Merge branch 'master' of https://github.com/rasika90/carbon-device-mgt

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/api/Group.java

@@ -22,9 +22,9 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
-import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
 import org.wso2.carbon.device.mgt.common.PaginationResult;
 import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
+import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroupConstants;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupAlreadyEixistException;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser;
@@ -48,20 +48,6 @@ import java.util.List;
 @SuppressWarnings("NonJaxWsWebServices")
 public class Group {
 
-    private static final String DEFAULT_ADMIN_ROLE = "admin";
-    private static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations";
-    private static final String DEFAULT_STATS_MONITOR_ROLE = "view-statistics";
-    private static final String DEFAULT_VIEW_POLICIES = "view-policies";
-    private static final String DEFAULT_MANAGE_POLICIES = "mange-policies";
-    private static final String DEFAULT_VIEW_EVENTS = "view-events";
-    private static final String[] DEFAULT_ADMIN_PERMISSIONS = {"/permission/device-mgt/admin/groups",
-                                                               "/permission/device-mgt/user/groups"};
-    private static final String[] DEFAULT_OPERATOR_PERMISSIONS = {"/permission/device-mgt/user/groups/device_operation"};
-    private static final String[] DEFAULT_STATS_MONITOR_PERMISSIONS = {"/permission/device-mgt/user/groups/device_monitor"};
-    private static final String[] DEFAULT_MANAGE_POLICIES_PERMISSIONS = {"/permission/device-mgt/user/groups/device_policies/add"};
-    private static final String[] DEFAULT_VIEW_POLICIES_PERMISSIONS = {"/permission/device-mgt/user/groups/device_policies/view"};
-    private static final String[] DEFAULT_VIEW_EVENTS_PERMISSIONS = {"/permission/device-mgt/user/groups/device_events"};
-
     private static Log log = LogFactory.getLog(Group.class);
 
     @POST
@@ -76,18 +62,18 @@ public class Group {
         group.setDateOfLastUpdate(new Date().getTime());
         try {
             GroupManagementProviderService groupManagementService = DeviceMgtAPIUtils.getGroupManagementProviderService();
-            groupManagementService.createGroup(group, DEFAULT_ADMIN_ROLE, DEFAULT_ADMIN_PERMISSIONS);
+            groupManagementService.createGroup(group, DeviceGroupConstants.Roles.DEFAULT_ADMIN_ROLE, DeviceGroupConstants.Permissions.DEFAULT_ADMIN_PERMISSIONS);
             groupManagementService.addGroupSharingRole(owner, group.getName(), owner,
-                                                       DEFAULT_OPERATOR_ROLE,
+                                                       DeviceGroupConstants.Roles.DEFAULT_OPERATOR_ROLE,
-                                                       DEFAULT_OPERATOR_PERMISSIONS);
+                                                       DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
-            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_STATS_MONITOR_ROLE,
+            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_STATS_MONITOR_ROLE,
-                                                       DEFAULT_STATS_MONITOR_PERMISSIONS);
+                                                       DeviceGroupConstants.Permissions.DEFAULT_STATS_MONITOR_PERMISSIONS);
-            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_VIEW_POLICIES,
+            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_VIEW_POLICIES,
-                                                       DEFAULT_VIEW_POLICIES_PERMISSIONS);
+                                                       DeviceGroupConstants.Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS);
-            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_MANAGE_POLICIES,
+            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_MANAGE_POLICIES,
-                                                       DEFAULT_MANAGE_POLICIES_PERMISSIONS);
+                                                       DeviceGroupConstants.Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS);
-            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DEFAULT_VIEW_EVENTS,
+            groupManagementService.addGroupSharingRole(owner, group.getName(), owner, DeviceGroupConstants.Roles.DEFAULT_VIEW_EVENTS,
-                                                       DEFAULT_VIEW_EVENTS_PERMISSIONS);
+                                                       DeviceGroupConstants.Permissions.DEFAULT_VIEW_EVENTS_PERMISSIONS);
             return Response.status(Response.Status.CREATED).build();
         } catch (GroupAlreadyEixistException e) {
             return Response.status(Response.Status.CONFLICT).entity(e.getMessage()).build();

