Add scope perm mapping logic

rm-10378
tcdlpds 1 year ago
parent a620cffb31
commit 563077fbfb

@ -185,6 +185,8 @@
io.entgra.device.mgt.core.apimgt.webapp.publisher.exception, io.entgra.device.mgt.core.apimgt.webapp.publisher.exception,
io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.listener, io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.listener,
io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.util, io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.util,
io.entgra.device.mgt.core.device.mgt.common.exceptions,
io.entgra.device.mgt.core.device.mgt.common.metadata.mgt,
org.wso2.carbon.base;version="1.0", org.wso2.carbon.base;version="1.0",
org.wso2.carbon.context;version="4.6", org.wso2.carbon.context;version="4.6",
org.wso2.carbon;version="4.6", org.wso2.carbon;version="4.6",

@ -35,4 +35,9 @@ public interface APIPublisherService {
void publishAPI(APIConfig api) throws APIManagerPublisherException; void publishAPI(APIConfig api) throws APIManagerPublisherException;
void updateScopeRoleMapping() throws APIManagerPublisherException; void updateScopeRoleMapping() throws APIManagerPublisherException;
void addDefaultScopesIfNotExist();
void updateScopeRoleMapping(String roleName, String[] permissions) throws APIManagerPublisherException;
} }

@ -17,6 +17,7 @@
*/ */
package io.entgra.device.mgt.core.apimgt.webapp.publisher; package io.entgra.device.mgt.core.apimgt.webapp.publisher;
import io.entgra.device.mgt.core.apimgt.annotations.Scopes;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServices; import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServices;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServicesImpl; import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServicesImpl;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.PublisherRESTAPIServices; import io.entgra.device.mgt.core.apimgt.extension.rest.api.PublisherRESTAPIServices;
@ -165,7 +166,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
for (int i = 0; i < apiList.length(); i++) { for (int i = 0; i < apiList.length(); i++) {
JSONObject apiObj = apiList.getJSONObject(i); JSONObject apiObj = apiList.getJSONObject(i);
if (apiObj.getString("name").equals(apiIdentifier.getApiName().replace(Constants.SPACE, if (apiObj.getString("name").equals(apiIdentifier.getApiName().replace(Constants.SPACE,
Constants.EMPTY_STRING))){ Constants.EMPTY_STRING))) {
apiFound = true; apiFound = true;
apiIdentifier.setUuid(apiObj.getString("id")); apiIdentifier.setUuid(apiObj.getString("id"));
break; break;
@ -364,7 +365,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
apiUuid, apiRevisionId, apiRevisionDeploymentList); apiUuid, apiRevisionId, apiRevisionDeploymentList);
if (CREATED_STATUS.equals(existingAPI.getString("lifeCycleStatus"))) { if (CREATED_STATUS.equals(existingAPI.getString("lifeCycleStatus"))) {
publisherRESTAPIServices.changeLifeCycleStatus(apiApplicationKey,accessTokenInfo, publisherRESTAPIServices.changeLifeCycleStatus(apiApplicationKey, accessTokenInfo,
apiUuid, PUBLISH_ACTION); apiUuid, PUBLISH_ACTION);
} }
} }
@ -435,6 +436,44 @@ public class APIPublisherServiceImpl implements APIPublisherService {
} }
} }
public void addDefaultScopesIfNotExist() {
ArrayList<String> defaultScopes = new ArrayList<>();
defaultScopes.add("dm:devices:any:permitted");
defaultScopes.add("dm:device:api:subscribe");
defaultScopes.add("am:admin:lc:app:approve");
defaultScopes.add("am:admin:lc:app:create");
defaultScopes.add("am:admin:lc:app:reject");
defaultScopes.add("am:admin:lc:app:block");
defaultScopes.add("am:admin:lc:app:review");
defaultScopes.add("am:admin:lc:app:retire");
defaultScopes.add("am:admin:lc:app:deprecate");
defaultScopes.add("am:admin:lc:app:publish");
APIApplicationServices apiApplicationServices = new APIApplicationServicesImpl();
try {
APIApplicationKey apiApplicationKey =
apiApplicationServices.createAndRetrieveApplicationCredentials();
AccessTokenInfo accessTokenInfo =
apiApplicationServices.generateAccessTokenFromRegisteredApplication(
apiApplicationKey.getClientId(), apiApplicationKey.getClientSecret());
PublisherRESTAPIServices publisherRESTAPIServices = new PublisherRESTAPIServicesImpl();
Scope scope = new Scope();
for (String defaultScope: defaultScopes) {
//todo check whether scope is available or not
scope.setName(defaultScope);
scope.setDescription(defaultScope);
scope.setKey(defaultScope);
scope.setRoles("Internal/devicemgt-user");
publisherRESTAPIServices.addNewSharedScope(apiApplicationKey, accessTokenInfo, scope);
}
} catch (BadRequestException | UnexpectedResponseException | APIServicesException e) {
log.error("Error occurred while adding default scopes");
}
}
@Override @Override
public void updateScopeRoleMapping() public void updateScopeRoleMapping()
throws APIManagerPublisherException { throws APIManagerPublisherException {
@ -573,8 +612,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
} }
} }
} } catch (APIServicesException e) {
catch (APIServicesException e) {
String errorMsg = "Error while processing Publisher REST API response"; String errorMsg = "Error while processing Publisher REST API response";
