Merge branch 'support-4.1.15' into 'support-4.1.15'

Allow users with CDM Admin permission to retrieve activities See merge request entgra-support/support-carbon-device-mgt!73
3 years ago · a0c953d027
parent 58959705c6 bb8ffe0f5e
commit a0c953d027
2 changed files with 37 additions and 10 deletions
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java
@ -66,7 +66,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
                                @HeaderParam("If-Modified-Since") String ifModifiedSince) {
        Activity activity;
        DeviceManagementProviderService dmService;
-        Response response = validateAdminUser();
+        Response response = validateAdminPermission();
        if (response == null) {
            try {
                RequestValidationUtil.validateActivityId(id);
@ -103,7 +103,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
            return Response.status(400).entity(
                    new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
        }
-        Response validationFailedResponse = validateAdminUser();
+        Response validationFailedResponse = validateAdminPermission();
        if (validationFailedResponse == null) {
            List<Activity> activities;
            ActivityList activityList = new ActivityList();
@ -184,7 +184,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
            log.debug("getActivities -> Operation Code : " +operationCode+ "offset " + offset + " limit: " + limit );
        }
        RequestValidationUtil.validatePaginationParameters(offset, limit);
-        Response response = validateAdminUser();
+        Response response = validateAdminPermission();
        if(response == null){
            List<Activity> activities;
            ActivityList activityList = new ActivityList();
@ -272,7 +272,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
        if (log.isDebugEnabled()) {
            log.debug("getActivities final timestamp " + timestamp);
        }
-        Response response = validateAdminUser();
+        Response response = validateAdminPermission();
        if (response == null) {
            ActivityList activityList = new ActivityList();
            DeviceManagementProviderService dmService;
@ -330,19 +330,21 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
        }
    }

-    private Response validateAdminUser(){
+    private Response validateAdminPermission() {
+        //TODO: also check initiated by field to check current user has added the operation, if so allow access.
        try {
-            if (!DeviceMgtAPIUtils.isAdmin()) {
-                return Response.status(Response.Status.UNAUTHORIZED).entity("Unauthorized operation! Only admin role can perform " +
-                        "this operation.").build();
+            if (!DeviceMgtAPIUtils.isAdminUser()) {
+                return Response.status(Response.Status.UNAUTHORIZED)
+                        .entity("Unauthorized operation! Only users with CDM ADMIN PERMISSION " +
+                                "can perform this operation.").build();
            }
            return null;
        } catch (UserStoreException e) {
-            String msg
-                    = "Error occurred while validating the user have admin role!";
+            String msg = "Error occurred while validating the user have admin permission!";
            log.error(msg, e);
            return Response.serverError().entity(
                    new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
        }
    }
+
 }
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java
@ -45,6 +45,7 @@ import org.apache.commons.httpclient.protocol.Protocol;
 import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.analytics.stream.persistence.stub.EventStreamPersistenceAdminServiceStub;
 import org.wso2.carbon.apimgt.integration.client.service.IntegrationClientService;
 import org.wso2.carbon.base.ServerConfiguration;
@ -84,6 +85,8 @@ import org.wso2.carbon.device.mgt.common.spi.OTPManagementService;
 import org.wso2.carbon.device.mgt.core.app.mgt.ApplicationManagementProviderService;
 import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager;
 import org.wso2.carbon.device.mgt.core.dto.DeviceTypeVersion;
+import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder;
+import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
 import org.wso2.carbon.device.mgt.core.privacy.PrivacyComplianceProvider;
 import org.wso2.carbon.device.mgt.core.search.mgt.SearchManagerService;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
@ -144,6 +147,7 @@ import java.util.Queue;
 */
 public class DeviceMgtAPIUtils {

+    private final static String CDM_ADMIN_PERMISSION = "/device-mgt/devices/any-device/permitted-actions-under-owning-device";
    private static final String NOTIFIER_FREQUENCY = "notifierFrequency";
    private static final String STREAM_DEFINITION_PREFIX = "iot.per.device.stream.";
    private static final String DEFAULT_HTTP_PROTOCOL = "https";
@ -885,6 +889,27 @@ public class DeviceMgtAPIUtils {
        return false;
    }

+    public static boolean isAdminUser() throws UserStoreException {
+        int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(true);
+        String userName = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
+        UserRealm userRealm = DeviceMgtAPIUtils.getRealmService().getTenantUserRealm(tenantId);
+        if (userRealm != null && userRealm.getAuthorizationManager() != null) {
+            return userRealm.getAuthorizationManager()
+                    .isUserAuthorized(removeTenantDomain(userName),
+                            PermissionUtils.getAbsolutePermissionPath(CDM_ADMIN_PERMISSION),
+                            CarbonConstants.UI_PERMISSION_ACTION);
+        }
+        return false;
+    }
+
+    private static String removeTenantDomain(String username) {
+        String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+        if (username.endsWith(tenantDomain)) {
+            return username.substring(0, username.lastIndexOf("@"));
+        }
+        return username;
+    }
+
    public static DeviceTypeVersion convertDeviceTypeVersionWrapper(String deviceTypeName, int deviceTypeId,
            DeviceTypeVersionWrapper deviceTypeVersion) {
        DeviceTypeVersion typeVersion = new DeviceTypeVersion();