From 938eda7c46215ef852c49a003f58e0beb88467b5 Mon Sep 17 00:00:00 2001 From: Rasika Perera Date: Tue, 3 May 2016 19:29:12 +0530 Subject: [PATCH] Adding group permissions checking --- .../DeviceAccessAuthorizationService.java | 61 +++++++++++++------ .../DeviceAccessAuthorizationServiceImpl.java | 44 ++++++++++--- 2 files changed, 78 insertions(+), 27 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java index e54901bc6c..610727edb0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java @@ -28,7 +28,6 @@ import java.util.List; * accessing the device information and performing MDM operations on devices. */ public interface DeviceAccessAuthorizationService { - /** * This method will check whether the currently logged-in user has the access to the device identified by the given * DeviceIdentifier. @@ -39,29 +38,55 @@ public interface DeviceAccessAuthorizationService { */ boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException; + /** + * This method will check whether the currently logged-in user has the access to the device identified by the given + * DeviceIdentifier. + * + * @param deviceIdentifier - DeviceIdentifier of the device to be checked. + * @param groupPermissions - Group Permissions. + * @return Boolean authorization result. + * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions) + throws DeviceAccessAuthorizationException; + /** * This method will check whether the currently logged-in user has the access to the devices identified by the given * DeviceIdentifier list. * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers) throws - DeviceAccessAuthorizationException; + DeviceAccessAuthorizationException; + + /** + * This method will check whether the currently logged-in user has the access to the devices identified by the given + * DeviceIdentifier list. + * + * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. + * @param groupPermissions - Group Permissions + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. + * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. + */ + DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String[] groupPermissions) + throws DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the device identified by the given * DeviceIdentifier. * * @param deviceIdentifier - DeviceIdentifier of the device to be checked. - * @param username - Username of the user to be checked for authorization. - * @param permission - Permission + * @param username - Username of the user to be checked for authorization. + * @param groupPermissions - Group Permissions * @return Boolean authorization result. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ - boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException; + boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions) + throws DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the devices identified by the given @@ -69,20 +94,21 @@ public interface DeviceAccessAuthorizationService { * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. * @param username - User name - * @param permission - Permission - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @param groupPermissions - Group Permissions + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ - DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, String permission) throws - DeviceAccessAuthorizationException; + DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, + String[] groupPermissions) throws + DeviceAccessAuthorizationException; /** * This method will check whether the given user has the access to the device identified by the given * DeviceIdentifier. * * @param deviceIdentifier - DeviceIdentifier of the device to be checked. - * @param username - Username of the user to be checked for authorization. + * @param username - Username of the user to be checked for authorization. * @return Boolean authorization result. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ @@ -94,12 +120,11 @@ public interface DeviceAccessAuthorizationService { * DeviceIdentifier list. * * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. - * @param username - Username of the user to be checked for authorization. - * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & - * unauthorized devices. + * @param username - Username of the user to be checked for authorization. + * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized + * devices. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. */ DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username) throws - DeviceAccessAuthorizationException; - + DeviceAccessAuthorizationException; } \ No newline at end of file diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index cb0dc03ccf..3e0dbceb75 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java @@ -72,7 +72,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } @Override - public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) + public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions) throws DeviceAccessAuthorizationException { int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { @@ -84,10 +84,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } //check for group permissions try { - if (permission == null || permission.isEmpty()) { + if (groupPermissions == null || groupPermissions.length == 0) { return false; } - return checkGroupsPermission(username, tenantId, permission); + for (String groupPermission : groupPermissions) { + if (!checkGroupsPermission(username, tenantId, groupPermission)) { + //if at least one fails, authorization fails + return false; + } + } + return true; } catch (GroupManagementException | UserStoreException e) { throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + deviceIdentifier.getId() + " for the user : " + @@ -101,6 +107,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return isUserAuthorized(deviceIdentifier, username, null); } + @Override + public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions) + throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions); + } + @Override public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { return isUserAuthorized(deviceIdentifier, this.getUserName(), null); @@ -108,7 +120,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori @Override public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String username, - String permission) + String[] groupPermissions) throws DeviceAccessAuthorizationException { int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { @@ -121,11 +133,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); } else { try { - if (permission == null || permission.isEmpty()) { + if (groupPermissions == null || groupPermissions.length == 0) { return null; } //check for group permissions - if (checkGroupsPermission(username, tenantId, permission)) { + boolean isAuthorized = true; + for (String groupPermission : groupPermissions) { + if (!checkGroupsPermission(username, tenantId, groupPermission)) { + //if at least one failed, authorizations fails and break the loop + isAuthorized = false; + break; + } + } + if (isAuthorized) { deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); } else { deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); @@ -152,6 +172,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori return isUserAuthorized(deviceIdentifiers, this.getUserName(), null); } + @Override + public DeviceAuthorizationResult isUserAuthorized(List deviceIdentifiers, String[] groupPermissions) + throws DeviceAccessAuthorizationException { + return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions); + } + private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { try { @@ -165,11 +191,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori } } - private boolean checkGroupsPermission(String username, int tenantId, String permission) + private boolean checkGroupsPermission(String username, int tenantId, String groupPermission) throws GroupManagementException, UserStoreException { List groups = DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username, - permission); + groupPermission); UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); if (userRealm != null && userRealm.getAuthorizationManager() != null) { Iterator groupIterator = groups.iterator(); @@ -179,7 +205,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori while (rolesIterator.hasNext()) { String role = rolesIterator.next(); if (userRealm.getAuthorizationManager().isRoleAuthorized( - "Internal/group-" + deviceGroup.getId() + "-" + role, permission, + "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) { return true; }