Added device scope based authorisation for mqtt

9 years ago · 1dd689e8d4
parent 599ad73a72
commit 1dd689e8d4
4 changed files with 24 additions and 5 deletions
--- a/modules/distribution/src/repository/conf/api-manager.xml
+++ b/modules/distribution/src/repository/conf/api-manager.xml
@ -356,6 +356,11 @@
            <Scope>device_scope</Scope>
        </ScopeWhitelist>

+        <!-- This hold the prefix of device scopes. If a device specific token needs to be issues then token
+        needs to be sent with the prefix of Device Scope with the format of
+        DeviceScope/DeviceType/DeviceId -->
+        <DeviceScope>cdmf</DeviceScope>
+
    </APIKeyValidator>

    <!--
--- a/modules/distribution/src/repository/conf/identity/identity.xml
+++ b/modules/distribution/src/repository/conf/identity/identity.xml
@ -150,7 +150,7 @@
            </SupportedGrantType>
            <SupportedGrantType>
                <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
+                <GrantTypeHandlerImplClass>org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedJWTBearerGrantHandler</GrantTypeHandlerImplClass>
                <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
            </SupportedGrantType>
        </SupportedGrantTypes>
--- a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java
+++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java
@ -38,7 +38,11 @@ import java.util.List;
 public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
    private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class);
    private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user";
+    private static final String ADMIN_PERMISSION = "/permission/admin/device-mgt/admin";
    private static final String SCOPE_IDENTIFIER = "scope";
+    private static final String CDMF_SCOPE_PREFIX = "cdmf";
+    private static final String CDMF_SCOPE_SEPERATOR = "/";
+    private static final String UI_EXECUTE = "ui.execute";

    /**
     * {@inheritDoc} Authorize the user against carbon device mgt model.
@ -46,6 +50,9 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
    @Override
    public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
                                        MQTTAuthoriztionPermissionLevel permissionLevel) {
+        if (isUserAuthorized(authorizationSubject, ADMIN_PERMISSION, UI_EXECUTE)) {
+            return true;
+        }
        String topics[] = topic.split("/");
        if (topics.length < 3) {
            return false;
@ -59,10 +66,17 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
        List<String> scopes = (List<String>) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER);
        if (scopes != null) {
            for (String scope : scopes) {
-                //TODO : have to validate token with scopes.
+                if (scope.startsWith(CDMF_SCOPE_PREFIX)) {
+                    String deviceId[] = scope.split(CDMF_SCOPE_SEPERATOR);
+                    if (deviceId.length == 3) {
+                        if (deviceIdFromTopic.equals(deviceId[2]) && deviceTypeFromTopic.equals(deviceId[1])) {
+                            return true;
+                        }
+                    }
+                }
            }
        }
-        return true;
+        return false;
    }

    /**
@ -70,7 +84,7 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
     */
    @Override
    public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) {
-        return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, "ui.execute");
+        return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, UI_EXECUTE);
    }

    /**
--- a/pom.xml
+++ b/pom.xml
@ -1155,7 +1155,7 @@
        <carbon.metrics.version>1.2.0</carbon.metrics.version>

        <!--JWT grant type extension feature-->
-        <identity.jwt.extension.version>1.0.0</identity.jwt.extension.version>
+        <identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
        <!--http client version-->
        <httpclient.version>4.3.1.wso2v2</httpclient.version>
        <httpclient.version.range>[4.3.1, 5.0.0)</httpclient.version.range>