community/device-mgt-core
1
0
Fork 0
mirror of https://repository.entgra.net/community/device-mgt-core.git synced 2025-10-06 02:01:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adding group permissions checking

Browse Source
This commit is contained in:
Rasika Perera 2016-05-03 19:29:12 +05:30
parent 9cb24d8cec
commit 938eda7c46
2 changed files with 78 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java
View File

@ -28,7 +28,6 @@ import java.util.List;
* accessing the device information and performing MDM operations on devices. * accessing the device information and performing MDM operations on devices.
*/ */
public interface DeviceAccessAuthorizationService { public interface DeviceAccessAuthorizationService {
/** /**
* This method will check whether the currently logged-in user has the access to the device identified by the given * This method will check whether the currently logged-in user has the access to the device identified by the given
* DeviceIdentifier. * DeviceIdentifier.
@ -39,29 +38,55 @@ public interface DeviceAccessAuthorizationService {
*/ */
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException; boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException;
/**
* This method will check whether the currently logged-in user has the access to the device identified by the given
* DeviceIdentifier.
*
* @param deviceIdentifier - DeviceIdentifier of the device to be checked.
* @param groupPermissions - Group Permissions.
* @return Boolean authorization result.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
throws DeviceAccessAuthorizationException;
/** /**
* This method will check whether the currently logged-in user has the access to the devices identified by the given * This method will check whether the currently logged-in user has the access to the devices identified by the given
* DeviceIdentifier list. * DeviceIdentifier list.
* *
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
* unauthorized devices. * devices.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/ */
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
DeviceAccessAuthorizationException; DeviceAccessAuthorizationException;
/**
* This method will check whether the currently logged-in user has the access to the devices identified by the given
* DeviceIdentifier list.
*
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
* @param groupPermissions - Group Permissions
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
* devices.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
throws DeviceAccessAuthorizationException;
/** /**
* This method will check whether the given user has the access to the device identified by the given * This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier. * DeviceIdentifier.
* *
* @param deviceIdentifier - DeviceIdentifier of the device to be checked. * @param deviceIdentifier - DeviceIdentifier of the device to be checked.
* @param username - Username of the user to be checked for authorization. * @param username - Username of the user to be checked for authorization.
* @param permission - Permission * @param groupPermissions - Group Permissions
* @return Boolean authorization result. * @return Boolean authorization result.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/ */
boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException; boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
throws DeviceAccessAuthorizationException;
/** /**
* This method will check whether the given user has the access to the devices identified by the given * This method will check whether the given user has the access to the devices identified by the given
@ -69,20 +94,21 @@ public interface DeviceAccessAuthorizationService {
* *
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
* @param username - User name * @param username - User name
* @param permission - Permission * @param groupPermissions - Group Permissions
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
* unauthorized devices. * devices.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/ */
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, String permission) throws DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
DeviceAccessAuthorizationException; String[] groupPermissions) throws
DeviceAccessAuthorizationException;
/** /**
* This method will check whether the given user has the access to the device identified by the given * This method will check whether the given user has the access to the device identified by the given
* DeviceIdentifier. * DeviceIdentifier.
* *
* @param deviceIdentifier - DeviceIdentifier of the device to be checked. * @param deviceIdentifier - DeviceIdentifier of the device to be checked.
* @param username - Username of the user to be checked for authorization. * @param username - Username of the user to be checked for authorization.
* @return Boolean authorization result. * @return Boolean authorization result.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/ */
@ -94,12 +120,11 @@ public interface DeviceAccessAuthorizationService {
* DeviceIdentifier list. * DeviceIdentifier list.
* *
* @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization. * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
* @param username - Username of the user to be checked for authorization. * @param username - Username of the user to be checked for authorization.
* @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
* unauthorized devices. * devices.
* @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization. * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
*/ */
DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username) throws DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username) throws
DeviceAccessAuthorizationException; DeviceAccessAuthorizationException;
} }

44
components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java
View File

@ -72,7 +72,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
} }
@Override @Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
throws DeviceAccessAuthorizationException { throws DeviceAccessAuthorizationException {
int tenantId = this.getTenantId(); int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) { if (username == null || username.isEmpty()) {
@ -84,10 +84,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
} }
//check for group permissions //check for group permissions
try { try {
if (permission == null || permission.isEmpty()) { if (groupPermissions == null || groupPermissions.length == 0) {
return false; return false;
} }
return checkGroupsPermission(username, tenantId, permission); for (String groupPermission : groupPermissions) {
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
//if at least one fails, authorization fails
return false;
}
}
return true;
} catch (GroupManagementException | UserStoreException e) { } catch (GroupManagementException | UserStoreException e) {
throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " + throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
deviceIdentifier.getId() + " for the user : " + deviceIdentifier.getId() + " for the user : " +
@ -101,6 +107,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
return isUserAuthorized(deviceIdentifier, username, null); return isUserAuthorized(deviceIdentifier, username, null);
} }
@Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions);
}
@Override @Override
public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException { public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifier, this.getUserName(), null); return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
@ -108,7 +120,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
@Override @Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
String permission) String[] groupPermissions)
throws DeviceAccessAuthorizationException { throws DeviceAccessAuthorizationException {
int tenantId = this.getTenantId(); int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) { if (username == null || username.isEmpty()) {
@ -121,11 +133,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else { } else {
try { try {
if (permission == null || permission.isEmpty()) { if (groupPermissions == null || groupPermissions.length == 0) {
return null; return null;
} }
//check for group permissions //check for group permissions
if (checkGroupsPermission(username, tenantId, permission)) { boolean isAuthorized = true;
for (String groupPermission : groupPermissions) {
if (!checkGroupsPermission(username, tenantId, groupPermission)) {
//if at least one failed, authorizations fails and break the loop
isAuthorized = false;
break;
}
}
if (isAuthorized) {
deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier); deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
} else { } else {
deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier); deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
@ -152,6 +172,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
return isUserAuthorized(deviceIdentifiers, this.getUserName(), null); return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
} }
@Override
public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
throws DeviceAccessAuthorizationException {
return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions);
}
private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier) private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
throws DeviceAccessAuthorizationException { throws DeviceAccessAuthorizationException {
try { try {
@ -165,11 +191,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
} }
} }
private boolean checkGroupsPermission(String username, int tenantId, String permission) private boolean checkGroupsPermission(String username, int tenantId, String groupPermission)
throws GroupManagementException, UserStoreException { throws GroupManagementException, UserStoreException {
List<DeviceGroup> groups = List<DeviceGroup> groups =
DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username, DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
permission); groupPermission);
UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId); UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) { if (userRealm != null && userRealm.getAuthorizationManager() != null) {
Iterator<DeviceGroup> groupIterator = groups.iterator(); Iterator<DeviceGroup> groupIterator = groups.iterator();
@ -179,7 +205,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
while (rolesIterator.hasNext()) { while (rolesIterator.hasNext()) {
String role = rolesIterator.next(); String role = rolesIterator.next();
if (userRealm.getAuthorizationManager().isRoleAuthorized( if (userRealm.getAuthorizationManager().isRoleAuthorized(
"Internal/group-" + deviceGroup.getId() + "-" + role, permission, "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
CarbonConstants.UI_PERMISSION_ACTION)) { CarbonConstants.UI_PERMISSION_ACTION)) {
return true; return true;
} }