From 14ead035d71d38eb7dfd3736cea7d428b901dcc9 Mon Sep 17 00:00:00 2001 From: ayyoob Date: Thu, 12 May 2016 13:39:44 +0530 Subject: [PATCH] few changed mqtt authoriser --- modules/distribution/src/assembly/bin.xml | 24 +----- .../pom.xml | 13 ++-- .../DeviceAccessBasedMQTTAuthorizer.java | 77 +++++++++++++------ .../internal/AuthorizationDataHolder.java | 10 --- .../AuthorizationServiceComponent.java | 21 ----- .../pom.xml | 1 - .../ConnectedCupMQttTransportHandler.java | 2 +- .../impl/ConnectedCupManagerService.java | 2 +- 8 files changed, 65 insertions(+), 85 deletions(-) diff --git a/modules/distribution/src/assembly/bin.xml b/modules/distribution/src/assembly/bin.xml index 7b510fdd..db7463cb 100644 --- a/modules/distribution/src/assembly/bin.xml +++ b/modules/distribution/src/assembly/bin.xml @@ -1344,33 +1344,17 @@ - ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/devicemgt-config.xml + ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/mqtt.properties - ${pom.artifactId}-${pom.version}/repository/conf/iot - true - 644 - - - - ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/mqtt.properties - - ${pom.artifactId}-${pom.version}/repository/conf/iot - true - 644 - - - - ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/xmpp.properties - - ${pom.artifactId}-${pom.version}/repository/conf/iot + ${pom.artifactId}-${pom.version}/repository/conf/etc true 644 - ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/iot/devicemgt-config.xsd + ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/xmpp.properties - ${pom.artifactId}-${pom.version}/repository/conf/iot + ${pom.artifactId}-${pom.version}/repository/conf/etc true 644 
diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/pom.xml b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/pom.xml index 02887f66..61a8ba37 100644 --- a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/pom.xml +++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/pom.xml @@ -47,12 +47,12 @@ andes - org.wso2.carbon.devicemgt - org.wso2.carbon.device.mgt.core + org.wso2.carbon + org.wso2.carbon.user.api - org.wso2.carbon.devicemgt - org.wso2.carbon.device.mgt.common + org.wso2.carbon + org.wso2.carbon.user.core @@ -83,12 +83,11 @@ org.wso2.andes.configuration.enums, org.wso2.andes.mqtt, org.wso2.carbon.context, - org.wso2.carbon.device.mgt.common, - org.wso2.carbon.device.mgt.common.authorization, org.apache.commons.logging, org.osgi.service.component, org.wso2.carbon.user.core.service, - org.wso2.carbon.user.core.tenant + org.wso2.carbon.user.core.tenant, + org.wso2.carbon.user.api diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java index 4afc5e1c..4fe70693 100644 --- a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java 
+++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java @@ -24,8 +24,10 @@ import org.wso2.andes.configuration.enums.MQTTAuthoriztionPermissionLevel; import org.wso2.andes.mqtt.MQTTAuthorizationSubject; import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal.AuthorizationDataHolder; import org.wso2.carbon.context.PrivilegedCarbonContext; -import org.wso2.carbon.device.mgt.common.DeviceIdentifier; -import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; + +import java.util.List; /** * Authorize the connecting users against Carbon Permission Model. Intended usage is 
@@ -35,35 +37,32 @@ import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorization */ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer { private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class); + private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user"; + private static final String SCOPE_IDENTIFIER = "scope"; + /** * {@inheritDoc} Authorize the user against carbon device mgt model. */ @Override public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic, MQTTAuthoriztionPermissionLevel permissionLevel) { - try { - String topics[] = topic.split("/"); - if (topics.length < 3) { - return false; - } - String tenantIdFromTopic = topics[0]; - if (!tenantIdFromTopic.equals(authorizationSubject.getTenantDomain())) { - return false; + String topics[] = topic.split("/"); + if (topics.length < 3) { + return false; + } + String tenantIdFromTopic = topics[0]; + if (!tenantIdFromTopic.equals(authorizationSubject.getTenantDomain())) { + return false; + } + String deviceTypeFromTopic = topics[1]; + String deviceIdFromTopic = topics[2]; + List scopes = (List) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER); + if (scopes != null) { + for (String scope : scopes) { + //TODO : have to validate token with scopes. 
} - String deviceTypeFromTopic = topics[1]; - String deviceIdFromTopic = topics[2]; - PrivilegedCarbonContext.startTenantFlow(); - PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain( - authorizationSubject.getTenantDomain(), true); - PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(authorizationSubject.getUsername()); - return AuthorizationDataHolder.getInstance().getDeviceAccessAuthorizationService().isUserAuthorized( - new DeviceIdentifier(deviceIdFromTopic, deviceTypeFromTopic)); - } catch (DeviceAccessAuthorizationException e) { - logger.error("Failed on Device Access Authorization for user " + authorizationSubject.getUsername(), e); - } finally { - PrivilegedCarbonContext.endTenantFlow(); } - return false; + return true; } /** 
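Review bot: The `return true;` that replaces `return false;` at the end of this hunk grants topic access to any client whose tenant domain equals `topics[0]`: the old device-level check (`isUserAuthorized(new DeviceIdentifier(deviceIdFromTopic, deviceTypeFromTopic))`) is removed and the new `for (String scope : scopes)` loop contains only a TODO, so every authenticated client in a tenant appears to be authorized for every device topic in that tenant, regardless of `permissionLevel`. The unused `deviceTypeFromTopic`, `deviceIdFromTopic` and `permissionLevel` are the visible symptom of the missing check. Until scope validation exists the method should fail closed rather than open, e.g. `if (scopes == null || scopes.isEmpty()) { return false; }` before the loop, and the loop should only return `true` when a scope actually matches the device type and id from the topic, falling through to `return false;`. The raw `(List)` cast from `getProperties()` also needs either an element-type check or a `List<String>` local with `@SuppressWarnings("unchecked")` and a comment naming the expected value type.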
@@ -71,6 +70,36 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer { */ @Override public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) { - return true; + return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, "ui.execute"); + } + + /** + * Check whether the client is authorized with the given permission and action. + * + * @param authorizationSubject this contains the client information + * @param permission Carbon permission that requires for the use + * @param action Carbon permission action that requires for the given permission. + * @return boolean - true if user is authorized else return false. + */ + private boolean isUserAuthorized(MQTTAuthorizationSubject authorizationSubject, String permission, String action) { + String username = authorizationSubject.getUsername(); + try { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain( + authorizationSubject.getTenantDomain(), true); + int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(); + UserRealm userRealm = AuthorizationDataHolder.getInstance().getRealmService() + .getTenantUserRealm(tenantId); + if (userRealm != null && userRealm.getAuthorizationManager() != null) { + return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action); + } + return false; + } catch (UserStoreException e) { + String errorMsg = String.format("Unable to authorize the user : %s", username); + logger.error(errorMsg, e); + return false; + } finally { + PrivilegedCarbonContext.endTenantFlow(); + } } } \ No newline at end of file 
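Review bot: `isUserAuthorized` dereferences `AuthorizationDataHolder.getInstance().getRealmService()` without a null check, although the holder's realm service is cleared by `unsetRealmService` (`setRealmService(null)` in AuthorizationServiceComponent in this same patch), so a connection attempt during a dynamic rebind would raise a `NullPointerException` that the `catch (UserStoreException e)` block does not cover; how the broker treats an exception escaping the authorizer is not visible here. Make the method fail closed with an explicit guard before the realm lookup, e.g. `if (AuthorizationDataHolder.getInstance().getRealmService() == null) { logger.error("Realm service unavailable, denying user " + username); return false; }`. As a style point, `"ui.execute"` is a bare literal next to the `CONNECTION_PERMISSION` constant; declare it alongside as `private static final String CONNECT_ACTION = "ui.execute";` and pass that from `isAuthorizedToConnect`. The file is also left without a trailing newline.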
diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationDataHolder.java b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationDataHolder.java index e14e4cdd..c2d9e967 100644 --- a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationDataHolder.java +++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationDataHolder.java @@ -18,7 +18,6 @@ package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal; -import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.tenant.TenantManager; @@ -26,7 +25,6 @@ public class AuthorizationDataHolder { private RealmService realmService; private TenantManager tenantManager; - private DeviceAccessAuthorizationService deviceAccessAuthorizationService; private static AuthorizationDataHolder thisInstance = new AuthorizationDataHolder(); @@ -56,12 +54,4 @@ public class AuthorizationDataHolder { return tenantManager; } - public DeviceAccessAuthorizationService getDeviceAccessAuthorizationService() { - return deviceAccessAuthorizationService; - } - - public void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) { - this.deviceAccessAuthorizationService = deviceAccessAuthorizationService; - } - } 
diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationServiceComponent.java b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationServiceComponent.java index 3ebb099e..b0827e1b 100644 --- a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationServiceComponent.java +++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationServiceComponent.java @@ -21,7 +21,6 @@ package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.osgi.service.component.ComponentContext; -import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.user.core.service.RealmService; /** @@ -32,12 +31,6 @@ import org.wso2.carbon.user.core.service.RealmService; * policy="dynamic" * bind="setRealmService" * unbind="unsetRealmService" - * @scr.reference name="org.wso2.carbon.device.access.authorization" - * interface="org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService" - * cardinality="1..1" - * policy="dynamic" - * bind="setDeviceAccessAuthorizationService" - * unbind="unsetDeviceAccessAuthorizationService" */ @SuppressWarnings("unused") public class AuthorizationServiceComponent { 
@@ -76,18 +69,4 @@ public class AuthorizationServiceComponent { AuthorizationDataHolder.getInstance().setRealmService(null); } - protected void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) { - if (log.isDebugEnabled()) { - log.debug("Setting Device Access Authorization Service"); - } - AuthorizationDataHolder.getInstance().setDeviceAccessAuthorizationService(deviceAccessAuthorizationService); - } - - protected void unsetDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) { - if (log.isDebugEnabled()) { - log.debug("Removing Device Access Authorization Service"); - } - AuthorizationDataHolder.getInstance().setDeviceAccessAuthorizationService(null); - } - } diff --git a/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/pom.xml b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/pom.xml index 41fba9b0..5b54749e 100644 --- a/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/pom.xml +++ b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/pom.xml @@ -69,7 +69,6 @@ org.wso2.carbon.core.server:${carbon.kernel.version} - org.wso2.carbon.device.mgt.server:${carbon.device.mgt.version} diff --git a/modules/samples/connectedcup/component/agent/src/main/java/org/coffeeking/agent/transport/mqtt/ConnectedCupMQttTransportHandler.java b/modules/samples/connectedcup/component/agent/src/main/java/org/coffeeking/agent/transport/mqtt/ConnectedCupMQttTransportHandler.java index fe7d4669..797ddc3b 100644 --- a/modules/samples/connectedcup/component/agent/src/main/java/org/coffeeking/agent/transport/mqtt/ConnectedCupMQttTransportHandler.java 
+++ b/modules/samples/connectedcup/component/agent/src/main/java/org/coffeeking/agent/transport/mqtt/ConnectedCupMQttTransportHandler.java @@ -20,7 +20,7 @@ public class ConnectedCupMQttTransportHandler extends MQTTTransportHandler { private static ConnectedCupMQttTransportHandler connectedCupMQttTransportHandler; - private static String publishTopic = "wso2/%s/" + DEVICE_TYPE + "/%s"; + private static String publishTopic = "%s/" + DEVICE_TYPE + "/%s"; protected ConnectedCupMQttTransportHandler() { super(iotServerSubscriber, DEVICE_TYPE, "tcp://localhost:1883", ""); diff --git a/modules/samples/connectedcup/component/plugin/src/main/java/org/coffeeking/connectedcup/plugin/impl/ConnectedCupManagerService.java b/modules/samples/connectedcup/component/plugin/src/main/java/org/coffeeking/connectedcup/plugin/impl/ConnectedCupManagerService.java index d7ad1aa8..0f007334 100644 --- a/modules/samples/connectedcup/component/plugin/src/main/java/org/coffeeking/connectedcup/plugin/impl/ConnectedCupManagerService.java +++ b/modules/samples/connectedcup/component/plugin/src/main/java/org/coffeeking/connectedcup/plugin/impl/ConnectedCupManagerService.java @@ -57,7 +57,7 @@ public class ConnectedCupManagerService implements DeviceManagementService{ @Override public ProvisioningConfig getProvisioningConfig() { - return new ProvisioningConfig("carbon.super", true); + return new ProvisioningConfig("carbon.super", false); } @Override
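Review bot: The changed `publishTopic` line keeps the field as a mutable `private static String` even though it is only a format template; it should be `private static final String publishTopic = "%s/" + DEVICE_TYPE + "/%s";`. Dropping the `wso2/` prefix makes the first `%s` the leading topic segment, which `DeviceAccessBasedMQTTAuthorizer.isAuthorizedForTopic` in this same patch compares against the client's tenant domain, so whatever fills that placeholder presumably has to be the tenant domain or the publish is rejected — worth a comment on the field such as `// <tenantDomain>/<deviceType>/<deviceId>; segment 0 is checked against the client's tenant by the MQTT authorizer`. The code that formats this template is outside the hunk.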