Added scope validator and refactored code

9 years ago · 77f5f466d6
parent 648d8ec209
commit 77f5f466d6
14 changed files with 62 additions and 127 deletions
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/Permission.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/Permission.java
@ -55,7 +55,7 @@ public class Permission {
        return scope;
    }

-    @XmlElement(name = "scope", required = true)
+    @XmlElement(name = "scope", required = false)
 	public void setScope(String scope) {
 		this.scope = scope;
 	}
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/PermissionManagementException.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/PermissionManagementException.java
@ -17,6 +17,9 @@
 */
 package org.wso2.carbon.device.mgt.common.permission.mgt;

+/**
+ * Custom exception class of Permission related operations.
+ */
 public class PermissionManagementException extends Exception {

    private static final long serialVersionUID = -3151279311929070298L;
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/lifecycle/WebAppDeploymentLifecycleListener.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/lifecycle/WebAppDeploymentLifecycleListener.java
@ -26,7 +26,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
 import org.wso2.carbon.device.mgt.core.config.permission.PermissionConfiguration;
-import org.wso2.carbon.device.mgt.core.permission.mgt.RegistryBasedPermissionManagerServiceImpl;
+import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;

 import javax.servlet.ServletContext;
 import javax.xml.bind.JAXBContext;
@ -35,6 +35,10 @@ import javax.xml.bind.Unmarshaller;
 import java.io.File;
 import java.io.InputStream;

+/**
+ * This listener class will initiate the permission addition of permissions defined in
+ * permission.xml of any web-app.
+ */
@SuppressWarnings("unused")
 public class WebAppDeploymentLifecycleListener implements LifecycleListener {

@ -56,7 +60,7 @@ public class WebAppDeploymentLifecycleListener implements LifecycleListener {
 							unmarshaller.unmarshal(permissionStream);
 					if (permissionConfiguration != null &&
 					    permissionConfiguration.getPermissions() != null) {
-						RegistryBasedPermissionManagerServiceImpl.getInstance().addPermissions(
+						PermissionManagerServiceImpl.getInstance().addPermissions(
 								permissionConfiguration.getPermissions());
 					}
 				}
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java
@ -45,7 +45,7 @@ import org.wso2.carbon.device.mgt.core.notification.mgt.NotificationManagementSe
 import org.wso2.carbon.device.mgt.core.notification.mgt.dao.NotificationManagementDAOFactory;
 import org.wso2.carbon.device.mgt.core.operation.mgt.OperationManagerImpl;
 import org.wso2.carbon.device.mgt.core.operation.mgt.dao.OperationManagementDAOFactory;
-import org.wso2.carbon.device.mgt.core.permission.mgt.RegistryBasedPermissionManagerServiceImpl;
+import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderServiceImpl;
 import org.wso2.carbon.device.mgt.core.util.DeviceManagementSchemaInitializer;
@ -191,7 +191,7 @@ public class DeviceManagementServiceComponent {

        /* Registering PermissionManager Service */
        PermissionManagerService permissionManagerService
-                = RegistryBasedPermissionManagerServiceImpl.getInstance();
+                = PermissionManagerServiceImpl.getInstance();
        bundleContext.registerService(PermissionManagerService.class.getName(), permissionManagerService, null);

 	     /* Registering App Management service */
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/RegistryBasedPermissionManagerServiceImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/RegistryBasedPermissionManagerServiceImpl.java
@ -29,21 +29,21 @@ import java.util.Properties;
 * This class will add, update custom permissions defined in permission.xml in webapps and it will
 * use Registry as the persistence storage.
 */
-public class RegistryBasedPermissionManagerServiceImpl implements PermissionManagerService {
+public class PermissionManagerServiceImpl implements PermissionManagerService {

    public static final String URL_PROPERTY = "URL";
    public static final String HTTP_METHOD_PROPERTY = "HTTP_METHOD";
-    private static RegistryBasedPermissionManagerServiceImpl registryBasedPermissionManager;
+    private static PermissionManagerServiceImpl registryBasedPermissionManager;
    private static PermissionTree permissionTree; // holds the permissions at runtime.

-    private RegistryBasedPermissionManagerServiceImpl() {
+    private PermissionManagerServiceImpl() {
    }

-    public static RegistryBasedPermissionManagerServiceImpl getInstance() {
+    public static PermissionManagerServiceImpl getInstance() {
        if (registryBasedPermissionManager == null) {
-            synchronized (RegistryBasedPermissionManagerServiceImpl.class) {
+            synchronized (PermissionManagerServiceImpl.class) {
                if (registryBasedPermissionManager == null) {
-                    registryBasedPermissionManager = new RegistryBasedPermissionManagerServiceImpl();
+                    registryBasedPermissionManager = new PermissionManagerServiceImpl();
                    permissionTree = new PermissionTree();
                }
            }
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionUtils.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionUtils.java
@ -31,6 +31,7 @@ import org.wso2.carbon.registry.core.Registry;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import java.io.File;
+import java.util.StringTokenizer;

