forked from community/device-mgt-core
parent
438814eedd
commit
94dd33ffa5
@ -0,0 +1,64 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package org.wso2.carbon.device.mgt.core.cache;
|
||||||
|
|
||||||
|
import java.util.Objects;
|
||||||
|
|
||||||
|
public class APIResourcePermissionCacheKey {
|
||||||
|
|
||||||
|
private String context;
|
||||||
|
private volatile int hashCode;
|
||||||
|
|
||||||
|
public APIResourcePermissionCacheKey(String context) {
|
||||||
|
this.context = context;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public String getContext() {
|
||||||
|
return context;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setContext(String context) {
|
||||||
|
this.context = context;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean equals(Object obj) {
|
||||||
|
if (obj == null) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj;
|
||||||
|
String thisId = this.context;
|
||||||
|
String otherId = other.context;
|
||||||
|
if (!thisId.equals(otherId)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int hashCode() {
|
||||||
|
if (hashCode == 0) {
|
||||||
|
hashCode = Objects.hash(context);
|
||||||
|
}
|
||||||
|
return hashCode;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,31 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package org.wso2.carbon.device.mgt.core.cache;
|
||||||
|
|
||||||
|
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
public interface APIResourcePermissionCacheManager {
|
||||||
|
|
||||||
|
void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
|
||||||
|
|
||||||
|
void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
|
||||||
|
|
||||||
|
List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey);
|
||||||
|
}
|
@ -0,0 +1,84 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package org.wso2.carbon.device.mgt.core.cache.impl;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
||||||
|
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
|
||||||
|
import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager;
|
||||||
|
import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
|
||||||
|
|
||||||
|
import javax.cache.Cache;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager {
|
||||||
|
|
||||||
|
|
||||||
|
private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class);
|
||||||
|
|
||||||
|
private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager;
|
||||||
|
|
||||||
|
private APIResourcePermissionCacheManagerImpl() {
|
||||||
|
}
|
||||||
|
|
||||||
|
public static APIResourcePermissionCacheManagerImpl getInstance() {
|
||||||
|
if (apiResourceCacgeManager == null) {
|
||||||
|
synchronized (APIResourcePermissionCacheManagerImpl.class) {
|
||||||
|
if (apiResourceCacgeManager == null) {
|
||||||
|
apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return apiResourceCacgeManager;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
|
||||||
|
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
|
||||||
|
if (lCache != null) {
|
||||||
|
if (lCache.containsKey(cacheKey)) {
|
||||||
|
this.updateAPIResourcePermissionInCache(cacheKey, permissions);
|
||||||
|
} else {
|
||||||
|
lCache.put(cacheKey, permissions);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
|
||||||
|
|
||||||
|
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
|
||||||
|
if (lCache != null) {
|
||||||
|
if (lCache.containsKey(cacheKey)) {
|
||||||
|
lCache.replace(cacheKey, permissions);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) {
|
||||||
|
Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
|
||||||
|
if (lCache != null) {
|
||||||
|
return lCache.get(cacheKey);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,30 @@
|
|||||||
|
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Created by amalka on 6/26/21.
