validate oauth token and permission

feature/appm-store/pbac
inoshperera 5 years ago
parent 1bb18f30c9
commit 2ab0efbcdd

@ -86,6 +86,7 @@
org.wso2.carbon.utils, org.wso2.carbon.utils,
org.wso2.carbon.utils.multitenancy, org.wso2.carbon.utils.multitenancy,
org.xml.sax, org.xml.sax,
com.google.gson.*,
javax.servlet, javax.servlet,
javax.servlet.http, javax.servlet.http,
javax.xml, javax.xml,
@ -215,6 +216,10 @@
<groupId>org.wso2.carbon.devicemgt</groupId> <groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.common</artifactId> <artifactId>org.wso2.carbon.device.mgt.common</artifactId>
</dependency> </dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
</dependency>
<dependency> <dependency>
<groupId>org.wso2.orbit.org.apache.httpcomponents</groupId> <groupId>org.wso2.orbit.org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId> <artifactId>httpclient</artifactId>

@ -22,6 +22,13 @@ import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.carbon.webapp.authenticator.framework.internal.AuthenticatorFrameworkDataHolder;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
@ -32,6 +39,7 @@ import java.io.IOException;
public class AuthenticationFrameworkUtil { public class AuthenticationFrameworkUtil {
private static final Log log = LogFactory.getLog(AuthenticationFrameworkUtil.class); private static final Log log = LogFactory.getLog(AuthenticationFrameworkUtil.class);
private static final String UI_EXECUTE = "ui.execute";
static void handleResponse(Request request, Response response, int statusCode, String payload) { static void handleResponse(Request request, Response response, int statusCode, String payload) {
response.setStatus(statusCode); response.setStatus(statusCode);
@ -65,4 +73,43 @@ public class AuthenticationFrameworkUtil {
} }
} }
static boolean isUserAuthorized(int tenantId, String tenantDomain, String username, String
permission) throws
AuthenticationException {
boolean tenantFlowStarted = false;
try{
//If this is a tenant user
if(tenantId != MultitenantConstants.SUPER_TENANT_ID){
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(tenantId);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
tenantFlowStarted = true;
}
RealmService realmService = AuthenticatorFrameworkDataHolder.getInstance().getRealmService();
if (realmService == null) {
String msg = "RealmService is not initialized";
log.error(msg);
throw new AuthenticationException(msg);
}
UserRealm userRealm = realmService.getTenantUserRealm(tenantId);
return userRealm.getAuthorizationManager()
.isUserAuthorized(MultitenantUtils
.getTenantAwareUsername(username), permission, UI_EXECUTE);
} catch (UserStoreException e) {
String msg = "Error while getting username";
log.error(msg, e);
throw new AuthenticationException(msg, e);
}
finally {
if (tenantFlowStarted) {
PrivilegedCarbonContext.endTenantFlow();
}
}
}
} }
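Review bot: The catch block in isUserAuthorized reports "Error while getting username" for a failure that actually comes from the realm/authorization-manager lookup, so an operator reading the log is pointed at the wrong subsystem; rename it, e.g. `String msg = "Error while checking permission '" + permission + "' for user " + username;`. The realm obtained from `realmService.getTenantUserRealm(tenantId)` is also dereferenced without a null check, and a tenantId that does not resolve to a realm (the caller passes whatever AuthenticationInfo holds, which could be -1 for an unauthenticated request) would then surface as a NullPointerException rather than the AuthenticationException callers catch; guard it with `if (userRealm == null) { throw new AuthenticationException("No user realm for tenant " + tenantId); }`. Finally, `tenantFlowStarted` is only set after the three setters run, so an exception from one of them leaves the tenant flow started but never ended — moving `tenantFlowStarted = true;` to immediately after `startTenantFlow()` closes that gap.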

@ -18,9 +18,11 @@
*/ */
package org.wso2.carbon.webapp.authenticator.framework; package org.wso2.carbon.webapp.authenticator.framework;
import com.google.gson.Gson;
import org.apache.catalina.Context; import org.apache.catalina.Context;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode; import org.owasp.encoder.Encode;
@ -42,6 +44,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class); private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class);
private static TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>(); private static TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>();
private static final String PERMISSION_PREFIX = "/permission/admin";
public static final String AUTHORIZE_PERMISSION = "Authorize-Permission";
@Override @Override
public void invoke(Request request, Response response, CompositeValve compositeValve) { public void invoke(Request request, Response response, CompositeValve compositeValve) {
@ -64,6 +68,39 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
authenticationInfo.setStatus(status); authenticationInfo.setStatus(status);
} }
// This section will allow to validate a given access token is authenticated to access given
// resource(permission)
if (request.getCoyoteRequest() != null
&& StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION))
&& (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
boolean isAllowed;
try {
isAllowed = AuthenticationFrameworkUtil.isUserAuthorized(
authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
authenticationInfo.getUsername(),
PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION));
} catch (AuthenticationException e) {
String msg = "Could not authorize permission";
log.error(msg);
AuthenticationFrameworkUtil.handleResponse(request, response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
return;
}
if (isAllowed) {
Gson gson = new Gson();
AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK,
gson.toJson(authenticationInfo));
return;
} else {
log.error("Unauthorized message from user " + authenticationInfo.getUsername());
AuthenticationFrameworkUtil.handleResponse(request, response,
HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API");
return;
}
}
Tenant tenant = null; Tenant tenant = null;
if (authenticationInfo.getTenantId() != -1) { if (authenticationInfo.getTenantId() != -1) {
try { try {
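Review bot: On the allowed path the valve writes `gson.toJson(authenticationInfo)` straight into the 200 response, so every field of AuthenticationInfo is returned to the caller; I cannot see that class here, but if it carries the raw access token or any credential-derived data it is now echoed back over the wire, so a dedicated response DTO (username, tenantDomain, tenantId, status only) or at least a check of the class's fields is warranted. The permission path is built as `PERMISSION_PREFIX + request.getHeader(AUTHORIZE_PERMISSION)` with no validation of the client-supplied value, so a header without a leading `/` yields `/permission/adminFoo` rather than a child of the prefix; I would reject values that do not start with `/` or that contain `..` before calling isUserAuthorized. The check also runs when the status is CONTINUE, not only SUCCESS — whether CONTINUE guarantees an authenticated principal is not visible in this hunk and should be confirmed, since otherwise an unauthenticated request reaches the authorization lookup with the default tenant/username. The `catch (AuthenticationException e)` branch logs only the message; use `log.error(msg, e);` so the cause is kept. The enclosing invoke method starts and ends outside this hunk.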
