added api application registration filter

8 years ago · ba47af3186
parent c0240c5cbc
commit ba47af3186
9 changed files with 259 additions and 6 deletions
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml
@ -157,6 +157,16 @@
            <artifactId>org.wso2.carbon.apimgt.application.extension</artifactId>
            <scope>provided</scope>
        </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon</groupId>
+            <artifactId>org.wso2.carbon.user.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon</groupId>
+            <artifactId>org.wso2.carbon.user.api</artifactId>
+            <scope>provided</scope>
+        </dependency>
    </dependencies>

    <build>
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java
@ -59,6 +59,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
            }
            String username = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm()
                    .getRealmConfiguration().getAdminUserName();
+            username = username + "@" + APIUtil.getTenantDomainOftheUser();
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
            APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
            ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys(
@ -81,7 +82,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
    @POST
    public Response register(RegistrationProfile registrationProfile) {
        try {
-            String username = APIUtil.getAuthenticatedUser();
+            String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser();
            APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
            if (registrationProfile.isMappingAnExistingOAuthApp()) {
                JSONObject jsonStringObject = new JSONObject();
@ -116,7 +117,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
    @DELETE
    public Response unregister(@QueryParam("applicationName") String applicationName) {
        try {
-            String username = APIUtil.getAuthenticatedUser();
+            String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser();
            APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
            apiManagementProviderService.removeAPIApplication(applicationName, username);
            return Response.status(Response.Status.ACCEPTED).build();
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java
@ -0,0 +1,118 @@
+package org.wso2.carbon.apimgt.application.extension.api.filter;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.apimgt.application.extension.api.util.APIUtil;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.user.api.UserRealm;
+import org.wso2.carbon.user.api.UserStoreException;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.List;
+
+/**
+ * this filter check for permission for the request
+ */
+public class ApiPermissionFilter implements Filter{
+    private static final Log log = LogFactory.getLog(ApiPermissionFilter.class);
+    private static final String UI_EXECUTE = "ui.execute";
+    private static final String PERMISSION_CONFIG_PATH = File.separator + "META-INF" + File.separator
+            + "permissions.xml";
+    private static final String PERMISSION_PREFIX = "/permission/admin";
+    private static List<Permission> permissions;
+    private static final String WEBAPP_CONTEXT = "/api-application-registration";
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        InputStream permissionStream = filterConfig.getServletContext().getResourceAsStream(PERMISSION_CONFIG_PATH);
+        if (permissionStream != null) {
+            try {
+                JAXBContext cdmContext = JAXBContext.newInstance(PermissionConfiguration.class);
+                Unmarshaller unmarshaller = cdmContext.createUnmarshaller();
+                PermissionConfiguration permissionConfiguration = (PermissionConfiguration)
+                        unmarshaller.unmarshal(permissionStream);
+                permissions = permissionConfiguration.getPermissions();
+            } catch (JAXBException e) {
+                log.error("invalid permissions.xml", e);
+            }
+
+        }
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
+            throws IOException, ServletException {
+        if (servletRequest instanceof HttpServletRequest) {
+            String uri = ((HttpServletRequest)servletRequest).getRequestURI();
+            boolean status = false;
+            if (uri.contains("register/tenants")) {
+                String urlPermission = getPermission("/register/tenants/*");
+                if (urlPermission != null) {
+                    status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
+                }
+            } else {
+                String urlPermission = getPermission(uri);
+                if (urlPermission != null) {
+                    status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
+                }
+            }
+            if (status) {
+                filterChain.doFilter(servletRequest, servletResponse);
+            } else {
+                HttpServletResponse res = (HttpServletResponse) servletResponse;
+                res.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                return;
+            }
+        } else {
+            HttpServletResponse res = (HttpServletResponse) servletResponse;
+            res.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        }
+    }
+
+    @Override
+    public void destroy() {
+        //do nothing
+    }
+
+    private static String getPermission(String url) {
+        if (permissions != null) {
+            for (int i = 0; i < permissions.size(); i++) {
+                Permission permission = permissions.get(i);
+                if ((WEBAPP_CONTEXT + permission.getUrl()).equals(url)) {
+                    return permission.getPath();
+                }
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Check whether the client is authorized with the given permission and action.
+     * @param permission           Carbon permission that requires for the use
+     * @param action               Carbon permission action that requires for the given permission.
+     * @return boolean - true if user is authorized else return false.
+     */
+    private boolean isUserAuthorized(String permission, String action) {
+        PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext();
+        String username = context.getUsername();
+        try {
+            UserRealm userRealm = APIUtil.getRealmService().getTenantUserRealm(PrivilegedCarbonContext
+                                .getThreadLocalCarbonContext().getTenantId());
+            return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action);
+        } catch (UserStoreException e) {
+            String errorMsg = String.format("Unable to authorize the user : %s", username, e);
+            log.error(errorMsg, e);
+            return false;
+        }
+    }
+
+}
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java
@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * you may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.application.extension.api.filter;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * This class represents the information related to permission.
+ */
+@XmlRootElement (name = "Permission")
+public class Permission {
+
+    private String path; // permission string
+    private String url; // url of the resource
+    private String method; // http method
+
+    public String getPath() {
+        return path;
+    }
+
+    @XmlElement (name = "path", required = true)
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    @XmlElement (name = "url", required = true)
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    public String getMethod() {
+        return method;
+    }
+
+    @XmlElement (name = "method", required = true)
+    public void setMethod(String method) {
+        this.method = method;
+    }
+}
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java
@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * you may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.application.extension.api.filter;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.util.List;
+
+/**
+ * This class represents the information related to permission configuration.
+ */
+@XmlRootElement (name = "PermissionConfiguration")
+public class PermissionConfiguration {
+
+    private List<Permission> permissions;
+
+    public List<Permission> getPermissions() {
+        return permissions;
+    }
+
+    @XmlElement (name = "Permission", required = true)
+    public void setPermissions(List<Permission> permissions) {
+        this.permissions = permissions;
+    }
+}
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java
@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.apimgt.application.extension.APIManagementProviderService;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.user.core.service.RealmService;

