/**
* Checks whether received credentials for accessing API is authorized for exporting and importing
* APIs
*
* @param headers HTTP headers of the received request
* @return Response indicating whether authentication and authorization for accessing API got
* succeeded
* @throws APIExportException If an error occurs while authorizing current user
*/
public static Response authorizeUser(HttpHeaders headers) throws APIExportException {
if (!isValidCredentials(headers)) {
log.error("No username and password is provided for authentication");
return Response.status(Response.Status.UNAUTHORIZED)
.entity("No username and password is provided for authentication")
.type(MediaType.APPLICATION_JSON)
.build();
}
try {
String tenantDomain = MultitenantUtils.getTenantDomain(username);
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
UserStoreManager userstoremanager =
CarbonContext.getThreadLocalCarbonContext().getUserRealm().getUserStoreManager();
String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
// authenticate user provided credentials
if (userstoremanager.authenticate(tenantAwareUsername, password)) {
log.info(username + " user authenticated successfully");
// Get admin role name of the current domain
String adminRoleName =
CarbonContext.getCurrentContext()
.getUserRealm()
.getRealmConfiguration()
.getAdminRoleName();
String[] userRoles = userstoremanager.getRoleListOfUser(tenantAwareUsername);
// user is only authorized for exporting and importing if he is an admin of his
// domain
if (Arrays.asList(userRoles).contains(adminRoleName)) {
log.info(username + " is authorized to import and export APIs");
return Response.ok().build();
} else {
return Response.status(Response.Status.FORBIDDEN)
.entity("User Authorization " + "Failed")
.type(MediaType.APPLICATION_JSON)
.build();
}
} else {
return Response.status(Response.Status.UNAUTHORIZED)
.entity("User Authentication " + "Failed")
.type(MediaType.APPLICATION_JSON)
.build();
}
} catch (UserStoreException e) {
log.error("Error while accessing user configuration" + e.getMessage());
throw new APIExportException("Error while accessing user configuration", e);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
/**
* Deleting cache data in JDBCTenantManager
*
* @param arg0 - ConfigurationContext
*/
@Override
public void execute(ConfigurationContext arg0) throws ClusteringFault {
TenantManager tenantManager = TenantMgtServiceComponent.getTenantManager();
try {
tenantManager.deleteTenant(tenantId, IS_DELETE_PERSISTANCE_STORAGE);
} catch (UserStoreException e) {
log.error("Error occured while deleting cache : " + e.getMessage());
}
}
@Override
public SortedMap<String, String> getClaims(String endUserName, String[] requestedClaims)
throws IdentityOAuth2Exception {
SortedMap<String, String> claimValues;
try {
int tenantId = JWTTokenGenerator.getTenantId(endUserName);
// check in local cache
String key = endUserName + ":" + tenantId;
CacheKey cacheKey = new ClaimCacheKey(key);
Object result = claimsLocalCache.getValueFromCache(cacheKey);
if (result != null) {
claimValues = ((UserClaims) result).getClaimValues();
} else {
// if no claims were requested, return all
if (requestedClaims == null) {
log.debug("No claims set requested. Returning all claims in the dialect");
ClaimManager claimManager =
OAuthComponentServiceHolder.getRealmService()
.getTenantUserRealm(tenantId)
.getClaimManager();
ClaimMapping[] claims = claimManager.getAllClaimMappings(dialectURI);
requestedClaims = claimToString(claims);
}
UserStoreManager userStoreManager =
OAuthComponentServiceHolder.getRealmService()
.getTenantUserRealm(tenantId)
.getUserStoreManager();
claimValues =
new TreeMap(userStoreManager.getUserClaimValues(endUserName, requestedClaims, null));
UserClaims userClaims = new UserClaims(claimValues);
claimsLocalCache.addToCache(cacheKey, userClaims);
}
} catch (UserStoreException e) {
log.debug("Error while reading user claims ", e);
