Fix scope attaching issue

issue-10462/secure-pending-operation-6.2
tcdlpds 1 year ago
parent 563077fbfb
commit 58670028c0

@ -30,7 +30,6 @@ import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.ErrorResponse;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleInfo;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleList;
@ -40,9 +39,6 @@ import io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl.util.RequestV
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.DeviceMgtAPIUtils;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.SetReferenceTransformer;
import org.wso2.carbon.registry.api.Registry;
import org.wso2.carbon.registry.core.session.UserRegistry;
import org.wso2.carbon.registry.resource.services.utils.ChangeRolePermissionsUtil;
import org.wso2.carbon.user.api.*;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.constants.UserCoreErrorConstants.ErrorMessages;
@ -57,9 +53,11 @@ import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.*;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import static io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants.PRIMARY_USER_STORE;
@ -404,25 +402,9 @@ public class RoleManagementServiceImpl implements RoleManagementService {
userStoreManager.addRole(roleInfo.getRoleName(), roleInfo.getUsers(), permissions);
try {
if (roleInfo.getPermissions() != null && roleInfo.getPermissions().length > 0) {
String finalRoleName = roleInfo.getRoleName();
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
final UserRealm userRealm = DeviceMgtAPIUtils.getUserRealm();
Thread thread = new Thread(new Runnable() {
@Override
public void run() {
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleInfo.getRoleName(),
RoleManagementServiceImpl.this.getPlatformUIPermissions(finalRoleName, userRealm, roleInfo.getPermissions()));
} catch (APIManagerPublisherException | UserAdminException e) {
log.error("Error Occurred while updating role scope mapping. ", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
});
thread.start();
String[] roleName = roleInfo.getRoleName().split("/");
addPermissions(roleName[roleName.length - 1], roleInfo.getPermissions(),
DeviceMgtAPIUtils.getUserRealm());
}
} catch (UserStoreException e) {
String msg = "Error occurred while loading the user store.";
@ -563,24 +545,8 @@ public class RoleManagementServiceImpl implements RoleManagementService {
}
if (roleInfo.getPermissions() != null) {
String finalRoleName = roleName;
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
Thread thread = new Thread(new Runnable() {
@Override
public void run() {
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleInfo.getRoleName(),
RoleManagementServiceImpl.this.getPlatformUIPermissions(finalRoleName, userRealm, roleInfo.getPermissions()));
} catch (APIManagerPublisherException | UserAdminException e) {
log.error("Error Occurred while updating role scope mapping. ", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
});
thread.start();
String[] roleDetails = roleName.split("/");
addPermissions(roleDetails[roleDetails.length - 1], roleInfo.getPermissions(), userRealm);
}
//TODO: Need to send the updated role information in the entity back to the client
return Response.status(Response.Status.OK).entity("Role '" + roleInfo.getRoleName() + "' has " +
@ -730,4 +696,25 @@ public class RoleManagementServiceImpl implements RoleManagementService {
}
return rolePermissions;
}
private void addPermissions(String roleName, String[] permissions, UserRealm userRealm) {
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
Thread thread = new Thread(new Runnable() {
@Override
public void run() {
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleName,
RoleManagementServiceImpl.this.getPlatformUIPermissions(roleName, userRealm,
permissions));
} catch (APIManagerPublisherException | UserAdminException e) {
log.error("Error Occurred while updating role scope mapping. ", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
});
thread.start();
}
}
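Review bot: `addPermissions` starts an unmanaged `new Thread` for `updateScopeRoleMapping` and only logs a failure, so both call sites (the `addRole` hunk at `-404,25` and the `updateRole` hunk at `-563,24`) return a success response before the scope-role mapping is known to exist. The name it receives is now the last `/`-segment of the role at both call sites (`roleDetails[roleDetails.length - 1]`), whereas the removed inline code passed the full `roleInfo.getRoleName()` to `updateScopeRoleMapping`; if the publisher keys the mapping on that bare name, roles from different user-store domains that share a short name would share one scope mapping — confirm this is intended. The method has no Javadoc; it should state that the mapping update runs asynchronously inside the role's tenant flow and that a failure is logged only, so callers must not assume the scopes are attached when the method returns. Running it synchronously, or on a bounded executor whose failure can be surfaced to the caller, would be preferable to an ad-hoc thread per request.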

@ -114,11 +114,6 @@ public class UserManagementServiceImpl implements UserManagementService {
private static final String API_BASE_PATH = "/users";
private static final Log log = LogFactory.getLog(UserManagementServiceImpl.class);
private static final String ADMIN_ROLE = "admin";
private static final String DEFAULT_DEVICE_USER = "Internal/devicemgt-user";
private static final String DEFAULT_DEVICE_ADMIN = "Internal/devicemgt-admin";
private static final String DEFAULT_SUBSCRIBER = "Internal/subscriber";
// Permissions that are given for a normal device user.
private static final Permission[] PERMISSIONS_FOR_DEVICE_USER = {
new Permission("/permission/admin/Login", "ui.execute"),
@ -155,51 +150,9 @@ public class UserManagementServiceImpl implements UserManagementService {
Map<String, String> defaultUserClaims =
this.buildDefaultUserClaims(userInfo.getFirstname(), userInfo.getLastname(),
userInfo.getEmailAddress(), true);
// calling addUser method of carbon user api
List<String> tmpRoles = new ArrayList<>();
String[] userInfoRoles = userInfo.getRoles();
tmpRoles.add(DEFAULT_DEVICE_USER);
boolean subscriberFound = false;
boolean adminFound = false;
if (userInfoRoles != null) {
//check if subscriber role is coming in the payload
for (String r : userInfoRoles) {
if (!subscriberFound || !adminFound) {
if (DEFAULT_SUBSCRIBER.equals(r)) {
subscriberFound = true;
} else if (ADMIN_ROLE.equals(r)) {
tmpRoles.add(DEFAULT_DEVICE_ADMIN);
adminFound = true;
}
} else {
break;
}
}
tmpRoles.addAll(Arrays.asList(userInfoRoles));
}
if (!subscriberFound) {
// Add Internal/subscriber role to new users
if (userStoreManager.isExistingRole(DEFAULT_SUBSCRIBER)) {
tmpRoles.add(DEFAULT_SUBSCRIBER);
} else {
log.warn("User: " + userInfo.getUsername() + " will not be able to enroll devices as '" +
DEFAULT_SUBSCRIBER + "' is missing in the system");
}
}
String[] roles = new String[tmpRoles.size()];
tmpRoles.toArray(roles);
// If the normal device user role does not exist, create a new role with the minimal permissions
if (!userStoreManager.isExistingRole(DEFAULT_DEVICE_USER)) {
userStoreManager.addRole(DEFAULT_DEVICE_USER, null, PERMISSIONS_FOR_DEVICE_USER);
}
userStoreManager.addUser(userInfo.getUsername(), initialUserPassword,
roles, defaultUserClaims, null);
userInfo.getRoles(), defaultUserClaims, null);
// Outputting debug message upon successful addition of user
if (log.isDebugEnabled()) {
log.debug("User '" + userInfo.getUsername() + "' has successfully been added.");
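Review bot: `userStoreManager.addUser(userInfo.getUsername(), initialUserPassword, userInfo.getRoles(), defaultUserClaims, null)` now hands the request's role array to the user store unchanged, and the removed block was the only place that turned a missing array into a non-null list (it also added `Internal/devicemgt-user`, mapped `admin` to `Internal/devicemgt-admin`, added `Internal/subscriber` when that role existed, and created the device-user role with minimal permissions when absent). With those defaults gone a payload without roles reaches `addUser` as `null`; whether the store tolerates that is not visible here, so guard it: `String[] roles = userInfo.getRoles() != null ? userInfo.getRoles() : new String[0];` and pass `roles`. The behaviour change — a new user receives only the roles explicitly supplied, so the caller is now responsible for granting any enrolment role — deserves a comment at the call, e.g. `// Roles come solely from the request; no default device/subscriber roles are added here.` The enclosing `addUser` method begins and ends outside this hunk, and the constants hunk at `-114,11` appears to drop `ADMIN_ROLE`/`DEFAULT_*` too, though the page's lost markers leave that uncertain.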

@ -187,7 +187,6 @@
<Scope>am:store:app:modify</Scope>
<Scope>am:store:app:sub:install</Scope>
<Scope>am:store:app:sub:uninstall</Scope>
<Scope>am:admin:pub:app:review:update</Scope>
<Scope>am:admin:pub:app:review:view</Scope>
<Scope>am:admin:pub:app:update</Scope>
<Scope>am:admin:store:app:review:update</Scope>
@ -196,12 +195,8 @@
<Scope>dm:device-type:view</Scope>
<Scope>and:enterprise:modify</Scope>
<Scope>and:enterprise:view</Scope>
<Scope>and:work:customer</Scope>
<Scope>and:work:admin</Scope>
<Scope>app:command:modify</Scope>
<Scope>dm:sign-csr</Scope>
<Scope>dm:admin:devices:view</Scope>
<Scope>dm:admin:topics:view</Scope>
<Scope>rm:roles:add</Scope>
<Scope>rm:users:add</Scope>
<Scope>rm:roles:update</Scope>
@ -210,15 +205,6 @@
<Scope>rm:roles:view</Scope>
<Scope>rm:roles:combined:add</Scope>
<Scope>rm:roles:delete</Scope>
<Scope>an:db:vulnerabilities</Scope>
<Scope>an:db:non-compliant:count</Scope>
<Scope>an:db:non-compliant</Scope>
<Scope>an:db:by-groups</Scope>
<Scope>an:db:device:count</Scope>
<Scope>an:db:feature-non-compliant</Scope>
<Scope>an:db:overview:count</Scope>
<Scope>an:db:filtered-count</Scope>
<Scope>an:db:details</Scope>
<Scope>dm:activity:get</Scope>
<Scope>dm:devices:delete</Scope>
<Scope>dm:devices:app:view</Scope>
@ -295,7 +281,6 @@
<Scope>dm:device:enroll</Scope>
<Scope>dm:geo:an:view</Scope>
<Scope>dm:geo:alerts:manage</Scope>
<Scope>appm:read</Scope>
<Scope>dm:admin:devices:permanent-delete</Scope>
<Scope>and:conf:manage</Scope>
<Scope>and:conf:view</Scope>
@ -345,7 +330,6 @@
<Scope>win:ops:reboot</Scope>
<Scope>win:ops:location</Scope>
<Scope>admin:tenant:view</Scope>
<Scope>dm:admin:metadata:view</Scope>
<Scope>dm:admin:devices:usage:view</Scope>
<Scope>and:ops:clear-app</Scope>
<Scope>and:ops:suspend-package</Scope>
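Review bot: The five hunks in this file remove sixteen `<Scope>` entries in total (per the hunk headers) with no comment explaining why, and because this page has lost the `+`/`-` markers the removed names cannot be told apart from the surrounding context lines. Whichever role or default scope list this file feeds, tokens issued for it will stop carrying those scopes, so an XML comment above the affected block naming the reason (scope retired, or moved to another mapping) would keep the change auditable. If any removed scope is still required by an API resource definition elsewhere, the corresponding calls will fail authorization after deployment; worth checking before merge.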
