mirror of
https://repository.entgra.net/community/device-mgt-core.git
synced 2025-10-06 02:01:45 +00:00
Adding group permissions checking
This commit is contained in:
Rasika Perera
parent
9cb24d8cec
commit
938eda7c46
@ -28,7 +28,6 @@ import java.util.List;
|
||||
* accessing the device information and performing MDM operations on devices.
|
||||
*/
|
||||
public interface DeviceAccessAuthorizationService {
|
||||
|
||||
/**
|
||||
* This method will check whether the currently logged-in user has the access to the device identified by the given
|
||||
* DeviceIdentifier.
|
||||
@ -39,29 +38,55 @@ public interface DeviceAccessAuthorizationService {
|
||||
*/
|
||||
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException;
|
||||
|
||||
/**
|
||||
* This method will check whether the currently logged-in user has the access to the device identified by the given
|
||||
* DeviceIdentifier.
|
||||
*
|
||||
* @param deviceIdentifier - DeviceIdentifier of the device to be checked.
|
||||
* @param groupPermissions - Group Permissions.
|
||||
* @return Boolean authorization result.
|
||||
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
|
||||
*/
|
||||
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
|
||||
throws DeviceAccessAuthorizationException;
|
||||
|
||||
/**
|
||||
* This method will check whether the currently logged-in user has the access to the devices identified by the given
|
||||
* DeviceIdentifier list.
|
||||
*
|
||||
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
|
||||
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
|
||||
* unauthorized devices.
|
||||
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
|
||||
* devices.
|
||||
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
|
||||
*/
|
||||
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
|
||||
DeviceAccessAuthorizationException;
|
||||
DeviceAccessAuthorizationException;
|
||||
|
||||
/**
|
||||
* This method will check whether the currently logged-in user has the access to the devices identified by the given
|
||||
* DeviceIdentifier list.
|
||||
*
|
||||
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
|
||||
* @param groupPermissions - Group Permissions
|
||||
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
|
||||
* devices.
|
||||
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
|
||||
*/
|
||||
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
|
||||
throws DeviceAccessAuthorizationException;
|
||||
|
||||
/**
|
||||
* This method will check whether the given user has the access to the device identified by the given
|
||||
* DeviceIdentifier.
|
||||
*
|
||||
* @param deviceIdentifier - DeviceIdentifier of the device to be checked.
|
||||
* @param username - Username of the user to be checked for authorization.
|
||||
* @param permission - Permission
|
||||
* @param username - Username of the user to be checked for authorization.
|
||||
* @param groupPermissions - Group Permissions
|
||||
* @return Boolean authorization result.
|
||||
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
|
||||
*/
|
||||
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException;
|
||||
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
|
||||
throws DeviceAccessAuthorizationException;
|
||||
|
||||
/**
|
||||
* This method will check whether the given user has the access to the devices identified by the given
|
||||
@ -69,20 +94,21 @@ public interface DeviceAccessAuthorizationService {
|
||||
*
|
||||
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
|
||||
* @param username - User name
|
||||
* @param permission - Permission
|
||||
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
|
||||
* unauthorized devices.
|
||||
* @param groupPermissions - Group Permissions
|
||||
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
|
||||
* devices.
|
||||
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
|
||||
*/
|
||||
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, String permission) throws
|
||||
DeviceAccessAuthorizationException;
|
||||
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
|
||||
String[] groupPermissions) throws
|
||||
DeviceAccessAuthorizationException;
|
||||
|
||||
/**
|
||||
* This method will check whether the given user has the access to the device identified by the given
|
||||
* DeviceIdentifier.
|
||||
*
|
||||
* @param deviceIdentifier - DeviceIdentifier of the device to be checked.
|
||||
* @param username - Username of the user to be checked for authorization.
|
||||
* @param username - Username of the user to be checked for authorization.
|
||||
* @return Boolean authorization result.
