org.wso2.carbon.user.api.AuthorizationManager Java Examples

private void handleLoggedInUserAuthorization(String permission) throws TemplateManagementException {

        try {
            int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();

            if (StringUtils.isBlank(loggedInUser)) {
                throw new TemplateManagementException(TemplateMgtConstants.ErrorMessages.
                        ERROR_CODE_NO_AUTH_USER_FOUND.getMessage(),
                        TemplateMgtConstants.ErrorMessages.ERROR_CODE_NO_AUTH_USER_FOUND.getCode());
            }
            AuthorizationManager authorizationManager = TemplateManagementUIServiceDataHolder
                    .getInstance().getRealmService()
                    .getTenantUserRealm(tenantId)
                    .getAuthorizationManager();
            if (!authorizationManager.isUserAuthorized(loggedInUser, permission, CarbonConstants.UI_PERMISSION_ACTION)) {
                throw new TemplateManagementException(TemplateMgtConstants.
                        ErrorMessages.ERROR_CODE_USER_NOT_AUTHORIZED.getMessage(),
                        TemplateMgtConstants.ErrorMessages
                                .ERROR_CODE_USER_NOT_AUTHORIZED.getCode());
            }
        } catch (UserStoreException e) {
            throw new TemplateManagementException(TemplateMgtConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getMessage(),
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getCode());
        }
    }
 

/**
 * Get list of roles which have given permission
 *
 * @param filter     filter to check
 * @param permission permission to check
 * @param limit
 * @return
 * @throws UserAdminException
 */
public FlaggedName[] getAllPermittedRoleNames(String filter, String permission, int limit) throws
        UserAdminException {

    FlaggedName[] roles = getUserAdminProxy().getAllRolesNames(filter, limit);
    List<FlaggedName> permittedRoles = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService().getTenantUserRealm
                (PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        for (int i = 0; i < roles.length - 1; i++) {
            if (authorizationManager.isRoleAuthorized(roles[i].getItemName(), permission, UserMgtConstants
                    .EXECUTE_ACTION)) {
                permittedRoles.add(roles[i]);
            }
        }
        permittedRoles.add(roles[roles.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized roles.", e);
    }
    FlaggedName[] permittedRolesArray = new FlaggedName[permittedRoles.size()];
    return permittedRoles.toArray(permittedRolesArray);
}
 

/**
 * List users with given claim value and permission
 *
 * @param claimValue claim to check
 * @param filter     filter to check
 * @param permission permission to check
 * @param maxLimit
 * @return
 * @throws UserAdminException
 */
public FlaggedName[] listUserByClaimWithPermission(ClaimValue claimValue, String filter, String permission, int
        maxLimit)
        throws UserAdminException {

    List<FlaggedName> permittedUsers = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService().getTenantUserRealm
                (PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        FlaggedName[] users = getUserAdminProxy().listUsers(claimValue, filter, maxLimit);
        for (int i = 0; i < users.length - 1; i++) {
            if (authorizationManager.isUserAuthorized(users[i].getItemName(),
                    permission, UserMgtConstants.EXECUTE_ACTION)) {
                permittedUsers.add(users[i]);
            }
        }
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized users.", e);
    }
    FlaggedName[] permittedUsersArray = new FlaggedName[permittedUsers.size()];
    return permittedUsers.toArray(permittedUsersArray);
}
 

/**
 * Get list of roles which have given permission
 *
 * @param filter     filter to check
 * @param permission permission to check
 * @param limit
 * @return
 * @throws UserAdminException
 */
public FlaggedName[] getAllPermittedRoleNames(String filter, String permission, int limit) throws
        UserAdminException {

    FlaggedName[] roles = getUserAdminProxy().getAllRolesNames(filter, limit);
    List<FlaggedName> permittedRoles = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService().getTenantUserRealm
                (PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        for (int i = 0; i < roles.length - 1; i++) {
            if (authorizationManager.isRoleAuthorized(roles[i].getItemName(), permission, UserMgtConstants
                    .EXECUTE_ACTION)) {
                permittedRoles.add(roles[i]);
            }
        }
        permittedRoles.add(roles[roles.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized roles.", e);
    }
    FlaggedName[] permittedRolesArray = new FlaggedName[permittedRoles.size()];
    return permittedRoles.toArray(permittedRolesArray);
}
 

