Example 6 with RegistryAuthorizationManager
use of org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager in project carbon-apimgt by wso2.
the class APIUtil method setResourcePermissions.
/**
* This function is to set resource permissions based on its visibility
*
* @param visibility API/Product visibility
* @param roles Authorized roles
* @param artifactPath API/Product resource path
* @param registry Registry
* @throws APIManagementException Throwing exception
*/
public static void setResourcePermissions(String username, String visibility, String[] roles, String artifactPath, Registry registry) throws APIManagementException {
try {
String resourcePath = RegistryUtils.getAbsolutePath(RegistryContext.getBaseInstance(), APIUtil.getMountedPath(RegistryContext.getBaseInstance(), RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH) + artifactPath);
Resource registryResource = null;
if (registry != null && registry.resourceExists(artifactPath)) {
registryResource = registry.get(artifactPath);
}
StringBuilder publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
if (registryResource != null) {
String publisherRole = registryResource.getProperty(APIConstants.PUBLISHER_ROLES);
if (publisherRole != null) {
publisherAccessRoles = new StringBuilder(publisherRole);
}
if (StringUtils.isEmpty(publisherAccessRoles.toString())) {
publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
}
if (APIConstants.API_GLOBAL_VISIBILITY.equalsIgnoreCase(visibility) || APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, APIConstants.NULL_USER_ROLE_LIST);
// set publisher
publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
// access roles null since store visibility is global. We do not need to add any roles to
// store_view_role property.
} else {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, publisherAccessRoles.toString());
}
}
String tenantDomain = MultitenantUtils.getTenantDomain(APIUtil.replaceEmailDomainBack(username));
if (!org.wso2.carbon.utils.multitenancy.MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
int tenantId = ServiceReferenceHolder.getInstance().getRealmService().getTenantManager().getTenantId(tenantDomain);
// calculate resource path
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
resourcePath = authorizationManager.computePathOnMount(resourcePath);
org.wso2.carbon.user.api.AuthorizationManager authManager = ServiceReferenceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
if (visibility != null && APIConstants.API_RESTRICTED_VISIBILITY.equalsIgnoreCase(visibility)) {
boolean isRoleEveryOne = false;
/*If no roles have defined, authorize for everyone role */
if (roles != null) {
if (roles.length == 1 && "".equals(roles[0])) {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
isRoleEveryOne = true;
} else {
for (String role : roles) {
if (APIConstants.EVERYONE_ROLE.equalsIgnoreCase(role.trim())) {
isRoleEveryOne = true;
}
authManager.authorizeRole(role.trim(), resourcePath, ActionConstants.GET);
publisherAccessRoles.append(",").append(role.trim().toLowerCase());
}
}
}
if (!isRoleEveryOne) {
authManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
}
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.DOC_OWNER_VISIBILITY.equalsIgnoreCase(visibility)) {
/*If no roles have defined, deny access for everyone & anonymous role */
if (roles == null) {
authManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else {
for (String role : roles) {
authManager.denyRole(role.trim(), resourcePath, ActionConstants.GET);
}
}
} else {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.authorizeRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
}
} else {
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
if (visibility != null && APIConstants.API_RESTRICTED_VISIBILITY.equalsIgnoreCase(visibility)) {
boolean isRoleEveryOne = false;
if (roles != null) {
for (String role : roles) {
if (APIConstants.EVERYONE_ROLE.equalsIgnoreCase(role.trim())) {
isRoleEveryOne = true;
}
authorizationManager.authorizeRole(role.trim(), resourcePath, ActionConstants.GET);
publisherAccessRoles.append(",").append(role.toLowerCase());
}
}
if (!isRoleEveryOne) {
authorizationManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
}
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
authorizationManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.DOC_OWNER_VISIBILITY.equalsIgnoreCase(visibility)) {
/*If no roles have defined, deny access for everyone & anonymous role */
if (roles == null) {
authorizationManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else {
for (String role : roles) {
authorizationManager.denyRole(role.trim(), resourcePath, ActionConstants.GET);
}
}
} else {
if (log.isDebugEnabled()) {
log.debug("Store view roles for " + artifactPath + " : " + publisherAccessRoles.toString());
}
authorizationManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.authorizeRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
}
}
if (registryResource != null) {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, publisherAccessRoles.toString());
registry.put(artifactPath, registryResource);
}
} catch (UserStoreException e) {
throw new APIManagementException("Error while adding role permissions to API", e);
} catch (RegistryException e) {
throw new APIManagementException("Registry exception while adding role permissions to API", e);
}
}
Also used :
Resource(org.wso2.carbon.registry.core.Resource)
APIProductResource(org.wso2.carbon.apimgt.api.model.APIProductResource)
APIResource(org.wso2.carbon.apimgt.api.doc.model.APIResource)
RegistryException(org.wso2.carbon.registry.core.exceptions.RegistryException)
Endpoint(org.wso2.carbon.governance.api.endpoints.dataobjects.Endpoint)
APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException)
RegistryAuthorizationManager(org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager)
UserStoreException(org.wso2.carbon.user.api.UserStoreException)
Example 7 with RegistryAuthorizationManager
use of org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager in project carbon-apimgt by wso2.
