bug fixing authorize flow

kernel-4.6.x
Amalka Subasinghe 3 years ago
parent 52c0e55b07
commit 510a90a59f

@ -1,64 +0,0 @@
/*
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.core.cache;
import java.util.Objects;
public class APIResourcePermissionCacheKey {
private String context;
private volatile int hashCode;
public APIResourcePermissionCacheKey(String context) {
this.context = context;
}
public String getContext() {
return context;
}
public void setContext(String context) {
this.context = context;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) {
return false;
}
final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj;
String thisId = this.context;
String otherId = other.context;
if (!thisId.equals(otherId)) {
return false;
}
return true;
}
@Override
public int hashCode() {
if (hashCode == 0) {
hashCode = Objects.hash(context);
}
return hashCode;
}
}

@ -1,84 +0,0 @@
/*
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.core.cache.impl;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager;
import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
import javax.cache.Cache;
import java.util.List;
public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager {
private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class);
private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager;
private APIResourcePermissionCacheManagerImpl() {
}
public static APIResourcePermissionCacheManagerImpl getInstance() {
if (apiResourceCacgeManager == null) {
synchronized (APIResourcePermissionCacheManagerImpl.class) {
if (apiResourceCacgeManager == null) {
apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl();
}
}
}
return apiResourceCacgeManager;
}
@Override
public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
if (lCache != null) {
if (lCache.containsKey(cacheKey)) {
this.updateAPIResourcePermissionInCache(cacheKey, permissions);
} else {
lCache.put(cacheKey, permissions);
}
}
}
@Override
public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
if (lCache != null) {
if (lCache.containsKey(cacheKey)) {
lCache.replace(cacheKey, permissions);
}
}
}
@Override
public List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) {
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
if (lCache != null) {
return lCache.get(cacheKey);
}
return null;
}
}

@ -21,6 +21,8 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.ServerStartupObserver; import org.wso2.carbon.core.ServerStartupObserver;
import org.wso2.carbon.device.mgt.core.DeviceManagementConstants; import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.Permission;
import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager; import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantConstants; import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
@ -35,20 +37,42 @@ public class UserRoleCreateObserver implements ServerStartupObserver {
@Override @Override
public void completedServerStartup() { public void completedServerStartup() {
String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME; String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
String tenantAdminName = "admin";
try { try {
UserStoreManager userStoreManager = UserStoreManager userStoreManager =
DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm( DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(
MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager(); MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager();
userStoreManager.addRole( String tenantAdminName =
DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN, DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(
new String[]{tenantAdminName}, MultitenantConstants.SUPER_TENANT_ID).getRealmConfiguration().getAdminUserName();
DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN); AuthorizationManager authorizationManager = DeviceManagementDataHolder.getInstance().getRealmService()
userStoreManager.addRole( .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getAuthorizationManager();
DeviceManagementConstants.User.DEFAULT_DEVICE_USER,
new String[]{tenantAdminName}, if (!userStoreManager.isExistingRole(DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN)) {
DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER); userStoreManager.addRole(
DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
null,
DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN);
} else {
for (Permission permission : DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN) {
authorizationManager.authorizeRole(DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
permission.getResourceId(), permission.getAction());
}
}
if (!userStoreManager.isExistingRole(DeviceManagementConstants.User.DEFAULT_DEVICE_USER)) {
userStoreManager.addRole(
DeviceManagementConstants.User.DEFAULT_DEVICE_USER,
null,
DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER);
} else {
for (Permission permission : DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER) {
authorizationManager.authorizeRole(DeviceManagementConstants.User.DEFAULT_DEVICE_USER,
permission.getResourceId(), permission.getAction());
}
}
userStoreManager.updateRoleListOfUser(tenantAdminName, null,
new String[] {DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
DeviceManagementConstants.User.DEFAULT_DEVICE_USER});
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Device management roles: " + DeviceManagementConstants.User.DEFAULT_DEVICE_USER + ", " + log.debug("Device management roles: " + DeviceManagementConstants.User.DEFAULT_DEVICE_USER + ", " +

@ -4,9 +4,9 @@
* WSO2 Inc. licenses this file to you under the Apache License, * WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except * Version 2.0 (the "License"); you may not use this file except
* in compliance with the License. * in compliance with the License.
* You may obtain a copy of the License at * you may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, * Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an * software distributed under the License is distributed on an
@ -15,17 +15,26 @@
* specific language governing permissions and limitations * specific language governing permissions and limitations
* under the License. * under the License.
*/ */
package org.wso2.carbon.device.mgt.core.cache; package org.wso2.carbon.device.mgt.core.permission.mgt;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map;
public interface APIResourcePermissionCacheManager { public class APIResourcePermissions {
private Map<String, List<Permission>> apiResourcePermissions;
void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions); public APIResourcePermissions() {
apiResourcePermissions = new HashMap<>();
}
void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions); public void addPermissionList(String context, List<Permission> permissions){
apiResourcePermissions.put(context, permissions);
}
List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey); public List<Permission> getPermissions(String context) {
return apiResourcePermissions.get(context);
}
} }

