diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index ac006cd571f..f5f209d61fb 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java @@ -89,7 +89,6 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } } - //done @Override public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username) throws DeviceAccessAuthorizationException { @@ -102,13 +101,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions); } - //done @Override public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { return isUserAuthorized(deviceIdentifier, this.getUserName(), null); } - //done @Override public boolean isDeviceAdminUser() throws DeviceAccessAuthorizationException { String username = this.getUserName(); @@ -168,14 +165,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return deviceAuthorizationResult; } - //done @Override public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username) throws DeviceAccessAuthorizationException { return isUserAuthorized(deviceIdentifiers, username, null); } - //done @Override public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers) throws DeviceAccessAuthorizationException { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceTest.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceTest.java index 9dfaa75224a..a5fad9bd679 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceTest.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/test/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceTest.java @@ -23,14 +23,18 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.mockito.Mockito; import org.testng.Assert; +import org.testng.annotations.AfterClass; import org.testng.annotations.BeforeClass; import org.testng.annotations.Test; import org.wso2.carbon.CarbonConstants; import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.device.mgt.common.Device; import org.wso2.carbon.device.mgt.common.DeviceIdentifier; +import org.wso2.carbon.device.mgt.common.DeviceNotFoundException; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException; import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult; +import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; +import org.wso2.carbon.device.mgt.common.group.mgt.RoleDoesNotExistException; import org.wso2.carbon.device.mgt.common.permission.mgt.*; import org.wso2.carbon.device.mgt.core.TestDeviceManagementService; import org.wso2.carbon.device.mgt.core.common.BaseDeviceManagementTest; @@ -40,6 +44,7 @@ import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder; import org.wso2.carbon.device.mgt.core.internal.DeviceManagementServiceComponent; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderServiceImpl; +import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService; import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderServiceImpl; import org.wso2.carbon.registry.core.config.RegistryContext; import org.wso2.carbon.registry.core.exceptions.RegistryException; @@ -53,8 +58,7 @@ import org.wso2.carbon.user.core.tenant.JDBCTenantManager; import org.wso2.carbon.utils.multitenancy.MultitenantConstants; import java.io.InputStream; -import java.util.ArrayList; -import java.util.List; +import java.util.*; public class DeviceAccessAuthorizationServiceTest extends BaseDeviceManagementTest { @@ -63,10 +67,24 @@ public class DeviceAccessAuthorizationServiceTest extends BaseDeviceManagementTe private static final String DEVICE_TYPE = "AUTH_SERVICE_TEST_TYPE"; private static final int NO_OF_DEVICES = 5; private static final String ADMIN_USER = "admin"; + private static final String NON_ADMIN_ALLOWED_USER = "nonAdmin"; + private static final String NORMAL_USER = "normal"; private static final String ADMIN_ROLE = "adminRole"; + private static final String NON_ADMIN_ROLE = "nonAdminRole"; + private static final String DEFAULT_GROUP = "defaultGroup"; private static final String DEVICE_ID_PREFIX = "AUTH-SERVICE-TEST-DEVICE-ID-"; + public static final String USER_CLAIM_EMAIL_ADDRESS = "http://wso2.org/claims/emailaddress"; + public static final String USER_CLAIM_FIRST_NAME = "http://wso2.org/claims/givenname"; + public static