Merge pull request #168 from ayyoob/das-ext

Added device-scope-based authorisation for MQTT
application-manager-new
Ruwan 9 years ago committed by GitHub
commit 62a602848f

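--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1214,22 +1214,6 @@
 <outputDirectory>${pom.artifactId}-${pom.version}/repository/deployment/server/webapps</outputDirectory>
 <fileMode>644</fileMode>
 </file>
-<file>
-<source>
-../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/mqtt.properties
-</source>
-<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/etc</outputDirectory>
-<filtered>true</filtered>
-<fileMode>644</fileMode>
-</file>
-<file>
-<source>
-../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/xmpp.properties
-</source>
-<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/etc</outputDirectory>
-<filtered>true</filtered>
-<fileMode>644</fileMode>
-</file>
 <file>
 <source>
 ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/jwt.properties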

@ -356,6 +356,11 @@
<Scope>device_scope</Scope> <Scope>device_scope</Scope>
</ScopeWhitelist> </ScopeWhitelist>
<!-- This hold the prefix of device scopes. If a device specific token needs to be issues then token
needs to be sent with the prefix of Device Scope with the format of
DeviceScope/DeviceType/DeviceId -->
<DeviceScope>cdmf</DeviceScope>
</APIKeyValidator> </APIKeyValidator>
<!-- <!--
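Review bot: The new comment above `<DeviceScope>cdmf</DeviceScope>` has wording errors ("This hold", "needs to be issues") in the one place the device-scope token format is documented; suggested text: `<!-- Prefix of device scopes. A device-specific token must carry a scope of the form DeviceScope/DeviceType/DeviceId, i.e. this value followed by /<DeviceType>/<DeviceId>. -->`. The value also has to agree with the prefix the MQTT authorizer compares against, and since the authorizer added in this commit carries its own copy of the `cdmf` literal, the comment should say that the two must be kept in sync.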

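--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -150,7 +150,7 @@
 </SupportedGrantType>
 <SupportedGrantType>
 <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
-<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
+<GrantTypeHandlerImplClass>org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedJWTBearerGrantHandler</GrantTypeHandlerImplClass>
 <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
 </SupportedGrantType>
 </SupportedGrantTypes>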

@ -38,7 +38,11 @@ import java.util.List;
public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer { public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class); private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class);
private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user"; private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user";
private static final String ADMIN_PERMISSION = "/permission/admin/device-mgt/admin";
private static final String SCOPE_IDENTIFIER = "scope"; private static final String SCOPE_IDENTIFIER = "scope";
private static final String CDMF_SCOPE_PREFIX = "cdmf";
private static final String CDMF_SCOPE_SEPERATOR = "/";
private static final String UI_EXECUTE = "ui.execute";
/** /**
* {@inheritDoc} Authorize the user against carbon device mgt model. * {@inheritDoc} Authorize the user against carbon device mgt model.
@ -46,6 +50,9 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
@Override @Override
public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic, public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
MQTTAuthoriztionPermissionLevel permissionLevel) { MQTTAuthoriztionPermissionLevel permissionLevel) {
if (isUserAuthorized(authorizationSubject, ADMIN_PERMISSION, UI_EXECUTE)) {
return true;
}
String topics[] = topic.split("/"); String topics[] = topic.split("/");
if (topics.length < 3) { if (topics.length < 3) {
return false; return false;
@ -59,10 +66,17 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
List<String> scopes = (List<String>) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER); List<String> scopes = (List<String>) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER);
if (scopes != null) { if (scopes != null) {
for (String scope : scopes) { for (String scope : scopes) {
//TODO : have to validate token with scopes. if (scope.startsWith(CDMF_SCOPE_PREFIX)) {
String deviceId[] = scope.split(CDMF_SCOPE_SEPERATOR);
if (deviceId.length == 3) {
if (deviceIdFromTopic.equals(deviceId[2]) && deviceTypeFromTopic.equals(deviceId[1])) {
return true;
}
}
}
} }
} }
return true; return false;
} }
/** /**
@ -70,7 +84,7 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
*/ */
@Override @Override
public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) { public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) {
return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, "ui.execute"); return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, UI_EXECUTE);
} }
/** /**
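Review bot: The scope test in the third hunk, `if (scope.startsWith(CDMF_SCOPE_PREFIX)) {`, anchors on the letters "cdmf" rather than on the `cdmf/` segment, and `deviceId[0]` is never compared afterwards, so any scope whose first segment merely begins with cdmf passes the same device-type/device-id check as a genuine one; `if (scope.startsWith(CDMF_SCOPE_PREFIX + CDMF_SCOPE_SEPERATOR)) {` closes that gap, and `topic.split(CDMF_SCOPE_SEPERATOR)` would put both splits on the same constant. The same `cdmf` literal is added to the API key validator configuration as `<DeviceScope>cdmf</DeviceScope>` in this commit, so the prefix now lives in two places that can drift; if the authorizer has no way to read that setting, a comment on `CDMF_SCOPE_PREFIX` should state that it must match it. `permissionLevel` is not consulted anywhere in the visible lines, so a matching device scope appears to grant both publish and subscribe on the topic, which is worth stating in the method's Javadoc if intended. `deviceIdFromTopic` and `deviceTypeFromTopic` are assigned between the second and third hunks, outside this view, so whether wildcard topic segments are rejected before the comparison cannot be confirmed here. The new constant is also misspelled (`CDMF_SCOPE_SEPERATOR` should be `CDMF_SCOPE_SEPARATOR`).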

@ -1155,7 +1155,7 @@
<carbon.metrics.version>1.2.0</carbon.metrics.version> <carbon.metrics.version>1.2.0</carbon.metrics.version>
<!--JWT grant type extension feature--> <!--JWT grant type extension feature-->
<identity.jwt.extension.version>1.0.0</identity.jwt.extension.version> <identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
<!--http client version--> <!--http client version-->
<httpclient.version>4.3.1.wso2v2</httpclient.version> <httpclient.version>4.3.1.wso2v2</httpclient.version>
<httpclient.version.range>[4.3.1, 5.0.0)</httpclient.version.range> <httpclient.version.range>[4.3.1, 5.0.0)</httpclient.version.range>
