Implemented a scope delegation validator

revert-70aa11f8
Milan Perera 8 years ago
parent 21d8d14b7e
commit 7ba1dc989a

@ -0,0 +1,131 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.handlers;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import java.util.Map;
public class ScopeValidationHandler extends OAuth2ScopeValidator {
private final static Log log = LogFactory.getLog(ScopeValidationHandler.class);
private Map<String, OAuth2ScopeValidator> scopeValidators;
private final String DEFAULT_PREFIX = "default";
public ScopeValidationHandler() {
scopeValidators = OAuthExtensionsDataHolder.getInstance().getScopeValidators();
}
public boolean validateScope(AccessTokenDO accessTokenDO, String resource) throws IdentityOAuth2Exception {
//returns true if scope validators are not defined
if (scopeValidators == null || scopeValidators.isEmpty()) {
if(log.isDebugEnabled()){
log.debug("OAuth2 scope validators are not loaded");
}
return true;
}
String resourceScope = getResourceScope(resource);
//returns true if scope does not exist for the resource
if (resourceScope == null) {
if(log.isDebugEnabled()){
log.debug("Resource '" + resource + "' is not protected with a scope");
}
return true;
}
String scope[] = resourceScope.split(":");
String scopePrefix = scope[0];
OAuth2ScopeValidator scopeValidator = scopeValidators.get(scopePrefix);
if (scopeValidator == null) {
if(log.isDebugEnabled()){
log.debug("OAuth2 scope validator cannot be identified for '" + scopePrefix + "' scope prefix");
}
// loading default scope validator if matching validator is not found
scopeValidator = scopeValidators.get(DEFAULT_PREFIX);
if(log.isDebugEnabled()){
log.debug("Loading default scope validator");
}
if (scopeValidator == null) {
if(log.isDebugEnabled()){
log.debug("Default scope validator is not available");
}
return true;
}
}
// validate scope via relevant scope validator that matches with the prefix
return scopeValidator.validateScope(accessTokenDO, resourceScope);
}
private String getResourceScope(String resource) {
String resourceScope = null;
boolean cacheHit = false;
// Check the cache, if caching is enabled.
if (OAuthServerConfiguration.getInstance().isCacheEnabled()) {
OAuthCache oauthCache = OAuthCache.getInstance();
OAuthCacheKey cacheKey = new OAuthCacheKey(resource);
CacheEntry result = oauthCache.getValueFromCache(cacheKey);
//Cache hit
if (result instanceof ResourceScopeCacheEntry) {
resourceScope = ((ResourceScopeCacheEntry) result).getScope();
cacheHit = true;
}
}
TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
if (!cacheHit) {
try {
resourceScope = tokenMgtDAO.findScopeOfResource(resource);
} catch (IdentityOAuth2Exception e) {
log.error("Error occurred while retrieving scope for resource '" + resource + "'");
}
if (OAuthServerConfiguration.getInstance().isCacheEnabled()) {
OAuthCache oauthCache = OAuthCache.getInstance();
OAuthCacheKey cacheKey = new OAuthCacheKey(resource);
ResourceScopeCacheEntry cacheEntry = new ResourceScopeCacheEntry(resourceScope);
//Store resourceScope in cache even if it is null (to avoid database calls when accessing resources for
//which scopes haven't been defined).
oauthCache.addToCache(cacheKey, cacheEntry);
}
}
return resourceScope;
}
}

