From 8c62d9d64caee23616796dce922877a7c3164649 Mon Sep 17 00:00:00 2001 From: Charitha Goonetilleke Date: Wed, 4 May 2016 00:07:48 +0530 Subject: [PATCH] Add authorization check for shared devices in groups --- .../DeviceAccessAuthorizationServiceImpl.java | 74 ++++++++----------- 1 file changed, 32 insertions(+), 42 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index 3e0dbceb75..d3d3ed09c0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java @@ -1,17 +1,17 @@ /* - * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. * * WSO2 Inc. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except * in compliance with the License. - * you may obtain a copy of the License at + * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the + * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ @@ -20,7 +20,6 @@ package org.wso2.carbon.device.mgt.core.authorization; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.wso2.carbon.CarbonConstants; import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.device.mgt.common.Device; import org.wso2.carbon.device.mgt.common.DeviceIdentifier; @@ -39,7 +38,6 @@ import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserStoreException; import java.util.HashMap; -import java.util.Iterator; import java.util.List; import java.util.Map; @@ -51,18 +49,6 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori private final static String EMM_ADMIN_PERMISSION = "/device-mgt/admin-device-access"; private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class); - public static final class PermissionMethod { - private PermissionMethod() { - throw new AssertionError(); - } - - public static final String READ = "read"; - public static final String WRITE = "write"; - public static final String DELETE = "delete"; - public static final String ACTION = "action"; - public static final String UI_EXECUTE = "ui.execute"; - } - public DeviceAccessAuthorizationServiceImpl() { try { this.addAdminPermissionToRegistry(); @@ -88,7 +74,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return false; } for (String groupPermission : groupPermissions) { - if (!checkGroupsPermission(username, tenantId, groupPermission)) { + if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) { //if at least one fails, authorization fails return false; } @@ -96,8 +82,8 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return true; } catch (GroupManagementException | UserStoreException e) { throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + - username, e); + deviceIdentifier.getId() + " for the user : " + + username, e); } } @@ -139,7 +125,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori //check for group permissions boolean isAuthorized = true; for (String groupPermission : groupPermissions) { - if (!checkGroupsPermission(username, tenantId, groupPermission)) { + if (!isAuthorizedViaGroup(username, deviceIdentifier, groupPermission)) { //if at least one failed, authorizations fails and break the loop isAuthorized = false; break; @@ -152,8 +138,8 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } } catch (GroupManagementException | UserStoreException e) { throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + - deviceIdentifier.getId() + " for the user : " + - username, e); + deviceIdentifier.getId() + " for the user : " + + username, e); } } } @@ -191,25 +177,17 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } } - private boolean checkGroupsPermission(String username, int tenantId, String groupPermission) + private boolean isAuthorizedViaGroup(String username, DeviceIdentifier deviceIdentifier, String groupPermission) throws GroupManagementException, UserStoreException { - List groups = - DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username, - groupPermission); - UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); - if (userRealm != null && userRealm.getAuthorizationManager() != null) { - Iterator groupIterator = groups.iterator(); - while (groupIterator.hasNext()) { - DeviceGroup deviceGroup = groupIterator.next(); - Iterator rolesIterator = deviceGroup.getRoles().iterator(); - while (rolesIterator.hasNext()) { - String role = rolesIterator.next(); - if (userRealm.getAuthorizationManager().isRoleAuthorized( - "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission, - CarbonConstants.UI_PERMISSION_ACTION)) { - return true; - } - } + List authorizedGroups = + DeviceManagementDataHolder.getInstance().getGroupManagementProviderService() + .getGroups(username, groupPermission); + List groupsWithDevice = + DeviceManagementDataHolder.getInstance().getGroupManagementProviderService() + .getGroups(deviceIdentifier); + for (DeviceGroup group : authorizedGroups) { + if (groupsWithDevice.contains(group)) { + return true; } } return false; @@ -285,4 +263,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } return ownershipData; } + + public static final class PermissionMethod { + public static final String READ = "read"; + public static final String WRITE = "write"; + public static final String DELETE = "delete"; + public static final String ACTION = "action"; + public static final String UI_EXECUTE = "ui.execute"; + + private PermissionMethod() { + throw new AssertionError(); + } + } } \ No newline at end of file