.getAuthorizationManager(); if (GET_RECEIPT.equals(operation)) { authorized = authorizationManager.isUserAuthorized(tenantAwareUsername, PERMISSION_CONSENT_MGT_VIEW, UI_PERMISSION_ACTION); } else if (LIST_RECEIPT.equals(operation)) { authorized = authorizationManager.isUserAuthorized(tenantAwareUsername, PERMISSION_CONSENT_MGT_LIST, UI_PERMISSION_ACTION); } else if (REVOKE_RECEIPT.equals(operation)) { authorized = authorizationManager.isUserAuthorized(tenantAwareUsername, PERMISSION_CONSENT_MGT_DELETE, UI_PERMISSION_ACTION);
String loggedInUser = CarbonContext.getThreadLocalCarbonContext().getUsername(); try { if (!userRealm.getAuthorizationManager().isUserAuthorized( loggedInUser, topicResourcePath, EventBrokerConstants.EB_PERMISSION_CHANGE_PERMISSION)) { role = topicRolePermission.getRoleName(); if (topicRolePermission.isAllowedToSubscribe()) { if (!userRealm.getAuthorizationManager().isRoleAuthorized( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_SUBSCRIBE)) { userRealm.getAuthorizationManager().authorizeRole( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_SUBSCRIBE); if (userRealm.getAuthorizationManager().isRoleAuthorized( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_SUBSCRIBE)) { userRealm.getAuthorizationManager().denyRole( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_SUBSCRIBE); if (!userRealm.getAuthorizationManager().isRoleAuthorized( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_PUBLISH)) { userRealm.getAuthorizationManager().authorizeRole( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_PUBLISH); if (userRealm.getAuthorizationManager().isRoleAuthorized( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_PUBLISH)) { userRealm.getAuthorizationManager().denyRole( role, topicResourcePath, EventBrokerConstants.EB_PERMISSION_PUBLISH);
/**
 * Revokes the invoke-service permission from every role currently allowed on the
 * given service, so no role keeps access once the service is gone.
 *
 * @param userRealm      realm whose authorization manager holds the permissions
 * @param serviceGroupId service group the service belongs to
 * @param serviceName    name of the service within that group
 * @throws UserStoreException if the authorization manager cannot be queried or updated
 */
private void removeAuthorization(UserRealm userRealm, String serviceGroupId, String serviceName)
        throws UserStoreException {
    AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();
    String resourceName = serviceGroupId + "/" + serviceName;
    String[] allowedRoles = authorizationManager.getAllowedRolesForResource(
            resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION);
    // A null result means no role is currently allowed; nothing to clear.
    if (allowedRoles == null) {
        return;
    }
    for (String allowedRole : allowedRoles) {
        authorizationManager.clearRoleAuthorization(
                allowedRole, resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION);
    }
}
/**
 * Grants the registry anonymous role read (GET) access to the API image collection
 * in the super-tenant realm, unless it already has it.
 *
 * @throws AppManagementException if the super-tenant realm or its authorization
 *                                manager cannot be reached or updated
 */
private void setupImagePermissions() throws AppManagementException {
    String imageLocation =
            RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH + AppMConstants.API_IMAGE_LOCATION;
    try {
        AuthorizationManager authorizationManager = ServiceReferenceHolder.getInstance()
                .getRealmService()
                .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID)
                .getAuthorizationManager();
        boolean alreadyGranted = authorizationManager.isRoleAuthorized(
                CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME, imageLocation, ActionConstants.GET);
        // Open question left by the original author: can this anonymous grant be removed?
        if (!alreadyGranted) {
            authorizationManager.authorizeRole(
                    CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME, imageLocation, ActionConstants.GET);
        }
    } catch (UserStoreException e) {
        throw new AppManagementException("Error while setting up permissions for image collection", e);
    }
}
/**
 * Grants or revokes read access to an application for a single user by acting on
 * that user's private role ({@code Internal/private_<username>}).
 *
 * @param appPath  registry path of the application
 * @param username user whose private role is updated
 * @param opType   {@code "ALLOW"} to grant GET, {@code "DENY"} to deny GET (case-insensitive)
 * @return {@code true} when a grant or deny was applied; {@code false} for any other
 *         {@code opType} or when the user store reports an error (which is logged)
 */
public boolean showAppVisibilityToUser(String appPath, String username, String opType) {
    String privateRole = "Internal/private_" + username;
    boolean allow = "ALLOW".equalsIgnoreCase(opType);
    boolean deny = !allow && "DENY".equalsIgnoreCase(opType);
    // Unknown operation: no realm lookup, no change.
    if (!allow && !deny) {
        return false;
    }
    try {
        org.wso2.carbon.user.api.UserRealm realm =
                PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm();
        if (allow) {
            realm.getAuthorizationManager().authorizeRole(privateRole, appPath, ActionConstants.GET);
        } else {
            realm.getAuthorizationManager().denyRole(privateRole, appPath, ActionConstants.GET);
        }
        return true;
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        log.error("Error while updating visibility of mobile app at " + appPath, e);
        return false;
    }
}
}
if (!authManager.isUserAuthorized(username, resourcePath, "authorize")) { !StringUtils.isBlank(appArtifact.getAttribute("overview_visibleRoles"))) { authManager.denyRole(AppMConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET); authManager.denyRole(AppMConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
checkAuthorized = manager.isRoleAuthorized(AppMConstants.ANONYMOUS_ROLE, path, ActionConstants.GET); } else { checkAuthorized = manager.isUserAuthorized(userNameWithoutDomain, path, ActionConstants.GET);
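/**
 * Grants the given role the "authorize", PUT, DELETE and GET actions on the
 * appmgt/applicationdata registry collection.
 *
 * @param roleName  role to grant the permissions to
 * @param userRealm realm whose authorization manager receives the grants
 * @throws AppManagementException if a grant fails in the user store; grants already
 *                                applied earlier in the sequence are not rolled back
 */
public static void applyRolePermissionToCollection(String roleName,
                                                   org.wso2.carbon.user.api.UserRealm userRealm)
        throws AppManagementException {
    // TODO: Merge different resource loading methods and create a single method.
    String collectionPath = RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH
            + AppMConstants.APPMGT_APPLICATION_DATA_LOCATION;
    // Grant order preserved from the original: the literal "authorize" action first.
    String[] actions = {"authorize", ActionConstants.PUT, ActionConstants.DELETE, ActionConstants.GET};
    try {
        // Resolve the manager once instead of once per action.
        org.wso2.carbon.user.api.AuthorizationManager authorizationManager =
                userRealm.getAuthorizationManager();
        for (String action : actions) {
            authorizationManager.authorizeRole(roleName, collectionPath, action);
        }
    } catch (UserStoreException e) {
        throw new AppManagementException(
                "Error while adding permissions for appmgt/applicationdata collection for role " + roleName, e);
    }
}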
.getTenantUserRealm(tenantId) .getAuthorizationManager(); authManager.clearResourceAuthorizations(resourcePath); authManager.authorizeRole(AppMConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET); isRoleEveryOne = true; isRoleEveryOne = true; authManager.authorizeRole(role, resourcePath, ActionConstants.GET); authManager.denyRole(AppMConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET); authManager.denyRole(AppMConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET); } else { authManager.authorizeRole(AppMConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET); authManager.authorizeRole(AppMConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
.getAuthorizationManager(); String[] allowedRoles = authManager.getAllowedRolesForResource(sourceResourcePath, ActionConstants.GET); authManager.authorizeRole(allowedRole, targetResourcePath, ActionConstants.GET);
authorizationManager.clearRoleActionOnAllResources(roleName, UserMgtConstants.EXECUTE_ACTION); for (String permission : optimizedList) { authorizationManager.authorizeRole(roleName, permission, UserMgtConstants.EXECUTE_ACTION); authorizationManager.authorizeRole(roleName, "/", "add"); authorizationManager.authorizeRole(roleName, "/", "get"); authorizationManager.authorizeRole(roleName, "/", "delete");
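/**
 * Returns the roles matching {@code filter} that hold {@code permission} for the
 * execute action, in the tenant of the current thread-local Carbon context.
 *
 * <p>The array from {@code getAllRolesNames} is assumed to end with a trailing element
 * that is not a role (presumably a count marker); it is passed through without a
 * permission check, as in the original implementation — confirm against the proxy.
 *
 * @param filter     role-name filter passed to the user admin proxy
 * @param permission permission resource path each role is checked against
 * @param limit      maximum number of roles to retrieve
 * @return permitted roles followed by the trailing element; an empty array when the
 *         proxy returns nothing
 * @throws UserAdminException if the tenant realm or authorization manager cannot be queried
 */
public FlaggedName[] getAllPermittedRoleNames(String filter, String permission, int limit)
        throws UserAdminException {
    FlaggedName[] roles = getUserAdminProxy().getAllRolesNames(filter, limit);
    // The original indexed roles[roles.length - 1] unconditionally and would throw on a
    // null or empty result; return an empty array instead.
    if (roles == null || roles.length == 0) {
        return new FlaggedName[0];
    }
    List<FlaggedName> permittedRoles = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService()
                .getTenantUserRealm(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        // The last element is excluded from the check and appended below.
        for (int i = 0; i < roles.length - 1; i++) {
            if (authorizationManager.isRoleAuthorized(roles[i].getItemName(), permission,
                    UserMgtConstants.EXECUTE_ACTION)) {
                permittedRoles.add(roles[i]);
            }
        }
        permittedRoles.add(roles[roles.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized roles.", e);
    }
    return permittedRoles.toArray(new FlaggedName[0]);
}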
AppManagerUtil.getMountedPath(RegistryContext.getBaseInstance(), RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH) + AppMConstants.EXTERNAL_APP_STORES_LOCATION); authManager.denyRole(AppMConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET);
if (!authManager.isUserAuthorized(MultitenantUtils.getTenantAwareUsername(AppManagerUtil.replaceEmailDomainBack(username)), resourcePath, "authorize")) { !StringUtils.isBlank(appArtifact.getAttribute("overview_visibleRoles"))) { authManager.denyRole(AppMConstants.EVERYONE_ROLE, resourcePath, ActionConstants.GET); authManager.denyRole(AppMConstants.ANONYMOUS_ROLE, resourcePath, ActionConstants.GET);
userRealm.getAuthorizationManager().authorizeRole( roleName, destinationId, EventBrokerConstants.EB_PERMISSION_SUBSCRIBE); userRealm.getAuthorizationManager().authorizeRole( roleName, destinationId, EventBrokerConstants.EB_PERMISSION_PUBLISH); userRealm.getAuthorizationManager().authorizeRole( roleName, destinationId, EventBrokerConstants.EB_PERMISSION_CHANGE_PERMISSION);
/**
 * Makes an uploaded file readable (GET) by the registry anonymous role in the
 * super-tenant realm.
 *
 * @param filePath registry path of the uploaded file; a leading
 *                 {@code /registry/resource/} prefix is stripped before use
 * @throws org.wso2.carbon.appmgt.api.AppManagementException if the super-tenant realm
 *         cannot be reached or the permission cannot be set
 */
public static void setFilePermission(String filePath) throws AppManagementException {
    // Only the first occurrence of the prefix is removed, as in the original.
    String resourcePath = filePath.replaceFirst("/registry/resource/", "");
    try {
        AuthorizationManager authorizationManager = ServiceReferenceHolder.getInstance()
                .getRealmService()
                .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID)
                .getAuthorizationManager();
        if (authorizationManager.isRoleAuthorized(
                CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME, resourcePath, ActionConstants.GET)) {
            return;
        }
        authorizationManager.authorizeRole(
                CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME, resourcePath, ActionConstants.GET);
    } catch (UserStoreException e) {
        throw new AppManagementException("Error while setting up permissions for file location", e);
    }
}
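/**
 * Returns the roles matching {@code filter} that hold {@code permission} for the
 * execute action, in the tenant of the current thread-local Carbon context.
 *
 * <p>The array from {@code getAllRolesNames} is assumed to end with a trailing element
 * that is not a role (presumably a count marker); it is passed through without a
 * permission check, as in the original implementation — confirm against the proxy.
 *
 * @param filter     role-name filter passed to the user admin proxy
 * @param permission permission resource path each role is checked against
 * @param limit      maximum number of roles to retrieve
 * @return permitted roles followed by the trailing element; an empty array when the
 *         proxy returns nothing
 * @throws UserAdminException if the tenant realm or authorization manager cannot be queried
 */
public FlaggedName[] getAllPermittedRoleNames(String filter, String permission, int limit)
        throws UserAdminException {
    FlaggedName[] roles = getUserAdminProxy().getAllRolesNames(filter, limit);
    // The original indexed roles[roles.length - 1] unconditionally and would throw on a
    // null or empty result; return an empty array instead.
    if (roles == null || roles.length == 0) {
        return new FlaggedName[0];
    }
    List<FlaggedName> permittedRoles = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService()
                .getTenantUserRealm(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        // The last element is excluded from the check and appended below.
        for (int i = 0; i < roles.length - 1; i++) {
            if (authorizationManager.isRoleAuthorized(roles[i].getItemName(), permission,
                    UserMgtConstants.EXECUTE_ACTION)) {
                permittedRoles.add(roles[i]);
            }
        }
        permittedRoles.add(roles[roles.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized roles.", e);
    }
    return permittedRoles.toArray(new FlaggedName[0]);
}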
/**
 * Checks whether {@code username} holds {@code permission} for the UI permission
 * action in the realm of {@code tenantId}.
 *
 * @param tenantId   tenant whose realm is consulted
 * @param username   user name; any tenant-domain suffix is stripped before the check
 * @param permission permission resource path to check
 * @return {@code true} when the authorization manager reports the user as authorized
 * @throws AnalyticsException if the tenant realm or authorization manager cannot be queried
 */
public static boolean isUserAuthorized(int tenantId, String username, String permission)
        throws AnalyticsException {
    if (logger.isDebugEnabled()) {
        // Frame 2 is normally the method that invoked this check (0 = getStackTrace, 1 = here).
        String callerMethod = Thread.currentThread().getStackTrace()[2].getMethodName();
        logger.debug("User[" + username + "] calling method (" + callerMethod
                + ") with permission[" + permission + "]");
    }
    try {
        UserRealm userRealm = AnalyticsServiceHolder.getRealmService().getTenantUserRealm(tenantId);
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
        return userRealm.getAuthorizationManager()
                .isUserAuthorized(tenantAwareUsername, permission, CarbonConstants.UI_PERMISSION_ACTION);
    } catch (UserStoreException e) {
        throw new AnalyticsException("Unable to get user permission information for user[" + username
                + "] due to " + e.getMessage(), e);
    }
}
}
if (allowRoles != null) { for (String role : allowRoles) { manager.authorizeRole(role, resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION);
/**
 * Revokes the invoke-service permission from every role currently allowed on the
 * given service, so no role keeps access once the service is gone.
 *
 * @param userRealm      realm whose authorization manager holds the permissions
 * @param serviceGroupId service group the service belongs to
 * @param serviceName    name of the service within that group
 * @throws UserStoreException if the authorization manager cannot be queried or updated
 */
private void removeAuthorization(UserRealm userRealm, String serviceGroupId, String serviceName)
        throws UserStoreException {
    AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();
    String resourceName = serviceGroupId + "/" + serviceName;
    String[] allowedRoles = authorizationManager.getAllowedRolesForResource(
            resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION);
    // A null result means no role is currently allowed; nothing to clear.
    if (allowedRoles == null) {
        return;
    }
    for (String allowedRole : allowedRoles) {
        authorizationManager.clearRoleAuthorization(
                allowedRole, resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION);
    }
}