Example 21 with SecurityUser

use of org.thingsboard.server.service.security.model.SecurityUser in project thingsboard by thingsboard.

the class BaseController method checkCustomerId.

Customer checkCustomerId(CustomerId customerId) throws ThingsboardException {
    try {
        validateId(customerId, "Incorrect customerId " + customerId);
        SecurityUser authUser = getCurrentUser();
        // Authorization rule: a system administrator is never allowed customer-scoped access;
        // a tenant administrator may proceed (checkCustomer below validates the customer record);
        // any other authority must belong to exactly this customer.
        if (authUser.getAuthority() == Authority.SYS_ADMIN || (authUser.getAuthority() != Authority.TENANT_ADMIN && (authUser.getCustomerId() == null || !authUser.getCustomerId().equals(customerId)))) {
            throw new ThingsboardException(YOU_DON_T_HAVE_PERMISSION_TO_PERFORM_THIS_OPERATION, ThingsboardErrorCode.PERMISSION_DENIED);
        }
        Customer customer = customerService.findCustomerById(customerId);
        checkCustomer(customer);
        return customer;
    } catch (Exception e) {
        throw handleException(e, false);
    }
}
Also used : SecurityUser(org.thingsboard.server.service.security.model.SecurityUser) ThingsboardException(org.thingsboard.server.exception.ThingsboardException) MessagingException(javax.mail.MessagingException) IncorrectParameterException(org.thingsboard.server.dao.exception.IncorrectParameterException) DataValidationException(org.thingsboard.server.dao.exception.DataValidationException)

Example 22 with SecurityUser

use of org.thingsboard.server.service.security.model.SecurityUser in project thingsboard by thingsboard.

the class BaseController method checkTenantId.

void checkTenantId(TenantId tenantId) throws ThingsboardException {
    validateId(tenantId, INCORRECT_TENANT_ID + tenantId);
    SecurityUser authUser = getCurrentUser();
    // Only a system administrator may act across tenants; everyone else must be
    // authenticated within the tenant being accessed.
    if (authUser.getAuthority() != Authority.SYS_ADMIN && (authUser.getTenantId() == null || !authUser.getTenantId().equals(tenantId))) {
        throw new ThingsboardException(YOU_DON_T_HAVE_PERMISSION_TO_PERFORM_THIS_OPERATION, ThingsboardErrorCode.PERMISSION_DENIED);
    }
}
Also used : SecurityUser(org.thingsboard.server.service.security.model.SecurityUser) ThingsboardException(org.thingsboard.server.exception.ThingsboardException)

Example 23 with SecurityUser

use of org.thingsboard.server.service.security.model.SecurityUser in project thingsboard by thingsboard.

the class JwtAuthenticationProvider method authenticate.

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // The raw bearer token is carried as the credentials of the incoming Authentication;
    // parsing it yields the SecurityUser that becomes the authenticated principal.
    RawAccessJwtToken rawAccessToken = (RawAccessJwtToken) authentication.getCredentials();
    SecurityUser securityUser = tokenFactory.parseAccessJwtToken(rawAccessToken);
    return new JwtAuthenticationToken(securityUser);
}
Also used : SecurityUser(org.thingsboard.server.service.security.model.SecurityUser) JwtAuthenticationToken(org.thingsboard.server.service.security.auth.JwtAuthenticationToken) RawAccessJwtToken(org.thingsboard.server.service.security.model.token.RawAccessJwtToken)

Example 24 with SecurityUser

use of org.thingsboard.server.service.security.model.SecurityUser in project thingsboard by thingsboard.

the class JwtTokenFactory method parseAccessJwtToken.