/**
 * List users with given claim value and permission
 *
 * @param claimValue claim to check
 * @param filter     filter to check
 * @param permission permission to check
 * @param maxLimit
 * @return
 * @throws UserAdminException
 */
public FlaggedName[] listUserByClaimWithPermission(ClaimValue claimValue, String filter, String permission, int
        maxLimit)
        throws UserAdminException {

    List<FlaggedName> permittedUsers = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService().getTenantUserRealm
                (PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        FlaggedName[] users = getUserAdminProxy().listUsers(claimValue, filter, maxLimit);
        for (int i = 0; i < users.length - 1; i++) {
            if (authorizationManager.isUserAuthorized(users[i].getItemName(),
                    permission, UserMgtConstants.EXECUTE_ACTION)) {
                permittedUsers.add(users[i]);
            }
        }
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized users.", e);
    }
    FlaggedName[] permittedUsersArray = new FlaggedName[permittedUsers.size()];
    return permittedUsers.toArray(permittedUsersArray);
}
 

private boolean authorize(String userName, String tenantDomain, int tenantId, Method targetMethod) throws Exception {
    // first we try to see whether this is a super.tenant only operation
    if (superTenantServiceSet.contains(targetMethod.getName()) && !isCurrentUserSuperTenant(tenantDomain, tenantId)) {
        return false;
    }
    // authorize using permissionString given as annotation in the service class
    String permissionString = authorizationActionMap.get(targetMethod.getName());

    // get the authorization manager for this tenant..
    UserRealm userRealm = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm();
    AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();

    boolean isAuthorized = isAuthorized(authorizationManager, userName, permissionString, ACTION_ON_RESOURCE);
    return isAuthorized;

}
 

private boolean authorize(String userName, String tenantDomain, int tenantId,
                          Method targetMethod) throws Exception {
    // first we try to see whether this is a super.tenant only operation
    if (superTenantServiceSet.contains(targetMethod.getName()) &&
            !isCurrentUserSuperTenant(tenantDomain, tenantId)) {
        return false;
    }
    // authorize using permissionString given as annotation in the service
    // class
    String permissionString = authorizationActionMap.get(targetMethod.getName());

    // get the authorization manager for this tenant..
    UserRealm userRealm = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm();
    AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();

    boolean isAuthorized =
            isAuthorized(authorizationManager, userName, permissionString,
                    ACTION_ON_RESOURCE);
    return isAuthorized;

}
 

private boolean authorize(String userName, String tenantDomain, int tenantId, Method targetMethod)
        throws Exception {
    // first we try to see whether this is a super.tenant only operation
    if (superTenantServiceSet.contains(targetMethod.getName()) && !isCurrentUserSuperTenant(tenantDomain,
            tenantId)) {
        return false;
    }
    // authorize using permissionString given as annotation in the service class
    String permissionString = authorizationActionMap.get(targetMethod.getName());

    // get the authorization manager for this tenant..
    UserRealm userRealm = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm();
    AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();

    boolean isAuthorized = isAuthorized(authorizationManager, userName, permissionString, ACTION_ON_RESOURCE);
    return isAuthorized;

}
 

/**
 * Get list of users which have given permission
 *
 * @param filter     filter to check
 * @param permission permission to check
 * @param limit
 * @return
 * @throws UserAdminException
 */
public FlaggedName[] listAllUsersWithPermission(String filter, String permission, int limit) throws
        UserAdminException {

    List<FlaggedName> permittedUsers = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService().getTenantUserRealm
                (PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();


        FlaggedName[] users = getUserAdminProxy().listAllUsers(filter, limit);

        for (int i = 0; i < users.length - 1; i++) {
            if (authorizationManager.isUserAuthorized(users[i].getItemName(),
                    permission, UserMgtConstants.EXECUTE_ACTION)) {
                permittedUsers.add(users[i]);
            }
        }
        permittedUsers.add(users[users.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized users.", e);
    }
    FlaggedName[] permittedUsersArray = new FlaggedName[permittedUsers.size()];
    return permittedUsers.toArray(permittedUsersArray);

}
 

private void removeAuthorization (UserRealm userRealm, String serviceGroupId,
                                  String serviceName) throws UserStoreException {

    AuthorizationManager manager = userRealm.getAuthorizationManager();
    String resourceName = serviceGroupId + "/" + serviceName;
    String[] roles = manager.
            getAllowedRolesForResource(resourceName,
                    UserCoreConstants.INVOKE_SERVICE_PERMISSION);
    if (roles != null) {
        for (String role : roles) {
            manager.clearRoleAuthorization(role, resourceName,
                    UserCoreConstants.INVOKE_SERVICE_PERMISSION);
        }
    }
}
 

