Implemented scope based authorization in device-mgt UI module

4.x.x
mharindu 8 years ago
parent aa7d3385ce
commit bd41e4f4fb

@ -161,6 +161,10 @@
<artifactId>org.wso2.carbon.user.api</artifactId> <artifactId>org.wso2.carbon.user.api</artifactId>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.apimgt.annotations</artifactId>
</dependency>
</dependencies> </dependencies>
<build> <build>

@ -18,20 +18,19 @@
package org.wso2.carbon.apimgt.application.extension.api; package org.wso2.carbon.apimgt.application.extension.api;
import org.wso2.carbon.apimgt.annotations.api.API;
import org.wso2.carbon.apimgt.application.extension.api.util.RegistrationProfile; import org.wso2.carbon.apimgt.application.extension.api.util.RegistrationProfile;
import javax.ws.rs.Consumes; import javax.ws.rs.*;
import javax.ws.rs.DELETE;
import javax.ws.rs.POST;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
/** /**
* This is the application registration service that exposed for apimApplicationRegistration * This is the application registration service that exposed for apimApplicationRegistration
*/ */
@API(name = "API Registration Service", version = "1.0.0",
context = "api-application-registration",
tags = {"devicemgt_admin"})
public interface ApiApplicationRegistrationService { public interface ApiApplicationRegistrationService {
/** /**
@ -40,6 +39,7 @@ public interface ApiApplicationRegistrationService {
@POST @POST
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON)
@Path("register/tenants")
Response register(@PathParam("tenantDomain") String tenantDomain, Response register(@PathParam("tenantDomain") String tenantDomain,
@QueryParam("applicationName") String applicationName); @QueryParam("applicationName") String applicationName);
@ -51,6 +51,7 @@ public interface ApiApplicationRegistrationService {
@POST @POST
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON)
@Path("register")
Response register(RegistrationProfile registrationProfile); Response register(RegistrationProfile registrationProfile);
/** /**
@ -59,5 +60,6 @@ public interface ApiApplicationRegistrationService {
* @return the response status of request. * @return the response status of request.
*/ */
@DELETE @DELETE
@Path("unregister")
Response unregister(@QueryParam("applicationName") String applicationName); Response unregister(@QueryParam("applicationName") String applicationName);
} }
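Review bot: `@Path("register/tenants")` on the first `register` overload has no `{tenantDomain}` template segment, yet the method still binds `@PathParam("tenantDomain")`; unless a class-level `@Path` outside this hunk supplies that variable, JAX-RS will inject null for `tenantDomain` on every request. Either declare it, `@Path("register/tenants/{tenantDomain}")`, or — since a caller-chosen tenant in the URL is something the implementation must then authorize against the caller's own tenant — derive the tenant from the authenticated context instead. The new import line replaces the explicit `javax.ws.rs.Consumes`/`DELETE`/`POST`/`PathParam`/`Produces`/`QueryParam` imports with the wildcard `javax.ws.rs.*`, which the file otherwise avoids (the `core` imports stay explicit); adding `import javax.ws.rs.Path;` to the explicit list keeps the style consistent. The interface Javadoc could also say that the service is now published via the `@API` annotation under the `devicemgt_admin` tag, so readers know a change to the paths here changes the managed API definition.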

@ -47,7 +47,11 @@
<!--publish to apim--> <!--publish to apim-->
<context-param> <context-param>
<param-name>managed-api-enabled</param-name> <param-name>managed-api-enabled</param-name>
<param-value>false</param-value> <param-value>true</param-value>
</context-param>
<context-param>
<param-name>managed-api-owner</param-name>
<param-value>admin</param-value>
</context-param> </context-param>
<filter> <filter>
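Review bot: `managed-api-owner` is hard-coded to `admin` in the packaged web.xml, so every deployment publishes this API under that one account; if the owner is meant to vary per installation it should come from deployment configuration rather than the war. Flipping `managed-api-enabled` to `true` also means the webapp presumably registers its resources with API Manager at startup (the existing `<!--publish to apim-->` comment hints at this), which nothing in the file explains; a comment such as `<!-- Publishes this webapp's resources to API-M at startup; managed-api-owner must be an existing user -->` above the new `context-param` would document the dependency. Whether `admin` additionally needs publisher permissions is not visible here and should be confirmed.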

@ -70,17 +70,53 @@
"copyrightSuffix" : " All Rights Reserved." "copyrightSuffix" : " All Rights Reserved."
}, },
"scopes" : [ "scopes" : [
"license-add", "license-view", "device-view", "user:manage",
"device-info", "device-list", "device-view-own", "device-modify", "device-search", "user:view",
"operation-install", "operation-view", "operation-modify", "operation-uninstall", "device-type:admin:view",
"group-add", "group-share", "group-modify", "group-view", "group-remove", "device:view",
"certificate-modify", "certificate-view", "notification:view",
"configuration-view", "configuration-modify", "device:admin:view",
"policy-view", "policy-modify", "application:manage",
"device-notification-view", "device-notification-modify", "activity:view",
"feature-view", "user:admin:reset-password",
"roles-view", "roles-modify", "roles-remove", "roles-add", "policy:manage",
"user-password-reset", "user-password-modify", "user-modify", "user-view", "user-invite", "user-remove", "user-add" "policy:view",
"role:manage",
"role:view",
"configuration:view",
"configuration:modify",
"device:android:operation:reboot",
"device:android:operation:camera",
"device:android:operation:vpn",
"device:android:operation:lock",
"device:android:operation:ring",
"device:android:operation:update-app",
"device:android:operation:wipe",
"device:android:operation:encrypt",
"device:android:operation:blacklist-app",
"device:android:operation:applications",
"device:android:operation:enterprise-wipe",
"device:android:operation:info",
"device:android:operation:wifi",
"device:android:operation:uninstall-app",
"device:android:operation:change-lock",
"device:android:operation:notification",
"device:android:operation:upgrade",
"device:android:operation:unlock",
"device:android:operation:mute",
"device:android:operation:location",
"device:android:operation:webclip",
"device:android:operation:clear-password",
"device:android:operation:password-policy",
"device:android:operation:install-app",
"device:android:event:write",
"device:android:event:read",
"device:android:enroll",
"configuration:manage",
"configuration:view",
"device:android:enroll",
"certificate:view",
"certificate:manage"
], ],
"isOAuthEnabled" : true, "isOAuthEnabled" : true,
"backendRestEndpoints" : { "backendRestEndpoints" : {

@ -83,3 +83,4 @@ var HTTP_CONFLICT = 409;
var HTTP_CREATED = 201; var HTTP_CREATED = 201;
var CACHED_CREDENTIALS = "tenantBasedCredentials"; var CACHED_CREDENTIALS = "tenantBasedCredentials";
var ALLOWED_SCOPES = "scopes";

@ -172,10 +172,11 @@ var utils = function () {
if (xhr["status"] == 200 && xhr["responseText"]) { if (xhr["status"] == 200 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]); var responsePayload = parse(xhr["responseText"]);
var tokenPair = {}; var tokenData = {};
tokenPair["accessToken"] = responsePayload["access_token"]; tokenData["accessToken"] = responsePayload["access_token"];
tokenPair["refreshToken"] = responsePayload["refresh_token"]; tokenData["refreshToken"] = responsePayload["refresh_token"];
return tokenPair; tokenData["scopes"] = responsePayload["scope"];
return tokenData;
} else { } else {
log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " + log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " +
"by password grant type - getTokenPairByPasswordGrantType(a, b, c, d)"); "by password grant type - getTokenPairByPasswordGrantType(a, b, c, d)");
@ -224,10 +225,11 @@ var utils = function () {
if (xhr["status"] == 200 && xhr["responseText"]) { if (xhr["status"] == 200 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]); var responsePayload = parse(xhr["responseText"]);
var tokenPair = {}; var tokenData = {};
tokenPair["accessToken"] = responsePayload["access_token"]; tokenData["accessToken"] = responsePayload["access_token"];
tokenPair["refreshToken"] = responsePayload["refresh_token"]; tokenData["refreshToken"] = responsePayload["refresh_token"];
return tokenPair; tokenData["scopes"] = responsePayload["scope"];
return tokenData;
} else { } else {
log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " + log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " +
"by password grant type - getTokenPairBySAMLGrantType(x, y, z)"); "by password grant type - getTokenPairBySAMLGrantType(x, y, z)");

@ -45,23 +45,30 @@ var handlers = function () {
"password grant type. Encoded client credentials are " + "password grant type. Encoded client credentials are " +
"missing - setupTokenPairByPasswordGrantType(x, y)"); "missing - setupTokenPairByPasswordGrantType(x, y)");
} else { } else {
var tokenPair; var tokenData;
// tokenPair will include current access token as well as current refresh token // tokenPair will include current access token as well as current refresh token
var arrayOfScopes = devicemgtProps["scopes"]; var arrayOfScopes = devicemgtProps["scopes"];
var stringOfScopes = ""; var stringOfScopes = "";
arrayOfScopes.forEach(function (entry) { arrayOfScopes.forEach(function (entry) {
stringOfScopes += entry + " "; stringOfScopes += entry + " ";
}); });
tokenPair = tokenUtil. tokenData = tokenUtil.
getTokenPairByPasswordGrantType(username, getTokenPairByPasswordGrantType(username,
encodeURIComponent(password), encodedClientAppCredentials, stringOfScopes); encodeURIComponent(password), encodedClientAppCredentials, stringOfScopes);
if (!tokenPair) { if (!tokenData) {
throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up " + throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up " +
"token pair by password grant type. Error in token " + "token pair by password grant type. Error in token " +
"retrieval - setupTokenPairByPasswordGrantType(x, y)"); "retrieval - setupTokenPairByPasswordGrantType(x, y)");
} else { } else {
// setting up access token pair into session context as a string var tokenPair = {};
tokenPair["accessToken"] = tokenData["accessToken"];
tokenPair["refreshToken"] = tokenData["refreshToken"];
// setting up token pair into session context as a string
session.put(constants["TOKEN_PAIR"], stringify(tokenPair)); session.put(constants["TOKEN_PAIR"], stringify(tokenPair));
var scopes = tokenData.scopes.split(" ");
// adding allowed scopes to the session
session.put(constants["ALLOWED_SCOPES"], scopes);
} }
} }
} }
@ -80,17 +87,24 @@ var handlers = function () {
"by saml grant type. Encoded client credentials are " + "by saml grant type. Encoded client credentials are " +
"missing - setupTokenPairByPasswordGrantType(x, y)"); "missing - setupTokenPairByPasswordGrantType(x, y)");
} else { } else {
var tokenPair; var tokenData;
// accessTokenPair will include current access token as well as current refresh token // accessTokenPair will include current access token as well as current refresh token
tokenPair = tokenUtil. tokenData = tokenUtil.
getTokenPairBySAMLGrantType(samlToken, encodedClientAppCredentials, "PRODUCTION"); getTokenPairBySAMLGrantType(samlToken, encodedClientAppCredentials, "PRODUCTION");
if (!tokenPair) { if (!tokenData) {
throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up token " + throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up token " +
"pair by password grant type. Error in token " + "pair by password grant type. Error in token " +
"retrieval - setupTokenPairByPasswordGrantType(x, y)"); "retrieval - setupTokenPairByPasswordGrantType(x, y)");
} else { } else {
var tokenPair = {};
tokenPair["accessToken"] = tokenData["accessToken"];
tokenPair["refreshToken"] = tokenData["refreshToken"];
// setting up access token pair into session context as a string // setting up access token pair into session context as a string
session.put(constants["TOKEN_PAIR"], stringify(tokenPair)); session.put(constants["TOKEN_PAIR"], stringify(tokenPair));
var scopes = tokenData.scopes.split(" ");
// adding allowed scopes to the session
session.put(constants["ALLOWED_SCOPES"], scopes);
} }
} }
} }
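Review bot: `tokenData.scopes.split(" ")`, added right after the `session.put(constants["TOKEN_PAIR"], …)` call, throws a TypeError when the token response carried no `scope` field, because the only guard above it is the `if (!tokenData)` null check; the same line is added in the SAML handler in the second hunk. `var scopes = tokenData.scopes ? tokenData.scopes.trim().split(/\s+/) : [];` avoids the crash and tolerates stray whitespace in the server's scope string, so `ALLOWED_SCOPES` is always an array. The comment `// tokenPair will include current access token as well as current refresh token` (and its `accessTokenPair` twin in the SAML handler) now sits above a variable named `tokenData` that also carries the granted scopes, and should be updated to match. The two handlers now repeat the same pair-building and scope bookkeeping verbatim; a small shared helper would keep them from diverging. Both enclosing functions start and end outside their hunks.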

@ -129,7 +129,7 @@ public class OAuthAuthenticator implements WebappAuthenticator {
if (resource == null || resource.isEmpty()) { if (resource == null || resource.isEmpty()) {
authenticationInfo.setStatus(Status.FAILURE); authenticationInfo.setStatus(Status.FAILURE);
authenticationInfo.setMessage("Requested resource does not exist"); authenticationInfo.setMessage("Authorization failed. Requested API resource does not exist");
return authenticationInfo; return authenticationInfo;
} }