throw new IdentityOAuth2Exception(
"Error while retrieving user claim values from " + "user store: " + e.getMessage());
}
return claimValues;
}
@Path("device/download")
@GET
@Produces("application/zip")
public Response downloadSketch(
@QueryParam("deviceName") String deviceName, @QueryParam("sketchType") String sketchType) {
try {
ZipArchive zipFile =
createDownloadFile(APIUtil.getAuthenticatedUser(), deviceName, sketchType);
Response.ResponseBuilder response =
Response.ok(FileUtils.readFileToByteArray(zipFile.getZipFile()));
response.status(Response.Status.OK);
response.type("application/zip");
response.header(
"Content-Disposition", "attachment; filename=\"" + zipFile.getFileName() + "\"");
Response resp = response.build();
zipFile.getZipFile().delete();
return resp;
} catch (IllegalArgumentException ex) {
return Response.status(400).entity(ex.getMessage()).build(); // bad request
} catch (DeviceManagementException ex) {
log.error(ex.getMessage(), ex);
return Response.status(500).entity(ex.getMessage()).build();
} catch (JWTClientException ex) {
log.error(ex.getMessage(), ex);
return Response.status(500).entity(ex.getMessage()).build();
} catch (APIManagerException ex) {
log.error(ex.getMessage(), ex);
return Response.status(500).entity(ex.getMessage()).build();
} catch (IOException ex) {
log.error(ex.getMessage(), ex);
return Response.status(500).entity(ex.getMessage()).build();
} catch (UserStoreException ex) {
log.error(ex.getMessage(), ex);
return Response.status(500).entity(ex.getMessage()).build();
} catch (VirtualFirealarmDeviceMgtPluginException ex) {
log.error(ex.getMessage(), ex);
return Response.status(500).entity(ex.getMessage()).build();
}
}
/**
* Builds the response to change the password of a user
*
* @param credentials - User credentials
* @return Response Object
*/
public static Response buildChangePasswordResponse(OldPasswordResetWrapper credentials) {
String username = "";
try {
RequestValidationUtil.validateCredentials(credentials);
if (!validateCredential(credentials.getNewPassword())) {
String errorMsg =
DeviceMgtAPIUtils.getRealmService()
.getBootstrapRealmConfiguration()
.getUserStoreProperty(PASSWORD_VALIDATION_ERROR_MSG_TAG);
return Response.status(Response.Status.BAD_REQUEST)
.entity(new ErrorResponse.ErrorResponseBuilder().setMessage(errorMsg).build())
.build();
}
UserStoreManager userStoreManager = DeviceMgtAPIUtils.getUserStoreManager();
// this is the user who initiates the request
username = CarbonContext.getThreadLocalCarbonContext().getUsername();
userStoreManager.updateCredential(
username, credentials.getNewPassword(), credentials.getOldPassword());
return Response.status(Response.Status.OK)
.entity("UserImpl password by username: "******" was successfully changed.")
.build();
} catch (UserStoreException e) {
log.error(e.getMessage(), e);
return Response.serverError()
.entity(new ErrorResponse.ErrorResponseBuilder().setMessage(e.getMessage()).build())
.build();
} catch (UnsupportedEncodingException e) {
String msg =
"Could not change the password of the user: "******". The Character Encoding is not supported.";
log.error(msg, e);
return Response.serverError()
.entity(new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build())
.build();
}
}
private void doAddUser(
int i,
UserStoreManager admin,
String[] identityRoleNames,
String userName,
Permission permission)
throws IdentityException, UserStoreException {
try {
if (!admin.isExistingRole(identityRoleNames[i], false)) {
permission = new Permission("/permission/admin/login", UserMgtConstants.EXECUTE_ACTION);
admin.addRole(
identityRoleNames[i], new String[] {userName}, new Permission[] {permission}, false);
} else {
// if role already exists, just add user to role
admin.updateUserListOfRole(identityRoleNames[i], new String[] {}, new String[] {userName});
}
} catch (org.wso2.carbon.user.api.UserStoreException e) {
// If something goes wrong here - then remove the already added user.