@ -24,7 +24,10 @@ import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.apimgt.api.APIManagementException; import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.impl.APIConstants; import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.apimgt.impl.APIManagerConfiguration; import org.wso2.carbon.apimgt.impl.APIManagerConfiguration;
import org.wso2.carbon.device.mgt.oauth.extensions.validators.ExtendedJDBCScopeValidator;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService; import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.identity.oauth2.validators.JDBCScopeValidator;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.CarbonUtils; import org.wso2.carbon.utils.CarbonUtils;
@ -46,6 +49,12 @@ import java.util.List;
* policy="dynamic" * policy="dynamic"
* bind="setOAuth2ValidationService" * bind="setOAuth2ValidationService"
* unbind="unsetOAuth2ValidationService" * unbind="unsetOAuth2ValidationService"
* * @scr.reference name="scope.validator.service"
* interface="org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator"
* cardinality="0..n"
* policy="dynamic"
* bind="addScopeValidator"
* unbind="removeScopeValidator"
*/ */
public class OAuthExtensionServiceComponent { public class OAuthExtensionServiceComponent {
@ -53,6 +62,8 @@ public class OAuthExtensionServiceComponent {
private static final String REPOSITORY = "repository"; private static final String REPOSITORY = "repository";
private static final String CONFIGURATION = "conf"; private static final String CONFIGURATION = "conf";
private static final String APIM_CONF_FILE = "api-manager.xml"; private static final String APIM_CONF_FILE = "api-manager.xml";
private static final String PERMISSION_SCOPE_PREFIX = "perm";
private static final String DEFAULT_PREFIX = "default";
@SuppressWarnings("unused") @SuppressWarnings("unused")
@ -87,6 +98,13 @@ public class OAuthExtensionServiceComponent {
} }
OAuthExtensionsDataHolder.getInstance().setWhitelistedScopes(whiteList); OAuthExtensionsDataHolder.getInstance().setWhitelistedScopes(whiteList);
ExtendedJDBCScopeValidator permissionBasedScopeValidator = new ExtendedJDBCScopeValidator();
JDBCScopeValidator roleBasedScopeValidator = new JDBCScopeValidator();
OAuthExtensionsDataHolder.getInstance().addScopeValidator(permissionBasedScopeValidator,
PERMISSION_SCOPE_PREFIX);
OAuthExtensionsDataHolder.getInstance().addScopeValidator(roleBasedScopeValidator,
DEFAULT_PREFIX);
} catch (APIManagementException e) { } catch (APIManagementException e) {
log.error("Error occurred while loading DeviceMgtConfig configurations", e); log.error("Error occurred while loading DeviceMgtConfig configurations", e);
} }
@ -147,5 +165,21 @@ public class OAuthExtensionServiceComponent {
OAuthExtensionsDataHolder.getInstance().setoAuth2TokenValidationService(null); OAuthExtensionsDataHolder.getInstance().setoAuth2TokenValidationService(null);
} }
/**
* Add scope validator to the map.
* @param scopesValidator
*/
protected void addScopeValidator(OAuth2ScopeValidator scopesValidator) {
OAuthExtensionsDataHolder.getInstance().addScopeValidator(scopesValidator, DEFAULT_PREFIX);
}
/**
* unset scope validator.
* @param scopesValidator
*/
protected void removeScopeValidator(OAuth2ScopeValidator scopesValidator) {
OAuthExtensionsDataHolder.getInstance().removeScopeValidator();
}
} }

@ -19,9 +19,12 @@
package org.wso2.carbon.device.mgt.oauth.extensions.internal; package org.wso2.carbon.device.mgt.oauth.extensions.internal;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService; import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map;
/** /**
* This holds the OSGi service references required for oauth extensions bundle. * This holds the OSGi service references required for oauth extensions bundle.
@ -31,10 +34,13 @@ public class OAuthExtensionsDataHolder {
private RealmService realmService; private RealmService realmService;
private OAuth2TokenValidationService oAuth2TokenValidationService; private OAuth2TokenValidationService oAuth2TokenValidationService;
private List<String> whitelistedScopes; private List<String> whitelistedScopes;
private Map<String, OAuth2ScopeValidator> scopeValidators;
private static OAuthExtensionsDataHolder thisInstance = new OAuthExtensionsDataHolder(); private static OAuthExtensionsDataHolder thisInstance = new OAuthExtensionsDataHolder();
private OAuthExtensionsDataHolder() {} private OAuthExtensionsDataHolder() {
scopeValidators = new HashMap<>();
}
public static OAuthExtensionsDataHolder getInstance() { public static OAuthExtensionsDataHolder getInstance() {
return thisInstance; return thisInstance;
@ -71,4 +77,20 @@ public class OAuthExtensionsDataHolder {
this.whitelistedScopes = whitelistedScopes; this.whitelistedScopes = whitelistedScopes;
} }
public Map<String, OAuth2ScopeValidator> getScopeValidators() {
return scopeValidators;
}
public void setScopeValidators(Map<String, OAuth2ScopeValidator> scopeValidators) {
this.scopeValidators = scopeValidators;
}
public void addScopeValidator(OAuth2ScopeValidator oAuth2ScopeValidator, String prefix) {
scopeValidators.put(prefix, oAuth2ScopeValidator);
}
public void removeScopeValidator() {
scopeValidators = null;
}
} }