/**
 * Get list of users which have given permission
 *
 * @param filter     filter to check
 * @param permission permission to check
 * @param limit
 * @return
 * @throws UserAdminException
 */
public FlaggedName[] listAllUsersWithPermission(String filter, String permission, int limit) throws
        UserAdminException {

    List<FlaggedName> permittedUsers = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService().getTenantUserRealm
                (PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();


        FlaggedName[] users = getUserAdminProxy().listAllUsers(filter, limit);

        for (int i = 0; i < users.length - 1; i++) {
            if (authorizationManager.isUserAuthorized(users[i].getItemName(),
                    permission, UserMgtConstants.EXECUTE_ACTION)) {
                permittedUsers.add(users[i]);
            }
        }
        permittedUsers.add(users[users.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized users.", e);
    }
    FlaggedName[] permittedUsersArray = new FlaggedName[permittedUsers.size()];
    return permittedUsers.toArray(permittedUsersArray);

}
 

@Deactivate
protected void deactivate(ComponentContext componentContext) {
    if (log.isDebugEnabled()) {
        log.debug("Deactivating API manager component");
    }
    CertificateReLoaderUtil.shutDownCertificateReLoader();
    registration.unregister();
    APIManagerFactory.getInstance().clearAll();
    org.wso2.carbon.apimgt.impl.utils.AuthorizationManager.getInstance().destroy();
}
 

private void setupImagePermissions() throws APIManagementException {
    try {
        AuthorizationManager accessControlAdmin = ServiceReferenceHolder.getInstance().getRealmService().getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getAuthorizationManager();
        String imageLocation = APIUtil.getMountedPath(RegistryContext.getBaseInstance(), RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH) + APIConstants.API_IMAGE_LOCATION;
        if (!accessControlAdmin.isRoleAuthorized(CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME, imageLocation, ActionConstants.GET)) {
            // Can we get rid of this?
            accessControlAdmin.authorizeRole(CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME, imageLocation, ActionConstants.GET);
        }
    } catch (UserStoreException e) {
        throw new APIManagementException("Error while setting up permissions for image collection", e);
    }
}
 

public static ServiceReferenceHolder mockRegistryAndUserRealm(int tenantId) throws UserStoreException, 
                                                                                                RegistryException {
    ServiceReferenceHolder sh = getServiceReferenceHolder();
    
    RealmService realmService = Mockito.mock(RealmService.class);
    TenantManager tm = Mockito.mock(TenantManager.class);
    
    PowerMockito.when(sh.getRealmService()).thenReturn(realmService);
    PowerMockito.when(realmService.getTenantManager()).thenReturn(tm);
    
    RegistryService registryService = Mockito.mock(RegistryService.class);
    PowerMockito.when(sh.getRegistryService()).thenReturn(registryService);
    
    UserRegistry userReg = Mockito.mock(UserRegistry.class);
    PowerMockito.when(registryService.getGovernanceUserRegistry()).thenReturn(userReg);
    
    UserRegistry systemReg = Mockito.mock(UserRegistry.class);
    PowerMockito.when(registryService.getConfigSystemRegistry()).thenReturn(systemReg);
    
    UserRealm userRealm = Mockito.mock(UserRealm.class);
    UserRealm bootstrapRealm = Mockito.mock(UserRealm.class);
    
    PowerMockito.when(systemReg.getUserRealm()).thenReturn(userRealm);        
    PowerMockito.doNothing().when(ServiceReferenceHolder.class); 
    ServiceReferenceHolder.setUserRealm(userRealm);
    org.wso2.carbon.user.api.UserRealm userR = Mockito.mock(org.wso2.carbon.user.api.UserRealm.class);
    PowerMockito.when(realmService.getTenantUserRealm(-1234)).thenReturn(userR);
    AuthorizationManager authManager = Mockito.mock(AuthorizationManager.class);
    PowerMockito.when(userR.getAuthorizationManager()).thenReturn(authManager);
    PowerMockito.when(realmService.getBootstrapRealm()).thenReturn(bootstrapRealm);
    ServiceReferenceHolder.setUserRealm(bootstrapRealm);

    PowerMockito.when(tm.getTenantId(Matchers.anyString())).thenReturn(tenantId);

    return sh;
}
 

private void applySecurityParameters(AxisService service, SecurityScenario secScenario,
                                     Policy policy) {
    try {

