From 510a90a59f5efbf3618d83a69d1b25c174462b92 Mon Sep 17 00:00:00 2001
From: Amalka Subasinghe
Date: Fri, 9 Jul 2021 14:46:28 +0530
Subject: [PATCH] bug fixing authorize flow
---
 .../cache/APIResourcePermissionCacheKey.java | 64 --------------
 ...APIResourcePermissionCacheManagerImpl.java | 84 -------------------
 .../core/internal/UserRoleCreateObserver.java | 42 ++++++++--
 .../mgt/APIResourcePermissions.java} | 23 +++--
 .../mgt/PermissionManagerServiceImpl.java | 14 +---
 .../mgt/core/util/DeviceManagerUtil.java | 16 ----
 .../framework/WebappAuthenticationValve.java | 4 +-
 .../authorizer/PermissionAuthorizer.java | 4 +
 8 files changed, 60 insertions(+), 191 deletions(-)
 delete mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java
 delete mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java
 rename components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/{cache/APIResourcePermissionCacheManager.java => permission/mgt/APIResourcePermissions.java} (50%)
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java
deleted file mode 100644
index 2db061a6d01..00000000000
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java
+++ /dev/null
@@ -1,64 +0,0 @@ -/* - * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.wso2.carbon.device.mgt.core.cache; - -import java.util.Objects; - -public class APIResourcePermissionCacheKey { - - private String context; - private volatile int hashCode; - - public APIResourcePermissionCacheKey(String context) { - this.context = context; - } - - - public String getContext() { - return context; - } - - public void setContext(String context) { - this.context = context; - } - - @Override - public boolean equals(Object obj) { - if (obj == null) { - return false; - } - if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) { - return false; - } - final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj; - String thisId = this.context; - String otherId = other.context; - if (!thisId.equals(otherId)) { - return false; - } - return true; - } - - @Override - public int hashCode() { - if (hashCode == 0) { - hashCode = Objects.hash(context); - } - return hashCode; - } -} 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java
deleted file mode 100644
index 3b08a8d8b2a..00000000000
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java
+++ /dev/null
@@ -1,84 +0,0 @@ -/* - * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.wso2.carbon.device.mgt.core.cache.impl; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; -import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey; -import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager; -import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil; - -import javax.cache.Cache; -import java.util.List; - -public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager { - - - private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class); - - private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager; - - private APIResourcePermissionCacheManagerImpl() { - } - - public static APIResourcePermissionCacheManagerImpl getInstance() { - if (apiResourceCacgeManager == null) { - synchronized (APIResourcePermissionCacheManagerImpl.class) { - if (apiResourceCacgeManager == null) { - apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl(); - } - } - } - return apiResourceCacgeManager; - } - - - @Override - public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List permissions) { - 
Cache> lCache = DeviceManagerUtil.getAPIResourcePermissionCache(); - if (lCache != null) { - if (lCache.containsKey(cacheKey)) { - this.updateAPIResourcePermissionInCache(cacheKey, permissions); - } else { - lCache.put(cacheKey, permissions); - } - } - } - - @Override - public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List permissions) { - - Cache> lCache = DeviceManagerUtil.getAPIResourcePermissionCache(); - if (lCache != null) { - if (lCache.containsKey(cacheKey)) { - lCache.replace(cacheKey, permissions); - } - } - - } - - @Override - public List getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) { - Cache> lCache = DeviceManagerUtil.getAPIResourcePermissionCache(); - if (lCache != null) { - return lCache.get(cacheKey); - } - return null; - } -} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java index ce168665241..5fb9509629e 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/UserRoleCreateObserver.java @@ -21,6 +21,8 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.core.ServerStartupObserver; import org.wso2.carbon.device.mgt.core.DeviceManagementConstants; +import org.wso2.carbon.user.api.AuthorizationManager; +import org.wso2.carbon.user.api.Permission; import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreManager; import org.wso2.carbon.utils.multitenancy.MultitenantConstants; 
@@ -35,20 +37,42 @@ public class UserRoleCreateObserver implements ServerStartupObserver { @Override public void completedServerStartup() { String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME; - String tenantAdminName = "admin"; try { UserStoreManager userStoreManager = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm( MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager(); - userStoreManager.addRole( - DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN, - new String[]{tenantAdminName}, - DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN); - userStoreManager.addRole( - DeviceManagementConstants.User.DEFAULT_DEVICE_USER, - new String[]{tenantAdminName}, - DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER); + String tenantAdminName = + DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm( + MultitenantConstants.SUPER_TENANT_ID).getRealmConfiguration().getAdminUserName(); + AuthorizationManager authorizationManager = DeviceManagementDataHolder.getInstance().getRealmService() + .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getAuthorizationManager(); + + if (!userStoreManager.isExistingRole(DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN)) { + userStoreManager.addRole( + DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN, + null, + DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN); + } else { + for (Permission permission : DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_ADMIN) { + authorizationManager.authorizeRole(DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN, + permission.getResourceId(), permission.getAction()); + } + } + if (!userStoreManager.isExistingRole(DeviceManagementConstants.User.DEFAULT_DEVICE_USER)) { + userStoreManager.addRole( + DeviceManagementConstants.User.DEFAULT_DEVICE_USER, + null, + DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER); + } else { + for (Permission permission : 
DeviceManagementConstants.User.PERMISSIONS_FOR_DEVICE_USER) { + authorizationManager.authorizeRole(DeviceManagementConstants.User.DEFAULT_DEVICE_USER, + permission.getResourceId(), permission.getAction()); + } + } + userStoreManager.updateRoleListOfUser(tenantAdminName, null, + new String[] {DeviceManagementConstants.User.DEFAULT_DEVICE_ADMIN, + DeviceManagementConstants.User.DEFAULT_DEVICE_USER}); if (log.isDebugEnabled()) { log.debug("Device management roles: " + DeviceManagementConstants.User.DEFAULT_DEVICE_USER + ", " + diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/APIResourcePermissions.java similarity index 50% rename from components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java rename to components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/APIResourcePermissions.java index 4dac439cc4b..703d9f6eda8 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/APIResourcePermissions.java @@ -4,9 +4,9 @@ * WSO2 Inc. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except * in compliance with the License. - * You may obtain a copy of the License at + * you may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an 
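Review bot: In both `else` branches `authorizeRole` is re-applied for every entry of `PERMISSIONS_FOR_DEVICE_ADMIN` / `PERMISSIONS_FOR_DEVICE_USER` on every server start, so a permission an operator has deliberately removed from either built-in role is silently restored at the next restart; if that is intended, state it at the branch, e.g. `// Re-grant the built-in permission set on every start so the role always carries the current defaults`, and consider a debug log naming the role that was re-authorized. The same tenant realm is fetched three times via `getRealmService().getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID)`; holding it once in a local and reading `getUserStoreManager()`, `getRealmConfiguration()` and `getAuthorizationManager()` from that would shorten the block. `updateRoleListOfUser(tenantAdminName, null, …)` also runs unconditionally, and the hunk does not show whether the user store tolerates re-adding a membership the admin already holds, so filtering the array against `getRoleListOfUser(tenantAdminName)` may be needed — confirm against the user-store implementation. The enclosing try/catch and the rest of `completedServerStartup` continue outside the hunk.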
@@ -15,17 +15,26 @@ * specific language governing permissions and limitations * under the License. */ -package org.wso2.carbon.device.mgt.core.cache; +package org.wso2.carbon.device.mgt.core.permission.mgt; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; +import java.util.HashMap; import java.util.List; +import java.util.Map; -public interface APIResourcePermissionCacheManager { +public class APIResourcePermissions { + private Map> apiResourcePermissions; - void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List permissions); + public APIResourcePermissions() { + apiResourcePermissions = new HashMap<>(); + } - void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List permissions); + public void addPermissionList(String context, List permissions){ + apiResourcePermissions.put(context, permissions); + } - List getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey); + public List getPermissions(String context) { + return apiResourcePermissions.get(context); + } } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java index c2591a1df66..8a222ea3f1b 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java 
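Review bot: `APIResourcePermissions` is backed by a plain `HashMap` that `PermissionManagerServiceImpl` writes through `addPermissionList` on the registration path and reads through `getPermission` on the request path, so unless every caller is confined to one thread this is an unsynchronized shared map; `apiResourcePermissions = new ConcurrentHashMap<>();` with `import java.util.concurrent.ConcurrentHashMap;` keeps the same interface without that risk. `addPermissionList` also stores the caller's list instance rather than a copy, and `getPermissions` returns null for a context that was never registered, which the authorizer side must handle. A short class Javadoc stating that the map lives in this JVM only, that a later `addPermissionList` for the same context replaces the earlier list, and that an unknown context yields null would make those contracts explicit. If this map replaces a cluster-aware cache, each node now depends on its own registration to populate it — worth confirming for clustered deployments.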
@@ -18,16 +18,11 @@ package org.wso2.carbon.device.mgt.core.permission.mgt; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService; -import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey; -import org.wso2.carbon.device.mgt.core.cache.impl.APIResourcePermissionCacheManagerImpl; import java.util.List; -import java.util.Properties; /** * This class will add, update custom permissions defined in permission.xml in webapps and it will @@ -36,7 +31,7 @@ import java.util.Properties; public class PermissionManagerServiceImpl implements PermissionManagerService { private static PermissionManagerServiceImpl registryBasedPermissionManager; - + private static APIResourcePermissions apiResourcePermissions; private PermissionManagerServiceImpl() { } @@ -45,6 +40,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerService { synchronized (PermissionManagerServiceImpl.class) { if (registryBasedPermissionManager == null) { registryBasedPermissionManager = new PermissionManagerServiceImpl(); + apiResourcePermissions = new APIResourcePermissions(); } } } @@ -57,8 +53,7 @@ public class PermissionManagerServiceImpl implements PermissionManagerService { for (Permission permission : permissions) { PermissionUtils.putPermission(permission); } - APIResourcePermissionCacheManagerImpl.getInstance().addAPIResourcePermissionToCache( - new APIResourcePermissionCacheKey(context), permissions); + apiResourcePermissions.addPermissionList(context, permissions); } catch (PermissionManagementException e) { return false; } 
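Review bot: `apiResourcePermissions` is a non-volatile static that is assigned inside the double-checked block only after `registryBasedPermissionManager` has already been published; a thread that passes the unsynchronized null check on `registryBasedPermissionManager` has no happens-before edge to that second write and can observe `apiResourcePermissions` as null, so `getPermission` or `addPermissionList` can throw NullPointerException during startup. Initialising it eagerly where it is declared (the field hunk of this file) closes the window: `private static final APIResourcePermissions apiResourcePermissions = new APIResourcePermissions();` and drop the assignment added in `getInstance()`. Since the holder is a singleton anyway, an instance field set in the private constructor would read more naturally than a second static.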
@@ -67,7 +62,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerService { @Override public List getPermission(String context) throws PermissionManagementException { - return APIResourcePermissionCacheManagerImpl.getInstance().getAPIResourceRermissionFromCache( - new APIResourcePermissionCacheKey(context)); + return apiResourcePermissions.getPermissions(context); } } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java index f83e19c62f5..d13a0bebe0b 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java @@ -76,7 +76,6 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManagementExcept import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition; import org.wso2.carbon.device.mgt.core.DeviceManagementConstants; -import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey; import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey; import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey; import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager; 
@@ -724,21 +723,6 @@ public final class DeviceManagerUtil { return deviceCache; } - public static Cache> getAPIResourcePermissionCache() { - CacheManager manager = getCacheManager(); - Cache> apiResourcePermissionCache = null; - if(!isAPIResourcePermissionCacheInitialized) { - initializeAPIResourcePermissionCache(); - } - if (manager != null) { - apiResourcePermissionCache = manager.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE); - } else { - apiResourcePermissionCache = Caching.getCacheManager(DeviceManagementConstants.DM_CACHE_MANAGER) - .getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE); - } - return apiResourcePermissionCache; - } - /** * Get geofence cache object * @return {@link Cache} diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java index 6547c48f354..9e73d08ffb3 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java @@ -21,6 +21,7 @@ package org.wso2.carbon.webapp.authenticator.framework; import org.apache.catalina.Context; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.owasp.encoder.Encode; 
@@ -194,7 +195,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { ctx = tokenizer.nextToken(); } } - return ("carbon".equalsIgnoreCase(ctx) || "services".equalsIgnoreCase(ctx)); + return ("carbon".equalsIgnoreCase(ctx) || "services".equalsIgnoreCase(ctx) + || "oauth2".equalsIgnoreCase(ctx)); } private boolean isNonSecuredEndPoint(Request request) { diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java index dd3e8ccefff..eb09e815df2 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java @@ -46,6 +46,10 @@ public class PermissionAuthorizer { return WebappAuthenticator.Status.CONTINUE; } + if (requestUri.endsWith("/")) { + requestUri = requestUri.substring(0, requestUri.length() - 1); + } + PermissionManagerService registryBasedPermissionManager = PermissionManagerServiceImpl.getInstance(); List matchingPermissions = null;
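Review bot: Adding `"oauth2"` widens the set of context roots for which this check returns true, and from the surrounding code that looks like the list of webapps this valve lets through without running its own authentication; nothing in the hunk records why `/oauth2` is safe to exempt (presumably because that webapp enforces its own client and user authentication) or that the match is on the first path segment only, so every resource deployed under `/oauth2/...` inherits the exemption. Please add that rationale at the return, e.g. `// oauth2 webapp authenticates its callers itself; matched on the first path segment, so everything under /oauth2 bypasses this valve`, so the next person extending the list knows the bar. The enclosing method's signature is outside the hunk, and the `StringUtils` import added in this file's earlier hunk is not used by any line shown here — if it is unused elsewhere in the file, drop it.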