forked from community/device-mgt-core
revert-70aa11f8
commit
c74a979c8d
@ -0,0 +1,79 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.device.mgt.core.config.permission;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This class represents the node of a permission tree.
|
||||||
|
* It holds the current path name, list of permissions associated with URL
|
||||||
|
* and the set of children.
|
||||||
|
*/
|
||||||
|
public class PermissionNode {
|
||||||
|
|
||||||
|
private String pathName;
|
||||||
|
private Map<String, Permission> permissions = new HashMap<String, Permission>();
|
||||||
|
private List<PermissionNode> children = new ArrayList<PermissionNode>();
|
||||||
|
|
||||||
|
public PermissionNode(String pathName) {
|
||||||
|
this.pathName = pathName;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getPathName() {
|
||||||
|
return pathName;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setPathName(String pathName) {
|
||||||
|
this.pathName = pathName;
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<PermissionNode> getChildren() {
|
||||||
|
return children;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PermissionNode getChild(String pathName) {
|
||||||
|
PermissionNode child = null;
|
||||||
|
for (PermissionNode node : children) {
|
||||||
|
if (node.getPathName().equals(pathName)) {
|
||||||
|
return node;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return child;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void addChild(PermissionNode node) {
|
||||||
|
children.add(node);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void addPermission(String httpMethod, Permission permission) {
|
||||||
|
permissions.put(httpMethod, permission);
|
||||||
|
}
|
||||||
|
|
||||||
|
public Permission getPermission(String httpMethod) {
|
||||||
|
return permissions.get(httpMethod);
|
||||||
|
}
|
||||||
|
|
||||||
|
public Collection<Permission> getPermissions() {
|
||||||
|
return permissions.values();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,113 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.device.mgt.core.config.permission;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import java.util.StringTokenizer;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This class represents a tree data structure which will be used for adding and retrieving permissions.
|
||||||
|
*/
|
||||||
|
public class PermissionTree {
|
||||||
|
|
||||||
|
private PermissionNode rootNode;
|
||||||
|
private static final String DYNAMIC_PATH_NOTATION = "*";
|
||||||
|
private static final String ROOT = "/";
|
||||||
|
private static final Log log = LogFactory.getLog(PermissionTree.class);
|
||||||
|
|
||||||
|
public PermissionTree() {
|
||||||
|
rootNode = new PermissionNode(ROOT); // initializing the root node.
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method is used to add permissions to the tree. Once it receives the permission
|
||||||
|
* it will traverse through the given request path with respect to the permission and place
|
||||||
|
* the permission in the appropriate place in the tree.
|
||||||
|
*
|
||||||
|
* @param permission Permission object.
|
||||||
|
*/
|
||||||
|
public void addPermission(Permission permission) {
|
||||||
|
StringTokenizer st = new StringTokenizer(permission.getUrl(), ROOT);
|
||||||
|
PermissionNode tempRoot = rootNode;
|
||||||
|
PermissionNode tempChild;
|
||||||
|
while (st.hasMoreTokens()) {
|
||||||
|
tempChild = new PermissionNode(st.nextToken());
|
||||||
|
tempRoot = addPermissionNode(tempRoot, tempChild);
|
||||||
|
}
|
||||||
|
tempRoot.addPermission(permission.getMethod(), permission); //setting permission to the vertex
|
||||||
|
if (log.isDebugEnabled()) {
|
||||||
|
log.debug("Added permission '" + permission.getName() + "'");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method is used to add vertex to the graph. The method will check for the given child
|
||||||
|
* whether exists within the list of children of the given parent.
|
||||||
|
*
|
||||||
|
* @param parent Parent PermissionNode.
|
||||||
|
* @param child Child PermissionNode.
|
||||||
|
* @return returns the newly created child or the existing child.
|
||||||
|
*/
|
||||||
|
private PermissionNode addPermissionNode(PermissionNode parent, PermissionNode child) {
|
||||||
|
PermissionNode existChild = parent.getChild(child.getPathName());
|
||||||
|
if (existChild == null) {
|
||||||
|
parent.addChild(child);
|
||||||
|
return child;
|
||||||
|
}
|
||||||
|
return existChild;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method is used to retrieve the permission for a given url and http method.
|
||||||
|
* Breath First Search (BFS) is used to traverse the tree.
|
||||||
|
*
|
||||||
|
* @param url Request URL.
|
||||||
|
* @param httpMethod HTTP method of the request.
|
||||||
|
* @return returns the permission with related to the request path or null if there is
|
||||||
|
* no any permission that is stored with respected to the given request path.
|
||||||
|
*/
|
||||||
|
public Permission getPermission(String url, String httpMethod) {
|
||||||
|
StringTokenizer st = new StringTokenizer(url, ROOT);
|
||||||
|
PermissionNode tempRoot = rootNode;
|
||||||
|
while (st.hasMoreTokens()) {
|
||||||
|
String currentToken = st.nextToken();
|
||||||
|
|
||||||
|
// returns the child node which matches with the 'currentToken' path.
|
||||||
|
tempRoot = tempRoot.getChild(currentToken);
|
||||||
|
|
||||||
|
// if tempRoot is null, that means 'currentToken' is not matched with the child's path.
|
||||||
|
// It means that it is at a point where the request must have dynamic path variables.
|
||||||
|
// Therefor it looks for '*' in the request path. ('*' denotes dynamic path variable).