log.error(errorMsg, e); log.error(errorMsg, e);
throw new APIManagerPublisherException(e); throw new APIManagerPublisherException(e);
@ -586,11 +624,94 @@ public class APIPublisherServiceImpl implements APIPublisherService {
String errorMsg = "Unexpected response from the server"; String errorMsg = "Unexpected response from the server";
log.error(errorMsg, e); log.error(errorMsg, e);
throw new APIManagerPublisherException(e); throw new APIManagerPublisherException(e);
}finally { } finally {
PrivilegedCarbonContext.endTenantFlow(); PrivilegedCarbonContext.endTenantFlow();
} }
} }
@Override
public void updateScopeRoleMapping(String roleName, String[] permissions) throws APIManagerPublisherException {
APIApplicationServices apiApplicationServices = new APIApplicationServicesImpl();
APIApplicationKey apiApplicationKey;
AccessTokenInfo accessTokenInfo;
try {
apiApplicationKey = apiApplicationServices.createAndRetrieveApplicationCredentials();
accessTokenInfo = apiApplicationServices.generateAccessTokenFromRegisteredApplication(
apiApplicationKey.getClientId(), apiApplicationKey.getClientSecret());
} catch (APIServicesException e) {
String errorMsg = "Error occurred while generating the API application";
log.error(errorMsg, e);
throw new APIManagerPublisherException(e);
}
try {
PublisherRESTAPIServices publisherRESTAPIServices = new PublisherRESTAPIServicesImpl();
JSONObject scopeObject = publisherRESTAPIServices.getScopes(apiApplicationKey, accessTokenInfo);
Map<String, String> permScopeMap = APIPublisherDataHolder.getInstance().getPermScopeMapping();
for (String permission : permissions) {
String scopeValue = permScopeMap.get(permission);
if (scopeValue == null) {
String msg = "Found invalid permission: " + permission + ". Hence aborting the scope role " +
"mapping process";
log.error(msg);
throw new APIManagerPublisherException(msg);
}
JSONArray scopeList = (JSONArray) scopeObject.get("list");
for (int i = 0; i < scopeList.length(); i++) {
JSONObject scopeObj = scopeList.getJSONObject(i);
if (scopeObj.getString("name").equals(scopeValue)) {
Scope scope = new Scope();
scope.setName(scopeObj.getString("name"));
scope.setKey(scopeObj.getString("name"));
scope.setDescription(scopeObj.getString("description"));
scope.setId(scopeObj.getString("id"));
// Including already existing roles
JSONArray existingRolesArray = (JSONArray) scopeObj.get("bindings");
List<String> existingRoleList = new ArrayList<String>();
for (int j = 0; j < existingRolesArray.length(); j++) {
existingRoleList.add((String) existingRolesArray.get(j));
}
if (!existingRoleList.contains(roleName)) {
existingRoleList.add(roleName);
}
scope.setRoles(String.join(",", existingRoleList));
if (publisherRESTAPIServices.isSharedScopeNameExists(apiApplicationKey, accessTokenInfo, scope.getKey())) {
publisherRESTAPIServices.updateSharedScope(apiApplicationKey, accessTokenInfo, scope);
} else {
// todo: come to this level means, that scope is removed from API, but haven't removed from the scope-role-permission-mappings list
log.warn(scope.getKey() + " not available as shared scope");
}
break;
}
}
}
try {
updatePermissions(roleName, Arrays.asList(permissions));
} catch (UserStoreException e) {
String errorMsg = "Error occurred when adding permissions to role: " + roleName;
log.error(errorMsg, e);
throw new APIManagerPublisherException(errorMsg, e);
}
} catch (APIServicesException e) {
String errorMsg = "Error while processing Publisher REST API response";
log.error(errorMsg, e);
throw new APIManagerPublisherException(errorMsg, e);
} catch (BadRequestException e) {
String errorMsg = "Error while calling Publisher REST APIs";
log.error(errorMsg, e);
throw new APIManagerPublisherException(errorMsg, e);
} catch (UnexpectedResponseException e) {
String errorMsg = "Unexpected response from the server";
log.error(errorMsg, e);
throw new APIManagerPublisherException(errorMsg, e);
}
}
private void updatePermissions(String role, List<String> permissions) throws UserStoreException { private void updatePermissions(String role, List<String> permissions) throws UserStoreException {
AuthorizationManager authorizationManager = APIPublisherDataHolder.getInstance().getUserRealm() AuthorizationManager authorizationManager = APIPublisherDataHolder.getInstance().getUserRealm()
.getAuthorizationManager(); .getAuthorizationManager();
@ -730,7 +851,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
// if ws endpoint // if ws endpoint
if (config.getEndpointType() != null && "WS".equals(config.getEndpointType())) { if (config.getEndpointType() != null && "WS".equals(config.getEndpointType())) {
endpointConfig = "{\n" + endpointConfig = "{\n" +
" \"endpoint_type\": \"ws\",\n" + " \"endpoint_type\": \"ws\",\n" +
" \"sandbox_endpoints\": {\n" + " \"sandbox_endpoints\": {\n" +
" \"url\": \"" + config.getEndpoint() + "\"\n" + " \"url\": \"" + config.getEndpoint() + "\"\n" +
@ -778,4 +899,17 @@ public class APIPublisherServiceImpl implements APIPublisherService {
return apiInfo; return apiInfo;
} }
/**
* This method will construct the permission scope mapping hash map. This will call in each API publish call.
