use of org.wso2.carbon.user.api.Property in project carbon-apimgt by wso2.
the class APIUtil method setResourceProperties.
/**
* To set the resource properties to the API.
*
* @param api API that need to set the resource properties.
* @param registry Registry to get the resource from.
* @param artifactPath Path of the API artifact.
* @return Updated API.
* @throws RegistryException Registry Exception.
*/
private static API setResourceProperties(API api, Registry registry, String artifactPath) throws RegistryException {
Resource apiResource = registry.get(artifactPath);
Properties properties = apiResource.getProperties();
if (properties != null) {
Enumeration propertyNames = properties.propertyNames();
while (propertyNames.hasMoreElements()) {
String propertyName = (String) propertyNames.nextElement();
if (log.isDebugEnabled()) {
log.debug("API '" + api.getId().toString() + "' " + "has the property " + propertyName);
}
if (propertyName.startsWith(APIConstants.API_RELATED_CUSTOM_PROPERTIES_PREFIX)) {
api.addProperty(propertyName.substring(APIConstants.API_RELATED_CUSTOM_PROPERTIES_PREFIX.length()), apiResource.getProperty(propertyName));
}
}
}
api.setAccessControl(apiResource.getProperty(APIConstants.ACCESS_CONTROL));
String accessControlRoles = null;
String displayPublisherRoles = apiResource.getProperty(APIConstants.DISPLAY_PUBLISHER_ROLES);
if (displayPublisherRoles == null) {
String publisherRoles = apiResource.getProperty(APIConstants.PUBLISHER_ROLES);
if (publisherRoles != null) {
accessControlRoles = APIConstants.NULL_USER_ROLE_LIST.equals(apiResource.getProperty(APIConstants.PUBLISHER_ROLES)) ? null : apiResource.getProperty(APIConstants.PUBLISHER_ROLES);
}
} else {
accessControlRoles = APIConstants.NULL_USER_ROLE_LIST.equals(displayPublisherRoles) ? null : displayPublisherRoles;
}
api.setAccessControlRoles(accessControlRoles);
return api;
}
use of org.wso2.carbon.user.api.Property in project carbon-apimgt by wso2.
the class APIUtil method setResourceProperties.
/**
* To set the resource properties to the API Product.
*
* @param apiProduct API Product that need to set the resource properties.
* @param registry Registry to get the resource from.
* @param artifactPath Path of the API Product artifact.
* @return Updated API.
* @throws RegistryException Registry Exception.
*/
private static APIProduct setResourceProperties(APIProduct apiProduct, Registry registry, String artifactPath) throws RegistryException {
Resource productResource = registry.get(artifactPath);
Properties properties = productResource.getProperties();
if (properties != null) {
Enumeration propertyNames = properties.propertyNames();
while (propertyNames.hasMoreElements()) {
String propertyName = (String) propertyNames.nextElement();
if (log.isDebugEnabled()) {
log.debug("API Product '" + apiProduct.getId().toString() + "' " + "has the property " + propertyName);
}
if (propertyName.startsWith(APIConstants.API_RELATED_CUSTOM_PROPERTIES_PREFIX)) {
apiProduct.addProperty(propertyName.substring(APIConstants.API_RELATED_CUSTOM_PROPERTIES_PREFIX.length()), productResource.getProperty(propertyName));
}
}
}
apiProduct.setAccessControl(productResource.getProperty(APIConstants.ACCESS_CONTROL));
String accessControlRoles = null;
String displayPublisherRoles = productResource.getProperty(APIConstants.DISPLAY_PUBLISHER_ROLES);
if (displayPublisherRoles == null) {
String publisherRoles = productResource.getProperty(APIConstants.PUBLISHER_ROLES);
if (publisherRoles != null) {
accessControlRoles = APIConstants.NULL_USER_ROLE_LIST.equals(productResource.getProperty(APIConstants.PUBLISHER_ROLES)) ? null : productResource.getProperty(APIConstants.PUBLISHER_ROLES);
}
} else {
accessControlRoles = APIConstants.NULL_USER_ROLE_LIST.equals(displayPublisherRoles) ? null : displayPublisherRoles;
}
apiProduct.setAccessControlRoles(accessControlRoles);
return apiProduct;
}
use of org.wso2.carbon.user.api.Property in project carbon-apimgt by wso2.
the class APIUtil method setResourcePermissions.
