From 510a90a59f5efbf3618d83a69d1b25c174462b92 Mon Sep 17 00:00:00 2001
From: Amalka Subasinghe <amalkasubasinghe@gmail.com>
Date: Fri, 9 Jul 2021 14:46:28 +0530
Subject: [PATCH] bug fixing authorize flow

---
 .../cache/APIResourcePermissionCacheKey.java  | 64 --------------
 ...APIResourcePermissionCacheManagerImpl.java | 84 -------------------
 .../core/internal/UserRoleCreateObserver.java | 42 ++++++++--
 .../mgt/APIResourcePermissions.java}          | 23 +++--
 .../mgt/PermissionManagerServiceImpl.java     | 14 +---
 .../mgt/core/util/DeviceManagerUtil.java      | 16 ----
 .../framework/WebappAuthenticationValve.java  |  4 +-
 .../authorizer/PermissionAuthorizer.java      |  4 +
 8 files changed, 60 insertions(+), 191 deletions(-)
 delete mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java
 delete mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java
 rename components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/{cache/APIResourcePermissionCacheManager.java => permission/mgt/APIResourcePermissions.java} (50%)

diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java
deleted file mode 100644
index 2db061a6d0..0000000000
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.wso2.carbon.device.mgt.core.cache;
-
-import java.util.Objects;
-
-public class APIResourcePermissionCacheKey {
-
-    private String context;
-    private volatile int hashCode;
-
-    public APIResourcePermissionCacheKey(String context) {
-        this.context = context;
-    }
-
-
-    public String getContext() {
-        return context;
-    }
-
-    public void setContext(String context) {
-        this.context = context;
-    }
-
-    @Override
-    public boolean equals(Object obj) {
-        if (obj == null) {
-            return false;
-        }
-        if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) {
-            return false;
-        }
-        final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj;
-        String thisId = this.context;
-        String otherId = other.context;
-        if (!thisId.equals(otherId)) {
-            return false;
-        }
-        return true;
-    }
-
-    @Override
-    public int hashCode() {
-        if (hashCode == 0) {
-            hashCode = Objects.hash(context);
-        }
-        return hashCode;
-    }
-}
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java
deleted file mode 100644
index 3b08a8d8b2..0000000000
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.wso2.carbon.device.mgt.core.cache.impl;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
-import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
-import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager;
-import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
-
-import javax.cache.Cache;
-import java.util.List;
-
-public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager {
-
-
-    private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class);
-
-    private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager;
-
-    private APIResourcePermissionCacheManagerImpl() {
-    }
-
-    public static APIResourcePermissionCacheManagerImpl getInstance() {
-        if (apiResourceCacgeManager == null) {
-            synchronized (APIResourcePermissionCacheManagerImpl.class) {
-                if (apiResourceCacgeManager == null) {
-                    apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl();
-                }
-            }
-        }
-        return apiResourceCacgeManager;
-    }
-
-
-    @Override
-    public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
-        Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
-        if (lCache != null) {
-            if (lCache.containsKey(cacheKey)) {
-                this.updateAPIResourcePermissionInCache(cacheKey, permissions);
-            } else {
-                lCache.put(cacheKey, permissions);
-            }
-        }
-    }
-
-    @Override
-    public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
-
-        Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
-        if (lCache != null) {
-            if (lCache.containsKey(cacheKey)) {
-                lCache.replace(cacheKey, permissions);
-            }
-        }
-
-    }
-
-    @Override
-    public List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) {
-        Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
-        if (lCache != null) {
-            return lCache.get(cacheKey);
-        }
-        return null;
-    }
-}
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java
index ce16866524..5fb9509629 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java
@@ -21,6 +21,8 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.core.ServerStartupObserver;
 import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
+import org.wso2.carbon.user.api.AuthorizationManager;
+import org.wso2.carbon.user.api.Permission;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.api.UserStoreManager;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
@@ -35,20 +37,42 @@ public class UserRoleCreateObserver implements ServerStartupObserver {
     @Override
     public void completedServerStartup() {
         String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
-        String tenantAdminName = "admin";
 
         try {
             UserStoreManager userStoreManager =
                     DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(
                             MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager();
-            userStoreManager.addRole(
-                    DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
-                    new String[]{tenantAdminName},
-                    DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN);
-            userStoreManager.addRole(
-                    DeviceManagementConstants.User.DEFAULT_DEVICE_USER,
-                    new String[]{tenantAdminName},
-                    DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER);
+            String tenantAdminName =
+                    DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(
+                            MultitenantConstants.SUPER_TENANT_ID).getRealmConfiguration().getAdminUserName();
+            AuthorizationManager authorizationManager = DeviceManagementDataHolder.getInstance().getRealmService()
+                    .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getAuthorizationManager();
+
+            if (!userStoreManager.isExistingRole(DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN)) {
+                userStoreManager.addRole(
+                        DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
+                        null,
+                        DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN);
+            } else {
+                for (Permission permission : DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN) {
+                    authorizationManager.authorizeRole(DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
+                            permission.getResourceId(), permission.getAction());
+                }
+            }
+            if (!userStoreManager.isExistingRole(DeviceManagementConstants.User.DEFAULT_DEVICE_USER)) {
+                userStoreManager.addRole(
+                        DeviceManagementConstants.User.DEFAULT_DEVICE_USER,
+                        null,
+                        DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER);
+            } else {
+                for (Permission permission : DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER) {
+                    authorizationManager.authorizeRole(DeviceManagementConstants.User.DEFAULT_DEVICE_USER,
+                            permission.getResourceId(), permission.getAction());
+                }
+            }
+            userStoreManager.updateRoleListOfUser(tenantAdminName, null,
+                    new String[] {DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
+                            DeviceManagementConstants.User.DEFAULT_DEVICE_USER});
 
