From 2fbaf31b939ced4757d3fcbace1874535e010abf Mon Sep 17 00:00:00 2001 From: ayyoob Date: Thu, 12 Jan 2017 18:13:43 +0530 Subject: [PATCH] fixed permission and assigned environment variables for url context --- .../pom.xml | 5 ++ .../api/filter/ApiPermissionFilter.java | 3 + .../extension/api/util/APIUtil.java | 60 ++++++++++++++++++- .../src/main/webapp/META-INF/permissions.xml | 4 +- .../CertificateManagementAdminService.java | 13 +++- .../service/api/DeviceManagementService.java | 1 - ...DeviceAccessAuthorizationAdminService.java | 42 ++++++++++++- .../devicemgt/app/conf/config.json | 4 +- .../authenticator/framework/Utils/Utils.java | 16 +++++ .../authenticator/BSTAuthenticator.java | 2 +- .../authenticator/OAuthAuthenticator.java | 2 +- .../conf/webapp-publisher-config.xml | 2 +- .../conf/webapp-authenticator-config.xml | 5 +- 13 files changed, 145 insertions(+), 14 deletions(-) diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml index a48a6ef2e8..2ec55c44aa 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml @@ -173,6 +173,11 @@ org.wso2.carbon.device.mgt.common provided + + org.wso2.carbon + org.wso2.carbon.registry.core + provided + diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java index 9c1dfac4bd..5f05dfb337 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java @@ -56,6 +56,9 @@ public class ApiPermissionFilter implements Filter { PermissionConfiguration permissionConfiguration = (PermissionConfiguration) unmarshaller.unmarshal(permissionStream); permissions = permissionConfiguration.getPermissions(); + for (Permission permission : permissions) { + APIUtil.putPermission(PERMISSION_PREFIX + permission.getPath()); + } } catch (JAXBException e) { log.error("invalid permissions.xml", e); } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java index a3830019a5..cdce160c54 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java @@ -21,12 +21,18 @@ package org.wso2.carbon.apimgt.application.extension.api.util; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.apimgt.application.extension.APIManagementProviderService; +import org.wso2.carbon.base.MultitenantConstants; import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.device.mgt.common.DeviceManagementException; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; +import org.wso2.carbon.registry.api.Resource; +import org.wso2.carbon.registry.core.Registry; +import org.wso2.carbon.registry.core.exceptions.RegistryException; +import org.wso2.carbon.registry.core.service.RegistryService; import org.wso2.carbon.user.core.service.RealmService; import java.util.List; +import java.util.StringTokenizer; /** * This class provides utility functions used by REST-API. @@ -35,6 +41,8 @@ public class APIUtil { private static Log log = LogFactory.getLog(APIUtil.class); private static final String DEFAULT_CDMF_API_TAG = "device_management"; + private static final String DEFAULT_CERT_API_TAG = "scep_management"; + public static final String PERMISSION_PROPERTY_NAME = "name"; public static String getAuthenticatedUser() { PrivilegedCarbonContext threadLocalCarbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext(); @@ -48,8 +56,7 @@ public class APIUtil { public static String getTenantDomainOftheUser() { PrivilegedCarbonContext threadLocalCarbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext(); - String tenantDomain = threadLocalCarbonContext.getTenantDomain(); - return tenantDomain; + return threadLocalCarbonContext.getTenantDomain(); } public static APIManagementProviderService getAPIManagementProviderService() { @@ -92,6 +99,55 @@ public class APIUtil { //Todo get allowed cdmf service tags from config. List allowedApisTags = getDeviceManagementProviderService().getAvailableDeviceTypes(); allowedApisTags.add(DEFAULT_CDMF_API_TAG); + allowedApisTags.add(DEFAULT_CERT_API_TAG); return allowedApisTags; } + + public static void putPermission(String permission) { + try { + StringTokenizer tokenizer = new StringTokenizer(permission, "/"); + String lastToken = "", currentToken, tempPath; + while (tokenizer.hasMoreTokens()) { + currentToken = tokenizer.nextToken(); + tempPath = lastToken + "/" + currentToken; + if (!checkResourceExists(tempPath)) { + createRegistryCollection(tempPath, currentToken); + + } + lastToken = tempPath; + } + } catch (org.wso2.carbon.registry.api.RegistryException e) { + log.error("Failed to creation permission in registry" + permission, e); + } + } + + public static void createRegistryCollection(String path, String resourceName) + throws org.wso2.carbon.registry.api.RegistryException { + Resource resource = getGovernanceRegistry().newCollection(); + resource.addProperty(PERMISSION_PROPERTY_NAME, resourceName); + getGovernanceRegistry().beginTransaction(); + getGovernanceRegistry().put(path, resource); + getGovernanceRegistry().commitTransaction(); + } + + public static