components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java

@@ -28,7 +28,6 @@ import java.util.List;
  * accessing the device information and performing MDM operations on devices.
  */
 public interface DeviceAccessAuthorizationService {
-
     /**
      * This method will check whether the currently logged-in user has the access to the device identified by the given
      * DeviceIdentifier.
@@ -39,29 +38,55 @@ public interface DeviceAccessAuthorizationService {
      */
     boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException;
 
+    /**
+     * This method will check whether the currently logged-in user has the access to the device identified by the given
+     * DeviceIdentifier.
+     *
+     * @param deviceIdentifier - DeviceIdentifier of the device to be checked.
+     * @param groupPermissions - Group Permissions.
+     * @return Boolean authorization result.
+     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
+     */
+    boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException;
+
     /**
      * This method will check whether the currently logged-in user has the access to the devices identified by the given
      * DeviceIdentifier list.
      *
      * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
-     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
-     * unauthorized devices.
+     * devices.
      * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
      */
     DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers) throws
                                                                                          DeviceAccessAuthorizationException;
 
+    /**
+     * This method will check whether the currently logged-in user has the access to the devices identified by the given
+     * DeviceIdentifier list.
+     *
+     * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
+     * @param groupPermissions  - Group Permissions
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
+     * devices.
+     * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
+     */
+    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException;
+
     /**
      * This method will check whether the given user has the access to the device identified by the given
      * DeviceIdentifier.
      *
      * @param deviceIdentifier - DeviceIdentifier of the device to be checked.
      * @param username         - Username of the user to be checked for authorization.
-     * @param permission       - Permission
+     * @param groupPermissions - Group Permissions
      * @return Boolean authorization result.
      * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
      */
-     boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission) throws DeviceAccessAuthorizationException;
+    boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException;
 
     /**
      * This method will check whether the given user has the access to the devices identified by the given
@@ -69,12 +94,13 @@ public interface DeviceAccessAuthorizationService {
      *
      * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
      * @param username          - User name
-     * @param permission        - Permission
+     * @param groupPermissions  - Group Permissions
-     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
-     * unauthorized devices.
+     * devices.
      * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
      */
-    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username, String permission) throws
+    DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
+                                               String[] groupPermissions) throws
                                                                           DeviceAccessAuthorizationException;
 
     /**
@@ -95,11 +121,10 @@ public interface DeviceAccessAuthorizationService {
      *
      * @param deviceIdentifiers - List of DeviceIdentifiers to be checked for authorization.
      * @param username          - Username of the user to be checked for authorization.
-     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices &
+     * @return DeviceAuthorizationResult - Authorization result including the list of authorized devices & unauthorized
-     * unauthorized devices.
+     * devices.
      * @throws DeviceAccessAuthorizationException if something goes wrong when checking the authorization.
      */
     DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username) throws
                                                                                                           DeviceAccessAuthorizationException;
-
 }