        UserRealm userRealm = (UserRealm) PrivilegedCarbonContext.getThreadLocalCarbonContext()
                .getUserRealm();

        UserRegistry govRegistry = (UserRegistry) PrivilegedCarbonContext
                .getThreadLocalCarbonContext().getRegistry(RegistryType.SYSTEM_GOVERNANCE);

        String serviceGroupId = service.getAxisServiceGroup().getServiceGroupName();
        String serviceName = service.getName();

        SecurityConfigParams configParams =
                SecurityConfigParamBuilder.getSecurityParams(getSecurityConfig(policy));

        // Set Trust (Rahas) Parameters
        if (secScenario.getModules().contains(SecurityConstants.TRUST_MODULE)) {
            AxisModule trustModule = service.getAxisConfiguration()
                    .getModule(SecurityConstants.TRUST_MODULE);
            if (log.isDebugEnabled()) {
                log.debug("Enabling trust module : " + SecurityConstants.TRUST_MODULE);
            }

            service.disengageModule(trustModule);
            service.engageModule(trustModule);

            Properties cryptoProps = new Properties();
            cryptoProps.setProperty(ServerCrypto.PROP_ID_PRIVATE_STORE,
                                    configParams.getPrivateStore());
            cryptoProps.setProperty(ServerCrypto.PROP_ID_DEFAULT_ALIAS,
                                    configParams.getKeyAlias());
            if (configParams.getTrustStores() != null) {
                cryptoProps.setProperty(ServerCrypto.PROP_ID_TRUST_STORES,
                                        configParams.getTrustStores());
            }
            service.addParameter(RahasUtil.getSCTIssuerConfigParameter(
                    ServerCrypto.class.getName(), cryptoProps, -1, null, true, true));

            service.addParameter(RahasUtil.getTokenCancelerConfigParameter());

        }

        // Authorization
        AuthorizationManager manager = userRealm.getAuthorizationManager();
        String resourceName = serviceGroupId + "/" + serviceName;
        removeAuthorization(userRealm,serviceGroupId,serviceName);
        String allowRolesParameter = configParams.getAllowedRoles();
        if (allowRolesParameter != null) {
            if (log.isDebugEnabled()) {
                log.debug("Authorizing roles " + allowRolesParameter);
            }
            String[] allowRoles = allowRolesParameter.split(",");
            if (allowRoles != null) {
                for (String role : allowRoles) {
                    manager.authorizeRole(role, resourceName,
                                          UserCoreConstants.INVOKE_SERVICE_PERMISSION);
                }
            }
        }

        // Password Callback Handler
        ServicePasswordCallbackHandler handler =
                new ServicePasswordCallbackHandler(configParams, serviceGroupId, serviceName,
                                                   govRegistry, userRealm);

        Parameter param = new Parameter();
        param.setName(WSHandlerConstants.PW_CALLBACK_REF);
        param.setValue(handler);
        service.addParameter(param);

    } catch (Throwable e) {
    //TODO: Copied from 4.2.2.
    //TODO: Not sure why we are catching throwable. Need to check error handling is correct
        String msg = "Cannot apply security parameters";
        log.error(msg, e);
    }
}
 

@Test
public void testShouldActivateWhenAllPrerequisitesMet() throws Exception {
    PowerMockito.mockStatic(APIMgtDBUtil.class);
    PowerMockito.mockStatic(APIUtil.class);
    PowerMockito.mockStatic(AuthorizationUtils.class);
    PowerMockito.mockStatic(RegistryUtils.class);
    PowerMockito.mockStatic(ServiceReferenceHolder.class);
    PowerMockito.mockStatic(SQLConstantManagerFactory.class);
    ServiceReferenceHolder serviceReferenceHolder = Mockito.mock(ServiceReferenceHolder.class);
    ComponentContext componentContext = Mockito.mock(ComponentContext.class);
    BundleContext bundleContext = Mockito.mock(BundleContext.class);
    APIManagerConfiguration configuration = Mockito.mock(APIManagerConfiguration.class);
    APIManagerConfigurationService configurationService = Mockito.mock(APIManagerConfigurationService.class);
    AuthorizationManager authManager = Mockito.mock(AuthorizationManager.class);
    Registry registry = Mockito.mock(Registry.class);
    RealmService realmService = Mockito.mock(RealmService.class);
    UserRealm userRealm = Mockito.mock(UserRealm.class);
    OutputEventAdapterService adapterService = Mockito.mock(OutputEventAdapterService.class);
    ThrottleProperties throttleProperties = new ThrottleProperties();

