Merge pull request #266 from ayyoob/transport

added api application registration filter
revert-70aa11f8
sumedharubasinghe 9 years ago
commit 067f0a8050

@ -157,6 +157,16 @@
<artifactId>org.wso2.carbon.apimgt.application.extension</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.user.core</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.user.api</artifactId>
<scope>provided</scope>
</dependency>
</dependencies>
<build>

@ -59,6 +59,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
}
String username = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm()
.getRealmConfiguration().getAdminUserName();
username = username + "@" + APIUtil.getTenantDomainOftheUser();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys(
@ -81,7 +82,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
@POST
public Response register(RegistrationProfile registrationProfile) {
try {
String username = APIUtil.getAuthenticatedUser();
String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser();
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
if (registrationProfile.isMappingAnExistingOAuthApp()) {
JSONObject jsonStringObject = new JSONObject();
@ -116,7 +117,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
@DELETE
public Response unregister(@QueryParam("applicationName") String applicationName) {
try {
String username = APIUtil.getAuthenticatedUser();
String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser();
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
apiManagementProviderService.removeAPIApplication(applicationName, username);
return Response.status(Response.Status.ACCEPTED).build();

@ -0,0 +1,118 @@
package org.wso2.carbon.apimgt.application.extension.api.filter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.application.extension.api.util.APIUtil;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
/**
* this filter check for permission for the request
*/
public class ApiPermissionFilter implements Filter{
private static final Log log = LogFactory.getLog(ApiPermissionFilter.class);
private static final String UI_EXECUTE = "ui.execute";
private static final String PERMISSION_CONFIG_PATH = File.separator + "META-INF" + File.separator
+ "permissions.xml";
private static final String PERMISSION_PREFIX = "/permission/admin";
private static List<Permission> permissions;
private static final String WEBAPP_CONTEXT = "/api-application-registration";
@Override
public void init(FilterConfig filterConfig) throws ServletException {
InputStream permissionStream = filterConfig.getServletContext().getResourceAsStream(PERMISSION_CONFIG_PATH);
if (permissionStream != null) {
try {
JAXBContext cdmContext = JAXBContext.newInstance(PermissionConfiguration.class);
Unmarshaller unmarshaller = cdmContext.createUnmarshaller();
PermissionConfiguration permissionConfiguration = (PermissionConfiguration)
unmarshaller.unmarshal(permissionStream);
permissions = permissionConfiguration.getPermissions();
} catch (JAXBException e) {
log.error("invalid permissions.xml", e);
}
}
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
if (servletRequest instanceof HttpServletRequest) {
String uri = ((HttpServletRequest)servletRequest).getRequestURI();
boolean status = false;
if (uri.contains("register/tenants")) {
String urlPermission = getPermission("/register/tenants/*");
if (urlPermission != null) {
status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
}
} else {
String urlPermission = getPermission(uri);
if (urlPermission != null) {
status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
}
}
if (status) {
filterChain.doFilter(servletRequest, servletResponse);
} else {
HttpServletResponse res = (HttpServletResponse) servletResponse;
res.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
} else {
HttpServletResponse res = (HttpServletResponse) servletResponse;
res.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
}
@Override
public void destroy() {
//do nothing
}
private static String getPermission(String url) {
if (permissions != null) {
for (int i = 0; i < permissions.size(); i++) {
Permission permission = permissions.get(i);
if ((WEBAPP_CONTEXT + permission.getUrl()).equals(url)) {
return permission.getPath();
}
}
}
return null;
}
/**
* Check whether the client is authorized with the given permission and action.
* @param permission Carbon permission that requires for the use
* @param action Carbon permission action that requires for the given permission.
* @return boolean - true if user is authorized else return false.
*/
private boolean isUserAuthorized(String permission, String action) {
PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext();
String username = context.getUsername();
try {
UserRealm userRealm = APIUtil.getRealmService().getTenantUserRealm(PrivilegedCarbonContext
.getThreadLocalCarbonContext().getTenantId());
return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action);
} catch (UserStoreException e) {
String errorMsg = String.format("Unable to authorize the user : %s", username, e);
log.error(errorMsg, e);
return false;
}
}
}

@ -0,0 +1,60 @@
/*
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* you may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.apimgt.application.extension.api.filter;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
/**
* This class represents the information related to permission.
*/
@XmlRootElement (name = "Permission")
public class Permission {
private String path; // permission string
private String url; // url of the resource
private String method; // http method
public String getPath() {
return path;
}
@XmlElement (name = "path", required = true)
public void setPath(String path) {
this.path = path;
}
public String getUrl() {
return url;
}
@XmlElement (name = "url", required = true)
public void setUrl(String url) {
this.url = url;
}
public String getMethod() {
return method;
}
@XmlElement (name = "method", required = true)
public void setMethod(String method) {
this.method = method;
}
}

@ -0,0 +1,41 @@
/*
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* you may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.apimgt.application.extension.api.filter;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import java.util.List;
/**
* This class represents the information related to permission configuration.
*/
@XmlRootElement (name = "PermissionConfiguration")
public class PermissionConfiguration {
private List<Permission> permissions;
public List<Permission> getPermissions() {
return permissions;
}
@XmlElement (name = "Permission", required = true)
public void setPermissions(List<Permission> permissions) {
this.permissions = permissions;
}
}

@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.application.extension.APIManagementProviderService;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.core.service.RealmService;
/**
* This class provides utility functions used by REST-API.
@ -57,4 +58,16 @@ public class APIUtil {
}
return apiManagementProviderService;
}
public static RealmService getRealmService() {
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
RealmService realmService =
(RealmService) ctx.getOSGiService(RealmService.class, null);
if (realmService == null) {
String msg = "Device Management service has not initialized.";
log.error(msg);
throw new IllegalStateException(msg);
}
return realmService;
}
}

@ -30,21 +30,21 @@
<!-- Device related APIs -->
<Permission>
<name>Register tenant specific application</name>
<path>/device-mgt</path>
<path>/device-mgt/admin</path>
<url>/register/tenants/*</url>
<method>POST</method>
<scope>super_admin_user</scope>
</Permission>
<Permission>
<name>Register application</name>
<path>/device-mgt/api/application/add</path>
<path>/device-mgt/user/api/application</path>
<url>/register</url>
<method>POST</method>
<scope>application_user</scope>
</Permission>
<Permission>
<name>Delete application</name>
<path>/device-mgt/api/application/remove</path>
<path>/device-mgt/user/api/application</path>
<url>/unregister</url>
<method>DELETE</method>
<scope>application_user</scope>

@ -49,4 +49,14 @@
<param-name>managed-api-enabled</param-name>
<param-value>false</param-value>
</context-param>
<filter>
<filter-name>ApiPermissionFilter</filter-name>
<filter-class>org.wso2.carbon.apimgt.application.extension.api.filter.ApiPermissionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ApiPermissionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

@ -29,6 +29,6 @@ var utility = require("/app/modules/utility.js")["utility"];
var permissions = {
'/permission/admin/device-mgt/user': ['ui.execute'],
'/permission/admin/device-mgt/api/application': ['ui.execute']
'/permission/admin/manage/api/subscribe': ['ui.execute']
};
userModule.addRole("internal/devicemgt-user", ["admin"], permissions);

Loading…
Cancel
Save