forked from community/device-mgt-core
commit
c7685fedca
@ -0,0 +1,79 @@
|
||||
/*
|
||||
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.device.mgt.core.config.permission;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* This class represents the node of a permission tree.
|
||||
* It holds the current path name, list of permissions associated with URL
|
||||
* and the set of children.
|
||||
*/
|
||||
public class PermissionNode {
|
||||
|
||||
private String pathName;
|
||||
private Map<String, Permission> permissions = new HashMap<String, Permission>();
|
||||
private List<PermissionNode> children = new ArrayList<PermissionNode>();
|
||||
|
||||
public PermissionNode(String pathName) {
|
||||
this.pathName = pathName;
|
||||
}
|
||||
|
||||
public String getPathName() {
|
||||
return pathName;
|
||||
}
|
||||
|
||||
public void setPathName(String pathName) {
|
||||
this.pathName = pathName;
|
||||
}
|
||||
|
||||
public List<PermissionNode> getChildren() {
|
||||
return children;
|
||||
}
|
||||
|
||||
public PermissionNode getChild(String pathName) {
|
||||
PermissionNode child = null;
|
||||
for (PermissionNode node : children) {
|
||||
if (node.getPathName().equals(pathName)) {
|
||||
return node;
|
||||
}
|
||||
}
|
||||
return child;
|
||||
}
|
||||
|
||||
public void addChild(PermissionNode node) {
|
||||
children.add(node);
|
||||
}
|
||||
|
||||
public void addPermission(String httpMethod, Permission permission) {
|
||||
permissions.put(httpMethod, permission);
|
||||
}
|
||||
|
||||
public Permission getPermission(String httpMethod) {
|
||||
return permissions.get(httpMethod);
|
||||
}
|
||||
|
||||
public Collection<Permission> getPermissions() {
|
||||
return permissions.values();
|
||||
}
|
||||
}
|
@ -0,0 +1,113 @@
|
||||
/*
|
||||
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.device.mgt.core.config.permission;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import java.util.StringTokenizer;
|
||||
|
||||
/**
|
||||
* This class represents a tree data structure which will be used for adding and retrieving permissions.
|
||||
*/
|
||||
public class PermissionTree {
|
||||
|
||||
private PermissionNode rootNode;
|
||||
private static final String DYNAMIC_PATH_NOTATION = "*";
|
||||
private static final String ROOT = "/";
|
||||
private static final Log log = LogFactory.getLog(PermissionTree.class);
|
||||
|
||||
public PermissionTree() {
|
||||
rootNode = new PermissionNode(ROOT); // initializing the root node.
|
||||
}
|
||||
|
||||
/**
|
||||
* This method is used to add permissions to the tree. Once it receives the permission
|
||||
* it will traverse through the given request path with respect to the permission and place
|
||||
* the permission in the appropriate place in the tree.
|
||||
*
|
||||
* @param permission Permission object.
|
||||
*/
|
||||
public void addPermission(Permission permission) {
|
||||
StringTokenizer st = new StringTokenizer(permission.getUrl(), ROOT);
|
||||
PermissionNode tempRoot = rootNode;
|
||||
PermissionNode tempChild;
|
||||
while (st.hasMoreTokens()) {
|
||||
tempChild = new PermissionNode(st.nextToken());
|
||||
tempRoot = addPermissionNode(tempRoot, tempChild);
|
||||
}
|
||||
tempRoot.addPermission(permission.getMethod(), permission); //setting permission to the vertex
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Added permission '" + permission.getName() + "'");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This method is used to add vertex to the graph. The method will check for the given child
|
||||
* whether exists within the list of children of the given parent.
|
||||
*
|
||||
* @param parent Parent PermissionNode.
|
||||
* @param child Child PermissionNode.
|
||||
* @return returns the newly created child or the existing child.
|
||||
*/
|
||||
private PermissionNode addPermissionNode(PermissionNode parent, PermissionNode child) {
|
||||
PermissionNode existChild = parent.getChild(child.getPathName());
|
||||
if (existChild == null) {
|
||||
parent.addChild(child);
|
||||
return child;
|
||||
}
|
||||
return existChild;
|
||||
}
|
||||
|
||||
/**
|
||||
* This method is used to retrieve the permission for a given url and http method.
|
||||
* Breath First Search (BFS) is used to traverse the tree.
|
||||
*
|
||||
* @param url Request URL.
|
||||
* @param httpMethod HTTP method of the request.
|
||||
* @return returns the permission with related to the request path or null if there is
|
||||
* no any permission that is stored with respected to the given request path.
|
||||
*/
|
||||
public Permission getPermission(String url, String httpMethod) {
|
||||
StringTokenizer st = new StringTokenizer(url, ROOT);
|
||||
PermissionNode tempRoot = rootNode;
|
||||
while (st.hasMoreTokens()) {
|
||||
String currentToken = st.nextToken();
|
||||
|
||||
// returns the child node which matches with the 'currentToken' path.
|
||||
tempRoot = tempRoot.getChild(currentToken);
|
||||
|
||||
// if tempRoot is null, that means 'currentToken' is not matched with the child's path.
|
||||
// It means that it is at a point where the request must have dynamic path variables.
|
||||
// Therefor it looks for '*' in the request path. ('*' denotes dynamic path variable).