|
||||||
|
*/
|
||||||
|
public class MatchingResource {
|
||||||
|
private String urlPattern;
|
||||||
|
private String permission;
|
||||||
|
|
||||||
|
public MatchingResource(String urlPattern, String permission) {
|
||||||
|
this.urlPattern = urlPattern;
|
||||||
|
this.permission = permission;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getUrlPattern() {
|
||||||
|
return urlPattern;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUrlPattern(String urlPattern) {
|
||||||
|
this.urlPattern = urlPattern;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getPermission() {
|
||||||
|
return permission;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setPermission(String permission) {
|
||||||
|
this.permission = permission;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,143 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
||||||
|
|
||||||
|
import org.apache.catalina.connector.Request;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
||||||
|
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
|
||||||
|
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
|
||||||
|
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.StringTokenizer;
|
||||||
|
|
||||||
|
public class PermissionAuthorizer {
|
||||||
|
|
||||||
|
private static final Log log = LogFactory.getLog(PermissionAuthorizer.class);
|
||||||
|
|
||||||
|
public static WebappAuthenticator.Status authorize(Request request, AuthenticationInfo authenticationInfo) {
|
||||||
|
String requestUri = request.getRequestURI();
|
||||||
|
String requestMethod = request.getMethod();
|
||||||
|
String context = request.getContextPath();
|
||||||
|
|
||||||
|
if (requestUri == null || requestUri.isEmpty() || requestMethod == null || requestMethod.isEmpty()) {
|
||||||
|
return WebappAuthenticator.Status.CONTINUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
PermissionManagerService registryBasedPermissionManager =
|
||||||
|
PermissionManagerServiceImpl.getInstance();
|
||||||
|
List<Permission> matchingPermissions = null;
|
||||||
|
try {
|
||||||
|
matchingPermissions = registryBasedPermissionManager.getPermission(context);
|
||||||
|
} catch (PermissionManagementException e) {
|
||||||
|
log.error(
|
||||||
|
"Error occurred while fetching the permission for URI : " + requestUri +
|
||||||
|
", msg = " + e.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
if (matchingPermissions == null) {
|
||||||
|
if (log.isDebugEnabled()) {
|
||||||
|
log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
|
||||||
|
}
|
||||||
|
return WebappAuthenticator.Status.FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
String requiredPermission = null;
|
||||||
|
List<MatchingResource> matchingResources = new ArrayList<>();
|
||||||
|
for (Permission permission : matchingPermissions) {
|
||||||
|
if (requestMethod.equals(permission.getMethod()) && requestUri.matches(permission.getUrlPattern())) {
|
||||||
|
if (requestUri.equals(permission.getUrl())) { // is there a exact match
|
||||||
|
requiredPermission = permission.getPath();
|
||||||
|
break;
|
||||||
|
} else { // all templated urls add to a list
|
||||||
|
matchingResources.add(new MatchingResource(permission.getUrlPattern().replace(context, ""), permission.getPath()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (requiredPermission == null) {
|
||||||
|
if (matchingResources.size() == 1) { // only 1 templated url found
|
||||||
|
requiredPermission = matchingResources.get(0).getPermission();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (matchingResources.size() > 1) { // more than 1 templated urls found
|
||||||
|
String urlWithoutContext = requestUri.replace(context, "");
|
||||||
|
StringTokenizer st = new StringTokenizer(urlWithoutContext, "/");
|
||||||
|
int tokenPosition = 1;
|
||||||
|
while (st.hasMoreTokens()) {
|
||||||
|
List<MatchingResource> tempList = new ArrayList<>();
|
||||||
|
String currentToken = st.nextToken();
|
||||||
|
for (MatchingResource matchingResource : matchingResources) {
|
||||||
|
StringTokenizer stmr = new StringTokenizer(matchingResource.getUrlPattern(), "/");
|
||||||
|
int internalTokenPosition = 1;
|
||||||
|
while (stmr.hasMoreTokens()) {
|
||||||
|
String internalToken = stmr.nextToken();
|
||||||
|
if ((tokenPosition == internalTokenPosition) && currentToken.equals(internalToken)) {
|
||||||
|
tempList.add(matchingResource);
|
||||||
|
}
|
||||||
|
internalTokenPosition++;
|
||||||
|
if (tokenPosition < internalTokenPosition) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (tempList.size() == 1) {
|
||||||
|
requiredPermission = tempList.get(0).getPermission();
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
tokenPosition++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (requiredPermission == null) {
|
||||||
|
if (log.isDebugEnabled()) {
|
||||||
|
log.debug("Matching permission not found for " + requestUri);
|
||||||
|
}
|
||||||
|
return WebappAuthenticator.Status.FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
boolean isUserAuthorized;
|
||||||
|
try {
|
||||||
|
isUserAuthorized = AuthenticationFrameworkUtil.isUserAuthorized(
|
||||||
|
authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
|
||||||
|
authenticationInfo.getUsername(), requiredPermission);
|
||||||
|
} catch (AuthenticationException e) {
|
||||||
|
log.error("Error occurred while retrieving user store. " + e.getMessage());
|
||||||
|
return WebappAuthenticator.Status.FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isUserAuthorized) {
|
||||||
|
return WebappAuthenticator.Status.SUCCESS;
|
||||||
|
} else {
|
||||||
|
return WebappAuthenticator.Status.FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in new issue