@ -18,16 +18,11 @@
package org.wso2.carbon.device.mgt.core.permission.mgt; package org.wso2.carbon.device.mgt.core.permission.mgt;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
import org.wso2.carbon.device.mgt.core.cache.impl.APIResourcePermissionCacheManagerImpl;
import java.util.List; import java.util.List;
import java.util.Properties;
/** /**
* This class will add, update custom permissions defined in permission.xml in webapps and it will * This class will add, update custom permissions defined in permission.xml in webapps and it will
@ -36,7 +31,7 @@ import java.util.Properties;
public class PermissionManagerServiceImpl implements PermissionManagerService { public class PermissionManagerServiceImpl implements PermissionManagerService {
private static PermissionManagerServiceImpl registryBasedPermissionManager; private static PermissionManagerServiceImpl registryBasedPermissionManager;
private static APIResourcePermissions apiResourcePermissions;
private PermissionManagerServiceImpl() { private PermissionManagerServiceImpl() {
} }
@ -45,6 +40,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
synchronized (PermissionManagerServiceImpl.class) { synchronized (PermissionManagerServiceImpl.class) {
if (registryBasedPermissionManager == null) { if (registryBasedPermissionManager == null) {
registryBasedPermissionManager = new PermissionManagerServiceImpl(); registryBasedPermissionManager = new PermissionManagerServiceImpl();
apiResourcePermissions = new APIResourcePermissions();
} }
} }
} }
@ -57,8 +53,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
for (Permission permission : permissions) { for (Permission permission : permissions) {
PermissionUtils.putPermission(permission); PermissionUtils.putPermission(permission);
} }
APIResourcePermissionCacheManagerImpl.getInstance().addAPIResourcePermissionToCache( apiResourcePermissions.addPermissionList(context, permissions);
new APIResourcePermissionCacheKey(context), permissions);
} catch (PermissionManagementException e) { } catch (PermissionManagementException e) {
return false; return false;
} }
@ -67,7 +62,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
@Override @Override
public List<Permission> getPermission(String context) throws PermissionManagementException { public List<Permission> getPermission(String context) throws PermissionManagementException {
return APIResourcePermissionCacheManagerImpl.getInstance().getAPIResourceRermissionFromCache( return apiResourcePermissions.getPermissions(context);
new APIResourcePermissionCacheKey(context));
} }
} }

@ -76,7 +76,6 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManagementExcept
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition; import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition;
import org.wso2.carbon.device.mgt.core.DeviceManagementConstants; import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey; import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey;
import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey; import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey;
import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager; import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
@ -724,21 +723,6 @@ public final class DeviceManagerUtil {
return deviceCache; return deviceCache;
} }
public static Cache<APIResourcePermissionCacheKey, List<Permission>> getAPIResourcePermissionCache() {
CacheManager manager = getCacheManager();
Cache<APIResourcePermissionCacheKey, List<Permission>> apiResourcePermissionCache = null;
if(!isAPIResourcePermissionCacheInitialized) {
initializeAPIResourcePermissionCache();
}
if (manager != null) {
apiResourcePermissionCache = manager.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
} else {
apiResourcePermissionCache = Caching.getCacheManager(DeviceManagementConstants.DM_CACHE_MANAGER)
.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
}
return apiResourcePermissionCache;
}
/** /**
* Get geofence cache object * Get geofence cache object
* @return {@link Cache<GeoCacheKey, GeofenceData>} * @return {@link Cache<GeoCacheKey, GeofenceData>}

@ -21,6 +21,7 @@ package org.wso2.carbon.webapp.authenticator.framework;
import org.apache.catalina.Context; import org.apache.catalina.Context;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode; import org.owasp.encoder.Encode;
@ -194,7 +195,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
ctx = tokenizer.nextToken(); ctx = tokenizer.nextToken();
} }
} }
return ("carbon".equalsIgnoreCase(ctx) || "services".equalsIgnoreCase(ctx)); return ("carbon".equalsIgnoreCase(ctx) || "services".equalsIgnoreCase(ctx)
|| "oauth2".equalsIgnoreCase(ctx));
} }
private boolean isNonSecuredEndPoint(Request request) { private boolean isNonSecuredEndPoint(Request request) {

@ -46,6 +46,10 @@ public class PermissionAuthorizer {
return WebappAuthenticator.Status.CONTINUE; return WebappAuthenticator.Status.CONTINUE;
} }
if (requestUri.endsWith("/")) {
requestUri = requestUri.substring(0, requestUri.length() - 1);
}
PermissionManagerService registryBasedPermissionManager = PermissionManagerService registryBasedPermissionManager =
PermissionManagerServiceImpl.getInstance(); PermissionManagerServiceImpl.getInstance();
List<Permission> matchingPermissions = null; List<Permission> matchingPermissions = null;

Loading…
Cancel
Save