 /**
 * Utility class which holds necessary utility methods required for persisting permissions in
@ -71,12 +72,16 @@ public class PermissionUtils {
 			throws PermissionManagementException {
 		boolean status;
 		try {
-			Resource resource = PermissionUtils.getGovernanceRegistry().newCollection();
-			resource.addProperty(PERMISSION_PROPERTY_NAME, permission.getName());
-			PermissionUtils.getGovernanceRegistry().beginTransaction();
-			PermissionUtils.getGovernanceRegistry().put(ADMIN_PERMISSION_REGISTRY_PATH +
-			                                         permission.getPath(), resource);
-			PermissionUtils.getGovernanceRegistry().commitTransaction();
+			StringTokenizer tokenizer = new StringTokenizer(permission.getPath(), "/");
+			String lastToken = "", currentToken, tempPath;
+			while(tokenizer.hasMoreTokens()){
+				currentToken = tokenizer.nextToken();
+				tempPath = lastToken + "/" + currentToken;
+				if(!checkResourceExists(tempPath)){
+                    createRegistryCollection(tempPath, currentToken.substring(0));
+				}
+				lastToken = tempPath;
+			}
 			status = true;
 		} catch (RegistryException e) {
 			throw new PermissionManagementException(
@ -86,10 +91,21 @@ public class PermissionUtils {
 		return status;
 	}

-	public static boolean checkPermissionExistence(Permission permission)
+	public static void createRegistryCollection(String path, String resourceName)
+			throws PermissionManagementException,
+			       RegistryException {
+		Resource resource = PermissionUtils.getGovernanceRegistry().newCollection();
+		resource.addProperty(PERMISSION_PROPERTY_NAME, resourceName);
+		PermissionUtils.getGovernanceRegistry().beginTransaction();
+		PermissionUtils.getGovernanceRegistry().put(ADMIN_PERMISSION_REGISTRY_PATH +
+		                                            path, resource);
+		PermissionUtils.getGovernanceRegistry().commitTransaction();
+	}
+
+	public static boolean checkResourceExists(String path)
 			throws PermissionManagementException,
 			       org.wso2.carbon.registry.core.exceptions.RegistryException {
-		return PermissionUtils.getGovernanceRegistry().resourceExists(permission.getPath());
+		return PermissionUtils.getGovernanceRegistry().resourceExists(path);
 	}

 	public static Document convertToDocument(File file) throws PermissionManagementException {
--- a/components/identity-extensions/dynamic-client-registration/org.wso2.carbon.dynamic.client.web.app.registration/src/main/java/org/wso2/carbon/dynamic/client/web/app/registration/DynamicRegistrationManager.java
+++ b/components/identity-extensions/dynamic-client-registration/org.wso2.carbon.dynamic.client.web.app.registration/src/main/java/org/wso2/carbon/dynamic/client/web/app/registration/DynamicRegistrationManager.java
@ -123,8 +123,8 @@ public class DynamicRegistrationManager {
            //Check whether this is an already registered application
            if (!dynamicRegistrationManager.isRegisteredOAuthApplication(webAppName)) {
                //Construct the RegistrationProfile
-                registrationProfile = DynamicClientWebAppRegistrationUtil
-                        .constructRegistrationProfile(servletContext, webAppName);
+                registrationProfile = DynamicClientWebAppRegistrationUtil.
+                                           constructRegistrationProfile(servletContext, webAppName);
                //Register the OAuth application
                oAuthApp = dynamicRegistrationManager.registerOAuthApplication(
                        registrationProfile);
--- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/OAuthExtensionsUtils.java
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/OAuthExtensionsUtils.java
@ -1,63 +0,0 @@
-/*
- * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * you may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.wso2.carbon.device.mgt.oauth.extensions;
-
-import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
-import org.wso2.carbon.user.api.AuthorizationManager;
-import org.wso2.carbon.user.api.UserStoreException;
-import org.wso2.carbon.user.api.UserStoreManager;
-import org.wso2.carbon.user.core.service.RealmService;
-
-/**
- * Created by harshan on 10/2/15.
- */
-public class OAuthExtensionsUtils {
-
-    public static void getRolePermissions(String role){
-        RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
-        try {
-           int tenantId = realmService.getTenantManager().getTenantId("tenant-domain");
-           AuthorizationManager
-                   authorizationManager = realmService.getTenantUserRealm(tenantId).getAuthorizationManager();
-          // authorizationManager.is
-        } catch (UserStoreException e) {
-            e.printStackTrace();
-        }
-    }
-
-    public static void getUserPermissions(String userName){
-
-    }
-
-    public static String[] getUserRoles(String userName){
-        RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
-        try {
-            int tenantId = realmService.getTenantManager().getTenantId("tenant-domain");
-            UserStoreManager userStoreManager = realmService.getTenantUserRealm(tenantId).getUserStoreManager();
-            return userStoreManager.getRoleListOfUser(userName);
-        } catch (UserStoreException e) {
-            e.printStackTrace();
-        }
-        return new String[0];
-    }
-
-    public static void getScopePermissions(String scopeKey){
-
-    }
-}
--- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/DeviceMgtOAuthCallbackHandler.java
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/DeviceMgtOAuthCallbackHandler.java
@ -27,7 +27,8 @@ import javax.security.auth.callback.UnsupportedCallbackException;
 import java.io.IOException;