components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.wso2.carbon.device.mgt.common.group.mgt;
+
+
+/**
+ * Holds Device Group constants and expose to external access
+ */
+public class DeviceGroupConstants {
+    public enum RolePermissions {
+        DEFAULT_ADMIN_ROLE(Roles.DEFAULT_ADMIN_ROLE),
+        DEFAULT_OPERATOR_ROLE(Roles.DEFAULT_OPERATOR_ROLE),
+        DEFAULT_STATS_MONITOR_ROLE(Roles.DEFAULT_STATS_MONITOR_ROLE),
+        DEFAULT_VIEW_POLICIES(Roles.DEFAULT_VIEW_POLICIES),
+        DEFAULT_MANAGE_POLICIES(Roles.DEFAULT_MANAGE_POLICIES),
+        DEFAULT_VIEW_EVENTS(Roles.DEFAULT_VIEW_EVENTS);
+
+        private String value;
+        private String[] permissions;
+
+        RolePermissions(String value) {
+            this.value = value;
+        }
+
+        static {
+            DEFAULT_ADMIN_ROLE.permissions = Permissions.DEFAULT_ADMIN_PERMISSIONS;
+            DEFAULT_OPERATOR_ROLE.permissions = Permissions.DEFAULT_OPERATOR_PERMISSIONS;
+            DEFAULT_STATS_MONITOR_ROLE.permissions = Permissions.DEFAULT_STATS_MONITOR_PERMISSIONS;
+            DEFAULT_VIEW_POLICIES.permissions = Permissions.DEFAULT_MANAGE_POLICIES_PERMISSIONS;
+            DEFAULT_MANAGE_POLICIES.permissions = Permissions.DEFAULT_VIEW_POLICIES_PERMISSIONS;
+            DEFAULT_VIEW_EVENTS.permissions = Permissions.DEFAULT_VIEW_EVENTS_PERMISSIONS;
+        }
+
+        @Override
+        public String toString(){
+            return this.value;
+        }
+
+        public String[] getPermissions(){
+            return permissions;
+        }
+    }
+
+    public static class Roles {
+        public static final String DEFAULT_ADMIN_ROLE = "admin";
+        public static final String DEFAULT_OPERATOR_ROLE = "invoke-device-operations";
+        public static final String DEFAULT_STATS_MONITOR_ROLE = "view-statistics";
+        public static final String DEFAULT_VIEW_POLICIES = "view-policies";
+        public static final String DEFAULT_MANAGE_POLICIES = "mange-policies";
+        public static final String DEFAULT_VIEW_EVENTS = "view-events";
+    }
+
+    public static class Permissions {
+        public static final String[] DEFAULT_ADMIN_PERMISSIONS =
+                {"/permission/device-mgt/admin/groups", "/permission/device-mgt/user/groups"};
+        public static final String[] DEFAULT_OPERATOR_PERMISSIONS =
+                {"/permission/device-mgt/user/groups/device_operation"};
+        public static final String[] DEFAULT_STATS_MONITOR_PERMISSIONS =
+                {"/permission/device-mgt/user/groups/device_monitor"};
+        public static final String[] DEFAULT_MANAGE_POLICIES_PERMISSIONS =
+                {"/permission/device-mgt/user/groups/device_policies/add"};
+        public static final String[] DEFAULT_VIEW_POLICIES_PERMISSIONS =
+                {"/permission/device-mgt/user/groups/device_policies/view"};
+        public static final String[] DEFAULT_VIEW_EVENTS_PERMISSIONS =
+                {"/permission/device-mgt/user/groups/device_events"};
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java

@@ -72,7 +72,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
     }
 
     @Override
-    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String permission)
+    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String username, String[] groupPermissions)
             throws DeviceAccessAuthorizationException {
         int tenantId = this.getTenantId();
         if (username == null || username.isEmpty()) {
@@ -84,10 +84,16 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         }
         //check for group permissions
         try {
-            if (permission == null || permission.isEmpty()) {
+            if (groupPermissions == null || groupPermissions.length == 0) {
                 return false;
             }
-            return checkGroupsPermission(username, tenantId, permission);
+            for (String groupPermission : groupPermissions) {
+                if (!checkGroupsPermission(username, tenantId, groupPermission)) {
+                    //if at least one fails, authorization fails
+                    return false;
+                }
+            }
+            return true;
         } catch (GroupManagementException | UserStoreException e) {
             throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
                                                                  deviceIdentifier.getId() + " for the user : " +
@@ -101,6 +107,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         return isUserAuthorized(deviceIdentifier, username, null);
     }
 
