forked from community/device-mgt-core
scope-role-permission refactoring and webapp authorization See merge request entgra/carbon-device-mgt!781kernel-4.6.x
commit
dc1350a565
@ -0,0 +1,64 @@
|
||||
/*
|
||||
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package org.wso2.carbon.device.mgt.core.cache;
|
||||
|
||||
import java.util.Objects;
|
||||
|
||||
public class APIResourcePermissionCacheKey {
|
||||
|
||||
private String context;
|
||||
private volatile int hashCode;
|
||||
|
||||
public APIResourcePermissionCacheKey(String context) {
|
||||
this.context = context;
|
||||
}
|
||||
|
||||
|
||||
public String getContext() {
|
||||
return context;
|
||||
}
|
||||
|
||||
public void setContext(String context) {
|
||||
this.context = context;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean equals(Object obj) {
|
||||
if (obj == null) {
|
||||
return false;
|
||||
}
|
||||
if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) {
|
||||
return false;
|
||||
}
|
||||
final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj;
|
||||
String thisId = this.context;
|
||||
String otherId = other.context;
|
||||
if (!thisId.equals(otherId)) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
if (hashCode == 0) {
|
||||
hashCode = Objects.hash(context);
|
||||
}
|
||||
return hashCode;
|
||||
}
|
||||
}
|
@ -0,0 +1,31 @@
|
||||
/*
|
||||
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package org.wso2.carbon.device.mgt.core.cache;
|
||||
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
public interface APIResourcePermissionCacheManager {
|
||||
|
||||
void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
|
||||
|
||||
void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
|
||||
|
||||
List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey);
|
||||
}
|
@ -0,0 +1,84 @@
|
||||
/*
|
||||
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package org.wso2.carbon.device.mgt.core.cache.impl;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
||||
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
|
||||
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager;
|
||||
import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
|
||||
|
||||
import javax.cache.Cache;
|
||||
import java.util.List;
|
||||
|
||||
public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager {
|
||||
|
||||
|
||||
private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class);
|
||||
|
||||
private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager;
|
||||
|
||||
private APIResourcePermissionCacheManagerImpl() {
|
||||
}
|
||||
|
||||
public static APIResourcePermissionCacheManagerImpl getInstance() {
|
||||
if (apiResourceCacgeManager == null) {
|
||||
synchronized (APIResourcePermissionCacheManagerImpl.class) {
|
||||
if (apiResourceCacgeManager == null) {
|
||||
apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl();
|
||||
}
|
||||
}
|
||||
}
|
||||
return apiResourceCacgeManager;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
|
||||
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
|
||||
if (lCache != null) {
|
||||
if (lCache.containsKey(cacheKey)) {
|
||||
this.updateAPIResourcePermissionInCache(cacheKey, permissions);
|
||||
} else {
|
||||
lCache.put(cacheKey, permissions);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
|
||||
|
||||
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
|
||||
if (lCache != null) {
|
||||
if (lCache.containsKey(cacheKey)) {
|
||||
lCache.replace(cacheKey, permissions);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) {
|
||||
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
|
||||
if (lCache != null) {
|
||||
return lCache.get(cacheKey);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}
|
@ -0,0 +1,65 @@
|
||||
/*
|
||||
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package org.wso2.carbon.device.mgt.core.internal;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.core.ServerStartupObserver;
|
||||
import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
|
||||
import org.wso2.carbon.user.api.UserStoreException;
|
||||
import org.wso2.carbon.user.api.UserStoreManager;
|
||||
import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
|
||||
|
||||
public class UserRoleCreateObserver implements ServerStartupObserver {
|
||||
private static final Log log = LogFactory.getLog(UserRoleCreateObserver.class);
|
||||
@Override
|
||||
public void completingServerStartup() {
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public void completedServerStartup() {
|
||||
String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
|
||||
String tenantAdminName = "admin";
|
||||
|
||||
try {
|
||||
UserStoreManager userStoreManager =
|
||||
DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(
|
||||
MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager();
|
||||
userStoreManager.addRole(
|
||||
DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN,
|
||||
new String[]{tenantAdminName},
|
||||
DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN);
|
||||
userStoreManager.addRole(
|
||||
DeviceManagementConstants.User.DEFAULT_DEVICE_USER,
|
||||
new String[]{tenantAdminName},
|
||||
DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER);
|
||||
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Device management roles: " + DeviceManagementConstants.User.DEFAULT_DEVICE_USER + ", " +
|
||||
DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN + " created for the tenant:" + tenantDomain + "."
|
||||
);
|
||||
log.debug("Tenant administrator: " + tenantAdminName + "@" + tenantDomain +
|
||||
" is assigned to the role:" + DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN + "."
|
||||
);
|
||||
}
|
||||
} catch (UserStoreException e) {
|
||||
log.error("Error occurred while creating roles for the tenant: " + tenantDomain + ".");
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,30 @@
|
||||
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||
|
||||
/**
|
||||
* Created by amalka on 6/26/21.