|
||||||
|
if (tempRoot == null) {
|
||||||
|
tempRoot = tempRoot.getChild(DYNAMIC_PATH_NOTATION);
|
||||||
|
// if tempRoot is null, that means there is no any permission which matches with the
|
||||||
|
// given path
|
||||||
|
if (tempRoot == null) {
|
||||||
|
if (log.isDebugEnabled()) {
|
||||||
|
log.debug("Permission for request path '" + url + "' does not exist");
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return tempRoot.getPermission(httpMethod);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,76 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||||
|
|
||||||
|
import org.apache.catalina.connector.Request;
|
||||||
|
import org.apache.catalina.connector.Response;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
|
||||||
|
import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
public class PermissionAuthorizationValve extends CarbonTomcatValve {
|
||||||
|
|
||||||
|
private static final Log log = LogFactory.getLog(PermissionAuthorizationValve.class);
|
||||||
|
private static final String AUTHORIZATION_ENABLED = "authorization-enabled";
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void invoke(Request request, Response response, CompositeValve compositeValve) {
|
||||||
|
|
||||||
|
String permissionStatus =
|
||||||
|
request.getContext().findParameter(AUTHORIZATION_ENABLED);
|
||||||
|
if (permissionStatus == null || permissionStatus.isEmpty()) {
|
||||||
|
this.processResponse(request, response, compositeValve, WebappAuthenticator.Status.CONTINUE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
// check whether the permission checking function is enabled in web.xml
|
||||||
|
boolean isEnabled = new Boolean(permissionStatus);
|
||||||
|
if (!isEnabled) {
|
||||||
|
this.processResponse(request, response, compositeValve, WebappAuthenticator.Status.CONTINUE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (log.isDebugEnabled()) {
|
||||||
|
log.debug("Checking permission of request: " + request.getRequestURI());
|
||||||
|
}
|
||||||
|
PermissionAuthorizer permissionAuthorizer = new PermissionAuthorizer();
|
||||||
|
WebappAuthenticator.Status status = permissionAuthorizer.authorize(request, response);
|
||||||
|
this.processResponse(request, response, compositeValve, status);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void processResponse(Request request, Response response, CompositeValve compositeValve,
|
||||||
|
WebappAuthenticator.Status status) {
|
||||||
|
switch (status) {
|
||||||
|
case SUCCESS:
|
||||||
|
case CONTINUE:
|
||||||
|
this.getNext().invoke(request, response, compositeValve);
|
||||||
|
break;
|
||||||
|
case FAILURE:
|
||||||
|
String msg = "Failed to authorize incoming request";
|
||||||
|
log.error(msg);
|
||||||
|
AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, msg);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,90 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||||
|
|
||||||
|
import org.apache.catalina.connector.Request;
|
||||||
|
import org.apache.catalina.connector.Response;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.wso2.carbon.context.CarbonContext;
|
||||||
|
import org.wso2.carbon.device.mgt.core.config.permission.Permission;
|
||||||
|
import org.wso2.carbon.device.mgt.core.config.permission.PermissionManager;
|
||||||
|
import org.wso2.carbon.user.api.UserStoreException;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.Constants;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
||||||
|
|
||||||
|
import java.util.StringTokenizer;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This class represents the methods that are used to authorize requests.
|
||||||
|
*/
|
||||||
|
public class PermissionAuthorizer {
|
||||||
|
|
||||||
|
private static final Log log = LogFactory.getLog(PermissionAuthorizer.class);
|
||||||
|
|
||||||
|
public WebappAuthenticator.Status authorize(Request request, Response response) {
|
||||||
|
|
||||||
|
String requestUri = request.getRequestURI();
|
||||||
|
String requestMethod = request.getMethod();
|
||||||
|
|
||||||
|
if (requestUri == null || requestUri.isEmpty() ||
|
||||||
|
requestMethod == null || requestMethod.isEmpty()) {
|
||||||
|
return WebappAuthenticator.Status.CONTINUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
PermissionManager permissionManager = PermissionManager.getInstance();
|
||||||
|
Permission requestPermission = permissionManager.getPermission(requestUri, requestMethod);
|
||||||
|
|
||||||
|
if (requestPermission == null) {
|
||||||
|
if (log.isDebugEnabled()) {
|
||||||
|
log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
|
||||||
|
}
|
||||||
|
return WebappAuthenticator.Status.FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
String permissionString = requestPermission.getPath();
|
||||||
|
|
||||||
|
// This is added temporarily until authentication works.
|
||||||
|
// TODO remove below line.
|
||||||
|
String username = "admin";
|
||||||
|
// TODO uncomment this once the authentication works.
|
||||||
|
//String username = CarbonContext.getThreadLocalCarbonContext().getUsername();
|
||||||
|
|
||||||
|
boolean isUserAuthorized;
|
||||||
|
try {
|
||||||
|
isUserAuthorized = CarbonContext.getThreadLocalCarbonContext().getUserRealm().
|
||||||
|
getAuthorizationManager().isUserAuthorized(username, permissionString,
|
||||||
|
Constants.PermissionMethod.READ);
|
||||||
|
} catch (UserStoreException e) {
|
||||||
|
log.error("Error occurred while retrieving user store. " + e.getMessage());
|
||||||
|
return WebappAuthenticator.Status.FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (log.isDebugEnabled()) {
|
||||||
|
log.debug("Is user authorized: " + isUserAuthorized);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isUserAuthorized) {
|
||||||
|
return WebappAuthenticator.Status.SUCCESS;
|
||||||
|
} else {
|
||||||
|
return WebappAuthenticator.Status.FAILURE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in new issue