             if (log.isDebugEnabled()) {
                 log.debug("Device management roles: " + DeviceManagementConstants.User.DEFAULT_DEVICE_USER + ", " +
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/APIResourcePermissions.java
similarity index 50%
rename from components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java
rename to components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/APIResourcePermissions.java
index 4dac439cc4..703d9f6eda 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/APIResourcePermissions.java
@@ -4,9 +4,9 @@
  * WSO2 Inc. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
- * You may obtain a copy of the License at
+ * you may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
@@ -15,17 +15,26 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.wso2.carbon.device.mgt.core.cache;
+package org.wso2.carbon.device.mgt.core.permission.mgt;
 
 import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
-public interface APIResourcePermissionCacheManager {
+public class APIResourcePermissions {
+    private Map<String, List<Permission>> apiResourcePermissions;
 
-    void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
+    public APIResourcePermissions() {
+        apiResourcePermissions = new HashMap<>();
+    }
 
-    void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
+    public void addPermissionList(String context, List<Permission> permissions){
+        apiResourcePermissions.put(context, permissions);
+    }
 
-    List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey);
+    public List<Permission> getPermissions(String context) {
+        return apiResourcePermissions.get(context);
+    }
 }
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java
index c2591a1df6..8a222ea3f1 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java
@@ -18,16 +18,11 @@
 
 package org.wso2.carbon.device.mgt.core.permission.mgt;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
-import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
-import org.wso2.carbon.device.mgt.core.cache.impl.APIResourcePermissionCacheManagerImpl;
 
 import java.util.List;
-import java.util.Properties;
 
 /**
  * This class will add, update custom permissions defined in permission.xml in webapps and it will
@@ -36,7 +31,7 @@ import java.util.Properties;
 public class PermissionManagerServiceImpl implements PermissionManagerService {
 
     private static PermissionManagerServiceImpl registryBasedPermissionManager;
-
+    private static APIResourcePermissions apiResourcePermissions;
     private PermissionManagerServiceImpl() {
     }
 
@@ -45,6 +40,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
             synchronized (PermissionManagerServiceImpl.class) {
                 if (registryBasedPermissionManager == null) {
                     registryBasedPermissionManager = new PermissionManagerServiceImpl();
+                    apiResourcePermissions = new APIResourcePermissions();
                 }
             }
         }
@@ -57,8 +53,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
             for (Permission permission : permissions) {
                 PermissionUtils.putPermission(permission);
             }
-            APIResourcePermissionCacheManagerImpl.getInstance().addAPIResourcePermissionToCache(
-                    new APIResourcePermissionCacheKey(context), permissions);
+            apiResourcePermissions.addPermissionList(context, permissions);
         } catch (PermissionManagementException e) {
             return false;
         }
@@ -67,7 +62,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
 
     @Override
     public List<Permission> getPermission(String context) throws PermissionManagementException {
-        return APIResourcePermissionCacheManagerImpl.getInstance().getAPIResourceRermissionFromCache(
-                new APIResourcePermissionCacheKey(context));
+        return apiResourcePermissions.getPermissions(context);
     }
 }
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java
index f83e19c62f..d13a0bebe0 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java
@@ -76,7 +76,6 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManagementExcept
 import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition;
 import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
-import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
 import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey;
 import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey;
 import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
@@ -724,21 +723,6 @@ public final class DeviceManagerUtil {
         return deviceCache;
     }
 
-    public static Cache<APIResourcePermissionCacheKey, List<Permission>> getAPIResourcePermissionCache() {
-        CacheManager manager = getCacheManager();
-        Cache<APIResourcePermissionCacheKey, List<Permission>> apiResourcePermissionCache = null;
-            if(!isAPIResourcePermissionCacheInitialized) {
-                initializeAPIResourcePermissionCache();
-            }
-            if (manager != null) {
-                apiResourcePermissionCache = manager.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
-            } else {
-                apiResourcePermissionCache =  Caching.getCacheManager(DeviceManagementConstants.DM_CACHE_MANAGER)
-                        .getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
-            }
-        return apiResourcePermissionCache;
-    }
-
     /**
      * Get geofence cache object
      * @return {@link Cache<GeoCacheKey, GeofenceData>}
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
index 6547c48f35..9e73d08ffb 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
@@ -21,6 +21,7 @@ package org.wso2.carbon.webapp.authenticator.framework;
 import org.apache.catalina.Context;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.owasp.encoder.Encode;
@@ -194,7 +195,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
                 ctx = tokenizer.nextToken();
             }
         }
-        return ("carbon".equalsIgnoreCase(ctx) || "services".equalsIgnoreCase(ctx));
+        return ("carbon".equalsIgnoreCase(ctx) || "services".equalsIgnoreCase(ctx)
+                || "oauth2".equalsIgnoreCase(ctx));
     }
 
     private boolean isNonSecuredEndPoint(Request request) {
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
index dd3e8cceff..eb09e815df 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
@@ -46,6 +46,10 @@ public class PermissionAuthorizer {
             return WebappAuthenticator.Status.CONTINUE;
         }
 
+        if (requestUri.endsWith("/")) {
+            requestUri = requestUri.substring(0, requestUri.length() - 1);
+        }
+
         PermissionManagerService registryBasedPermissionManager =
                 PermissionManagerServiceImpl.getInstance();
         List<Permission> matchingPermissions = null;