final String USER_CLAIM_LAST_NAME = "http://wso2.org/claims/lastname"; + public static final String ADMIN_PERMISSION = "/permission/admin"; + public static final String NON_ADMIN_PERMISSION = "/permission/admin/manage/device-mgt/devices/owning-device/view"; + + private List deviceIds = new ArrayList<>(); + private List groupDeviceIds = new ArrayList<>(); + private List nonGroupDeviceIds = new ArrayList<>(); + Map defaultUserClaims; @BeforeClass public void init() throws Exception { @@ -80,7 +98,6 @@ public class DeviceAccessAuthorizationServiceTest extends BaseDeviceManagementTe DeviceManagementServiceComponent.notifyStartupListeners(); DeviceManagementDataHolder.getInstance().setDeviceManagementProvider(deviceMgtService); DeviceManagementDataHolder.getInstance().setRegistryService(getRegistryService()); - DeviceManagementDataHolder.getInstance().setDeviceAccessAuthorizationService(new DeviceAccessAuthorizationServiceImpl()); DeviceManagementDataHolder.getInstance().setGroupManagementProviderService(new GroupManagementProviderServiceImpl()); DeviceManagementDataHolder.getInstance().setDeviceTaskManagerService(null); deviceMgtService.registerDeviceType(new TestDeviceManagementService(DEVICE_TYPE, @@ -95,6 +112,8 @@ public class DeviceAccessAuthorizationServiceTest extends BaseDeviceManagementTe } } deviceAccessAuthorizationService = Mockito.mock(DeviceAccessAuthorizationServiceImpl.class, Mockito.CALLS_REAL_METHODS); + defaultUserClaims = buildDefaultUserClaims("firstname", "lastname", "email"); + initializeTestEnvironment(); } private RegistryService getRegistryService() throws RegistryException, UserStoreException { @@ -145,10 +164,120 @@ public class DeviceAccessAuthorizationServiceTest extends BaseDeviceManagementTe @Test public void isDeviceAdminUser() throws DeviceAccessAuthorizationException, UserStoreException, PermissionManagementException { - Permission permission = new Permission("/permission/admin", CarbonConstants.UI_PERMISSION_ACTION); - DeviceManagementDataHolder.getInstance().getRealmService() - .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager() - .addRole(ADMIN_ROLE, new String[]{ADMIN_USER}, new Permission[]{permission}); Assert.assertTrue(deviceAccessAuthorizationService.isDeviceAdminUser()); + + } + + @Test + public void isUserAuthorizedAllowedDevice() throws DeviceAccessAuthorizationException, UserStoreException, PermissionManagementException { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID, true); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(NON_ADMIN_ALLOWED_USER); + Assert.assertTrue(deviceAccessAuthorizationService.isUserAuthorized(deviceIds.get(0), new String[]{NON_ADMIN_PERMISSION})); + PrivilegedCarbonContext.endTenantFlow(); + } + + @Test + public void isUserAuthorizedNotAllowedDevice() throws DeviceAccessAuthorizationException, UserStoreException, PermissionManagementException { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID, true); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(NON_ADMIN_ALLOWED_USER); + Assert.assertFalse(deviceAccessAuthorizationService.isUserAuthorized(deviceIds.get(3), new String[]{NON_ADMIN_PERMISSION})); + PrivilegedCarbonContext.endTenantFlow(); + } + + @Test + public void nonAdminUserTryIsAdmin() throws DeviceAccessAuthorizationException { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID, true); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(NORMAL_USER); + Assert.assertFalse(deviceAccessAuthorizationService.isDeviceAdminUser()); + PrivilegedCarbonContext.endTenantFlow(); + } + + @Test + public void isUserAuthorizedAllowedDeviceAllDetails() throws DeviceAccessAuthorizationException, UserStoreException, PermissionManagementException { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID, true); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(NON_ADMIN_ALLOWED_USER); + Assert.assertTrue(deviceAccessAuthorizationService.isUserAuthorized(deviceIds.get(0),NON_ADMIN_ALLOWED_USER,new String[]{NON_ADMIN_PERMISSION})); + PrivilegedCarbonContext.endTenantFlow(); + } + + @Test + public void isUserAuthorizedAllowedDeviceAllDetailsWrongDevice() throws