From 480d6d5b7e6e779bc317ae0d5533088521ac092b Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Mon, 25 Apr 2016 19:41:04 +0530 Subject: [PATCH 01/11] Remove redundant log messages --- .../public/js/invoker-lib.js | 1 - 1 file changed, 1 deletion(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.lib.service-invoker-utility/public/js/invoker-lib.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.lib.service-invoker-utility/public/js/invoker-lib.js index 15679db063..cd9d2e5d29 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.lib.service-invoker-utility/public/js/invoker-lib.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.lib.service-invoker-utility/public/js/invoker-lib.js @@ -50,7 +50,6 @@ var invokerUtil = function () { accept: acceptType, success: successCallback }; - console.log(data); var paramValue = {}; paramValue.actionMethod = methoad; paramValue.actionUrl = url; From 38cdd94f3c74608091ce1e6be325121bb5d290a8 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 00:33:19 +0530 Subject: [PATCH 02/11] Adding group permission checking for Device Access Authorizations --- .../DeviceAccessAuthorizationService.java | 26 +++ .../DeviceAccessAuthorizationServiceImpl.java | 220 +++++++++--------- .../internal/DeviceManagementDataHolder.java | 11 + .../DeviceManagementServiceComponent.java | 1 + 4 files changed, 146 insertions(+), 112 deletions(-) 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java index 5c6b9b4b4b..e54901bc6c 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java 
@@ -51,6 +51,32 @@ public interface DeviceAccessAuthorizationService { DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers) throws DeviceAccessAuthorizationException; + /** + * This method will check whether the given user has the access to the device identified by the given + * DeviceIdentifier. + * + * @param deviceIdentifier - DeviceIdentifier of the device to be checked. + * @param username - Username of the user to be checked for authorization. + * @param permission - Permission + * @return Boolean authorization result. + * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException; + + /** + * This method will check whether the given user has the access to the devices identified by the given + * DeviceIdentifier list. + * + * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. + * @param username - User name + * @param permission - Permission + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & + * unauthorized devices. + * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, String permission) throws + DeviceAccessAuthorizationException; + /** * This method will check whether the given user has the access to the device identified by the given * DeviceIdentifier. diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index 857f0f63e9..cb0dc03ccf 100644 
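Review bot: The Javadoc on both new overloads documents `permission` only as `- Permission`, which tells a caller neither what form the value takes nor how a null or empty value is treated, and the implementation in this same patch answers the second question differently per overload (false for the single device, null for the list). Suggest `@param permission - Absolute permission path the user must hold through a device-group role (e.g. one of DeviceGroupConstants.Permissions); null or empty means only the admin and ownership checks apply.` once the implementation agrees with that, and state on the list overload whether it can return null. The parameter lists also show `List deviceIdentifiers` without a type argument; if that is not just a rendering artefact of this page, the declarations should carry `List<DeviceIdentifier>`.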
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java @@ -20,20 +20,26 @@ package org.wso2.carbon.device.mgt.core.authorization; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.CarbonConstants; import org.wso2.carbon.context.CarbonContext; -import org.wso2.carbon.device.mgt.common.*; +import org.wso2.carbon.device.mgt.common.Device; +import org.wso2.carbon.device.mgt.common.DeviceIdentifier; +import org.wso2.carbon.device.mgt.common.DeviceManagementException; +import org.wso2.carbon.device.mgt.common.EnrolmentInfo; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult; +import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup; +import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder; import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils; import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserStoreException; -import org.wso2.carbon.user.api.UserStoreManager; import java.util.HashMap; +import java.util.Iterator; import java.util.List; import java.util.Map; 
@@ -66,158 +72,148 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } @Override - public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { - boolean status; - String username = this.getUserName(); + public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) + throws DeviceAccessAuthorizationException { int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { - return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType()); + return false; } - try { - //Check for admin users. If the user is an admin user we authorize the access to that device. - status = isAdminUser(username, tenantId); - } catch (UserStoreException e) { - throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + username, e); + //check for admin and ownership permissions + if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) { + return true; } - //Check for device ownership. If the user is the owner of the device we allow the access. - if (!status) { - try { - Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). 
- getDevice(deviceIdentifier); - EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo(); - if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) { - status = true; - } - } catch (DeviceManagementException e) { - throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + username, e); + //check for group permissions + try { + if (permission == null || permission.isEmpty()) { + return false; } + return checkGroupsPermission(username, tenantId, permission); + } catch (GroupManagementException | UserStoreException e) { + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + + deviceIdentifier.getId() + " for the user : " + + username, e); } - return status; } @Override - public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers) throws - DeviceAccessAuthorizationException { - boolean status; - DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult(); - String username = this.getUserName(); + public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username) + throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifier, username, null); + } + + @Override + public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifier, this.getUserName(), null); + } + + @Override + public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, + String permission) + throws DeviceAccessAuthorizationException { int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { - return deviceAuthorizationResult; - } - try { - //Check for admin users. If the user is an admin user we authorize the access to that device. 
- status = isAdminUser(username, tenantId); - } catch (UserStoreException e) { - throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " + - username, e); + return null; } - //Check for device ownership. If the user is the owner of the device we allow the access. - if (!status) { - try { - //Get the list of devices of the user - List devicesOfUser = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). - getDevicesOfUser(username); - //Convert device-list to a Map - Map ownershipData = this.getOwnershipOfDevices(devicesOfUser); - for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) { - if (ownershipData.containsKey(deviceIdentifier.getId())) { + DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult(); + for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) { + //check for admin and ownership permissions + if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) { + deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); + } else { + try { + if (permission == null || permission.isEmpty()) { + return null; + } + //check for group permissions + if (checkGroupsPermission(username, tenantId, permission)) { deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); } else { deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); } + } catch (GroupManagementException | UserStoreException e) { + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + + deviceIdentifier.getId() + " for the user : " + + username, e); } - } catch (DeviceManagementException e) { - throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " - + username, e); } - } else { - deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers); } return deviceAuthorizationResult; } @Override - public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username) + 
public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username) + throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifiers, username, null); + } + + @Override + public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers) + throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifiers, this.getUserName(), null); + } + + private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { - boolean status; - int tenantId = this.getTenantId(); - if (username == null || username.isEmpty()) { - return false; - } try { - //Check for admin users. If the user is an admin user we authorize the access to that device. - status = isAdminUser(username, tenantId); + //First Check for admin users. If the user is an admin user we authorize the access to that device. + //Secondly Check for device ownership. If the user is the owner of the device we allow the access. + return (isAdminUser(username, tenantId) || isDeviceOwner(deviceIdentifier, username)); } catch (UserStoreException e) { throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + username, e); + deviceIdentifier.getId() + " for the user : " + + username, e); } - //Check for device ownership. If the user is the owner of the device we allow the access. - if (!status) { - try { - Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). 
- getDevice(deviceIdentifier); - EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo(); - if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) { - status = true; + } + + private boolean checkGroupsPermission(String username, int tenantId, String permission) + throws GroupManagementException, UserStoreException { + List groups = + DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username, + permission); + UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); + if (userRealm != null && userRealm.getAuthorizationManager() != null) { + Iterator groupIterator = groups.iterator(); + while (groupIterator.hasNext()) { + DeviceGroup deviceGroup = groupIterator.next(); + Iterator rolesIterator = deviceGroup.getRoles().iterator(); + while (rolesIterator.hasNext()) { + String role = rolesIterator.next(); + if (userRealm.getAuthorizationManager().isRoleAuthorized( + "Internal/group-" + deviceGroup.getId() + "-" + role, permission, + CarbonConstants.UI_PERMISSION_ACTION)) { + return true; + } } - } catch (DeviceManagementException e) { - throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + username, e); } } - return status; + return false; } - @Override - public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username) - throws DeviceAccessAuthorizationException { - boolean status; - int tenantId = this.getTenantId(); - DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult(); - if (username == null || username.isEmpty()) { - return null; - } - try { - //Check for admin users. If the user is an admin user we authorize the access to that device. 
- status = isAdminUser(username, tenantId); - } catch (UserStoreException e) { - throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " + - username, e); - } + private boolean isDeviceOwner(DeviceIdentifier deviceIdentifier, String username) + throws DeviceAccessAuthorizationException { //Check for device ownership. If the user is the owner of the device we allow the access. - if (!status) { - try { - Device device; - EnrolmentInfo enrolmentInfo; - for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) { - device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). - getDevice(deviceIdentifier); - enrolmentInfo = device.getEnrolmentInfo(); - if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) { - deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); - } else { - deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); - } - } - } catch (DeviceManagementException e) { - throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " - + username, e); + try { + Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider(). 
+ getDevice(deviceIdentifier); + EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo(); + if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) { + return true; } - } else { - deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers); + } catch (DeviceManagementException e) { + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + + deviceIdentifier.getId() + " for the user : " + + username, e); } - return deviceAuthorizationResult; + return false; } private boolean isAdminUser(String username, int tenantId) throws UserStoreException { UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); if (userRealm != null && userRealm.getAuthorizationManager() != null) { return userRealm.getAuthorizationManager() - .isUserAuthorized(removeTenantDomain(username), PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION), - PermissionMethod.UI_EXECUTE); + .isUserAuthorized(removeTenantDomain(username), + PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION), + PermissionMethod.UI_EXECUTE); } return false; } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java index ee594bc657..b09c1e8149 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java 
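Review bot: checkGroupsPermission never considers the device being authorized — it asks getGroups(username, permission) for any group in which the user holds that permission and then checks only that group's roles, so a user with a group-scoped permission on one group is authorized for every device it is asked about, and the list overload, which calls it with the same three arguments on every iteration, necessarily gets the same answer for each device. The lookup should be intersected with the groups the device actually belongs to, as sketched below, where I assume the DeviceIdentifier overload of getGroups (its Javadoc is touched by patch 05 in this series) is that lookup. Separately, the list overload's `return null;` inside the loop discards the partially built result when permission is empty and also differs from the old isUserAuthorized(List) behaviour of returning an empty DeviceAuthorizationResult when the username is missing, so move the guard before the loop and return the result with those devices marked unauthorized. isDeviceOwner also dereferences the result of getDevice(deviceIdentifier) without a null check; the old code had the same gap.
```java
// … unchanged: both isUserAuthorized overloads, now calling
//     checkGroupsPermission(username, tenantId, permission, deviceIdentifier) …

private boolean checkGroupsPermission(String username, int tenantId, String permission,
                                      DeviceIdentifier deviceIdentifier)
        throws GroupManagementException, UserStoreException {
    UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
    if (userRealm == null || userRealm.getAuthorizationManager() == null) {
        return false;
    }
    // Groups the user can reach with this permission, restricted to the groups the device is in;
    // without the second lookup a group permission on any group authorizes every device.
    List<DeviceGroup> userGroups = DeviceManagementDataHolder.getInstance()
            .getGroupManagementProviderService().getGroups(username, permission);
    List<DeviceGroup> deviceGroups = DeviceManagementDataHolder.getInstance()
            .getGroupManagementProviderService().getGroups(deviceIdentifier);
    for (DeviceGroup userGroup : userGroups) {
        if (!containsGroup(deviceGroups, userGroup)) {
            continue;
        }
        for (String role : userGroup.getRoles()) {
            if (userRealm.getAuthorizationManager().isRoleAuthorized(
                    "Internal/group-" + userGroup.getId() + "-" + role, permission,
                    CarbonConstants.UI_PERMISSION_ACTION)) {
                return true;
            }
        }
    }
    return false;
}

private static boolean containsGroup(List<DeviceGroup> groups, DeviceGroup candidate) {
    for (DeviceGroup group : groups) {
        // NOTE(review): assumes getId() is a primitive; compare with equals() if it is boxed.
        if (group.getId() == candidate.getId()) {
            return true;
        }
    }
    return false;
}

// … unchanged: isDeviceOwner, isAdminUser …
```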
@@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManager; import org.wso2.carbon.device.mgt.core.app.mgt.config.AppManagementConfig; import org.wso2.carbon.device.mgt.core.config.license.LicenseConfig; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; +import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService; import org.wso2.carbon.ntask.core.service.TaskService; import org.wso2.carbon.registry.core.service.RegistryService; import org.wso2.carbon.user.core.service.RealmService; @@ -47,6 +48,7 @@ public class DeviceManagementDataHolder { private ConfigurationContextService configurationContextService; private HashMap requireDeviceAuthorization = new HashMap<>(); private DeviceAccessAuthorizationService deviceAccessAuthorizationService; + private GroupManagementProviderService groupManagementProviderService; private TaskService taskService; //private EmailSenderService emailSenderService; @@ -91,6 +93,15 @@ public class DeviceManagementDataHolder { this.deviceManagerProvider = deviceManagerProvider; } + public GroupManagementProviderService getGroupManagementProviderService() { + return groupManagementProviderService; + } + + public void setGroupManagementProviderService( + GroupManagementProviderService groupManagementProviderService) { + this.groupManagementProviderService = groupManagementProviderService; + } + public RegistryService getRegistryService() { if (registryService == null) { throw new IllegalStateException("Registry service is not initialized properly"); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java index 96cebe50db..35f7e50f00 100644 
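Review bot: getGroupManagementProviderService returns the field as-is, so on any code path that runs before the activator has called the setter the new checkGroupsPermission in DeviceAccessAuthorizationServiceImpl dereferences null and fails with a bare NullPointerException, whereas the neighbouring getRegistryService in the same hunk throws an IllegalStateException with a clear message. Match that pattern in the new getter: `if (groupManagementProviderService == null) { throw new IllegalStateException("Group management provider service is not initialized properly"); }` before the return.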
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java @@ -195,6 +195,7 @@ public class DeviceManagementServiceComponent { /* Registering Group Management Service */ GroupManagementProviderService groupManagementProvider = new GroupManagementProviderServiceImpl(); + DeviceManagementDataHolder.getInstance().setGroupManagementProviderService(groupManagementProvider); bundleContext.registerService(GroupManagementProviderService.class.getName(), groupManagementProvider, null); /* Registering Tenant Configuration Management Service */ From 4eb588ac60a4b3eecdb6e132cda092a21f084ef1 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 14:37:34 +0530 Subject: [PATCH 03/11] Group Constants moved to common --- .../carbon/device/mgt/jaxrs/api/Group.java | 38 +++++---------- .../group/mgt/DeviceGroupConstants.java | 47 +++++++++++++++++++ 2 files changed, 59 insertions(+), 26 deletions(-) create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java index acd9e98714..3528817568 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java 
@@ -22,9 +22,9 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.device.mgt.common.DeviceIdentifier; -import org.wso2.carbon.device.mgt.common.EnrolmentInfo; import org.wso2.carbon.device.mgt.common.PaginationResult; import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup; +import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroupConstants; import org.wso2.carbon.device.mgt.common.group.mgt.GroupAlreadyEixistException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser; 
@@ -48,20 +48,6 @@ import java.util.List; @SuppressWarnings("NonJaxWsWebServices") public class Group { - private static final String DEFAULT_ADMIN_ROLE = "admin"; - private static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations"; - private static final String DEFAULT_STATS_MONITOR_ROLE = "view-statistics"; - private static final String DEFAULT_VIEW_POLICIES = "view-policies"; - private static final String DEFAULT_MANAGE_POLICIES = "mange-policies"; - private static final String DEFAULT_VIEW_EVENTS = "view-events"; - private static final String[] DEFAULT_ADMIN_PERMISSIONS = {"/permission/device-mgt/admin/groups", - "/permission/device-mgt/user/groups"}; - private static final String[] DEFAULT_OPERATOR_PERMISSIONS = {"/permission/device-mgt/user/groups/device_operation"}; - private static final String[] DEFAULT_STATS_MONITOR_PERMISSIONS = {"/permission/device-mgt/user/groups/device_monitor"}; - private static final String[] DEFAULT_MANAGE_POLICIES_PERMISSIONS = {"/permission/device-mgt/user/groups/device_policies/add"}; - private static final String[] DEFAULT_VIEW_POLICIES_PERMISSIONS = {"/permission/device-mgt/user/groups/device_policies/view"}; - private static final String[] DEFAULT_VIEW_EVENTS_PERMISSIONS = {"/permission/device-mgt/user/groups/device_events"}; - private static Log log = LogFactory.getLog(Group.class); @POST 
@@ -76,18 +62,18 @@ public class Group { group.setDateOfLastUpdate(new Date().getTime()); try { GroupManagementProviderService groupManagementService = DeviceMgtAPIUtils.getGroupManagementProviderService(); - groupManagementService.createGroup(group, DEFAULT_ADMIN_ROLE, DEFAULT_ADMIN_PERMISSIONS); + groupManagementService.createGroup(group, DeviceGroupConstants.Roles.DEFAULT_ADMIN_ROLE, DeviceGroupConstants.Permissions.DEFAULT_ADMIN_PERMISSIONS); groupManagementService.addGroupSharingRole(owner, group.getName(), owner, - DEFAULT_OPERATOR_ROLE, - DEFAULT_OPERATOR_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_STATS_MONITOR_ROLE, - DEFAULT_STATS_MONITOR_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_VIEW_POLICIES, - DEFAULT_VIEW_POLICIES_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_MANAGE_POLICIES, - DEFAULT_MANAGE_POLICIES_PERMISSIONS); - groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_VIEW_EVENTS, - DEFAULT_VIEW_EVENTS_PERMISSIONS); + DeviceGroupConstants.Roles.DEFAULT_OPERATOR_ROLE, + DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_STATS_MONITOR_ROLE, + DeviceGroupConstants.Permissions.DEFAULT_STATS_MONITOR_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_VIEW_POLICIES, + DeviceGroupConstants.Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_MANAGE_POLICIES, + DeviceGroupConstants.Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS); + groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_VIEW_EVENTS, + 
DeviceGroupConstants.Permissions.DEFAULT_VIEW_EVENTS_PERMISSIONS); return Response.status(Response.Status.CREATED).build(); } catch (GroupAlreadyEixistException e) { return Response.status(Response.Status.CONFLICT).entity(e.getMessage()).build(); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java new file mode 100644 index 0000000000..cdd72f0e27 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java 
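Review bot: Replacing the local constants with fully qualified `DeviceGroupConstants.Roles.…` / `DeviceGroupConstants.Permissions.…` references pushes the createGroup line and several of the addGroupSharingRole lines far beyond the width of the surrounding code and makes the five near-identical addGroupSharingRole calls harder to scan. Static-importing the constants of the two nested classes, or iterating over a role-to-permissions table of the kind patch 06 in this series starts to introduce, would keep each call on one readable line. The enclosing method starts before this hunk.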
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.carbon.device.mgt.common.group.mgt; + +/** + * Holds Device Group constants and expose to external access + */ +public class DeviceGroupConstants { + public static class Roles { + public static final String DEFAULT_ADMIN_ROLE = "admin"; + public static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations"; + public static final String DEFAULT_STATS_MONITOR_ROLE = "view-statistics"; + public static final String DEFAULT_VIEW_POLICIES = "view-policies"; + public static final String DEFAULT_MANAGE_POLICIES = "mange-policies"; + public static final String DEFAULT_VIEW_EVENTS = "view-events"; + } + + public static class Permissions { + public static final String[] DEFAULT_ADMIN_PERMISSIONS = + {"/permission/device-mgt/admin/groups", "/permission/device-mgt/user/groups"}; + public static final String[] DEFAULT_OPERATOR_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_operation"}; + public static final String[] DEFAULT_STATS_MONITOR_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_monitor"}; + public static final String[] DEFAULT_MANAGE_POLICIES_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_policies/add"}; + public static final String[] DEFAULT_VIEW_POLICIES_PERMISSIONS = + 
{"/permission/device-mgt/user/groups/device_policies/view"}; + public static final String[] DEFAULT_VIEW_EVENTS_PERMISSIONS = + {"/permission/device-mgt/user/groups/device_events"}; + } +} From 64a262d3e4c514437e6d4db57decb014d1a0860c Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 15:34:50 +0530 Subject: [PATCH 04/11] Fixing 404 on groups listing --- .../src/main/resources/jaggeryapps/devicemgt/jaggery.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf index d18daaa172..10170e9457 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf @@ -8,7 +8,7 @@ "path": "/api/device-api.jag" }, { - "url": "/api/group/*", + "url": "/api/groups/*", "path": "/api/group-api.jag" }, { From 142ab10eea3823ccb880482f5a58722ff11bef22 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:18:07 +0530 Subject: [PATCH 05/11] Code refactoring --- .../GroupManagementProviderService.java | 61 ++++++++++--------- 1 file changed, 31 insertions(+), 30 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java index b9ffa03340..67bb3dc4af 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java 
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java @@ -25,7 +25,6 @@ import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup; import org.wso2.carbon.device.mgt.common.group.mgt.GroupAlreadyEixistException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser; -import org.wso2.carbon.device.mgt.core.group.mgt.DeviceGroupBuilder; import java.util.List; @@ -77,6 +76,7 @@ public interface GroupManagementProviderService { /** * Get the device group provided the device group id. + * * @param groupId * @return * @throws GroupManagementException @@ -97,7 +97,7 @@ public interface GroupManagementProviderService { * Get paginated device groups in tenant * * @param startIndex for pagination. - * @param rowCount for pagination. + * @param rowCount for pagination. * @return paginated list of groups * @throws GroupManagementException */ @@ -106,9 +106,9 @@ public interface GroupManagementProviderService { /** * Get paginated device groups in tenant * - * @param username of user. + * @param username of user. * @param startIndex for pagination. - * @param rowCount for pagination. + * @param rowCount for pagination. * @return paginated list of groups * @throws GroupManagementException */ @@ -183,9 +183,9 @@ public interface GroupManagementProviderService { /** * Remove existing sharing role for device group * - * @param groupName of the group - * @param owner of the group - * @param roleName to remove + * @param groupName of the group + * @param owner of the group + * @param roleName to remove * @return is role removed * @throws GroupManagementException */ 
@@ -194,8 +194,8 @@ public interface GroupManagementProviderService { /** * Get all sharing roles for device group * - * @param groupName of the group - * @param owner of the group + * @param groupName of the group + * @param owner of the group * @return list of roles * @throws GroupManagementException */ @@ -204,9 +204,9 @@ public interface GroupManagementProviderService { /** * Get specific device group sharing roles for user * - * @param userName of the user - * @param groupName of the group - * @param owner of the group + * @param userName of the user + * @param groupName of the group + * @param owner of the group * @return list of roles * @throws GroupManagementException */ @@ -215,8 +215,8 @@ public interface GroupManagementProviderService { /** * Get device group users * - * @param groupName of the group - * @param owner of the group + * @param groupName of the group + * @param owner of the group * @return list of group users * @throws GroupManagementException */ @@ -225,8 +225,8 @@ public interface GroupManagementProviderService { /** * Get all devices in device group. * - * @param groupName of the group. - * @param owner of the group. + * @param groupName of the group. + * @param owner of the group. * @return list of group devices. * @throws GroupManagementException */ @@ -235,10 +235,10 @@ public interface GroupManagementProviderService { /** * Get all devices in device group as paginated result. * - * @param groupName of the group. - * @param owner of the group. + * @param groupName of the group. + * @param owner of the group. * @param startIndex for pagination. - * @param rowCount for pagination. + * @param rowCount for pagination. * @return Paginated list of devices. * @throws GroupManagementException */ 
@@ -248,8 +248,8 @@ public interface GroupManagementProviderService { /** * This method is used to retrieve the device count of a given group. * - * @param groupName of the group. - * @param owner of the group. + * @param groupName of the group. + * @param owner of the group. * @return returns the device count. * @throws GroupManagementException */ @@ -258,9 +258,9 @@ public interface GroupManagementProviderService { /** * Add device to device group. * - * @param deviceId of the device. - * @param groupName of the group. - * @param owner of the group. + * @param deviceId of the device. + * @param groupName of the group. + * @param owner of the group. * @return is device added. * @throws GroupManagementException */ @@ -269,9 +269,9 @@ public interface GroupManagementProviderService { /** * Remove device from device group. * - * @param deviceId of the device. - * @param groupName of the group. - * @param owner of the group. + * @param deviceId of the device. + * @param groupName of the group. + * @param owner of the group. * @return is device removed. * @throws GroupManagementException */ @@ -280,9 +280,9 @@ public interface GroupManagementProviderService { /** * Get device group permissions of user. * - * @param username of the user. - * @param groupName of the group. - * @param owner of the group. + * @param username of the user. + * @param groupName of the group. + * @param owner of the group. * @return array of permissions. * @throws GroupManagementException */ @@ -300,6 +300,7 @@ public interface GroupManagementProviderService { /** * Get the group of device. + * * @param deviceIdentifier * @return * @throws GroupManagementException From 9cb24d8cec60f918d870a7a37f9bfce9bc661b97 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:18:58 +0530 Subject: [PATCH 06/11] Adding enum to hold default role to default permissions mapping --- .../group/mgt/DeviceGroupConstants.java | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java index cdd72f0e27..24c4089b24 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java 
@@ -17,10 +17,45 @@ */ package org.wso2.carbon.device.mgt.common.group.mgt; + /** * Holds Device Group constants and expose to external access */ public class DeviceGroupConstants { + public enum RolePermissions { + DEFAULT_ADMIN_ROLE(Roles.DEFAULT_ADMIN_ROLE), + DEFAULT_OPERATOR_ROLE(Roles.DEFAULT_OPERATOR_ROLE), + DEFAULT_STATS_MONITOR_ROLE(Roles.DEFAULT_STATS_MONITOR_ROLE), + DEFAULT_VIEW_POLICIES(Roles.DEFAULT_VIEW_POLICIES), + DEFAULT_MANAGE_POLICIES(Roles.DEFAULT_MANAGE_POLICIES), + DEFAULT_VIEW_EVENTS(Roles.DEFAULT_VIEW_EVENTS); + + private String value; + private String[] permissions; + + RolePermissions(String value) { + this.value = value; + } + + static { + DEFAULT_ADMIN_ROLE.permissions = Permissions.DEFAULT_ADMIN_PERMISSIONS; + DEFAULT_OPERATOR_ROLE.permissions = Permissions.DEFAULT_OPERATOR_PERMISSIONS; + DEFAULT_STATS_MONITOR_ROLE.permissions = Permissions.DEFAULT_STATS_MONITOR_PERMISSIONS; + DEFAULT_VIEW_POLICIES.permissions = Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS; + DEFAULT_MANAGE_POLICIES.permissions = Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS; + DEFAULT_VIEW_EVENTS.permissions = Permissions.DEFAULT_VIEW_EVENTS_PERMISSIONS; + } + + @Override + public String toString(){ + return this.value; + } + + public String[] getPermissions(){ + return permissions; + } + } + public static class Roles { public static final String DEFAULT_ADMIN_ROLE = "admin"; public static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations"; From 938eda7c46215ef852c49a003f58e0beb88467b5 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:29:12 +0530 Subject: [PATCH 07/11] Adding group permissions checking --- .../DeviceAccessAuthorizationService.java | 61 +++++++++++++------ .../DeviceAccessAuthorizationServiceImpl.java | 44 ++++++++++--- 2 files changed, 78 insertions(+), 27 deletions(-) 
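Review bot: The static initializer maps `DEFAULT_VIEW_POLICIES` to `Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS` and `DEFAULT_MANAGE_POLICIES` to `Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS`, i.e. the two assignments are swapped, so whoever holds the view-policies role is handed the manage-policies permission set. The two lines should read `DEFAULT_VIEW_POLICIES.permissions = Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS;` and `DEFAULT_MANAGE_POLICIES.permissions = Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS;`. `getPermissions()` also hands out the enum's own array, so any caller can rewrite the role-to-permission mapping for the whole JVM; `return permissions.clone();` closes that, and passing the array as a second constructor argument would let both fields be `final` and remove the static block altogether.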
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java index e54901bc6c..610727edb0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java @@ -28,7 +28,6 @@ import java.util.List; * accessing the device information and performing MDM operations on devices. */ public interface DeviceAccessAuthorizationService { - /** * This method will check whether the currently logged-in user has the access to the device identified by the given * DeviceIdentifier. 
@@ -39,29 +38,55 @@ public interface DeviceAccessAuthorizationService { */ boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException; + /** + * This method will check whether the currently logged-in user has the access to the device identified by the given + * DeviceIdentifier. + * + * @param deviceIdentifier - DeviceIdentifier of the device to be checked. + * @param groupPermissions - Group Permissions. + * @return Boolean authorization result. + * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions) + throws DeviceAccessAuthorizationException; + /** * This method will check whether the currently logged-in user has the access to the devices identified by the given * DeviceIdentifier list. * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers) throws - DeviceAccessAuthorizationException; + DeviceAccessAuthorizationException; + + /** + * This method will check whether the currently logged-in user has the access to the devices identified by the given + * DeviceIdentifier list. + * + * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. + * @param groupPermissions - Group Permissions + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. 
+ * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String[] groupPermissions) + throws DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the device identified by the given * DeviceIdentifier. * * @param deviceIdentifier - DeviceIdentifier of the device to be checked. - * @param username - Username of the user to be checked for authorization. - * @param permission - Permission + * @param username - Username of the user to be checked for authorization. + * @param groupPermissions - Group Permissions * @return Boolean authorization result. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ - boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException; + boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions) + throws DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the devices identified by the given 
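Review bot: The Javadoc on the new and changed `String[] groupPermissions` overloads in this hunk says only `@param groupPermissions - Group Permissions`, which tells neither an implementer nor a caller whether one or all of the entries must hold, nor what a null or empty array means; the implementation later in this series requires every entry and treats null or empty as not authorized. Suggest `@param groupPermissions - Permissions the user must hold through a group role; every entry must be granted, and a null or empty array is treated as not authorized.` on each of these signatures, and likewise on the list variant in the @@ -69 hunk in L28. The hunk starts in L26 and the interface continues past it.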
@@ -69,20 +94,21 @@ public interface DeviceAccessAuthorizationService { * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. * @param username - User name - * @param permission - Permission - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @param groupPermissions - Group Permissions + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ - DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, String permission) throws - DeviceAccessAuthorizationException; + DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, + String[] groupPermissions) throws + DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the device identified by the given * DeviceIdentifier. * * @param deviceIdentifier - DeviceIdentifier of the device to be checked. - * @param username - Username of the user to be checked for authorization. + * @param username - Username of the user to be checked for authorization. * @return Boolean authorization result. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ 
@@ -94,12 +120,11 @@ public interface DeviceAccessAuthorizationService { * DeviceIdentifier list. * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. - * @param username - Username of the user to be checked for authorization. - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @param username - Username of the user to be checked for authorization. + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username) throws - DeviceAccessAuthorizationException; - + DeviceAccessAuthorizationException; } \ No newline at end of file diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index cb0dc03ccf..3e0dbceb75 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java 
@@ -72,7 +72,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } @Override - public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) + public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions) throws DeviceAccessAuthorizationException { int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { @@ -84,10 +84,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } //check for group permissions try { - if (permission == null || permission.isEmpty()) { + if (groupPermissions == null || groupPermissions.length == 0) { return false; } - return checkGroupsPermission(username, tenantId, permission); + for (String groupPermission : groupPermissions) { + if (!checkGroupsPermission(username, tenantId, groupPermission)) { + //if at least one fails, authorization fails + return false; + } + } + return true; } catch (GroupManagementException | UserStoreException e) { throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + deviceIdentifier.getId() + " for the user : " + @@ -101,6 +107,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return isUserAuthorized(deviceIdentifier, username, null); } + @Override + public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions) + throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions); + } + @Override public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { return isUserAuthorized(deviceIdentifier, this.getUserName(), null); 
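Review bot: The all-permissions-required loop added in the @@ -84 hunk is repeated almost verbatim in the list variant in the next hunk (@@ -121 in L31), the only difference being how a miss is reported, so the two call sites will drift the next time the rule changes; a single private helper keeps them aligned. Having the helper answer `false` for a null or empty array also gives the list variant a boolean to act on instead of the early `return null` it currently has. Both enclosing methods start outside this hunk.
```java
/** True only when every entry of groupPermissions is granted to the user through a group role. */
private boolean hasAllGroupPermissions(String username, int tenantId, String[] groupPermissions)
        throws GroupManagementException, UserStoreException {
    if (groupPermissions == null || groupPermissions.length == 0) {
        return false;
    }
    for (String groupPermission : groupPermissions) {
        if (!checkGroupsPermission(username, tenantId, groupPermission)) {
            return false; // a single missing permission denies
        }
    }
    return true;
}

// … in isUserAuthorized(DeviceIdentifier, String, String[]), replacing the null check and the loop …
return hasAllGroupPermissions(username, tenantId, groupPermissions);
```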
@@ -108,7 +120,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori @Override public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, - String permission) + String[] groupPermissions) throws DeviceAccessAuthorizationException { int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { @@ -121,11 +133,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); } else { try { - if (permission == null || permission.isEmpty()) { + if (groupPermissions == null || groupPermissions.length == 0) { return null; } //check for group permissions - if (checkGroupsPermission(username, tenantId, permission)) { + boolean isAuthorized = true; + for (String groupPermission : groupPermissions) { + if (!checkGroupsPermission(username, tenantId, groupPermission)) { + //if at least one failed, authorizations fails and break the loop + isAuthorized = false; + break; + } + } + if (isAuthorized) { deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); } else { deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); @@ -152,6 +172,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return isUserAuthorized(deviceIdentifiers, this.getUserName(), null); } + @Override + public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String[] groupPermissions) + throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions); + } + private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { try { 
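Review bot: The unchanged `return null;` right after the new `groupPermissions.length == 0` test sits inside the per-device loop, so it throws away the partially built `deviceAuthorizationResult` and hands the caller a null `DeviceAuthorizationResult`; the overload whose body is visible at the top of the @@ -152 hunk passes `null` as the permissions, so any list that contains one device the user neither owns nor administers makes it return null instead of a result. Marking that device unauthorized and moving on keeps the contract: `deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); continue;`. The loop and the enclosing method start outside this hunk.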
@@ -165,11 +191,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } } - private boolean checkGroupsPermission(String username, int tenantId, String permission) + private boolean checkGroupsPermission(String username, int tenantId, String groupPermission) throws GroupManagementException, UserStoreException { List groups = DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username, - permission); + groupPermission); UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); if (userRealm != null && userRealm.getAuthorizationManager() != null) { Iterator groupIterator = groups.iterator(); @@ -179,7 +205,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori while (rolesIterator.hasNext()) { String role = rolesIterator.next(); if (userRealm.getAuthorizationManager().isRoleAuthorized( - "Internal/group-" + deviceGroup.getId() + "-" + role, permission, + "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) { return true; } From b6c33a0aec41d1df7af5685642b44a7d8ead7311 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:49:09 +0530 Subject: [PATCH 08/11] Fixing group roles listing --- .../cdmf.page.groups/public/js/listing.js | 137 +++++++++--------- 1 file changed, 66 insertions(+), 71 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js index 9d4b89a8f0..62944a0636 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js 
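Review bot: `checkGroupsPermission` never receives the device being authorized: `getGroups(username, groupPermission)` yields every group in which the user holds that permission and a role match in any of them returns true, so as far as these hunks show a user with the permission in one group is authorized for a device that belongs to a group they have no role in, and with the new all-of loop each permission may even be satisfied by a different group. The callers in the preceding hunks do hold the `DeviceIdentifier`, and the provider service exposes a lookup of a device's group (the "Get the group of device" method in the interface hunk earlier in this series), so the check could be limited to groups that actually contain the device, e.g. by passing `deviceIdentifier` through and skipping groups whose id does not match. The method continues past the end of the hunk.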
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js @@ -141,24 +141,24 @@ function loadGroups() { render: function ( id, type, row, meta ) { var html; html = '' + - '' + - ''; + '' + + ''; html += '' + - '' + - ''; + '' + + ''; html += ''; + 'data-group-owner="' + row.owner + '">' + + ''; html += '' + - ''; + 'data-group-owner="' + row.owner + '" data-group-description="' + row.description + '">' + + ''; html += '' + - ''; + 'data-group-owner="' + row.owner + '">' + + ''; return html; }} @@ -221,12 +221,12 @@ $(document).ready(function () { /* for device list sorting drop down */ $(".ctrl-filter-type-switcher").popover( - { - html: true, - content: function () { - return $("#content-filter-types").html(); - } + { + html: true, + content: function () { + return $("#content-filter-types").html(); } + } ); /* for data tables*/ @@ -235,20 +235,20 @@ $(document).ready(function () { $("[data-toggle=popover]").popover(); $(".ctrl-filter-type-switcher").popover( - { - html: true, - content: function () { - return $('#content-filter-types').html(); - } + { + html: true, + content: function () { + return $('#content-filter-types').html(); } + } ); $('#nav').affix( - { - offset: { - top: $('header').height() - } + { + offset: { + top: $('header').height() } + } ); }); @@ -301,12 +301,12 @@ function attachEvents() { showPopup(); $("a#share-group-next-link").hide(); var userRequest = $.ajax( - { - url: "api/user/all", - method: "GET", - contentType: "application/json", - accept: "application/json" - } + { + url: "api/user/all", + method: "GET", + contentType: "application/json", + accept: "application/json" + } ); userRequest.done(function (data, txtStatus, jqxhr) { var users = JSON.parse(data); 
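Review bot: The `render` callback in the first hunk still builds row markup by concatenating `row.owner` and `row.description` straight into attribute values (`'data-group-owner="' + row.owner + '" data-group-description="' + row.description + '">'`), so a description containing a double quote or angle brackets is inserted into the DOM unescaped; the element tags themselves are stripped in this rendering, so I cannot tell which elements carry them. Descriptions are user-supplied through the edit-group form later in this file (`$('#edit-group-description').val()` in L34), so build these elements with jQuery and set the values with `.attr('data-group-description', row.description)`, or pass them through an escaping helper before concatenation. The remaining hunks in this line are re-indentation only.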
@@ -360,23 +360,23 @@ function attachEvents() { showPopup(); $("a#remove-group-yes-link").click(function () { - var successCallback = function (data) { + var successCallback = function (data, textStatus, xhr) { data = JSON.parse(data); - if (data.status == 200) { + if (xhr.status == 200) { $(modalPopupContent).html($('#remove-group-200-content').html()); setTimeout(function () { hidePopup(); location.reload(false); }, 2000); } else { - displayErrors(status); + displayErrors(xhr); } }; invokerUtil.delete("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName, - successCallback, function (message) { - displayErrors(message.content); - }); + successCallback, function (message) { + displayErrors(message.content); + }); }); $("a#remove-group-cancel-link").click(function () { @@ -405,22 +405,22 @@ function attachEvents() { var newGroupDescription = $('#edit-group-description').val(); var group = {"name": newGroupName, "description": newGroupDescription, "owner": groupOwner}; - var successCallback = function (data) { + var successCallback = function (data, textStatus, xhr) { data = JSON.parse(data); - if (data.status == 200) { + if (xhr.status == 200) { setTimeout(function () { hidePopup(); location.reload(false); }, 2000); } else { - displayErrors(status); + displayErrors(xhr); } }; invokerUtil.put("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName, group, - successCallback, function (message) { - displayErrors(message.content); - }); + successCallback, function (message) { + displayErrors(message.content); + }); }); $("a#edit-group-cancel-link").click(function () { @@ -433,23 +433,23 @@ function getAllRoles(groupName, groupOwner, selectedUser) { $(modalPopupContent).html($('#share-group-w2-modal-content').html()); $('#user-roles').html('
'); $("a#share-group-yes-link").hide(); - var successCallback = function (data) { + var successCallback = function (data, textStatus, xhr) { data = JSON.parse(data); - if (data.status == 200) { - if (data.data.length > 0) { - generateRoleMap(groupName, groupOwner, selectedUser, data.data); + if (xhr.status == 200) { + if (data.length > 0) { + generateRoleMap(groupName, groupOwner, selectedUser, data); } else { $('#user-roles').html("There is no any roles for this group."); } } else { - displayErrors(status); + displayErrors(xhr); } }; invokerUtil.get("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName + "/share/roles", - successCallback, function (message) { - displayErrors(message.content); - }); + successCallback, function (message) { + displayErrors(message.content); + }); $("a#share-group-w2-cancel-link").click(function () { hidePopup(); @@ -457,10 +457,10 @@ function getAllRoles(groupName, groupOwner, selectedUser) { } function generateRoleMap(groupName, groupOwner, selectedUser, allRoles) { - var successCallback = function (data) { + var successCallback = function (data, textStatus, xhr) { data = JSON.parse(data); - if (data.status == 200) { - var userRoles = data.data; + if (xhr.status == 200) { + var userRoles = data; var roleMap = []; var str = ''; var isChecked = ''; @@ -474,20 +474,15 @@ function generateRoleMap(groupName, groupOwner, selectedUser, allRoles) { break; } } + roleMap.push(objRole); str += '    '; - roleMap.push(objRole); } $('#user-roles').html(str); $("a#share-group-yes-link").show(); - var isOngoing; + $("a#share-group-yes-link").show(); $("a#share-group-yes-link").click(function () { - if (isOngoing) { - return false; - } - $("a#share-group-yes-link").html("Wait..."); - isOngoing = true; for (var role in roleMap) { if ($('#user-role-' + roleMap[role].role).is(':checked') != roleMap[role].assigned) { roleMap[role].assigned = $('#user-role-' + roleMap[role].role).is(':checked'); 
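Review bot: The @@ -474 hunk drops the `isOngoing` guard and the `Wait...` label from the share-group click handler and leaves `$("a#share-group-yes-link").show();` in twice, so a user can now fire the role-update PUTs repeatedly while the first batch is still in flight; the duplicated `show()` looks like a leftover of the same edit. Restore the guard (the `var isOngoing;` declaration, the early `return false` when it is set, and `isOngoing = true` before the loop) or disable the link for the duration of the request, and delete one of the two `show()` calls. The handler's loop body continues in the next hunk.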
@@ -496,14 +491,14 @@ function generateRoleMap(groupName, groupOwner, selectedUser, allRoles) { } }); } else { - displayErrors(status); + displayErrors(xhr); } }; invokerUtil.get("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName + "/share/roles?userName=" + selectedUser, - successCallback, function (message) { - displayErrors(message.content); - }); + successCallback, function (message) { + displayErrors(message.content); + }); $("a#share-group-w2-cancel-link").click(function () { hidePopup(); @@ -511,9 +506,9 @@ function generateRoleMap(groupName, groupOwner, selectedUser, allRoles) { } function updateGroupShare(groupName, groupOwner, selectedUser, role) { - var successCallback = function (data) { + var successCallback = function (data, textStatus, xhr) { data = JSON.parse(data); - var status = data.status; + var status = xhr.status; if (status == 200) { $(modalPopupContent).html($('#share-group-200-content').html()); setTimeout(function () { @@ -521,14 +516,14 @@ function updateGroupShare(groupName, groupOwner, selectedUser, role) { location.reload(false); }, 2000); } else { - displayErrors(status); + displayErrors(xhr); } }; invokerUtil.put("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName + "/share/roles?userName=" + selectedUser, - role, successCallback, function (message) { - displayErrors(message.content); - }); + role, successCallback, function (message) { + displayErrors(message.content); + }); } function displayErrors(jqXHR) { @@ -555,4 +550,4 @@ function displayErrors(jqXHR) { }); console.log("Error code: " + jqXHR.status); } -} +} \ No newline at end of file From 33eed1f6cd0e5a4fb00610d411741af12256acbc Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:52:52 +0530 Subject: [PATCH 09/11] Adding permissions for roles updating --- .../src/main/webapp/META-INF/permissions.xml | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml index e00d1a93ac..c45be4b228 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml @@ -1035,6 +1035,13 @@ GET + + Group Roles + /device-mgt/user/groups/roles + /groups/owner/*/name/*/share/roles + PUT + + Group Permissions /device-mgt/admin/groups/roles/permissions From 92784120bd78bae03901020ce01c188a90c2f943 Mon Sep 17 00:00:00 2001 From: Charitha Goonetilleke Date: Tue, 3 May 2016 23:28:26 +0530 Subject: [PATCH 10/11] Add group sharing UI functionality --- .../carbon/device/mgt/jaxrs/api/Group.java | 40 +++++- .../src/main/webapp/META-INF/permissions.xml | 2 +- .../GroupManagementProviderService.java | 19 +-- .../GroupManagementProviderServiceImpl.java | 33 +++-- .../app/pages/cdmf.page.groups/groups.hbs | 24 +++- .../cdmf.page.groups/public/js/listing.js | 124 ++++++------------ 6 files changed, 139 insertions(+), 103 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java index 3528817568..cc0aa56dd9 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java 
@@ -30,6 +30,7 @@ import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser; import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService; import org.wso2.carbon.device.mgt.jaxrs.api.util.DeviceMgtAPIUtils; +import org.wso2.carbon.user.core.multiplecredentials.UserDoesNotExistException; import javax.ws.rs.Consumes; import javax.ws.rs.DELETE; @@ -42,6 +43,7 @@ import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.QueryParam; import javax.ws.rs.core.Response; +import java.util.Arrays; import java.util.Date; import java.util.List; @@ -261,8 +263,10 @@ public class Group { if (isShared) { return Response.status(Response.Status.OK).build(); } else { - return Response.status(Response.Status.NOT_FOUND).build(); + return Response.status(Response.Status.NOT_FOUND).entity("Group not found").build(); } + } catch (UserDoesNotExistException e) { + return Response.status(Response.Status.NOT_FOUND).entity(e.getMessage()).build(); } catch (GroupManagementException e) { log.error(e.getMessage(), e); return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(e.getMessage()).build(); @@ -281,8 +285,10 @@ public class Group { if (isUnShared) { return Response.status(Response.Status.OK).build(); } else { - return Response.status(Response.Status.NOT_FOUND).build(); + return Response.status(Response.Status.NOT_FOUND).entity("Group not found").build(); } + } catch (UserDoesNotExistException e) { + return Response.status(Response.Status.NOT_FOUND).entity(e.getMessage()).build(); } catch (GroupManagementException e) { log.error(e.getMessage(), e); return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(e.getMessage()).build(); 
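Review bot: The new `catch (UserDoesNotExistException e)` branches in the @@ -261 and @@ -281 hunks (and the same pattern in L39 and L40) copy `e.getMessage()` into the 404 body, so the share and unshare endpoints tell any caller allowed to reach them whether a given username exists. A fixed body such as `return Response.status(Response.Status.NOT_FOUND).entity("User not found").build();` with the original message kept for a debug log gives the client what it needs without that oracle. Only the catch blocks are visible; the method bodies start outside the hunks.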
@@ -346,6 +352,34 @@ public class Group { String[] rolesArray = new String[roles.size()]; roles.toArray(rolesArray); return Response.status(Response.Status.OK).entity(rolesArray).build(); + } catch (UserDoesNotExistException e) { + return Response.status(Response.Status.NOT_FOUND).entity(e.getMessage()).build(); + } catch (GroupManagementException e) { + log.error(e.getMessage(), e); + return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(e.getMessage()).build(); + } + } + + @PUT + @Path("/owner/{owner}/name/{groupName}/user/{userName}/share/roles") + @Produces("application/json") + public Response setRoles(@PathParam("groupName") String groupName, + @PathParam("owner") String owner, @PathParam("userName") String userName, + List selectedRoles) { + try { + List allRoles = DeviceMgtAPIUtils.getGroupManagementProviderService().getRoles(groupName, owner); + for (String role : allRoles) { + if (selectedRoles.contains(role)) { + DeviceMgtAPIUtils.getGroupManagementProviderService() + .shareGroup(userName, groupName, owner, role); + } else { + DeviceMgtAPIUtils.getGroupManagementProviderService() + .unshareGroup(userName, groupName, owner, role); + } + } + return Response.status(Response.Status.OK).build(); + } catch (UserDoesNotExistException e) { + return Response.status(Response.Status.NOT_FOUND).entity(e.getMessage()).build(); } catch (GroupManagementException e) { log.error(e.getMessage(), e); return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(e.getMessage()).build(); 
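Review bot: `setRoles` dereferences `selectedRoles` with `selectedRoles.contains(role)` without a null check, and a missing body is caught by neither of the two catch blocks nor rejected by a `@Consumes` declaration, so it surfaces as an unhandled NullPointerException rather than a 400; `if (selectedRoles == null) { return Response.status(Response.Status.BAD_REQUEST).entity("selectedRoles is required").build(); }` plus `@Consumes("application/json")` covers it. Nothing in the method ties the caller to the group: it shares and unshares on whatever `owner`/`groupName` the path names, so unless the `/device-mgt/user/groups/roles` mapping added in permissions.xml (L37, path updated in L40) is enforced per owner — which is not visible here — any user holding that permission can change the sharing of any group. The loop also applies shares and unshares one role at a time, so a `GroupManagementException` midway leaves the user with a partially updated role set and a 500. The `java.util.Arrays` import added in the @@ -42 hunk has no use in the visible hunks.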
@@ -452,6 +486,8 @@ public class Group { String[] permissions = DeviceMgtAPIUtils.getGroupManagementProviderService() .getPermissions(userName, groupName, owner); return Response.status(Response.Status.OK).entity(permissions).build(); + } catch (UserDoesNotExistException e) { + return Response.status(Response.Status.NOT_FOUND).entity(e.getMessage()).build(); } catch (GroupManagementException e) { log.error(e.getMessage(), e); return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(e.getMessage()).build(); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml index c45be4b228..89aa3f02f2 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml @@ -1038,7 +1038,7 @@ Group Roles /device-mgt/user/groups/roles - /groups/owner/*/name/*/share/roles + /groups/owner/*/name/*/user/*/share/roles PUT diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java index 67bb3dc4af..82564aec36 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java 
@@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup; import org.wso2.carbon.device.mgt.common.group.mgt.GroupAlreadyEixistException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser; +import org.wso2.carbon.user.core.multiplecredentials.UserDoesNotExistException; import java.util.List; @@ -148,10 +149,10 @@ public interface GroupManagementProviderService { * @param owner of the group * @param sharingRole to be shared * @return is group shared - * @throws GroupManagementException + * @throws GroupManagementException UserDoesNotExistException */ boolean shareGroup(String username, String groupName, String owner, String sharingRole) - throws GroupManagementException; + throws GroupManagementException, UserDoesNotExistException; /** * Un share existing group sharing with user specified by role @@ -161,10 +162,10 @@ public interface GroupManagementProviderService { * @param owner of the group * @param sharingRole to be un shared * @return is group un shared - * @throws GroupManagementException + * @throws GroupManagementException UserDoesNotExistException */ boolean unshareGroup(String userName, String groupName, String owner, String sharingRole) - throws GroupManagementException; + throws GroupManagementException, UserDoesNotExistException; /** * Add new sharing role for device group @@ -208,9 +209,10 @@ public interface GroupManagementProviderService { * @param groupName of the group * @param owner of the group * @return list of roles - * @throws GroupManagementException + * @throws GroupManagementException UserDoesNotExistException */ - List getRoles(String userName, String groupName, String owner) throws GroupManagementException; + List getRoles(String userName, String groupName, String owner) + throws GroupManagementException, UserDoesNotExistException; /** * Get device group users 
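Review bot: `@throws GroupManagementException UserDoesNotExistException` in each of the three changed Javadoc blocks here (and the one at L42) is a single tag with two type names, so Javadoc reads the second exception as the description of the first; each type wants its own tag. Replace each with `@throws GroupManagementException on group management failures` and `@throws UserDoesNotExistException if the given user does not exist`. The enclosing interface continues outside the hunks.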
@@ -284,9 +286,10 @@ public interface GroupManagementProviderService { * @param groupName of the group. * @param owner of the group. * @return array of permissions. - * @throws GroupManagementException + * @throws GroupManagementException UserDoesNotExistException */ - String[] getPermissions(String username, String groupName, String owner) throws GroupManagementException; + String[] getPermissions(String username, String groupName, String owner) + throws GroupManagementException, UserDoesNotExistException; /** * Get device groups of user with permission. diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderServiceImpl.java index e20e033735..6cecc185e0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderServiceImpl.java @@ -41,6 +41,7 @@ import org.wso2.carbon.user.api.Permission; import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreManager; +import org.wso2.carbon.user.core.multiplecredentials.UserDoesNotExistException; import org.wso2.carbon.user.core.util.UserCoreUtil; import java.sql.SQLException; 
@@ -379,7 +380,7 @@ public class GroupManagementProviderServiceImpl implements GroupManagementProvid */ @Override public boolean shareGroup(String username, String groupName, String owner, String sharingRole) - throws GroupManagementException { + throws GroupManagementException, UserDoesNotExistException { int groupId = getGroupId(groupName, owner); return modifyGroupShare(username, groupId, sharingRole, true); } @@ -389,14 +390,14 @@ public class GroupManagementProviderServiceImpl implements GroupManagementProvid */ @Override public boolean unshareGroup(String username, String groupName, String owner, String sharingRole) - throws GroupManagementException { + throws GroupManagementException, UserDoesNotExistException { int groupId = getGroupId(groupName, owner); return modifyGroupShare(username, groupId, sharingRole, false); } private boolean modifyGroupShare(String username, int groupId, String sharingRole, boolean isAddNew) - throws GroupManagementException { + throws GroupManagementException, UserDoesNotExistException { if (groupId == -1) { return false; } 
@@ -407,14 +408,21 @@ public class GroupManagementProviderServiceImpl implements GroupManagementProvid userStoreManager = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm( tenantId).getUserStoreManager(); + if (!userStoreManager.isExistingUser(username)) { + throw new UserDoesNotExistException("User not exists with name " + username); + } roles[0] = "Internal/group-" + groupId + "-" + sharingRole; - if (isAddNew) { + List currentRoles = getRoles(username, groupId); + if (isAddNew && !currentRoles.contains(sharingRole)) { userStoreManager.updateRoleListOfUser(username, null, roles); - } else { + } else if (!isAddNew && currentRoles.contains(sharingRole)) { userStoreManager.updateRoleListOfUser(username, roles, null); } return true; } catch (UserStoreException e) { + if (e instanceof UserDoesNotExistException) { + throw (UserDoesNotExistException) e; + } throw new GroupManagementException("User store error in adding user " + username + " to group name:" + groupId, e); } 
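Review bot: The new `throw new UserDoesNotExistException(...)` sits inside the `try` whose `catch (UserStoreException e)` follows, so it is caught immediately and rethrown through the `instanceof` cast; a dedicated clause ahead of the general one says the same thing without the cast: `} catch (UserDoesNotExistException e) { throw e; } catch (UserStoreException e) {`. The same pattern is repeated in `getRoles` in the next hunk. The existence check is also run twice per call, once here and again inside `getRoles(username, groupId)`, which the new `currentRoles` lookup invokes. Note too that the new add/remove guard depends on `getRoles`, which (as context in the next hunk shows) selects roles with `role.contains("Internal/group-" + groupId)`; that is a substring test, so for group 1 it also matches roles of groups 10, 11, …, and `currentRoles` can contain roles of other groups and make the guard skip a share or unshare that should happen — matching on `"Internal/group-" + groupId + "-"` would be exact.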
@@ -532,18 +540,23 @@ public class GroupManagementProviderServiceImpl implements GroupManagementProvid
      * {@inheritDoc}
      */
     @Override
-    public List getRoles(String username, String groupName, String owner) throws GroupManagementException {
+    public List getRoles(String username, String groupName, String owner)
+            throws GroupManagementException, UserDoesNotExistException {
         int groupId = getGroupId(groupName, owner);
         return getRoles(username, groupId);
     }
 
-    private List getRoles(String username, int groupId) throws GroupManagementException {
+    private List getRoles(String username, int groupId)
+            throws GroupManagementException, UserDoesNotExistException {
         UserStoreManager userStoreManager;
         List groupRoleList = new ArrayList<>();
         try {
             int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
             userStoreManager = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId)
                     .getUserStoreManager();
+            if (!userStoreManager.isExistingUser(username)) {
+                throw new UserDoesNotExistException("User not exists with name " + username);
+            }
             String[] roleList = userStoreManager.getRoleListOfUser(username);
             for (String role : roleList) {
                 if (role != null && role.contains("Internal/group-" + groupId)) {
@@ -553,6 +566,9 @@ public class GroupManagementProviderServiceImpl implements GroupManagementProvid
             }
             return groupRoleList;
         } catch (UserStoreException e) {
+            if (e instanceof UserDoesNotExistException) {
+                throw (UserDoesNotExistException) e;
+            }
             throw new GroupManagementException("Error occurred while getting user store manager.", e);
         }
     }
@@ -723,7 +739,8 @@ public class GroupManagementProviderServiceImpl implements GroupManagementProvid * {@inheritDoc} */ @Override - public String[] getPermissions(String username, String groupName, String owner) throws GroupManagementException { + public String[] getPermissions(String username, String groupName, String owner) + throws GroupManagementException, UserDoesNotExistException { UserRealm userRealm; int groupId = getGroupId(groupName, owner); List roles = getRoles(username, groupId); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/groups.hbs b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/groups.hbs index 259daf255f..71c940b6a2 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/groups.hbs +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/groups.hbs @@ -81,8 +81,12 @@
-

Select user to manage group sharing

-
Loading...
+

Enter user name to manage group sharing

+
+
+ + +
+ +
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js index 62944a0636..86f6768c0e 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js @@ -100,10 +100,10 @@ function loadGroups() { var currentUser = groupListing.data("currentUser"); var serviceURL; if ($.hasPermission("LIST_ALL_GROUPS")) { - serviceURL = "/devicemgt_admin/groups?start=0&rowCount=1000"; + serviceURL = "/devicemgt_admin/groups"; } else if ($.hasPermission("LIST_GROUPS")) { //Get authenticated users groups - serviceURL = "/devicemgt_admin/groups/user/" + currentUser + "?start=0&rowCount=1000"; + serviceURL = "/devicemgt_admin/groups/user/" + currentUser; } else { $("#loading-content").remove(); $('#device-table').addClass('hidden'); @@ -133,9 +133,7 @@ function loadGroups() { { targets: 0, data: 'id', className: 'remove-padding icon-only content-fill' , render: function ( data, type, row, meta ) { return '
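Review bot: Dropping `?start=0&rowCount=1000` from both `serviceURL` values in `loadGroups` changes the listing to whatever the groups endpoint returns by default; if the API still pages with a default `rowCount`, users with many groups will see a silently truncated table. Confirm the server-side default for these two endpoints, or keep the parameters. The rest of `loadGroups` is outside this hunk.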
'; }}, - { targets: 1, data: 'name', className: 'fade-edge' , render: function ( name, type, row, meta ) { - return '

' + name + '

'; - }}, + {targets: 1, data: 'name', className: 'fade-edge'}, { targets: 2, data: 'owner', className: 'fade-edge remove-padding-top'}, { targets: 3, data: 'id', className: 'text-right content-fill text-left-on-grid-view no-wrap' , render: function ( id, type, row, meta ) { @@ -293,58 +291,23 @@ function attachEvents() { * on Group Management page in WSO2 Device Management Server Console. */ $("a.share-group-link").click(function () { - var username = $("#group-listing").data("current-user"); var groupName = $(this).data("group-name"); var groupOwner = $(this).data("group-owner"); $(modalPopupContent).html($('#share-group-w1-modal-content').html()); - $('#user-names').html('
'); + $("a#share-group-next-link").show(); showPopup(); - $("a#share-group-next-link").hide(); - var userRequest = $.ajax( - { - url: "api/user/all", - method: "GET", - contentType: "application/json", - accept: "application/json" - } - ); - userRequest.done(function (data, txtStatus, jqxhr) { - var users = JSON.parse(data); - var status = jqxhr.status; - if (status == 200) { - var str = '
'; - if (!hasUsers) { - str = "There is no any other users registered"; - $('#user-names').html(str); - return; - } - $('#user-names').html(str); - $("a#share-group-next-link").show(); - $("a#share-group-next-link").click(function () { - var selectedUser = $('#share-user-selector').val(); - getAllRoles(groupName, groupOwner, selectedUser); - }); + $("a#share-group-next-link").click(function () { + var selectedUser = $('#share-user-selector').val(); + if (selectedUser == $("#group-listing").data("current-user")) { + $("#user-names").html("Please specify a user other than current user."); + $("a#share-group-next-link").hide(); } else { - displayErrors(status); + getAllRoles(groupName, groupOwner, selectedUser); } }); - userRequest.fail(function (jqXHR) { - displayErrors(jqXHR); - }); - $("a#share-group-w1-cancel-link").click(function () { hidePopup(); }); - }); /** @@ -375,7 +338,7 @@ function attachEvents() { invokerUtil.delete("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName, successCallback, function (message) { - displayErrors(message.content); + displayErrors(message); }); }); @@ -419,7 +382,7 @@ function attachEvents() { invokerUtil.put("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName, group, successCallback, function (message) { - displayErrors(message.content); + displayErrors(message); }); }); @@ -448,7 +411,7 @@ function getAllRoles(groupName, groupOwner, selectedUser) { invokerUtil.get("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName + "/share/roles", successCallback, function (message) { - displayErrors(message.content); + displayErrors(message); }); $("a#share-group-w2-cancel-link").click(function () { 
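Review bot: `selectedUser` now comes from a free-text field (`$('#share-user-selector').val()`) instead of a server-provided list, yet it is handed to `getAllRoles` and on to `updateGroupShare` unchanged, where it is concatenated into a URL query (`"/share/roles?userName=" + selectedUser`) and, in the last hunk of this file, a URL path segment (`"/user/" + selectedUser + "/share/roles"`). A name containing `/`, `?`, `#`, `%` or a space produces a different request than intended; encode it at the point of use, e.g. `"/user/" + encodeURIComponent(selectedUser) + "/share/roles"`, and read it here as `var selectedUser = $.trim($('#share-user-selector').val());`. The comparison with the `current-user` data attribute only shapes the UI; the server has to refuse a self-share on its own, and I can't confirm from these hunks that it does.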
@@ -461,34 +424,31 @@ function generateRoleMap(groupName, groupOwner, selectedUser, allRoles) { data = JSON.parse(data); if (xhr.status == 200) { var userRoles = data; - var roleMap = []; var str = ''; - var isChecked = ''; - for (var role in allRoles) { - var objRole = {"role": allRoles[role], "assigned": false}; - for (var usrRole in userRoles) { - if (allRoles[role] == userRoles[usrRole]) { - objRole.assigned = true; + for (var i = 0; i < allRoles.length; i++) { + var isChecked = ''; + for (var j = 0; j < userRoles.length; j++) { + if (allRoles[i] == userRoles[j]) { isChecked = 'checked'; break; } } - roleMap.push(objRole); - str += '    '; + str += '    '; } $('#user-roles').html(str); $("a#share-group-yes-link").show(); $("a#share-group-yes-link").show(); $("a#share-group-yes-link").click(function () { - for (var role in roleMap) { - if ($('#user-role-' + roleMap[role].role).is(':checked') != roleMap[role].assigned) { - roleMap[role].assigned = $('#user-role-' + roleMap[role].role).is(':checked'); - updateGroupShare(groupName, groupOwner, selectedUser, roleMap[role]); + var roles = []; + for (var i = 0; i < allRoles.length; i++) { + if ($('#user-role-' + allRoles[i]).is(':checked')) { + roles.push(allRoles[i]); } } + updateGroupShare(groupName, groupOwner, selectedUser, roles); }); } else { displayErrors(xhr); @@ -497,7 +457,7 @@ function generateRoleMap(groupName, groupOwner, selectedUser, allRoles) { invokerUtil.get("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName + "/share/roles?userName=" + selectedUser, successCallback, function (message) { - displayErrors(message.content); + displayErrors(message); }); $("a#share-group-w2-cancel-link").click(function () { 
@@ -505,25 +465,19 @@ function generateRoleMap(groupName, groupOwner, selectedUser, allRoles) { }); } -function updateGroupShare(groupName, groupOwner, selectedUser, role) { - var successCallback = function (data, textStatus, xhr) { - data = JSON.parse(data); - var status = xhr.status; - if (status == 200) { - $(modalPopupContent).html($('#share-group-200-content').html()); - setTimeout(function () { - hidePopup(); - location.reload(false); - }, 2000); - } else { - displayErrors(xhr); - } +function updateGroupShare(groupName, groupOwner, selectedUser, roles) { + var successCallback = function (data) { + $(modalPopupContent).html($('#share-group-200-content').html()); + setTimeout(function () { + hidePopup(); + location.reload(false); + }, 2000); }; - invokerUtil.put("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName + "/share/roles?userName=" + selectedUser, - role, successCallback, function (message) { - displayErrors(message.content); - }); + invokerUtil.put("/devicemgt_admin/groups/owner/" + groupOwner + "/name/" + groupName + "/user/" + selectedUser + "/share/roles", + roles, successCallback, function (message) { + displayErrors(message); + }); } function displayErrors(jqXHR) { @@ -538,6 +492,12 @@ function displayErrors(jqXHR) { $("a#group-403-link").click(function () { hidePopup(); }); + } else if (jqXHR.status == 404) { + $(modalPopupContent).html($('#group-404-content').html()); + $("#group-404-message").html(jqXHR.responseText); + $("a#group-404-link").click(function () { + hidePopup(); + }); } else if (jqXHR.status == 409) { $(modalPopupContent).html($('#group-409-content').html()); $("a#group-409-link").click(function () { From 8c62d9d64caee23616796dce922877a7c3164649 Mon Sep 17 00:00:00 2001 
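Review bot: The new 404 branch of `displayErrors` renders the response body with `$("#group-404-message").html(jqXHR.responseText)`; the 404 body produced elsewhere in this series is `e.getMessage()`, which embeds the user name that was just typed into the share dialog, so any markup in that name is interpreted as HTML instead of being shown. Use `$("#group-404-message").text(jqXHR.responseText);` so the body is displayed literally. The other branches of `displayErrors` lie outside the hunk and are worth checking for the same `.html(...)` pattern. In `updateGroupShare` the `successCallback` no longer inspects `xhr.status`, which is fine given the separate error callback, but its `data` parameter is now unused and could be dropped.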
From: Charitha Goonetilleke Date: Wed, 4 May 2016 00:07:48 +0530 Subject: [PATCH 11/11] Add authorization check for shared devices in groups --- .../DeviceAccessAuthorizationServiceImpl.java | 74 ++++++++----------- 1 file changed, 32 insertions(+), 42 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index 3e0dbceb75..d3d3ed09c0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java @@ -1,17 +1,17 @@ /* - * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. * * WSO2 Inc. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except * in compliance with the License. - * you may obtain a copy of the License at + * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the + * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ 
@@ -20,7 +20,6 @@ package org.wso2.carbon.device.mgt.core.authorization; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.wso2.carbon.CarbonConstants; import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.device.mgt.common.Device; import org.wso2.carbon.device.mgt.common.DeviceIdentifier; @@ -39,7 +38,6 @@ import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserStoreException; import java.util.HashMap; -import java.util.Iterator; import java.util.List; import java.util.Map; @@ -51,18 +49,6 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori private final static String EMM_ADMIN_PERMISSION = "/device-mgt/admin-device-access"; private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class); - public static final class PermissionMethod { - private PermissionMethod() { - throw new AssertionError(); - } - - public static final String READ = "read"; - public static final String WRITE = "write"; - public static final String DELETE = "delete"; - public static final String ACTION = "action"; - public static final String UI_EXECUTE = "ui.execute"; - } - public DeviceAccessAuthorizationServiceImpl() { try { this.addAdminPermissionToRegistry(); @@ -88,7 +74,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return false; } for (String groupPermission : groupPermissions) { - if (!checkGroupsPermission(username, tenantId, groupPermission)) { + if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) { //if at least one fails, authorization fails return false; } 
@@ -96,8 +82,8 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return true; } catch (GroupManagementException | UserStoreException e) { throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + - username, e); + deviceIdentifier.getId() + " for the user : " + + username, e); } } @@ -139,7 +125,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori //check for group permissions boolean isAuthorized = true; for (String groupPermission : groupPermissions) { - if (!checkGroupsPermission(username, tenantId, groupPermission)) { + if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) { //if at least one failed, authorizations fails and break the loop isAuthorized = false; break; @@ -152,8 +138,8 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } } catch (GroupManagementException | UserStoreException e) { throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + - username, e); + deviceIdentifier.getId() + " for the user : " + + username, e); } } } 
@@ -191,25 +177,17 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         }
     }
 
-    private boolean checkGroupsPermission(String username, int tenantId, String groupPermission)
+    private boolean isAuthorizedViaGroup(String username, DeviceIdentifier deviceIdentifier, String groupPermission)
             throws GroupManagementException, UserStoreException {
-        List groups =
-                DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
-                groupPermission);
-        UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
-        if (userRealm != null && userRealm.getAuthorizationManager() != null) {
-            Iterator groupIterator = groups.iterator();
-            while (groupIterator.hasNext()) {
-                DeviceGroup deviceGroup = groupIterator.next();
-                Iterator rolesIterator = deviceGroup.getRoles().iterator();
-                while (rolesIterator.hasNext()) {
-                    String role = rolesIterator.next();
-                    if (userRealm.getAuthorizationManager().isRoleAuthorized(
-                            "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
-                            CarbonConstants.UI_PERMISSION_ACTION)) {
-                        return true;
-                    }
-                }
+        List authorizedGroups =
+                DeviceManagementDataHolder.getInstance().getGroupManagementProviderService()
+                        .getGroups(username, groupPermission);
+        List groupsWithDevice =
+                DeviceManagementDataHolder.getInstance().getGroupManagementProviderService()
+                        .getGroups(deviceIdentifier);
+        for (DeviceGroup group : authorizedGroups) {
+            if (groupsWithDevice.contains(group)) {
+                return true;
             }
         }
         return false;
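Review bot: `groupsWithDevice.contains(group)` makes the authorization decision through `DeviceGroup.equals`, which is not visible here; if `DeviceGroup` does not override it, two separately loaded instances of the same group never compare equal and every group-based check fails closed, while an override that ignores the group id could match the wrong group. Compare by group id explicitly, and hoist the `getGroups(deviceIdentifier)` lookup, which does not depend on `groupPermission`, out of the `for (String groupPermission : groupPermissions)` loops in the two callers shown in the earlier hunks, since it is currently repeated once per permission. The removed body also consulted `AuthorizationManager.isRoleAuthorized(...)` for each group role; the new body relies entirely on `getGroups(username, groupPermission)` having applied that permission filter, which I can't confirm from this diff. `UserStoreException` in the `throws` clause no longer appears to be thrown by anything in the new body; the method's closing brace is outside the hunk.
```java
    private boolean isAuthorizedViaGroup(String username, DeviceIdentifier deviceIdentifier, String groupPermission)
            throws GroupManagementException, UserStoreException {
        // … unchanged: authorizedGroups / groupsWithDevice lookups …
        for (DeviceGroup group : authorizedGroups) {
            for (DeviceGroup groupWithDevice : groupsWithDevice) {
                // Match on the group id rather than DeviceGroup.equals(); assumes getId() returns a
                // primitive — use equals() here if it is boxed.
                if (group.getId() == groupWithDevice.getId()) {
                    return true;
                }
            }
        }
        return false;
```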
@@ -285,4 +263,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } return ownershipData; } + + public static final class PermissionMethod { + public static final String READ = "read"; + public static final String WRITE = "write"; + public static final String DELETE = "delete"; + public static final String ACTION = "action"; + public static final String UI_EXECUTE = "ui.execute"; + + private PermissionMethod() { + throw new AssertionError(); + } + } } \ No newline at end of file