/**
* This function is to set resource permissions based on its visibility
*
* @param visibility API/Product visibility
* @param roles Authorized roles
* @param artifactPath API/Product resource path
* @param registry Registry
* @throws APIManagementException Throwing exception
*/
public static void setResourcePermissions(String username, String visibility, String[] roles, String artifactPath, Registry registry) throws APIManagementException {
try {
String resourcePath = RegistryUtils.getAbsolutePath(RegistryContext.getBaseInstance(), APIUtil.getMountedPath(RegistryContext.getBaseInstance(), RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH) + artifactPath);
Resource registryResource = null;
if (registry != null && registry.resourceExists(artifactPath)) {
registryResource = registry.get(artifactPath);
}
StringBuilder publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
if (registryResource != null) {
String publisherRole = registryResource.getProperty(APIConstants.PUBLISHER_ROLES);
if (publisherRole != null) {
publisherAccessRoles = new StringBuilder(publisherRole);
}
if (StringUtils.isEmpty(publisherAccessRoles.toString())) {
publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
}
if (APIConstants.API_GLOBAL_VISIBILITY.equalsIgnoreCase(visibility) || APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, APIConstants.NULL_USER_ROLE_LIST);
// set publisher
publisherAccessRoles = new StringBuilder(APIConstants.NULL_USER_ROLE_LIST);
// access roles null since store visibility is global. We do not need to add any roles to
// store_view_role property.
} else {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, publisherAccessRoles.toString());
}
}
String tenantDomain = MultitenantUtils.getTenantDomain(APIUtil.replaceEmailDomainBack(username));
if (!org.wso2.carbon.utils.multitenancy.MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
int tenantId = ServiceReferenceHolder.getInstance().getRealmService().getTenantManager().getTenantId(tenantDomain);
// calculate resource path
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
resourcePath = authorizationManager.computePathOnMount(resourcePath);
org.wso2.carbon.user.api.AuthorizationManager authManager = ServiceReferenceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
if (visibility != null && APIConstants.API_RESTRICTED_VISIBILITY.equalsIgnoreCase(visibility)) {
boolean isRoleEveryOne = false;
/*If no roles have defined, authorize for everyone role */
if (roles != null) {
if (roles.length == 1 && "".equals(roles[0])) {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
isRoleEveryOne = true;
} else {
for (String role : roles) {
if (APIConstants.EVERYONE_ROLE.equalsIgnoreCase(role.trim())) {
isRoleEveryOne = true;
}
authManager.authorizeRole(role.trim(), resourcePath, ActionConstants.GET);
publisherAccessRoles.append(",").append(role.trim().toLowerCase());
}
}
}
if (!isRoleEveryOne) {
authManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
}
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.DOC_OWNER_VISIBILITY.equalsIgnoreCase(visibility)) {
/*If no roles have defined, deny access for everyone & anonymous role */
if (roles == null) {
authManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else {
for (String role : roles) {
authManager.denyRole(role.trim(), resourcePath, ActionConstants.GET);
}
}
} else {
authManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authManager.authorizeRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
}
} else {
RegistryAuthorizationManager authorizationManager = new RegistryAuthorizationManager(ServiceReferenceHolder.getUserRealm());
if (visibility != null && APIConstants.API_RESTRICTED_VISIBILITY.equalsIgnoreCase(visibility)) {
boolean isRoleEveryOne = false;
if (roles != null) {
for (String role : roles) {
if (APIConstants.EVERYONE_ROLE.equalsIgnoreCase(role.trim())) {
isRoleEveryOne = true;
}
authorizationManager.authorizeRole(role.trim(), resourcePath, ActionConstants.GET);
publisherAccessRoles.append(",").append(role.toLowerCase());
}
}
if (!isRoleEveryOne) {
authorizationManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
}
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.API_PRIVATE_VISIBILITY.equalsIgnoreCase(visibility)) {
authorizationManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else if (visibility != null && APIConstants.DOC_OWNER_VISIBILITY.equalsIgnoreCase(visibility)) {
/*If no roles have defined, deny access for everyone & anonymous role */
if (roles == null) {
authorizationManager.denyRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.denyRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
} else {
for (String role : roles) {
authorizationManager.denyRole(role.trim(), resourcePath, ActionConstants.GET);
}
}
} else {
if (log.isDebugEnabled()) {
log.debug("Store view roles for " + artifactPath + " : " + publisherAccessRoles.toString());
}
authorizationManager.authorizeRole(APIConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
authorizationManager.authorizeRole(APIConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
}
}
if (registryResource != null) {
registryResource.setProperty(APIConstants.STORE_VIEW_ROLES, publisherAccessRoles.toString());
registry.put(artifactPath, registryResource);
}
} catch (UserStoreException e) {
throw new APIManagementException("Error while adding role permissions to API", e);
} catch (RegistryException e) {
throw new APIManagementException("Registry exception while adding role permissions to API", e);
}
}
use of org.wso2.carbon.user.api.Property in project carbon-apimgt by wso2.