* @param scopes API Scopes
*/
private void constructPemScopeMap(Set<ApiScope> scopes) {
APIPublisherDataHolder apiPublisherDataHolder = APIPublisherDataHolder.getInstance();
Map<String, String> permScopeMap = apiPublisherDataHolder.getPermScopeMapping();
for (ApiScope scope : scopes) {
permScopeMap.put(scope.getPermissions(), scope.getKey());
}
apiPublisherDataHolder.setPermScopeMapping(permScopeMap);
}
} }

@ -86,6 +86,7 @@ public class APIPublisherStartupHandler implements ServerStartupObserver {
try { try {
publisher.updateScopeRoleMapping(); publisher.updateScopeRoleMapping();
publisher.addDefaultScopesIfNotExist();
} catch (APIManagerPublisherException e) { } catch (APIManagerPublisherException e) {
log.error("failed to update scope role mapping.", e); log.error("failed to update scope role mapping.", e);
} }

@ -28,4 +28,12 @@ public class APIManagerPublisherException extends Exception {
public APIManagerPublisherException(Throwable cause) { public APIManagerPublisherException(Throwable cause) {
super(cause); super(cause);
} }
public APIManagerPublisherException(String errorMessage) {
super(errorMessage);
}
public APIManagerPublisherException(String errorMessage, Throwable cause) {
super(errorMessage, cause);
}
} }

@ -19,6 +19,7 @@ package io.entgra.device.mgt.core.apimgt.webapp.publisher.internal;
import io.entgra.device.mgt.core.apimgt.webapp.publisher.APIConfig; import io.entgra.device.mgt.core.apimgt.webapp.publisher.APIConfig;
import io.entgra.device.mgt.core.apimgt.webapp.publisher.APIPublisherService; import io.entgra.device.mgt.core.apimgt.webapp.publisher.APIPublisherService;
import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.MetadataManagementService;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.registry.core.service.RegistryService; import org.wso2.carbon.registry.core.service.RegistryService;
@ -29,6 +30,8 @@ import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.tenant.TenantManager; import org.wso2.carbon.user.core.tenant.TenantManager;
import org.wso2.carbon.utils.ConfigurationContextService; import org.wso2.carbon.utils.ConfigurationContextService;
import java.util.HashMap;
import java.util.Map;
import java.util.Stack; import java.util.Stack;
public class APIPublisherDataHolder { public class APIPublisherDataHolder {
@ -40,6 +43,10 @@ public class APIPublisherDataHolder {
private RegistryService registryService; private RegistryService registryService;
private boolean isServerStarted; private boolean isServerStarted;
private Stack<APIConfig> unpublishedApis = new Stack<>(); private Stack<APIConfig> unpublishedApis = new Stack<>();
private Map<String, String> permScopeMapping;
private MetadataManagementService metadataManagementService;
private static APIPublisherDataHolder thisInstance = new APIPublisherDataHolder(); private static APIPublisherDataHolder thisInstance = new APIPublisherDataHolder();
private APIPublisherDataHolder() { private APIPublisherDataHolder() {
@ -138,4 +145,15 @@ public class APIPublisherDataHolder {
this.unpublishedApis = unpublishedApis; this.unpublishedApis = unpublishedApis;
} }
public Map<String, String> getPermScopeMapping() {return permScopeMapping;}
public void setPermScopeMapping(Map<String, String> permScopeMapping) {this.permScopeMapping = permScopeMapping;}
public MetadataManagementService getMetadataManagementService() {
return metadataManagementService;
}
public void setMetadataManagementService(MetadataManagementService metadataManagementService) {
this.metadataManagementService = metadataManagementService;
}
} }

@ -17,6 +17,7 @@
*/ */
package io.entgra.device.mgt.core.apimgt.webapp.publisher.internal; package io.entgra.device.mgt.core.apimgt.webapp.publisher.internal;
import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.MetadataManagementService;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.osgi.framework.BundleContext; import org.osgi.framework.BundleContext;
@ -29,6 +30,8 @@ import org.wso2.carbon.core.ServerStartupObserver;
import org.wso2.carbon.registry.core.service.RegistryService; import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
import java.util.HashMap;
/** /**
* @scr.component name="io.entgra.device.mgt.core.apimgt.webapp.publisher" immediate="true" * @scr.component name="io.entgra.device.mgt.core.apimgt.webapp.publisher" immediate="true"
* @scr.reference name="user.realmservice.default" * @scr.reference name="user.realmservice.default"
@ -43,6 +46,12 @@ import org.wso2.carbon.user.core.service.RealmService;
* policy="dynamic" * policy="dynamic"
* bind="setRegistryService" * bind="setRegistryService"
* unbind="unsetRegistryService" * unbind="unsetRegistryService"
* @scr.reference name="io.entgra.meta.mgt"
* interface="io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.MetadataManagementService"
* cardinality="0..1"
* policy="dynamic"
* bind="setMetaDataMgtService"
* unbind="unsetMetaDataMgtService"
*/ */
public class APIPublisherServiceComponent { public class APIPublisherServiceComponent {
@ -62,6 +71,7 @@ public class APIPublisherServiceComponent {
/* Registering declarative service instances exposed by DeviceManagementServiceComponent */ /* Registering declarative service instances exposed by DeviceManagementServiceComponent */
this.registerServices(componentContext); this.registerServices(componentContext);
APIPublisherDataHolder.getInstance().setPermScopeMapping(new HashMap<>());
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Webapp publisher bundle has been successfully initialized"); log.debug("Webapp publisher bundle has been successfully initialized");
@ -113,4 +123,15 @@ public class APIPublisherServiceComponent {