    Mockito.doNothing().when(configuration).load(Mockito.anyString());
    Mockito.doNothing().when(authManager)
            .authorizeRole(Mockito.anyString(), Mockito.anyString(), Mockito.anyString());
    Mockito.doNothing().when(adapterService).create(null);
    Mockito.when(componentContext.getBundleContext()).thenReturn(bundleContext);
    Mockito.when(registry.resourceExists(Mockito.anyString())).thenReturn(true);
    Mockito.when(configuration.getFirstProperty(Mockito.anyString())).thenReturn("").thenReturn(null);
    Mockito.when(bundleContext.registerService("", CommonConfigDeployer.class, null)).thenReturn(null);
    Mockito.when(authManager.isRoleAuthorized(Mockito.anyString(), Mockito.anyString(), Mockito.anyString()))
            .thenReturn(true);
    Mockito.when(serviceReferenceHolder.getRealmService()).thenReturn(realmService);
    Mockito.when(serviceReferenceHolder.getAPIManagerConfigurationService()).thenReturn(configurationService);
    Mockito.when(serviceReferenceHolder.getOutputEventAdapterService()).thenReturn(adapterService);
    Mockito.when(configurationService.getAPIManagerConfiguration()).thenReturn(configuration);
    Mockito.when(realmService.getTenantUserRealm(Mockito.anyInt())).thenReturn(userRealm);
    Mockito.when(userRealm.getAuthorizationManager()).thenReturn(authManager);
    Mockito.when(configuration.getThrottleProperties()).thenReturn(throttleProperties);
    PowerMockito.doNothing().when(APIMgtDBUtil.class, "initialize");
    PowerMockito.doNothing().when(APIUtil.class, "loadTenantExternalStoreConfig", Mockito.anyInt());
    PowerMockito.doNothing().when(AuthorizationUtils.class ,"addAuthorizeRoleListener",
            Mockito.anyInt(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString());
    PowerMockito.doNothing().when(SQLConstantManagerFactory.class, "initializeSQLConstantManager");
    PowerMockito.when(APIUtil.getMountedPath(null, "")).thenReturn("");
    PowerMockito.when(ServiceReferenceHolder.getInstance()).thenReturn(serviceReferenceHolder);
    PowerMockito.when(RegistryUtils.getAbsolutePath(null, null)).thenReturn("");
    PowerMockito.whenNew(APIManagerConfiguration.class).withAnyArguments().thenReturn(configuration);

    PowerMockito.mockStatic(ApiMgtDAO.class);
    ApiMgtDAO apiMgtDAO = Mockito.mock(ApiMgtDAO.class);
    PowerMockito.when(ApiMgtDAO.getInstance()).thenReturn(apiMgtDAO);

    APIManagerConfiguration config = ServiceReferenceHolder.getInstance().getAPIManagerConfigurationService()
            .getAPIManagerConfiguration();
    APIManagerComponent apiManagerComponent = new APIManagerComponentWrapper(registry);
    GatewayArtifactSynchronizerProperties synchronizerProperties = new GatewayArtifactSynchronizerProperties();
    Mockito.when(config.getGatewayArtifactSynchronizerProperties()).thenReturn(synchronizerProperties);
    EventHubConfigurationDto eventHubConfigurationDto = new EventHubConfigurationDto();
    eventHubConfigurationDto.setEnabled(true);
    eventHubConfigurationDto.setInitDelay(0);
    eventHubConfigurationDto.setUsername("a");
    eventHubConfigurationDto.setPassword("sss".toCharArray());
    eventHubConfigurationDto.setServiceUrl("https://localhost");
    EventHubConfigurationDto.EventHubPublisherConfiguration eventHubPublisherConfiguration =
            new EventHubConfigurationDto.EventHubPublisherConfiguration();
    eventHubConfigurationDto.setEventHubPublisherConfiguration(eventHubPublisherConfiguration);
    Mockito.when(config.getEventHubConfigurationDto()).thenReturn(eventHubConfigurationDto);
    try {
        apiManagerComponent.activate(componentContext);
    } catch (FileNotFoundException f) {
        // Exception thrown here means that method was continued without the configuration file
        Assert.fail("Should not throw an exception");
    }
}