boolean checkResourceExists(String path) + throws RegistryException { + return getGovernanceRegistry().resourceExists(path); + } + + public static Registry getGovernanceRegistry() throws RegistryException { + return getRegistryService().getGovernanceSystemRegistry(MultitenantConstants.SUPER_TENANT_ID); + } + + public static RegistryService getRegistryService() { + PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); + RegistryService registryService = + (RegistryService) ctx.getOSGiService(RegistryService.class, null); + if (registryService == null) { + String msg = "registry service has not initialized."; + log.error(msg); + throw new IllegalStateException(msg); + } + return registryService; + } } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml index 0124990741..591725fa12 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml @@ -37,14 +37,14 @@ Register application - /device-mgt/user/api/application + /device-mgt/api/application /register POST application_user Delete application - /device-mgt/user/api/application + /device-mgt/api/application /unregister DELETE application_user diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/CertificateManagementAdminService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/CertificateManagementAdminService.java index 14d06f00f0..f4a4c52c36 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/CertificateManagementAdminService.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/CertificateManagementAdminService.java @@ -64,6 +64,12 @@ import javax.ws.rs.core.Response; description = "Deleting an SSL Certificate", key = "perm:admin:certificates:delete", permissions = {"/device-mgt/admin/certificates/delete"} + ), + @Scope( + name = "Verify SSL certificate", + description = "Verify SSL certificate", + key = "perm:admin:certificates:verify", + permissions = {"/device-mgt/admin/certificates/verify"} ) } ) @@ -428,7 +434,12 @@ public interface CertificateManagementAdminService { httpMethod = "POST", value = "Verify Android SSL certificate", notes = "Verify Android Certificate for the API security filter.\n", - tags = "Certificate Management") + tags = "Certificate Management", + extensions = { + @Extension(properties = { + @ExtensionProperty(name = SCOPE, value = "perm:admin:certificates:add") + }) + }) @ApiResponses( value = { @ApiResponse( diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java index 621ec26d73..ca9be507a6 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java @@ -29,7 +29,6 @@ import io.swagger.annotations.ApiParam; import io.swagger.annotations.ApiResponse; import io.swagger.annotations.ApiResponses; import io.swagger.annotations.ResponseHeader; -import org.json.JSONObject; import org.wso2.carbon.apimgt.annotations.api.Scope; import org.wso2.carbon.apimgt.annotations.api.Scopes; import org.wso2.carbon.device.mgt.common.Device; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java index bea9ebedd5..8a46b9b194 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java @@ -22,9 +22,17 @@ import io.swagger.annotations.Api; import io.swagger.annotations.ApiOperation; import io.swagger.annotations.ApiResponse; import io.swagger.annotations.ApiResponses; +import io.swagger.annotations.Extension; +import io.swagger.annotations.ExtensionProperty; +import io.swagger.annotations.Info; +import io.swagger.annotations.SwaggerDefinition; +import io.swagger.annotations.Tag; +import org.wso2.carbon.apimgt.annotations.api.Scope; +import org.wso2.carbon.apimgt.annotations.api.Scopes; import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult; import org.wso2.carbon.device.mgt.jaxrs.beans.AuthorizationRequest; import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; +import org.wso2.carbon.device.mgt.jaxrs.util.Constants; import javax.ws.rs.Consumes; import javax.ws.rs.POST; @@ -37,6 +45,32 @@ import javax.ws.rs.core.Response; @Api(value = "Device Authorization Administrative Service", description = "This an API intended to be used by " + "'internal' components to log in as an admin user and validate whether the user/device are trusted entity." + "Further, this is strictly restricted to admin users only ") + +@SwaggerDefinition( + info = @Info( + version = "1.0.0", + title = "", + extensions = { + @Extension(properties = { + @ExtensionProperty(name = "name", value = "DeviceAccessAuthorizationAdminService"), + @ExtensionProperty(name = "context", value = "/api/device-mgt/v1.0/admin/authorization"), + }) + } + ), + tags = { + @Tag(name = "device_management", description = "") + } +) +@Scopes( + scopes = { + @Scope( + name = "Verify device authorization", + description = "Verify device authorization", + key = "perm:authorization:verify", + permissions = {"/device-mgt/authorization/verify"} + ) + } +) @Produces(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON) /** @@ -52,7 +86,13 @@ public