community/device-mgt-core
1
0
Fork 0
mirror of https://repository.entgra.net/community/device-mgt-core.git synced 2025-10-06 02:01:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adding group permission checking for Device Access Authorizations

Browse Source
This commit is contained in:
Rasika Perera 2016-05-03 00:33:19 +05:30
parent 07c0aa1045
commit 38cdd94f3c
4 changed files with 156 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java
View File

@ -51,6 +51,32 @@ public interface DeviceAccessAuthorizationService {
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
DeviceAccessAuthorizationException; DeviceAccessAuthorizationException;
/**
* This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier.
*
* @param deviceIdentifier - DeviceIdentifier of the device to be checked.
* @param username - Username of the user to be checked for authorization.
* @param permission - Permission
* @return Boolean authorization result.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException;
/**
* This method will check whether the given user has the access to the devices identified by the given
* DeviceIdentifier list.
*
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
* @param username - User name
* @param permission - Permission
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
* unauthorized devices.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, String permission) throws
DeviceAccessAuthorizationException;
/** /**
* This method will check whether the given user has the access to the device identified by the given * This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier. * DeviceIdentifier.

224
components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java
View File

@ -20,20 +20,26 @@ package org.wso2.carbon.device.mgt.core.authorization;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.*; import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.DeviceManagementException;
import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService; import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult; import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder; import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils; import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -66,157 +72,147 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
} }
@Override @Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission)
boolean status; throws DeviceAccessAuthorizationException {
String username = this.getUserName();
int tenantId = this.getTenantId(); int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) { if (username == null || username.isEmpty()) {
return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType()); return false;
} }
//check for admin and ownership permissions
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
return true;
}
//check for group permissions
try { try {
//Check for admin users. If the user is an admin user we authorize the access to that device. if (permission == null || permission.isEmpty()) {
status = isAdminUser(username, tenantId); return false;
} catch (UserStoreException e) { }
return checkGroupsPermission(username, tenantId, permission);
} catch (GroupManagementException | UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e); deviceIdentifier.getId() + " for the user : " +
}
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
status = true;
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
}
}
return status;
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
DeviceAccessAuthorizationException {
boolean status;
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
String username = this.getUserName();
int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) {
return deviceAuthorizationResult;
}
try {
//Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId);
} catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " +
username, e); username, e);
} }
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
//Get the list of devices of the user
List<Device> devicesOfUser = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevicesOfUser(username);
//Convert device-list to a Map
Map<String, String> ownershipData = this.getOwnershipOfDevices(devicesOfUser);
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
if (ownershipData.containsKey(deviceIdentifier.getId())) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
}
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
+ username, e);
}
} else {
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
}
return deviceAuthorizationResult;
} }
@Override @Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username) public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username)
throws DeviceAccessAuthorizationException { throws DeviceAccessAuthorizationException {
boolean status; return isUserAuthorized(deviceIdentifier, username, null);
}
@Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
}
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
String permission)
throws DeviceAccessAuthorizationException {
int tenantId = this.getTenantId(); int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) { if (username == null || username.isEmpty()) {
return false; return null;
} }
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
//check for admin and ownership permissions
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
try { try {
//Check for admin users. If the user is an admin user we authorize the access to that device. if (permission == null || permission.isEmpty()) {
status = isAdminUser(username, tenantId); return null;
} catch (UserStoreException e) { }
//check for group permissions
if (checkGroupsPermission(username, tenantId, permission)) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
}
} catch (GroupManagementException | UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e); deviceIdentifier.getId() + " for the user : " +
} username, e);
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
status = true;
}
} catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + username, e);
} }
} }
return status; }
return deviceAuthorizationResult;
} }
@Override @Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username) public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username)
throws DeviceAccessAuthorizationException { throws DeviceAccessAuthorizationException {
boolean status; return isUserAuthorized(deviceIdentifiers, username, null);
int tenantId = this.getTenantId();
DeviceAuthorizationResult deviceAuthorizationResult = new DeviceAuthorizationResult();
if (username == null || username.isEmpty()) {
return null;
} }
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
}
private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
throws DeviceAccessAuthorizationException {
try { try {
//Check for admin users. If the user is an admin user we authorize the access to that device. //First Check for admin users. If the user is an admin user we authorize the access to that device.
status = isAdminUser(username, tenantId); //Secondly Check for device ownership. If the user is the owner of the device we allow the access.
return (isAdminUser(username, tenantId) || isDeviceOwner(deviceIdentifier, username));
} catch (UserStoreException e) { } catch (UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " +
username, e); username, e);
} }
//Check for device ownership. If the user is the owner of the device we allow the access.
if (!status) {
try {
Device device;
EnrolmentInfo enrolmentInfo;
for (DeviceIdentifier deviceIdentifier : deviceIdentifiers) {
device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
} }
private boolean checkGroupsPermission(String username, int tenantId, String permission)
throws GroupManagementException, UserStoreException {
List<DeviceGroup> groups =
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
permission);
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
Iterator<DeviceGroup> groupIterator = groups.iterator();
while (groupIterator.hasNext()) {
DeviceGroup deviceGroup = groupIterator.next();
Iterator<String> rolesIterator = deviceGroup.getRoles().iterator();
while (rolesIterator.hasNext()) {
String role = rolesIterator.next();
if (userRealm.getAuthorizationManager().isRoleAuthorized(
"Internal/group-" + deviceGroup.getId() + "-" + role, permission,
CarbonConstants.UI_PERMISSION_ACTION)) {
return true;
}
}
}
}
return false;
}
private boolean isDeviceOwner(DeviceIdentifier deviceIdentifier, String username)
throws DeviceAccessAuthorizationException {
//Check for device ownership. If the user is the owner of the device we allow the access.
try {
Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
getDevice(deviceIdentifier);
EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
return true;
} }
} catch (DeviceManagementException e) { } catch (DeviceManagementException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : " throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
+ username, e); deviceIdentifier.getId() + " for the user : " +
username, e);
} }
} else { return false;
deviceAuthorizationResult.setAuthorizedDevices(deviceIdentifiers);
}
return deviceAuthorizationResult;
} }
private boolean isAdminUser(String username, int tenantId) throws UserStoreException { private boolean isAdminUser(String username, int tenantId) throws UserStoreException {
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) { if (userRealm != null && userRealm.getAuthorizationManager() != null) {
return userRealm.getAuthorizationManager() return userRealm.getAuthorizationManager()
.isUserAuthorized(removeTenantDomain(username), PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION), .isUserAuthorized(removeTenantDomain(username),
PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION),
PermissionMethod.UI_EXECUTE); PermissionMethod.UI_EXECUTE);
} }
return false; return false;