|
||||
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
|
||||
*/
|
||||
@ -94,12 +120,11 @@ public interface DeviceAccessAuthorizationService {
|
||||
* DeviceIdentifier list.
|
||||
*
|
||||
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
|
||||
* @param username - Username of the user to be checked for authorization.
|
||||
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
|
||||
* unauthorized devices.
|
||||
* @param username - Username of the user to be checked for authorization.
|
||||
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
|
||||
* devices.
|
||||
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
|
||||
*/
|
||||
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username) throws
|
||||
DeviceAccessAuthorizationException;
|
||||
|
||||
DeviceAccessAuthorizationException;
|
||||
}
|
||||
@ -72,7 +72,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission)
|
||||
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
|
||||
throws DeviceAccessAuthorizationException {
|
||||
int tenantId = this.getTenantId();
|
||||
if (username == null || username.isEmpty()) {
|
||||
@ -84,10 +84,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
}
|
||||
//check for group permissions
|
||||
try {
|
||||
if (permission == null || permission.isEmpty()) {
|
||||
if (groupPermissions == null || groupPermissions.length == 0) {
|
||||
return false;
|
||||
}
|
||||
return checkGroupsPermission(username, tenantId, permission);
|
||||
for (String groupPermission : groupPermissions) {
|
||||
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
|
||||
//if at least one fails, authorization fails
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
} catch (GroupManagementException | UserStoreException e) {
|
||||
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
|
||||
deviceIdentifier.getId() + " for the user : " +
|
||||
@ -101,6 +107,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
return isUserAuthorized(deviceIdentifier, username, null);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
|
||||
throws DeviceAccessAuthorizationException {
|
||||
return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
|
||||
return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
|
||||
@ -108,7 +120,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
|
||||
@Override
|
||||
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
|
||||
String permission)
|
||||
String[] groupPermissions)
|
||||
throws DeviceAccessAuthorizationException {
|
||||
int tenantId = this.getTenantId();
|
||||
if (username == null || username.isEmpty()) {
|
||||
@ -121,11 +133,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
|
||||
} else {
|
||||
try {
|
||||
if (permission == null || permission.isEmpty()) {
|
||||
if (groupPermissions == null || groupPermissions.length == 0) {
|
||||
return null;
|
||||
}
|
||||
//check for group permissions
|
||||
if (checkGroupsPermission(username, tenantId, permission)) {
|
||||
boolean isAuthorized = true;
|
||||
for (String groupPermission : groupPermissions) {
|
||||
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
|
||||
//if at least one failed, authorizations fails and break the loop
|
||||
isAuthorized = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (isAuthorized) {
|
||||
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
|
||||
} else {
|
||||
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
|
||||
@ -152,6 +172,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
|
||||
}
|
||||
|
||||
@Override
|
||||
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
|
||||
throws DeviceAccessAuthorizationException {
|
||||
return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions);
|
||||
}
|
||||
|
||||
private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
|
||||
throws DeviceAccessAuthorizationException {
|
||||
try {
|
||||
@ -165,11 +191,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
}
|
||||
}
|
||||
|
||||
private boolean checkGroupsPermission(String username, int tenantId, String permission)
|
||||
private boolean checkGroupsPermission(String username, int tenantId, String groupPermission)
|
||||
throws GroupManagementException, UserStoreException {
|
||||
List<DeviceGroup> groups =
|
||||
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
|
||||
permission);
|
||||
groupPermission);
|
||||
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
|
||||
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
|
||||
Iterator<DeviceGroup> groupIterator = groups.iterator();
|
||||
@ -179,7 +205,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
|
||||
while (rolesIterator.hasNext()) {
|
||||
String role = rolesIterator.next();
|
||||
if (userRealm.getAuthorizationManager().isRoleAuthorized(
|
||||
"Internal/group-" + deviceGroup.getId() + "-" + role, permission,
|
||||
"Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
|
||||
CarbonConstants.UI_PERMISSION_ACTION)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user