From d8999cd3a6a23c82bc08b2dea3b71019a1cc02c9 Mon Sep 17 00:00:00 2001 From: Pahansith Date: Tue, 24 Aug 2021 13:06:37 +0530 Subject: [PATCH 1/2] Fix error while adding app install to a device group --- .../carbon/device/mgt/core/dao/impl/AbstractGroupDAOImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractGroupDAOImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractGroupDAOImpl.java index c3426e3521a..f5351385211 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractGroupDAOImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractGroupDAOImpl.java @@ -1115,7 +1115,7 @@ public abstract class AbstractGroupDAOImpl implements GroupDAO { + "FROM DM_DEVICE d, " + "(SELECT dgm.DEVICE_ID " + "FROM DM_DEVICE_GROUP_MAP dgm " - + "WHERE dgm.GROUP_ID = (SELECT ID FROM DM_GROUP WHERE GROUP_NAME = ? )) dgm1 " + + "WHERE dgm.GROUP_ID = (SELECT ID FROM DM_GROUP WHERE GROUP_NAME = ? AND TENANT_ID = ?)) dgm1 " + "WHERE d.ID = dgm1.DEVICE_ID AND d.TENANT_ID = ?) gd, DM_DEVICE_TYPE t " + "WHERE gd.DEVICE_TYPE_ID = t.ID) d1 " + "WHERE d1.DEVICE_ID = e.DEVICE_ID AND TENANT_ID = ? AND e.STATUS IN (", @@ -1129,6 +1129,7 @@ public abstract class AbstractGroupDAOImpl implements GroupDAO { stmt.setString(index++, groupName); stmt.setInt(index++, tenantId); stmt.setInt(index++, tenantId); + stmt.setInt(index++, tenantId); for (String deviceId : deviceStatuses) { stmt.setObject(index++, deviceId); } From 4203226aa511d7230a829d88b32a8a8dfa7cc423 Mon Sep 17 00:00:00 2001 From: Amalka Subasinghe Date: Tue, 24 Aug 2021 15:08:38 +0530 Subject: [PATCH 2/2] fixed tenant enrol issue --- ...ApiApplicationRegistrationServiceImpl.java | 2 +- .../src/main/webapp/WEB-INF/web.xml | 6 ++- .../framework/WebappAuthenticationValve.java | 47 ++++++++++++++++++- 3 files changed, 51 insertions(+), 4 deletions(-) diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java index 702db645279..471136864a2 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java @@ -122,7 +122,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi synchronized (ApiApplicationRegistrationServiceImpl.class) { ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys( applicationName, registrationProfile.getTags(), - ApiApplicationConstants.DEFAULT_TOKEN_TYPE, username, + ApiApplicationConstants.DEFAULT_TOKEN_TYPE, registrationProfile.getUsername(), registrationProfile.isAllowedToAllDomains(), validityPeriod); return Response.status(Response.Status.CREATED).entity(apiApplicationKey.toString()).build(); } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml index b2d4acf3c43..ab313685bfb 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml @@ -37,7 +37,7 @@ doAuthentication - false + true @@ -54,6 +54,10 @@ managed-api-owner admin + + resource-permission-validate + false + ApiPermissionFilter diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java index 9e73d08ffb3..3864954fe92 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java @@ -18,6 +18,7 @@ */ package org.wso2.carbon.webapp.authenticator.framework; +import com.google.gson.Gson; import org.apache.catalina.Context; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; @@ -48,6 +49,9 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class); private static final TreeMap nonSecuredEndpoints = new TreeMap<>(); + private static final String PERMISSION_PREFIX = "/permission/admin"; + public static final String AUTHORIZE_PERMISSION = "Authorize-Permission"; + private static InetAddress inetAddress = null; @Override @@ -78,7 +82,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { } } - if ((this.isContextSkipped(request) || this.skipAuthentication(request))) { + if ((this.isContextSkipped(request) || this.skipAuthentication(request)) + && (StringUtils.isEmpty(request.getHeader(AUTHORIZE_PERMISSION)))) { this.getNext().invoke(request, response, compositeValve); return; } @@ -99,6 +104,39 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { // This section will allow to validate a given access token is authenticated to access given // resource(permission) if (request.getCoyoteRequest() != null + && StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION)) + && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || + authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { + boolean isAllowed; + try { + isAllowed = AuthenticationFrameworkUtil.isUserAuthorized( + authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(), + authenticationInfo.getUsername(), + PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION)); + } catch (AuthenticationException e) { + String msg = "Could not authorize permission"; + log.error(msg); + AuthenticationFrameworkUtil.handleResponse(request, response, + HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg); + return; + } + + if (isAllowed) { + Gson gson = new Gson(); + AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK, + gson.toJson(authenticationInfo)); + return; + } else { + log.error("Unauthorized message from user " + authenticationInfo.getUsername()); + AuthenticationFrameworkUtil.handleResponse(request, response, + HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API"); + return; + } + } + + // This section will allow to validate a given access token is authenticated to access permission defined per API + if (request.getCoyoteRequest() != null + && isResourcePermissionValidate(request) && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { boolean isAllowed; @@ -112,7 +150,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { } } - Tenant tenant = null; + Tenant tenant = null; if (authenticationInfo.getTenantId() != -1) { try { PrivilegedCarbonContext.startTenantFlow(); @@ -178,6 +216,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { return (param != null && Boolean.parseBoolean(param)); } + private boolean isResourcePermissionValidate(Request request) { + String param = request.getContext().findParameter("resource-permission-validate"); + return (param == null) || Boolean.parseBoolean(param); + } + private boolean isContextSkipped(Request request) { Context context = request.getContext(); String ctx = context == null ? null :context.getPath();