Allow users with CDM Admin permission to retrieve activities

temp
Charitha Goonetilleke 3 years ago
parent 3fea6f79c7
commit 6f008ea65f

@ -66,7 +66,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
@HeaderParam("If-Modified-Since") String ifModifiedSince) { @HeaderParam("If-Modified-Since") String ifModifiedSince) {
Activity activity; Activity activity;
DeviceManagementProviderService dmService; DeviceManagementProviderService dmService;
Response response = validateAdminUser(); Response response = validateAdminPermission();
if (response == null) { if (response == null) {
try { try {
RequestValidationUtil.validateActivityId(id); RequestValidationUtil.validateActivityId(id);
@ -103,7 +103,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
return Response.status(400).entity( return Response.status(400).entity(
new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build(); new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
} }
Response validationFailedResponse = validateAdminUser(); Response validationFailedResponse = validateAdminPermission();
if (validationFailedResponse == null) { if (validationFailedResponse == null) {
List<Activity> activities; List<Activity> activities;
ActivityList activityList = new ActivityList(); ActivityList activityList = new ActivityList();
@ -184,7 +184,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
log.debug("getActivities -> Operation Code : " +operationCode+ "offset " + offset + " limit: " + limit ); log.debug("getActivities -> Operation Code : " +operationCode+ "offset " + offset + " limit: " + limit );
} }
RequestValidationUtil.validatePaginationParameters(offset, limit); RequestValidationUtil.validatePaginationParameters(offset, limit);
Response response = validateAdminUser(); Response response = validateAdminPermission();
if(response == null){ if(response == null){
List<Activity> activities; List<Activity> activities;
ActivityList activityList = new ActivityList(); ActivityList activityList = new ActivityList();
@ -272,7 +272,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("getActivities final timestamp " + timestamp); log.debug("getActivities final timestamp " + timestamp);
} }
Response response = validateAdminUser(); Response response = validateAdminPermission();
if (response == null) { if (response == null) {
ActivityList activityList = new ActivityList(); ActivityList activityList = new ActivityList();
DeviceManagementProviderService dmService; DeviceManagementProviderService dmService;
@ -330,19 +330,21 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
} }
} }
private Response validateAdminUser(){ private Response validateAdminPermission() {
//TODO: also check initiated by field to check current user has added the operation, if so allow access.
try { try {
if (!DeviceMgtAPIUtils.isAdmin()) { if (!DeviceMgtAPIUtils.isAdminUser()) {
return Response.status(Response.Status.UNAUTHORIZED).entity("Unauthorized operation! Only admin role can perform " + return Response.status(Response.Status.UNAUTHORIZED)
"this operation.").build(); .entity("Unauthorized operation! Only users with CDM ADMIN PERMISSION " +
"can perform this operation.").build();
} }
return null; return null;
} catch (UserStoreException e) { } catch (UserStoreException e) {
String msg String msg = "Error occurred while validating the user have admin permission!";
= "Error occurred while validating the user have admin role!";
log.error(msg, e); log.error(msg, e);
return Response.serverError().entity( return Response.serverError().entity(
new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build(); new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
} }
} }
} }
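Review bot: In `validateAdminPermission()` the denial path still answers with `Response.Status.UNAUTHORIZED` (401), although the caller reaching this check appears to be authenticated already and only lacks the permission. `Response.status(Response.Status.FORBIDDEN)` is the accurate status and keeps clients from treating the refusal as a request to re-send credentials. The denial entity is also a bare string, while the `UserStoreException` path just below wraps its message in `ErrorResponse.ErrorResponseBuilder`; building both the same way would give callers one error shape. The TODO about the initiated-by field is left open, so access to activities stays all-or-nothing on this one permission check.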

@ -36,6 +36,7 @@
package org.wso2.carbon.device.mgt.jaxrs.util; package org.wso2.carbon.device.mgt.jaxrs.util;
import io.entgra.application.mgt.common.services.ApplicationManager; import io.entgra.application.mgt.common.services.ApplicationManager;
import io.entgra.application.mgt.common.services.SubscriptionManager;
import org.apache.axis2.AxisFault; import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options; import org.apache.axis2.client.Options;
import org.apache.axis2.java.security.SSLProtocolSocketFactory; import org.apache.axis2.java.security.SSLProtocolSocketFactory;
@ -46,13 +47,13 @@ import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory; import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.analytics.api.AnalyticsDataAPI; import org.wso2.carbon.analytics.api.AnalyticsDataAPI;
import org.wso2.carbon.analytics.stream.persistence.stub.EventStreamPersistenceAdminServiceStub; import org.wso2.carbon.analytics.stream.persistence.stub.EventStreamPersistenceAdminServiceStub;
import org.wso2.carbon.base.ServerConfiguration; import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.Utils; import org.wso2.carbon.core.util.Utils;
import io.entgra.application.mgt.common.services.SubscriptionManager;
import org.wso2.carbon.device.mgt.common.Device; import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier; import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.EnrolmentInfo; import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
@ -81,6 +82,7 @@ import org.wso2.carbon.device.mgt.common.spi.OTPManagementService;
import org.wso2.carbon.device.mgt.core.app.mgt.ApplicationManagementProviderService; import org.wso2.carbon.device.mgt.core.app.mgt.ApplicationManagementProviderService;
import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager; import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager;
import org.wso2.carbon.device.mgt.core.dto.DeviceTypeVersion; import org.wso2.carbon.device.mgt.core.dto.DeviceTypeVersion;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.device.mgt.core.privacy.PrivacyComplianceProvider; import org.wso2.carbon.device.mgt.core.privacy.PrivacyComplianceProvider;
import org.wso2.carbon.device.mgt.core.search.mgt.SearchManagerService; import org.wso2.carbon.device.mgt.core.search.mgt.SearchManagerService;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
@ -141,6 +143,7 @@ import java.util.Queue;
*/ */
public class DeviceMgtAPIUtils { public class DeviceMgtAPIUtils {
private final static String CDM_ADMIN_PERMISSION = "/device-mgt/devices/any-device/permitted-actions-under-owning-device";
private static final String NOTIFIER_FREQUENCY = "notifierFrequency"; private static final String NOTIFIER_FREQUENCY = "notifierFrequency";
private static final String STREAM_DEFINITION_PREFIX = "iot.per.device.stream."; private static final String STREAM_DEFINITION_PREFIX = "iot.per.device.stream.";
private static final String DEFAULT_HTTP_PROTOCOL = "https"; private static final String DEFAULT_HTTP_PROTOCOL = "https";
@ -873,6 +876,27 @@ public class DeviceMgtAPIUtils {
return false; return false;
} }
public static boolean isAdminUser() throws UserStoreException {
int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(true);
String userName = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
UserRealm userRealm = DeviceMgtAPIUtils.getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
return userRealm.getAuthorizationManager()
.isUserAuthorized(removeTenantDomain(userName),
PermissionUtils.getAbsolutePermissionPath(CDM_ADMIN_PERMISSION),
CarbonConstants.UI_PERMISSION_ACTION);
}
return false;
}
private static String removeTenantDomain(String username) {
String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
if (username.endsWith(tenantDomain)) {
return username.substring(0, username.lastIndexOf("@"));
}
return username;
}
public static DeviceTypeVersion convertDeviceTypeVersionWrapper(String deviceTypeName, int deviceTypeId, public static DeviceTypeVersion convertDeviceTypeVersionWrapper(String deviceTypeName, int deviceTypeId,
DeviceTypeVersionWrapper deviceTypeVersion) { DeviceTypeVersionWrapper deviceTypeVersion) {
DeviceTypeVersion typeVersion = new DeviceTypeVersion(); DeviceTypeVersion typeVersion = new DeviceTypeVersion();
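Review bot: `removeTenantDomain()` cuts at the last `@` whenever the username merely ends with the tenant domain text, so the name that `isAdminUser()` passes to `isUserAuthorized` can differ from the authenticated user. If the context username can arrive without the tenant suffix, an e-mail style name in the same domain (constructed example: `alice@example.com` in tenant `example.com`) would be checked as `alice`. A name that ends with the domain text but contains no `@` makes `substring(0, -1)` throw. Neither `getUsername()` nor `getTenantDomain()` is null-checked, so a null there turns the permission check into a NullPointerException instead of a denial. I would match on the separator and cut by length, `if (username != null && tenantDomain != null && username.endsWith("@" + tenantDomain)) { return username.substring(0, username.length() - tenantDomain.length() - 1); }`, and return `false` from `isAdminUser()` when the username is null.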
