Merge pull request #168 from ayyoob/das-ext

Added device scope based authorisation for mqtt

modules/distribution/src/assembly/bin.xml

@@ -1214,22 +1214,6 @@
             <outputDirectory>${pom.artifactId}-${pom.version}/repository/deployment/server/webapps</outputDirectory>
             <fileMode>644</fileMode>
         </file>
-        <file>
-            <source>
-                ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/mqtt.properties
-            </source>
-            <outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/etc</outputDirectory>
-            <filtered>true</filtered>
-            <fileMode>644</fileMode>
-        </file>
-        <file>
-            <source>
-                ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/xmpp.properties
-            </source>
-            <outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/etc</outputDirectory>
-            <filtered>true</filtered>
-            <fileMode>644</fileMode>
-        </file>
         <file>
             <source>
                 ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/etc/jwt.properties

modules/distribution/src/repository/conf/api-manager.xml

@@ -356,6 +356,11 @@
             <Scope>device_scope</Scope>
         </ScopeWhitelist>
 
+        <!-- This hold the prefix of device scopes. If a device specific token needs to be issues then token
+        needs to be sent with the prefix of Device Scope with the format of
+        DeviceScope/DeviceType/DeviceId -->
+        <DeviceScope>cdmf</DeviceScope>
+
     </APIKeyValidator>
 
     <!--

modules/distribution/src/repository/conf/identity/identity.xml

@@ -150,7 +150,7 @@
             </SupportedGrantType>
             <SupportedGrantType>
                 <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
+                <GrantTypeHandlerImplClass>org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedJWTBearerGrantHandler</GrantTypeHandlerImplClass>
                 <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
             </SupportedGrantType>
         </SupportedGrantTypes>

modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java

@@ -38,7 +38,11 @@ import java.util.List;
 public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
     private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class);
     private static final String CONNECTION_PERMISSION = "/permission/admin/device-mgt/user";
+    private static final String ADMIN_PERMISSION = "/permission/admin/device-mgt/admin";
     private static final String SCOPE_IDENTIFIER = "scope";
+    private static final String CDMF_SCOPE_PREFIX = "cdmf";
+    private static final String CDMF_SCOPE_SEPERATOR = "/";
+    private static final String UI_EXECUTE = "ui.execute";
 
     /**
      * {@inheritDoc} Authorize the user against carbon device mgt model.
@@ -46,6 +50,9 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
     @Override
     public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
                                         MQTTAuthoriztionPermissionLevel permissionLevel) {
+        if (isUserAuthorized(authorizationSubject, ADMIN_PERMISSION, UI_EXECUTE)) {
+            return true;
+        }
         String topics[] = topic.split("/");
         if (topics.length < 3) {
             return false;
@@ -59,10 +66,17 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
         List<String> scopes = (List<String>) authorizationSubject.getProperties().get(SCOPE_IDENTIFIER);
         if (scopes != null) {
             for (String scope : scopes) {
-                //TODO : have to validate token with scopes.
+                if (scope.startsWith(CDMF_SCOPE_PREFIX)) {
+                    String deviceId[] = scope.split(CDMF_SCOPE_SEPERATOR);
+                    if (deviceId.length == 3) {
+                        if (deviceIdFromTopic.equals(deviceId[2]) && deviceTypeFromTopic.equals(deviceId[1])) {
+                            return true;
                         }
                     }
-        return true;
+                }
+            }
+        }
+        return false;
     }
 
     /**
@@ -70,7 +84,7 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
      */
     @Override
     public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) {
-        return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, "ui.execute");
+        return isUserAuthorized(authorizationSubject, CONNECTION_PERMISSION, UI_EXECUTE);
     }
 
     /**

pom.xml

@@ -1155,7 +1155,7 @@
         <carbon.metrics.version>1.2.0</carbon.metrics.version>
 
         <!--JWT grant type extension feature-->
-        <identity.jwt.extension.version>1.0.0</identity.jwt.extension.version>
+        <identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
         <!--http client version-->
         <httpclient.version>4.3.1.wso2v2</httpclient.version>
         <httpclient.version.range>[4.3.1, 5.0.0)</httpclient.version.range>