the class AbstractAPIManagerTestCase method testConstructor.
@Test
public void testConstructor() throws Exception {
ServiceReferenceHolderMockCreator holderMockCreator = new ServiceReferenceHolderMockCreator(1);
ServiceReferenceHolderMockCreator.initContextService();
holderMockCreator.initRegistryServiceMockCreator(false, new Object());
RegistryAuthorizationManager registryAuthorizationManager = Mockito.mock(RegistryAuthorizationManager.class);
Mockito.doThrow(UserStoreException.class).doNothing().when(registryAuthorizationManager).authorizeRole(Mockito.anyString(), Mockito.anyString(), Mockito.anyString());
PowerMockito.whenNew(RegistryAuthorizationManager.class).withAnyArguments().thenReturn(registryAuthorizationManager);
PowerMockito.mockStatic(RegistryUtils.class);
PowerMockito.when(RegistryUtils.getAbsolutePath((RegistryContext) Mockito.any(), Mockito.anyString())).thenReturn("/test");
try {
new AbstractAPIManager(null) {
@Override
public String getGraphqlSchema(APIIdentifier apiId) throws APIManagementException {
return null;
}
@Override
public API getLightweightAPIByUUID(String uuid, String organization) throws APIManagementException {
return null;
}
@Override
public Map<String, Object> searchPaginatedAPIs(String searchQuery, String organization, int start, int end, String sortBy, String sortOrder) throws APIManagementException {
return null;
}
@Override
public Map<String, Object> searchPaginatedContent(String searchQuery, String tenantDomain, int start, int end) throws APIManagementException {
return null;
}
};
Assert.fail("User store exception not thrown for error scenario");
} catch (APIManagementException e) {
Assert.assertTrue(e.getMessage().contains("Error while setting the permissions"));
}
PowerMockito.mockStatic(APIUtil.class);
PowerMockito.doNothing().when(APIUtil.class, "loadTenantRegistry", Mockito.anyInt());
PowerMockito.mockStatic(MultitenantUtils.class);
PowerMockito.when(MultitenantUtils.getTenantDomain(Mockito.anyString())).thenReturn(SAMPLE_TENANT_DOMAIN_1);
String userName = "admin";
Mockito.verify(holderMockCreator.getRegistryServiceMockCreator().getMock().getConfigSystemRegistry(Mockito.anyInt()), Mockito.atLeastOnce());
}
Also used :
APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException)
RegistryAuthorizationManager(org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager)
UserStoreException(org.wso2.carbon.user.core.UserStoreException)
APIIdentifier(org.wso2.carbon.apimgt.api.model.APIIdentifier)
Test(org.junit.Test)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Example 8 with RegistryAuthorizationManager
use of org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager in project carbon-apimgt by wso2.
the class RegistryPersistenceUtil method getAuthorizedRoles.