|
||||
*/
|
||||
public class MatchingResource {
|
||||
private String urlPattern;
|
||||
private String permission;
|
||||
|
||||
public MatchingResource(String urlPattern, String permission) {
|
||||
this.urlPattern = urlPattern;
|
||||
this.permission = permission;
|
||||
}
|
||||
|
||||
public String getUrlPattern() {
|
||||
return urlPattern;
|
||||
}
|
||||
|
||||
public void setUrlPattern(String urlPattern) {
|
||||
this.urlPattern = urlPattern;
|
||||
}
|
||||
|
||||
public String getPermission() {
|
||||
return permission;
|
||||
}
|
||||
|
||||
public void setPermission(String permission) {
|
||||
this.permission = permission;
|
||||
}
|
||||
}
|
@ -0,0 +1,143 @@
|
||||
/*
|
||||
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||
* Version 2.0 (the "License"); you may not use this file except
|
||||
* in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||
|
||||
import org.apache.catalina.connector.Request;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
|
||||
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
|
||||
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
|
||||
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.StringTokenizer;
|
||||
|
||||
public class PermissionAuthorizer {
|
||||
|
||||
private static final Log log = LogFactory.getLog(PermissionAuthorizer.class);
|
||||
|
||||
public static WebappAuthenticator.Status authorize(Request request, AuthenticationInfo authenticationInfo) {
|
||||
String requestUri = request.getRequestURI();
|
||||
String requestMethod = request.getMethod();
|
||||
String context = request.getContextPath();
|
||||
|
||||
if (requestUri == null || requestUri.isEmpty() || requestMethod == null || requestMethod.isEmpty()) {
|
||||
return WebappAuthenticator.Status.CONTINUE;
|
||||
}
|
||||
|
||||
PermissionManagerService registryBasedPermissionManager =
|
||||
PermissionManagerServiceImpl.getInstance();
|
||||
List<Permission> matchingPermissions = null;
|
||||
try {
|
||||
matchingPermissions = registryBasedPermissionManager.getPermission(context);
|
||||
} catch (PermissionManagementException e) {
|
||||
log.error(
|
||||
"Error occurred while fetching the permission for URI : " + requestUri +
|
||||
", msg = " + e.getMessage());
|
||||
}
|
||||
|
||||
if (matchingPermissions == null) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
|
||||
}
|
||||
return WebappAuthenticator.Status.FAILURE;
|
||||
}
|
||||
|
||||
String requiredPermission = null;
|
||||
List<MatchingResource> matchingResources = new ArrayList<>();
|
||||
for (Permission permission : matchingPermissions) {
|
||||
if (requestMethod.equals(permission.getMethod()) && requestUri.matches(permission.getUrlPattern())) {
|
||||
if (requestUri.equals(permission.getUrl())) { // is there a exact match
|
||||
requiredPermission = permission.getPath();
|
||||
break;
|
||||
} else { // all templated urls add to a list
|
||||
matchingResources.add(new MatchingResource(permission.getUrlPattern().replace(context, ""), permission.getPath()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (requiredPermission == null) {
|
||||
if (matchingResources.size() == 1) { // only 1 templated url found
|
||||
requiredPermission = matchingResources.get(0).getPermission();
|
||||
}
|
||||
|
||||
if (matchingResources.size() > 1) { // more than 1 templated urls found
|
||||
String urlWithoutContext = requestUri.replace(context, "");
|
||||
StringTokenizer st = new StringTokenizer(urlWithoutContext, "/");
|
||||
int tokenPosition = 1;
|
||||
while (st.hasMoreTokens()) {
|
||||
List<MatchingResource> tempList = new ArrayList<>();
|
||||
String currentToken = st.nextToken();
|
||||
for (MatchingResource matchingResource : matchingResources) {
|
||||
StringTokenizer stmr = new StringTokenizer(matchingResource.getUrlPattern(), "/");
|
||||
int internalTokenPosition = 1;
|
||||
while (stmr.hasMoreTokens()) {
|
||||
String internalToken = stmr.nextToken();
|
||||
if ((tokenPosition == internalTokenPosition) && currentToken.equals(internalToken)) {
|
||||
tempList.add(matchingResource);
|
||||
}
|
||||
internalTokenPosition++;
|
||||
if (tokenPosition < internalTokenPosition) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (tempList.size() == 1) {
|
||||
requiredPermission = tempList.get(0).getPermission();
|
||||
break;
|
||||
}
|
||||
tokenPosition++;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (requiredPermission == null) {
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Matching permission not found for " + requestUri);
|
||||
}
|
||||
return WebappAuthenticator.Status.FAILURE;
|
||||
}
|
||||
|
||||
boolean isUserAuthorized;
|
||||
try {
|
||||
isUserAuthorized = AuthenticationFrameworkUtil.isUserAuthorized(
|
||||
authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
|
||||
authenticationInfo.getUsername(), requiredPermission);
|
||||
} catch (AuthenticationException e) {
|
||||
log.error("Error occurred while retrieving user store. " + e.getMessage());
|
||||
return WebappAuthenticator.Status.FAILURE;
|
||||
}
|
||||
|
||||
if (isUserAuthorized) {
|
||||
return WebappAuthenticator.Status.SUCCESS;
|
||||
} else {
|
||||
return WebappAuthenticator.Status.FAILURE;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
Loading…
Reference in new issue