|
|
|
@ -1,17 +1,17 @@
|
|
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
|
|
|
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
|
|
|
*
|
|
|
|
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
|
|
|
|
* Version 2.0 (the "License"); you may not use this file except
|
|
|
|
|
* in compliance with the License.
|
|
|
|
|
* you may obtain a copy of the License at
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing,
|
|
|
|
|
* software distributed under the License is distributed on an
|
|
|
|
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
|
|
|
* KIND, either express or implied. See the License for the
|
|
|
|
|
* KIND, either express or implied. See the License for the
|
|
|
|
|
* specific language governing permissions and limitations
|
|
|
|
|
* under the License.
|
|
|
|
|
*/
|
|
|
|
@ -20,7 +20,6 @@ package org.wso2.carbon.device.mgt.core.authorization;
|
|
|
|
|
|
|
|
|
|
import org.apache.commons.logging.Log;
|
|
|
|
|
import org.apache.commons.logging.LogFactory;
|
|
|
|
|
import org.wso2.carbon.CarbonConstants;
|
|
|
|
|
import org.wso2.carbon.context.CarbonContext;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.Device;
|
|
|
|
|
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
|
|
|
|
@ -39,7 +38,6 @@ import org.wso2.carbon.user.api.UserRealm;
|
|
|
|
|
import org.wso2.carbon.user.api.UserStoreException;
|
|
|
|
|
|
|
|
|
|
import java.util.HashMap;
|
|
|
|
|
import java.util.Iterator;
|
|
|
|
|
import java.util.List;
|
|
|
|
|
import java.util.Map;
|
|
|
|
|
|
|
|
|
@ -51,18 +49,6 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
private final static String EMM_ADMIN_PERMISSION = "/device-mgt/admin-device-access";
|
|
|
|
|
private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class);
|
|
|
|
|
|
|
|
|
|
public static final class PermissionMethod {
|
|
|
|
|
private PermissionMethod() {
|
|
|
|
|
throw new AssertionError();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static final String READ = "read";
|
|
|
|
|
public static final String WRITE = "write";
|
|
|
|
|
public static final String DELETE = "delete";
|
|
|
|
|
public static final String ACTION = "action";
|
|
|
|
|
public static final String UI_EXECUTE = "ui.execute";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public DeviceAccessAuthorizationServiceImpl() {
|
|
|
|
|
try {
|
|
|
|
|
this.addAdminPermissionToRegistry();
|
|
|
|
@ -88,7 +74,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
for (String groupPermission : groupPermissions) {
|
|
|
|
|
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
|
|
|
|
|
if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) {
|
|
|
|
|
//if at least one fails, authorization fails
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
@ -96,8 +82,8 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
return true;
|
|
|
|
|
} catch (GroupManagementException | UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -139,7 +125,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
//check for group permissions
|
|
|
|
|
boolean isAuthorized = true;
|
|
|
|
|
for (String groupPermission : groupPermissions) {
|
|
|
|
|
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
|
|
|
|
|
if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) {
|
|
|
|
|
//if at least one failed, authorizations fails and break the loop
|
|
|
|
|
isAuthorized = false;
|
|
|
|
|
break;
|
|
|
|
@ -152,8 +138,8 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
}
|
|
|
|
|
} catch (GroupManagementException | UserStoreException e) {
|
|
|
|
|
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
deviceIdentifier.getId() + " for the user : " +
|
|
|
|
|
username, e);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
@ -191,25 +177,17 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private boolean checkGroupsPermission(String username, int tenantId, String groupPermission)
|
|
|
|
|
private boolean isAuthorizedViaGroup(String username, DeviceIdentifier deviceIdentifier, String groupPermission)
|
|
|
|
|
throws GroupManagementException, UserStoreException {
|
|
|
|
|
List<DeviceGroup> groups =
|
|
|
|
|
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
|
|
|
|
|
groupPermission);
|
|
|
|
|
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
|
|
|
|
|
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
|
|
|
|
|
Iterator<DeviceGroup> groupIterator = groups.iterator();
|
|
|
|
|
while (groupIterator.hasNext()) {
|
|
|
|
|
DeviceGroup deviceGroup = groupIterator.next();
|
|
|
|
|
Iterator<String> rolesIterator = deviceGroup.getRoles().iterator();
|
|
|
|
|
while (rolesIterator.hasNext()) {
|
|
|
|
|
String role = rolesIterator.next();
|
|
|
|
|
if (userRealm.getAuthorizationManager().isRoleAuthorized(
|
|
|
|
|
"Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
|
|
|
|
|
CarbonConstants.UI_PERMISSION_ACTION)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
List<DeviceGroup> authorizedGroups =
|
|
|
|
|
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService()
|
|
|
|
|
.getGroups(username, groupPermission);
|
|
|
|
|
List<DeviceGroup> groupsWithDevice =
|
|
|
|
|
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService()
|
|
|
|
|
.getGroups(deviceIdentifier);
|
|
|
|
|
for (DeviceGroup group : authorizedGroups) {
|
|
|
|
|
if (groupsWithDevice.contains(group)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
@ -285,4 +263,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
|
|
|
|
}
|
|
|
|
|
return ownershipData;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static final class PermissionMethod {
|
|
|
|
|
public static final String READ = "read";
|
|
|
|
|
public static final String WRITE = "write";
|
|
|
|
|
public static final String DELETE = "delete";
|
|
|
|
|
public static final String ACTION = "action";
|
|
|
|
|
public static final String UI_EXECUTE = "ui.execute";
|
|
|
|
|
|
|
|
|
|
private PermissionMethod() {
|
|
|
|
|
throw new AssertionError();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|