DeviceAccessAuthorizationException, UserStoreException, PermissionManagementException { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID, true); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(NON_ADMIN_ALLOWED_USER); + Assert.assertFalse(deviceAccessAuthorizationService.isUserAuthorized(deviceIds.get(3),NON_ADMIN_ALLOWED_USER,new String[]{NON_ADMIN_PERMISSION})); + PrivilegedCarbonContext.endTenantFlow(); + } + + @Test + public void deviceIdAndPermission() throws DeviceAccessAuthorizationException { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID, true); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(NON_ADMIN_ALLOWED_USER); + DeviceAuthorizationResult deviceAuthorizationResult = deviceAccessAuthorizationService. + isUserAuthorized(deviceIds,new String[]{NON_ADMIN_PERMISSION}); + Assert.assertEquals(deviceAuthorizationResult.getAuthorizedDevices().size(),2); + Assert.assertEquals(deviceAuthorizationResult.getUnauthorizedDevices().size(),3); + PrivilegedCarbonContext.endTenantFlow(); + } + + @Test + public void deviceIdUsernameAndPermission() throws DeviceAccessAuthorizationException { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID, true); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(NON_ADMIN_ALLOWED_USER); + DeviceAuthorizationResult deviceAuthorizationResult = deviceAccessAuthorizationService. + isUserAuthorized(deviceIds,NON_ADMIN_ALLOWED_USER,new String[]{NON_ADMIN_PERMISSION}); + Assert.assertEquals(deviceAuthorizationResult.getAuthorizedDevices().size(),2); + Assert.assertEquals(deviceAuthorizationResult.getUnauthorizedDevices().size(),3); + PrivilegedCarbonContext.endTenantFlow(); + } + + public void initializeTestEnvironment() throws UserStoreException, GroupManagementException, RoleDoesNotExistException, + DeviceNotFoundException { + //creating UI permission + Permission adminPermission = new Permission(ADMIN_PERMISSION, CarbonConstants.UI_PERMISSION_ACTION); + Permission deviceViewPermission = new Permission(NON_ADMIN_PERMISSION, CarbonConstants.UI_PERMISSION_ACTION); + UserStoreManager userStoreManager = DeviceManagementDataHolder.getInstance().getRealmService() + .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager(); + //Adding a non Admin User + userStoreManager.addUser(NON_ADMIN_ALLOWED_USER, "password", null, defaultUserClaims, null); + //Adding a normal user + userStoreManager.addUser(NORMAL_USER, "password", null, defaultUserClaims, null); + //Adding role with permission to Admin user + userStoreManager.addRole(ADMIN_ROLE, new String[]{ADMIN_USER}, new Permission[]{adminPermission}); + //Adding role with permission to non Admin user + userStoreManager.addRole(NON_ADMIN_ROLE, new String[]{NON_ADMIN_ALLOWED_USER}, new Permission[]{deviceViewPermission}); + //Creating default group + GroupManagementProviderService groupManagementProviderService = DeviceManagementDataHolder.getInstance() + .getGroupManagementProviderService(); + groupManagementProviderService.createDefaultGroup(DEFAULT_GROUP); + int groupId = groupManagementProviderService.getGroup(DEFAULT_GROUP).getGroupId(); + //Sharing group with admin and non admin roles + groupManagementProviderService.manageGroupSharing(groupId, new ArrayList<>(Arrays.asList(ADMIN_ROLE, NON_ADMIN_ROLE))); + //Adding first 2 devices to the group + groupDeviceIds.add(deviceIds.get(0)); + groupDeviceIds.add(deviceIds.get(1)); + groupManagementProviderService.addDevices(groupId, groupDeviceIds); + //Rest of the devices + nonGroupDeviceIds.add(deviceIds.get(2)); + nonGroupDeviceIds.add(deviceIds.get(3)); + nonGroupDeviceIds.add(deviceIds.get(4)); } + + private Map buildDefaultUserClaims(String firstName, String lastName, String emailAddress) { + Map defaultUserClaims = new HashMap<>(); + defaultUserClaims.put(USER_CLAIM_FIRST_NAME, firstName); + defaultUserClaims.put(USER_CLAIM_LAST_NAME, lastName); + defaultUserClaims.put(USER_CLAIM_EMAIL_ADDRESS, emailAddress); + if (log.isDebugEnabled()) { + log.debug("Default claim map is created for new user: " + defaultUserClaims.toString()); + } + return defaultUserClaims; + } + }