public static String[] getAuthorizedRoles(String apiPath, String tenantDomain) throws UserStoreException {
String resourcePath = RegistryUtils.getAbsolutePath(RegistryContext.getBaseInstance(), getMountedPath(RegistryContext.getBaseInstance(), RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH) + apiPath);
if (!MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
int tenantId = ServiceReferenceHolder.getInstance().getRealmService().getTenantManager().getTenantId(tenantDomain);
AuthorizationManager authManager = ServiceReferenceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
return authManager.getAllowedRolesForResource(resourcePath, ActionConstants.GET);
} else {
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
return authorizationManager.getAllowedRolesForResource(resourcePath, ActionConstants.GET);
}
}
Also used :
RegistryAuthorizationManager(org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager)
RegistryAuthorizationManager(org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager)
AuthorizationManager(org.wso2.carbon.user.api.AuthorizationManager)
Example 9 with RegistryAuthorizationManager
use of org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager in project carbon-apimgt by wso2.
the class RegistryPersistenceUtil method setResourcePermissions.
/**
* This function is to set resource permissions based on its visibility
*
* @param visibility API/Product visibility
* @param roles Authorized roles
* @param artifactPath API/Product resource path
* @param registry Registry
* @throws APIManagementException Throwing exception
*/
public static void setResourcePermissions(String username, String visibility, String[] roles, String artifactPath, Registry registry) throws APIManagementException {
try {
String resourcePath = RegistryUtils.getAbsolutePath(RegistryContext.getBaseInstance(), getMountedPath(RegistryContext.getBaseInstance(), RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH) + artifactPath);
Resource registryResource = null;
if (registry != null && registry.resourceExists(artifactPath)) {
registryResource = registry.get(artifactPath);
}
StringBuilder publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
if (registryResource != null) {
String publisherRole = registryResource.getProperty(APIConstants.PUBLISHER_ROLES);
if (publisherRole != null) {
publisherAccessRoles = new StringBuilder(publisherRole);
}
if (StringUtils.isEmpty(publisherAccessRoles.toString())) {
publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
}
if (APIConstants.API_GLOBAL_VISIBILITY.equalsIgnoreCase(visibility) || APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, APIConstants.NULL_USER_ROLE_LIST);
// set publisher
publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
// access roles null since store visibility is global. We do not need to add any roles to
// store_view_role property.
} else {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, publisherAccessRoles.toString());
}
}
String tenantDomain = MultitenantUtils.getTenantDomain(PersistenceUtil.replaceEmailDomainBack(username));
if (!org.wso2.carbon.utils.multitenancy.MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
int tenantId = ServiceReferenceHolder.getInstance().getRealmService().getTenantManager().getTenantId(tenantDomain);
// calculate resource path
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
resourcePath = authorizationManager.computePathOnMount(resourcePath);
org.wso2.carbon.user.api.AuthorizationManager authManager = ServiceReferenceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
if (visibility != null && APIConstants.API_RESTRICTED_VISIBILITY.equalsIgnoreCase(visibility)) {
boolean isRoleEveryOne = false;
/*If no roles have defined, authorize for everyone role */
if (roles != null) {
if (roles.length == 1 && "".equals(roles[0])) {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
isRoleEveryOne = true;
} else {
for (String role : roles) {
if (APIConstants.EVERYONE_ROLE.equalsIgnoreCase(role.trim())) {
isRoleEveryOne = true;
}
authManager.authorizeRole(role.trim(), resourcePath, ActionConstants.GET);
publisherAccessRoles.append(",").append(role.trim().toLowerCase());
}
}
}
if (!isRoleEveryOne) {
authManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
}
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.DOC_OWNER_VISIBILITY.equalsIgnoreCase(visibility)) {
/*If no roles have defined, deny access for everyone & anonymous role */
if (roles == null) {
authManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else {
for (String role : roles) {
authManager.denyRole(role.trim(), resourcePath, ActionConstants.GET);
}
}
} else {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.authorizeRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
}
} else {
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
if (visibility != null && APIConstants.API_RESTRICTED_VISIBILITY.equalsIgnoreCase(visibility)) {
