forked from community/device-mgt-core
parent
1c0a0227ab
commit
1dbc1d7b0d
@ -0,0 +1,181 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.api;
|
||||||
|
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.ErrorResponse;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.authorization.DeviceAuthorizationRequest;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAuthorizationRequest;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAuthorizationResult;
|
||||||
|
import io.swagger.annotations.*;
|
||||||
|
import org.apache.axis2.transport.http.HTTPConstants;
|
||||||
|
|
||||||
|
import javax.validation.Valid;
|
||||||
|
import javax.ws.rs.*;
|
||||||
|
import javax.ws.rs.core.MediaType;
|
||||||
|
import javax.ws.rs.core.Response;
|
||||||
|
|
||||||
|
@SwaggerDefinition(
|
||||||
|
info = @Info(
|
||||||
|
version = "1.0.0",
|
||||||
|
title = "",
|
||||||
|
extensions = {
|
||||||
|
@Extension(properties = {
|
||||||
|
@ExtensionProperty(name = "name", value = "AccessAuthorizationService"),
|
||||||
|
@ExtensionProperty(name = "context", value = "/api/device-mgt/v1.0/access"),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
),
|
||||||
|
tags = {
|
||||||
|
@Tag(name = "device_management", description = "")
|
||||||
|
}
|
||||||
|
)
|
||||||
|
@Path("/access")
|
||||||
|
@Api(value = "AccessAuthorizationService", description = "This API carries all device group management related " +
|
||||||
|
"access authorization")
|
||||||
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
|
@Consumes(MediaType.APPLICATION_JSON)
|
||||||
|
public interface AccessAuthorizationService {
|
||||||
|
|
||||||
|
@POST
|
||||||
|
@Path("/device")
|
||||||
|
@ApiOperation(
|
||||||
|
produces = MediaType.APPLICATION_JSON,
|
||||||
|
httpMethod = HTTPConstants.HEADER_GET,
|
||||||
|
value = "check device access authorization",
|
||||||
|
notes = "Returns device access acutorization info",
|
||||||
|
tags = "device_management"
|
||||||
|
)
|
||||||
|
@ApiResponses(
|
||||||
|
value = {
|
||||||
|
@ApiResponse(
|
||||||
|
code = 201,
|
||||||
|
message = "Created. \n Device group has successfully been created",
|
||||||
|
responseHeaders = {
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Content-Location",
|
||||||
|
description = "The URL of the added group."),
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Content-Type",
|
||||||
|
description = "The content type of the body"),
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "ETag",
|
||||||
|
description = "Entity Tag of the response resource.\n" +
|
||||||
|
"Used by caches, or in conditional requests."),
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Last-Modified",
|
||||||
|
description = "Date and time the resource has been modified the last time" +
|
||||||
|
".\n" + "Used by caches, or in conditional requests.")
|
||||||
|
}
|
||||||
|
),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 303,
|
||||||
|
message = "See Other. \n Source can be retrieved from the URL specified at the Location " +
|
||||||
|
"header.",
|
||||||
|
responseHeaders = {
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Content-Location",
|
||||||
|
description = "The Source URL of the document.")}),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 400,
|
||||||
|
message = "Bad Request. \n Invalid request or validation error.",
|
||||||
|
response = ErrorResponse.class),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 401,
|
||||||
|
message = "Unauthorized. \n Current logged in user is not authorized for this request",
|
||||||
|
response = ErrorResponse.class),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 415,
|
||||||
|
message = "Unsupported media type. \n The entity of the request was in a not supported " +
|
||||||
|
"format."),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 500,
|
||||||
|
message = "Internal Server Error. \n " +
|
||||||
|
"Server error occurred while checking access",
|
||||||
|
response = ErrorResponse.class)
|
||||||
|
})
|
||||||
|
Response checkDeviceAccess(
|
||||||
|
@ApiParam(
|
||||||
|
name = "deviceAccessRequest",
|
||||||
|
value = "Define the device access request object with data.",
|
||||||
|
required = true)
|
||||||
|
@Valid DeviceAuthorizationRequest deviceAuthorizationRequest);
|
||||||
|
|
||||||
|
@POST
|
||||||
|
@Path("/group")
|
||||||
|
@ApiOperation(
|
||||||
|
produces = MediaType.APPLICATION_JSON,
|
||||||
|
httpMethod = HTTPConstants.HEADER_GET,
|
||||||
|
value = "check device access authorization",
|
||||||
|
notes = "Returns device access acutorization info",
|
||||||
|
tags = "device_management"
|
||||||
|
)
|
||||||
|
@ApiResponses(
|
||||||
|
value = {
|
||||||
|
@ApiResponse(
|
||||||
|
code = 201,
|
||||||
|
message = "Created. \n Device group has successfully been created",
|
||||||
|
responseHeaders = {
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Content-Location",
|
||||||
|
description = "The URL of the added group."),
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Content-Type",
|
||||||
|
description = "The content type of the body"),
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "ETag",
|
||||||
|
description = "Entity Tag of the response resource.\n" +
|
||||||
|
"Used by caches, or in conditional requests."),
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Last-Modified",
|
||||||
|
description = "Date and time the resource has been modified the last time" +
|
||||||
|
".\n" + "Used by caches, or in conditional requests.")