11
components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementDataHolder.java
View File

@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManager;
import org.wso2.carbon.device.mgt.core.app.mgt.config.AppManagementConfig; import org.wso2.carbon.device.mgt.core.app.mgt.config.AppManagementConfig;
import org.wso2.carbon.device.mgt.core.config.license.LicenseConfig; import org.wso2.carbon.device.mgt.core.config.license.LicenseConfig;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService;
import org.wso2.carbon.ntask.core.service.TaskService; import org.wso2.carbon.ntask.core.service.TaskService;
import org.wso2.carbon.registry.core.service.RegistryService; import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
@ -47,6 +48,7 @@ public class DeviceManagementDataHolder {
private ConfigurationContextService configurationContextService; private ConfigurationContextService configurationContextService;
private HashMap<String,Boolean> requireDeviceAuthorization = new HashMap<>(); private HashMap<String,Boolean> requireDeviceAuthorization = new HashMap<>();
private DeviceAccessAuthorizationService deviceAccessAuthorizationService; private DeviceAccessAuthorizationService deviceAccessAuthorizationService;
private GroupManagementProviderService groupManagementProviderService;
private TaskService taskService; private TaskService taskService;
//private EmailSenderService emailSenderService; //private EmailSenderService emailSenderService;
@ -91,6 +93,15 @@ public class DeviceManagementDataHolder {
this.deviceManagerProvider = deviceManagerProvider; this.deviceManagerProvider = deviceManagerProvider;
} }
public GroupManagementProviderService getGroupManagementProviderService() {
return groupManagementProviderService;
}
public void setGroupManagementProviderService(
GroupManagementProviderService groupManagementProviderService) {
this.groupManagementProviderService = groupManagementProviderService;
}
public RegistryService getRegistryService() { public RegistryService getRegistryService() {
if (registryService == null) { if (registryService == null) {
throw new IllegalStateException("Registry service is not initialized properly"); throw new IllegalStateException("Registry service is not initialized properly");

1
components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java
View File

@ -195,6 +195,7 @@ public class DeviceManagementServiceComponent {
/* Registering Group Management Service */ /* Registering Group Management Service */
GroupManagementProviderService groupManagementProvider = new GroupManagementProviderServiceImpl(); GroupManagementProviderService groupManagementProvider = new GroupManagementProviderServiceImpl();
DeviceManagementDataHolder.getInstance().setGroupManagementProviderService(groupManagementProvider);
bundleContext.registerService(GroupManagementProviderService.class.getName(), groupManagementProvider, null); bundleContext.registerService(GroupManagementProviderService.class.getName(), groupManagementProvider, null);
/* Registering Tenant Configuration Management Service */ /* Registering Tenant Configuration Management Service */