interface DeviceAccessAuthorizationAdminService { value = "Check for device access authorization\n", notes = "This is an internal API that can be used to check for authorization.", response = DeviceAuthorizationResult.class, - tags = "Authorization Administrative Service") + tags = "Authorization Administrative Service", + extensions = { + @Extension(properties = { + @ExtensionProperty(name = Constants.SCOPE, value = "perm:authorization:verify") + }) + }) + @ApiResponses(value = { @ApiResponse( code = 200, diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json index 83671e61be..b242743a43 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json @@ -1,7 +1,7 @@ { "appContext": "/devicemgt/", - "httpsURL" : "https://localhost:8243", - "httpURL" : "http://localhost:8280", + "httpsURL" : "https://%server.ip%:8243", + "httpURL" : "http://%server.ip%:8280", "wssURL" : "https://localhost:9445", "wsURL" : "%http.ip%", "portalURL": "https://%server.ip%:9445", diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Utils/Utils.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Utils/Utils.java index ac0130a39f..b139fa9e89 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Utils/Utils.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Utils/Utils.java @@ -35,6 +35,8 @@ import org.wso2.carbon.utils.multitenancy.MultitenantUtils; import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException; import java.util.Properties; +import java.util.regex.Matcher; +import java.util.regex.Pattern; public class Utils { @@ -86,4 +88,18 @@ public class Utils { } } + public static String replaceSystemProperty(String urlWithPlaceholders) { + String regex = "\\$\\{(.*?)\\}"; + Pattern pattern = Pattern.compile(regex); + Matcher matchPattern = pattern.matcher(urlWithPlaceholders); + while (matchPattern.find()) { + String sysPropertyName = matchPattern.group(1); + String sysPropertyValue = System.getProperty(sysPropertyName); + if (sysPropertyValue != null && !sysPropertyName.isEmpty()) { + urlWithPlaceholders = urlWithPlaceholders.replaceAll("\\$\\{(" + sysPropertyName + ")\\}", sysPropertyValue); + } + } + return urlWithPlaceholders; + } + } diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BSTAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BSTAuthenticator.java index 51e92a139b..ceb78d8a34 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BSTAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BSTAuthenticator.java @@ -66,7 +66,7 @@ public class BSTAuthenticator implements WebappAuthenticator { "are not provided"); } - String url = this.properties.getProperty("TokenValidationEndpointUrl"); + String url = Utils.replaceSystemProperty(this.properties.getProperty("TokenValidationEndpointUrl")); if ((url == null) || (url.isEmpty())) { throw new IllegalArgumentException("OAuth token validation endpoint url is not provided"); } diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java index 797a4f5afd..0033e54dd8 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java @@ -55,7 +55,7 @@ public class OAuthAuthenticator implements WebappAuthenticator { "are not provided"); } - String url = this.properties.getProperty("TokenValidationEndpointUrl"); + String url = Utils.replaceSystemProperty(this.properties.getProperty("TokenValidationEndpointUrl")); if ((url == null) || (url.isEmpty())) { throw new IllegalArgumentException("OAuth token validation endpoint url is not provided"); } diff --git a/features/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher.feature/src/main/resources/conf/webapp-publisher-config.xml b/features/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher.feature/src/main/resources/conf/webapp-publisher-config.xml index 214e5aa38d..067a6af7f8 100644 --- a/features/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher.feature/src/main/resources/conf/webapp-publisher-config.xml +++ b/features/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher.feature/src/main/resources/conf/webapp-publisher-config.xml @@ -24,7 +24,7 @@ - https://localhost:${carbon.https.port} + https://${iot.core.host}:${iot.core.https.port} true diff --git a/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml b/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml index 8725f4a99a..b3a4f47c17 100644 --- a/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml +++ b/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml @@ -5,7 +5,7 @@ org.wso2.carbon.webapp.authenticator.framework.authenticator.OAuthAuthenticator false - https://localhost:9443 + https://${iot.keymanager.host}:${iot.keymanager.https.port} admin admin 100 @@ -23,6 +23,7 @@ wso2carbon wso2carbon + wso2carbon @@ -34,7 +35,7 @@ org.wso2.carbon.webapp.authenticator.framework.authenticator.BSTAuthenticator false - https://localhost:9443 + https://${iot.keymanager.host}:${iot.keymanager.https.port} admin admin 100