+    @Override
+    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException {
+        return isUserAuthorized(deviceIdentifier, this.getUserName(), groupPermissions);
+    }
+
     @Override
     public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
         return isUserAuthorized(deviceIdentifier, this.getUserName(), null);
@@ -108,7 +120,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
 
     @Override
     public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String username,
-                                                      String permission)
+                                                      String[] groupPermissions)
             throws DeviceAccessAuthorizationException {
         int tenantId = this.getTenantId();
         if (username == null || username.isEmpty()) {
@@ -121,11 +133,19 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
                 deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
             } else {
                 try {
-                    if (permission == null || permission.isEmpty()) {
+                    if (groupPermissions == null || groupPermissions.length == 0) {
                         return null;
                     }
                     //check for group permissions
-                    if (checkGroupsPermission(username, tenantId, permission)) {
+                    boolean isAuthorized = true;
+                    for (String groupPermission : groupPermissions) {
+                        if (!checkGroupsPermission(username, tenantId, groupPermission)) {
+                            //if at least one failed, authorizations fails and break the loop
+                            isAuthorized = false;
+                            break;
+                        }
+                    }
+                    if (isAuthorized) {
                         deviceAuthorizationResult.addAuthorizedDevice(deviceIdentifier);
                     } else {
                         deviceAuthorizationResult.addUnauthorizedDevice(deviceIdentifier);
@@ -152,6 +172,12 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         return isUserAuthorized(deviceIdentifiers, this.getUserName(), null);
     }
 
+    @Override
+    public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> deviceIdentifiers, String[] groupPermissions)
+            throws DeviceAccessAuthorizationException {
+        return isUserAuthorized(deviceIdentifiers, this.getUserName(), groupPermissions);
+    }
+
     private boolean isAdminOrDeviceOwner(String username, int tenantId, DeviceIdentifier deviceIdentifier)
             throws DeviceAccessAuthorizationException {
         try {
@@ -165,11 +191,11 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
         }
     }
 
-    private boolean checkGroupsPermission(String username, int tenantId, String permission)
+    private boolean checkGroupsPermission(String username, int tenantId, String groupPermission)
             throws GroupManagementException, UserStoreException {
         List<DeviceGroup> groups =
                 DeviceManagementDataHolder.getInstance().getGroupManagementProviderService().getGroups(username,
-                                                                                                       permission);
+                                                                                                       groupPermission);
         UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
         if (userRealm != null && userRealm.getAuthorizationManager() != null) {
             Iterator<DeviceGroup> groupIterator = groups.iterator();
@@ -179,7 +205,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
                 while (rolesIterator.hasNext()) {
                     String role = rolesIterator.next();
                     if (userRealm.getAuthorizationManager().isRoleAuthorized(
-                            "Internal/group-" + deviceGroup.getId() + "-" + role, permission,
+                            "Internal/group-" + deviceGroup.getId() + "-" + role, groupPermission,
                             CarbonConstants.UI_PERMISSION_ACTION)) {
                         return true;
                     }

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/service/GroupManagementProviderService.java

@@ -25,7 +25,6 @@ import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupAlreadyEixistException;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupUser;
-import org.wso2.carbon.device.mgt.core.group.mgt.DeviceGroupBuilder;
 
 import java.util.List;
 
@@ -77,6 +76,7 @@ public interface GroupManagementProviderService {
 
     /**
      * Get the device group provided the device group id.
+     *
      * @param groupId
      * @return
      * @throws GroupManagementException
@@ -300,6 +300,7 @@ public interface GroupManagementProviderService {
 
     /**
      * Get the group of device.
+     *
      * @param deviceIdentifier
      * @return
      * @throws GroupManagementException

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/jaggery.conf

@@ -8,7 +8,7 @@
       "path": "/api/device-api.jag"
     },
     {
-      "url": "/api/group/*",
+      "url": "/api/groups/*",
       "path": "/api/group-api.jag"
     },
     {