From c0240c5cbc57f773e75c51893f08d96d9b09cb7e Mon Sep 17 00:00:00 2001
From: ayyoob
Date: Wed, 18 May 2016 02:09:12 +0530
Subject: [PATCH] few fixes in JWT client after testing with multi tenancy

---
 .../jaggeryapps/devicemgt/api/user-api.jag | 2 +-
 .../jaggeryapps/devicemgt/app/modules/init.js | 5 +++--
 .../jwt/client/extension/JWTClient.java | 9 +++++++-
 .../service/JWTClientManagerServiceImpl.java | 2 +-
 .../client/extension/util/JWTClientUtil.java | 22 +++++++++++++++----
 5 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/user-api.jag b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/user-api.jag
index 2dc839f9077..05364453b5b 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/user-api.jag
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/user-api.jag
@@ -147,7 +147,7 @@ if (uriMatcher.match("/{context}/api/user/authenticate")) {
 lastname = addUserFormData.lastname;
 emailAddress = addUserFormData.emailAddress;
 password = addUserFormData.password;
- userRoles = ["devicemgt-user"];
+ userRoles = ["internal/devicemgt-user"];
 try {
 result = userModule.registerUser(username, firstname, lastname, emailAddress, password,
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
index 2aa4bc8f625..9474dd26976 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
@@ -28,6 +28,7 @@ var userModule = require("/app/modules/user.js")["userModule"];
 var utility = require("/app/modules/utility.js")["utility"];
 var permissions = {
- '/permission/admin/device-mgt/user': ['ui.execute']
+ '/permission/admin/device-mgt/user': ['ui.execute'],
+ '/permission/admin/device-mgt/api/application': ['ui.execute']
 };
-userModule.addRole("devicemgt-user", ["admin"], permissions);
+userModule.addRole("internal/devicemgt-user", ["admin"], permissions);
diff --git a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java
index 8251a1bceed..b4081fa600c 100644
--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java
@@ -52,11 +52,18 @@ public class JWTClient {
 private static Log log = LogFactory.getLog(JWTClient.class);
 private JWTConfig jwtConfig;
+ private boolean isDefaultJWTClient;
 public JWTClient(JWTConfig jwtConfig) {
 this.jwtConfig = jwtConfig;
 }
+ public JWTClient(JWTConfig jwtConfig, boolean isDefaultJWTClient) {
+ this.jwtConfig = jwtConfig;
+ this.isDefaultJWTClient = isDefaultJWTClient;
+ }
+
+
 /**
 * {@inheritDoc}
 */
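Review bot: The added `/permission/admin/device-mgt/api/application` grant goes into the permission map of `internal/devicemgt-user`, which appears to be the role the registration path in user-api.jag assigns to every newly registered user (`userRoles = ["internal/devicemgt-user"]`), so this widens what new users may call rather than only what admins may call; a comment stating why application-API access belongs in the base user role would help the next reviewer judge that. The role name literal is now repeated in init.js and user-api.jag; defining it once, e.g. `var DEFAULT_USER_ROLE = "internal/devicemgt-user";` read by both files, would keep the two from diverging.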
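Review bot: The new two-argument constructor repeats the `this.jwtConfig = jwtConfig;` assignment of the existing one; the one-argument constructor should delegate, `this(jwtConfig, false);`, so the flag's default is stated in one place. If, as this hunk suggests, both fields are only assigned in the constructors, `jwtConfig` and `isDefaultJWTClient` could be `final`. The flag carries no explanation of what it changes; a field comment such as `// true only for the super-tenant client registered by JWTClientManagerServiceImpl: makes generateSignedJWTAssertion sign with the super tenant's default key even when called from another tenant` would tell a reader why it exists.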
@@ -64,7 +71,7 @@ public class JWTClient {
 throws JWTClientException {
 List params = new ArrayList<>();
 params.add(new BasicNameValuePair(JWTConstants.GRANT_TYPE_PARAM_NAME, JWTConstants.JWT_GRANT_TYPE));
- String assertion = JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig);
+ String assertion = JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig, isDefaultJWTClient);
 if (assertion == null) {
 throw new JWTClientException("JWT is not configured properly for user : " + username);
 }
diff --git a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/service/JWTClientManagerServiceImpl.java b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/service/JWTClientManagerServiceImpl.java
index eee439d7685..df9a862fad4 100644
--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/service/JWTClientManagerServiceImpl.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/service/JWTClientManagerServiceImpl.java
@@ -106,7 +106,7 @@ public class JWTClientManagerServiceImpl implements JWTClientManagerService{
 if (isDefaultJwtClient) {
 try {
 JWTConfig jwtConfig = new JWTConfig(properties);
- defaultJWTClient = new JWTClient(jwtConfig);
+ defaultJWTClient = new JWTClient(jwtConfig, true);
 addJWTClient(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, defaultJWTClient);
 } catch (JWTClientAlreadyExistsException e) {
 log.warn("Attempting to register a jwt client for the super tenant" +
diff --git a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
index cbfa846c218..dea0b0754cf 100644
--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
@@ -33,6 +33,7 @@ import org.apache.http.conn.ssl.SSLContextBuilder;
 import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.util.EntityUtils;
+import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.core.util.KeyStoreManager;
 import org.wso2.carbon.identity.jwt.client.extension.service.JWTClientManagerService;
@@ -193,7 +194,8 @@ public class JWTClientUtil {
 tenantRegistryLoader.loadTenantRegistry(tenantId);
 }
- public static String generateSignedJWTAssertion(String username, JWTConfig jwtConfig) throws JWTClientException {
+ public static String generateSignedJWTAssertion(String username, JWTConfig jwtConfig, boolean isDefaultJWTClient)
+ throws JWTClientException {
 try {
 String subject = username;
 long currentTimeMillis = System.currentTimeMillis();
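Review bot: The new `isDefaultJWTClient` parameter on `generateSignedJWTAssertion` has no Javadoc, and what it controls is only visible in the key-selection branch further down the method, in the next hunk. A line such as `@param isDefaultJWTClient when true, sign with the super tenant's default private key even if the calling tenant is not the super tenant; when false, a non-super tenant signs with its own tenant key store` would spare callers reading the body. The method body continues past the end of this hunk.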
@@ -227,15 +229,27 @@ public class JWTClientUtil {
 String privateKeyAlias = jwtConfig.getPrivateKeyAlias();
 String privateKeyPassword = jwtConfig.getPrivateKeyPassword();
 KeyStore keyStore;
- RSAPrivateKey rsaPrivateKey;
+ RSAPrivateKey rsaPrivateKey = null;
 if (keyStorePath != null && !keyStorePath.isEmpty()) {
 String keyStorePassword = jwtConfig.getKeyStorePassword();
 keyStore = loadKeyStore(new File(keyStorePath), keyStorePassword, "JKS");
 rsaPrivateKey = (RSAPrivateKey) keyStore.getKey(privateKeyAlias, privateKeyPassword.toCharArray());
 } else {
 int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(true);
- KeyStoreManager tenantKeyStoreManager = KeyStoreManager.getInstance(tenantId);
- rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getDefaultPrivateKey();
+ JWTClientUtil.loadTenantRegistry(tenantId);
+ if (!(MultitenantConstants.SUPER_TENANT_ID == tenantId) && !isDefaultJWTClient) {
+ KeyStoreManager tenantKeyStoreManager = KeyStoreManager.getInstance(tenantId);
+ String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true);
+ String ksName = tenantDomain.trim().replace('.', '-');
+ String jksName = ksName + ".jks";
+ rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getPrivateKey(jksName, tenantDomain);
+ } else {
+ PrivilegedCarbonContext.startTenantFlow();
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID);
+ KeyStoreManager tenantKeyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
+ rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getDefaultPrivateKey();
+ PrivilegedCarbonContext.endTenantFlow();
+ }
 }
 JWSSigner signer = new RSASSASigner(rsaPrivateKey);
 SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
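Review bot: In the super-tenant branch `PrivilegedCarbonContext.startTenantFlow()` is not paired with `endTenantFlow()` in a `finally`, so if `KeyStoreManager.getInstance` or `getDefaultPrivateKey` throws, the thread is left with the super-tenant context that `setTenantId(MultitenantConstants.SUPER_TENANT_ID)` installed; whatever the enclosing `try` (opened in the previous hunk) does with the exception, it does not unwind that flow, and later work on the same thread would run as the super tenant. Wrapping the three calls between start and end in try/finally closes that gap. Two smaller points: `!(MultitenantConstants.SUPER_TENANT_ID == tenantId)` reads more naturally as `tenantId != MultitenantConstants.SUPER_TENANT_ID`, and the new `= null` initialiser on `rsaPrivateKey` is unnecessary because every branch now assigns it before use. The method extends beyond both ends of this hunk.
```java
            if (tenantId != MultitenantConstants.SUPER_TENANT_ID && !isDefaultJWTClient) {
                // … unchanged: tenant-specific key store branch …
            } else {
                PrivilegedCarbonContext.startTenantFlow();
                try {
                    PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID);
                    KeyStoreManager tenantKeyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
                    rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getDefaultPrivateKey();
                } finally {
                    // always restore the caller's tenant context, even when key lookup fails
                    PrivilegedCarbonContext.endTenantFlow();
                }
            }
```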