|
||||||
|
}
|
||||||
|
),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 303,
|
||||||
|
message = "See Other. \n Source can be retrieved from the URL specified at the Location " +
|
||||||
|
"header.",
|
||||||
|
responseHeaders = {
|
||||||
|
@ResponseHeader(
|
||||||
|
name = "Content-Location",
|
||||||
|
description = "The Source URL of the document.")}),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 400,
|
||||||
|
message = "Bad Request. \n Invalid request or validation error.",
|
||||||
|
response = ErrorResponse.class),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 401,
|
||||||
|
message = "Unauthorized. \n Current logged in user is not authorized for this request",
|
||||||
|
response = ErrorResponse.class),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 415,
|
||||||
|
message = "Unsupported media type. \n The entity of the request was in a not supported " +
|
||||||
|
"format."),
|
||||||
|
@ApiResponse(
|
||||||
|
code = 500,
|
||||||
|
message = "Internal Server Error. \n " +
|
||||||
|
"Server error occurred while checking access",
|
||||||
|
response = ErrorResponse.class)
|
||||||
|
})
|
||||||
|
Response checkGroupAccess(
|
||||||
|
@ApiParam(
|
||||||
|
name = "groupAccessRequest",
|
||||||
|
value = "Define the group access request object with data.",
|
||||||
|
required = true)
|
||||||
|
@Valid GroupAuthorizationRequest request);
|
||||||
|
}
|
@ -0,0 +1,95 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl;
|
||||||
|
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.api.AccessAuthorizationService;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.DeviceMgtAPIUtils;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.DeviceIdentifier;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.authorization.*;
|
||||||
|
import org.apache.commons.lang.StringUtils;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import javax.ws.rs.core.Response;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
|
||||||
|
public class AccessAuthorizationServiceImpl implements AccessAuthorizationService {
|
||||||
|
|
||||||
|
private static final Log log = LogFactory.getLog(AccessAuthorizationServiceImpl.class);
|
||||||
|
@Override
|
||||||
|
public Response checkDeviceAccess(DeviceAuthorizationRequest deviceAuthorizationRequest) {
|
||||||
|
|
||||||
|
if (StringUtils.isEmpty(deviceAuthorizationRequest.getType())) {
|
||||||
|
String msg = "device type not specified";
|
||||||
|
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (deviceAuthorizationRequest.getDeviceIds().isEmpty()) {
|
||||||
|
String msg = "device ids not specified";
|
||||||
|
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (deviceAuthorizationRequest.getPermissions().isEmpty()) {
|
||||||
|
String msg = "permissions not specified";
|
||||||
|
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||||
|
}
|
||||||
|
|
||||||
|
List<DeviceIdentifier> deviceIdentifiers = new ArrayList<>();
|
||||||
|
for(String id : deviceAuthorizationRequest.getDeviceIds()) {
|
||||||
|
DeviceIdentifier identifier = new DeviceIdentifier(id, deviceAuthorizationRequest.getType());
|
||||||
|
deviceIdentifiers.add(identifier);
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
DeviceAuthorizationResult result = DeviceMgtAPIUtils.getDeviceAccessAuthorizationService()
|
||||||
|
.isUserAuthorized(deviceIdentifiers, deviceAuthorizationRequest.getUsername(),
|
||||||
|
deviceAuthorizationRequest.getPermissions().toArray(new String[0]));
|
||||||
|
return Response.status(Response.Status.OK).entity(result).build();
|
||||||
|
} catch (DeviceAccessAuthorizationException e) {
|
||||||
|
String msg = "Error occurred while checking access info";
|
||||||
|
log.error(msg, e);
|
||||||
|
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Response checkGroupAccess(GroupAuthorizationRequest request) {
|
||||||
|
|
||||||
|
if (request.getGroupIds().isEmpty()) {
|
||||||
|
String msg = "group ids not specified";
|
||||||
|
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (request.getPermissions().isEmpty()) {
|
||||||
|
String msg = "permissions not specified";
|
||||||
|
return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
GroupAuthorizationResult result = DeviceMgtAPIUtils.getGroupAccessAuthorizationService()
|
||||||
|
.isUserAuthorized(request.getGroupIds(), request.getUsername(),
|
||||||
|
request.getPermissions().toArray(new String[0]));
|
||||||
|
return Response.status(Response.Status.OK).entity(result).build();
|
||||||
|
} catch (GroupAccessAuthorizationException e) {
|
||||||
|
String msg = "Error occurred while checking access info";
|
||||||
|
log.error(msg, e);
|
||||||
|
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,68 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||||
|
|
||||||
|
import io.swagger.annotations.ApiModel;
|
||||||
|
