Merge branch 'kernel-4.6.2' into 'kernel-4.6.x'

fixed tenant enrol issue See merge request entgra/carbon-device-mgt!794
3 years ago · e349e9f029
parent ff747fa797 7dc5d7f45d
commit e349e9f029
4 changed files with 53 additions and 5 deletions
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java
@ -122,7 +122,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
            synchronized (ApiApplicationRegistrationServiceImpl.class) {
                ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys(
                        applicationName, registrationProfile.getTags(),
-                        ApiApplicationConstants.DEFAULT_TOKEN_TYPE, username,
+                        ApiApplicationConstants.DEFAULT_TOKEN_TYPE, registrationProfile.getUsername(),
                        registrationProfile.isAllowedToAllDomains(), validityPeriod);
                return Response.status(Response.Status.CREATED).entity(apiApplicationKey.toString()).build();
            }
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml
@ -37,7 +37,7 @@
    </servlet-mapping>
    <context-param>
        <param-name>doAuthentication</param-name>
-        <param-value>false</param-value>
+        <param-value>true</param-value>
    </context-param>
 	<!--This is to support basic auth.-->
 	<context-param>
@ -54,6 +54,10 @@
        <param-name>managed-api-owner</param-name>
        <param-value>admin</param-value>
    </context-param>
+    <context-param>
+        <param-name>resource-permission-validate</param-name>
+        <param-value>false</param-value>
+    </context-param>

    <filter>
        <filter-name>ApiPermissionFilter</filter-name>
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractGroupDAOImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractGroupDAOImpl.java
@ -1115,7 +1115,7 @@ public abstract class AbstractGroupDAOImpl implements GroupDAO {
                    + "FROM DM_DEVICE d, "
                    + "(SELECT dgm.DEVICE_ID "
                    + "FROM DM_DEVICE_GROUP_MAP dgm "
-                    + "WHERE dgm.GROUP_ID = (SELECT ID FROM DM_GROUP WHERE GROUP_NAME = ? )) dgm1 "
+                    + "WHERE dgm.GROUP_ID = (SELECT ID FROM DM_GROUP WHERE GROUP_NAME = ? AND TENANT_ID = ?)) dgm1 "
                    + "WHERE d.ID = dgm1.DEVICE_ID AND d.TENANT_ID = ?) gd, DM_DEVICE_TYPE t "
                    + "WHERE gd.DEVICE_TYPE_ID = t.ID) d1 "
                    + "WHERE d1.DEVICE_ID = e.DEVICE_ID AND TENANT_ID = ? AND e.STATUS IN (",
@ -1129,6 +1129,7 @@ public abstract class AbstractGroupDAOImpl implements GroupDAO {
                stmt.setString(index++, groupName);
                stmt.setInt(index++, tenantId);
                stmt.setInt(index++, tenantId);
+                stmt.setInt(index++, tenantId);
                for (String deviceId : deviceStatuses) {
                    stmt.setObject(index++, deviceId);
                }
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
@ -18,6 +18,7 @@
 */
 package org.wso2.carbon.webapp.authenticator.framework;

+import com.google.gson.Gson;
 import org.apache.catalina.Context;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
@ -48,6 +49,9 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {

    private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class);
    private static final TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>();
+    private static final String PERMISSION_PREFIX = "/permission/admin";
+    public static final String AUTHORIZE_PERMISSION = "Authorize-Permission";
+
    private static InetAddress inetAddress = null;

    @Override
@ -78,7 +82,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
            }
        }

-        if ((this.isContextSkipped(request) ||  this.skipAuthentication(request))) {
+        if ((this.isContextSkipped(request) ||  this.skipAuthentication(request))
+                && (StringUtils.isEmpty(request.getHeader(AUTHORIZE_PERMISSION)))) {
                this.getNext().invoke(request, response, compositeValve);
            return;
        }
@ -99,6 +104,39 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
        // This section will allow to validate a given access token is authenticated to access given
        // resource(permission)
        if (request.getCoyoteRequest() != null
+                && StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION))
+                && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
+                authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
+            boolean isAllowed;
+            try {
+                isAllowed = AuthenticationFrameworkUtil.isUserAuthorized(
+                        authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
+                        authenticationInfo.getUsername(),
+                        PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION));
+            } catch (AuthenticationException e) {
+                String msg = "Could not authorize permission";
+                log.error(msg);
+                AuthenticationFrameworkUtil.handleResponse(request, response,
+                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
+                return;
+            }
+
+            if (isAllowed) {
+                Gson gson = new Gson();
+                AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK,
+                        gson.toJson(authenticationInfo));
+                return;
+            } else {
+                log.error("Unauthorized message from user " + authenticationInfo.getUsername());
+                AuthenticationFrameworkUtil.handleResponse(request, response,
+                        HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API");
+                return;
+            }
+        }
+
+        // This section will allow to validate a given access token is authenticated to access permission defined per API
+        if (request.getCoyoteRequest() != null
+                && isResourcePermissionValidate(request)
                && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
                authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
            boolean isAllowed;
@ -178,6 +216,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
        return (param != null && Boolean.parseBoolean(param));
    }

+    private boolean isResourcePermissionValidate(Request request) {
+        String param = request.getContext().findParameter("resource-permission-validate");
+        return (param == null) ||  Boolean.parseBoolean(param);
+    }
+
    private boolean isContextSkipped(Request request) {
        Context context = request.getContext();
        String ctx = context == null ? null :context.getPath();