APIPublisherDataHolder.getInstance().setRegistryService(null); APIPublisherDataHolder.getInstance().setRegistryService(null);
} }
protected void setMetaDataMgtService(MetadataManagementService metadataManagementService) {
if (metadataManagementService != null && log.isDebugEnabled()) {
log.debug("Meta data mgt mgt service initialized");
}
APIPublisherDataHolder.getInstance().setMetadataManagementService(metadataManagementService);
}
protected void unsetMetaDataMgtService(MetadataManagementService metadataManagementService) {
APIPublisherDataHolder.getInstance().setMetadataManagementService(null);
}
} }

@ -17,6 +17,18 @@
*/ */
package io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.listener; package io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.listener;
import com.google.gson.Gson;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServices;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServicesImpl;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.PublisherRESTAPIServices;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.PublisherRESTAPIServicesImpl;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.APIApplicationKey;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.APIInfo.Scope;
import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.AccessTokenInfo;
import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiScope;
import io.entgra.device.mgt.core.device.mgt.common.exceptions.MetadataManagementException;
import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.Metadata;
import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.MetadataManagementService;
import org.apache.catalina.Lifecycle; import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent; import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener; import org.apache.catalina.LifecycleListener;
@ -35,8 +47,7 @@ import org.wso2.carbon.user.api.UserStoreException;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import java.io.IOException; import java.io.IOException;
import java.util.List; import java.util.*;
import java.util.Set;
@SuppressWarnings("unused") @SuppressWarnings("unused")
public class APIPublisherLifecycleListener implements LifecycleListener { public class APIPublisherLifecycleListener implements LifecycleListener {
@ -49,68 +60,142 @@ public class APIPublisherLifecycleListener implements LifecycleListener {
@Override @Override
public void lifecycleEvent(LifecycleEvent lifecycleEvent) { public void lifecycleEvent(LifecycleEvent lifecycleEvent) {
if (Lifecycle.AFTER_START_EVENT.equals(lifecycleEvent.getType()) && WebappPublisherConfig.getInstance() if (Lifecycle.AFTER_START_EVENT.equals(lifecycleEvent.getType()) ) {
.isPublished()) { if (WebappPublisherConfig.getInstance()
StandardContext context = (StandardContext) lifecycleEvent.getLifecycle(); .isPublished()) {
ServletContext servletContext = context.getServletContext(); StandardContext context = (StandardContext) lifecycleEvent.getLifecycle();
String param = servletContext.getInitParameter(PARAM_MANAGED_API_ENABLED); ServletContext servletContext = context.getServletContext();
boolean isManagedApi = (param != null && !param.isEmpty()) && Boolean.parseBoolean(param); String param = servletContext.getInitParameter(PARAM_MANAGED_API_ENABLED);
boolean isManagedApi = (param != null && !param.isEmpty()) && Boolean.parseBoolean(param);
String profile = System.getProperty(PROPERTY_PROFILE); String profile = System.getProperty(PROPERTY_PROFILE);
if (WebappPublisherConfig.getInstance().getProfiles().getProfile().contains(profile.toLowerCase()) if (WebappPublisherConfig.getInstance().getProfiles().getProfile().contains(profile.toLowerCase())
&& isManagedApi) { && isManagedApi) {
try { try {
AnnotationProcessor annotationProcessor = new AnnotationProcessor(context); AnnotationProcessor annotationProcessor = new AnnotationProcessor(context);
Set<String> annotatedSwaggerAPIClasses = annotationProcessor. Set<String> annotatedSwaggerAPIClasses = annotationProcessor.
scanStandardContext(io.swagger.annotations.SwaggerDefinition.class.getName()); scanStandardContext(io.swagger.annotations.SwaggerDefinition.class.getName());
List<APIResourceConfiguration> apiDefinitions = annotationProcessor.extractAPIInfo(servletContext, List<APIResourceConfiguration> apiDefinitions = annotationProcessor.extractAPIInfo(servletContext,
annotatedSwaggerAPIClasses); annotatedSwaggerAPIClasses);
for (APIResourceConfiguration apiDefinition : apiDefinitions) {
APIConfig apiConfig = APIPublisherUtil.buildApiConfig(servletContext, apiDefinition); APIPublisherDataHolder apiPublisherDataHolder = APIPublisherDataHolder.getInstance();
APIPublisherUtil.setResourceAuthTypes(servletContext,apiConfig); MetadataManagementService metadataManagementService =
try { apiPublisherDataHolder.getMetadataManagementService();
int tenantId = APIPublisherDataHolder.getInstance().getTenantManager(). Metadata metadata = metadataManagementService.retrieveMetadata("perm-scope-mapping");
getTenantId(apiConfig.getTenantDomain()); if (metadata != null) {
HashMap<String, String> permScopeMapping =
new Gson().fromJson(metadata.getMetaValue().toString(), HashMap.class);
apiPublisherDataHolder.setPermScopeMapping(permScopeMapping);
}
Map<String, String> permScopeMap = apiPublisherDataHolder.getPermScopeMapping();
for (APIResourceConfiguration apiDefinition : apiDefinitions) {
APIConfig apiConfig = APIPublisherUtil.buildApiConfig(servletContext, apiDefinition);
for (ApiScope scope : apiConfig.getScopes()) {
permScopeMap.put(scope.getPermissions(), scope.getKey());
}
APIPublisherUtil.setResourceAuthTypes(servletContext,apiConfig);
try {
int tenantId = APIPublisherDataHolder.getInstance().getTenantManager().