import io.swagger.annotations.ApiModelProperty;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
@ApiModel(value = "DeviceAuthorizationRequest", description = "")
|
||||||
|
public class DeviceAuthorizationRequest {
|
||||||
|
|
||||||
|
@ApiModelProperty(name = "type", value = "device type")
|
||||||
|
private String type;
|
||||||
|
@ApiModelProperty(name = "deviceIds", value = "list of device ids")
|
||||||
|
private List<String> deviceIds;
|
||||||
|
@ApiModelProperty(name = "username", value = "user who is accessing the device")
|
||||||
|
private String username;
|
||||||
|
@ApiModelProperty(name = "permissions", value = "list of permissions")
|
||||||
|
private List<String> permissions;
|
||||||
|
|
||||||
|
public String getType() {
|
||||||
|
return type;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setType(String type) {
|
||||||
|
this.type = type;
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<String> getDeviceIds() {
|
||||||
|
return deviceIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setDeviceIds(List<String> deviceIds) {
|
||||||
|
this.deviceIds = deviceIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getUsername() {
|
||||||
|
return username;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUsername(String username) {
|
||||||
|
this.username = username;
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<String> getPermissions() {
|
||||||
|
return permissions;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setPermissions(List<String> permissions) {
|
||||||
|
this.permissions = permissions;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,61 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Custom exception class which wraps exceptions occurred inside GroupAccessAuthorization service.
|
||||||
|
*/
|
||||||
|
public class GroupAccessAuthorizationException extends Exception {
|
||||||
|
|
||||||
|
private static final long serialVersionUID = -3151279331929070297L;
|
||||||
|
|
||||||
|
private String errorMessage;
|
||||||
|
|
||||||
|
public String getErrorMessage() {
|
||||||
|
return errorMessage;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setErrorMessage(String errorMessage) {
|
||||||
|
this.errorMessage = errorMessage;
|
||||||
|
}
|
||||||
|
|
||||||
|
public GroupAccessAuthorizationException(String msg, Exception nestedEx) {
|
||||||
|
super(msg, nestedEx);
|
||||||
|
setErrorMessage(msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
public GroupAccessAuthorizationException(String message, Throwable cause) {
|
||||||
|
super(message, cause);
|
||||||
|
setErrorMessage(message);
|
||||||
|
}
|
||||||
|
|
||||||
|
public GroupAccessAuthorizationException(String msg) {
|
||||||
|
super(msg);
|
||||||
|
setErrorMessage(msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
public GroupAccessAuthorizationException() {
|
||||||
|
super();
|
||||||
|
}
|
||||||
|
|
||||||
|
public GroupAccessAuthorizationException(Throwable cause) {
|
||||||
|
super(cause);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,16 @@
|
|||||||
|
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
public interface GroupAccessAuthorizationService {
|
||||||
|
|
||||||
|
public boolean isUserAuthorized(int groupId, String username, String[] groupPermissions)
|
||||||
|
throws GroupAccessAuthorizationException;
|
||||||
|
|
||||||
|
public boolean isUserAuthorized(int groupId, String[] groupPermissions)
|
||||||
|
throws GroupAccessAuthorizationException;
|
||||||
|
|
||||||
|
public GroupAuthorizationResult isUserAuthorized(List<Integer> groupIds, String username, String[] groupPermission)
|
||||||
|
throws GroupAccessAuthorizationException;
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,58 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||||
|
|
||||||
|
import io.swagger.annotations.ApiModel;
|
||||||
|
import io.swagger.annotations.ApiModelProperty;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
@ApiModel(value = "GroupAuthorizationRequest", description = "")
|
||||||
|
public class GroupAuthorizationRequest {
|
||||||
|
|
||||||
|
@ApiModelProperty(name = "groupIds", value = "list of group Ids")
|
||||||
|
private List<Integer> groupIds;
|
||||||
|
@ApiModelProperty(name = "username", value = "user who is accessing the device")
|
||||||
|
private String username;
|
||||||
|
@ApiModelProperty(name = "permissions", value = "list of permissions")
|
||||||
|
private List<String> permissions;
|
||||||
|
|
||||||
|
public List<Integer> getGroupIds() {
|
||||||
|
return groupIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setGroupIds(List<Integer> groupIds) {
|
||||||
|
this.groupIds = groupIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getUsername() {
|
||||||
|
return username;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUsername(String username) {
|
||||||
|
this.username = username;
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<String> getPermissions() {
