Allow users with CDM Admin permission to retrieve activities

2025-10-06 02:01:45 +00:00 · 2021-11-05 20:44:06 +05:30 · 2021-11-05 20:44:06 +05:30 · 6f008ea65f
commit 6f008ea65f
parent 3fea6f79c7
2 changed files with 37 additions and 11 deletions
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java
@ -66,7 +66,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
                                @HeaderParam("If-Modified-Since") String ifModifiedSince) {
        Activity activity;
        DeviceManagementProviderService dmService;
-        Response response = validateAdminUser();
+        Response response = validateAdminPermission();
        if (response == null) {
            try {
                RequestValidationUtil.validateActivityId(id);
@ -103,7 +103,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
            return Response.status(400).entity(
                    new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
        }
-        Response validationFailedResponse = validateAdminUser();
+        Response validationFailedResponse = validateAdminPermission();
        if (validationFailedResponse == null) {
            List<Activity> activities;
            ActivityList activityList = new ActivityList();
@ -184,7 +184,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
            log.debug("getActivities -> Operation Code : " +operationCode+ "offset " + offset + " limit: " + limit );
        }
        RequestValidationUtil.validatePaginationParameters(offset, limit);
-        Response response = validateAdminUser();
+        Response response = validateAdminPermission();
        if(response == null){
            List<Activity> activities;
            ActivityList activityList = new ActivityList();
@ -272,7 +272,7 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
        if (log.isDebugEnabled()) {
            log.debug("getActivities final timestamp " + timestamp);
        }
-        Response response = validateAdminUser();
+        Response response = validateAdminPermission();
        if (response == null) {
            ActivityList activityList = new ActivityList();
            DeviceManagementProviderService dmService;
@ -330,19 +330,21 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
        }
    }

-    private Response validateAdminUser(){
+    private Response validateAdminPermission() {
+        //TODO: also check initiated by field to check current user has added the operation, if so allow access.
        try {
-            if (!DeviceMgtAPIUtils.isAdmin()) {
-                return Response.status(Response.Status.UNAUTHORIZED).entity("Unauthorized operation! Only admin role can perform " +
-                        "this operation.").build();
+            if (!DeviceMgtAPIUtils.isAdminUser()) {
+                return Response.status(Response.Status.UNAUTHORIZED)
+                        .entity("Unauthorized operation! Only users with CDM ADMIN PERMISSION " +
+                                "can perform this operation.").build();
            }
            return null;
        } catch (UserStoreException e) {
-            String msg
-                    = "Error occurred while validating the user have admin role!";
+            String msg = "Error occurred while validating the user have admin permission!";
            log.error(msg, e);
            return Response.serverError().entity(
                    new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
        }
    }
+
 }
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java
@ -36,6 +36,7 @@
 package org.wso2.carbon.device.mgt.jaxrs.util;

 import io.entgra.application.mgt.common.services.ApplicationManager;
+import io.entgra.application.mgt.common.services.SubscriptionManager;
 import org.apache.axis2.AxisFault;
 import org.apache.axis2.client.Options;
 import org.apache.axis2.java.security.SSLProtocolSocketFactory;
@ -46,13 +47,13 @@ import org.apache.commons.httpclient.protocol.Protocol;
 import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.analytics.api.AnalyticsDataAPI;
 import org.wso2.carbon.analytics.stream.persistence.stub.EventStreamPersistenceAdminServiceStub;
 import org.wso2.carbon.base.ServerConfiguration;
 import org.wso2.carbon.context.CarbonContext;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.core.util.Utils;
-import io.entgra.application.mgt.common.services.SubscriptionManager;
 import org.wso2.carbon.device.mgt.common.Device;
 import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
 import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
@ -81,6 +82,7 @@ import org.wso2.carbon.device.mgt.common.spi.OTPManagementService;
 import org.wso2.carbon.device.mgt.core.app.mgt.ApplicationManagementProviderService;
 import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager;
 import org.wso2.carbon.device.mgt.core.dto.DeviceTypeVersion;
+import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
 import org.wso2.carbon.device.mgt.core.privacy.PrivacyComplianceProvider;
 import org.wso2.carbon.device.mgt.core.search.mgt.SearchManagerService;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
@ -141,6 +143,7 @@ import java.util.Queue;
 */
 public class DeviceMgtAPIUtils {

+    private final static String CDM_ADMIN_PERMISSION = "/device-mgt/devices/any-device/permitted-actions-under-owning-device";
    private static final String NOTIFIER_FREQUENCY = "notifierFrequency";
    private static final String STREAM_DEFINITION_PREFIX = "iot.per.device.stream.";
    private static final String DEFAULT_HTTP_PROTOCOL = "https";
@ -873,6 +876,27 @@ public class DeviceMgtAPIUtils {
        return false;
    }

+    public static boolean isAdminUser() throws UserStoreException {
+        int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(true);
+        String userName = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
+        UserRealm userRealm = DeviceMgtAPIUtils.getRealmService().getTenantUserRealm(tenantId);
+        if (userRealm != null && userRealm.getAuthorizationManager() != null) {
+            return userRealm.getAuthorizationManager()
+                    .isUserAuthorized(removeTenantDomain(userName),
+                            PermissionUtils.getAbsolutePermissionPath(CDM_ADMIN_PERMISSION),
+                            CarbonConstants.UI_PERMISSION_ACTION);
+        }
+        return false;
+    }
+
+    private static String removeTenantDomain(String username) {
+        String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+        if (username.endsWith(tenantDomain)) {
+            return username.substring(0, username.lastIndexOf("@"));
+        }
+        return username;
+    }
+
    public static DeviceTypeVersion convertDeviceTypeVersionWrapper(String deviceTypeName, int deviceTypeId,
            DeviceTypeVersionWrapper deviceTypeVersion) {
        DeviceTypeVersion typeVersion = new DeviceTypeVersion();