getTenantId(apiConfig.getTenantDomain());
boolean isTenantActive = APIPublisherDataHolder.getInstance(). boolean isTenantActive = APIPublisherDataHolder.getInstance().
getTenantManager().isTenantActive(tenantId); getTenantManager().isTenantActive(tenantId);
if (isTenantActive) { if (isTenantActive) {
boolean isServerStarted = APIPublisherDataHolder.getInstance().isServerStarted(); boolean isServerStarted = APIPublisherDataHolder.getInstance().isServerStarted();
if (isServerStarted) { if (isServerStarted) {
APIPublisherService apiPublisherService = APIPublisherService apiPublisherService =
APIPublisherDataHolder.getInstance().getApiPublisherService(); APIPublisherDataHolder.getInstance().getApiPublisherService();
if (apiPublisherService == null) { if (apiPublisherService == null) {
throw new IllegalStateException( throw new IllegalStateException(
"API Publisher service is not initialized properly"); "API Publisher service is not initialized properly");
}
apiPublisherService.publishAPI(apiConfig);
} else {
if (log.isDebugEnabled()) {
log.debug("Server has not started yet. Hence adding API '" +
apiConfig.getName() + "' to the queue");
}
APIPublisherDataHolder.getInstance().getUnpublishedApis().push(apiConfig);
} }
apiPublisherService.publishAPI(apiConfig);
} else { } else {
if (log.isDebugEnabled()) { log.error("No tenant [" + apiConfig.getTenantDomain() + "] " +
log.debug("Server has not started yet. Hence adding API '" + "found when publishing the Web app");
apiConfig.getName() + "' to the queue");
}
APIPublisherDataHolder.getInstance().getUnpublishedApis().push(apiConfig);
} }
} catch (Throwable e) {
log.error("Error occurred while publishing API '" + apiConfig.getName() +
"' with the context '" + apiConfig.getContext() +
"' and version '" + apiConfig.getVersion() + "'", e);
}
}
apiPublisherDataHolder.setPermScopeMapping(permScopeMap);
Map<String, String> permScopeMapping = apiPublisherDataHolder.getPermScopeMapping();
if (!permScopeMapping.isEmpty()) {
Metadata existingMetaData = metadataManagementService.retrieveMetadata("perm-scope" +
"-mapping");
if (existingMetaData != null) {
existingMetaData.setMetaValue(new Gson().toJson(apiPublisherDataHolder.getPermScopeMapping()
));
metadataManagementService.updateMetadata(existingMetaData);
} else { } else {
log.error("No tenant [" + apiConfig.getTenantDomain() + "] " + Metadata newMetaData = new Metadata();
"found when publishing the Web app"); newMetaData.setMetaKey("perm-scope-mapping");
permScopeMapping =
apiPublisherDataHolder.getPermScopeMapping();
//Todo fix this properly with a config
Map<String, String> defaultScopePermMap = new HashMap<>();
defaultScopePermMap.put("/permission/admin/device-mgt/devices/any-device/permitted-actions-under-owning-device", "dm:devices:any:permitted");
defaultScopePermMap.put("/permission/admin/device-mgt/device/api/subscribe", "dm:device:api:subscribe");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/approve", "am:admin:lc:app:approve");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/create", "am:admin:lc:app:create");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/reject", "am:admin:lc:app:reject");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/block", "am:admin:lc:app:block");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/review", "am:admin:lc:app:review");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/retire", "am:admin:lc:app:retire");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/deprecate", "am:admin:lc:app:deprecate");
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/publish", "am:admin:lc:app:publish");
for (Map.Entry<String,String> mapElement : defaultScopePermMap.entrySet()) {
String key = mapElement.getKey();
String value = mapElement.getValue();
permScopeMapping.put(key,value);
}
apiPublisherDataHolder.setPermScopeMapping(permScopeMapping);
newMetaData.setMetaValue(new Gson().toJson(permScopeMapping));
metadataManagementService.createMetadata(newMetaData);
} }
} catch (Throwable e) {
log.error("Error occurred while publishing API '" + apiConfig.getName() +
"' with the context '" + apiConfig.getContext() +
"' and version '" + apiConfig.getVersion() + "'", e);
} }
} catch (IOException e) {
log.error("Error encountered while discovering annotated classes", e);
} catch (ClassNotFoundException e) {
log.error("Error while scanning class for annotations", e);
} catch (UserStoreException e) {
log.error("Error while retrieving tenant admin user for the tenant domain"
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(), e);
} catch (Throwable e) {
// This is done to stop tomcat failure if a webapp failed to publish apis.