public SecurityUser parseAccessJwtToken(RawAccessJwtToken rawAccessToken) {
    // parseClaims verifies the token against the configured signing key before any claim is trusted.
    Jws<Claims> jwsClaims = rawAccessToken.parseClaims(settings.getTokenSigningKey());
    Claims claims = jwsClaims.getBody();
    String subject = claims.getSubject();
    List<String> scopes = claims.get(SCOPES, List.class);
    // A token without scopes carries no authority and is rejected.
    if (scopes == null || scopes.isEmpty()) {
        throw new IllegalArgumentException("JWT Token doesn't have any scopes");
    }
    // The SecurityUser is rebuilt entirely from the verified claims; the first scope is the user's authority.
    SecurityUser securityUser = new SecurityUser(new UserId(UUID.fromString(claims.get(USER_ID, String.class))));
    securityUser.setEmail(subject);
    securityUser.setAuthority(Authority.parse(scopes.get(0)));
    securityUser.setFirstName(claims.get(FIRST_NAME, String.class));
    securityUser.setLastName(claims.get(LAST_NAME, String.class));
    securityUser.setEnabled(claims.get(ENABLED, Boolean.class));
    boolean isPublic = claims.get(IS_PUBLIC, Boolean.class);
    UserPrincipal principal = new UserPrincipal(isPublic ? UserPrincipal.Type.PUBLIC_ID : UserPrincipal.Type.USER_NAME, subject);
    securityUser.setUserPrincipal(principal);
    // Tenant and customer ids are optional claims (absent for a system administrator, customer id absent for tenant-level users).
    String tenantId = claims.get(TENANT_ID, String.class);
    if (tenantId != null) {
        securityUser.setTenantId(new TenantId(UUID.fromString(tenantId)));
    }
    String customerId = claims.get(CUSTOMER_ID, String.class);
    if (customerId != null) {
        securityUser.setCustomerId(new CustomerId(UUID.fromString(customerId)));
    }
    return securityUser;
}
Also used : TenantId(org.thingsboard.server.common.data.id.TenantId) Claims(io.jsonwebtoken.Claims) SecurityUser(org.thingsboard.server.service.security.model.SecurityUser) UserId(org.thingsboard.server.common.data.id.UserId) CustomerId(org.thingsboard.server.common.data.id.CustomerId) UserPrincipal(org.thingsboard.server.service.security.model.UserPrincipal)

Example 25 with SecurityUser

use of org.thingsboard.server.service.security.model.SecurityUser in project thingsboard by thingsboard.

the class RestAuthenticationProvider method authenticateByUsernameAndPassword.

private Authentication authenticateByUsernameAndPassword(UserPrincipal userPrincipal, String username, String password) {
    User user = userService.findUserByEmail(username);
    if (user == null) {
        throw new UsernameNotFoundException("User not found: " + username);
    }
    UserCredentials userCredentials = userService.findUserCredentialsByUserId(user.getId());
    if (userCredentials == null) {
        throw new UsernameNotFoundException("User credentials not found");
    }
    if (!userCredentials.isEnabled()) {
        throw new DisabledException("User is not active");
    }
    // The stored value is a password hash; encoder.matches performs the hash comparison.
    if (!encoder.matches(password, userCredentials.getPassword())) {
        throw new BadCredentialsException("Authentication Failed. Username or Password not valid.");
    }
    if (user.getAuthority() == null) {
        throw new InsufficientAuthenticationException("User has no authority assigned");
    }
    SecurityUser securityUser = new SecurityUser(user, userCredentials.isEnabled(), userPrincipal);
    // Credentials are not retained in the resulting token; only the principal and its granted authorities are.
    return new UsernamePasswordAuthenticationToken(securityUser, null, securityUser.getAuthorities());
}
Also used : UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException) SecurityUser(org.thingsboard.server.service.security.model.SecurityUser) User(org.thingsboard.server.common.data.User) UserCredentials(org.thingsboard.server.common.data.security.UserCredentials)

Aggregations

SecurityUser (org.thingsboard.server.service.security.model.SecurityUser)25 ThingsboardException (org.thingsboard.server.exception.ThingsboardException)15 PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)8 User (org.thingsboard.server.common.data.User)8 UserId (org.thingsboard.server.common.data.id.UserId)7 UserCredentials (org.thingsboard.server.common.data.security.UserCredentials)7 UserPrincipal (org.thingsboard.server.service.security.model.UserPrincipal)7 CustomerId (org.thingsboard.server.common.data.id.CustomerId)6 TenantId (org.thingsboard.server.common.data.id.TenantId)6 IncorrectParameterException (org.thingsboard.server.dao.exception.IncorrectParameterException)5 ArrayList (java.util.ArrayList)4 List (java.util.List)4 UsernameNotFoundException (org.springframework.security.core.userdetails.UsernameNotFoundException)4 URISyntaxException (java.net.URISyntaxException)3 JwtToken (org.thingsboard.server.service.security.model.token.JwtToken)3 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)2 ObjectNode (com.fasterxml.jackson.databind.node.ObjectNode)2 Claims (io.jsonwebtoken.Claims)2 AuthenticationException (org.springframework.security.core.AuthenticationException)2 Customer (org.thingsboard.server.common.data.Customer)2