Delete a group", description = "Delete a group", key = "perm:groups:remove", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/remove"} ), @Scope( name = "Manage group sharing with a user", description = "Manage group sharing with a user", key = "perm:groups:share", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/share"} ), @Scope( name = "View list of roles of a device group", description = "View list of roles of a device group", key = "perm:groups:roles", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/roles/view"} ), @Scope( name = "View list of devices in the device group", description = "View list of devices in the device group", key = "perm:groups:devices", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/devices/view"} ), @Scope( name = "View list of device count in the device group", description = "View 
list of device count in the device group", key = "perm:groups:devices-count", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/devices/view"} ), @Scope( name = "Add devices to group", description = "Add devices to group", key = "perm:groups:devices-add", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/devices/add"} ), @Scope( name = "Remove devices from group", description = "Remove devices from group", key = "perm:groups:devices-remove", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/devices/remove"} ), @Scope( name = "Assign devices to groups", description = "Assign devices to groups", key = "perm:groups:assign", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/devices/add"} ), @Scope( name = "List of groups that have the device", description = "List of groups that have the device", key = "perm:groups:device", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/groups/devices/view"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/MetadataService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/MetadataService.java index 3a22364ed5..7f6ab365df 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/MetadataService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/MetadataService.java 
@@ -73,24 +73,28 @@ import javax.ws.rs.core.Response; name = "View metadata records", description = "View metadata records", key = "perm:metadata:view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/metadata/view"} ), @Scope( name = "Create a metadata record", description = "Create a metadata record", key = "perm:metadata:create", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/metadata/create"} ), @Scope( name = "Update a metadata record", description = "Updating a specified metadata record", key = "perm:metadata:update", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/metadata/update"} ), @Scope( name = "Delete a metadata record", description = "Delete a specified metadata record", key = "perm:metadata:remove", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/metadata/remove"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java index 71d173c11f..9d36d1067f 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java 
@@ -73,12 +73,14 @@ import javax.ws.rs.core.Response; name = "Getting All Device Notification Details", description = "Getting All Device Notification Details", key = "perm:notifications:view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/notifications/view"} ), @Scope( name = "Updating the Device Notification Status", description = "Updating the Device Notification Status", key = "perm:notifications:mark-checked", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/notifications/view"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java index 607a4a8ef0..4db3de0ab5 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java 
@@ -79,60 +79,70 @@ import java.util.List; name = "Adding a Policy", description = "Adding a Policy", key = "perm:policies:manage", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/manage"} ), @Scope( name = "Getting Details of Policies", description = "Getting Details of Policies", key = "perm:policies:get-details", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/view"} ), @Scope( name = "Getting Details of a Policy", description = "Getting Details of a Policy", key = "perm:policies:get-policy-details", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/view"} ), @Scope( name = "Updating a Policy", description = "Updating a Policy", key = "perm:policies:update", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/manage"} ), @Scope( name = "Removing Multiple Policies", description = "Removing Multiple Policies", key = "perm:policies:remove", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/manage"} ), @Scope( name = "Activating Policies", description = "Activating Policies", key = "perm:policies:activate", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/manage"} ), @Scope( name = "Deactivating Policies", description = "Deactivating Policies", key = "perm:policies:deactivate", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/manage"} ), @Scope( name = "Applying Changes on Policies", description = "Applying Changes on Policies", key = "perm:policies:changes", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/manage"} ), @Scope( name = "Updating the Policy Priorities", description = "Updating the Policy Priorities", key = "perm:policies:priorities", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/policies/manage"} ), @Scope( name = "Fetching the Effective Policy", description = "Fetching the Effective Policy", key = "perm:policies:effective-policy", + roles = {"Internal/everyone"}, permissions 
= {"/device-mgt/policies/view"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RemoteSessionService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RemoteSessionService.java index 9717ce1c27..f52a9f1aa7 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RemoteSessionService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RemoteSessionService.java @@ -61,6 +61,7 @@ import javax.ws.rs.core.Response; name = "Remote Session Connection", description = "", key = "perm:remote-session-service:connect", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/remote-session"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ReportManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ReportManagementService.java index 3f1f88a6c6..41364f8afd 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ReportManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ReportManagementService.java @@ -66,6 +66,7 @@ import java.util.List; name = "Getting Details of Registered Devices", description = "Getting Details of Registered Devices", key = "perm:devices:view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), } 
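Review bot: Binding `roles = {"Internal/everyone"}` to the mutating policy scopes in this hunk (`perm:policies:manage`, `perm:policies:update`, `perm:policies:remove`, `perm:policies:activate`, `perm:policies:deactivate`, `perm:policies:priorities`) makes every authenticated user eligible for scopes that change device policy, whereas the admin services in the same commit use `roles = {"admin"}`; the same pattern appears in the RoleManagementService hunk (`perm:roles:add`, `perm:roles:update`, `perm:roles:delete`, `perm:roles:add-users`) and the UserManagementService hunk (`perm:users:add`, `perm:users:update`, `perm:users:delete`). If, as the admin hunks suggest, `roles` is the set of roles allowed to obtain a scope, the `permissions` entry becomes the only thing separating a read-only user from policy, role and user administration, and since this commit also removes `getPermissionManagerService()` from DeviceMgtAPIUtils it is not visible here whether that permission check still runs. Consider keeping `Internal/everyone` for the view scopes only and binding the mutating scopes to a narrower role (the `admin` role already used by the admin services, or whichever management role the deployment defines), or add a comment on the annotation stating why everyone is intended. The enclosing `@Scopes` annotation opens above the hunk.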
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RoleManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RoleManagementService.java index ebc4c49984..d3cbb88469 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RoleManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RoleManagementService.java 
@@ -53,48 +53,56 @@ import java.util.List; name = "Getting the List of Roles", description = "Getting the List of Roles", key = "perm:roles:view", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/view"} ), @Scope( name = "Getting Permission Details of a Role", description = "Getting Permission Details of a Role", key = "perm:roles:permissions", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/view"} ), @Scope( name = "Getting the List of Roles", description = "Getting the List of Roles", key = "perm:roles:details", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/view"} ), @Scope( name = "Adding a Role", description = "Adding a Role", key = "perm:roles:add", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/manage"} ), @Scope( name = "Adding a combined Role", description = "Adding a combined Role", key = "perm:roles:create-combined-role", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/manage"} ), @Scope( name = "Updating Role Details", description = "Updating Role Details", key = "perm:roles:update", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/manage"} ), @Scope( name = "Deleting a Role", description = "Deleting a Role", key = "perm:roles:delete", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/manage"} ), @Scope( name = "Adding Users to a Role", description = "Adding Users to a Role", key = "perm:roles:add-users", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/roles/manage"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/UserManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/UserManagementService.java index 5e580f6a06..5be208a448 100644 
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/UserManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/UserManagementService.java 
@@ -97,78 +97,91 @@ import javax.ws.rs.core.Response; name = "Adding a User", description = "Adding a User", key = "perm:users:add", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/manage"} ), @Scope( name = "Getting Details of a User", description = "Getting Details of a User", key = "perm:users:details", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/view"} ), @Scope( name = "Updating Details of a User", description = "Updating Details of a User", key = "perm:users:update", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/manage"} ), @Scope( name = "Deleting a User", description = "Deleting a User", key = "perm:users:delete", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/manage"} ), @Scope( name = "Getting the Role Details of a User", description = "Getting the Role Details of a User", key = "perm:users:roles", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/view"} ), @Scope( name = "Getting Details of Users", description = "Getting Details of Users", key = "perm:users:user-details", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/view"} ), @Scope( name = "Getting the User Count", description = "Getting the User Count", key = "perm:users:count", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/view"} ), @Scope( name = "Getting the User existence status", description = "Getting the User existence status", key = "perm:users:is-exist", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/view"} ), @Scope( name = "Searching for a User Name", description = "Searching for a User Name", key = "perm:users:search", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/view"} ), @Scope( name = "Changing the User Password", description = "Adding a User", key = "perm:users:credentials", + roles = {"Internal/everyone"}, permissions = {"/login"} ), @Scope( name = "Sending Enrollment Invitations to Users", description = 
"Sending Enrollment Invitations to Users", key = "perm:users:send-invitation", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/users/manage"} ), @Scope( name = "Get activities", description = "Get activities", key = "perm:get-activity", + roles = {"Internal/everyone"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Getting the Permissions of the User", description = "Getting the Permissions of the User", key = "perm:user:permission-view", + roles = {"Internal/everyone"}, permissions = {"/login"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/ApplicationManagementAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/ApplicationManagementAdminService.java index 92c42bfb3b..2ff9bf9783 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/ApplicationManagementAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/ApplicationManagementAdminService.java @@ -67,12 +67,14 @@ import javax.ws.rs.core.Response; name = "Installing an Application (Internal API)", description = "Installing an Application (Internal API)", key = "perm:applications:install", + roles = {"admin"}, permissions = {"/device-mgt/applications/manage"} ), @Scope( name = "Uninstalling an Application (Internal API)", description = "Uninstalling an Application (Internal API)", key = "perm:applications:uninstall", + roles = {"admin"}, permissions = {"/device-mgt/applications/manage"} ) } 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java index 6a4b12d72e..cb23896ea4 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java @@ -67,6 +67,7 @@ import javax.ws.rs.core.Response; name = "Verify device authorization", description = "Verify device authorization", key = "perm:authorization:verify", + roles = {"admin"}, permissions = {"/device-mgt/authorization/verify"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAnalyticsArtifactUploaderAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAnalyticsArtifactUploaderAdminService.java index 94220ef8cd..8722e0cae0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAnalyticsArtifactUploaderAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAnalyticsArtifactUploaderAdminService.java @@ -57,6 +57,7 @@ import javax.ws.rs.core.Response; name = "Devicetype deployment", description = "Deploy devicetype", key = "perm:devicetype:deployment", + roles = {"admin"}, permissions = {"/device-mgt/devicetype/deploy"} ) } 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java index a5d8adf59c..eb4b10fc41 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java @@ -94,18 +94,21 @@ import java.util.List; name = "Getting Details of a Device", description = "Getting Details of a Device", key = "perm:admin:devices:view", + roles = {"admin"}, permissions = {"/device-mgt/devices/owning-device/view"} ), @Scope( name = "Update the Device Owner", description = "Update the ownership of the device", key = "perm:admin:devices:update-enrollment", + roles = {"admin"}, permissions = {"/device-mgt/admin/devices/update-enrollment"} ), @Scope( name = "Permanently Delete the device specified by device id", description = "Permanently Delete the device specified by device id", key = "perm:devices:permanent-delete", + roles = {"admin"}, permissions = {"/device-mgt/admin/devices/permanent-delete"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceTypeManagementAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceTypeManagementAdminService.java index 899f84ec70..17224c605e 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceTypeManagementAdminService.java 
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceTypeManagementAdminService.java @@ -92,18 +92,21 @@ import javax.ws.rs.core.Response; name = "Manage a Device Type", description = "Add, Edit or View a Device Type", key = "perm:admin:device-type", + roles = {"admin"}, permissions = {"/device-mgt/admin/device-type"} ), @Scope( name = "Getting Details of a Device Type", description = "Getting Details of a Device Type", key = "perm:admin:device-type:view", + roles = {"admin"}, permissions = {"/device-mgt/admin/device-type/view"} ), @Scope( name = "Add Device Type Config", description = "Add Platform Config of a Device Type", key = "perm:admin:device-type:configs", + roles = {"admin"}, permissions = {"/device-mgt/admin/device-type/config"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/GroupManagementAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/GroupManagementAdminService.java index f631b1dc51..30f2da5714 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/GroupManagementAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/GroupManagementAdminService.java @@ -70,18 +70,21 @@ import javax.ws.rs.core.Response; name = "View groups", description = "", key = "perm:admin-groups:view", + roles = {"admin"}, permissions = {"/device-mgt/admin/groups/view"} ), @Scope( name = "Count groups", description = "", key = "perm:admin-groups:count", + roles = {"admin"}, permissions = {"/device-mgt/admin/groups/view"} ), @Scope( name = "Add groups", description = "", key = "perm:admin-groups:add", + roles = {"admin"}, permissions = {"/device-mgt/admin/groups/add"} ) } 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java index bbe64367c4..9dbfbbc6f8 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java @@ -53,12 +53,14 @@ import javax.ws.rs.core.Response; name = "View Users", description = "View Users", key = "perm:admin-users:view", + roles = {"admin"}, permissions = {"/device-mgt/users/manage"} ), @Scope( name = "Delete Users Device Information", description = "Delete users device details", key = "perm:admin-users:remove", + roles = {"admin"}, permissions = {"/device-mgt/users/manage"} ) } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java index 49a734cdee..4f45ea3980 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java 
@@ -74,7 +74,6 @@ import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService; import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementService; import org.wso2.carbon.device.mgt.common.operation.mgt.Operation; -import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService; import org.wso2.carbon.device.mgt.common.report.mgt.ReportManagementService; import org.wso2.carbon.device.mgt.common.spi.DeviceTypeGeneratorService; import org.wso2.carbon.device.mgt.common.spi.OTPManagementService; @@ -549,16 +548,6 @@ public class DeviceMgtAPIUtils { return searchManagerService; } - public static PermissionManagerService getPermissionManagerService() { - PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); - PermissionManagerService PermissionManagerService = - (PermissionManagerService) ctx.getOSGiService(PermissionManagerService.class, null); - if (PermissionManagerService == null) { - throw new IllegalStateException("Permission manager service is not initialized."); - } - return PermissionManagerService; - } - public static GeoLocationProviderService getGeoService() { PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); GeoLocationProviderService diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/Permission.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/Permission.java index ff194a7b86..241d8039e3 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/Permission.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/Permission.java 
@@ -18,9 +18,6 @@ package org.wso2.carbon.device.mgt.common.permission.mgt; -import javax.xml.bind.annotation.XmlElement; -import javax.xml.bind.annotation.XmlRootElement; - /** * This class represents the information related to permission. */ @@ -30,6 +27,7 @@ public class Permission { private String path; // permission string private String url; // url of the resource private String method; // http method + private String urlPattern; public String getUrl() { return url; @@ -62,4 +60,12 @@ public class Permission { public void setPath(String path) { this.path = path; } + + public String getUrlPattern() { + return urlPattern; + } + + public void setUrlPattern(String urlPattern) { + this.urlPattern = urlPattern; + } } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/PermissionManagerService.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/PermissionManagerService.java index 68b81a9de4..2c765c6824 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/PermissionManagerService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/PermissionManagerService.java @@ -18,7 +18,7 @@ package org.wso2.carbon.device.mgt.common.permission.mgt; -import java.util.Properties; +import java.util.List; /** * This represents the Permission management functionality which should be implemented by 
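Review bot: The new `urlPattern` field in `Permission` is the only field without the trailing explanatory comment its siblings carry (`// permission string`, `// url of the resource`, `// http method`), and nothing in the hunk says how it differs from the existing `url`. Suggest `private String urlPattern; // URL pattern the resource is matched against — TODO confirm how this differs from url`, with the wording adjusted to the actual semantics once confirmed. The getter and setter added in the following hunk would benefit from a one-line Javadoc carrying the same explanation.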
@@ -26,22 +26,8 @@ import java.util.Properties; */ public interface PermissionManagerService { - /** - * Adds a permission. - * - * @param permission - Permission to be added - * @return A boolean indicating the status of the operation. - * @throws PermissionManagementException If some unusual behaviour is observed while adding the permission. - */ - boolean addPermission(Permission permission) throws PermissionManagementException; + boolean addPermission(String context, List permissions) throws PermissionManagementException; - /** - * Fetches a given permission. - * - * @param properties - Properties of the permission to be fetched. - * @return The matched Permission object. - * @throws PermissionManagementException If some unusual behaviour is observed while fetching the permission. - */ - Permission getPermission(Properties properties) throws PermissionManagementException; + List getPermission(String context) throws PermissionManagementException; } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementConstants.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementConstants.java index f29afccfcf..1d0f581451 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementConstants.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementConstants.java 
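Review bot: Both new signatures use raw `List` (`addPermission(String context, List permissions)` and `List getPermission(String context)`), so implementers and callers lose the element type and get unchecked warnings; `Permission` lives in the same package, so `boolean addPermission(String context, List<Permission> permissions) throws PermissionManagementException;` and `List<Permission> getPermission(String context) throws PermissionManagementException;` cost nothing. The hunk also removes the Javadoc of both methods without replacing it, so what `context` denotes and whether `getPermission` returns an empty list or null for an unknown context are now undocumented; a short Javadoc on each method should state both, since callers will branch on that result when authorizing requests. The interface body is fully within the hunk.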
@@ -42,6 +42,7 @@ public final class DeviceManagementConstants { public static final String DM_CACHE_MANAGER = "DM_CACHE_MANAGER"; public static final String DEVICE_CACHE = "DEVICE_CACHE"; + public static final String API_RESOURCE_PERMISSION_CACHE = "API_RESOURCE_CACHE_CACHE"; public static final String GEOFENCE_CACHE = "GEOFENCE_CACHE"; public static final String ENROLLMENT_NOTIFICATION_API_ENDPOINT = "/api/device-mgt/enrollment-notification"; public static final String URL_SEPERATOR = "/"; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java new file mode 100644 index 0000000000..2db061a6d0 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java 
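Review bot: The value `"API_RESOURCE_CACHE_CACHE"` assigned to `API_RESOURCE_PERMISSION_CACHE` does not follow the sibling constants, whose values mirror their names (`DEVICE_CACHE`, `GEOFENCE_CACHE`), and the doubled "CACHE" reads as a typo. If the cache name is only consumed through this constant, `public static final String API_RESOURCE_PERMISSION_CACHE = "API_RESOURCE_PERMISSION_CACHE";` keeps it consistent; if any configuration already references the literal name (for example per-cache settings keyed by name), that reference would have to change as well, which is not visible here.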
@@ -0,0 +1,64 @@ +/* + * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.carbon.device.mgt.core.cache; + +import java.util.Objects; + +public class APIResourcePermissionCacheKey { + + private String context; + private volatile int hashCode; + + public APIResourcePermissionCacheKey(String context) { + this.context = context; + } + + + public String getContext() { + return context; + } + + public void setContext(String context) { + this.context = context; + } + + @Override + public boolean equals(Object obj) { + if (obj == null) { + return false; + } + if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) { + return false; + } + final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj; + String thisId = this.context; + String otherId = other.context; + if (!thisId.equals(otherId)) { + return false; + } + return true; + } + + @Override + public int hashCode() { + if (hashCode == 0) { + hashCode = Objects.hash(context); + } + return hashCode; + } +} 
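Review bot: `equals` and `hashCode` can disagree in this key class: `hashCode` caches its value on first call, but `setContext` can change `context` afterwards, so a mutated key keeps the old hash while `equals` uses the new context; for a cache key the field should be final and the setter dropped (or the cache cleared in the setter). `equals` also dereferences `this.context` without a null check and uses `isAssignableFrom`, which is asymmetric for subclasses; the whole method can be `return obj instanceof APIResourcePermissionCacheKey && Objects.equals(context, ((APIResourcePermissionCacheKey) obj).context);`. A short class Javadoc stating that the key identifies a webapp context path in the permission cache would also help, since the class has none.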
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java new file mode 100644 index 0000000000..4dac439cc4 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.carbon.device.mgt.core.cache; + +import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; + +import java.util.List; + +public interface APIResourcePermissionCacheManager { + + void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List permissions); + + void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List permissions); + + List getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey); +} 
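Review bot: The interface method is named `getAPIResourceRermissionFromCache` ("Rermission"), and the typo is now baked into the implementation in APIResourcePermissionCacheManagerImpl and the caller in PermissionManagerServiceImpl, so it should be corrected here before other bundles depend on it: `List<Permission> getAPIResourcePermissionFromCache(APIResourcePermissionCacheKey cacheKey);` with the two other sites renamed to match. The interface also has no Javadoc; a one-liner per method saying what is stored (the permissions registered for one webapp context) and that the getter returns null on a miss would document the contract the authorizer relies on.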
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java new file mode 100644 index 0000000000..3b08a8d8b2 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java 
@@ -0,0 +1,84 @@ +/* + * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.carbon.device.mgt.core.cache.impl; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; +import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey; +import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager; +import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil; + +import javax.cache.Cache; +import java.util.List; + +public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager { + + + private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class); + + private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager; + + private APIResourcePermissionCacheManagerImpl() { + } + + public static APIResourcePermissionCacheManagerImpl getInstance() { + if (apiResourceCacgeManager == null) { + synchronized (APIResourcePermissionCacheManagerImpl.class) { + if (apiResourceCacgeManager == null) { + apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl(); + } + } + } + return apiResourceCacgeManager; + } + + + @Override + public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List permissions) { + 
Cache> lCache = DeviceManagerUtil.getAPIResourcePermissionCache(); + if (lCache != null) { + if (lCache.containsKey(cacheKey)) { + this.updateAPIResourcePermissionInCache(cacheKey, permissions); + } else { + lCache.put(cacheKey, permissions); + } + } + } + + @Override + public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List permissions) { + + Cache> lCache = DeviceManagerUtil.getAPIResourcePermissionCache(); + if (lCache != null) { + if (lCache.containsKey(cacheKey)) { + lCache.replace(cacheKey, permissions); + } + } + + } + + @Override + public List getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) { + Cache> lCache = DeviceManagerUtil.getAPIResourcePermissionCache(); + if (lCache != null) { + return lCache.get(cacheKey); + } + return null; + } +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/AnnotationProcessor.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/AnnotationProcessor.java index d6a6a84118..e60b14eee9 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/AnnotationProcessor.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/AnnotationProcessor.java 
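Review bot: `getInstance()` uses double-checked locking on `apiResourceCacgeManager`, but the field is not `volatile`, so the unsynchronized first read is not safe under the Java memory model; declare it `private static volatile APIResourcePermissionCacheManagerImpl apiResourceCacheManager;` (which also fixes the spelling). In `addAPIResourcePermissionToCache` the `containsKey` check followed by `updateAPIResourcePermissionInCache` is a non-atomic check-then-act that gains nothing over `lCache.put(cacheKey, permissions)`, which overwrites an existing entry anyway, and in `updateAPIResourcePermissionInCache` the `containsKey` guard is redundant with `replace`, which is a no-op for an absent key. The Javadoc-less getter returning null when the cache is unavailable should at least carry a comment, since that null becomes "no permissions" for the webapp context downstream.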
@@ -67,6 +67,7 @@ public class AnnotationProcessor { private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions"; + private static final String SWAGGER_ANNOTATIONS_PROPERTIES_ROLES = "roles"; private static final String ANNOTATIONS_SCOPES = "scopes"; private static final String ANNOTATIONS_SCOPE = "scope"; private static final String DEFAULT_PERM_NAME = "default"; @@ -239,6 +240,7 @@ public class AnnotationProcessor { subCtx = makeContextURLReady(resourceRootContext) + makeContextURLReady(subCtx); } permission.setUrl(replaceDynamicPathVariables(subCtx)); + permission.setUrlPattern(permission.getUrl().replace("*", "[a-zA-Z0-9-_]+")); String httpMethod; for (int i = 0; i < annotations.length; i++) { httpMethod = getHTTPMethodAnnotation(annotations[i]); @@ -398,7 +400,7 @@ public class AnnotationProcessor { if (scope != null) { permission.setName(scope.getName()); //TODO: currently permission tree supports only adding one permission per API point. - permission.setPath(scope.getRoles().split(" ")[0]); + permission.setPath(scope.getPermissions().split(" ")[0]); } else { log.warn("No Scope mapping is done for scope key: " + scopeKey); permission.setName(DEFAULT_PERM_NAME); 
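Review bot: In the second hunk, `permission.getUrl().replace("*", "[a-zA-Z0-9-_]+")` turns a URL into a regex by substituting only `*`, so any other regex metacharacter in the URL (a `.` for instance) stays unescaped, and the chosen character class excludes characters that legitimately appear in path variables (`.`, `%`, `@`, `:`), so such requests will match no resource pattern at all; whether that outcome is denied or falls through depends on the authorizer, which is outside this hunk and should be checked. A safer construction is `permission.setUrlPattern(Pattern.quote(permission.getUrl()).replace("*", "\\E[a-zA-Z0-9-_]+\\Q"));`, which escapes the literal parts. Wherever the pattern is consumed it should be matched anchored (`Matcher.matches()` rather than `find()`), otherwise a pattern for one resource can match a longer URL that merely contains it; I cannot confirm from this diff which is used.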
@@ -420,8 +422,11 @@ public class AnnotationProcessor { Scope scope; String permissions[]; StringBuilder aggregatedPermissions; + String roles[]; + StringBuilder aggregatedRoles; for(int i=0; i permissions = annotationProcessor.extractPermissions(annotatedAPIClasses); PermissionManagerService permissionManagerService = PermissionManagerServiceImpl.getInstance(); - if (permissions != null) { - for (Permission permission : permissions) { - permissionManagerService.addPermission(permission); - } - } + permissionManagerService.addPermission(contextPath, permissions); + } catch (PermissionManagementException e) { log.error("Exception occurred while adding the permissions from webapp : " + servletContext.getContextPath(), e); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java index 5bd7a3730b..9bbb385b20 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java 
@@ -22,11 +22,11 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.osgi.framework.BundleContext; import org.osgi.service.component.ComponentContext; -import org.wso2.carbon.device.mgt.common.event.config.EventConfigurationProviderService; -import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException; import org.wso2.carbon.device.mgt.common.app.mgt.ApplicationManagementException; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfigurationManagementService; +import org.wso2.carbon.device.mgt.common.event.config.EventConfigurationProviderService; +import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException; import org.wso2.carbon.device.mgt.common.geo.service.GeoLocationProviderService; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService; @@ -48,6 +48,7 @@ import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager; import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig; import org.wso2.carbon.device.mgt.core.config.datasource.DataSourceConfig; import org.wso2.carbon.device.mgt.core.config.tenant.PlatformConfigurationManagementServiceImpl; +import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager; import org.wso2.carbon.device.mgt.core.dao.DeviceManagementDAOFactory; import org.wso2.carbon.device.mgt.core.dao.GroupManagementDAOFactory; import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager; 
@@ -75,7 +76,6 @@ import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderServiceIm import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService; import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderServiceImpl; import org.wso2.carbon.device.mgt.core.task.DeviceTaskManagerService; -import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager; import org.wso2.carbon.device.mgt.core.util.DeviceManagementSchemaInitializer; import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil; import org.wso2.carbon.device.mgt.core.util.DeviceMgtTenantMgtListener; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java index 07865c5095..c2591a1df6 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java 
@@ -18,13 +18,16 @@ package org.wso2.carbon.device.mgt.core.permission.mgt; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService; +import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey; +import org.wso2.carbon.device.mgt.core.cache.impl.APIResourcePermissionCacheManagerImpl; -import java.util.HashSet; +import java.util.List; import java.util.Properties; -import java.util.Set; /** * This class will add, update custom permissions defined in permission.xml in webapps and it will @@ -32,10 +35,7 @@ import java.util.Set; */ public class PermissionManagerServiceImpl implements PermissionManagerService { - public static final String URL_PROPERTY = "URL"; - public static final String HTTP_METHOD_PROPERTY = "HTTP_METHOD"; private static PermissionManagerServiceImpl registryBasedPermissionManager; - private static PermissionTree permissionTree; // holds the permissions at runtime. private PermissionManagerServiceImpl() { } @@ -45,7 +45,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerService { synchronized (PermissionManagerServiceImpl.class) { if (registryBasedPermissionManager == null) { registryBasedPermissionManager = new PermissionManagerServiceImpl(); - permissionTree = new PermissionTree(); } } } 
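Review bot: The first hunk adds `Log` and `LogFactory` imports, but none of the class hunks in this diff declare a logger field, and the `addPermission` rewrite that follows swallows an exception without logging, so the imports appear unused unless a field is declared in a part of the file not shown. Conversely `import java.util.Properties;` is kept as context although `getPermission(Properties)` is removed in the later hunk. Either add `private static final Log log = LogFactory.getLog(PermissionManagerServiceImpl.class);` and use it where the exception is caught, or drop the two imports, and drop `Properties` in either case.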
@@ -53,21 +52,22 @@ public class PermissionManagerServiceImpl implements PermissionManagerService { } @Override - public boolean addPermission(Permission permission) throws PermissionManagementException { - // adding a permission to the tree - permission.setPath(permission.getPath()); - permissionTree.addPermission(permission); - return PermissionUtils.putPermission(permission); + public boolean addPermission(String context, List permissions) throws PermissionManagementException { + try { + for (Permission permission : permissions) { + PermissionUtils.putPermission(permission); + } + APIResourcePermissionCacheManagerImpl.getInstance().addAPIResourcePermissionToCache( + new APIResourcePermissionCacheKey(context), permissions); + } catch (PermissionManagementException e) { + return false; + } + return true; } @Override - public Permission getPermission(Properties properties) throws PermissionManagementException { - String url = (String) properties.get(URL_PROPERTY); - String httpMethod = (String) properties.get(HTTP_METHOD_PROPERTY); - - if (url == null || url.isEmpty() || httpMethod == null || httpMethod.isEmpty()) { - throw new PermissionManagementException("Resource URI/HTTP method is empty"); - } - return permissionTree.getPermission(url, httpMethod); + public List getPermission(String context) throws PermissionManagementException { + return APIResourcePermissionCacheManagerImpl.getInstance().getAPIResourceRermissionFromCache( + new APIResourcePermissionCacheKey(context)); } } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java index 0a2932e930..4415acec60 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java 
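Review bot: `addPermission` catches `PermissionManagementException` and returns `false` without logging or rethrowing, and the only caller visible in this patch (the webapp registration listener) ignores the return value, so a failure to register a webapp's permissions is silent; because `getPermission` then finds no cache entry for that context, the webapp's authorization depends entirely on how the authorizer treats a null list. Registration failures of authorization data should be loud: since the method already declares `throws PermissionManagementException`, the simplest fix is to remove the try/catch and let the exception propagate to the listener, which already logs it. Note also that a failure partway through the loop leaves some permissions registered and none cached, which the Javadoc (currently absent) should spell out if the partial state is acceptable. `getPermission` reads only from the cache with no fallback to the registry that `PermissionUtils.putPermission` wrote to, so a cache miss after eviction cannot be recovered; that is worth a comment at minimum.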
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java @@ -73,8 +73,10 @@ import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementException; import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManagementException; +import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition; import org.wso2.carbon.device.mgt.core.DeviceManagementConstants; +import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey; import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey; import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey; import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager; @@ -136,6 +138,7 @@ public final class DeviceManagerUtil { public static final String GENERAL_CONFIG_RESOURCE_PATH = "general"; private static boolean isDeviceCacheInitialized = false; + private static boolean isAPIResourcePermissionCacheInitialized = false; private static boolean isGeoFenceCacheInitialized = false; public static Document convertToDocument(File file) throws DeviceManagementException { 
@@ -663,6 +666,44 @@ public final class DeviceManagerUtil { } } + public static void initializeAPIResourcePermissionCache() { +// DeviceManagementConfig config = DeviceConfigurationManager.getInstance().getDeviceManagementConfig(); +// int deviceCacheExpiry = config.getDeviceCacheConfiguration().getExpiryTime(); +// long deviceCacheCapacity = config.getDeviceCacheConfiguration().getCapacity(); + CacheManager manager = getCacheManager(); +// if (config.getDeviceCacheConfiguration().isEnabled()) { + if(!isDeviceCacheInitialized) { + isDeviceCacheInitialized = true; + if (manager != null) { +// if (deviceCacheExpiry > 0) { +// manager.createCacheBuilder(DeviceManagementConstants.DEVICE_CACHE). +// setExpiry(CacheConfiguration.ExpiryType.MODIFIED, new CacheConfiguration.Duration(TimeUnit.SECONDS, +// deviceCacheExpiry)).setExpiry(CacheConfiguration.ExpiryType.ACCESSED, new CacheConfiguration. +// Duration(TimeUnit.SECONDS, deviceCacheExpiry)).setStoreByValue(true).build(); +// if(deviceCacheCapacity > 0 ) { +// ((CacheImpl) manager.getCache(DeviceManagementConstants.DEVICE_CACHE)). +// setCapacity(deviceCacheCapacity); +// } +// } else { + manager.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE); +// } + } else { +// if (deviceCacheExpiry > 0) { +// Caching.getCacheManager(). +// createCacheBuilder(DeviceManagementConstants.DEVICE_CACHE). +// setExpiry(CacheConfiguration.ExpiryType.MODIFIED, new CacheConfiguration.Duration(TimeUnit.SECONDS, +// deviceCacheExpiry)).setExpiry(CacheConfiguration.ExpiryType.ACCESSED, new CacheConfiguration. +// Duration(TimeUnit.SECONDS, deviceCacheExpiry)).setStoreByValue(true).build(); +// ((CacheImpl)(manager.getCache(DeviceManagementConstants.DEVICE_CACHE))). +// setCapacity(deviceCacheCapacity); +// } else { + Caching.getCacheManager().getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE); +// } + } + } +// } + } + /** * Enable Geofence caching according to the configurations proviced by cdm-config.xml */ 
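Review bot: `initializeAPIResourcePermissionCache` tests and sets `isDeviceCacheInitialized` instead of the new `isAPIResourcePermissionCacheInitialized` flag introduced in the earlier hunk, so the new flag is never set to true (the getter in the next hunk will re-run initialization on every call) and, worse, the device-cache flag is flipped as a side effect, which would prevent the device cache's own initialization from running if it is guarded by the same flag (inferred; that method is outside the hunk). The two lines should read `if (!isAPIResourcePermissionCacheInitialized) {` and `isAPIResourcePermissionCacheInitialized = true;`. The cache is created with `manager.getCache(...)` and no expiry or capacity settings while the configuration code sits commented out; if the provider applies a default expiry, cached permission lists for deployed webapps will vanish after that interval and nothing in this patch repopulates them, so either wire the configuration in or delete the commented blocks and document the chosen defaults.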
@@ -722,6 +763,24 @@ public final class DeviceManagerUtil { return deviceCache; } + public static Cache> getAPIResourcePermissionCache() { +// DeviceManagementConfig config = DeviceConfigurationManager.getInstance().getDeviceManagementConfig(); + CacheManager manager = getCacheManager(); + Cache> apiResourcePermissionCache = null; +// if (config.getDeviceCacheConfiguration().isEnabled()) { + if(!isAPIResourcePermissionCacheInitialized) { + initializeAPIResourcePermissionCache(); + } + if (manager != null) { + apiResourcePermissionCache = manager.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE); + } else { + apiResourcePermissionCache = Caching.getCacheManager(DeviceManagementConstants.DM_CACHE_MANAGER) + .getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE); + } +// } + return apiResourcePermissionCache; + } + /** * Get geofence cache object * @return {@link Cache} diff --git a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java index 93f6e6fd17..f9980d2122 100644 --- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java +++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java 
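Review bot: In the fallback branch `getAPIResourcePermissionCache` reads from `Caching.getCacheManager(DeviceManagementConstants.DM_CACHE_MANAGER)`, while `initializeAPIResourcePermissionCache` in the previous hunk creates the cache via `Caching.getCacheManager()` with no name; if those resolve to different managers the lookup will not see the cache that was initialized, so the two should use the same call. A Javadoc such as `/** Returns the per-webapp-context permission cache, creating it on first use; may return null if no cache manager is available. */` would match the documentation style of the neighbouring getters. The commented-out `config` lines should either be implemented or removed rather than left as dead text.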
@@ -232,18 +232,18 @@ public class JWTClientUtil { } List aud = jwtConfig.getAudiences(); //set up the basic claims - JWTClaimsSet claimsSet = new JWTClaimsSet(); - claimsSet.setIssueTime(new Date(iat)); - claimsSet.setExpirationTime(new Date(exp)); - claimsSet.setIssuer(iss); - claimsSet.setSubject(username); - claimsSet.setNotBeforeTime(new Date(nbf)); - claimsSet.setJWTID(jti); - claimsSet.setAudience(aud); - claimsSet.setClaim(SIGNED_JWT_AUTH_USERNAME, username); + JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder(); + claimsSet.issueTime(new Date(iat)); + claimsSet.expirationTime(new Date(exp)); + claimsSet.issuer(iss); + claimsSet.subject(username); + claimsSet.notBeforeTime(new Date(nbf)); + claimsSet.jwtID(jti); + claimsSet.audience(aud); + claimsSet.claim(SIGNED_JWT_AUTH_USERNAME, username); if (customClaims != null && !customClaims.isEmpty()) { for (String key : customClaims.keySet()) { - claimsSet.setClaim(key, customClaims.get(key)); + claimsSet.claim(key, customClaims.get(key)); } } @@ -280,7 +280,7 @@ public class JWTClientUtil { } } JWSSigner signer = new RSASSASigner(rsaPrivateKey); - SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet); + SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet.build()); signedJWT.sign(signer); String assertion = signedJWT.serialize(); return assertion; diff --git a/components/transport-mgt/sms-handler/io.entgra.transport.mgt.sms.handler.api/src/main/java/io/entgra/transport/mgt/sms/handler/api/service/ConfigurationManagementService.java b/components/transport-mgt/sms-handler/io.entgra.transport.mgt.sms.handler.api/src/main/java/io/entgra/transport/mgt/sms/handler/api/service/ConfigurationManagementService.java index 3a771222c7..3d4f1d9e0f 100644 --- a/components/transport-mgt/sms-handler/io.entgra.transport.mgt.sms.handler.api/src/main/java/io/entgra/transport/mgt/sms/handler/api/service/ConfigurationManagementService.java 
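Review bot: The local `claimsSet` now holds a `JWTClaimsSet.Builder`, not a claims set, which reads misleadingly at `new SignedJWT(..., claimsSet.build())` in the second hunk; renaming it `claimsSetBuilder` would make both hunks self-explanatory. The custom-claims loop runs after the registered claims are set, so an entry in `customClaims` keyed `sub`, `exp`, `aud` or similar overrides the values this method computed; if `customClaims` can come from anything other than trusted code (its origin is outside the hunk), the loop should skip or reject registered claim names before calling `claim(key, ...)`. Iterating `customClaims.entrySet()` instead of `keySet()` plus `get(key)` would also avoid the double lookup.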
+++ b/components/transport-mgt/sms-handler/io.entgra.transport.mgt.sms.handler.api/src/main/java/io/entgra/transport/mgt/sms/handler/api/service/ConfigurationManagementService.java @@ -64,6 +64,7 @@ import javax.ws.rs.core.Response; name = "View configurations", description = "", key = "perm:sms-handler:view-configuration", + roles = {"Internal/everyone"}, permissions = {"/sms-handler/platform-configurations/view"} ) }) diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml index e041b45f83..a7d96cbd94 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml @@ -55,22 +55,22 @@ org.wso2.carbon.webapp.authenticator.framework.* - com.nimbusds.jose, - com.nimbusds.jose.crypto, - com.nimbusds.jwt, + com.nimbusds.jose;version="${nimbus.orbit.version.range}", + com.nimbusds.jose.crypto;version="${nimbus.orbit.version.range}", + com.nimbusds.jwt;version="${nimbus.orbit.version.range}", javax.xml.bind, javax.xml.bind.annotation, javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional, javax.xml.validation, - - - + org.apache.catalina;version="9.0", + org.apache.catalina.connector;version="9.0", + org.apache.catalina.util;version="9.0", org.apache.commons.logging, - - - - org.osgi.service.component, - org.osgi.framework, + org.apache.coyote;version="9.0", + org.apache.tomcat.util.buf;version="9.0", + org.apache.tomcat.util.http;version="9.0", + org.osgi.framework.*;version="${imp.package.version.osgi.framework}", + org.osgi.service.*;version="${imp.package.version.osgi.service}", org.w3c.dom, org.wso2.carbon.context, org.wso2.carbon.core.util, 
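Review bot: The added `roles = {"Internal/everyone"}` binds the `perm:sms-handler:view-configuration` scope to a role every authenticated user holds, so once the scope-to-role mapping drives authorization, viewing SMS platform configuration becomes available to all users rather than to administrators; that may be intended, but it should be confirmed against what the configuration exposes. If it is intended, a one-line comment above the annotation stating why the scope is granted to everyone would save the next reviewer the same question.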
@@ -85,15 +85,15 @@ org.wso2.carbon.utils, org.wso2.carbon.utils.multitenancy, org.xml.sax, - com.google.gson.*, + javax.servlet, javax.servlet.http, javax.xml, org.apache.axis2.transport.http, org.wso2.carbon.certificate.mgt.core.*, - org.wso2.carbon.device.mgt.core.permission.mgt, + org.wso2.carbon.device.mgt.core.permission.mgt.*, org.wso2.carbon.device.mgt.common.*, - org.wso2.carbon.device.mgt.common.permission.mgt, + org.wso2.carbon.device.mgt.common.permission.mgt.*, org.apache.axis2, org.apache.axis2.client, org.apache.commons.codec.binary;version="${commons-codec.wso2.osgi.version.range}", @@ -114,6 +114,9 @@ org.wso2.carbon.base, org.owasp.encoder + + + @@ -194,6 +197,22 @@ org.wso2.carbon.identity.inbound.auth.oauth2 org.wso2.carbon.identity.oauth + + + + org.wso2.orbit.com.nimbusds + nimbus-jose-jwt + + + + + com.nimbusds + nimbus-jose-jwt + + + + + org.wso2.carbon @@ -202,6 +221,7 @@ org.wso2.orbit.com.nimbusds nimbus-jose-jwt + compile org.wso2.carbon.devicemgt diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java index 7c506737e7..c6d12b9286 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java 
@@ -73,7 +73,7 @@ public class AuthenticationFrameworkUtil { } } - static boolean isUserAuthorized(int tenantId, String tenantDomain, String username, String + public static boolean isUserAuthorized(int tenantId, String tenantDomain, String username, String permission) throws AuthenticationException { boolean tenantFlowStarted = false; diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java index 897bba0812..6547c48f35 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java @@ -18,11 +18,9 @@ */ package org.wso2.carbon.webapp.authenticator.framework; -import com.google.gson.Gson; import org.apache.catalina.Context; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; -import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.owasp.encoder.Encode; 
@@ -33,6 +31,7 @@ import org.wso2.carbon.user.api.Tenant; import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator; +import org.wso2.carbon.webapp.authenticator.framework.authorizer.PermissionAuthorizer; import org.wso2.carbon.webapp.authenticator.framework.authorizer.WebappTenantAuthorizer; import javax.servlet.http.HttpServletResponse; @@ -48,9 +47,6 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class); private static final TreeMap nonSecuredEndpoints = new TreeMap<>(); - private static final String PERMISSION_PREFIX = "/permission/admin"; - public static final String AUTHORIZE_PERMISSION = "Authorize-Permission"; - private static InetAddress inetAddress = null; @Override @@ -81,8 +77,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { } } - if ((this.isContextSkipped(request) || this.skipAuthentication(request)) - && (StringUtils.isEmpty(request.getHeader(AUTHORIZE_PERMISSION)))) { + if ((this.isContextSkipped(request) || this.skipAuthentication(request))) { this.getNext().invoke(request, response, compositeValve); return; } 
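Review bot: The rewritten condition in the third hunk keeps a redundant pair of parentheses left over from the removed header check: `if ((this.isContextSkipped(request) || this.skipAuthentication(request))) {` should be `if (this.isContextSkipped(request) || this.skipAuthentication(request)) {`. Since the `Authorize-Permission` header bypass is gone, the skip list is now the only way a request avoids both authentication and the new permission check, which is worth stating in a comment above the condition.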
@@ -103,29 +98,12 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { // This section will allow to validate a given access token is authenticated to access given // resource(permission) if (request.getCoyoteRequest() != null - && StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION)) && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { boolean isAllowed; - try { - isAllowed = AuthenticationFrameworkUtil.isUserAuthorized( - authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(), - authenticationInfo.getUsername(), - PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION)); - } catch (AuthenticationException e) { - String msg = "Could not authorize permission"; - log.error(msg); - AuthenticationFrameworkUtil.handleResponse(request, response, - HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg); - return; - } - - if (isAllowed) { - Gson gson = new Gson(); - AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK, - gson.toJson(authenticationInfo)); - return; - } else { + WebappAuthenticator.Status authorizeStatus = PermissionAuthorizer.authorize(request, authenticationInfo); + isAllowed = WebappAuthenticator.Status.SUCCESS == authorizeStatus; + if (!isAllowed) { log.error("Unauthorized message from user " + authenticationInfo.getUsername()); AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API"); @@ -133,7 +111,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { } } - Tenant tenant = null; + Tenant tenant = null; if (authenticationInfo.getTenantId() != -1) { try { PrivilegedCarbonContext.startTenantFlow(); 
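Review bot: The comment above the first hunk still describes the removed flow ("validate a given access token is authenticated to access given resource(permission)"), while the new code authorizes every authenticated request against the webapp's registered permissions; suggest `// Authorize the authenticated user against the permission registered for the requested resource; anything other than SUCCESS is rejected.` The declare-then-assign `boolean isAllowed;` / `isAllowed = WebappAuthenticator.Status.SUCCESS == authorizeStatus;` / `if (!isAllowed)` can collapse to `if (authorizeStatus != WebappAuthenticator.Status.SUCCESS) {`. Authorization now also runs when the status is `CONTINUE`; whether `authenticationInfo` carries a usable username and tenant in that state cannot be seen here and should be checked, since `PermissionAuthorizer.authorize` is fed from it.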
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/MatchingResource.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/MatchingResource.java new file mode 100644 index 0000000000..0c24986171 --- /dev/null +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/MatchingResource.java @@ -0,0 +1,30 @@ +package org.wso2.carbon.webapp.authenticator.framework.authorizer; + +/** + * Created by amalka on 6/26/21. + */ +public class MatchingResource { + private String urlPattern; + private String permission; + + public MatchingResource(String urlPattern, String permission) { + this.urlPattern = urlPattern; + this.permission = permission; + } + + public String getUrlPattern() { + return urlPattern; + } + + public void setUrlPattern(String urlPattern) { + this.urlPattern = urlPattern; + } + + public String getPermission() { + return permission; + } + + public void setPermission(String permission) { + this.permission = permission; + } +} diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java new file mode 100644 index 0000000000..dd3e8cceff --- /dev/null +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java 
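Review bot: `MatchingResource` is a value pair that is only ever constructed and read, yet it exposes setters on both fields and carries an IDE-generated "Created by amalka on 6/26/21." Javadoc instead of a description; the other new files in this patch also carry the license header this one lacks. Making the fields `private final`, removing the two setters, and replacing the Javadoc with `/** A registered URL pattern and the permission required to access resources matching it. */` would make it an immutable, self-describing holder.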
@@ -0,0 +1,143 @@ +/* + * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.carbon.webapp.authenticator.framework.authorizer; + +import org.apache.catalina.connector.Request; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; +import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; +import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService; +import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl; +import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException; +import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil; +import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo; +import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator; + +import java.util.ArrayList; +import java.util.List; +import java.util.StringTokenizer; + +public class PermissionAuthorizer { + + private static final Log log = LogFactory.getLog(PermissionAuthorizer.class); + + public static WebappAuthenticator.Status authorize(Request request, AuthenticationInfo authenticationInfo) { + String requestUri = request.getRequestURI(); + String requestMethod = request.getMethod(); + String context = 
request.getContextPath(); + + if (requestUri == null || requestUri.isEmpty() || requestMethod == null || requestMethod.isEmpty()) { + return WebappAuthenticator.Status.CONTINUE; + } + + PermissionManagerService registryBasedPermissionManager = + PermissionManagerServiceImpl.getInstance(); + List matchingPermissions = null; + try { + matchingPermissions = registryBasedPermissionManager.getPermission(context); + } catch (PermissionManagementException e) { + log.error( + "Error occurred while fetching the permission for URI : " + requestUri + + ", msg = " + e.getMessage()); + } + + if (matchingPermissions == null) { + if (log.isDebugEnabled()) { + log.debug("Permission to request '" + requestUri + "' is not defined in the configuration"); + } + return WebappAuthenticator.Status.FAILURE; + } + + String requiredPermission = null; + List matchingResources = new ArrayList<>(); + for (Permission permission : matchingPermissions) { + if (requestMethod.equals(permission.getMethod()) && requestUri.matches(permission.getUrlPattern())) { + if (requestUri.equals(permission.getUrl())) { // is there a exact match + requiredPermission = permission.getPath(); + break; + } else { // all templated urls add to a list + matchingResources.add(new MatchingResource(permission.getUrlPattern().replace(context, ""), permission.getPath())); + } + } + } + + if (requiredPermission == null) { + if (matchingResources.size() == 1) { // only 1 templated url found + requiredPermission = matchingResources.get(0).getPermission(); + } + + if (matchingResources.size() > 1) { // more than 1 templated urls found + String urlWithoutContext = requestUri.replace(context, ""); + StringTokenizer st = new StringTokenizer(urlWithoutContext, "/"); + int tokenPosition = 1; + while (st.hasMoreTokens()) { + List tempList = new ArrayList<>(); + String currentToken = st.nextToken(); + for (MatchingResource matchingResource : matchingResources) { + StringTokenizer stmr = new 
StringTokenizer(matchingResource.getUrlPattern(), "/"); + int internalTokenPosition = 1; + while (stmr.hasMoreTokens()) { + String internalToken = stmr.nextToken(); + if ((tokenPosition == internalTokenPosition) && currentToken.equals(internalToken)) { + tempList.add(matchingResource); + } + internalTokenPosition++; + if (tokenPosition < internalTokenPosition) { + break; + } + } + } + if (tempList.size() == 1) { + requiredPermission = tempList.get(0).getPermission(); + break; + } + tokenPosition++; + } + } + } + + if (requiredPermission == null) { + if (log.isDebugEnabled()) { + log.debug("Matching permission not found for " + requestUri); + } + return WebappAuthenticator.Status.FAILURE; + } + + boolean isUserAuthorized; + try { + isUserAuthorized = AuthenticationFrameworkUtil.isUserAuthorized( + authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(), + authenticationInfo.getUsername(), requiredPermission); + } catch (AuthenticationException e) { + log.error("Error occurred while retrieving user store. " + e.getMessage()); + return WebappAuthenticator.Status.FAILURE; + } + + if (isUserAuthorized) { + return WebappAuthenticator.Status.SUCCESS; + } else { + return WebappAuthenticator.Status.FAILURE; + } + + } + +} + + + diff --git a/pom.xml b/pom.xml index ea11339d6e..eacfe8acda 100644 --- a/pom.xml +++ b/pom.xml @@ -2175,8 +2175,8 @@ 1.0.2 - 2.26.1.wso2v3 - [2.26.1, 3.0.0) + 7.3.0.wso2v1 + [7.3, 8) 2.0.1
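Review bot: `requestUri.replace(context, "")` and `permission.getUrlPattern().replace(context, "")` remove every occurrence of the context path, not only the leading one, so a URI whose later segments happen to contain the context string is tokenized differently from its configured pattern and the templated-URL disambiguation can settle on the wrong permission or none; strip the prefix instead, `String urlWithoutContext = requestUri.startsWith(context) ? requestUri.substring(context.length()) : requestUri;` (and the same for the pattern). The three lists are raw types (`List matchingPermissions`, `List matchingResources`, `List tempList`); declaring them `List<Permission>` and `List<MatchingResource>` removes the unchecked iteration. Matching is done on `request.getRequestURI()`, which is the undecoded request URI, whereas the container dispatches on the normalized decoded path; authorizing on `request.getDecodedRequestURI()` keeps the checked path and the served path the same. Returning CONTINUE for a missing URI or method also deserves a one-line comment, given that the valve accepts an authentication status of CONTINUE as well as SUCCESS but treats only SUCCESS from this method as allowed.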