log.error("Failed to Publish api from " + servletContext.getContextPath(), e);
}
}
} else {
APIPublisherDataHolder apiPublisherDataHolder = APIPublisherDataHolder.getInstance();
MetadataManagementService metadataManagementService =
apiPublisherDataHolder.getMetadataManagementService();
try {
Metadata existingMetaData = metadataManagementService.retrieveMetadata("perm-scope" +
"-mapping");
if (existingMetaData != null) {
existingMetaData.setMetaValue(new Gson().toJson(apiPublisherDataHolder.getPermScopeMapping()
));
metadataManagementService.updateMetadata(existingMetaData);
} else {
log.error("Couldn't find 'perm-scope-mapping' Meta entry while API publishing has been turned" +
" off.");
} }
} catch (IOException e) { } catch (MetadataManagementException e) {
log.error("Error encountered while discovering annotated classes", e); log.error("Failed to Load Meta-Mgt data.", e);
} catch (ClassNotFoundException e) {
log.error("Error while scanning class for annotations", e);
} catch (UserStoreException e) {
log.error("Error while retrieving tenant admin user for the tenant domain"
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(), e);
} catch (Throwable e) {
// This is done to stop tomcat failure if a webapp failed to publish apis.
log.error("Failed to Publish api from " + servletContext.getContextPath(), e);
} }
} }
} }

@ -455,5 +455,10 @@
<artifactId>io.entgra.device.mgt.core.apimgt.analytics.extension</artifactId> <artifactId>io.entgra.device.mgt.core.apimgt.analytics.extension</artifactId>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
<dependency>
<groupId>io.entgra.device.mgt.core</groupId>
<artifactId>io.entgra.device.mgt.core.apimgt.webapp.publisher</artifactId>
<scope>provided</scope>
</dependency>
</dependencies> </dependencies>
</project> </project>

@ -17,6 +17,7 @@
*/ */
package io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl; package io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl;
import io.entgra.device.mgt.core.apimgt.webapp.publisher.exception.APIManagerPublisherException;
import io.entgra.device.mgt.core.device.mgt.common.exceptions.MetadataManagementException; import io.entgra.device.mgt.core.device.mgt.common.exceptions.MetadataManagementException;
import io.entgra.device.mgt.core.device.mgt.common.group.mgt.GroupManagementException; import io.entgra.device.mgt.core.device.mgt.common.group.mgt.GroupManagementException;
import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.Metadata; import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.Metadata;
@ -28,6 +29,7 @@ import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants; import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.base.MultitenantConstants; import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType; import org.wso2.carbon.context.RegistryType;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.ErrorResponse; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.ErrorResponse;
import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleInfo; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.RoleInfo;
@ -56,6 +58,8 @@ import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.net.URLEncoder; import java.net.URLEncoder;
import java.util.*; import java.util.*;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import static io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants.PRIMARY_USER_STORE; import static io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.Constants.PRIMARY_USER_STORE;
@ -277,15 +281,32 @@ public class RoleManagementServiceImpl implements RoleManagementService {
} }
} }
private UIPermissionNode getAllRolePermissions(String roleName, UserRealm userRealm) throws UserAdminException { private List<String> processAndFilterPermissions(UIPermissionNode[] rolePermissions, List<String> permissionPaths, List<String> permissions) {
org.wso2.carbon.user.core.UserRealm userRealmCore = null;
if (userRealm instanceof org.wso2.carbon.user.core.UserRealm) { for (UIPermissionNode rolePermission : rolePermissions) {
userRealmCore = (org.wso2.carbon.user.core.UserRealm) userRealm; if (permissionPaths.isEmpty()) {
return permissions;
}
if (rolePermission.getNodeList().length == 0) {
if (permissionPaths.contains(rolePermission.getResourcePath())) {
permissions.add(rolePermission.getResourcePath());
}
}
permissionPaths.remove(rolePermission.getResourcePath());
if (rolePermission.getNodeList().length != 0) {
processAndFilterPermissions(rolePermission.getNodeList(), permissionPaths, permissions);
}
} }
final UserRealmProxy userRealmProxy = new UserRealmProxy(userRealmCore); return permissions;
final UIPermissionNode rolePermissions = }
userRealmProxy.getRolePermissions(roleName, MultitenantConstants.SUPER_TENANT_ID);
return rolePermissions; private String[] getPlatformUIPermissions(String roleName, UserRealm userRealm, String[] permissions)
throws UserAdminException {
UIPermissionNode uiPermissionNode = getUIPermissionNode(roleName, userRealm);
List<String> permissionsArray = processAndFilterPermissions(uiPermissionNode.getNodeList(), new ArrayList<>(Arrays.asList(permissions)),
new ArrayList<>());
return permissionsArray.toArray(new String[0]);
} }
private UIPermissionNode getUIPermissionNode(String roleName, UserRealm userRealm) private UIPermissionNode getUIPermissionNode(String roleName, UserRealm userRealm)
@ -361,18 +382,6 @@ public class RoleManagementServiceImpl implements RoleManagementService {
} }
} }
private List<String> getAuthorizedPermissions(UIPermissionNode uiPermissionNode, List<String> list) {
for (UIPermissionNode permissionNode : uiPermissionNode.getNodeList()) {
if (permissionNode.isSelected()) {
list.add(permissionNode.getResourcePath());
}
if (permissionNode.getNodeList() != null && permissionNode.getNodeList().length > 0) {
getAuthorizedPermissions(permissionNode, list);
}
}
return list;
}
@POST @POST
@Override @Override
public Response addRole(RoleInfo roleInfo) { public Response addRole(RoleInfo roleInfo) {
@ -383,6 +392,7 @@ public class RoleManagementServiceImpl implements RoleManagementService {
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Persisting the role in the underlying user store"); log.debug("Persisting the role in the underlying user store");
} }
Permission[] permissions = null; Permission[] permissions = null;
