Implemented scope based authorization in device-mgt UI module

components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml

@@ -161,6 +161,10 @@
             <artifactId>org.wso2.carbon.user.api</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.devicemgt</groupId>
+            <artifactId>org.wso2.carbon.apimgt.annotations</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationService.java

@@ -18,20 +18,19 @@
 
 package org.wso2.carbon.apimgt.application.extension.api;
 
+import org.wso2.carbon.apimgt.annotations.api.API;
 import org.wso2.carbon.apimgt.application.extension.api.util.RegistrationProfile;
 
-import javax.ws.rs.Consumes;
+import javax.ws.rs.*;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.POST;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
 /**
  * This is the application registration service that exposed for apimApplicationRegistration
  */
+@API(name = "API Registration Service", version = "1.0.0",
+        context = "api-application-registration",
+        tags = {"devicemgt_admin"})
 public interface ApiApplicationRegistrationService {
 
     /**
@@ -40,6 +39,7 @@ public interface ApiApplicationRegistrationService {
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.APPLICATION_JSON)
+    @Path("register/tenants")
     Response register(@PathParam("tenantDomain") String tenantDomain,
                       @QueryParam("applicationName") String applicationName);
 
@@ -51,6 +51,7 @@ public interface ApiApplicationRegistrationService {
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.APPLICATION_JSON)
+    @Path("register")
     Response register(RegistrationProfile registrationProfile);
 
     /**
@@ -59,5 +60,6 @@ public interface ApiApplicationRegistrationService {
      * @return the response status of request.
      */
     @DELETE
+    @Path("unregister")
     Response unregister(@QueryParam("applicationName") String applicationName);
 }

components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml

@@ -47,7 +47,11 @@
     <!--publish to apim-->
     <context-param>
         <param-name>managed-api-enabled</param-name>
-        <param-value>false</param-value>
+        <param-value>true</param-value>
+    </context-param>
+    <context-param>
+        <param-name>managed-api-owner</param-name>
+        <param-value>admin</param-value>
     </context-param>
 
     <filter>

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/conf/config.json

@@ -70,17 +70,53 @@
         "copyrightSuffix" : " All Rights Reserved."
     },
     "scopes" : [
-        "license-add", "license-view", "device-view",
+        "user:manage",
-        "device-info", "device-list", "device-view-own", "device-modify", "device-search",
+        "user:view",
-        "operation-install", "operation-view", "operation-modify", "operation-uninstall",
+        "device-type:admin:view",
-        "group-add", "group-share", "group-modify", "group-view", "group-remove",
+        "device:view",
-        "certificate-modify", "certificate-view",
+        "notification:view",
-        "configuration-view", "configuration-modify",
+        "device:admin:view",
-        "policy-view", "policy-modify",
+        "application:manage",
-        "device-notification-view", "device-notification-modify",
+        "activity:view",
-        "feature-view",
+        "user:admin:reset-password",
-        "roles-view", "roles-modify", "roles-remove", "roles-add",
+        "policy:manage",
-        "user-password-reset", "user-password-modify", "user-modify", "user-view", "user-invite", "user-remove", "user-add"
+        "policy:view",
+        "role:manage",
+        "role:view",
+        "configuration:view",
+        "configuration:modify",
+        "device:android:operation:reboot",
+        "device:android:operation:camera",
+        "device:android:operation:vpn",
+        "device:android:operation:lock",
+        "device:android:operation:ring",
+        "device:android:operation:update-app",
+        "device:android:operation:wipe",
+        "device:android:operation:encrypt",
+        "device:android:operation:blacklist-app",
+        "device:android:operation:applications",
+        "device:android:operation:enterprise-wipe",
+        "device:android:operation:info",
+        "device:android:operation:wifi",
+        "device:android:operation:uninstall-app",
+        "device:android:operation:change-lock",
+        "device:android:operation:notification",
+        "device:android:operation:upgrade",
+        "device:android:operation:unlock",
+        "device:android:operation:mute",
+        "device:android:operation:location",
+        "device:android:operation:webclip",
+        "device:android:operation:clear-password",
+        "device:android:operation:password-policy",
+        "device:android:operation:install-app",
+        "device:android:event:write",
+        "device:android:event:read",
+        "device:android:enroll",
+        "configuration:manage",
+        "configuration:view",
+        "device:android:enroll",
+        "certificate:view",
+        "certificate:manage"
     ],
     "isOAuthEnabled" : true,
     "backendRestEndpoints" : {

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/constants.js

@@ -83,3 +83,4 @@ var HTTP_CONFLICT = 409;
 var HTTP_CREATED = 201;
 
 var CACHED_CREDENTIALS = "tenantBasedCredentials";
+var ALLOWED_SCOPES = "scopes";