|
||||||
|
return permissions;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setPermissions(List<String> permissions) {
|
||||||
|
this.permissions = permissions;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,56 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package io.entgra.device.mgt.core.device.mgt.common.authorization;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Represents a GroupAuthorizationResult including a list of authorized groups and a list of unauthorized groups.
|
||||||
|
*/
|
||||||
|
public class GroupAuthorizationResult {
|
||||||
|
|
||||||
|
private List<Integer> authorizedGroupIds = new ArrayList<>();
|
||||||
|
private List<Integer> unauthorizedGroupIds= new ArrayList<>();
|
||||||
|
|
||||||
|
public List<Integer> getAuthorizedGroupIds() {
|
||||||
|
return authorizedGroupIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setAuthorizedGroupIds(List<Integer> authorizedGroupIds) {
|
||||||
|
this.authorizedGroupIds = authorizedGroupIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<Integer> getUnauthorizedGroupIds() {
|
||||||
|
return unauthorizedGroupIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUnauthorizedGroupIds(List<Integer> unauthorizedGroupIds) {
|
||||||
|
this.unauthorizedGroupIds = unauthorizedGroupIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void addAuthorizedGroupId(int groupId) {
|
||||||
|
this.authorizedGroupIds.add(groupId);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void addUnauthorizedGroupId(int groupId) {
|
||||||
|
this.unauthorizedGroupIds.add(groupId);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,173 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018 - 2024, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package io.entgra.device.mgt.core.device.mgt.core.authorization;
|
||||||
|
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAccessAuthorizationException;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAccessAuthorizationService;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.authorization.GroupAuthorizationResult;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.group.mgt.DeviceGroup;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.group.mgt.GroupManagementException;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.permission.mgt.Permission;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.common.permission.mgt.PermissionManagementException;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.core.internal.DeviceManagementDataHolder;
|
||||||
|
import io.entgra.device.mgt.core.device.mgt.core.permission.mgt.PermissionUtils;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.opensaml.xmlsec.signature.G;
|
||||||
|
import org.wso2.carbon.CarbonConstants;
|
||||||
|
import org.wso2.carbon.context.CarbonContext;
|
||||||
|
import org.wso2.carbon.user.api.UserRealm;
|
||||||
|
import org.wso2.carbon.user.api.UserStoreException;
|
||||||
|
|
||||||
|
import javax.persistence.criteria.CriteriaBuilder;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthorizationService {
|
||||||
|
|
||||||
|
private final static String GROUP_ADMIN_PERMISSION = "/device-mgt/devices/any-group/permitted-actions-under-owning-group";
|
||||||
|
private final static String GROUP_ADMIN = "Group Management Administrator";
|
||||||
|
private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class);
|
||||||
|
|
||||||
|
public GroupAccessAuthorizationServiceImpl() {
|
||||||
|
try {
|
||||||
|
this.addAdminPermissionToRegistry();
|
||||||
|
} catch (PermissionManagementException e) {
|
||||||
|
log.error("Unable to add the group-admin permission to the registry.", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isUserAuthorized(int groupId, String username, String[] groupPermissions)
|
||||||
|
throws GroupAccessAuthorizationException {
|
||||||
|
int tenantId = this.getTenantId();
|
||||||
|
if (username == null || username.isEmpty()) {
|
||||||
|
username = this.getUserName();
|
||||||
|
}
|
||||||
|
//check for admin and ownership permissions
|
||||||
|
if (isGroupAdminUser(username, tenantId) || isGroupOwner(groupId, username)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
//check for group permissions
|
||||||
|
if (groupPermissions == null || groupPermissions.length == 0) {
|
||||||
|
return false;
|
||||||
|
} else {
|
||||||
|
// if group permissions specified, check whether that permission is available in any user role of the group owner
|
||||||
|
try {
|
||||||
|
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService()
|
||||||
|
.getTenantUserRealm(getTenantId());
|
||||||
|
String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username);
|
||||||
|
boolean isAuthorized = true;
|
||||||
|
for (String groupPermission : groupPermissions) {
|
||||||
|
for (String role : userRoles) {
|
||||||
|
if (!userRealm.getAuthorizationManager().
