Add authorization check for shared devices in groups

revert-70aa11f8
Charitha Goonetilleke 9 years ago
parent 92784120bd
commit 8c62d9d64c

@ -1,10 +1,10 @@
/* /*
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
* *
* WSO2 Inc. licenses this file to you under the Apache License, * WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except * Version 2.0 (the "License"); you may not use this file except
* in compliance with the License. * in compliance with the License.
* you may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
@ -20,7 +20,6 @@ package org.wso2.carbon.device.mgt.core.authorization;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.Device; import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier; import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
@ -39,7 +38,6 @@ import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreException;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -51,18 +49,6 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
private final static String EMM_ADMIN_PERMISSION = "/device-mgt/admin-device-access"; private final static String EMM_ADMIN_PERMISSION = "/device-mgt/admin-device-access";
private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class); private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class);
public static final class PermissionMethod {
private PermissionMethod() {
throw new AssertionError();
}
public static final String READ = "read";
public static final String WRITE = "write";
public static final String DELETE = "delete";
public static final String ACTION = "action";
public static final String UI_EXECUTE = "ui.execute";
}
public DeviceAccessAuthorizationServiceImpl() { public DeviceAccessAuthorizationServiceImpl() {
try { try {
this.addAdminPermissionToRegistry(); this.addAdminPermissionToRegistry();
@ -88,7 +74,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
return false; return false;
} }
for (String groupPermission : groupPermissions) { for (String groupPermission : groupPermissions) {
if (!checkGroupsPermission(username, tenantId, groupPermission)) { if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) {
//if at least one fails, authorization fails //if at least one fails, authorization fails
return false; return false;
} }
@ -139,7 +125,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
//check for group permissions //check for group permissions
boolean isAuthorized = true; boolean isAuthorized = true;
for (String groupPermission : groupPermissions) { for (String groupPermission : groupPermissions) {
if (!checkGroupsPermission(username, tenantId, groupPermission)) { if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) {
//if at least one failed, authorizations fails and break the loop //if at least one failed, authorizations fails and break the loop
isAuthorized = false; isAuthorized = false;
break; break;
@ -191,27 +177,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
} }
} }
private boolean checkGroupsPermission(String username, int tenantId, String groupPermission) private boolean isAuthorizedViaGroup(String username, DeviceIdentifier deviceIdentifier, String groupPermission)
throws GroupManagementException, UserStoreException { throws GroupManagementException, UserStoreException {
List<DeviceGroup> groups = List<DeviceGroup> authorizedGroups =
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username, DeviceManagementDataHolder.getInstance().getGroupManagementProviderService()
groupPermission); .getGroups(username, groupPermission);
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); List<DeviceGroup> groupsWithDevice =
if (userRealm != null && userRealm.getAuthorizationManager() != null) { DeviceManagementDataHolder.getInstance().getGroupManagementProviderService()
Iterator<DeviceGroup> groupIterator = groups.iterator(); .getGroups(deviceIdentifier);
while (groupIterator.hasNext()) { for (DeviceGroup group : authorizedGroups) {
DeviceGroup deviceGroup = groupIterator.next(); if (groupsWithDevice.contains(group)) {
Iterator<String> rolesIterator = deviceGroup.getRoles().iterator();
while (rolesIterator.hasNext()) {
String role = rolesIterator.next();
if (userRealm.getAuthorizationManager().isRoleAuthorized(
"Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
CarbonConstants.UI_PERMISSION_ACTION)) {
return true; return true;
} }
} }
}
}
return false; return false;
} }
@ -285,4 +263,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
} }
return ownershipData; return ownershipData;
} }
public static final class PermissionMethod {
public static final String READ = "read";
public static final String WRITE = "write";
public static final String DELETE = "delete";
public static final String ACTION = "action";
public static final String UI_EXECUTE = "ui.execute";
private PermissionMethod() {
throw new AssertionError();
}
}
} }
Loading…
Cancel
Save