boolean isRoleEveryOne = false;
if (roles != null) {
for (String role : roles) {
if (APIConstants.EVERYONE_ROLE.equalsIgnoreCase(role.trim())) {
isRoleEveryOne = true;
}
authorizationManager.authorizeRole(role.trim(), resourcePath, ActionConstants.GET);
publisherAccessRoles.append(",").append(role.toLowerCase());
}
}
if (!isRoleEveryOne) {
authorizationManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
}
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
authorizationManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.DOC_OWNER_VISIBILITY.equalsIgnoreCase(visibility)) {
/*If no roles have defined, deny access for everyone & anonymous role */
if (roles == null) {
authorizationManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else {
for (String role : roles) {
authorizationManager.denyRole(role.trim(), resourcePath, ActionConstants.GET);
}
}
} else {
if (log.isDebugEnabled()) {
log.debug("Store view roles for " + artifactPath + " : " + publisherAccessRoles.toString());
}
authorizationManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.authorizeRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
}
}
if (registryResource != null) {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, publisherAccessRoles.toString());
registry.put(artifactPath, registryResource);
}
} catch (UserStoreException e) {
throw new APIManagementException("Error while adding role permissions to API", e);
} catch (RegistryException e) {
throw new APIManagementException("Registry exception while adding role permissions to API", e);
}
}
Also used :
AuthorizationManager(org.wso2.carbon.user.api.AuthorizationManager)
Resource(org.wso2.carbon.registry.core.Resource)
RegistryException(org.wso2.carbon.registry.core.exceptions.RegistryException)
APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException)
RegistryAuthorizationManager(org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager)
UserStoreException(org.wso2.carbon.user.api.UserStoreException)
Example 10 with RegistryAuthorizationManager
use of org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager in project carbon-apimgt by wso2.
the class RegistryPersistenceUtil method clearResourcePermissions.
/**
* This function is to set resource permissions based on its visibility
*
* @param artifactPath API/Product resource path
* @throws APIManagementException Throwing exception
*/
public static void clearResourcePermissions(String artifactPath, Identifier id, int tenantId) throws APIManagementException {
try {
String resourcePath = RegistryUtils.getAbsolutePath(RegistryContext.getBaseInstance(), getMountedPath(RegistryContext.getBaseInstance(), RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH) + artifactPath);
String tenantDomain = MultitenantUtils.getTenantDomain(replaceEmailDomainBack(id.getProviderName()));
if (!org.wso2.carbon.utils.multitenancy.MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
org.wso2.carbon.user.api.AuthorizationManager authManager = ServiceReferenceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
authManager.clearResourceAuthorizations(resourcePath);
} else {
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
authorizationManager.clearResourceAuthorizations(resourcePath);
}
} catch (UserStoreException e) {
throw new APIManagementException("Error while adding role permissions to API", e);
}
}
Also used :
AuthorizationManager(org.wso2.carbon.user.api.AuthorizationManager)
APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException)
RegistryAuthorizationManager(org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager)
UserStoreException(org.wso2.carbon.user.api.UserStoreException)
Aggregations
RegistryAuthorizationManager (org.wso2.carbon.registry.core.jdbc.realm.RegistryAuthorizationManager)12
APIManagementException (org.wso2.carbon.apimgt.api.APIManagementException)8
Resource (org.wso2.carbon.registry.core.Resource)7
AuthorizationManager (org.wso2.carbon.user.api.AuthorizationManager)6
UserStoreException (org.wso2.carbon.user.api.UserStoreException)6
RegistryException (org.wso2.carbon.registry.core.exceptions.RegistryException)4
Test (org.junit.Test)3
PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)3
APIIdentifier (org.wso2.carbon.apimgt.api.model.APIIdentifier)3
APIProductResource (org.wso2.carbon.apimgt.api.model.APIProductResource)3
RegistryService (org.wso2.carbon.registry.core.service.RegistryService)3
UserRegistry (org.wso2.carbon.registry.core.session.UserRegistry)3
File (java.io.File)2
FilenameFilter (java.io.FilenameFilter)2
IOException (java.io.IOException)2
APIResource (org.wso2.carbon.apimgt.api.doc.model.APIResource)2
API (org.wso2.carbon.apimgt.api.model.API)2
Documentation (org.wso2.carbon.apimgt.api.model.Documentation)2
SubscribedAPI (org.wso2.carbon.apimgt.api.model.SubscribedAPI)2
ImportExportAPI (org.wso2.carbon.apimgt.impl.importexport.ImportExportAPI)2
