From 9011273ff4b2531b0d46b091491586980f5175d1 Mon Sep 17 00:00:00 2001 From: Charitha Goonetilleke Date: Tue, 12 Sep 2023 11:55:29 +0530 Subject: [PATCH] Apply role permission mapping along with scope role mapping --- .../pom.xml | 2 +- .../publisher/APIPublisherServiceImpl.java | 75 ++++++++++++++++--- .../internal/APIPublisherDataHolder.java | 24 ++++++ 3 files changed, 90 insertions(+), 11 deletions(-) diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml index e108eb7fb1..876a269e11 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml @@ -187,6 +187,7 @@ io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.util, org.wso2.carbon.base;version="1.0", org.wso2.carbon.context;version="4.6", + org.wso2.carbon;version="4.6", org.wso2.carbon.core;version="4.6", org.wso2.carbon.core.util;version="4.6", org.wso2.carbon.registry.core.service;version="1.0", @@ -195,7 +196,6 @@ org.wso2.carbon.user.core.tenant;version="4.6", org.wso2.carbon.utils;version="4.6", org.wso2.carbon.utils.multitenancy;version="4.6", - org.wso2.carbon.apimgt.impl.definitions, org.apache.commons.lang, org.json diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java index 61196a1da0..e815b5877a 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java @@ -38,23 +38,24 @@ import io.entgra.device.mgt.core.apimgt.webapp.publisher.config.WebappPublisherC import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiScope; import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiUriTemplate; import io.entgra.device.mgt.core.apimgt.webapp.publisher.exception.APIManagerPublisherException; +import io.entgra.device.mgt.core.apimgt.webapp.publisher.internal.APIPublisherDataHolder; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.json.JSONArray; import org.json.JSONObject; +import org.wso2.carbon.CarbonConstants; import org.wso2.carbon.apimgt.api.APIManagementException; import org.wso2.carbon.apimgt.api.APIProvider; import org.wso2.carbon.apimgt.api.model.APIIdentifier; import org.wso2.carbon.apimgt.impl.APIConstants; import org.wso2.carbon.apimgt.impl.APIManagerFactory; import org.wso2.carbon.apimgt.impl.utils.APIUtil; -import io.entgra.device.mgt.core.apimgt.webapp.publisher.config.WebappPublisherConfig; -import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiScope; -import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiUriTemplate; -import io.entgra.device.mgt.core.apimgt.webapp.publisher.exception.APIManagerPublisherException; import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.user.api.AuthorizationManager; +import org.wso2.carbon.user.api.Permission; import org.wso2.carbon.user.api.UserStoreException; +import org.wso2.carbon.user.api.UserStoreManager; import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.tenant.Tenant; import org.wso2.carbon.user.core.tenant.TenantSearchResult; @@ -454,6 +455,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { log.error(errorMsg, e); throw new APIManagerPublisherException(e); } + UserStoreManager userStoreManager; try { for (String tenantDomain : tenants) { @@ -466,20 +468,40 @@ public class APIPublisherServiceImpl implements APIPublisherService { String fileName = CarbonUtils.getCarbonConfigDirPath() + File.separator + "etc" + File.separator + tenantDomain + ".csv"; + try { + userStoreManager = APIPublisherDataHolder.getInstance().getUserStoreManager(); + } catch (UserStoreException e) { + log.error("Unable to retrieve user store manager for tenant: " + tenantDomain); + return; + } if (Files.exists(Paths.get(fileName))) { BufferedReader br = new BufferedReader(new FileReader(fileName)); int lineNumber = 0; Map roles = new HashMap<>(); - String line = ""; + Map> rolePermissions = new HashMap<>(); + String line; String splitBy = ","; - while ((line = br.readLine()) != null) //returns a Boolean value - { + while ((line = br.readLine()) != null) { //returns a Boolean value lineNumber++; String[] scopeMapping = line.split(splitBy); // use comma as separator + String role; if (lineNumber == 1) { // skip titles - for (int i = 0; i < scopeMapping.length; i++) { - if (i > 3) { - roles.put(i, scopeMapping[i]); // add roles to the map + for (int i = 4; i < scopeMapping.length; i++) { + role = scopeMapping[i]; + roles.put(i, role); // add roles to the map + if (!"admin".equals(role)) { + try { + if (!userStoreManager.isExistingRole(role)) { + try { + addRole(role); + } catch (UserStoreException e) { + log.error("Error