From 2206e258d113c841a3c8c2c89f5998c85677f1be Mon Sep 17 00:00:00 2001
From: Rasika Perera
Date: Sun, 15 Jan 2017 23:40:00 +0530
Subject: [PATCH 1/4] Fixing permissions for [devicemgt-user] and [devicemgt-admin] roles
---
 .../jaggeryapps/devicemgt/app/modules/init.js | 16 ++++----
 .../cdmf.unit.ui.navbar.nav-menu/nav-menu.hbs | 38 +++++++++----------
 2 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
index bc0fa5abb04..4815edd59d0 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
@@ -29,13 +29,15 @@ var carbonServer = new carbonModule.server.Server({
 application.put("carbonServer", carbonServer);
 var permissions = {
- "/permission/admin/device-mgt/devices/enroll": ["ui.execute"],
- "/permission/admin/device-mgt/devices/disenroll": ["ui.execute"],
- "/permission/admin/device-mgt/devices/owning-device": ["ui.execute"],
- "/permission/admin/device-mgt/groups": ["ui.execute"],
- "/permission/admin/device-mgt/notifications": ["ui.execute"],
- "/permission/admin/device-mgt/policies": ["ui.execute"],
- "/permission/admin/manage/api/subscribe": ["ui.execute"]
+ "/permission/admin/Login": ["ui.execute"]
 };
+var adminPermissions = {
+ "/permission/admin": ["ui.execute"]
+};
+
+//On Startup, admin user will get both roles: devicemgt-admin and devicemgt-user
//Average user through sign-up will only receive the role: devicemgt-user.
//Admin can setup necessary permissions for the role: devicemgt-user
 userModule.addRole("internal/devicemgt-user", ["admin"], permissions);
+userModule.addRole("internal/devicemgt-admin", ["admin"], adminPermissions);
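Review bot: `adminPermissions` grants `/permission/admin` to `internal/devicemgt-admin`, and that node is the root of the Carbon admin permission tree, so the role (and every user later assigned it) inherits everything beneath it — user and role management, server configuration, API management — not only device management. Least privilege would list the device-management subtree plus the nodes the removed block had, e.g. `"/permission/admin/device-mgt": ["ui.execute"]` and `"/permission/admin/manage/api/subscribe": ["ui.execute"]`, alongside `/permission/admin/Login`. The new comment says the admin will later set up permissions for `devicemgt-user` by hand; if `userModule.addRole` re-applies `permissions` on every startup (its behaviour is not visible here), those manual grants would be reset, so that is worth confirming and stating in the comment. Everything in this hunk runs at module load, so the `var`/global style matches the file's existing Jaggery conventions rather than being something to change here.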
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/nav-menu.hbs b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/nav-menu.hbs index 21687eef226..51d087ca345 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/nav-menu.hbs +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/nav-menu.hbs @@ -45,33 +45,33 @@ {{/if}} -
  • User Management - +
  • + {{/if}} {{#if permissions.LIST_POLICIES}}
  • Policy Management
  • {{/if}} -
  • Configuration Management - +
• + {{/if}} {{/zone}} {{#zone "navbarCollapsableRightItems"}}
From f45528147c4c960bf429dd92c68b08a5359239fa Mon Sep 17 00:00:00 2001
From: Vishanth
Date: Mon, 16 Jan 2017 13:13:58 +0530
Subject: [PATCH 2/4] fixing sql scripts to support multi tenancy
---
 .../src/main/resources/dbscripts/cdm/mssql.sql | 6 ++----
 .../src/main/resources/dbscripts/cdm/mysql.sql | 9 ++-------
 .../src/main/resources/dbscripts/cdm/oracle.sql | 9 +++------
 .../src/main/resources/dbscripts/cdm/postgresql.sql | 9 ++-------
 4 files changed, 9 insertions(+), 24 deletions(-)
diff --git a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mssql.sql b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mssql.sql
index 900eeefde12..db405cdc1eb 100644
--- a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mssql.sql
+++ b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mssql.sql
@@ -192,8 +192,8 @@ CREATE TABLE DM_PROFILE (
 CREATED_TIME DATETIME NOT NULL ,
 UPDATED_TIME DATETIME NOT NULL ,
 PRIMARY KEY (ID) ,
- CONSTRAINT DM_PROFILE_DEVICE_TYPE FOREIGN KEY (DEVICE_TYPE) REFERENCES
- DM_DEVICE_TYPE (NAME) ON DELETE NO ACTION ON UPDATE NO ACTION
+ CONSTRAINT DM_PROFILE_DEVICE_TYPE FOREIGN KEY (DEVICE_TYPE, TENANT_ID) REFERENCES
+ DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID) ON DELETE NO ACTION ON UPDATE NO ACTION
 );
 IF NOT EXISTS (SELECT * FROM SYS.OBJECTS WHERE OBJECT_ID = OBJECT_ID(N'[DBO].[DM_POLICY]') AND TYPE IN (N'U'))
@@ -234,8 +234,6 @@ CREATE TABLE DM_DEVICE_TYPE_POLICY (
 POLICY_ID INTEGER NOT NULL ,
 PRIMARY KEY (ID) ,
 CONSTRAINT FK_DEVICE_TYPE_POLICY FOREIGN KEY (POLICY_ID) REFERENCES DM_POLICY (ID)
- ON DELETE NO ACTION ON UPDATE NO ACTION,
- CONSTRAINT FK_DEVICE_TYPE_POLICY_DEVICE_TYPE FOREIGN KEY (DEVICE_TYPE_ID) REFERENCES DM_DEVICE_TYPE (ID)
 ON DELETE NO ACTION ON UPDATE NO ACTION
 );
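Review bot: Wrapping the User Management and Configuration Management entries in permission guards only hides the links; it is not an access check, so the pages and the REST endpoints behind them must enforce the same permissions server-side, because the URLs are trivially guessable. This rendering has lost the Handlebars tags, so the guard names added around the two entries are not legible here (only `{{#if permissions.LIST_POLICIES}}` is readable); it is worth confirming they match the permission keys the target pages check. The nav-menu zone starts before this hunk.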
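Review bot: The second mssql hunk drops `FK_DEVICE_TYPE_POLICY_DEVICE_TYPE` outright instead of re-pointing it at the tenant-scoped key, so `DM_DEVICE_TYPE_POLICY.DEVICE_TYPE_ID` is no longer validated by the database at all: a row can reference a deleted device type or one provided by another tenant, and the inserting code becomes the only guard. If the table carries a tenant column (not visible in this hunk), the same composite form used for `DM_PROFILE` applies, e.g. `CONSTRAINT FK_DEVICE_TYPE_POLICY_DEVICE_TYPE FOREIGN KEY (DEVICE_TYPE_ID, TENANT_ID) REFERENCES DM_DEVICE_TYPE (ID, PROVIDER_TENANT_ID) ON DELETE NO ACTION ON UPDATE NO ACTION`; otherwise a comment should say why the reference is deliberately left unenforced. The new composite key in the first hunk also requires a PRIMARY KEY or UNIQUE constraint on `DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID)`, which is outside this diff; SQL Server rejects the CREATE without it. Both CREATE TABLE statements begin before their hunks, and `IF NOT EXISTS` guards mean an existing database keeps the old single-column key unless a migration alters it.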
diff --git a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mysql.sql b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mysql.sql
index e5c79b2f392..5d8faece3f2 100644
--- a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mysql.sql
+++ b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/mysql.sql
@@ -170,8 +170,8 @@ CREATE TABLE IF NOT EXISTS DM_PROFILE (
 UPDATED_TIME DATETIME NOT NULL ,
 PRIMARY KEY (ID) ,
 CONSTRAINT DM_PROFILE_DEVICE_TYPE
- FOREIGN KEY (DEVICE_TYPE)
- REFERENCES DM_DEVICE_TYPE (NAME)
+ FOREIGN KEY (DEVICE_TYPE, TENANT_ID)
+ REFERENCES DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID)
 ON DELETE NO ACTION
 ON UPDATE NO ACTION
 )ENGINE = InnoDB;
@@ -226,11 +226,6 @@ CREATE TABLE IF NOT EXISTS DM_DEVICE_TYPE_POLICY (
 FOREIGN KEY (POLICY_ID )
 REFERENCES DM_POLICY (ID )
 ON DELETE NO ACTION
- ON UPDATE NO ACTION,
- CONSTRAINT FK_DEVICE_TYPE_POLICY_DEVICE_TYPE
- FOREIGN KEY (DEVICE_TYPE )
- REFERENCES DM_DEVICE_TYPE (NAME )
- ON DELETE NO ACTION
 ON UPDATE NO ACTION
 )ENGINE = InnoDB;
diff --git a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/oracle.sql b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/oracle.sql
index c29c6bcb532..f2e71c9c9c3 100644
--- a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/oracle.sql
+++ b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/oracle.sql
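Review bot: InnoDB requires an index whose leading columns are the referenced columns in the same order, so the new `REFERENCES DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID)` in the first mysql hunk only creates if `DM_DEVICE_TYPE` already has an index or unique key on `(NAME, PROVIDER_TENANT_ID)`; that table is outside this diff and should be checked in the same script. The second hunk removes the device-type reference from `DM_DEVICE_TYPE_POLICY` rather than scoping it by tenant, leaving `DEVICE_TYPE` free to point at a missing or foreign-tenant type; if a tenant column exists on that table, `FOREIGN KEY (DEVICE_TYPE, TENANT_ID) REFERENCES DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID)` would keep the integrity check. Both statements are `CREATE TABLE IF NOT EXISTS` and begin before the hunks, so deployed databases keep the old key until an ALTER migration runs.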
@@ -270,8 +270,8 @@ CREATE TABLE DM_PROFILE (
 UPDATED_TIME TIMESTAMP(0) NOT NULL ,
 CONSTRAINT PK_DM_PROFILE PRIMARY KEY (ID) ,
 CONSTRAINT DM_PROFILE_DEVICE_TYPE
- FOREIGN KEY (DEVICE_TYPE )
- REFERENCES DM_DEVICE_TYPE (NAME )
+ FOREIGN KEY (DEVICE_TYPE, TENANT_ID)
+ REFERENCES DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID)
 )
 /
 -- Generate ID using sequence and trigger
@@ -358,10 +358,7 @@ CREATE TABLE DM_DEVICE_TYPE_POLICY (
 CONSTRAINT PK_DEV_TYPE_POLICY PRIMARY KEY (ID) ,
 CONSTRAINT FK_DEV_TYPE_POLICY FOREIGN KEY (POLICY_ID )
- REFERENCES DM_POLICY (ID ),
- CONSTRAINT FK_DEV_TYPE_POLICY_DEV_TYPE
- FOREIGN KEY (DEVICE_TYPE )
- REFERENCES DM_DEVICE_TYPE (NAME )
+ REFERENCES DM_POLICY (ID )
 )
 /
diff --git a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/postgresql.sql b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/postgresql.sql
index a5ea7af0421..d5c035e26b1 100644
--- a/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/postgresql.sql
+++ b/features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/postgresql.sql
@@ -150,8 +150,8 @@ CREATE TABLE IF NOT EXISTS DM_PROFILE (
 CREATED_TIME TIMESTAMP NOT NULL ,
 UPDATED_TIME TIMESTAMP NOT NULL ,
 CONSTRAINT DM_PROFILE_DEVICE_TYPE
- FOREIGN KEY (DEVICE_TYPE )
- REFERENCES DM_DEVICE_TYPE (NAME )
+ FOREIGN KEY (DEVICE_TYPE, TENANT_ID)
+ REFERENCES DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID)
 ON DELETE NO ACTION ON UPDATE NO ACTION
 );
@@ -201,11 +201,6 @@ CREATE TABLE IF NOT EXISTS DM_DEVICE_TYPE_POLICY (
 FOREIGN KEY (POLICY_ID )
 REFERENCES DM_POLICY (ID )
 ON DELETE NO ACTION
- ON UPDATE NO ACTION,
- CONSTRAINT FK_DEVICE_TYPE_POLICY_DEVICE_TYPE
- FOREIGN KEY (DEVICE_TYPE )
- REFERENCES DM_DEVICE_TYPE (NAME )
- ON DELETE NO ACTION
 ON UPDATE NO ACTION
 );
From 4fbab807820e5d99fa0f52ee2aba17da123f33bb Mon Sep 17 00:00:00 2001
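Review bot: Oracle and PostgreSQL both require the referenced column list of a foreign key to match a PRIMARY KEY or UNIQUE constraint exactly, so `REFERENCES DM_DEVICE_TYPE (NAME, PROVIDER_TENANT_ID)` in the two `DM_PROFILE` hunks fails at script load unless `DM_DEVICE_TYPE` declares `UNIQUE (NAME, PROVIDER_TENANT_ID)`; that table is not in the diff, so confirm the constraint exists in both scripts. The two `DM_DEVICE_TYPE_POLICY` hunks drop the device-type reference instead of scoping it per tenant, which leaves `DEVICE_TYPE` unconstrained and lets a policy row outlive or cross tenants with its device type; the composite form used for `DM_PROFILE` is the consistent fix if the table has a tenant column, and the Oracle script's `DM_DEVICE_TYPE_POLICY` definition — unlike the others — also ends up without an `ON DELETE` clause, which is fine for Oracle but worth noting as intentional. Each CREATE TABLE begins before its hunk, so the remaining columns are not visible here.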
From: Maninda
Date: Mon, 16 Jan 2017 14:40:33 +0530
Subject: [PATCH 3/4] Added security filters to jaggery.conf
---
 .../jaggeryapps/devicemgt/jaggery.conf | 29 ++++++++++++++-----
 1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf
index 832c1ab2528..fd500822e09 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf
@@ -66,24 +66,39 @@
 },
 "filters": [
 {
- "name": "URLBasedCachePreventionFilter",
- "class": "org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter"
+ "name": "ContentTypeBasedCachePreventionFilter",
+ "class": "org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter",
+ "params" : [
+ {"name" : "patterns", "value" : "text/html\" ,application/json\" ,text/plain"},
+ {"name" : "filterAction", "value" : "enforce"},
+ {"name" : "httpHeaders", "value" : "Cache-Control: no-store, no-cache, must-revalidate, private"}
+ ]
 },
 {
 "name":"HttpHeaderSecurityFilter",
 "class":"org.apache.catalina.filters.HttpHeaderSecurityFilter",
 "params" : [{"name" : "hstsEnabled", "value" : "false"}]
+ },
+ {
+ "name" : "CSRFGuard",
+ "class" : "org.owasp.csrfguard.CsrfGuardFilter"
 }
+
 ],
 "filterMappings": [
- {
- "name": "URLBasedCachePreventionFilter",
- "url": "/api/*"
- },
 {
 "name":"HttpHeaderSecurityFilter",
 "url":"*"
+ },
+ {
+ "name" : "CSRFGuard",
+ "url" : "/*"
+ },
+ {
+ "name":"ContentTypeBasedCachePreventionFilter",
+ "url":"*"
 }
+
 ],
 "listeners" : [
 {
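Review bot: The `patterns` value `"text/html\" ,application/json\" ,text/plain"` is mangled: after JSON unescaping the filter receives `text/html" ,application/json" ,text/plain`, a stray quote glued onto the first two types and a leading space on the last two, which presumably no real `Content-Type` matches, so the `Cache-Control: no-store` header would never actually be enforced on HTML or JSON responses. The web.xml form in the next patch, `"text/html*","application/json*","text/plain*"`, is the spelling to mirror; as a JSON string that is `{"name" : "patterns", "value" : "\"text/html*\",\"application/json*\",\"text/plain*\""}` (confirm the exact quoting the filter's parser expects). `hstsEnabled` stays `false` on the HttpHeaderSecurityFilter; if the UI is served only over HTTPS, enabling it with a max-age is cheap, and if it is off because a fronting proxy sets HSTS, the commit message should say so, since JSON leaves no room for a comment. The new mappings also mix `"url":"*"` and `"url" : "/*"`; whether Jaggery treats the two patterns identically is worth checking so CSRFGuard and the cache filter cover the same requests.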
@@ -108,7 +123,7 @@
 "contextParams" : [
 {
 "name" : "Owasp.CsrfGuard.Config",
- "value" : "/repository/conf/security/Owasp.CsrfGuard.dashboard.properties"
+ "value" : "repository/conf/security/Owasp.CsrfGuard.dashboard.properties"
 }
 ]
 }
\ No newline at end of file
From 8aed7c67a91c52cb751c3e2b56d0f74756e52415 Mon Sep 17 00:00:00 2001
From: Maninda
Date: Mon, 16 Jan 2017 15:00:03 +0530
Subject: [PATCH 4/4] Added devicemgt web app configs to secure web app
---
 .../src/main/webapp/WEB-INF/web.xml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/web.xml b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/web.xml
index dc7eda629b9..aa494825575 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/web.xml
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/web.xml
@@ -74,6 +74,43 @@ ApiOriginFilter org.wso2.carbon.device.mgt.jaxrs.ApiOriginFilter + + + HttpHeaderSecurityFilter org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + ApiOriginFilter /*
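Review bot: Dropping the leading slash turns `Owasp.CsrfGuard.Config` into the relative path `repository/conf/security/Owasp.CsrfGuard.dashboard.properties`, so where it resolves depends on how the CSRFGuard loader searches (servlet-context resource, classpath, then filesystem relative to the working directory, presumably) and on the directory the server is launched from. Because `CsrfGuardFilter` is now mapped to `/*` in the previous hunk, a properties file that silently fails to load at startup changes the CSRF posture of every request, in whichever direction the library defaults to. A startup log line confirming the file was found, or a quick test that a token-less POST is rejected, would make the change safe to rely on, and the reason for the slash removal belongs in the commit message since JSON allows no comment here.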
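Review bot: `hstsEnabled` is set to `false` on the new HttpHeaderSecurityFilter for the device-mgt REST API; if the API is reachable only over TLS, `true` with `hstsMaxAgeSeconds` is the safer default, and if it is off because a reverse proxy emits the header, that reason should sit in an XML comment next to the param, e.g. `<!-- HSTS is injected by the fronting proxy; keep disabled here -->`. The XML tags have been stripped in this rendering, so the param/value nesting is inferred, and the hunk's trailing context appears to end at the existing ApiOriginFilter mapping. The cache-prevention `patterns` here (`"text/html*","application/json*","text/plain*"`) differ from the jaggery.conf spelling in the previous patch; keeping the two identical avoids one of them matching nothing.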