the class APIUtil method getActualEpPswdFromHiddenProperty.
/**
* This method is used to get the actual endpoint password of an API from the hidden property
* in the case where the handler APIEndpointPasswordRegistryHandler is enabled in registry.xml
*
* @param api The API
* @param registry The registry object
* @return The actual password of the endpoint if exists
* @throws RegistryException Throws if the api resource doesn't exist
*/
private static String getActualEpPswdFromHiddenProperty(API api, Registry registry) throws RegistryException {
String apiPath = APIUtil.getAPIPath(api.getId());
Resource apiResource = registry.get(apiPath);
return apiResource.getProperty(APIConstants.REGISTRY_HIDDEN_ENDPOINT_PROPERTY);
}
use of org.wso2.carbon.user.api.Property in project carbon-apimgt by wso2.
the class SystemScopesIssuer method getScopes.
/**
* This method is used to retrieve the authorized scopes with respect to a token.
*
* @param tokReqMsgCtx token message context
* @return authorized scopes list
*/
public List<String> getScopes(OAuthTokenReqMessageContext tokReqMsgCtx) {
List<String> authorizedScopes = null;
List<String> requestedScopes = new ArrayList<>(Arrays.asList(tokReqMsgCtx.getScope()));
String clientId = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId();
AuthenticatedUser authenticatedUser = tokReqMsgCtx.getAuthorizedUser();
Map<String, String> appScopes = getAppScopes(clientId, authenticatedUser, requestedScopes);
if (appScopes != null) {
// If no scopes can be found in the context of the application
if (isAppScopesEmpty(appScopes, clientId)) {
return getAllowedScopes(requestedScopes);
}
String grantType = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getGrantType();
String[] userRoles = null;
// If GrantType is SAML20_BEARER and CHECK_ROLES_FROM_SAML_ASSERTION is true, or if GrantType is
// JWT_BEARER and retrieveRolesFromUserStoreForScopeValidation system property is true,
// use user roles from assertion or jwt otherwise use roles from userstore.
String isSAML2Enabled = System.getProperty(APIConstants.SystemScopeConstants.CHECK_ROLES_FROM_SAML_ASSERTION);
String isRetrieveRolesFromUserStoreForScopeValidation = System.getProperty(APIConstants.SystemScopeConstants.RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION);
if (GrantType.SAML20_BEARER.toString().equals(grantType) && Boolean.parseBoolean(isSAML2Enabled)) {
authenticatedUser.setUserStoreDomain("FEDERATED");
tokReqMsgCtx.setAuthorizedUser(authenticatedUser);
Assertion assertion = (Assertion) tokReqMsgCtx.getProperty(APIConstants.SystemScopeConstants.SAML2_ASSERTION);
userRoles = getRolesFromAssertion(assertion);
} else if (APIConstants.SystemScopeConstants.OAUTH_JWT_BEARER_GRANT_TYPE.equals(grantType) && !(Boolean.parseBoolean(isRetrieveRolesFromUserStoreForScopeValidation))) {
configureForJWTGrant(tokReqMsgCtx);
Map<ClaimMapping, String> userAttributes = authenticatedUser.getUserAttributes();
if (tokReqMsgCtx.getProperty(APIConstants.SystemScopeConstants.ROLE_CLAIM) != null) {
userRoles = getRolesFromUserAttribute(userAttributes, tokReqMsgCtx.getProperty(APIConstants.SystemScopeConstants.ROLE_CLAIM).toString());
}
} else {
userRoles = getUserRoles(authenticatedUser);
}
authorizedScopes = getAuthorizedScopes(userRoles, requestedScopes, appScopes);
}
return authorizedScopes;
}
Aggregations