occurred when adding new role: " + role, e); + } + } + } catch (UserStoreException e) { + log.error("Error occurred when checking the existence of role: " + role, e); + } + rolePermissions.put(role, new ArrayList<>()); } } continue; @@ -494,11 +516,15 @@ public class APIPublisherServiceImpl implements APIPublisherService { scopeMapping[2] != null ? StringUtils.trim(scopeMapping[2]) : StringUtils.EMPTY); // scope.setPermissions( // scopeMapping[3] != null ? StringUtils.trim(scopeMapping[3]) : StringUtils.EMPTY); + String permission = scopeMapping[3] != null ? StringUtils.trim(scopeMapping[3]) : StringUtils.EMPTY; String roleString = ""; for (int i = 4; i < scopeMapping.length; i++) { if (scopeMapping[i] != null && StringUtils.trim(scopeMapping[i]).equals("Yes")) { roleString = roleString + "," + roles.get(i); + if (rolePermissions.containsKey(roles.get(i)) && StringUtils.isNotEmpty(permission)) { + rolePermissions.get(roles.get(i)).add(permission); + } } } if (roleString.length() > 1) { @@ -532,6 +558,13 @@ public class APIPublisherServiceImpl implements APIPublisherService { } } } + for (String role : rolePermissions.keySet()) { + try { + updatePermissions(role, rolePermissions.get(role)); + } catch (UserStoreException e) { + log.error("Error occurred when adding permissions to role: " + role, e); + } + } } } catch (IOException | DirectoryIteratorException ex) { log.error("failed to read scopes from file.", ex); @@ -560,6 +593,28 @@ public class APIPublisherServiceImpl implements APIPublisherService { } } + private void updatePermissions(String role, List permissions) throws UserStoreException { + AuthorizationManager authorizationManager = APIPublisherDataHolder.getInstance().getUserRealm() + .getAuthorizationManager(); + if (log.isDebugEnabled()) { + log.debug("Updating the role '" + role + "'"); + } + if (permissions != null && !permissions.isEmpty()) { + authorizationManager.clearRoleAuthorization(role); + for (String permission : permissions) { + authorizationManager.authorizeRole(role, permission, CarbonConstants.UI_PERMISSION_ACTION); + } + } + } + + private void addRole(String role) throws UserStoreException { + UserStoreManager userStoreManager = APIPublisherDataHolder.getInstance().getUserStoreManager(); + if (log.isDebugEnabled()) { + log.debug("Persisting the role " + role + " in the underlying user store"); + } + userStoreManager.addRole(role, new String[]{"admin"}, new Permission[0]); + } + private APIInfo getAPI(APIConfig config, boolean includeScopes) { APIInfo apiInfo = new APIInfo(); diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/internal/APIPublisherDataHolder.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/internal/APIPublisherDataHolder.java index bc7b8af32c..4b47f8ba0f 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/internal/APIPublisherDataHolder.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/internal/APIPublisherDataHolder.java @@ -19,7 +19,12 @@ package io.entgra.device.mgt.core.apimgt.webapp.publisher.internal; import io.entgra.device.mgt.core.apimgt.webapp.publisher.APIConfig; import io.entgra.device.mgt.core.apimgt.webapp.publisher.APIPublisherService; +import org.wso2.carbon.context.CarbonContext; +import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.registry.core.service.RegistryService; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; +import org.wso2.carbon.user.api.UserStoreManager; import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.tenant.TenantManager; import org.wso2.carbon.utils.ConfigurationContextService; @@ -79,6 +84,25 @@ public class APIPublisherDataHolder { realmService.getTenantManager() : null); } + public UserStoreManager getUserStoreManager() throws UserStoreException { + if (realmService == null) { + String msg = "Realm service has not initialized."; + throw new IllegalStateException(msg); + } + int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(); + return realmService.getTenantUserRealm(tenantId).getUserStoreManager(); + } + + public UserRealm getUserRealm() throws UserStoreException { + UserRealm realm; + if (realmService == null) { + throw new IllegalStateException("Realm service not initialized"); + } + int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId(); + realm = realmService.getTenantUserRealm(tenantId); + return realm; + } + private void setTenantManager(TenantManager tenantManager) { this.tenantManager = tenantManager; }