scope-role-permission refactoring and webapp authorization

kernel-4.6.x
Amalka Subasinghe 4 years ago
parent 438814eedd
commit 94dd33ffa5

@ -20,4 +20,6 @@ public @interface Scope {
String[] permissions(); String[] permissions();
String[] roles();
} }
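Review bot: The new `roles()` element carries no Javadoc, so a reader cannot tell whether these are Carbon user-store role names or how they relate to `permissions()` now that the annotation has both. Because the element has no default value, every existing `@Scope` usage must be updated at the same time (this commit does so for the listed webapps), which is worth stating on the element. Suggested Javadoc above `roles()`: `/** Roles allowed to obtain this scope, e.g. {@code "Internal/everyone"} or {@code "admin"}; the publisher presumably registers the scope as a shared scope with these role bindings. */`. The enclosing `@interface Scope` starts before this hunk.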

@ -37,7 +37,7 @@
</servlet-mapping> </servlet-mapping>
<context-param> <context-param>
<param-name>doAuthentication</param-name> <param-name>doAuthentication</param-name>
<param-value>true</param-value> <param-value>false</param-value>
</context-param> </context-param>
<!--This is to support basic auth.--> <!--This is to support basic auth.-->
<context-param> <context-param>
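Review bot: Flipping `doAuthentication` to `false` turns off the webapp-level authentication that this context-param controls, and nothing in the hunk records what now enforces authentication for the servlet (the commit title suggests scope/role checks at the API layer, but that is not visible here). The `<!--This is to support basic auth.-->` comment directly below makes the combination easy to misread as "basic auth still applies". A comment on the parameter, e.g. `<!-- Webapp authenticator disabled: authentication and scope/role checks are expected at the API gateway. -->`, would make the change auditable, and it is worth confirming the webapp is only reachable through that gateway.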

@ -18,6 +18,8 @@
*/ */
package org.wso2.carbon.apimgt.webapp.publisher; package org.wso2.carbon.apimgt.webapp.publisher;
import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiScope;
import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiUriTemplate;
import org.wso2.carbon.apimgt.api.APIManagementException; import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.api.APIProvider; import org.wso2.carbon.apimgt.api.APIProvider;
import org.wso2.carbon.apimgt.api.FaultGatewaysException; import org.wso2.carbon.apimgt.api.FaultGatewaysException;
@ -32,7 +34,6 @@ import org.wso2.carbon.apimgt.api.model.URITemplate;
import org.wso2.carbon.apimgt.impl.APIConstants; import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.apimgt.impl.APIManagerFactory; import org.wso2.carbon.apimgt.impl.APIManagerFactory;
import org.wso2.carbon.apimgt.webapp.publisher.config.WebappPublisherConfig; import org.wso2.carbon.apimgt.webapp.publisher.config.WebappPublisherConfig;
import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiUriTemplate;
import org.wso2.carbon.apimgt.webapp.publisher.exception.APIManagerPublisherException; import org.wso2.carbon.apimgt.webapp.publisher.exception.APIManagerPublisherException;
import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils; import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
@ -61,11 +62,26 @@ public class APIPublisherServiceImpl implements APIPublisherService {
PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true); PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(apiConfig.getOwner()); PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(apiConfig.getOwner());
int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
try { try {
APIProvider apiProvider = API_MANAGER_FACTORY.getAPIProvider(apiConfig.getOwner()); APIProvider apiProvider = API_MANAGER_FACTORY.getAPIProvider(apiConfig.getOwner());
API api = getAPI(apiConfig); APIIdentifier apiIdentifier = new APIIdentifier(apiConfig.getOwner(), apiConfig.getName(), apiConfig.getVersion());
if (!apiProvider.isAPIAvailable(apiIdentifier)) {
if (!apiProvider.isAPIAvailable(api.getId())) { // add new scopes as shared scopes
Set<String> allSharedScopeKeys = apiProvider.getAllSharedScopeKeys(tenantDomain);
for (ApiScope apiScope : apiConfig.getScopes()) {
if (!allSharedScopeKeys.contains(apiScope.getKey())) {
Scope scope = new Scope();
scope.setName(apiScope.getName());
scope.setDescription(apiScope.getDescription());
scope.setKey(apiScope.getKey());
scope.setRoles(apiScope.getRoles());
apiProvider.addSharedScope(scope, tenantDomain);
}
}
API api = getAPI(apiConfig, true);
API createdAPI = apiProvider.addAPI(api); API createdAPI = apiProvider.addAPI(api);
if (CREATED_STATUS.equals(createdAPI.getStatus())) { if (CREATED_STATUS.equals(createdAPI.getStatus())) {
apiProvider.changeLifeCycleStatus(tenantDomain, createdAPI.getUuid(), PUBLISH_ACTION, null); apiProvider.changeLifeCycleStatus(tenantDomain, createdAPI.getUuid(), PUBLISH_ACTION, null);
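Review bot: The five-line conversion of an `ApiScope` into a `Scope` (`new Scope()` followed by `setName`/`setDescription`/`setKey`/`setRoles`) added here is repeated verbatim three more times in the update hunk of this file; a private helper keeps the mapping in one place and makes a later field addition (such as the new `permissions` on `ApiScope`) a one-line change. The loop also dereferences `apiConfig.getScopes()` directly; if the config can return null for a webapp with no scopes, that is an NPE — confirm against the DTO. The enclosing method starts before this hunk.
```java
// … unchanged: tenant flow setup, apiProvider lookup, isAPIAvailable check …
for (ApiScope apiScope : apiConfig.getScopes()) {
    if (!allSharedScopeKeys.contains(apiScope.getKey())) {
        apiProvider.addSharedScope(toSharedScope(apiScope), tenantDomain);
    }
}
// … unchanged: getAPI(apiConfig, true), addAPI, lifecycle and revision handling …

/** Builds the API-manager {@link Scope} for an annotated {@link ApiScope}; roles are copied as given. */
private static Scope toSharedScope(ApiScope apiScope) {
    Scope scope = new Scope();
    scope.setName(apiScope.getName());
    scope.setDescription(apiScope.getDescription());
    scope.setKey(apiScope.getKey());
    scope.setRoles(apiScope.getRoles());
    return scope;
}
```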
@ -73,6 +89,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
apiRevision.setApiUUID(createdAPI.getUuid()); apiRevision.setApiUUID(createdAPI.getUuid());
apiRevision.setDescription("Initial Revision"); apiRevision.setDescription("Initial Revision");
String apiRevisionId = apiProvider.addAPIRevision(apiRevision, tenantDomain); String apiRevisionId = apiProvider.addAPIRevision(apiRevision, tenantDomain);
APIRevisionDeployment apiRevisionDeployment = new APIRevisionDeployment(); APIRevisionDeployment apiRevisionDeployment = new APIRevisionDeployment();
apiRevisionDeployment.setDeployment(API_PUBLISH_ENVIRONMENT); apiRevisionDeployment.setDeployment(API_PUBLISH_ENVIRONMENT);
apiRevisionDeployment.setVhost("localhost"); apiRevisionDeployment.setVhost("localhost");
@ -85,14 +102,83 @@ public class APIPublisherServiceImpl implements APIPublisherService {
} }
} else { } else {
if (WebappPublisherConfig.getInstance().isEnabledUpdateApi()) { if (WebappPublisherConfig.getInstance().isEnabledUpdateApi()) {
API existingAPI = apiProvider.getAPI(api.getId());
// With 4.x to 5.x upgrade
// - there cannot be same local scope assigned in 2 different APIs
// - local scopes will be deprecated in the future, so need to move all scopes as shared scopes
// if an api scope is not available as shared scope, but already assigned as local scope -> that means, the scopes available for this API has not moved as shared scopes
// in order to do that :
// 1. update the same API removing scopes from URI templates
// 2. add scopes as shared scopes
// 3. update the API again adding scopes for the URI Templates
// if an api scope is not available as shared scope, and not assigned as local scope -> that means, there are new scopes
// 1. add new scopes as shared scopes
// 2. update the API adding scopes for the URI Templates
Set<String> allSharedScopeKeys = apiProvider.getAllSharedScopeKeys(tenantDomain);
Set<ApiScope> scopesToMoveAsSharedScopes = new HashSet<>();
for (ApiScope apiScope : apiConfig.getScopes()) {
// if the scope is not available as shared scope and it is assigned to an API as a local scope
// need remove the local scope and add as a shared scope
if (!allSharedScopeKeys.contains(apiScope.getKey())) {
if (apiProvider.isScopeKeyAssignedLocally(apiIdentifier, apiScope.getKey(), tenantId)) {
// collect scope to move as shared scopes
scopesToMoveAsSharedScopes.add(apiScope);
} else {
// if new scope add as shared scope
Scope scope = new Scope();
scope.setName(apiScope.getName());
scope.setDescription(apiScope.getDescription());
scope.setKey(apiScope.getKey());
scope.setRoles(apiScope.getRoles());
apiProvider.addSharedScope(scope, tenantDomain);
}
} else {
// if already available as shared scope -> update
Scope scope = new Scope();
scope.setName(apiScope.getName());
scope.setDescription(apiScope.getDescription());
scope.setKey(apiScope.getKey());
scope.setRoles(apiScope.getRoles());
apiProvider.updateSharedScope(scope, tenantDomain);
}
}
// Get existing API
API existingAPI = apiProvider.getAPI(apiIdentifier);
if (scopesToMoveAsSharedScopes.size() > 0) {
// update API to remove local scopes
API api = getAPI(apiConfig, false);
api.setStatus(existingAPI.getStatus());
apiProvider.updateAPI(api);
for (ApiScope apiScope : scopesToMoveAsSharedScopes) {
Scope scope = new Scope();
scope.setName(apiScope.getName());
scope.setDescription(apiScope.getDescription());
scope.setKey(apiScope.getKey());
scope.setRoles(apiScope.getRoles());
apiProvider.addSharedScope(scope, tenantDomain);
}
}
existingAPI = apiProvider.getAPI(apiIdentifier);
API api = getAPI(apiConfig, true);
api.setStatus(existingAPI.getStatus()); api.setStatus(existingAPI.getStatus());
apiProvider.updateAPI(api); apiProvider.updateAPI(api);
if (api.getId().getName().equals(existingAPI.getId().getName()) &&
api.getId().getVersion().equals(existingAPI.getId().getVersion())) { if (CREATED_STATUS.equals(existingAPI.getStatus())) {
if (CREATED_STATUS.equals(existingAPI.getStatus())) { apiProvider.changeLifeCycleStatus(tenantDomain, existingAPI.getUuid(), PUBLISH_ACTION, null);
apiProvider.changeLifeCycleStatus(tenantDomain, existingAPI.getUuid(), PUBLISH_ACTION, null); APIRevision apiRevision = new APIRevision();
} apiRevision.setApiUUID(existingAPI.getUuid());
apiRevision.setDescription("Updated Revision");
String apiRevisionId = apiProvider.addAPIRevision(apiRevision, tenantDomain);
List<APIRevisionDeployment> apiRevisionDeploymentList = apiProvider.getAPIRevisionDeploymentList(apiRevisionId);
apiProvider.deployAPIRevision(existingAPI.getUuid(), apiRevisionId, apiRevisionDeploymentList);
} }
} }
} }
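Review bot: Between the first `apiProvider.updateAPI(api)` (built with `getAPI(apiConfig, false)`, i.e. URI templates without scopes) and the second one, the API definition is deployed with unscoped resources; if `addSharedScope`, the second `getAPI` or the second `updateAPI` throws, the catch below the hunk presumably leaves it in that state, and if unscoped resources need only a valid token — the usual API-manager behaviour, to be confirmed — that is weaker protection than before the update, so the second update should be retried or at least a clear warning logged when it does not complete. Separately, `updateSharedScope` is called for every scope key that already exists as a shared scope, so whichever webapp deploys last rewrites the tenant-wide role binding for that key and any role mapping an administrator changed is reverted on every restart; consider comparing the existing roles first, or documenting that the annotations are the source of truth. `scopesToMoveAsSharedScopes.size() > 0` reads better as `!scopesToMoveAsSharedScopes.isEmpty()`. The enclosing method and its catch block continue outside the hunk.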
@ -105,7 +191,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
} }
} }
private API getAPI(APIConfig config) { private API getAPI(APIConfig config, boolean includeScopes) {
APIIdentifier apiIdentifier = new APIIdentifier(config.getOwner(), config.getName(), config.getVersion()); APIIdentifier apiIdentifier = new APIIdentifier(config.getOwner(), config.getName(), config.getVersion());
API api = new API(apiIdentifier); API api = new API(apiIdentifier);
@ -129,13 +215,15 @@ public class APIPublisherServiceImpl implements APIPublisherService {
uriTemplate.setHTTPVerb(apiUriTemplate.getHttpVerb()); uriTemplate.setHTTPVerb(apiUriTemplate.getHttpVerb());
uriTemplate.setResourceURI(apiUriTemplate.getResourceURI()); uriTemplate.setResourceURI(apiUriTemplate.getResourceURI());
uriTemplate.setUriTemplate(apiUriTemplate.getUriTemplate()); uriTemplate.setUriTemplate(apiUriTemplate.getUriTemplate());
Scope scope = new Scope(); if (includeScopes) {
if (apiUriTemplate.getScope() != null) { Scope scope = new Scope();
scope.setName(apiUriTemplate.getScope().getName()); if (apiUriTemplate.getScope() != null) {
scope.setDescription(apiUriTemplate.getScope().getDescription()); scope.setName(apiUriTemplate.getScope().getName());
scope.setKey(apiUriTemplate.getScope().getKey()); scope.setDescription(apiUriTemplate.getScope().getDescription());
scope.setRoles(apiUriTemplate.getScope().getRoles()); scope.setKey(apiUriTemplate.getScope().getKey());
uriTemplate.setScope(scope); scope.setRoles(apiUriTemplate.getScope().getRoles());
uriTemplate.setScopes(scope);
}
} }
uriTemplates.add(uriTemplate); uriTemplates.add(uriTemplate);
} }
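Review bot: `getAPI(APIConfig, boolean)` gains an `includeScopes` flag without documentation, and the `false` case yields an API whose URI templates carry no scope at all, which the caller uses only as a transitional step while moving local scopes to shared scopes. A Javadoc tag above the method, e.g. `@param includeScopes when false the URI templates are built without scopes; intended only for the intermediate update that releases local scopes before they are re-added as shared scopes`, would keep a future caller from publishing an unscoped API by accident. The switch from `uriTemplate.setScope(scope)` to `uriTemplate.setScopes(scope)` is presumably an API-manager rename; worth confirming that the gateway reads the field the new setter populates. The method's signature is in the preceding hunk and its body continues outside this one.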

@ -23,6 +23,7 @@ public class ApiScope {
String key; String key;
String name; String name;
String roles; String roles;
String permissions;
String description; String description;
int id; int id;
@ -61,4 +62,11 @@ public class ApiScope {
this.description = description; this.description = description;
} }
public String getPermissions() {
return permissions;
}
public void setPermissions(String permissions) {
this.permissions = permissions;
}
} }

@ -70,6 +70,7 @@ public class AnnotationProcessor {
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_ROLES = "roles";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VERSION = "version"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VERSION = "version";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_CONTEXT = "context"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_CONTEXT = "context";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VALUE = "value"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VALUE = "value";
@ -78,6 +79,7 @@ public class AnnotationProcessor {
private static final String DEFAULT_SCOPE_NAME = "default admin scope"; private static final String DEFAULT_SCOPE_NAME = "default admin scope";
private static final String DEFAULT_SCOPE_KEY = "perm:admin"; private static final String DEFAULT_SCOPE_KEY = "perm:admin";
private static final String DEFAULT_SCOPE_PERMISSION = "/permision/device-mgt"; private static final String DEFAULT_SCOPE_PERMISSION = "/permision/device-mgt";
private static final String DEFAULT_SCOPE_ROLE = "admin";
private static final String PERMISSION_PREFIX = "/permission/admin"; private static final String PERMISSION_PREFIX = "/permission/admin";
@ -217,8 +219,11 @@ public class AnnotationProcessor {
ApiScope scope; ApiScope scope;
String permissions[]; String permissions[];
StringBuilder aggregatedPermissions; StringBuilder aggregatedPermissions;
String roles[];
StringBuilder aggregatedRoles;
for(int i=0; i<annotatedScopes.length; i++){ for(int i=0; i<annotatedScopes.length; i++){
aggregatedPermissions = new StringBuilder(); aggregatedPermissions = new StringBuilder();
aggregatedRoles = new StringBuilder();
methodHandler = Proxy.getInvocationHandler(annotatedScopes[i]); methodHandler = Proxy.getInvocationHandler(annotatedScopes[i]);
scope = new ApiScope(); scope = new ApiScope();
scope.setName(invokeMethod(scopeClass scope.setName(invokeMethod(scopeClass
@ -234,7 +239,14 @@ public class AnnotationProcessor {
aggregatedPermissions.append(permission); aggregatedPermissions.append(permission);
aggregatedPermissions.append(" "); aggregatedPermissions.append(" ");
} }
scope.setRoles(aggregatedPermissions.toString().trim()); scope.setPermissions(aggregatedPermissions.toString().trim());
roles = (String[])methodHandler.invoke(annotatedScopes[i], scopeClass
.getMethod(SWAGGER_ANNOTATIONS_PROPERTIES_ROLES, null),null);
for (String role : roles) {
aggregatedRoles.append(role);
aggregatedRoles.append(",");
}
scope.setRoles(aggregatedRoles.substring(0, aggregatedRoles.lastIndexOf(",")));
scopes.put(scope.getKey(), scope); scopes.put(scope.getKey(), scope);
} }
return scopes; return scopes;
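Review bot: `aggregatedRoles.substring(0, aggregatedRoles.lastIndexOf(","))` throws `StringIndexOutOfBoundsException` when `roles` is empty, because `lastIndexOf` returns -1; `roles = {}` is legal for the new annotation element, so a single scope without roles would abort scope processing for the whole webapp. If the target is Java 8 or later, `scope.setRoles(String.join(",", roles));` handles the empty case and removes the trailing-separator handling entirely. Note also that permissions are joined with a space while roles are joined with a comma; whichever consumer splits `ApiScope.getRoles()` must agree on the comma, and documenting the separator on `ApiScope` would help. The enclosing method starts before this hunk.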
@ -288,7 +300,8 @@ public class AnnotationProcessor {
scope.setName(DEFAULT_SCOPE_NAME); scope.setName(DEFAULT_SCOPE_NAME);
scope.setDescription(DEFAULT_SCOPE_NAME); scope.setDescription(DEFAULT_SCOPE_NAME);
scope.setKey(DEFAULT_SCOPE_KEY); scope.setKey(DEFAULT_SCOPE_KEY);
scope.setRoles(DEFAULT_SCOPE_PERMISSION); scope.setRoles(DEFAULT_SCOPE_ROLE);
scope.setPermissions(DEFAULT_SCOPE_PERMISSION);
resource.setScope(scope); resource.setScope(scope);
} }
} }
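Review bot: The default scope now stores `DEFAULT_SCOPE_PERMISSION` in the permissions field, and that constant's value `/permision/device-mgt` appears to be misspelled (`permision`), so the fallback permission would presumably match no registered `/permission/...` path; previously it was written to the roles field, where the typo may have gone unnoticed. Worth confirming the intended value and correcting the constant in the same change. The enclosing method starts before this hunk.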

@ -86,12 +86,14 @@ import javax.ws.rs.core.Response;
name = "Get ApplicationDTO Details", name = "Get ApplicationDTO Details",
description = "Get application details", description = "Get application details",
key = "perm:app:publisher:view", key = "perm:app:publisher:view",
roles = {"Internal/everyone"},
permissions = {"/app-mgt/publisher/application/view"} permissions = {"/app-mgt/publisher/application/view"}
), ),
@Scope( @Scope(
name = "Update an ApplicationDTO", name = "Update an ApplicationDTO",
description = "Update an application", description = "Update an application",
key = "perm:app:publisher:update", key = "perm:app:publisher:update",
roles = {"Internal/everyone"},
permissions = {"/app-mgt/publisher/application/update"} permissions = {"/app-mgt/publisher/application/update"}
) )
} }

@ -68,6 +68,7 @@ import java.util.List;
name = "Delete Application Release", name = "Delete Application Release",
description = "Delete Application Release", description = "Delete Application Release",
key = "perm:admin:app:publisher:update", key = "perm:admin:app:publisher:update",
roles = {"admin"},
permissions = {"/app-mgt/publisher/admin/application/update"} permissions = {"/app-mgt/publisher/admin/application/update"}
) )
} }

@ -65,12 +65,14 @@ scopes = {
name = "Update a Review", name = "Update a Review",
description = "Update a Review of application.", description = "Update a Review of application.",
key = "perm:admin:app:review:update", key = "perm:admin:app:review:update",
roles = {"admin"},
permissions = {"/app-mgt/publisher/admin/review/update"} permissions = {"/app-mgt/publisher/admin/review/update"}
), ),
@Scope( @Scope(
name = "Get Review Details", name = "Get Review Details",
description = "Get review details of application.", description = "Get review details of application.",
key = "perm:admin:app:review:view", key = "perm:admin:app:review:view",
roles = {"admin"},
permissions = {"/app-mgt/publisher/admin/review/view"} permissions = {"/app-mgt/publisher/admin/review/view"}
) )
} }

@ -68,6 +68,7 @@ import javax.ws.rs.core.Response;
name = "Get Application Details", name = "Get Application Details",
description = "Get application details", description = "Get application details",
key = "perm:app:store:view", key = "perm:app:store:view",
roles = {"Internal/everyone"},
permissions = {"/app-mgt/store/application/view"} permissions = {"/app-mgt/store/application/view"}
) )
} }

@ -73,12 +73,14 @@ import java.util.List;
name = "Get Review Details", name = "Get Review Details",
description = "Get review details from application store.", description = "Get review details from application store.",
key = "perm:app:review:view", key = "perm:app:review:view",
roles = {"Internal/everyone"},
permissions = {"/app-mgt/store/review/view"} permissions = {"/app-mgt/store/review/view"}
), ),
@Scope( @Scope(
name = "Update a Review", name = "Update a Review",
description = "Update a Review from the application store.", description = "Update a Review from the application store.",
key = "perm:app:review:update", key = "perm:app:review:update",
roles = {"Internal/everyone"},
permissions = {"/app-mgt/store/review/update"} permissions = {"/app-mgt/store/review/update"}
), ),
} }

@ -27,6 +27,7 @@ import io.swagger.annotations.ExtensionProperty;
import io.swagger.annotations.Info; import io.swagger.annotations.Info;
import io.swagger.annotations.SwaggerDefinition; import io.swagger.annotations.SwaggerDefinition;
import io.swagger.annotations.Tag; import io.swagger.annotations.Tag;
import org.wso2.carbon.apimgt.annotations.api.Scope;
import org.wso2.carbon.apimgt.annotations.api.Scopes; import org.wso2.carbon.apimgt.annotations.api.Scopes;
import org.wso2.carbon.device.application.mgt.common.ErrorResponse; import org.wso2.carbon.device.application.mgt.common.ErrorResponse;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier; import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
@ -65,16 +66,18 @@ import java.util.List;
) )
@Scopes( @Scopes(
scopes = { scopes = {
@org.wso2.carbon.apimgt.annotations.api.Scope( @Scope(
name = "Install an ApplicationDTO", name = "Install an ApplicationDTO",
description = "Install an application", description = "Install an application",
key = "perm:app:subscription:install", key = "perm:app:subscription:install",
roles = {"Internal/everyone"},
permissions = {"/app-mgt/store/subscription/install"} permissions = {"/app-mgt/store/subscription/install"}
), ),
@org.wso2.carbon.apimgt.annotations.api.Scope( @Scope(
name = "Uninstall an Application", name = "Uninstall an Application",
description = "Uninstall an application", description = "Uninstall an application",
key = "perm:app:subscription:uninstall", key = "perm:app:subscription:uninstall",
roles = {"Internal/everyone"},
permissions = {"/app-mgt/store/subscription/uninstall"} permissions = {"/app-mgt/store/subscription/uninstall"}
) )
} }

@ -63,6 +63,7 @@ scopes = {
name = "Update a Review", name = "Update a Review",
description = "Update a Review of applications.", description = "Update a Review of applications.",
key = "perm:admin:app:review:update", key = "perm:admin:app:review:update",
roles = {"admin"},
permissions = {"/app-mgt/store/admin/review/update"} permissions = {"/app-mgt/store/admin/review/update"}
) )
} }

@ -67,6 +67,7 @@ import java.util.List;
name = "View Application Subscriptions", name = "View Application Subscriptions",
description = "View Application Subscriptions.", description = "View Application Subscriptions.",
key = "perm:admin:app:subscription:view", key = "perm:admin:app:subscription:view",
roles = {"admin"},
permissions = {"/app-mgt/store/admin/subscription/view"} permissions = {"/app-mgt/store/admin/subscription/view"}
) )
} }

@ -41,6 +41,7 @@ import javax.ws.rs.core.Response;
name = "Sign CSR", name = "Sign CSR",
description = "Sign CSR", description = "Sign CSR",
key = "perm:sign-csr", key = "perm:sign-csr",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/certificates/manage"} permissions = {"/device-mgt/certificates/manage"}
) )
} }

@ -45,30 +45,35 @@ import javax.ws.rs.core.Response;
name = "Adding a new SSL certificate", name = "Adding a new SSL certificate",
description = "Adding a new SSL certificate", description = "Adding a new SSL certificate",
key = "perm:admin:certificates:add", key = "perm:admin:certificates:add",
roles = {"admin"},
permissions = {"/device-mgt/admin/certificates/add"} permissions = {"/device-mgt/admin/certificates/add"}
), ),
@Scope( @Scope(
name = "Getting Details of an SSL Certificate", name = "Getting Details of an SSL Certificate",
description = "Getting Details of an SSL Certificate", description = "Getting Details of an SSL Certificate",
key = "perm:admin:certificates:details", key = "perm:admin:certificates:details",
roles = {"admin"},
permissions = {"/device-mgt/admin/certificates/details"} permissions = {"/device-mgt/admin/certificates/details"}
), ),
@Scope( @Scope(
name = "Getting Details of Certificates", name = "Getting Details of Certificates",
description = "Getting Details of Certificates", description = "Getting Details of Certificates",
key = "perm:admin:certificates:view", key = "perm:admin:certificates:view",
roles = {"admin"},
permissions = {"/device-mgt/admin/certificates/view"} permissions = {"/device-mgt/admin/certificates/view"}
), ),
@Scope( @Scope(
name = "Deleting an SSL Certificate", name = "Deleting an SSL Certificate",
description = "Deleting an SSL Certificate", description = "Deleting an SSL Certificate",
key = "perm:admin:certificates:delete", key = "perm:admin:certificates:delete",
roles = {"admin"},
permissions = {"/device-mgt/admin/certificates/delete"} permissions = {"/device-mgt/admin/certificates/delete"}
), ),
@Scope( @Scope(
name = "Verify SSL certificate", name = "Verify SSL certificate",
description = "Verify SSL certificate", description = "Verify SSL certificate",
key = "perm:admin:certificates:verify", key = "perm:admin:certificates:verify",
roles = {"admin"},
permissions = {"/device-mgt/admin/certificates/verify"} permissions = {"/device-mgt/admin/certificates/verify"}
) )
} }

@ -71,24 +71,28 @@ import java.util.List;
name = "View configurations", name = "View configurations",
description = "", description = "",
key = "perm:view-configuration", key = "perm:view-configuration",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/platform-configurations/view"} permissions = {"/device-mgt/platform-configurations/view"}
), ),
@Scope( @Scope(
name = "Manage configurations", name = "Manage configurations",
description = "", description = "",
key = "perm:manage-configuration", key = "perm:manage-configuration",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/platform-configurations/manage"} permissions = {"/device-mgt/platform-configurations/manage"}
), ),
@Scope( @Scope(
name = "Getting Details of Device tenants", name = "Getting Details of Device tenants",
description = "Getting Details of Device tenants", description = "Getting Details of Device tenants",
key = "perm:admin:tenant:view", key = "perm:admin:tenant:view",
roles = {"Internal/everyone"},
permissions = {"/tenants/view"} permissions = {"/tenants/view"}
), ),
@Scope( @Scope(
name = "Add a permission to the permission tree", name = "Add a permission to the permission tree",
description = "Add a permission to the permission tree", description = "Add a permission to the permission tree",
key = "perm:admin:permissions:add", key = "perm:admin:permissions:add",
roles = {"Internal/everyone"},
permissions = {"/permissions/add"} permissions = {"/permissions/add"}
) )
} }
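Review bot: `perm:admin:tenant:view` and `perm:admin:permissions:add` are bound to `roles = {"Internal/everyone"}`, whereas every other `perm:admin:*` scope in this commit is bound to `{"admin"}`; unless intended, this lets any authenticated user of the tenant obtain the scopes that list tenants and add entries to the permission tree. If these endpoints are meant to be admin-only, the binding should be `roles = {"admin"},` for both; if the wider binding is deliberate, a short comment on each scope saying why would stop the next reviewer from flagging it. The `@Scopes` annotation enclosing these entries starts before the hunk.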

@ -37,13 +37,13 @@ import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException;
import org.wso2.carbon.device.mgt.common.exceptions.DeviceNotFoundException; import org.wso2.carbon.device.mgt.common.exceptions.DeviceNotFoundException;
import org.wso2.carbon.device.mgt.common.general.TenantDetail; import org.wso2.carbon.device.mgt.common.general.TenantDetail;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.core.DeviceManagementConstants; import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager; import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig; import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig;
import org.wso2.carbon.device.mgt.core.config.keymanager.KeyManagerConfigurations; import org.wso2.carbon.device.mgt.core.config.keymanager.KeyManagerConfigurations;
import org.wso2.carbon.device.mgt.core.config.ui.UIConfiguration; import org.wso2.carbon.device.mgt.core.config.ui.UIConfiguration;
import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager; import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil; import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
import org.wso2.carbon.identity.jwt.client.extension.dto.AccessTokenInfo; import org.wso2.carbon.identity.jwt.client.extension.dto.AccessTokenInfo;
@ -274,15 +274,16 @@ public class DeviceManagementConfigServiceImpl implements DeviceManagementConfig
@Path("/permissions") @Path("/permissions")
@Produces({MediaType.APPLICATION_JSON}) @Produces({MediaType.APPLICATION_JSON})
public Response addPermission(List<String> permissions) { public Response addPermission(List<String> permissions) {
PermissionManagerService permissionService = DeviceMgtAPIUtils.getPermissionManagerService(); // PermissionManagerService permissionService = DeviceMgtAPIUtils.getPermissionManagerService();
org.wso2.carbon.device.mgt.common.permission.mgt.Permission permission = new org // org.wso2.carbon.device.mgt.common.permission.mgt.Permission permission = new org
.wso2.carbon.device.mgt.common.permission.mgt.Permission(); // .wso2.carbon.device.mgt.common.permission.mgt.Permission();
for (String path : permissions) { for (String path : permissions) {
permission.setPath(path); // permission.setPath(path);
permission.setUrl(path); // permission.setUrl(path);
try { try {
permissionService.addPermission(permission); PermissionUtils.putPermission(path);
// permissionService.addPermission(permission);
} catch (PermissionManagementException e) { } catch (PermissionManagementException e) {
String msg = "Error occurred adding permission"; String msg = "Error occurred adding permission";
log.error(msg, e); log.error(msg, e);
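Review bot: The old `PermissionManagerService` path is kept as three commented-out blocks around the new `PermissionUtils.putPermission(path)` call; they should be deleted rather than left in place, since version control holds the history and the dead lines obscure what the method now does. The request body `permissions` is written straight into the permission tree and nothing visible here validates the entries, so if `putPermission` does not validate either, a guard such as `if (path == null || path.trim().isEmpty()) { continue; }` before the call (and a check that the path is under the expected permission root) would be worth adding. The method's catch block and return continue outside the hunk.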

@ -21,7 +21,6 @@ package io.entgra.carbon.device.mgt.config.jaxrs.util;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
@ -33,7 +32,6 @@ public class DeviceMgtAPIUtils {
private static final Log log = LogFactory.getLog(DeviceMgtAPIUtils.class); private static final Log log = LogFactory.getLog(DeviceMgtAPIUtils.class);
private static DeviceManagementProviderService deviceManagementProviderService = null; private static DeviceManagementProviderService deviceManagementProviderService = null;
private static PermissionManagerService permissionManagerService = null;
private static RealmService realmService = null; private static RealmService realmService = null;
public static DeviceManagementProviderService getDeviceManagementService() { public static DeviceManagementProviderService getDeviceManagementService() {
@ -50,20 +48,6 @@ public class DeviceMgtAPIUtils {
return deviceManagementProviderService; return deviceManagementProviderService;
} }
public static PermissionManagerService getPermissionManagerService() {
if (permissionManagerService == null) {
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
permissionManagerService =
(PermissionManagerService) ctx.getOSGiService(PermissionManagerService.class, null);
if (permissionManagerService == null) {
String msg = "Permission Management provider service has not initialized.";
log.error(msg);
throw new IllegalStateException(msg);
}
}
return permissionManagerService;
}
public static RealmService getRealmService() { public static RealmService getRealmService() {
if (realmService == null) { if (realmService == null) {
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();

@ -76,6 +76,7 @@ import javax.ws.rs.core.Response;
name = "Get activities", name = "Get activities",
description = "Get activities", description = "Get activities",
key = "perm:get-activity", key = "perm:get-activity",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
) )
} }

@ -68,41 +68,49 @@ import javax.ws.rs.core.Response;
name = "Create Event Stream Artifact", name = "Create Event Stream Artifact",
description = "Create Event Stream Artifact", description = "Create Event Stream Artifact",
key = "perm:analytics:artifacts:stream", key = "perm:analytics:artifacts:stream",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/stream/add"}), permissions = {"/device-mgt/analytics/artifacts/stream/add"}),
@Scope( @Scope(
name = "Delete Stream Artifact", name = "Delete Stream Artifact",
description = "Delete Stream Artifact", description = "Delete Stream Artifact",
key = "perm:analytics:artifacts:stream:delete", key = "perm:analytics:artifacts:stream:delete",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/stream/delete"}), permissions = {"/device-mgt/analytics/artifacts/stream/delete"}),
@Scope( @Scope(
name = "Create Event Receiver Artifact", name = "Create Event Receiver Artifact",
description = "Create Event Receiver Artifact", description = "Create Event Receiver Artifact",
key = "perm:analytics:artifacts:receiver", key = "perm:analytics:artifacts:receiver",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/receiver/add"}), permissions = {"/device-mgt/analytics/artifacts/receiver/add"}),
@Scope( @Scope(
name = "Delete Receiver Artifact", name = "Delete Receiver Artifact",
description = "Delete Receiver Artifact", description = "Delete Receiver Artifact",
key = "perm:analytics:artifacts:receiver:delete", key = "perm:analytics:artifacts:receiver:delete",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/receiver/delete"}), permissions = {"/device-mgt/analytics/artifacts/receiver/delete"}),
@Scope( @Scope(
name = "Create Event Publisher Artifact", name = "Create Event Publisher Artifact",
description = "Create Event Publisher Artifact", description = "Create Event Publisher Artifact",
key = "perm:analytics:artifacts:publisher", key = "perm:analytics:artifacts:publisher",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/publisher/add"}), permissions = {"/device-mgt/analytics/artifacts/publisher/add"}),
@Scope( @Scope(
name = "Delete Publisher Artifact", name = "Delete Publisher Artifact",
description = "Delete Publisher Artifact", description = "Delete Publisher Artifact",
key = "perm:analytics:artifacts:publisher:delete", key = "perm:analytics:artifacts:publisher:delete",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/publisher/delete"}), permissions = {"/device-mgt/analytics/artifacts/publisher/delete"}),
@Scope( @Scope(
name = "Create Siddhi Script Artifact", name = "Create Siddhi Script Artifact",
description = "Create Siddhi Script Artifact", description = "Create Siddhi Script Artifact",
key = "perm:analytics:artifacts:siddhi", key = "perm:analytics:artifacts:siddhi",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/siddhi-script/add"}), permissions = {"/device-mgt/analytics/artifacts/siddhi-script/add"}),
@Scope( @Scope(
name = "Delete Siddhi Script Artifact", name = "Delete Siddhi Script Artifact",
description = "Delete Siddhi Script Artifact", description = "Delete Siddhi Script Artifact",
key = "perm:analytics:artifacts:siddhi:delete", key = "perm:analytics:artifacts:siddhi:delete",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/analytics/artifacts/siddhi-script/delete"}) permissions = {"/device-mgt/analytics/artifacts/siddhi-script/delete"})
} }
) )
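Review bot: Every artifact-management scope in this hunk, including `perm:analytics:artifacts:siddhi` and the publisher/receiver scopes, is bound to `Internal/everyone`, the role every authenticated user carries, so the new `roles` attribute does not separate creating or deleting analytics artifacts from ordinary use. If `roles` governs which roles may obtain a scope, any logged-in user could deploy or remove Siddhi scripts, streams, receivers and publishers, which reads as an administrative capability rather than an everyone capability. The permission paths (`/device-mgt/analytics/artifacts/.../add` and `.../delete`) suggest these were previously gated by permission alone. Consider `roles = {"admin"}` for the eight scopes here, matching the admin role this commit uses for the internal application scopes, or add a comment above the array stating why everyone is intended.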

@ -69,12 +69,14 @@ import javax.ws.rs.core.Response;
name = "View configurations", name = "View configurations",
description = "", description = "",
key = "perm:view-configuration", key = "perm:view-configuration",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/platform-configurations/view"} permissions = {"/device-mgt/platform-configurations/view"}
), ),
@Scope( @Scope(
name = "Manage configurations", name = "Manage configurations",
description = "", description = "",
key = "perm:manage-configuration", key = "perm:manage-configuration",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/platform-configurations/manage"} permissions = {"/device-mgt/platform-configurations/manage"}
) )
} }
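Review bot: `perm:manage-configuration` gets `roles = {"Internal/everyone"}` on the line before its permissions, the same role as the read-only `perm:view-configuration`, so role no longer distinguishes viewing platform configuration from changing it. Platform configuration is tenant-wide state; binding the manage scope to the role every authenticated user holds widens who can request it, assuming `roles` drives scope assignment. Suggest `roles = {"admin"}` for the manage scope while keeping `Internal/everyone` on view, or a one-line comment stating that the `/device-mgt/platform-configurations/manage` permission is the sole effective gate.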

@ -77,30 +77,35 @@ import java.util.Map;
name = "Enroll Device", name = "Enroll Device",
description = "Register a device", description = "Register a device",
key = "perm:device:enroll", key = "perm:device:enroll",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/add"} permissions = {"/device-mgt/devices/owning-device/add"}
), ),
@Scope( @Scope(
name = "Modify Device", name = "Modify Device",
description = "Modify a device", description = "Modify a device",
key = "perm:device:modify", key = "perm:device:modify",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/modify"} permissions = {"/device-mgt/devices/owning-device/modify"}
), ),
@Scope( @Scope(
name = "Disenroll Device", name = "Disenroll Device",
description = "Disenroll a device", description = "Disenroll a device",
key = "perm:device:disenroll", key = "perm:device:disenroll",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/remove"} permissions = {"/device-mgt/devices/owning-device/remove"}
), ),
@Scope( @Scope(
name = "Publish Event", name = "Publish Event",
description = "publish device event", description = "publish device event",
key = "perm:device:publish-event", key = "perm:device:publish-event",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/event"} permissions = {"/device-mgt/devices/owning-device/event"}
), ),
@Scope( @Scope(
name = "Getting Device Operation Details", name = "Getting Device Operation Details",
description = "Getting Device Operation Details", description = "Getting Device Operation Details",
key = "perm:device:operations", key = "perm:device:operations",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
) )
} }

@ -51,12 +51,14 @@ import javax.ws.rs.core.Response;
name = "Add or Delete Event Definition for device type", name = "Add or Delete Event Definition for device type",
description = "Add or Delete Event Definition for device type", description = "Add or Delete Event Definition for device type",
key = "perm:device-types:events", key = "perm:device-types:events",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/device-type/add"} permissions = {"/device-mgt/device-type/add"}
), ),
@Scope( @Scope(
name = "Get Events Details of a Device Type", name = "Get Events Details of a Device Type",
description = "Get Events Details of a Device Type", description = "Get Events Details of a Device Type",
key = "perm:device-types:events:view", key = "perm:device-types:events:view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
) )
} }
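Review bot: `perm:device-types:events` ("Add or Delete Event Definition for device type") is bound to `Internal/everyone` although its permission is `/device-mgt/device-type/add`, a device-type administration path rather than an owning-device one. Changing a type's event definitions affects every device of that type, not only the caller's, so the role should presumably be narrower than the one on the view scope below it; `roles = {"admin"}` would match the role used for the internal API scopes in this commit. If the permission check alone is meant to restrict it, a short comment above the scope saying so would spare the next reader the same question.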

@ -107,66 +107,77 @@ import java.util.List;
name = "Getting Details of Registered Devices", name = "Getting Details of Registered Devices",
description = "Getting Details of Registered Devices", description = "Getting Details of Registered Devices",
key = "perm:devices:view", key = "perm:devices:view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Getting Details of a Device", name = "Getting Details of a Device",
description = "Getting Details of a Device", description = "Getting Details of a Device",
key = "perm:devices:details", key = "perm:devices:details",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Update the device specified by device id", name = "Update the device specified by device id",
description = "Update the device specified by device id", description = "Update the device specified by device id",
key = "perm:devices:update", key = "perm:devices:update",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Delete the device specified by device id", name = "Delete the device specified by device id",
description = "Delete the device specified by device id", description = "Delete the device specified by device id",
key = "perm:devices:delete", key = "perm:devices:delete",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Getting Feature Details of a Device", name = "Getting Feature Details of a Device",
description = "Getting Feature Details of a Device", description = "Getting Feature Details of a Device",
key = "perm:devices:features", key = "perm:devices:features",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Advanced Search for Devices", name = "Advanced Search for Devices",
description = "Advanced Search for Devices", description = "Advanced Search for Devices",
key = "perm:devices:search", key = "perm:devices:search",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Getting Installed Application Details of a Device", name = "Getting Installed Application Details of a Device",
description = "Getting Installed Application Details of a Device", description = "Getting Installed Application Details of a Device",
key = "perm:devices:applications", key = "perm:devices:applications",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Getting Device Operation Details", name = "Getting Device Operation Details",
description = "Getting Device Operation Details", description = "Getting Device Operation Details",
key = "perm:devices:operations", key = "perm:devices:operations",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Get the details of the policy that is enforced on a device.", name = "Get the details of the policy that is enforced on a device.",
description = "Get the details of the policy that is enforced on a device.", description = "Get the details of the policy that is enforced on a device.",
key = "perm:devices:effective-policy", key = "perm:devices:effective-policy",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Getting Policy Compliance Details of a Device", name = "Getting Policy Compliance Details of a Device",
description = "Getting Policy Compliance Details of a Device", description = "Getting Policy Compliance Details of a Device",
key = "perm:devices:compliance-data", key = "perm:devices:compliance-data",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Change device status.", name = "Change device status.",
description = "Change device status.", description = "Change device status.",
key = "perm:devices:change-status", key = "perm:devices:change-status",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/change-status"} permissions = {"/device-mgt/devices/change-status"}
), ),
} }
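Review bot: `perm:devices:update`, `perm:devices:delete` and `perm:devices:change-status` are now bound to `Internal/everyone`, and the first two still carry only the `/device-mgt/devices/owning-device/view` permission, so neither the role nor the permission separates modifying or deleting a device from viewing it. The view permission on the update/delete scopes predates this commit, but adding the everyone role on top of it compounds the problem. Suggest pairing update and delete with the owning-device paths the enrollment scopes already use (`/device-mgt/devices/owning-device/modify` and `/device-mgt/devices/owning-device/remove`), and restricting `perm:devices:change-status` to `roles = {"admin"}` unless device owners are intended to change status themselves.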

@ -87,24 +87,28 @@ import javax.ws.rs.core.Response;
name = "Getting the Supported Device Platforms", name = "Getting the Supported Device Platforms",
description = "Getting the Supported Device Platforms", description = "Getting the Supported Device Platforms",
key = "perm:device-types:types", key = "perm:device-types:types",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/device-type/view"} permissions = {"/device-mgt/device-type/view"}
), ),
@Scope( @Scope(
name = "Get Feature Details of a Device Type", name = "Get Feature Details of a Device Type",
description = "Get Feature Details of a Device Type", description = "Get Feature Details of a Device Type",
key = "perm:device-types:features", key = "perm:device-types:features",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/device-type/features/view"} permissions = {"/device-mgt/device-type/features/view"}
), ),
@Scope( @Scope(
name = "Get Config Details of a Device Type", name = "Get Config Details of a Device Type",
description = "Get Config Details of a Device Type", description = "Get Config Details of a Device Type",
key = "perm:device-types:configs", key = "perm:device-types:configs",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/device-type/config/view"} permissions = {"/device-mgt/device-type/config/view"}
), ),
@Scope( @Scope(
name = "Getting Details of Policies", name = "Getting Details of Policies",
description = "Getting Details of Policies", description = "Getting Details of Policies",
key = "perm:policies:get-details", key = "perm:policies:get-details",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/view"} permissions = {"/device-mgt/policies/view"}
) )
} }

@ -73,18 +73,21 @@ import java.util.List;
name = "View Analytics", name = "View Analytics",
description = "", description = "",
key = "perm:geo-service:analytics-view", key = "perm:geo-service:analytics-view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view-analytics"} permissions = {"/device-mgt/devices/owning-device/view-analytics"}
), ),
@Scope( @Scope(
name = "Manage Alerts", name = "Manage Alerts",
description = "", description = "",
key = "perm:geo-service:alerts-manage", key = "perm:geo-service:alerts-manage",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/manage-alerts"} permissions = {"/device-mgt/devices/owning-device/manage-alerts"}
), ),
@Scope( @Scope(
name = "Manage Geo Fences", name = "Manage Geo Fences",
description = "", description = "",
key = "perm:geo-service:geo-fence", key = "perm:geo-service:geo-fence",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/manage-geo-fence"} permissions = {"/device-mgt/devices/owning-device/manage-geo-fence"}
) )
} }
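Review bot: `perm:geo-service:alerts-manage` and `perm:geo-service:geo-fence` receive the same `Internal/everyone` role as `perm:geo-service:analytics-view`, so the only thing that distinguishes managing alerts and geo-fences from viewing analytics is the permission path. Those paths are all under `/device-mgt/devices/owning-device/`, which suggests an ownership check in the service is the real gate, but this hunk does not show it. A comment above the array such as `// all geo scopes rely on the owning-device permission check; roles intentionally open to everyone` would make the choice explicit.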

@ -82,84 +82,98 @@ import java.util.List;
name = "Get the list of groups belongs to current user.", name = "Get the list of groups belongs to current user.",
description = "Get the list of groups belongs to current user.", description = "Get the list of groups belongs to current user.",
key = "perm:groups:groups", key = "perm:groups:groups",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/view"} permissions = {"/device-mgt/groups/view"}
), ),
@Scope( @Scope(
name = "Get the count of groups belongs to current user.", name = "Get the count of groups belongs to current user.",
description = "Get the count of groups belongs to current user.", description = "Get the count of groups belongs to current user.",
key = "perm:groups:count", key = "perm:groups:count",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/view"} permissions = {"/device-mgt/groups/view"}
), ),
@Scope( @Scope(
name = "Add new device group to the system.", name = "Add new device group to the system.",
description = "Add new device group to the system.", description = "Add new device group to the system.",
key = "perm:groups:add", key = "perm:groups:add",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/add"} permissions = {"/device-mgt/groups/add"}
), ),
@Scope( @Scope(
name = "View group specified", name = "View group specified",
description = "View group specified", description = "View group specified",
key = "perm:groups:groups-view", key = "perm:groups:groups-view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/view"} permissions = {"/device-mgt/groups/view"}
), ),
@Scope( @Scope(
name = "Update a group", name = "Update a group",
description = "Update a group", description = "Update a group",
key = "perm:groups:update", key = "perm:groups:update",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/update"} permissions = {"/device-mgt/groups/update"}
), ),
@Scope( @Scope(
name = "Delete a group", name = "Delete a group",
description = "Delete a group", description = "Delete a group",
key = "perm:groups:remove", key = "perm:groups:remove",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/remove"} permissions = {"/device-mgt/groups/remove"}
), ),
@Scope( @Scope(
name = "Manage group sharing with a user", name = "Manage group sharing with a user",
description = "Manage group sharing with a user", description = "Manage group sharing with a user",
key = "perm:groups:share", key = "perm:groups:share",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/share"} permissions = {"/device-mgt/groups/share"}
), ),
@Scope( @Scope(
name = "View list of roles of a device group", name = "View list of roles of a device group",
description = "View list of roles of a device group", description = "View list of roles of a device group",
key = "perm:groups:roles", key = "perm:groups:roles",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/roles/view"} permissions = {"/device-mgt/groups/roles/view"}
), ),
@Scope( @Scope(
name = "View list of devices in the device group", name = "View list of devices in the device group",
description = "View list of devices in the device group", description = "View list of devices in the device group",
key = "perm:groups:devices", key = "perm:groups:devices",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/devices/view"} permissions = {"/device-mgt/groups/devices/view"}
), ),
@Scope( @Scope(
name = "View list of device count in the device group", name = "View list of device count in the device group",
description = "View list of device count in the device group", description = "View list of device count in the device group",
key = "perm:groups:devices-count", key = "perm:groups:devices-count",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/devices/view"} permissions = {"/device-mgt/groups/devices/view"}
), ),
@Scope( @Scope(
name = "Add devices to group", name = "Add devices to group",
description = "Add devices to group", description = "Add devices to group",
key = "perm:groups:devices-add", key = "perm:groups:devices-add",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/devices/add"} permissions = {"/device-mgt/groups/devices/add"}
), ),
@Scope( @Scope(
name = "Remove devices from group", name = "Remove devices from group",
description = "Remove devices from group", description = "Remove devices from group",
key = "perm:groups:devices-remove", key = "perm:groups:devices-remove",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/devices/remove"} permissions = {"/device-mgt/groups/devices/remove"}
), ),
@Scope( @Scope(
name = "Assign devices to groups", name = "Assign devices to groups",
description = "Assign devices to groups", description = "Assign devices to groups",
key = "perm:groups:assign", key = "perm:groups:assign",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/devices/add"} permissions = {"/device-mgt/groups/devices/add"}
), ),
@Scope( @Scope(
name = "List of groups that have the device", name = "List of groups that have the device",
description = "List of groups that have the device", description = "List of groups that have the device",
key = "perm:groups:device", key = "perm:groups:device",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/groups/devices/view"} permissions = {"/device-mgt/groups/devices/view"}
) )
} }
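Review bot: The group mutation scopes (`perm:groups:add`, `update`, `remove`, `share`, `devices-add`, `devices-remove`, `assign`) receive the same `Internal/everyone` role as the read scopes, so the added attribute gives no separation between viewing and managing groups. `perm:groups:share` in particular changes who a group is shared with; whether that is safe for every user depends on ownership checks in the service, which this hunk does not show, and a comment stating that assumption would help. Separately, `perm:groups:assign` and `perm:groups:devices-add` both map to `/device-mgt/groups/devices/add` with identical roles, so they are indistinguishable for authorization; consider merging them or documenting why both exist.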

@ -73,24 +73,28 @@ import javax.ws.rs.core.Response;
name = "View metadata records", name = "View metadata records",
description = "View metadata records", description = "View metadata records",
key = "perm:metadata:view", key = "perm:metadata:view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/metadata/view"} permissions = {"/device-mgt/metadata/view"}
), ),
@Scope( @Scope(
name = "Create a metadata record", name = "Create a metadata record",
description = "Create a metadata record", description = "Create a metadata record",
key = "perm:metadata:create", key = "perm:metadata:create",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/metadata/create"} permissions = {"/device-mgt/metadata/create"}
), ),
@Scope( @Scope(
name = "Update a metadata record", name = "Update a metadata record",
description = "Updating a specified metadata record", description = "Updating a specified metadata record",
key = "perm:metadata:update", key = "perm:metadata:update",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/metadata/update"} permissions = {"/device-mgt/metadata/update"}
), ),
@Scope( @Scope(
name = "Delete a metadata record", name = "Delete a metadata record",
description = "Delete a specified metadata record", description = "Delete a specified metadata record",
key = "perm:metadata:remove", key = "perm:metadata:remove",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/metadata/remove"} permissions = {"/device-mgt/metadata/remove"}
) )
} }
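Review bot: `perm:metadata:create`, `perm:metadata:update` and `perm:metadata:remove` are bound to `Internal/everyone`, the same role as `perm:metadata:view`. Their permission paths (`/device-mgt/metadata/...`) are not scoped to an owning device or user, so if `roles` governs who may obtain the scope, any authenticated user could alter or delete shared records. Suggest `roles = {"admin"}` for the three write scopes, or a comment explaining why tenant-wide metadata writes are open to all users.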

@ -73,12 +73,14 @@ import javax.ws.rs.core.Response;
name = "Getting All Device Notification Details", name = "Getting All Device Notification Details",
description = "Getting All Device Notification Details", description = "Getting All Device Notification Details",
key = "perm:notifications:view", key = "perm:notifications:view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/notifications/view"} permissions = {"/device-mgt/notifications/view"}
), ),
@Scope( @Scope(
name = "Updating the Device Notification Status", name = "Updating the Device Notification Status",
description = "Updating the Device Notification Status", description = "Updating the Device Notification Status",
key = "perm:notifications:mark-checked", key = "perm:notifications:mark-checked",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/notifications/view"} permissions = {"/device-mgt/notifications/view"}
) )
} }
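Review bot: `perm:notifications:mark-checked` is a write operation but its permission is `/device-mgt/notifications/view`, and with the new `roles = {"Internal/everyone"}` the view and update scopes are now identical for authorization purposes. The shared permission predates this commit, but since this is where role/permission pairs are being defined it is the right place to give the update scope its own permission path distinct from view, or to add a comment above it stating that marking notifications checked is intentionally allowed to anyone who can view them.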

@ -79,60 +79,70 @@ import java.util.List;
name = "Adding a Policy", name = "Adding a Policy",
description = "Adding a Policy", description = "Adding a Policy",
key = "perm:policies:manage", key = "perm:policies:manage",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/manage"} permissions = {"/device-mgt/policies/manage"}
), ),
@Scope( @Scope(
name = "Getting Details of Policies", name = "Getting Details of Policies",
description = "Getting Details of Policies", description = "Getting Details of Policies",
key = "perm:policies:get-details", key = "perm:policies:get-details",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/view"} permissions = {"/device-mgt/policies/view"}
), ),
@Scope( @Scope(
name = "Getting Details of a Policy", name = "Getting Details of a Policy",
description = "Getting Details of a Policy", description = "Getting Details of a Policy",
key = "perm:policies:get-policy-details", key = "perm:policies:get-policy-details",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/view"} permissions = {"/device-mgt/policies/view"}
), ),
@Scope( @Scope(
name = "Updating a Policy", name = "Updating a Policy",
description = "Updating a Policy", description = "Updating a Policy",
key = "perm:policies:update", key = "perm:policies:update",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/manage"} permissions = {"/device-mgt/policies/manage"}
), ),
@Scope( @Scope(
name = "Removing Multiple Policies", name = "Removing Multiple Policies",
description = "Removing Multiple Policies", description = "Removing Multiple Policies",
key = "perm:policies:remove", key = "perm:policies:remove",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/manage"} permissions = {"/device-mgt/policies/manage"}
), ),
@Scope( @Scope(
name = "Activating Policies", name = "Activating Policies",
description = "Activating Policies", description = "Activating Policies",
key = "perm:policies:activate", key = "perm:policies:activate",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/manage"} permissions = {"/device-mgt/policies/manage"}
), ),
@Scope( @Scope(
name = "Deactivating Policies", name = "Deactivating Policies",
description = "Deactivating Policies", description = "Deactivating Policies",
key = "perm:policies:deactivate", key = "perm:policies:deactivate",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/manage"} permissions = {"/device-mgt/policies/manage"}
), ),
@Scope( @Scope(
name = "Applying Changes on Policies", name = "Applying Changes on Policies",
description = "Applying Changes on Policies", description = "Applying Changes on Policies",
key = "perm:policies:changes", key = "perm:policies:changes",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/manage"} permissions = {"/device-mgt/policies/manage"}
), ),
@Scope( @Scope(
name = "Updating the Policy Priorities", name = "Updating the Policy Priorities",
description = "Updating the Policy Priorities", description = "Updating the Policy Priorities",
key = "perm:policies:priorities", key = "perm:policies:priorities",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/manage"} permissions = {"/device-mgt/policies/manage"}
), ),
@Scope( @Scope(
name = "Fetching the Effective Policy", name = "Fetching the Effective Policy",
description = "Fetching the Effective Policy", description = "Fetching the Effective Policy",
key = "perm:policies:effective-policy", key = "perm:policies:effective-policy",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/policies/view"} permissions = {"/device-mgt/policies/view"}
) )
} }
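Review bot: The policy management scopes (`perm:policies:manage`, `update`, `remove`, `activate`, `deactivate`, `changes`, `priorities`) all get `roles = {"Internal/everyone"}`, the same role as the read scopes, so the added attribute does not separate policy administration from policy viewing. Policies are enforced on devices across the tenant, so letting every authenticated user request a scope that can add, remove or reprioritise them is a broad grant, assuming `roles` drives which roles the scope is bound to. Suggest `roles = {"admin"}` on the seven `/device-mgt/policies/manage` scopes, consistent with the admin role this commit uses for the internal application scopes, and keep everyone only for `get-details`, `get-policy-details` and `effective-policy`.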

@ -61,6 +61,7 @@ import javax.ws.rs.core.Response;
name = "Remote Session Connection", name = "Remote Session Connection",
description = "", description = "",
key = "perm:remote-session-service:connect", key = "perm:remote-session-service:connect",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/remote-session"} permissions = {"/device-mgt/devices/owning-device/remote-session"}
) )
} }
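Review bot: `perm:remote-session-service:connect` is bound to `Internal/everyone`, which makes interactive remote access to a device obtainable by any authenticated user as far as the scope definition is concerned. The effective gate is then whatever ownership check sits behind `/device-mgt/devices/owning-device/remote-session`, which this hunk does not show. A comment above the scope such as `// device ownership is enforced by the remote-session service; role deliberately open` would record that the everyone role is intentional rather than incidental. The enclosing annotation continues outside the hunk.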

@ -66,6 +66,7 @@ import java.util.List;
name = "Getting Details of Registered Devices", name = "Getting Details of Registered Devices",
description = "Getting Details of Registered Devices", description = "Getting Details of Registered Devices",
key = "perm:devices:view", key = "perm:devices:view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
} }

@ -53,48 +53,56 @@ import java.util.List;
name = "Getting the List of Roles", name = "Getting the List of Roles",
description = "Getting the List of Roles", description = "Getting the List of Roles",
key = "perm:roles:view", key = "perm:roles:view",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/view"} permissions = {"/device-mgt/roles/view"}
), ),
@Scope( @Scope(
name = "Getting Permission Details of a Role", name = "Getting Permission Details of a Role",
description = "Getting Permission Details of a Role", description = "Getting Permission Details of a Role",
key = "perm:roles:permissions", key = "perm:roles:permissions",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/view"} permissions = {"/device-mgt/roles/view"}
), ),
@Scope( @Scope(
name = "Getting the List of Roles", name = "Getting the List of Roles",
description = "Getting the List of Roles", description = "Getting the List of Roles",
key = "perm:roles:details", key = "perm:roles:details",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/view"} permissions = {"/device-mgt/roles/view"}
), ),
@Scope( @Scope(
name = "Adding a Role", name = "Adding a Role",
description = "Adding a Role", description = "Adding a Role",
key = "perm:roles:add", key = "perm:roles:add",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/manage"} permissions = {"/device-mgt/roles/manage"}
), ),
@Scope( @Scope(
name = "Adding a combined Role", name = "Adding a combined Role",
description = "Adding a combined Role", description = "Adding a combined Role",
key = "perm:roles:create-combined-role", key = "perm:roles:create-combined-role",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/manage"} permissions = {"/device-mgt/roles/manage"}
), ),
@Scope( @Scope(
name = "Updating Role Details", name = "Updating Role Details",
description = "Updating Role Details", description = "Updating Role Details",
key = "perm:roles:update", key = "perm:roles:update",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/manage"} permissions = {"/device-mgt/roles/manage"}
), ),
@Scope( @Scope(
name = "Deleting a Role", name = "Deleting a Role",
description = "Deleting a Role", description = "Deleting a Role",
key = "perm:roles:delete", key = "perm:roles:delete",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/manage"} permissions = {"/device-mgt/roles/manage"}
), ),
@Scope( @Scope(
name = "Adding Users to a Role", name = "Adding Users to a Role",
description = "Adding Users to a Role", description = "Adding Users to a Role",
key = "perm:roles:add-users", key = "perm:roles:add-users",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/roles/manage"} permissions = {"/device-mgt/roles/manage"}
) )
} }
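Review bot: `perm:roles:add`, `perm:roles:create-combined-role`, `perm:roles:update`, `perm:roles:delete` and `perm:roles:add-users` are all bound to `Internal/everyone`, which every authenticated user carries. A scope that can create a role, edit it and add users to it is a direct privilege-escalation path if `roles` governs who can obtain the scope: a user could add themselves to an existing admin role. Suggest `roles = {"admin"}` for the five `/device-mgt/roles/manage` scopes, leaving `Internal/everyone` on the three view scopes. Separately, `perm:roles:details` reuses the name "Getting the List of Roles" from `perm:roles:view`; a distinct name such as `name = "Getting Details of a Role"` would keep the generated scope list readable.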

@ -97,78 +97,91 @@ import javax.ws.rs.core.Response;
name = "Adding a User", name = "Adding a User",
description = "Adding a User", description = "Adding a User",
key = "perm:users:add", key = "perm:users:add",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/manage"} permissions = {"/device-mgt/users/manage"}
), ),
@Scope( @Scope(
name = "Getting Details of a User", name = "Getting Details of a User",
description = "Getting Details of a User", description = "Getting Details of a User",
key = "perm:users:details", key = "perm:users:details",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/view"} permissions = {"/device-mgt/users/view"}
), ),
@Scope( @Scope(
name = "Updating Details of a User", name = "Updating Details of a User",
description = "Updating Details of a User", description = "Updating Details of a User",
key = "perm:users:update", key = "perm:users:update",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/manage"} permissions = {"/device-mgt/users/manage"}
), ),
@Scope( @Scope(
name = "Deleting a User", name = "Deleting a User",
description = "Deleting a User", description = "Deleting a User",
key = "perm:users:delete", key = "perm:users:delete",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/manage"} permissions = {"/device-mgt/users/manage"}
), ),
@Scope( @Scope(
name = "Getting the Role Details of a User", name = "Getting the Role Details of a User",
description = "Getting the Role Details of a User", description = "Getting the Role Details of a User",
key = "perm:users:roles", key = "perm:users:roles",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/view"} permissions = {"/device-mgt/users/view"}
), ),
@Scope( @Scope(
name = "Getting Details of Users", name = "Getting Details of Users",
description = "Getting Details of Users", description = "Getting Details of Users",
key = "perm:users:user-details", key = "perm:users:user-details",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/view"} permissions = {"/device-mgt/users/view"}
), ),
@Scope( @Scope(
name = "Getting the User Count", name = "Getting the User Count",
description = "Getting the User Count", description = "Getting the User Count",
key = "perm:users:count", key = "perm:users:count",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/view"} permissions = {"/device-mgt/users/view"}
), ),
@Scope( @Scope(
name = "Getting the User existence status", name = "Getting the User existence status",
description = "Getting the User existence status", description = "Getting the User existence status",
key = "perm:users:is-exist", key = "perm:users:is-exist",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/view"} permissions = {"/device-mgt/users/view"}
), ),
@Scope( @Scope(
name = "Searching for a User Name", name = "Searching for a User Name",
description = "Searching for a User Name", description = "Searching for a User Name",
key = "perm:users:search", key = "perm:users:search",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/view"} permissions = {"/device-mgt/users/view"}
), ),
@Scope( @Scope(
name = "Changing the User Password", name = "Changing the User Password",
description = "Adding a User", description = "Adding a User",
key = "perm:users:credentials", key = "perm:users:credentials",
roles = {"Internal/everyone"},
permissions = {"/login"} permissions = {"/login"}
), ),
@Scope( @Scope(
name = "Sending Enrollment Invitations to Users", name = "Sending Enrollment Invitations to Users",
description = "Sending Enrollment Invitations to Users", description = "Sending Enrollment Invitations to Users",
key = "perm:users:send-invitation", key = "perm:users:send-invitation",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/users/manage"} permissions = {"/device-mgt/users/manage"}
), ),
@Scope( @Scope(
name = "Get activities", name = "Get activities",
description = "Get activities", description = "Get activities",
key = "perm:get-activity", key = "perm:get-activity",
roles = {"Internal/everyone"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Getting the Permissions of the User", name = "Getting the Permissions of the User",
description = "Getting the Permissions of the User", description = "Getting the Permissions of the User",
key = "perm:user:permission-view", key = "perm:user:permission-view",
roles = {"Internal/everyone"},
permissions = {"/login"} permissions = {"/login"}
) )
} }

@ -67,12 +67,14 @@ import javax.ws.rs.core.Response;
name = "Installing an Application (Internal API)", name = "Installing an Application (Internal API)",
description = "Installing an Application (Internal API)", description = "Installing an Application (Internal API)",
key = "perm:applications:install", key = "perm:applications:install",
roles = {"admin"},
permissions = {"/device-mgt/applications/manage"} permissions = {"/device-mgt/applications/manage"}
), ),
@Scope( @Scope(
name = "Uninstalling an Application (Internal API)", name = "Uninstalling an Application (Internal API)",
description = "Uninstalling an Application (Internal API)", description = "Uninstalling an Application (Internal API)",
key = "perm:applications:uninstall", key = "perm:applications:uninstall",
roles = {"admin"},
permissions = {"/device-mgt/applications/manage"} permissions = {"/device-mgt/applications/manage"}
) )
} }
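Review bot: The role name `"admin"` is written as a bare literal in both scopes of this hunk and again in the other admin-only scope declarations of this commit. The admin role name is deployment-configurable in Carbon (the `AdminRole` setting in user-mgt.xml), so a hard-coded value silently stops matching on a deployment that renames it, and there is no single place to change it. Consider one `public static final String ADMIN_ROLE = "admin";` in a shared constants class and reference that from every `roles = {...}`, with a comment stating that it must agree with the realm's configured admin role. The enclosing `@SwaggerDefinition` starts outside the hunk.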

@ -67,6 +67,7 @@ import javax.ws.rs.core.Response;
name = "Verify device authorization", name = "Verify device authorization",
description = "Verify device authorization", description = "Verify device authorization",
key = "perm:authorization:verify", key = "perm:authorization:verify",
roles = {"admin"},
permissions = {"/device-mgt/authorization/verify"} permissions = {"/device-mgt/authorization/verify"}
) )
} }

@ -57,6 +57,7 @@ import javax.ws.rs.core.Response;
name = "Devicetype deployment", name = "Devicetype deployment",
description = "Deploy devicetype", description = "Deploy devicetype",
key = "perm:devicetype:deployment", key = "perm:devicetype:deployment",
roles = {"admin"},
permissions = {"/device-mgt/devicetype/deploy"} permissions = {"/device-mgt/devicetype/deploy"}
) )
} }

@ -94,18 +94,21 @@ import java.util.List;
name = "Getting Details of a Device", name = "Getting Details of a Device",
description = "Getting Details of a Device", description = "Getting Details of a Device",
key = "perm:admin:devices:view", key = "perm:admin:devices:view",
roles = {"admin"},
permissions = {"/device-mgt/devices/owning-device/view"} permissions = {"/device-mgt/devices/owning-device/view"}
), ),
@Scope( @Scope(
name = "Update the Device Owner", name = "Update the Device Owner",
description = "Update the ownership of the device", description = "Update the ownership of the device",
key = "perm:admin:devices:update-enrollment", key = "perm:admin:devices:update-enrollment",
roles = {"admin"},
permissions = {"/device-mgt/admin/devices/update-enrollment"} permissions = {"/device-mgt/admin/devices/update-enrollment"}
), ),
@Scope( @Scope(
name = "Permanently Delete the device specified by device id", name = "Permanently Delete the device specified by device id",
description = "Permanently Delete the device specified by device id", description = "Permanently Delete the device specified by device id",
key = "perm:devices:permanent-delete", key = "perm:devices:permanent-delete",
roles = {"admin"},
permissions = {"/device-mgt/admin/devices/permanent-delete"} permissions = {"/device-mgt/admin/devices/permanent-delete"}
) )
} }

@ -92,18 +92,21 @@ import javax.ws.rs.core.Response;
name = "Manage a Device Type", name = "Manage a Device Type",
description = "Add, Edit or View a Device Type", description = "Add, Edit or View a Device Type",
key = "perm:admin:device-type", key = "perm:admin:device-type",
roles = {"admin"},
permissions = {"/device-mgt/admin/device-type"} permissions = {"/device-mgt/admin/device-type"}
), ),
@Scope( @Scope(
name = "Getting Details of a Device Type", name = "Getting Details of a Device Type",
description = "Getting Details of a Device Type", description = "Getting Details of a Device Type",
key = "perm:admin:device-type:view", key = "perm:admin:device-type:view",
roles = {"admin"},
permissions = {"/device-mgt/admin/device-type/view"} permissions = {"/device-mgt/admin/device-type/view"}
), ),
@Scope( @Scope(
name = "Add Device Type Config", name = "Add Device Type Config",
description = "Add Platform Config of a Device Type", description = "Add Platform Config of a Device Type",
key = "perm:admin:device-type:configs", key = "perm:admin:device-type:configs",
roles = {"admin"},
permissions = {"/device-mgt/admin/device-type/config"} permissions = {"/device-mgt/admin/device-type/config"}
) )
} }

@ -70,18 +70,21 @@ import javax.ws.rs.core.Response;
name = "View groups", name = "View groups",
description = "", description = "",
key = "perm:admin-groups:view", key = "perm:admin-groups:view",
roles = {"admin"},
permissions = {"/device-mgt/admin/groups/view"} permissions = {"/device-mgt/admin/groups/view"}
), ),
@Scope( @Scope(
name = "Count groups", name = "Count groups",
description = "", description = "",
key = "perm:admin-groups:count", key = "perm:admin-groups:count",
roles = {"admin"},
permissions = {"/device-mgt/admin/groups/view"} permissions = {"/device-mgt/admin/groups/view"}
), ),
@Scope( @Scope(
name = "Add groups", name = "Add groups",
description = "", description = "",
key = "perm:admin-groups:add", key = "perm:admin-groups:add",
roles = {"admin"},
permissions = {"/device-mgt/admin/groups/add"} permissions = {"/device-mgt/admin/groups/add"}
) )
} }

@ -53,12 +53,14 @@ import javax.ws.rs.core.Response;
name = "View Users", name = "View Users",
description = "View Users", description = "View Users",
key = "perm:admin-users:view", key = "perm:admin-users:view",
roles = {"admin"},
permissions = {"/device-mgt/users/manage"} permissions = {"/device-mgt/users/manage"}
), ),
@Scope( @Scope(
name = "Delete Users Device Information", name = "Delete Users Device Information",
description = "Delete users device details", description = "Delete users device details",
key = "perm:admin-users:remove", key = "perm:admin-users:remove",
roles = {"admin"},
permissions = {"/device-mgt/users/manage"} permissions = {"/device-mgt/users/manage"}
) )
} }

@ -74,7 +74,6 @@ import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService; import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService;
import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementService; import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementService;
import org.wso2.carbon.device.mgt.common.operation.mgt.Operation; import org.wso2.carbon.device.mgt.common.operation.mgt.Operation;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.common.report.mgt.ReportManagementService; import org.wso2.carbon.device.mgt.common.report.mgt.ReportManagementService;
import org.wso2.carbon.device.mgt.common.spi.DeviceTypeGeneratorService; import org.wso2.carbon.device.mgt.common.spi.DeviceTypeGeneratorService;
import org.wso2.carbon.device.mgt.common.spi.OTPManagementService; import org.wso2.carbon.device.mgt.common.spi.OTPManagementService;
@ -549,16 +548,6 @@ public class DeviceMgtAPIUtils {
return searchManagerService; return searchManagerService;
} }
public static PermissionManagerService getPermissionManagerService() {
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
PermissionManagerService PermissionManagerService =
(PermissionManagerService) ctx.getOSGiService(PermissionManagerService.class, null);
if (PermissionManagerService == null) {
throw new IllegalStateException("Permission manager service is not initialized.");
}
return PermissionManagerService;
}
public static GeoLocationProviderService getGeoService() { public static GeoLocationProviderService getGeoService() {
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
GeoLocationProviderService GeoLocationProviderService

@ -18,9 +18,6 @@
package org.wso2.carbon.device.mgt.common.permission.mgt; package org.wso2.carbon.device.mgt.common.permission.mgt;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
/** /**
* This class represents the information related to permission. * This class represents the information related to permission.
*/ */
@ -30,6 +27,7 @@ public class Permission {
private String path; // permission string private String path; // permission string
private String url; // url of the resource private String url; // url of the resource
private String method; // http method private String method; // http method
private String urlPattern;
public String getUrl() { public String getUrl() {
return url; return url;
@ -62,4 +60,12 @@ public class Permission {
public void setPath(String path) { public void setPath(String path) {
this.path = path; this.path = path;
} }
public String getUrlPattern() {
return urlPattern;
}
public void setUrlPattern(String urlPattern) {
this.urlPattern = urlPattern;
}
} }
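Review bot: `urlPattern` is the only field in this class without the trailing comment that `path`, `url` and `method` carry, and nothing says how it differs from `url`. From the AnnotationProcessor change in this commit it appears to be `url` with each `*` widened to a character class, so a comment such as `private String urlPattern; // regex form of url: each '*' becomes a single-segment character class` would tell a reader that this field holds a regular expression rather than another literal path. The new getter and setter at the end of the hunk would benefit from the same one-line Javadoc.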

@ -18,7 +18,7 @@
package org.wso2.carbon.device.mgt.common.permission.mgt; package org.wso2.carbon.device.mgt.common.permission.mgt;
import java.util.Properties; import java.util.List;
/** /**
* This represents the Permission management functionality which should be implemented by * This represents the Permission management functionality which should be implemented by
@ -26,22 +26,8 @@ import java.util.Properties;
*/ */
public interface PermissionManagerService { public interface PermissionManagerService {
/** boolean addPermission(String context, List<Permission> permissions) throws PermissionManagementException;
* Adds a permission.
*
* @param permission - Permission to be added
* @return A boolean indicating the status of the operation.
* @throws PermissionManagementException If some unusual behaviour is observed while adding the permission.
*/
boolean addPermission(Permission permission) throws PermissionManagementException;
/** List<Permission> getPermission(String context) throws PermissionManagementException;
* Fetches a given permission.
*
* @param properties - Properties of the permission to be fetched.
* @return The matched Permission object.
* @throws PermissionManagementException If some unusual behaviour is observed while fetching the permission.
*/
Permission getPermission(Properties properties) throws PermissionManagementException;
} }
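Review bot: Both methods lost their Javadoc in this hunk, and the new signatures are less self-explanatory than the old ones: nothing states what `context` is (apparently the webapp context path, judging by the lifecycle-listener call elsewhere in this commit), what the boolean from `addPermission` means, or whether `getPermission` yields null or an empty list when nothing is registered for the context. Restore `@param`/`@return`/`@throws` blocks on both methods, and for `getPermission` spell out the null-versus-empty contract, since the visible implementation returns whatever the cache lookup yields.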

@ -42,6 +42,7 @@ public final class DeviceManagementConstants {
public static final String DM_CACHE_MANAGER = "DM_CACHE_MANAGER"; public static final String DM_CACHE_MANAGER = "DM_CACHE_MANAGER";
public static final String DEVICE_CACHE = "DEVICE_CACHE"; public static final String DEVICE_CACHE = "DEVICE_CACHE";
public static final String API_RESOURCE_PERMISSION_CACHE = "API_RESOURCE_CACHE_CACHE";
public static final String GEOFENCE_CACHE = "GEOFENCE_CACHE"; public static final String GEOFENCE_CACHE = "GEOFENCE_CACHE";
public static final String ENROLLMENT_NOTIFICATION_API_ENDPOINT = "/api/device-mgt/enrollment-notification"; public static final String ENROLLMENT_NOTIFICATION_API_ENDPOINT = "/api/device-mgt/enrollment-notification";
public static final String URL_SEPERATOR = "/"; public static final String URL_SEPERATOR = "/";
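Review bot: The value of `API_RESOURCE_PERMISSION_CACHE` is `"API_RESOURCE_CACHE_CACHE"`, which reads like a copy-paste slip from the neighbouring cache names and does not match the constant's own name. If nothing outside the code (cache configuration, monitoring) refers to that string yet, `public static final String API_RESOURCE_PERMISSION_CACHE = "API_RESOURCE_PERMISSION_CACHE";` keeps name and value aligned like the other constants in this block.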

@ -0,0 +1,64 @@
/*
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.core.cache;
import java.util.Objects;
public class APIResourcePermissionCacheKey {
private String context;
private volatile int hashCode;
public APIResourcePermissionCacheKey(String context) {
this.context = context;
}
public String getContext() {
return context;
}
public void setContext(String context) {
this.context = context;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) {
return false;
}
final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj;
String thisId = this.context;
String otherId = other.context;
if (!thisId.equals(otherId)) {
return false;
}
return true;
}
@Override
public int hashCode() {
if (hashCode == 0) {
hashCode = Objects.hash(context);
}
return hashCode;
}
}
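Review bot: The key is mutable but caches its hash: `setContext` can change `context` after `hashCode()` has been computed and stored, so an entry inserted under one hash stays findable only under the stale value, and `equals` dereferences `thisId` without a null check, so a key built with a null context throws NullPointerException instead of returning false. Since the class exists only to be a cache key, make `context` `final`, drop `setContext`, and write the comparison as `return Objects.equals(this.context, other.context);` (`Objects.hash(context)` already tolerates null). With the field immutable, the cached `hashCode` can stay as it is or be dropped, since hashing a single string is cheap.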

@ -0,0 +1,31 @@
/*
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.core.cache;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import java.util.List;
public interface APIResourcePermissionCacheManager {
void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey);
}
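Review bot: `getAPIResourceRermissionFromCache` carries a typo (`Rermission`) in a public interface method that the implementation and `PermissionManagerServiceImpl` in this commit already spell the same way; renaming it to `getAPIResourcePermissionFromCache` before it ships avoids carrying the misspelling into every future caller. The three methods also have no Javadoc, and two behaviours visible in the implementation are worth stating here: `add` delegates to `update` when the key already exists, and `get` returns null when the underlying cache is unavailable.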

@ -0,0 +1,84 @@
/*
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.core.cache.impl;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager;
import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
import javax.cache.Cache;
import java.util.List;
public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager {
private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class);
private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager;
private APIResourcePermissionCacheManagerImpl() {
}
public static APIResourcePermissionCacheManagerImpl getInstance() {
if (apiResourceCacgeManager == null) {
synchronized (APIResourcePermissionCacheManagerImpl.class) {
if (apiResourceCacgeManager == null) {
apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl();
}
}
}
return apiResourceCacgeManager;
}
@Override
public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
if (lCache != null) {
if (lCache.containsKey(cacheKey)) {
this.updateAPIResourcePermissionInCache(cacheKey, permissions);
} else {
lCache.put(cacheKey, permissions);
}
}
}
@Override
public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
if (lCache != null) {
if (lCache.containsKey(cacheKey)) {
lCache.replace(cacheKey, permissions);
}
}
}
@Override
public List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) {
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
if (lCache != null) {
return lCache.get(cacheKey);
}
return null;
}
}
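Review bot: `getInstance` uses double-checked locking on `apiResourceCacgeManager`, but the field is not `volatile`, so the idiom is not safe under the Java memory model; declare it `private static volatile APIResourcePermissionCacheManagerImpl apiResourceCacheManager;` (which also fixes the `Cacge` typo). Separately, each method silently does nothing when `DeviceManagerUtil.getAPIResourcePermissionCache()` returns null; for data that feeds authorization decisions that deserves at least a `log.warn("API resource permission cache is not available")`, and `log` is currently declared but never used. The list handed to `put` is stored as-is, so a caller that later mutates its list changes what the cache serves; storing a defensive copy would close that.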

@ -67,6 +67,7 @@ public class AnnotationProcessor {
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions"; private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions";
private static final String SWAGGER_ANNOTATIONS_PROPERTIES_ROLES = "roles";
private static final String ANNOTATIONS_SCOPES = "scopes"; private static final String ANNOTATIONS_SCOPES = "scopes";
private static final String ANNOTATIONS_SCOPE = "scope"; private static final String ANNOTATIONS_SCOPE = "scope";
private static final String DEFAULT_PERM_NAME = "default"; private static final String DEFAULT_PERM_NAME = "default";
@ -239,6 +240,7 @@ public class AnnotationProcessor {
subCtx = makeContextURLReady(resourceRootContext) + makeContextURLReady(subCtx); subCtx = makeContextURLReady(resourceRootContext) + makeContextURLReady(subCtx);
} }
permission.setUrl(replaceDynamicPathVariables(subCtx)); permission.setUrl(replaceDynamicPathVariables(subCtx));
permission.setUrlPattern(permission.getUrl().replace("*", "[a-zA-Z0-9-_]+"));
String httpMethod; String httpMethod;
for (int i = 0; i < annotations.length; i++) { for (int i = 0; i < annotations.length; i++) {
httpMethod = getHTTPMethodAnnotation(annotations[i]); httpMethod = getHTTPMethodAnnotation(annotations[i]);
@ -398,7 +400,7 @@ public class AnnotationProcessor {
if (scope != null) { if (scope != null) {
permission.setName(scope.getName()); permission.setName(scope.getName());
//TODO: currently permission tree supports only adding one permission per API point. //TODO: currently permission tree supports only adding one permission per API point.
permission.setPath(scope.getRoles().split(" ")[0]); permission.setPath(scope.getPermissions().split(" ")[0]);
} else { } else {
log.warn("No Scope mapping is done for scope key: " + scopeKey); log.warn("No Scope mapping is done for scope key: " + scopeKey);
permission.setName(DEFAULT_PERM_NAME); permission.setName(DEFAULT_PERM_NAME);
@ -420,8 +422,11 @@ public class AnnotationProcessor {
Scope scope; Scope scope;
String permissions[]; String permissions[];
StringBuilder aggregatedPermissions; StringBuilder aggregatedPermissions;
String roles[];
StringBuilder aggregatedRoles;
for(int i=0; i<annotatedScopes.length; i++){ for(int i=0; i<annotatedScopes.length; i++){
aggregatedPermissions = new StringBuilder(); aggregatedPermissions = new StringBuilder();
aggregatedRoles = new StringBuilder();
methodHandler = Proxy.getInvocationHandler(annotatedScopes[i]); methodHandler = Proxy.getInvocationHandler(annotatedScopes[i]);
scope = new Scope(); scope = new Scope();
scope.setName(invokeMethod(scopeClass scope.setName(invokeMethod(scopeClass
@ -437,7 +442,14 @@ public class AnnotationProcessor {
aggregatedPermissions.append(permission); aggregatedPermissions.append(permission);
aggregatedPermissions.append(" "); aggregatedPermissions.append(" ");
} }
scope.setRoles(aggregatedPermissions.toString()); scope.setPermissions(aggregatedPermissions.toString().trim());
roles = (String[])methodHandler.invoke(annotatedScopes[i], scopeClass
.getMethod(SWAGGER_ANNOTATIONS_PROPERTIES_ROLES, null),null);
for (String role : roles) {
aggregatedRoles.append(role);
aggregatedRoles.append(",");
}
scope.setRoles(aggregatedRoles.toString().substring(0, aggregatedRoles.lastIndexOf(",")));
scopes.put(scope.getKey(), scope); scopes.put(scope.getKey(), scope);
} }
return scopes; return scopes;
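Review bot: `scope.setRoles(aggregatedRoles.toString().substring(0, aggregatedRoles.lastIndexOf(",")))` throws StringIndexOutOfBoundsException when `roles` is empty, because `lastIndexOf` returns -1; `roles()` has no default in the `@Scope` annotation, so `roles = {}` is legal and would abort scanning of the whole webapp. `scope.setRoles(String.join(",", roles));` removes both the crash and the manual trailing-comma handling, and mirrors the `trim()` approach used for permissions just above. In the earlier hunk, `permission.setUrlPattern(permission.getUrl().replace("*", "[a-zA-Z0-9-_]+"))` turns a URL into a regex without escaping or anchoring it, so a `.` in the path matches any character and, depending on how the pattern is later applied (not visible here), an unanchored match could accept a longer path; quoting the literal segments with `Pattern.quote` and anchoring with `^...$` would make the intent explicit. The enclosing method continues outside the hunk.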

@ -21,6 +21,7 @@ public class Scope implements Serializable {
String key; String key;
String name; String name;
String roles; String roles;
String permissions;
String description; String description;
int id; int id;
@ -66,5 +67,13 @@ public class Scope implements Serializable {
public void setId(int id) { public void setId(int id) {
this.id = id; this.id = id;
} }
public String getPermissions() {
return permissions;
}
public void setPermissions(String permissions) {
this.permissions = permissions;
}
} }

@ -62,11 +62,8 @@ public class WebAppDeploymentLifecycleListener implements LifecycleListener {
scanStandardContext(io.swagger.annotations.SwaggerDefinition.class.getName()); scanStandardContext(io.swagger.annotations.SwaggerDefinition.class.getName());
List<Permission> permissions = annotationProcessor.extractPermissions(annotatedAPIClasses); List<Permission> permissions = annotationProcessor.extractPermissions(annotatedAPIClasses);
PermissionManagerService permissionManagerService = PermissionManagerServiceImpl.getInstance(); PermissionManagerService permissionManagerService = PermissionManagerServiceImpl.getInstance();
if (permissions != null) { permissionManagerService.addPermission(contextPath, permissions);
for (Permission permission : permissions) {
permissionManagerService.addPermission(permission);
}
}
} catch (PermissionManagementException e) { } catch (PermissionManagementException e) {
log.error("Exception occurred while adding the permissions from webapp : " log.error("Exception occurred while adding the permissions from webapp : "
+ servletContext.getContextPath(), e); + servletContext.getContextPath(), e);
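Review bot: The null guard that the removed lines had is gone while, as far as this hunk shows, `extractPermissions` may still return null; `permissionManagerService.addPermission(contextPath, permissions)` would then fail inside the `for` loop of the new implementation. Restore `if (permissions != null) { ... }` around the call, or have `extractPermissions` guarantee a non-null list. The boolean result of `addPermission` is also discarded, and because the new implementation in this commit converts a `PermissionManagementException` into `return false`, the `catch (PermissionManagementException e)` below no longer observes failures from this call; check the return value and log when it is false, otherwise a webapp can deploy with none of its permissions registered and nothing in the log.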

@ -22,11 +22,11 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.osgi.framework.BundleContext; import org.osgi.framework.BundleContext;
import org.osgi.service.component.ComponentContext; import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.device.mgt.common.event.config.EventConfigurationProviderService;
import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException;
import org.wso2.carbon.device.mgt.common.app.mgt.ApplicationManagementException; import org.wso2.carbon.device.mgt.common.app.mgt.ApplicationManagementException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfigurationManagementService; import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfigurationManagementService;
import org.wso2.carbon.device.mgt.common.event.config.EventConfigurationProviderService;
import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException;
import org.wso2.carbon.device.mgt.common.geo.service.GeoLocationProviderService; import org.wso2.carbon.device.mgt.common.geo.service.GeoLocationProviderService;
import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService; import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService;
@ -48,6 +48,7 @@ import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig; import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig;
import org.wso2.carbon.device.mgt.core.config.datasource.DataSourceConfig; import org.wso2.carbon.device.mgt.core.config.datasource.DataSourceConfig;
import org.wso2.carbon.device.mgt.core.config.tenant.PlatformConfigurationManagementServiceImpl; import org.wso2.carbon.device.mgt.core.config.tenant.PlatformConfigurationManagementServiceImpl;
import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager;
import org.wso2.carbon.device.mgt.core.dao.DeviceManagementDAOFactory; import org.wso2.carbon.device.mgt.core.dao.DeviceManagementDAOFactory;
import org.wso2.carbon.device.mgt.core.dao.GroupManagementDAOFactory; import org.wso2.carbon.device.mgt.core.dao.GroupManagementDAOFactory;
import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager; import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager;
@ -75,7 +76,6 @@ import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderServiceIm
import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService; import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService;
import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderServiceImpl; import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderServiceImpl;
import org.wso2.carbon.device.mgt.core.task.DeviceTaskManagerService; import org.wso2.carbon.device.mgt.core.task.DeviceTaskManagerService;
import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager;
import org.wso2.carbon.device.mgt.core.util.DeviceManagementSchemaInitializer; import org.wso2.carbon.device.mgt.core.util.DeviceManagementSchemaInitializer;
import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil; import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
import org.wso2.carbon.device.mgt.core.util.DeviceMgtTenantMgtListener; import org.wso2.carbon.device.mgt.core.util.DeviceMgtTenantMgtListener;

@ -18,13 +18,16 @@
package org.wso2.carbon.device.mgt.core.permission.mgt; package org.wso2.carbon.device.mgt.core.permission.mgt;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
import org.wso2.carbon.device.mgt.core.cache.impl.APIResourcePermissionCacheManagerImpl;
import java.util.HashSet; import java.util.List;
import java.util.Properties; import java.util.Properties;
import java.util.Set;
/** /**
* This class will add, update custom permissions defined in permission.xml in webapps and it will * This class will add, update custom permissions defined in permission.xml in webapps and it will
@ -32,10 +35,7 @@ import java.util.Set;
*/ */
public class PermissionManagerServiceImpl implements PermissionManagerService { public class PermissionManagerServiceImpl implements PermissionManagerService {
public static final String URL_PROPERTY = "URL";
public static final String HTTP_METHOD_PROPERTY = "HTTP_METHOD";
private static PermissionManagerServiceImpl registryBasedPermissionManager; private static PermissionManagerServiceImpl registryBasedPermissionManager;
private static PermissionTree permissionTree; // holds the permissions at runtime.
private PermissionManagerServiceImpl() { private PermissionManagerServiceImpl() {
} }
@ -45,7 +45,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
synchronized (PermissionManagerServiceImpl.class) { synchronized (PermissionManagerServiceImpl.class) {
if (registryBasedPermissionManager == null) { if (registryBasedPermissionManager == null) {
registryBasedPermissionManager = new PermissionManagerServiceImpl(); registryBasedPermissionManager = new PermissionManagerServiceImpl();
permissionTree = new PermissionTree();
} }
} }
} }
@ -53,21 +52,22 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
} }
@Override @Override
public boolean addPermission(Permission permission) throws PermissionManagementException { public boolean addPermission(String context, List<Permission> permissions) throws PermissionManagementException {
// adding a permission to the tree try {
permission.setPath(permission.getPath()); for (Permission permission : permissions) {
permissionTree.addPermission(permission); PermissionUtils.putPermission(permission);
return PermissionUtils.putPermission(permission); }
APIResourcePermissionCacheManagerImpl.getInstance().addAPIResourcePermissionToCache(
new APIResourcePermissionCacheKey(context), permissions);
} catch (PermissionManagementException e) {
return false;
}
return true;
} }
@Override @Override
public Permission getPermission(Properties properties) throws PermissionManagementException { public List<Permission> getPermission(String context) throws PermissionManagementException {
String url = (String) properties.get(URL_PROPERTY); return APIResourcePermissionCacheManagerImpl.getInstance().getAPIResourceRermissionFromCache(
String httpMethod = (String) properties.get(HTTP_METHOD_PROPERTY); new APIResourcePermissionCacheKey(context));
if (url == null || url.isEmpty() || httpMethod == null || httpMethod.isEmpty()) {
throw new PermissionManagementException("Resource URI/HTTP method is empty");
}
return permissionTree.getPermission(url, httpMethod);
} }
} }
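Review bot: `addPermission` catches `PermissionManagementException` and returns false, discarding the cause, even though the method is declared to throw that exception and its visible caller ignores the return value; a failed `PermissionUtils.putPermission` is therefore neither logged nor propagated. Either drop the try/catch and let it propagate, or log it with `log.error("Failed to register permissions for context " + context, e);` before returning — `Log`/`LogFactory` are newly imported, but no `log` field is visible in these hunks. A failure partway through the loop also leaves the earlier permissions registered but nothing cached for the context, so `getPermission(context)` returns null afterwards; that null-for-unknown-context behaviour should be documented on the method. `java.util.Properties` looks unused after this change.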

@ -73,8 +73,10 @@ import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException; import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementException; import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementException;
import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManagementException; import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition; import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition;
import org.wso2.carbon.device.mgt.core.DeviceManagementConstants; import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey; import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey;
import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey; import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey;
import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager; import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
@ -136,6 +138,7 @@ public final class DeviceManagerUtil {
public static final String GENERAL_CONFIG_RESOURCE_PATH = "general"; public static final String GENERAL_CONFIG_RESOURCE_PATH = "general";
private static boolean isDeviceCacheInitialized = false; private static boolean isDeviceCacheInitialized = false;
private static boolean isAPIResourcePermissionCacheInitialized = false;
private static boolean isGeoFenceCacheInitialized = false; private static boolean isGeoFenceCacheInitialized = false;
public static Document convertToDocument(File file) throws DeviceManagementException { public static Document convertToDocument(File file) throws DeviceManagementException {
@ -663,6 +666,44 @@ public final class DeviceManagerUtil {
} }
} }
public static void initializeAPIResourcePermissionCache() {
// DeviceManagementConfig config = DeviceConfigurationManager.getInstance().getDeviceManagementConfig();
// int deviceCacheExpiry = config.getDeviceCacheConfiguration().getExpiryTime();
// long deviceCacheCapacity = config.getDeviceCacheConfiguration().getCapacity();
CacheManager manager = getCacheManager();
// if (config.getDeviceCacheConfiguration().isEnabled()) {
if(!isDeviceCacheInitialized) {
isDeviceCacheInitialized = true;
if (manager != null) {
// if (deviceCacheExpiry > 0) {
// manager.<DeviceCacheKey, Device>createCacheBuilder(DeviceManagementConstants.DEVICE_CACHE).
// setExpiry(CacheConfiguration.ExpiryType.MODIFIED, new CacheConfiguration.Duration(TimeUnit.SECONDS,
// deviceCacheExpiry)).setExpiry(CacheConfiguration.ExpiryType.ACCESSED, new CacheConfiguration.
// Duration(TimeUnit.SECONDS, deviceCacheExpiry)).setStoreByValue(true).build();
// if(deviceCacheCapacity > 0 ) {
// ((CacheImpl) manager.<DeviceCacheKey, Device>getCache(DeviceManagementConstants.DEVICE_CACHE)).
// setCapacity(deviceCacheCapacity);
// }
// } else {
manager.<DeviceCacheKey, Device>getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
// }
} else {
// if (deviceCacheExpiry > 0) {
// Caching.getCacheManager().
// <DeviceCacheKey, Device>createCacheBuilder(DeviceManagementConstants.DEVICE_CACHE).
// setExpiry(CacheConfiguration.ExpiryType.MODIFIED, new CacheConfiguration.Duration(TimeUnit.SECONDS,
// deviceCacheExpiry)).setExpiry(CacheConfiguration.ExpiryType.ACCESSED, new CacheConfiguration.
// Duration(TimeUnit.SECONDS, deviceCacheExpiry)).setStoreByValue(true).build();
// ((CacheImpl)(manager.<DeviceCacheKey, Device>getCache(DeviceManagementConstants.DEVICE_CACHE))).
// setCapacity(deviceCacheCapacity);
// } else {
Caching.getCacheManager().<DeviceCacheKey, Device>getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
// }
}
}
// }
}
/** /**
* Enable Geofence caching according to the configurations proviced by cdm-config.xml * Enable Geofence caching according to the configurations proviced by cdm-config.xml
*/ */
@ -722,6 +763,24 @@ public final class DeviceManagerUtil {
return deviceCache; return deviceCache;
} }
public static Cache<APIResourcePermissionCacheKey, List<Permission>> getAPIResourcePermissionCache() {
// DeviceManagementConfig config = DeviceConfigurationManager.getInstance().getDeviceManagementConfig();
CacheManager manager = getCacheManager();
Cache<APIResourcePermissionCacheKey, List<Permission>> apiResourcePermissionCache = null;
// if (config.getDeviceCacheConfiguration().isEnabled()) {
if(!isAPIResourcePermissionCacheInitialized) {
initializeAPIResourcePermissionCache();
}
if (manager != null) {
apiResourcePermissionCache = manager.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
} else {
apiResourcePermissionCache = Caching.getCacheManager(DeviceManagementConstants.DM_CACHE_MANAGER)
.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
}
// }
return apiResourcePermissionCache;
}
/** /**
* Get geofence cache object * Get geofence cache object
* @return {@link Cache<GeoCacheKey, GeofenceData>} * @return {@link Cache<GeoCacheKey, GeofenceData>}
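Review bot: `initializeAPIResourcePermissionCache()` tests and sets `isDeviceCacheInitialized` instead of the `isAPIResourcePermissionCacheInitialized` flag this commit declares, so when the device cache has already been initialized the permission cache is silently never created, and when it has not, the device cache is marked initialized without being set up; because the new flag is never set, `getAPIResourcePermissionCache()` also re-enters the initializer on every call. Change the two lines to `if (!isAPIResourcePermissionCacheInitialized) {` and `isAPIResourcePermissionCacheInitialized = true;`. The `getCache` calls are typed `<DeviceCacheKey, Device>` while `getAPIResourcePermissionCache()` returns `Cache<APIResourcePermissionCacheKey, List<Permission>>`; the type arguments should match the key/value actually stored. The commented-out expiry/capacity configuration should either be restored with its own config section or deleted, since as written the cache appears to be created with provider defaults and no explicit expiry, and permission-to-resource mappings that never expire deserve a deliberate decision.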

@ -232,18 +232,18 @@ public class JWTClientUtil {
} }
List<String> aud = jwtConfig.getAudiences(); List<String> aud = jwtConfig.getAudiences();
//set up the basic claims //set up the basic claims
JWTClaimsSet claimsSet = new JWTClaimsSet(); JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder();
claimsSet.setIssueTime(new Date(iat)); claimsSet.issueTime(new Date(iat));
claimsSet.setExpirationTime(new Date(exp)); claimsSet.expirationTime(new Date(exp));
claimsSet.setIssuer(iss); claimsSet.issuer(iss);
claimsSet.setSubject(username); claimsSet.subject(username);
claimsSet.setNotBeforeTime(new Date(nbf)); claimsSet.notBeforeTime(new Date(nbf));
claimsSet.setJWTID(jti); claimsSet.jwtID(jti);
claimsSet.setAudience(aud); claimsSet.audience(aud);
claimsSet.setClaim(SIGNED_JWT_AUTH_USERNAME, username); claimsSet.claim(SIGNED_JWT_AUTH_USERNAME, username);
if (customClaims != null && !customClaims.isEmpty()) { if (customClaims != null && !customClaims.isEmpty()) {
for (String key : customClaims.keySet()) { for (String key : customClaims.keySet()) {
claimsSet.setClaim(key, customClaims.get(key)); claimsSet.claim(key, customClaims.get(key));
} }
} }
@ -280,7 +280,7 @@ public class JWTClientUtil {
} }
} }
JWSSigner signer = new RSASSASigner(rsaPrivateKey); JWSSigner signer = new RSASSASigner(rsaPrivateKey);
SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet); SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet.build());
signedJWT.sign(signer); signedJWT.sign(signer);
String assertion = signedJWT.serialize(); String assertion = signedJWT.serialize();
return assertion; return assertion;

@ -64,6 +64,7 @@ import javax.ws.rs.core.Response;
name = "View configurations", name = "View configurations",
description = "", description = "",
key = "perm:sms-handler:view-configuration", key = "perm:sms-handler:view-configuration",
roles = {"Internal/everyone"},
permissions = {"/sms-handler/platform-configurations/view"} permissions = {"/sms-handler/platform-configurations/view"}
) )
}) })
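Review bot: Binding the `perm:sms-handler:view-configuration` scope to `Internal/everyone` makes every authenticated user in the tenant eligible for the scope guarding `/sms-handler/platform-configurations/view`; if that configuration carries gateway endpoints or credentials, as platform configurations typically do, this looks broader than intended and a narrower administrative role should be used. The enclosing `@Scope` annotation starts outside the hunk, so I cannot see whether sibling scopes in this file follow the same pattern; please confirm the role choice is deliberate.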

@ -55,22 +55,22 @@
org.wso2.carbon.webapp.authenticator.framework.* org.wso2.carbon.webapp.authenticator.framework.*
</Export-Package> </Export-Package>
<Import-Package> <Import-Package>
com.nimbusds.jose, com.nimbusds.jose;version="${nimbus.orbit.version.range}",
com.nimbusds.jose.crypto, com.nimbusds.jose.crypto;version="${nimbus.orbit.version.range}",
com.nimbusds.jwt, com.nimbusds.jwt;version="${nimbus.orbit.version.range}",
javax.xml.bind, javax.xml.bind,
javax.xml.bind.annotation, javax.xml.bind.annotation,
javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional, javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional,
javax.xml.validation, javax.xml.validation,
<!--org.apache.catalina,--> org.apache.catalina;version="9.0",
<!--org.apache.catalina.connector,--> org.apache.catalina.connector;version="9.0",
<!--org.apache.catalina.util,--> org.apache.catalina.util;version="9.0",
org.apache.commons.logging, org.apache.commons.logging,
<!--org.apache.coyote,--> org.apache.coyote;version="9.0",
<!--org.apache.tomcat.util.buf,--> org.apache.tomcat.util.buf;version="9.0",
<!--org.apache.tomcat.util.http,--> org.apache.tomcat.util.http;version="9.0",
org.osgi.service.component, org.osgi.framework.*;version="${imp.package.version.osgi.framework}",
org.osgi.framework, org.osgi.service.*;version="${imp.package.version.osgi.service}",
org.w3c.dom, org.w3c.dom,
org.wso2.carbon.context, org.wso2.carbon.context,
org.wso2.carbon.core.util, org.wso2.carbon.core.util,
@ -85,15 +85,15 @@
org.wso2.carbon.utils, org.wso2.carbon.utils,
org.wso2.carbon.utils.multitenancy, org.wso2.carbon.utils.multitenancy,
org.xml.sax, org.xml.sax,
com.google.gson.*, <!--com.google.gson.*,-->
javax.servlet, javax.servlet,
javax.servlet.http, javax.servlet.http,
javax.xml, javax.xml,
org.apache.axis2.transport.http, org.apache.axis2.transport.http,
org.wso2.carbon.certificate.mgt.core.*, org.wso2.carbon.certificate.mgt.core.*,
org.wso2.carbon.device.mgt.core.permission.mgt, org.wso2.carbon.device.mgt.core.permission.mgt.*,
org.wso2.carbon.device.mgt.common.*, org.wso2.carbon.device.mgt.common.*,
org.wso2.carbon.device.mgt.common.permission.mgt, org.wso2.carbon.device.mgt.common.permission.mgt.*,
org.apache.axis2, org.apache.axis2,
org.apache.axis2.client, org.apache.axis2.client,
org.apache.commons.codec.binary;version="${commons-codec.wso2.osgi.version.range}", org.apache.commons.codec.binary;version="${commons-codec.wso2.osgi.version.range}",
@ -114,6 +114,9 @@
org.wso2.carbon.base, org.wso2.carbon.base,
org.owasp.encoder org.owasp.encoder
</Import-Package> </Import-Package>
<!--<Embed-Dependency>-->
<!--tomcat-coyote,-->
<!--</Embed-Dependency>-->
</instructions> </instructions>
</configuration> </configuration>
</plugin> </plugin>
@ -194,6 +197,22 @@
<dependency> <dependency>
<groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId> <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
<artifactId>org.wso2.carbon.identity.oauth</artifactId> <artifactId>org.wso2.carbon.identity.oauth</artifactId>
<exclusions>
<exclusion>
<!--<dependency>-->
<groupId>org.wso2.orbit.com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<!--</dependency>-->
</exclusion>
<exclusion>
<!--<dependency>-->
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<!--<version>9.10</version>-->
<!--</dependency>-->
</exclusion>
</exclusions>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon</groupId> <groupId>org.wso2.carbon</groupId>
@ -202,6 +221,7 @@
<dependency> <dependency>
<groupId>org.wso2.orbit.com.nimbusds</groupId> <groupId>org.wso2.orbit.com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId> <artifactId>nimbus-jose-jwt</artifactId>
<scope>compile</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon.devicemgt</groupId> <groupId>org.wso2.carbon.devicemgt</groupId>
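Review bot: The new `<exclusion>` elements and the `<Embed-Dependency>` block carry commented-out XML (`<!--<dependency>-->`, `<!--<version>9.10</version>-->`, `<!--tomcat-coyote,-->`) that documents nothing and should be removed before merge. The Tomcat imports use `version="9.0"`, which in OSGi is an open lower bound (9.0 and anything above) rather than a range, unlike the other imports in this block that use bounded `${...version.range}` properties; consider `[9.0,10)` or a dedicated property so a future Tomcat major cannot wire in silently. The `gson` import is commented out rather than deleted; if the valve no longer uses Gson (the import was removed there), drop the line.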

@ -73,7 +73,7 @@ public class AuthenticationFrameworkUtil {
} }
} }
static boolean isUserAuthorized(int tenantId, String tenantDomain, String username, String public static boolean isUserAuthorized(int tenantId, String tenantDomain, String username, String
permission) throws permission) throws
AuthenticationException { AuthenticationException {
boolean tenantFlowStarted = false; boolean tenantFlowStarted = false;

@ -18,11 +18,9 @@
*/ */
package org.wso2.carbon.webapp.authenticator.framework; package org.wso2.carbon.webapp.authenticator.framework;
import com.google.gson.Gson;
import org.apache.catalina.Context; import org.apache.catalina.Context;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode; import org.owasp.encoder.Encode;
@ -33,6 +31,7 @@ import org.wso2.carbon.user.api.Tenant;
import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator; import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
import org.wso2.carbon.webapp.authenticator.framework.authorizer.PermissionAuthorizer;
import org.wso2.carbon.webapp.authenticator.framework.authorizer.WebappTenantAuthorizer; import org.wso2.carbon.webapp.authenticator.framework.authorizer.WebappTenantAuthorizer;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
@ -48,9 +47,6 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class); private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class);
private static final TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>(); private static final TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>();
private static final String PERMISSION_PREFIX = "/permission/admin";
public static final String AUTHORIZE_PERMISSION = "Authorize-Permission";
private static InetAddress inetAddress = null; private static InetAddress inetAddress = null;
@Override @Override
@ -81,8 +77,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
} }
} }
if ((this.isContextSkipped(request) || this.skipAuthentication(request)) if ((this.isContextSkipped(request) || this.skipAuthentication(request))) {
&& (StringUtils.isEmpty(request.getHeader(AUTHORIZE_PERMISSION)))) {
this.getNext().invoke(request, response, compositeValve); this.getNext().invoke(request, response, compositeValve);
return; return;
} }
@ -103,29 +98,12 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
// This section will allow to validate a given access token is authenticated to access given // This section will allow to validate a given access token is authenticated to access given
// resource(permission) // resource(permission)
if (request.getCoyoteRequest() != null if (request.getCoyoteRequest() != null
&& StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION))
&& (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
boolean isAllowed; boolean isAllowed;
try { WebappAuthenticator.Status authorizeStatus = PermissionAuthorizer.authorize(request, authenticationInfo);
isAllowed = AuthenticationFrameworkUtil.isUserAuthorized( isAllowed = WebappAuthenticator.Status.SUCCESS == authorizeStatus;
authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(), if (!isAllowed) {
authenticationInfo.getUsername(),
PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION));
} catch (AuthenticationException e) {
String msg = "Could not authorize permission";
log.error(msg);
AuthenticationFrameworkUtil.handleResponse(request, response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
return;
}
if (isAllowed) {
Gson gson = new Gson();
AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK,
gson.toJson(authenticationInfo));
return;
} else {
log.error("Unauthorized message from user " + authenticationInfo.getUsername()); log.error("Unauthorized message from user " + authenticationInfo.getUsername());
AuthenticationFrameworkUtil.handleResponse(request, response, AuthenticationFrameworkUtil.handleResponse(request, response,
HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API"); HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API");
@ -133,7 +111,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
} }
} }
Tenant tenant = null; Tenant tenant = null;
if (authenticationInfo.getTenantId() != -1) { if (authenticationInfo.getTenantId() != -1) {
try { try {
PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.startTenantFlow();
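Review bot: With the `Authorize-Permission` header gate removed, `PermissionAuthorizer.authorize` now runs for every request whose authenticator status is `CONTINUE` or `SUCCESS`, and in the `CONTINUE` case, as far as I can tell from here, `authenticationInfo` may not yet carry a username or tenant, so `isUserAuthorized` would be invoked with a null user and the request answered with 403 instead of being handed on. Unless `CONTINUE` is meant to be authorized, restrict the branch to `authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS`. Note also that `PermissionAuthorizer` returns `FAILURE` for internal errors (registry or user-store exceptions) as well as for a genuine deny, so the old 500-vs-403 distinction is lost; if operators rely on it, surface the error case separately. `invoke` continues outside the hunk.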

@ -0,0 +1,30 @@
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
/**
* Created by amalka on 6/26/21.
*/
public class MatchingResource {
private String urlPattern;
private String permission;
public MatchingResource(String urlPattern, String permission) {
this.urlPattern = urlPattern;
this.permission = permission;
}
public String getUrlPattern() {
return urlPattern;
}
public void setUrlPattern(String urlPattern) {
this.urlPattern = urlPattern;
}
public String getPermission() {
return permission;
}
public void setPermission(String permission) {
this.permission = permission;
}
}
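Review bot: This new file has an IDE-generated `Created by amalka on 6/26/21.` header instead of the Apache license header the sibling `PermissionAuthorizer` carries, and it is a mutable holder with setters that nothing in the authorizer calls. A `final` class with `private final` fields and no setters (or a short Javadoc such as `Pairs a templated URL pattern, with the webapp context removed, to the permission path required to access it.`) would make it clear the matched resource is read-only once built.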

@ -0,0 +1,143 @@
/*
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
import org.apache.catalina.connector.Request;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
public class PermissionAuthorizer {
private static final Log log = LogFactory.getLog(PermissionAuthorizer.class);
public static WebappAuthenticator.Status authorize(Request request, AuthenticationInfo authenticationInfo) {
String requestUri = request.getRequestURI();
String requestMethod = request.getMethod();
String context = request.getContextPath();
if (requestUri == null || requestUri.isEmpty() || requestMethod == null || requestMethod.isEmpty()) {
return WebappAuthenticator.Status.CONTINUE;
}
PermissionManagerService registryBasedPermissionManager =
PermissionManagerServiceImpl.getInstance();
List<Permission> matchingPermissions = null;
try {
matchingPermissions = registryBasedPermissionManager.getPermission(context);
} catch (PermissionManagementException e) {
log.error(
"Error occurred while fetching the permission for URI : " + requestUri +
", msg = " + e.getMessage());
}
if (matchingPermissions == null) {
if (log.isDebugEnabled()) {
log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
}
return WebappAuthenticator.Status.FAILURE;
}
String requiredPermission = null;
List<MatchingResource> matchingResources = new ArrayList<>();
for (Permission permission : matchingPermissions) {
if (requestMethod.equals(permission.getMethod()) && requestUri.matches(permission.getUrlPattern())) {
if (requestUri.equals(permission.getUrl())) { // is there a exact match
requiredPermission = permission.getPath();
break;
} else { // all templated urls add to a list
matchingResources.add(new MatchingResource(permission.getUrlPattern().replace(context, ""), permission.getPath()));
}
}
}
if (requiredPermission == null) {
if (matchingResources.size() == 1) { // only 1 templated url found
requiredPermission = matchingResources.get(0).getPermission();
}
if (matchingResources.size() > 1) { // more than 1 templated urls found
String urlWithoutContext = requestUri.replace(context, "");
StringTokenizer st = new StringTokenizer(urlWithoutContext, "/");
int tokenPosition = 1;
while (st.hasMoreTokens()) {
List<MatchingResource> tempList = new ArrayList<>();
String currentToken = st.nextToken();
for (MatchingResource matchingResource : matchingResources) {
StringTokenizer stmr = new StringTokenizer(matchingResource.getUrlPattern(), "/");
int internalTokenPosition = 1;
while (stmr.hasMoreTokens()) {
String internalToken = stmr.nextToken();
if ((tokenPosition == internalTokenPosition) && currentToken.equals(internalToken)) {
tempList.add(matchingResource);
}
internalTokenPosition++;
if (tokenPosition < internalTokenPosition) {
break;
}
}
}
if (tempList.size() == 1) {
requiredPermission = tempList.get(0).getPermission();
break;
}
tokenPosition++;
}
}
}
if (requiredPermission == null) {
if (log.isDebugEnabled()) {
log.debug("Matching permission not found for " + requestUri);
}
return WebappAuthenticator.Status.FAILURE;
}
boolean isUserAuthorized;
try {
isUserAuthorized = AuthenticationFrameworkUtil.isUserAuthorized(
authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
authenticationInfo.getUsername(), requiredPermission);
} catch (AuthenticationException e) {
log.error("Error occurred while retrieving user store. " + e.getMessage());
return WebappAuthenticator.Status.FAILURE;
}
if (isUserAuthorized) {
return WebappAuthenticator.Status.SUCCESS;
} else {
return WebappAuthenticator.Status.FAILURE;
}
}
}
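Review bot: `permission.getUrlPattern().replace(context, "")` and `requestUri.replace(context, "")` use `String.replace`, which removes every occurrence of the context string rather than the leading one, so a URI or template whose path repeats the context name (context `/api`, path `/api/v1/api/...`) is compared in a mangled form and the wrong template, or none, may be chosen. Strip the prefix positionally instead: `String urlWithoutContext = requestUri.startsWith(context) ? requestUri.substring(context.length()) : requestUri;` and the same for the pattern. Separately, `request.getRequestURI()` is the raw, undecoded request-URI, so a percent-encoded segment or a `;`-path-parameter is matched here as-is while the container dispatches on the decoded, normalized path; matching on `request.getDecodedRequestURI()` (or `getServletPath() + getPathInfo()`) and rejecting paths containing `..` or `;` up front keeps the authorizer and the dispatcher agreeing on which resource is accessed. The lookup does fail closed when nothing matches, which is right, but both `log.error` calls drop the exception and should pass `e` as the cause.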

@ -2175,8 +2175,8 @@
<eclipse.paho.version>1.0.2</eclipse.paho.version> <eclipse.paho.version>1.0.2</eclipse.paho.version>
<!-- Nimbus Jose--> <!-- Nimbus Jose-->
<nimbus.orbit.version>2.26.1.wso2v3</nimbus.orbit.version> <nimbus.orbit.version>7.3.0.wso2v1</nimbus.orbit.version>
<nimbus.orbit.version.range>[2.26.1, 3.0.0)</nimbus.orbit.version.range> <nimbus.orbit.version.range>[7.3, 8)</nimbus.orbit.version.range>
<!--javax ws rs version--> <!--javax ws rs version-->
<javax.ws.rs.version>2.0.1</javax.ws.rs.version> <javax.ws.rs.version>2.0.1</javax.ws.rs.version>