|
||||||
|
isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) {
|
||||||
|
isAuthorized = false;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return isAuthorized;
|
||||||
|
} catch (UserStoreException e) {
|
||||||
|
throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " +
|
||||||
|
groupId + " for the user : " +
|
||||||
|
username, e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public GroupAuthorizationResult isUserAuthorized(List<Integer> groupIds, String username, String[] groupPermission)
|
||||||
|
throws GroupAccessAuthorizationException {
|
||||||
|
GroupAuthorizationResult result = new GroupAuthorizationResult();
|
||||||
|
for (Integer groupId : groupIds) {
|
||||||
|
if (isUserAuthorized(groupId, username, groupPermission)) {
|
||||||
|
result.addAuthorizedGroupId(groupId);
|
||||||
|
} else {
|
||||||
|
result.addUnauthorizedGroupId(groupId);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isUserAuthorized(int groupId, String[] groupPermissions)
|
||||||
|
throws GroupAccessAuthorizationException {
|
||||||
|
return isUserAuthorized(groupId, this.getUserName(), groupPermissions);
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isGroupOwner(int groupId, String username)
|
||||||
|
throws GroupAccessAuthorizationException {
|
||||||
|
//Check for group ownership. If the user is the owner of the group we allow the access.
|
||||||
|
try {
|
||||||
|
DeviceGroup group = DeviceManagementDataHolder.getInstance().
|
||||||
|
getGroupManagementProviderService().getGroup(groupId, false);
|
||||||
|
return username.equals(group.getOwner());
|
||||||
|
} catch (GroupManagementException e) {
|
||||||
|
throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " +
|
||||||
|
groupId + " for the user : " +
|
||||||
|
username, e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isGroupAdminUser(String username, int tenantId) throws GroupAccessAuthorizationException {
|
||||||
|
try {
|
||||||
|
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
|
||||||
|
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
|
||||||
|
return userRealm.getAuthorizationManager()
|
||||||
|
.isUserAuthorized(removeTenantDomain(username),
|
||||||
|
PermissionUtils.getAbsolutePermissionPath(GROUP_ADMIN_PERMISSION),
|
||||||
|
CarbonConstants.UI_PERMISSION_ACTION);
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
} catch (UserStoreException e) {
|
||||||
|
throw new GroupAccessAuthorizationException("Unable to authorize the access for the user : " +
|
||||||
|
username, e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private String getUserName() {
|
||||||
|
String username = CarbonContext.getThreadLocalCarbonContext().getUsername();
|
||||||
|
if (username != null && !username.isEmpty()) {
|
||||||
|
return removeTenantDomain(username);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
private String removeTenantDomain(String username) {
|
||||||
|
String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
|
||||||
|
if (username.endsWith(tenantDomain)) {
|
||||||
|
return username.substring(0, username.lastIndexOf("@"));
|
||||||
|
}
|
||||||
|
return username;
|
||||||
|
}
|
||||||
|
|
||||||
|
private int getTenantId() {
|
||||||
|
return CarbonContext.getThreadLocalCarbonContext().getTenantId();
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean addAdminPermissionToRegistry() throws PermissionManagementException {
|
||||||
|
Permission permission = new Permission();
|
||||||
|
permission.setName(GROUP_ADMIN);
|
||||||
|
permission.setPath(PermissionUtils.getAbsolutePermissionPath(GROUP_ADMIN_PERMISSION));
|
||||||
|
return PermissionUtils.putPermission(permission);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in new issue