From ba47af3186237930f011585396b6fd795b5df79c Mon Sep 17 00:00:00 2001 From: ayyoob Date: Wed, 18 May 2016 19:33:04 +0530 Subject: [PATCH] added api application registration filter --- .../pom.xml | 10 ++ ...ApiApplicationRegistrationServiceImpl.java | 5 +- .../api/filter/ApiPermissionFilter.java | 118 ++++++++++++++++++ .../extension/api/filter/Permission.java | 60 +++++++++ .../api/filter/PermissionConfiguration.java | 41 ++++++ .../extension/api/util/APIUtil.java | 13 ++ .../src/main/webapp/META-INF/permissions.xml | 6 +- .../src/main/webapp/WEB-INF/web.xml | 10 ++ .../jaggeryapps/devicemgt/app/modules/init.js | 2 +- 9 files changed, 259 insertions(+), 6 deletions(-) create mode 100644 components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java create mode 100644 components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java create mode 100644 components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml index b1c7c57bcb..14379e2e3b 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml @@ -157,6 +157,16 @@ org.wso2.carbon.apimgt.application.extension provided + + org.wso2.carbon + org.wso2.carbon.user.core + provided + + + org.wso2.carbon + org.wso2.carbon.user.api + provided + diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java index 7c24b40ffd..cc0bb20a9f 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java @@ -59,6 +59,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi } String username = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm() .getRealmConfiguration().getAdminUserName(); + username = username + "@" + APIUtil.getTenantDomainOftheUser(); PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username); APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService(); ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys( @@ -81,7 +82,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi @POST public Response register(RegistrationProfile registrationProfile) { try { - String username = APIUtil.getAuthenticatedUser(); + String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser(); APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService(); if (registrationProfile.isMappingAnExistingOAuthApp()) { JSONObject jsonStringObject = new JSONObject(); @@ -116,7 +117,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi @DELETE public Response unregister(@QueryParam("applicationName") String applicationName) { try { - String username = APIUtil.getAuthenticatedUser(); + String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser(); APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService(); apiManagementProviderService.removeAPIApplication(applicationName, username); return Response.status(Response.Status.ACCEPTED).build(); diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java new file mode 100644 index 0000000000..1395566b70 --- /dev/null +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java @@ -0,0 +1,118 @@ +package org.wso2.carbon.apimgt.application.extension.api.filter; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.apimgt.application.extension.api.util.APIUtil; +import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; + +import javax.servlet.*; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Unmarshaller; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.util.List; + +/** + * this filter check for permission for the request + */ +public class ApiPermissionFilter implements Filter{ + private static final Log log = LogFactory.getLog(ApiPermissionFilter.class); + private static final String UI_EXECUTE = "ui.execute"; + private static final String PERMISSION_CONFIG_PATH = File.separator + "META-INF" + File.separator + + "permissions.xml"; + private static final String PERMISSION_PREFIX = "/permission/admin"; + private static List permissions; + private static final String WEBAPP_CONTEXT = "/api-application-registration"; + @Override + public void init(FilterConfig filterConfig) throws ServletException { + InputStream permissionStream = filterConfig.getServletContext().getResourceAsStream(PERMISSION_CONFIG_PATH); + if (permissionStream != null) { + try { + JAXBContext cdmContext = JAXBContext.newInstance(PermissionConfiguration.class); + Unmarshaller unmarshaller = cdmContext.createUnmarshaller(); + PermissionConfiguration permissionConfiguration = (PermissionConfiguration) + unmarshaller.unmarshal(permissionStream); + permissions = permissionConfiguration.getPermissions(); + } catch (JAXBException e) { + log.error("invalid permissions.xml", e); + } + + } + + } + + @Override + public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) + throws IOException, ServletException { + if (servletRequest instanceof HttpServletRequest) { + String uri = ((HttpServletRequest)servletRequest).getRequestURI(); + boolean status = false; + if (uri.contains("register/tenants")) { + String urlPermission = getPermission("/register/tenants/*"); + if (urlPermission != null) { + status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE); + } + } else { + String urlPermission = getPermission(uri); + if (urlPermission != null) { + status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE); + } + } + if (status) { + filterChain.doFilter(servletRequest, servletResponse); + } else { + HttpServletResponse res = (HttpServletResponse) servletResponse; + res.setStatus(HttpServletResponse.SC_FORBIDDEN); + return; + } + } else { + HttpServletResponse res = (HttpServletResponse) servletResponse; + res.setStatus(HttpServletResponse.SC_FORBIDDEN); + return; + } + } + + @Override + public void destroy() { + //do nothing + } + + private static String getPermission(String url) { + if (permissions != null) { + for (int i = 0; i < permissions.size(); i++) { + Permission permission = permissions.get(i); + if ((WEBAPP_CONTEXT + permission.getUrl()).equals(url)) { + return permission.getPath(); + } + } + } + return null; + } + + /** + * Check whether the client is authorized with the given permission and action. + * @param permission Carbon permission that requires for the use + * @param action Carbon permission action that requires for the given permission. + * @return boolean - true if user is authorized else return false. + */ + private boolean isUserAuthorized(String permission, String action) { + PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext(); + String username = context.getUsername(); + try { + UserRealm userRealm = APIUtil.getRealmService().getTenantUserRealm(PrivilegedCarbonContext + .getThreadLocalCarbonContext().getTenantId()); + return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action); + } catch (UserStoreException e) { + String errorMsg = String.format("Unable to authorize the user : %s", username, e); + log.error(errorMsg, e); + return false; + } + } + +} diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java new file mode 100644 index 0000000000..069e94473c --- /dev/null +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java @@ -0,0 +1,60 @@ +/* + * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * you may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.apimgt.application.extension.api.filter; + +import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlRootElement; + +/** + * This class represents the information related to permission. + */ +@XmlRootElement (name = "Permission") +public class Permission { + + private String path; // permission string + private String url; // url of the resource + private String method; // http method + + public String getPath() { + return path; + } + + @XmlElement (name = "path", required = true) + public void setPath(String path) { + this.path = path; + } + + public String getUrl() { + return url; + } + + @XmlElement (name = "url", required = true) + public void setUrl(String url) { + this.url = url; + } + + public String getMethod() { + return method; + } + + @XmlElement (name = "method", required = true) + public void setMethod(String method) { + this.method = method; + } +} diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java new file mode 100644 index 0000000000..22a416873a --- /dev/null +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java @@ -0,0 +1,41 @@ +/* + * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * you may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.apimgt.application.extension.api.filter; + +import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlRootElement; +import java.util.List; + +/** + * This class represents the information related to permission configuration. + */ +@XmlRootElement (name = "PermissionConfiguration") +public class PermissionConfiguration { + + private List permissions; + + public List getPermissions() { + return permissions; + } + + @XmlElement (name = "Permission", required = true) + public void setPermissions(List permissions) { + this.permissions = permissions; + } +} diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java index b15bcd1944..299ff01c3d 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java @@ -22,6 +22,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.apimgt.application.extension.APIManagementProviderService; import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.user.core.service.RealmService; /** * This class provides utility functions used by REST-API. @@ -57,4 +58,16 @@ public class APIUtil { } return apiManagementProviderService; } + + public static RealmService getRealmService() { + PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); + RealmService realmService = + (RealmService) ctx.getOSGiService(RealmService.class, null); + if (realmService == null) { + String msg = "Device Management service has not initialized."; + log.error(msg); + throw new IllegalStateException(msg); + } + return realmService; + } } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml index 213141cc67..1feabf3925 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml @@ -30,21 +30,21 @@ Register tenant specific application - /device-mgt + /device-mgt/admin /register/tenants/* POST super_admin_user Register application - /device-mgt/api/application/add + /device-mgt/user/api/application /register POST application_user Delete application - /device-mgt/api/application/remove + /device-mgt/user/api/application /unregister DELETE application_user diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml index 7aaaf3002d..549bf4c1bd 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml @@ -49,4 +49,14 @@ managed-api-enabled false + + + ApiPermissionFilter + org.wso2.carbon.apimgt.application.extension.api.filter.ApiPermissionFilter + + + ApiPermissionFilter + /* + + diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js index 9474dd2697..8d2b0c197f 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js @@ -29,6 +29,6 @@ var utility = require("/app/modules/utility.js")["utility"]; var permissions = { '/permission/admin/device-mgt/user': ['ui.execute'], - '/permission/admin/device-mgt/api/application': ['ui.execute'] + '/permission/admin/manage/api/subscribe': ['ui.execute'] }; userModule.addRole("internal/devicemgt-user", ["admin"], permissions);