Adding group permissions checking

9 years ago · 938eda7c46
parent 9cb24d8cec
commit 938eda7c46
2 changed files with 78 additions and 27 deletions
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java
@ -28,7 +28,6 @@ import java.util.List;
 * accessing the device information and performing MDM operations on devices.
 */
 public interface DeviceAccessAuthorizationService {
-
    /**
     * This method will check whether the currently logged-in user has the access to the device identified by the given
     * DeviceIdentifier.
@ -39,29 +38,55 @@ public interface DeviceAccessAuthorizationService {
     */
    boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException;

+    /**
+     * This method will check whether the currently logged-in user has the access to the device identified by the given
+     * DeviceIdentifier.
+     *
+     * @param deviceIdentifier - DeviceIdentifier of the device to be checked.
+     * @param groupPermissions - Group Permissions.
+     * @return Boolean authorization result.
+     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
+     */
+    boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException;
+
    /**
     * This method will check whether the currently logged-in user has the access to the devices identified by the given
     * DeviceIdentifier list.
     *
     * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
-     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
-     * unauthorized devices.
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
+     * devices.
     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
     */
    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
                                                                                         DeviceAccessAuthorizationException;

+    /**
+     * This method will check whether the currently logged-in user has the access to the devices identified by the given
+     * DeviceIdentifier list.
+     *
+     * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
+     * @param groupPermissions  - Group Permissions
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
+     * devices.
+     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
+     */
+    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException;
+
    /**
     * This method will check whether the given user has the access to the device identified by the given
     * DeviceIdentifier.
     *
     * @param deviceIdentifier - DeviceIdentifier of the device to be checked.
     * @param username         - Username of the user to be checked for authorization.
-     * @param permission       - Permission
+     * @param groupPermissions - Group Permissions
     * @return Boolean authorization result.
     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
     */
-     boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException;
+    boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException;

    /**
     * This method will check whether the given user has the access to the devices identified by the given
@ -69,12 +94,13 @@ public interface DeviceAccessAuthorizationService {
     *
     * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
     * @param username          - User name
-     * @param permission        - Permission
-     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
-     * unauthorized devices.
+     * @param groupPermissions  - Group Permissions
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
+     * devices.
     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
     */
-    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, String permission) throws
+    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
+                                               String[] groupPermissions) throws
                                                                          DeviceAccessAuthorizationException;

    /**
@ -95,11 +121,10 @@ public interface DeviceAccessAuthorizationService {
     *
     * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
     * @param username          - Username of the user to be checked for authorization.
-     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
-     * unauthorized devices.
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
+     * devices.
     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
     */
    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username) throws
                                                                                                          DeviceAccessAuthorizationException;
-
 }
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java
@ -72,7 +72,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
    }

    @Override
-    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission)
+    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
            throws DeviceAccessAuthorizationException {
        int tenantId = this.getTenantId();
        if (username == null || username.isEmpty()) {
@ -84,10 +84,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
        }
        //check for group permissions
        try {
-            if (permission == null || permission.isEmpty()) {
+            if (groupPermissions == null || groupPermissions.length == 0) {
                return false;
            }
-            return checkGroupsPermission(username, tenantId, permission);
+            for (String groupPermission : groupPermissions) {
+                if (!checkGroupsPermission(username, tenantId, groupPermission)) {
+                    //if at least one fails, authorization fails
+                    return false;
+                }
+            }
+            return true;
        } catch (GroupManagementException | UserStoreException e) {
            throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
                                                                 deviceIdentifier.getId() + " for the user : " +
@ -101,6 +107,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
        return isUserAuthorized(deviceIdentifier, username, null);
    }

+    @Override
+    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException {
+        return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions);
+    }
+
    @Override
    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
        return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
@ -108,7 +120,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori

    @Override
    public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
-                                                      String permission)
+                                                      String[] groupPermissions)
            throws DeviceAccessAuthorizationException {
        int tenantId = this.getTenantId();
        if (username == null || username.isEmpty()) {
@ -121,11 +133,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
                deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
            } else {
                try {
-                    if (permission == null || permission.isEmpty()) {
+                    if (groupPermissions == null || groupPermissions.length == 0) {
                        return null;
                    }
                    //check for group permissions
-                    if (checkGroupsPermission(username, tenantId, permission)) {
+                    boolean isAuthorized = true;
+                    for (String groupPermission : groupPermissions) {
+                        if (!checkGroupsPermission(username, tenantId, groupPermission)) {
+                            //if at least one failed, authorizations fails and break the loop
+                            isAuthorized = false;
+                            break;
+                        }
+                    }
+                    if (isAuthorized) {
                        deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
                    } else {
                        deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
@ -152,6 +172,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
        return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
    }

+    @Override
+    public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException {
+        return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions);
+    }
+
    private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
            throws DeviceAccessAuthorizationException {
        try {
@ -165,11 +191,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
        }
    }

-    private boolean checkGroupsPermission(String username, int tenantId, String permission)
+    private boolean checkGroupsPermission(String username, int tenantId, String groupPermission)
            throws GroupManagementException, UserStoreException {
        List<DeviceGroup> groups =
                DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
-                                                                                                       permission);
+                                                                                                       groupPermission);
        UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
        if (userRealm != null && userRealm.getAuthorizationManager() != null) {
            Iterator<DeviceGroup> groupIterator = groups.iterator();
@ -179,7 +205,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
                while (rolesIterator.hasNext()) {
                    String role = rolesIterator.next();
                    if (userRealm.getAuthorizationManager().isRoleAuthorized(
-                            "Internal/group-" + deviceGroup.getId() + "-" + role, permission,
+                            "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
                            CarbonConstants.UI_PERMISSION_ACTION)) {
                        return true;
                    }