 /**
- * Created by harshan on 10/1/15.
+ * This class represents a Custom OAuthCallback Handler implementation. This should be implemented
+ * if there's any necessity of custom logic to authorize OAuthCallbacks.
 */
 public class DeviceMgtOAuthCallbackHandler  extends AbstractOAuthCallbackHandler {

@ -55,7 +56,7 @@ public class DeviceMgtOAuthCallbackHandler  extends AbstractOAuthCallbackHandler
                String[] scopes = oauthCallback.getRequestedScope();
                oauthCallback.setApprovedScope(scopes);
                oauthCallback.setValidScope(true);
-                //TODO Need to write the necessary logic to validate the scope
+                //Add the necessary logic if we are doing the scope validation upon token issue
            }
        }

--- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/internal/OAuthExtensionsDataHolder.java
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/internal/OAuthExtensionsDataHolder.java
@ -23,7 +23,7 @@ import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
 import org.wso2.carbon.user.core.service.RealmService;

 /**
- * Created by harshan on 10/2/15.
+ * This holds the OSGi service references required for oauth extensions bundle.
 */
 public class OAuthExtensionsDataHolder {

--- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/OAuth2TokenValidator.java
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/OAuth2TokenValidator.java
@ -1,37 +0,0 @@
-/*
- * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * you may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.wso2.carbon.device.mgt.oauth.extensions.validators;
-
-import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
-import org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator;
-import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
-
-/**
- * OAuth2 Token validator implementation which supports custom token validation logic specific
- * to MDM.
- */
-public class OAuth2TokenValidator extends DefaultOAuth2TokenValidator {
-
-    @Override
-    public boolean validateAccessToken(
-            OAuth2TokenValidationMessageContext validationReqDTO) throws IdentityOAuth2Exception {
-        //for now there's no specific logic to handle in token validation
-        return true;
-    }
-}
--- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ScopeValidator.java
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ScopeValidator.java
@ -28,12 +28,14 @@ import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataH
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
 import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
+import org.wso2.carbon.user.api.UserRealm;
 import org.wso2.carbon.user.api.UserStoreException;

 import java.util.Properties;

 /**
- * Custom OAuth2Token Scope validation implementation.
+ * Custom OAuth2Token Scope validation implementation for DeviceManagement. This will validate the
+ * user permissions before dispatching the HTTP request to the actual endpoint.
 */
 public class ScopeValidator extends OAuth2ScopeValidator {

@ -72,6 +74,11 @@ public class ScopeValidator extends OAuth2ScopeValidator {
            status = CarbonContext.getThreadLocalCarbonContext().getUserRealm().
                    getAuthorizationManager().isUserAuthorized(username, permission.getPath(),
                                                               ScopeValidator.PermissionMethod.READ);
+            UserRealm userRealm = CarbonContext.getThreadLocalCarbonContext().getUserRealm();
+            if(userRealm != null && userRealm.getAuthorizationManager() != null){
+                status = userRealm.getAuthorizationManager().isUserAuthorized(username, permission.getPath(),
+                                                                              ScopeValidator.PermissionMethod.READ);
+            }

        } catch (PermissionManagementException e) {
            log.error("Error occurred while validating the resource scope for : " + resource +
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java
@ -30,6 +30,7 @@ import org.wso2.carbon.identity.base.IdentityException;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
+import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
 import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException;
 import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
 import org.wso2.carbon.webapp.authenticator.framework.Constants;
@ -122,6 +123,8 @@ public class OAuthAuthenticator implements WebappAuthenticator {
                        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(
                                IdentityUtil.getTenantIdOFUser(username));
                        PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
+                        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
+                                MultitenantUtils.getTenantDomain(username));
                    } catch (IdentityException e) {
                        throw new AuthenticationException(
                                "Error occurred while retrieving the tenant ID of user '" +
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
@ -25,7 +25,7 @@ import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.context.CarbonContext;
 import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
-import org.wso2.carbon.device.mgt.core.permission.mgt.RegistryBasedPermissionManagerServiceImpl;
+import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.webapp.authenticator.framework.Constants;
 import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
@ -49,7 +49,8 @@ public class PermissionAuthorizer {
            return WebappAuthenticator.Status.CONTINUE;
        }

-        RegistryBasedPermissionManagerServiceImpl registryBasedPermissionManager = RegistryBasedPermissionManagerServiceImpl.getInstance();
+        PermissionManagerServiceImpl
+                registryBasedPermissionManager = PermissionManagerServiceImpl.getInstance();
        Properties properties = new Properties();
        properties.put("",requestUri);
        properties.put("",requestMethod);