Added device scope based authorisation for mqtt

application-manager-new
ayyoob 9 years ago
parent 599ad73a72
commit 1dd689e8d4

@ -356,6 +356,11 @@
<Scope>device_scope</Scope> <Scope>device_scope</Scope>
</ScopeWhitelist> </ScopeWhitelist>
<!-- This hold the prefix of device scopes. If a device specific token needs to be issues then token
needs to be sent with the prefix of Device Scope with the format of
DeviceScope/DeviceType/DeviceId -->
<DeviceScope>cdmf</DeviceScope>
</APIKeyValidator> </APIKeyValidator>
<!-- <!--

@ -150,7 +150,7 @@
</SupportedGrantType> </SupportedGrantType>
<SupportedGrantType> <SupportedGrantType>
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName> <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass> <GrantTypeHandlerImplClass>org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedJWTBearerGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass> <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
</SupportedGrantType> </SupportedGrantType>
</SupportedGrantTypes> </SupportedGrantTypes>

@ -38,7 +38,11 @@ import java.util.List;
public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer { public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class); private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class);
private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user"; private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user";
private static final String ADMIN_PERMISSION = "/permission/admin/device-mgt/admin";
private static final String SCOPE_IDENTIFIER = "scope"; private static final String SCOPE_IDENTIFIER = "scope";
private static final String CDMF_SCOPE_PREFIX = "cdmf";
private static final String CDMF_SCOPE_SEPERATOR = "/";
private static final String UI_EXECUTE = "ui.execute";
/** /**
* {@inheritDoc} Authorize the user against carbon device mgt model. * {@inheritDoc} Authorize the user against carbon device mgt model.
@ -46,6 +50,9 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
@Override @Override
public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic, public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
MQTTAuthoriztionPermissionLevel permissionLevel) { MQTTAuthoriztionPermissionLevel permissionLevel) {
if (isUserAuthorized(authorizationSubject, ADMIN_PERMISSION, UI_EXECUTE)) {
return true;
}
String topics[] = topic.split("/"); String topics[] = topic.split("/");
if (topics.length < 3) { if (topics.length < 3) {
return false; return false;
@ -59,10 +66,17 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
List<String> scopes = (List<String>) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER); List<String> scopes = (List<String>) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER);
if (scopes != null) { if (scopes != null) {
for (String scope : scopes) { for (String scope : scopes) {
//TODO : have to validate token with scopes. if (scope.startsWith(CDMF_SCOPE_PREFIX)) {
String deviceId[] = scope.split(CDMF_SCOPE_SEPERATOR);
if (deviceId.length == 3) {
if (deviceIdFromTopic.equals(deviceId[2]) && deviceTypeFromTopic.equals(deviceId[1])) {
return true;
} }
} }
return true; }
}
}
return false;
} }
/** /**
@ -70,7 +84,7 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
*/ */
@Override @Override
public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) { public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) {
return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, "ui.execute"); return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, UI_EXECUTE);
} }
/** /**

@ -1155,7 +1155,7 @@
<carbon.metrics.version>1.2.0</carbon.metrics.version> <carbon.metrics.version>1.2.0</carbon.metrics.version>
<!--JWT grant type extension feature--> <!--JWT grant type extension feature-->
<identity.jwt.extension.version>1.0.0</identity.jwt.extension.version> <identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
<!--http client version--> <!--http client version-->
<httpclient.version>4.3.1.wso2v2</httpclient.version> <httpclient.version>4.3.1.wso2v2</httpclient.version>
<httpclient.version.range>[4.3.1, 5.0.0)</httpclient.version.range> <httpclient.version.range>[4.3.1, 5.0.0)</httpclient.version.range>

Loading…
Cancel
Save