if (roleInfo.getPermissions() != null && roleInfo.getPermissions().length > 0) { if (roleInfo.getPermissions() != null && roleInfo.getPermissions().length > 0) {
permissions = new Permission[roleInfo.getPermissions().length]; permissions = new Permission[roleInfo.getPermissions().length];
@ -392,7 +402,33 @@ public class RoleManagementServiceImpl implements RoleManagementService {
} }
} }
userStoreManager.addRole(roleInfo.getRoleName(), roleInfo.getUsers(), permissions); userStoreManager.addRole(roleInfo.getRoleName(), roleInfo.getUsers(), permissions);
authorizeRoleForAppmgt(roleInfo.getRoleName(), roleInfo.getPermissions()); try {
if (roleInfo.getPermissions() != null && roleInfo.getPermissions().length > 0) {
String finalRoleName = roleInfo.getRoleName();
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
final UserRealm userRealm = DeviceMgtAPIUtils.getUserRealm();
Thread thread = new Thread(new Runnable() {
@Override
public void run() {
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleInfo.getRoleName(),
RoleManagementServiceImpl.this.getPlatformUIPermissions(finalRoleName, userRealm, roleInfo.getPermissions()));
} catch (APIManagerPublisherException | UserAdminException e) {
log.error("Error Occurred while updating role scope mapping. ", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
});
thread.start();
}
} catch (UserStoreException e) {
String msg = "Error occurred while loading the user store.";
log.error(msg, e);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
}
//TODO fix what's returned in the entity //TODO fix what's returned in the entity
return Response.created(new URI(API_BASE_PATH + "/" + URLEncoder.encode(roleInfo.getRoleName(), "UTF-8"))). return Response.created(new URI(API_BASE_PATH + "/" + URLEncoder.encode(roleInfo.getRoleName(), "UTF-8"))).
@ -502,11 +538,10 @@ public class RoleManagementServiceImpl implements RoleManagementService {
final UserRealm userRealm = DeviceMgtAPIUtils.getUserRealm(); final UserRealm userRealm = DeviceMgtAPIUtils.getUserRealm();
final UserStoreManager userStoreManager = userRealm.getUserStoreManager(); final UserStoreManager userStoreManager = userRealm.getUserStoreManager();
if (!userStoreManager.isExistingRole(roleName)) { if (!userStoreManager.isExistingRole(roleName)) {
String msg = "No role exists with the name : " + roleName ; String msg = "No role exists with the name : " + roleName;
return Response.status(404).entity(msg).build(); return Response.status(404).entity(msg).build();
} }
final AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Updating the role to user store"); log.debug("Updating the role to user store");
} }
@ -528,31 +563,24 @@ public class RoleManagementServiceImpl implements RoleManagementService {
} }
if (roleInfo.getPermissions() != null) { if (roleInfo.getPermissions() != null) {
// Get all role permissions String finalRoleName = roleName;
final UIPermissionNode rolePermissions = this.getAllRolePermissions(roleName, userRealm); String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
List<String> permissions = new ArrayList<String>(); Thread thread = new Thread(new Runnable() {
final UIPermissionNode emmRolePermissions = (UIPermissionNode) this.getRolePermissions(roleName); @Override
List<String> emmConsolePermissions = new ArrayList<String>(); public void run() {
this.getAuthorizedPermissions(emmRolePermissions, emmConsolePermissions); try {
emmConsolePermissions.removeAll(new ArrayList<String>(Arrays.asList(roleInfo.getPermissions()))); PrivilegedCarbonContext.startTenantFlow();
this.getAuthorizedPermissions(rolePermissions, permissions); PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
for (String permission : roleInfo.getPermissions()) { DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleInfo.getRoleName(),
permissions.add(permission); RoleManagementServiceImpl.this.getPlatformUIPermissions(finalRoleName, userRealm, roleInfo.getPermissions()));
} } catch (APIManagerPublisherException | UserAdminException e) {
permissions.removeAll(emmConsolePermissions); log.error("Error Occurred while updating role scope mapping. ", e);
String[] allApplicablePerms = new String[permissions.size()]; } finally {
allApplicablePerms = permissions.toArray(allApplicablePerms); PrivilegedCarbonContext.endTenantFlow();
roleInfo.setPermissions(allApplicablePerms); }
// Delete all authorizations for the current role before authorizing the permission tree
authorizationManager.clearRoleAuthorization(roleName);
if (roleInfo.getPermissions().length > 0) {
for (int i = 0; i < roleInfo.getPermissions().length; i++) {
String permission = roleInfo.getPermissions()[i];
authorizationManager.authorizeRole(roleName, permission, CarbonConstants.UI_PERMISSION_ACTION);
} }
} });
authorizeRoleForAppmgt(roleName, roleInfo.getPermissions()); thread.start();
} }
//TODO: Need to send the updated role information in the entity back to the client //TODO: Need to send the updated role information in the entity back to the client
return Response.status(Response.Status.OK).entity("Role '" + roleInfo.getRoleName() + "' has " + return Response.status(Response.Status.OK).entity("Role '" + roleInfo.getRoleName() + "' has " +
@ -569,70 +597,12 @@ public class RoleManagementServiceImpl implements RoleManagementService {
String msg = "Role already exists with name : " + role + ". Try with another role name."; String msg = "Role already exists with name : " + role + ". Try with another role name.";
log.warn(msg); log.warn(msg);
return Response.status(Response.Status.CONFLICT).entity(msg).build(); return Response.status(Response.Status.CONFLICT).entity(msg).build();
}else{ } else {
String msg = "Error occurred while updating role '" + roleName + "'"; String msg = "Error occurred while updating role '" + roleName + "'";
log.error(msg, e); log.error(msg, e);
return Response.serverError().entity( return Response.serverError().entity(
new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build(); new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
} }
} catch (UserAdminException e) {
String msg = "Error occurred while updating permissions of the role '" + roleName + "'";
log.error(msg, e);
return Response.serverError().entity(
new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
}
}
/**
* When presented with role and a set of permissions, if given role has permission to
* perform mobile app management, said role will be given rights mobile app collection in the
* governance registry.