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handler-utils.js

@@ -172,10 +172,11 @@ var utils = function () {
 
             if (xhr["status"] == 200 && xhr["responseText"]) {
                 var responsePayload = parse(xhr["responseText"]);
-                var tokenPair = {};
+                var tokenData = {};
-                tokenPair["accessToken"] = responsePayload["access_token"];
+                tokenData["accessToken"] = responsePayload["access_token"];
-                tokenPair["refreshToken"] = responsePayload["refresh_token"];
+                tokenData["refreshToken"] = responsePayload["refresh_token"];
-                return tokenPair;
+                tokenData["scopes"] = responsePayload["scope"];
+                return tokenData;
             } else {
                 log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " +
                     "by password grant type - getTokenPairByPasswordGrantType(a, b, c, d)");
@@ -224,10 +225,11 @@ var utils = function () {
 
                 if (xhr["status"] == 200 && xhr["responseText"]) {
                     var responsePayload = parse(xhr["responseText"]);
-                    var tokenPair = {};
+                    var tokenData = {};
-                    tokenPair["accessToken"] = responsePayload["access_token"];
+                    tokenData["accessToken"] = responsePayload["access_token"];
-                    tokenPair["refreshToken"] = responsePayload["refresh_token"];
+                    tokenData["refreshToken"] = responsePayload["refresh_token"];
-                    return tokenPair;
+                    tokenData["scopes"] = responsePayload["scope"];
+                    return tokenData;
                 } else {
                     log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " +
                         "by password grant type - getTokenPairBySAMLGrantType(x, y, z)");

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/oauth/token-handlers.js

@@ -45,23 +45,30 @@ var handlers = function () {
                     "password grant type. Encoded client credentials are " +
                         "missing - setupTokenPairByPasswordGrantType(x, y)");
             } else {
-                var tokenPair;
+                var tokenData;
                 // tokenPair will include current access token as well as current refresh token
                 var arrayOfScopes = devicemgtProps["scopes"];
                 var stringOfScopes = "";
                 arrayOfScopes.forEach(function (entry) {
                     stringOfScopes += entry + " ";
                 });
-                tokenPair = tokenUtil.
+                tokenData = tokenUtil.
                     getTokenPairByPasswordGrantType(username,
                         encodeURIComponent(password), encodedClientAppCredentials, stringOfScopes);
-                if (!tokenPair) {
+                if (!tokenData) {
                     throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up " +
                         "token pair by password grant type. Error in token " +
                             "retrieval - setupTokenPairByPasswordGrantType(x, y)");
                 } else {
-                    // setting up access token pair into session context as a string
+                    var tokenPair = {};
+                    tokenPair["accessToken"] = tokenData["accessToken"];
+                    tokenPair["refreshToken"] = tokenData["refreshToken"];
+                    // setting up token pair into session context as a string
                     session.put(constants["TOKEN_PAIR"], stringify(tokenPair));
+
+                    var scopes = tokenData.scopes.split(" ");
+                    // adding allowed scopes to the session
+                    session.put(constants["ALLOWED_SCOPES"], scopes);
                 }
             }
         }
@@ -80,17 +87,24 @@ var handlers = function () {
                     "by saml grant type. Encoded client credentials are " +
                         "missing - setupTokenPairByPasswordGrantType(x, y)");
             } else {
-                var tokenPair;
+                var tokenData;
                 // accessTokenPair will include current access token as well as current refresh token
-                tokenPair = tokenUtil.
+                tokenData = tokenUtil.
                     getTokenPairBySAMLGrantType(samlToken, encodedClientAppCredentials, "PRODUCTION");
-                if (!tokenPair) {
+                if (!tokenData) {
                     throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up token " +
                         "pair by password grant type. Error in token " +
                             "retrieval - setupTokenPairByPasswordGrantType(x, y)");
                 } else {
+                    var tokenPair = {};
+                    tokenPair["accessToken"] = tokenData["accessToken"];
+                    tokenPair["refreshToken"] = tokenData["refreshToken"];
                     // setting up access token pair into session context as a string
                     session.put(constants["TOKEN_PAIR"], stringify(tokenPair));
+
+                    var scopes = tokenData.scopes.split(" ");
+                    // adding allowed scopes to the session
+                    session.put(constants["ALLOWED_SCOPES"], scopes);
                 }
             }
         }

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OAuthAuthenticator.java

@@ -129,7 +129,7 @@ public class OAuthAuthenticator implements WebappAuthenticator {
 
                 if (resource == null || resource.isEmpty()) {
                     authenticationInfo.setStatus(Status.FAILURE);
-                    authenticationInfo.setMessage("Requested resource does not exist");
+                    authenticationInfo.setMessage("Authorization failed. Requested API resource does not exist");
                     return authenticationInfo;
                 }