admin.deleteUser(userName);
throw new IdentityException(
"Error occurred while adding user : "******". " + e.getMessage(), e);
}
}
/** Process the response of the Inwebo end-point */
@Override
protected void processAuthenticationResponse(
HttpServletRequest request, HttpServletResponse response, AuthenticationContext context)
throws AuthenticationFailedException {
int waitTime;
int retryInterval;
String username = null;
// Getting the last authenticated local user
for (Integer stepMap : context.getSequenceConfig().getStepMap().keySet())
if (context.getSequenceConfig().getStepMap().get(stepMap).getAuthenticatedUser() != null
&& context
.getSequenceConfig()
.getStepMap()
.get(stepMap)
.getAuthenticatedAutenticator()
.getApplicationAuthenticator()
instanceof LocalApplicationAuthenticator) {
username =
String.valueOf(
context.getSequenceConfig().getStepMap().get(stepMap).getAuthenticatedUser());
break;
}
if (username != null) {
UserRealm userRealm = null;
try {
String tenantDomain = MultitenantUtils.getTenantDomain(username);
int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
RealmService realmService = IdentityTenantUtil.getRealmService();
userRealm = (UserRealm) realmService.getTenantUserRealm(tenantId);
username = MultitenantUtils.getTenantAwareUsername(username);
if (userRealm != null) {
userId =
userRealm
.getUserStoreManager()
.getUserClaimValue(username, InweboConstants.INWEBO_USERID, null)
.toString();
} else {
throw new AuthenticationFailedException(
"Cannot find the user claim for the given userId: " + userId);
}
} catch (UserStoreException e) {
throw new AuthenticationFailedException(
"Error while getting the user realm" + e.getMessage(), e);
}
}
Map<String, String> authenticatorProperties = context.getAuthenticatorProperties();
if (authenticatorProperties != null) {
String serviceId = authenticatorProperties.get(InweboConstants.SERVICE_ID);
String p12file = authenticatorProperties.get(InweboConstants.INWEBO_P12FILE);
String p12password = authenticatorProperties.get(InweboConstants.INWEBO_P12PASSWORD);
if (!StringUtils.isEmpty(authenticatorProperties.get(InweboConstants.RETRY_COUNT))) {
waitTime = Integer.parseInt(authenticatorProperties.get(InweboConstants.RETRY_COUNT));
} else {
waitTime = Integer.parseInt(InweboConstants.WAITTIME_DEFAULT);
}
if (!StringUtils.isEmpty(authenticatorProperties.get(InweboConstants.RETRY_INTERVAL))) {
retryInterval =
Integer.parseInt(authenticatorProperties.get(InweboConstants.RETRY_INTERVAL));
} else {
retryInterval = Integer.parseInt(InweboConstants.RETRYINTERVAL_DEFAULT);
}
PushRestCall push =
new PushRestCall(serviceId, p12file, p12password, userId, waitTime, retryInterval);
pushResponse = push.run();
if (pushResponse.contains(InweboConstants.PUSHRESPONSE)) {
if (log.isDebugEnabled()) {
log.info("Authentication successful");
}
context.setSubject(
AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(userId));
} else {
throw new AuthenticationFailedException("Authentication failed");
}
pushResponse = null;
userId = null;
} else {
throw new AuthenticationFailedException("Required parameters are empty");
}
}
@Override
public boolean validateScope(AccessTokenDO accessTokenDO, String resource)
throws IdentityOAuth2Exception {
boolean status = true;
// Extract the url & http method
int idx = resource.lastIndexOf(':');
String url = resource.substring(0, idx);
String method = resource.substring(++idx, resource.length());
// This is to remove the url params for request path.
int urlParamIndex = url.indexOf('?');
if (urlParamIndex > 0) {
url = url.substring(0, urlParamIndex);
}
Properties properties = new Properties();
properties.put(PermissionBasedScopeValidator.URL_PROPERTY, url.toLowerCase());
properties.put(PermissionBasedScopeValidator.HTTP_METHOD_PROPERTY, method.toUpperCase());
PermissionManagerService permissionManagerService =
OAuthExtensionsDataHolder.getInstance().getPermissionManagerService();
try {
Permission permission = permissionManagerService.getPermission(properties);
User authzUser = accessTokenDO.getAuthzUser();
if ((permission != null) && (authzUser != null)) {
if (permission.getPath() == null) {
if (log.isDebugEnabled()) {
log.debug("Permission is not defined for the resource '" + resource + "'");
}
return true;
}
String username = authzUser.getUserName();
String userStore = authzUser.getUserStoreDomain();
int tenantId = OAuthExtUtils.getTenantId(authzUser.getTenantDomain());
UserRealm userRealm =
OAuthExtensionsDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
if (userRealm != null && userRealm.getAuthorizationManager() != null) {
if (userStore != null) {
status =
userRealm
.getAuthorizationManager()
.isUserAuthorized(
userStore + "/" + username,
permission.getPath(),
PermissionMethod.UI_EXECUTE);
} else {
status =
userRealm
.getAuthorizationManager()
.isUserAuthorized(username, permission.getPath(), PermissionMethod.UI_EXECUTE);
}
}
}
} catch (PermissionManagementException e) {
log.error(
"Error occurred while validating the resource scope for : "
+ resource
+ ", Msg = "
+ e.getMessage(),
e);
} catch (UserStoreException e) {
log.error("Error occurred while retrieving user store. " + e.getMessage());
}
return status;
}