*
* @param role
* @param permissions
* @return state of role update Operation
*/
private boolean authorizeRoleForAppmgt(String role, String[] permissions) {
String permissionString =
"ra^true:rd^false:wa^true:wd^false:da^true:dd^false:aa^true:ad^false";
String resourcePath = "/_system/governance/mobileapps/";
boolean appmPermAvailable = false;
if (permissions != null) {
for (int i = 0; i < permissions.length; i++)
switch (permissions[i]) {
case "/permission/admin/manage/mobileapp":
appmPermAvailable = true;
break;
case "/permission/admin/manage/mobileapp/create":
appmPermAvailable = true;
break;
case "/permission/admin/manage/mobileapp/publish":
appmPermAvailable = true;
break;
}
}
if (appmPermAvailable) {
try {
Registry registry = CarbonContext.getThreadLocalCarbonContext().
getRegistry(RegistryType.SYSTEM_GOVERNANCE);
ChangeRolePermissionsUtil.changeRolePermissions((UserRegistry) registry,
resourcePath, role + ":" + permissionString);
return true;
} catch (Exception e) {
String msg = "Error while retrieving user registry in order to update permissions "
+ "for resource : " + resourcePath;
log.error(msg, e);
return false;
}
} else {
if (log.isDebugEnabled()) {
log.debug("Mobile App Management permissions not selected, therefore role : " +
role + " not given permission for registry collection : " + resourcePath);
}
return false;
} }
} }

@ -18,6 +18,7 @@
package io.entgra.device.mgt.core.device.mgt.api.jaxrs.util; package io.entgra.device.mgt.core.device.mgt.api.jaxrs.util;
import io.entgra.device.mgt.core.apimgt.webapp.publisher.APIPublisherService;
import io.entgra.device.mgt.core.application.mgt.common.services.ApplicationManager; import io.entgra.device.mgt.core.application.mgt.common.services.ApplicationManager;
import io.entgra.device.mgt.core.application.mgt.common.services.SubscriptionManager; import io.entgra.device.mgt.core.application.mgt.common.services.SubscriptionManager;
import org.apache.axis2.AxisFault; import org.apache.axis2.AxisFault;
@ -157,6 +158,8 @@ public class DeviceMgtAPIUtils {
private static volatile SubscriptionManager subscriptionManager; private static volatile SubscriptionManager subscriptionManager;
private static volatile ApplicationManager applicationManager; private static volatile ApplicationManager applicationManager;
private static volatile APIPublisherService apiPublisher;
static { static {
String keyStorePassword = ServerConfiguration.getInstance().getFirstProperty("Security.KeyStore.Password"); String keyStorePassword = ServerConfiguration.getInstance().getFirstProperty("Security.KeyStore.Password");
String trustStorePassword = ServerConfiguration.getInstance().getFirstProperty( String trustStorePassword = ServerConfiguration.getInstance().getFirstProperty(
@ -235,6 +238,24 @@ public class DeviceMgtAPIUtils {
return applicationManager; return applicationManager;
} }
public static APIPublisherService getApiPublisher() {
if (apiPublisher == null) {
synchronized (DeviceMgtAPIUtils.class) {
if (apiPublisher == null) {
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
apiPublisher =
(APIPublisherService) ctx.getOSGiService(APIPublisherService.class, null);
if (apiPublisher == null) {
String msg = "Application Manager service has not initialized.";
log.error(msg);
throw new IllegalStateException(msg);
}
}
}
}
return apiPublisher;
}
public static void scheduleTaskService(int notifierFrequency) { public static void scheduleTaskService(int notifierFrequency) {
TaskScheduleService taskScheduleService; TaskScheduleService taskScheduleService;
try { try {

@ -594,7 +594,7 @@ CREATE TABLE IF NOT EXISTS DM_METADATA (
METADATA_ID INT AUTO_INCREMENT NOT NULL, METADATA_ID INT AUTO_INCREMENT NOT NULL,
DATA_TYPE VARCHAR(16) NOT NULL, DATA_TYPE VARCHAR(16) NOT NULL,
METADATA_KEY VARCHAR(128) NOT NULL, METADATA_KEY VARCHAR(128) NOT NULL,
METADATA_VALUE VARCHAR(8000) NOT NULL, METADATA_VALUE VARCHAR(20000) NOT NULL,
TENANT_ID INTEGER NOT NULL, TENANT_ID INTEGER NOT NULL,
PRIMARY KEY (METADATA_ID), PRIMARY KEY (METADATA_ID),
CONSTRAINT METADATA_KEY_TENANT_ID UNIQUE (METADATA_KEY, TENANT_ID) CONSTRAINT METADATA_KEY_TENANT_ID UNIQUE (METADATA_KEY, TENANT_ID)

Loading…
Cancel
Save