From aecc106f95319fb73d216c6ff0197b94f8a540b1 Mon Sep 17 00:00:00 2001 From: ThilinaPremachandra Date: Sun, 2 Jul 2023 01:23:13 +0530 Subject: [PATCH 1/2] add: super-tenant admin check --- .../service/impl/admin/GroupManagementAdminServiceImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java index 656eb857bc6..3e8df2c98a5 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java @@ -101,9 +101,10 @@ public class GroupManagementAdminServiceImpl implements GroupManagementAdminServ request.setOwner(owner); request.setStatus(status); request.setDepth(depth); + boolean isAdmin = DEFAULT_ADMIN_ROLE.equals(currentUser); PaginationResult deviceGroupsResult; - if (StringUtils.isBlank(currentUser)) { + if (StringUtils.isBlank(currentUser) || isAdmin) { deviceGroupsResult = DeviceMgtAPIUtils.getGroupManagementProviderService() .getGroupsWithHierarchy(null, request, requireGroupProps); } else { From 6d012bc614a7a31d72d948fd0bc65325f2ece7c3 Mon Sep 17 00:00:00 2001 From: ThilinaPremachandra Date: Mon, 3 Jul 2023 18:53:34 +0530 Subject: [PATCH 2/2] fix: group assigned role issue --- .../impl/GroupManagementServiceImpl.java | 22 +++++++++++++++++-- .../GroupManagementAdminServiceImpl.java | 16 +++++++++++--- 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GroupManagementServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GroupManagementServiceImpl.java index 1c077c00a51..6c75b3fb5e8 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GroupManagementServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GroupManagementServiceImpl.java @@ -29,6 +29,7 @@ import io.entgra.device.mgt.core.device.mgt.common.group.mgt.RoleDoesNotExistExc import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.CarbonConstants; +import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext; import io.entgra.device.mgt.core.device.mgt.common.Device; import io.entgra.device.mgt.core.device.mgt.common.DeviceIdentifier; @@ -48,6 +49,8 @@ import io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl.util.RequestV import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.DeviceMgtAPIUtils; import io.entgra.device.mgt.core.policy.mgt.common.PolicyAdministratorPoint; import io.entgra.device.mgt.core.policy.mgt.common.PolicyManagementException; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; import javax.ws.rs.DefaultValue; import javax.ws.rs.GET; @@ -56,6 +59,7 @@ import javax.ws.rs.Path; import javax.ws.rs.QueryParam; import javax.ws.rs.core.Response; import java.util.ArrayList; +import java.util.Arrays; import java.util.List; public class GroupManagementServiceImpl implements GroupManagementService { @@ -109,8 +113,18 @@ public class GroupManagementServiceImpl implements GroupManagementService { request.setGroupName(name); request.setOwner(owner); request.setDepth(depth); - PaginationResult deviceGroupsResult = DeviceMgtAPIUtils.getGroupManagementProviderService() - .getGroupsWithHierarchy(currentUser, request, requireGroupProps); + int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId(); + UserRealm realmService = DeviceMgtAPIUtils.getRealmService().getTenantUserRealm(tenantId); + String[] roles = realmService.getUserStoreManager().getRoleListOfUser(currentUser); + boolean hasAdminRole = Arrays.asList(roles).contains(DEFAULT_ADMIN_ROLE); + PaginationResult deviceGroupsResult; + if (hasAdminRole) { + deviceGroupsResult = DeviceMgtAPIUtils.getGroupManagementProviderService() + .getGroupsWithHierarchy(null, request, requireGroupProps); + } else{ + deviceGroupsResult = DeviceMgtAPIUtils.getGroupManagementProviderService() + .getGroupsWithHierarchy(currentUser, request, requireGroupProps); + } DeviceGroupList deviceGroupList = new DeviceGroupList(); deviceGroupList.setList(deviceGroupsResult.getData()); deviceGroupList.setCount(deviceGroupsResult.getRecordsTotal()); @@ -119,6 +133,10 @@ public class GroupManagementServiceImpl implements GroupManagementService { String error = "Error occurred while retrieving groups with hierarchy."; log.error(error, e); return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(error).build(); + } catch (UserStoreException e) { + String msg = "Error occurred while getting user realm."; + log.error(msg, e); + return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build(); } } diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java index 3e8df2c98a5..e9277825ede 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/admin/GroupManagementAdminServiceImpl.java @@ -31,8 +31,11 @@ import io.entgra.device.mgt.core.device.mgt.api.jaxrs.beans.DeviceGroupList; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.api.admin.GroupManagementAdminService; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl.util.RequestValidationUtil; import io.entgra.device.mgt.core.device.mgt.api.jaxrs.util.DeviceMgtAPIUtils; +import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext; import org.apache.commons.lang.StringUtils; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; import javax.ws.rs.DefaultValue; import javax.ws.rs.GET; @@ -41,6 +44,7 @@ import javax.ws.rs.Path; import javax.ws.rs.QueryParam; import javax.ws.rs.core.Response; import java.util.ArrayList; +import java.util.Arrays; public class GroupManagementAdminServiceImpl implements GroupManagementAdminService { @@ -101,17 +105,19 @@ public class GroupManagementAdminServiceImpl implements GroupManagementAdminServ request.setOwner(owner); request.setStatus(status); request.setDepth(depth); + int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId(); + UserRealm realmService = DeviceMgtAPIUtils.getRealmService().getTenantUserRealm(tenantId); + String[] roles = realmService.getUserStoreManager().getRoleListOfUser(currentUser); boolean isAdmin = DEFAULT_ADMIN_ROLE.equals(currentUser); - + boolean hasAdminRole = Arrays.asList(roles).contains(DEFAULT_ADMIN_ROLE); PaginationResult deviceGroupsResult; - if (StringUtils.isBlank(currentUser) || isAdmin) { + if (StringUtils.isBlank(currentUser) || isAdmin || hasAdminRole) { deviceGroupsResult = DeviceMgtAPIUtils.getGroupManagementProviderService() .getGroupsWithHierarchy(null, request, requireGroupProps); } else { deviceGroupsResult = DeviceMgtAPIUtils.getGroupManagementProviderService() .getGroupsWithHierarchy(currentUser, request, requireGroupProps); } - DeviceGroupList deviceGroupList = new DeviceGroupList(); deviceGroupList.setList(deviceGroupsResult.getData()); deviceGroupList.setCount(deviceGroupsResult.getRecordsTotal()); @@ -120,6 +126,10 @@ public class GroupManagementAdminServiceImpl implements GroupManagementAdminServ String error = "Error occurred while retrieving groups with hierarchy."; log.error(error, e); return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(error).build(); + } catch (UserStoreException e) { + String msg = "Error occurred while getting user realm."; + log.error(msg, e); + return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build(); } }