 /**
 * This class provides utility functions used by REST-API.
@ -57,4 +58,16 @@ public class APIUtil {
        }
        return apiManagementProviderService;
    }
+
+    public static RealmService getRealmService() {
+        PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
+        RealmService realmService =
+                (RealmService) ctx.getOSGiService(RealmService.class, null);
+        if (realmService == null) {
+            String msg = "Device Management service has not initialized.";
+            log.error(msg);
+            throw new IllegalStateException(msg);
+        }
+        return realmService;
+    }
 }
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml
@ -30,21 +30,21 @@
    <!-- Device related APIs -->
    <Permission>
        <name>Register tenant specific application</name>
-        <path>/device-mgt</path>
+        <path>/device-mgt/admin</path>
        <url>/register/tenants/*</url>
        <method>POST</method>
        <scope>super_admin_user</scope>
    </Permission>
    <Permission>
        <name>Register application</name>
-        <path>/device-mgt/api/application/add</path>
+        <path>/device-mgt/user/api/application</path>
        <url>/register</url>
        <method>POST</method>
        <scope>application_user</scope>
    </Permission>
    <Permission>
        <name>Delete application</name>
-        <path>/device-mgt/api/application/remove</path>
+        <path>/device-mgt/user/api/application</path>
        <url>/unregister</url>
        <method>DELETE</method>
        <scope>application_user</scope>
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml
@ -49,4 +49,14 @@
        <param-name>managed-api-enabled</param-name>
        <param-value>false</param-value>
    </context-param>
+
+    <filter>
+        <filter-name>ApiPermissionFilter</filter-name>
+        <filter-class>org.wso2.carbon.apimgt.application.extension.api.filter.ApiPermissionFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>ApiPermissionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
 </web-app>
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
@ -29,6 +29,6 @@ var utility = require("/app/modules/utility.js")["utility"];

 var permissions = {
    '/permission/admin/device-mgt/user': ['ui.execute'],
-    '/permission/admin/device-mgt/api/application': ['ui.execute']
+    '/permission/admin/manage/api/subscribe': ['ui.execute']
 };
 userModule.addRole("internal/devicemgt-user", ["admin"], permissions);