@ -0,0 +1,159 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
@SuppressWarnings("unused")
public class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
private static final Log log = LogFactory.getLog(PermissionBasedScopeValidator.class);
private static final String UI_EXECUTE = "ui.execute";
@Override
public boolean validateScope(AccessTokenDO accessTokenDO, String resourceScope) throws IdentityOAuth2Exception {
//Get the list of scopes associated with the access token
String[] scopes = accessTokenDO.getScope();
//If no scopes are associated with the token
if (scopes == null || scopes.length == 0) {
return true;
}
TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
List<String> scopeList = new ArrayList<>(Arrays.asList(scopes));
//If the access token does not bear the scope required for accessing the Resource.
if(!scopeList.contains(resourceScope)){
if(log.isDebugEnabled()){
log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" +
resourceScope + "'");
}
return false;
}
try {
//Get the permissions associated with the scope, if any
Set<String> permissionsOfScope = tokenMgtDAO.getRolesOfScopeByScopeKey(resourceScope);
//If the scope doesn't have any permissions associated with it.
if(permissionsOfScope == null || permissionsOfScope.isEmpty()){
if(log.isDebugEnabled()){
log.debug("Did not find any roles associated to the scope " + resourceScope);
}
return true;
}
if(log.isDebugEnabled()){
StringBuilder logMessage = new StringBuilder("Found permissions of scope '" + resourceScope + "' ");
for(String permission : permissionsOfScope){
logMessage.append(permission);
logMessage.append(", ");
}
log.debug(logMessage.toString());
}
User authorizedUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());
if (tenantId == 0 || tenantId == -1) {
tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName());
}
AuthorizationManager authorizationManager;
String[] userRoles;
boolean tenantFlowStarted = false;
try{
//If this is a tenant user
if(tenantId != MultitenantConstants.SUPER_TENANT_ID){
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
realmService.getTenantManager().getDomain(tenantId),true);
tenantFlowStarted = true;
}
authorizationManager = realmService.getTenantUserRealm(tenantId).getAuthorizationManager();
} finally {
if (tenantFlowStarted) {
PrivilegedCarbonContext.endTenantFlow();
}
}
boolean status = false;
String username = MultitenantUtils.getTenantAwareUsername(authorizedUser.getUserName());
for (String permission : permissionsOfScope) {
if (authorizationManager != null) {
String userStore = authorizedUser.getUserStoreDomain();
if (userStore != null) {
status = authorizationManager
.isUserAuthorized(userStore + "/" + username, permission, UI_EXECUTE);
} else {
status = authorizationManager.isUserAuthorized(username , permission, UI_EXECUTE);
}
if (status) {
break;
}
}
}
if (status) {
if(log.isDebugEnabled()){
log.debug("User '" + authorizedUser.getUserName() + "' is authorized");
}
return true;
}
if(log.isDebugEnabled()){
log.debug("No permissions associated for the user " + authorizedUser.getUserName());
}
return false;
} catch (UserStoreException e) {
//Log and return since we do not want to stop issuing the token in case of scope validation failures.
log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
return false;
}
}
}

@ -0,0 +1,158 @@
/*
* Copyright (c) 2013, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.base.IdentityConstants;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
/**
* The JDBC Scope Validation implementation. This validates the Resource's scope (stored in IDN_OAUTH2_RESOURCE_SCOPE)
* against the Access Token's scopes.
*/
public class RoleBasedScopeValidator extends OAuth2ScopeValidator {
Log log = LogFactory.getLog(RoleBasedScopeValidator.class);
@Override
public boolean validateScope(AccessTokenDO accessTokenDO, String resourceScope) throws IdentityOAuth2Exception {
//Get the list of scopes associated with the access token
String[] scopes = accessTokenDO.getScope();
//If no scopes are associated with the token
if (scopes == null || scopes.length == 0) {
return true;
}
TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
List<String> scopeList = new ArrayList<>(Arrays.asList(scopes));
//If the access token does not bear the scope required for accessing the Resource.
if(!scopeList.contains(resourceScope)){
if(log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.ACCESS_TOKEN)){
log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" +
resourceScope + "'");
}
return false;
}
try {
//Get the roles associated with the scope, if any
Set<String> rolesOfScope = tokenMgtDAO.getRolesOfScopeByScopeKey(resourceScope);
//If the scope doesn't have any roles associated with it.
if(rolesOfScope == null || rolesOfScope.isEmpty()){
if(log.isDebugEnabled()){
log.debug("Did not find any roles associated to the scope " + resourceScope);
}
return true;
}
if(log.isDebugEnabled()){
StringBuilder logMessage = new StringBuilder("Found roles of scope '" + resourceScope + "' ");
for(String role : rolesOfScope){
logMessage.append(role);
logMessage.append(", ");
}
log.debug(logMessage.toString());
}
User authzUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().
getTenantId(authzUser.getTenantDomain());
if (tenantId == 0 || tenantId == -1) {
tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName());
}
UserStoreManager userStoreManager;
String[] userRoles;
boolean tenantFlowStarted = false;
try{
//If this is a tenant user
if(tenantId != MultitenantConstants.SUPER_TENANT_ID){
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
realmService.getTenantManager().getDomain(tenantId),true);
tenantFlowStarted = true;
}
userStoreManager = realmService.getTenantUserRealm(tenantId).getUserStoreManager();
userRoles = userStoreManager.getRoleListOfUser(
MultitenantUtils.getTenantAwareUsername(authzUser.getUserName()));
} finally {
if (tenantFlowStarted) {
PrivilegedCarbonContext.endTenantFlow();
}
}
if(userRoles != null && userRoles.length > 0){
if(log.isDebugEnabled()){
StringBuilder logMessage = new StringBuilder("Found roles of user ");
logMessage.append(authzUser.getUserName());
logMessage.append(" ");
for(String role : userRoles){
logMessage.append(role);
logMessage.append(", ");
}
log.debug(logMessage.toString());
}
//Check if the user still has a valid role for this scope.
rolesOfScope.retainAll(Arrays.asList(userRoles));
return !rolesOfScope.isEmpty();
}
else{
if(log.isDebugEnabled()){
log.debug("No roles associated for the user " + authzUser.getUserName());
}
return false;
}
} catch (UserStoreException e) {
//Log and return since we do not want to stop issuing the token in case of scope validation failures.
log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
return false;
}
}
}
Loading…
Cancel
Save