|
||||
if (tempRoot == null) {
|
||||
tempRoot = tempRoot.getChild(DYNAMIC_PATH_NOTATION);
|
||||
// if tempRoot is null, that means there is no any permission which matches with the
|
||||
// given path
|
||||
if (tempRoot == null) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Permission for request path '" + url + "' does not exist");
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
return tempRoot.getPermission(httpMethod);
|
||||
}
|
||||
}
|
@ -0,0 +1,76 @@
|
||||
/*
|
||||
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||
|
||||
import org.apache.catalina.connector.Request;
|
||||
import org.apache.catalina.connector.Response;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
|
||||
import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
public class PermissionAuthorizationValve extends CarbonTomcatValve {
|
||||
|
||||
private static final Log log = LogFactory.getLog(PermissionAuthorizationValve.class);
|
||||
private static final String AUTHORIZATION_ENABLED = "authorization-enabled";
|
||||
|
||||
|
||||
@Override
|
||||
public void invoke(Request request, Response response, CompositeValve compositeValve) {
|
||||
|
||||
String permissionStatus =
|
||||
request.getContext().findParameter(AUTHORIZATION_ENABLED);
|
||||
if (permissionStatus == null || permissionStatus.isEmpty()) {
|
||||
this.processResponse(request, response, compositeValve, WebappAuthenticator.Status.CONTINUE);
|
||||
return;
|
||||
}
|
||||
// check whether the permission checking function is enabled in web.xml
|
||||
boolean isEnabled = new Boolean(permissionStatus);
|
||||
if (!isEnabled) {
|
||||
this.processResponse(request, response, compositeValve, WebappAuthenticator.Status.CONTINUE);
|
||||
return;
|
||||
}
|
||||
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Checking permission of request: " + request.getRequestURI());
|
||||
}
|
||||
PermissionAuthorizer permissionAuthorizer = new PermissionAuthorizer();
|
||||
WebappAuthenticator.Status status = permissionAuthorizer.authorize(request, response);
|
||||
this.processResponse(request, response, compositeValve, status);
|
||||
}
|
||||
|
||||
private void processResponse(Request request, Response response, CompositeValve compositeValve,
|
||||
WebappAuthenticator.Status status) {
|
||||
switch (status) {
|
||||
case SUCCESS:
|
||||
case CONTINUE:
|
||||
this.getNext().invoke(request, response, compositeValve);
|
||||
break;
|
||||
case FAILURE:
|
||||
String msg = "Failed to authorize incoming request";
|
||||
log.error(msg);
|
||||
AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, msg);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,90 @@
|
||||
/*
|
||||
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||
|
||||
import org.apache.catalina.connector.Request;
|
||||
import org.apache.catalina.connector.Response;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.context.CarbonContext;
|
||||
import org.wso2.carbon.device.mgt.core.config.permission.Permission;
|
||||
import org.wso2.carbon.device.mgt.core.config.permission.PermissionManager;
|
||||
import org.wso2.carbon.user.api.UserStoreException;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.Constants;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
||||
|
||||
import java.util.StringTokenizer;
|
||||
|
||||
/**
|
||||
* This class represents the methods that are used to authorize requests.
|
||||
*/
|
||||
public class PermissionAuthorizer {
|
||||
|
||||
private static final Log log = LogFactory.getLog(PermissionAuthorizer.class);
|
||||
|
||||
public WebappAuthenticator.Status authorize(Request request, Response response) {
|
||||
|
||||
String requestUri = request.getRequestURI();
|
||||
String requestMethod = request.getMethod();
|
||||
|
||||
if (requestUri == null || requestUri.isEmpty() ||
|
||||
requestMethod == null || requestMethod.isEmpty()) {
|
||||
return WebappAuthenticator.Status.CONTINUE;
|
||||
}
|
||||
|
||||
PermissionManager permissionManager = PermissionManager.getInstance();
|
||||
Permission requestPermission = permissionManager.getPermission(requestUri, requestMethod);
|
||||
|
||||
if (requestPermission == null) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
|
||||
}
|
||||
return WebappAuthenticator.Status.FAILURE;
|
||||
}
|
||||
|
||||
String permissionString = requestPermission.getPath();
|
||||
|
||||
// This is added temporarily until authentication works.
|
||||
// TODO remove below line.
|
||||
String username = "admin";
|
||||
// TODO uncomment this once the authentication works.
|
||||
//String username = CarbonContext.getThreadLocalCarbonContext().getUsername();
|
||||
|
||||
boolean isUserAuthorized;
|
||||
try {
|
||||
isUserAuthorized = CarbonContext.getThreadLocalCarbonContext().getUserRealm().
|
||||
getAuthorizationManager().isUserAuthorized(username, permissionString,
|
||||
Constants.PermissionMethod.READ);
|
||||
} catch (UserStoreException e) {
|
||||
log.error("Error occurred while retrieving user store. " + e.getMessage());
|
||||
return WebappAuthenticator.Status.FAILURE;
|
||||
}
|
||||
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Is user authorized: " + isUserAuthorized);
|
||||
}
|
||||
|
||||
if (isUserAuthorized) {
|
||||
return WebappAuthenticator.Status.SUCCESS;
|
||||
} else {
|
||||
return WebappAuthenticator.Status.FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in new issue