.getAuthorizationManager(); if (GET_RECEIPT.equals(operation)) { authorized = authorizationManager.isUserAuthorized(tenantAwareUsername, PERMISSION_CONSENT_MGT_VIEW, UI_PERMISSION_ACTION); } else if (LIST_RECEIPT.equals(operation)) { authorized = authorizationManager.isUserAuthorized(tenantAwareUsername, PERMISSION_CONSENT_MGT_LIST, UI_PERMISSION_ACTION); } else if (REVOKE_RECEIPT.equals(operation)) { authorized = authorizationManager.isUserAuthorized(tenantAwareUsername, PERMISSION_CONSENT_MGT_DELETE, UI_PERMISSION_ACTION);
/**
 * Checks whether {@code username} holds {@code permission} for the UI action in the
 * user realm of {@code tenantId}.
 *
 * <p>The user name is converted to its tenant-aware form before the lookup and the
 * check is made with {@code CarbonConstants.UI_PERMISSION_ACTION}.
 *
 * @param tenantId   id of the tenant whose user realm is consulted
 * @param username   user name, possibly tenant-qualified
 * @param permission permission resource path to check
 * @return {@code true} if the realm's authorization manager grants the permission
 * @throws AnalyticsException if the realm or its authorization data cannot be read
 */
public static boolean isUserAuthorized(int tenantId, String username, String permission)
        throws AnalyticsException {
    if (logger.isDebugEnabled()) {
        // Frame [2] of the stack trace is the caller of this method; only resolved under the debug guard.
        String callerMethod = Thread.currentThread().getStackTrace()[2].getMethodName();
        logger.debug("User[" + username + "] calling method (" + callerMethod
                + ") with permission[" + permission + "]");
    }
    try {
        UserRealm realm = AnalyticsServiceHolder.getRealmService().getTenantUserRealm(tenantId);
        String tenantAwareUser = MultitenantUtils.getTenantAwareUsername(username);
        return realm.getAuthorizationManager()
                .isUserAuthorized(tenantAwareUser, permission, CarbonConstants.UI_PERMISSION_ACTION);
    } catch (UserStoreException e) {
        throw new AnalyticsException("Unable to get user permission information for user["
                + username + "] due to " + e.getMessage(), e);
    }
}
}
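/**
 * Lists the users matching {@code filter} that hold {@code permission} for the
 * execute action, requesting at most {@code limit} users from the proxy.
 *
 * <p>Every entry but the last is filtered through the tenant's authorization
 * manager. The final entry returned by {@code listAllUsers} is passed through
 * without a check — presumably a paging/limit marker rather than a user; confirm
 * against the proxy before relying on it.
 *
 * @param filter     user name filter passed to the user admin proxy
 * @param permission permission resource path each user must hold
 * @param limit      maximum number of users requested from the proxy
 * @return the permitted users plus the proxy's trailing entry; an empty array when
 *         the proxy returns nothing, never {@code null}
 * @throws UserAdminException if the realm or authorization data cannot be read
 */
public FlaggedName[] listAllUsersWithPermission(String filter, String permission, int limit)
        throws UserAdminException {
    List<FlaggedName> permittedUsers = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService()
                .getTenantUserRealm(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        FlaggedName[] users = getUserAdminProxy().listAllUsers(filter, limit);
        // Guard the empty/null result: users[length - 1] below throws on an empty array.
        if (users == null || users.length == 0) {
            return new FlaggedName[0];
        }
        for (int i = 0; i < users.length - 1; i++) {
            if (authorizationManager.isUserAuthorized(users[i].getItemName(), permission,
                    UserMgtConstants.EXECUTE_ACTION)) {
                permittedUsers.add(users[i]);
            }
        }
        // Trailing entry is passed through without an authorization check.
        permittedUsers.add(users[users.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized users.", e);
    }
    return permittedUsers.toArray(new FlaggedName[0]);
}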
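/**
 * Lists the users matching {@code filter} that hold {@code permission} for the
 * execute action, requesting at most {@code limit} users from the proxy.
 *
 * <p>Every entry but the last is filtered through the tenant's authorization
 * manager. The final entry returned by {@code listAllUsers} is passed through
 * without a check — presumably a paging/limit marker rather than a user; confirm
 * against the proxy before relying on it.
 *
 * @param filter     user name filter passed to the user admin proxy
 * @param permission permission resource path each user must hold
 * @param limit      maximum number of users requested from the proxy
 * @return the permitted users plus the proxy's trailing entry; an empty array when
 *         the proxy returns nothing, never {@code null}
 * @throws UserAdminException if the realm or authorization data cannot be read
 */
public FlaggedName[] listAllUsersWithPermission(String filter, String permission, int limit)
        throws UserAdminException {
    List<FlaggedName> permittedUsers = new ArrayList<>();
    try {
        org.wso2.carbon.user.api.UserRealm realm = UserMgtDSComponent.getRealmService()
                .getTenantUserRealm(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        FlaggedName[] users = getUserAdminProxy().listAllUsers(filter, limit);
        // Guard the empty/null result: users[length - 1] below throws on an empty array.
        if (users == null || users.length == 0) {
            return new FlaggedName[0];
        }
        for (int i = 0; i < users.length - 1; i++) {
            if (authorizationManager.isUserAuthorized(users[i].getItemName(), permission,
                    UserMgtConstants.EXECUTE_ACTION)) {
                permittedUsers.add(users[i]);
            }
        }
        // Trailing entry is passed through without an authorization check.
        permittedUsers.add(users[users.length - 1]);
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserAdminException("Error while filtering authorized users.", e);
    }
    return permittedUsers.toArray(new FlaggedName[0]);
}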
// Authorization is resolved against the super tenant's realm (SUPER_TENANT_ID) rather than
// the caller's own tenant; NOTE(review): confirm this is intended for remote API invocation.
boolean authorized = ServiceHolder.getRealmService(). getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID). getAuthorizationManager().isUserAuthorized(username, AnalyticsAPIConstants.ANALYTICS_REMOTE_API_INVOCATION_PERMISSION, CarbonConstants.UI_PERMISSION_ACTION);
FlaggedName[] users = getUserAdminProxy().listUsers(claimValue, filter, maxLimit); for (int i = 0; i < users.length - 1; i++) { if (authorizationManager.isUserAuthorized(users[i].getItemName(), permission, UserMgtConstants.EXECUTE_ACTION)) { permittedUsers.add(users[i]);
FlaggedName[] users = getUserAdminProxy().listUsers(claimValue, filter, maxLimit); for (int i = 0; i < users.length - 1; i++) { if (authorizationManager.isUserAuthorized(users[i].getItemName(), permission, UserMgtConstants.EXECUTE_ACTION)) { permittedUsers.add(users[i]);
/**
 * Checks whether the given tenant-aware user holds the identity management admin
 * permission ({@code /permission/admin/manage/identity}) in the realm of
 * {@code tenantDomain}.
 *
 * @param tenantAwareUserName user name without the tenant domain suffix
 * @param tenantDomain        tenant whose realm is consulted
 * @return {@code true} if the authorization manager grants the permission
 * @throws IdentityRecoveryException if the realm or authorization data cannot be read
 */
private boolean isUserAuthorized(String tenantAwareUserName, String tenantDomain)
        throws IdentityRecoveryException {
    int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
    try {
        AuthorizationManager authzManager = IdentityRecoveryServiceDataHolder.getInstance()
                .getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
        return authzManager.isUserAuthorized(tenantAwareUserName,
                "/permission/admin/manage/identity", CarbonConstants.UI_PERMISSION_ACTION);
    } catch (UserStoreException e) {
        throw new IdentityRecoveryServerException("Error occurred while checking access level for "
                + "user " + tenantAwareUserName + " in tenant " + tenantDomain, e);
    }
}
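/**
 * Registers {@code subscription} after checking that its owner may subscribe to
 * the topic.
 *
 * <p>Any {@code @domain} suffix is removed from the owner name before the check.
 * The registry system user name bypasses the authorization manager entirely.
 *
 * @param subscription subscription to add; its owner and topic name are read
 * @throws EventBrokerException if the owner is missing or not authorized, or the
 *                              user store cannot be accessed
 */
public void subscribe(Subscription subscription) throws EventBrokerException {
    String resourcePath = JavaUtil.getResourcePath(subscription.getTopicName(), this.topicStoragePath);
    try {
        UserRealm userRealm = EventBrokerHolder.getInstance().getRealmService()
                .getTenantUserRealm(CarbonContext.getThreadLocalCarbonContext().getTenantId());
        String userName = subscription.getOwner();
        // Fail closed on a missing owner instead of throwing NPE from lastIndexOf below.
        if (userName == null) {
            throw new EventBrokerException("User " + CarbonContext.getThreadLocalCarbonContext().getUsername()
                    + " is not allowed to subscribes to " + subscription.getTopicName());
        }
        // trim the domain part if it is there.
        int domainSeparator = userName.lastIndexOf("@");
        if (domainSeparator != -1) {
            userName = userName.substring(0, domainSeparator);
        }
        // NOTE(review): the owner comes from the Subscription object; confirm it is set server-side
        // from the authenticated caller, since the system-user name skips the permission check.
        if (userName.equals(CarbonConstants.REGISTRY_SYSTEM_USERNAME)
                || userRealm.getAuthorizationManager().isUserAuthorized(userName, resourcePath,
                        EventBrokerConstants.EB_PERMISSION_SUBSCRIBE)) {
            getMatchingManager().addSubscription(subscription);
        } else {
            throw new EventBrokerException("User " + CarbonContext.getThreadLocalCarbonContext().getUsername()
                    + " is not allowed to subscribes to " + subscription.getTopicName());
        }
    } catch (UserStoreException e) {
        throw new EventBrokerException("Can not access the user store manager", e);
    }
}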
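/**
 * Registers {@code subscription} after checking that its owner may subscribe to
 * the topic.
 *
 * <p>Any {@code @domain} suffix is removed from the owner name before the check.
 * The registry system user name bypasses the authorization manager entirely.
 *
 * @param subscription subscription to add; its owner and topic name are read
 * @throws EventBrokerException if the owner is missing or not authorized, or the
 *                              user store cannot be accessed
 */
public void subscribe(Subscription subscription) throws EventBrokerException {
    String resourcePath = JavaUtil.getResourcePath(subscription.getTopicName(), this.topicStoragePath);
    try {
        UserRealm userRealm = EventBrokerHolder.getInstance().getRealmService()
                .getTenantUserRealm(CarbonContext.getThreadLocalCarbonContext().getTenantId());
        String userName = subscription.getOwner();
        // Fail closed on a missing owner instead of throwing NPE from lastIndexOf below.
        if (userName == null) {
            throw new EventBrokerException("User " + CarbonContext.getThreadLocalCarbonContext().getUsername()
                    + " is not allowed to subscribes to " + subscription.getTopicName());
        }
        // trim the domain part if it is there.
        int domainSeparator = userName.lastIndexOf("@");
        if (domainSeparator != -1) {
            userName = userName.substring(0, domainSeparator);
        }
        // NOTE(review): the owner comes from the Subscription object; confirm it is set server-side
        // from the authenticated caller, since the system-user name skips the permission check.
        if (userName.equals(CarbonConstants.REGISTRY_SYSTEM_USERNAME)
                || userRealm.getAuthorizationManager().isUserAuthorized(userName, resourcePath,
                        EventBrokerConstants.EB_PERMISSION_SUBSCRIBE)) {
            this.matchingManager.addSubscription(subscription);
        } else {
            throw new EventBrokerException("User " + CarbonContext.getThreadLocalCarbonContext().getUsername()
                    + " is not allowed to subscribes to " + subscription.getTopicName());
        }
    } catch (UserStoreException e) {
        // Keep the user-store failure as the cause; it was previously dropped.
        throw new EventBrokerException("Can not access the user store manager", e);
    }
}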
/**
 * Decides whether the user named in {@code authorizationContext} holds the
 * context's permission string in the realm of the user's own tenant.
 *
 * <p>The result starts as {@code DENY} and is upgraded to {@code GRANT} only when
 * the tenant's authorization manager confirms the permission for the UI action,
 * so any failure leaves the caller denied.
 *
 * @param authorizationContext carries the user name and the permission string
 * @return result holding {@code GRANT} or {@code DENY}
 * @throws AuthzServiceServerException if the user realm cannot be consulted
 */
public AuthorizationResult handleAuthorization(AuthorizationContext authorizationContext)
        throws AuthzServiceServerException {
    AuthorizationResult result = new AuthorizationResult(AuthorizationStatus.DENY);
    try {
        String userName = authorizationContext.getUserName();
        int tenantId = IdentityTenantUtil.getTenantIdOfUser(userName);
        String permissionString = authorizationContext.getPermissionString();
        UserRealm tenantUserRealm = AuthorizationServiceHolder.getInstance().getRealmService()
                .getTenantUserRealm(tenantId);
        boolean granted = tenantUserRealm.getAuthorizationManager().isUserAuthorized(
                MultitenantUtils.getTenantAwareUsername(userName), permissionString,
                CarbonConstants.UI_PERMISSION_ACTION);
        if (granted) {
            result.setAuthorizationStatus(AuthorizationStatus.GRANT);
        }
    } catch (UserStoreException e) {
        String errorMessage = "Error occurred while trying to authorize, " + e.getMessage();
        log.error(errorMessage);
        throw new AuthzServiceServerException(errorMessage, e);
    }
    return result;
}
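/**
 * Delivers {@code message} to every subscription matching {@code topicName},
 * provided the current Carbon context user may publish to the topic.
 *
 * <p>A context with no user name is treated as the registry system user, and the
 * system user bypasses the authorization manager.
 *
 * @param message      message to deliver
 * @param topicName    topic the message is published to
 * @param deliveryMode delivery mode; not consulted by this method
 * @throws EventBrokerException if the user may not publish to the topic or the
 *                              user store cannot be accessed
 */
public void publish(Message message, String topicName, int deliveryMode) throws EventBrokerException {
    String resourcePath = JavaUtil.getResourcePath(topicName, this.topicStoragePath);
    try {
        UserRealm userRealm = EventBrokerHolder.getInstance().getRealmService()
                .getTenantUserRealm(CarbonContext.getThreadLocalCarbonContext().getTenantId());
        String userName = CarbonContext.getThreadLocalCarbonContext().getUsername();
        if (userName == null) {
            // NOTE(review): an unauthenticated context is promoted to the system user, which skips
            // the permission check below — confirm every caller path sets a user name.
            userName = CarbonConstants.REGISTRY_SYSTEM_USERNAME;
        }
        if (userName.equals(CarbonConstants.REGISTRY_SYSTEM_USERNAME)
                || userRealm.getAuthorizationManager().isUserAuthorized(userName, resourcePath,
                        EventBrokerConstants.EB_PERMISSION_PUBLISH)) {
            List<Subscription> subscriptions = this.matchingManager.getMatchingSubscriptions(topicName);
            for (Subscription subscription : subscriptions) {
                this.executor.submit(new Worker(this.notificationManager, message, subscription));
            }
        } else {
            throw new EventBrokerException("User " + CarbonContext.getThreadLocalCarbonContext().getUsername()
                    + " is not allowed to publish to " + topicName);
        }
    } catch (UserStoreException e) {
        // Keep the user-store failure as the cause; it was previously dropped.
        throw new EventBrokerException("Can not access the user store manager", e);
    }
}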
boolean isUserAuthorized = authorizationManager.isUserAuthorized(user.getUserName(), permissionString, CarbonConstants.UI_PERMISSION_ACTION); if (isUserAuthorized && (isCrossTenantAllowed || tenantDomainFromURLMapping.equals(userDomain))) {
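/**
 * Checks whether {@code username} holds the {@code "authorize"} action on
 * {@code resourcePath} in the realm of the user's own tenant domain.
 *
 * <p>The tenant domain is derived from the user name after reversing the email
 * domain substitution; the user name itself is passed to the authorization manager
 * unchanged.
 *
 * @param username     user name, possibly with a substituted email domain
 * @param resourcePath resource path the action is checked against
 * @return {@code true} if the authorization manager grants the action
 * @throws AppManagementException if the tenant or its realm cannot be resolved
 */
public static boolean isUserAuthorized(String username, String resourcePath) throws AppManagementException {
    try {
        String tenantDomain = MultitenantUtils.getTenantDomain(AppManagerUtil.replaceEmailDomainBack(username));
        int tenantId = ServiceReferenceHolder.getInstance().getRealmService()
                .getTenantManager().getTenantId(tenantDomain);
        AuthorizationManager authManager = ServiceReferenceHolder.getInstance().getRealmService()
                .getTenantUserRealm(tenantId).getAuthorizationManager();
        return authManager.isUserAuthorized(username, resourcePath, "authorize");
    } catch (UserStoreException e) {
        // The message reads as a denial although this branch is a user-store failure; the cause
        // is attached so callers can tell the two apart.
        throw new AppManagementException("User " + username + " is not authorized to perform lifecycle action", e);
    }
}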
userRealm.getAuthorizationManager().isUserAuthorized( userName, resourcePath,
/**
 * Ensures the logged-in user holds {@code permission} for the UI action in the
 * current tenant, failing with a {@link TemplateManagementException} otherwise.
 *
 * @param permission permission resource path to check
 * @throws TemplateManagementException if no logged-in user is set, the user is not
 *                                     authorized, or the user store cannot be read
 */
private void handleLoggedInUserAuthorization(String permission) throws TemplateManagementException {
    try {
        int currentTenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
        if (StringUtils.isBlank(loggedInUser)) {
            throw new TemplateManagementException(
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_NO_AUTH_USER_FOUND.getMessage(),
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_NO_AUTH_USER_FOUND.getCode());
        }
        AuthorizationManager authzManager = TemplateManagementUIServiceDataHolder.getInstance()
                .getRealmService().getTenantUserRealm(currentTenantId).getAuthorizationManager();
        boolean permitted = authzManager.isUserAuthorized(loggedInUser, permission,
                CarbonConstants.UI_PERMISSION_ACTION);
        if (!permitted) {
            throw new TemplateManagementException(
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_USER_NOT_AUTHORIZED.getMessage(),
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_USER_NOT_AUTHORIZED.getCode());
        }
    } catch (UserStoreException e) {
        // The underlying cause is not attached; NOTE(review): pass e along if the exception type allows it.
        throw new TemplateManagementException(
                TemplateMgtConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getMessage(),
                TemplateMgtConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getCode());
    }
}
}
/**
 * Ensures the logged-in user holds {@code permission} for the UI action in the
 * current tenant, failing with a {@link TemplateManagementException} otherwise.
 *
 * @param permission permission resource path to check
 * @throws TemplateManagementException if no logged-in user is set, the user is not
 *                                     authorized, or the user store cannot be read
 */
private void handleLoggedInUserAuthorization(String permission) throws TemplateManagementException {
    try {
        int currentTenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
        if (StringUtils.isBlank(loggedInUser)) {
            throw new TemplateManagementException(
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_NO_AUTH_USER_FOUND.getMessage(),
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_NO_AUTH_USER_FOUND.getCode());
        }
        AuthorizationManager authzManager = TemplateManagementUIServiceDataHolder.getInstance()
                .getRealmService().getTenantUserRealm(currentTenantId).getAuthorizationManager();
        boolean permitted = authzManager.isUserAuthorized(loggedInUser, permission,
                CarbonConstants.UI_PERMISSION_ACTION);
        if (!permitted) {
            throw new TemplateManagementException(
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_USER_NOT_AUTHORIZED.getMessage(),
                    TemplateMgtConstants.ErrorMessages.ERROR_CODE_USER_NOT_AUTHORIZED.getCode());
        }
    } catch (UserStoreException e) {
        // The underlying cause is not attached; NOTE(review): pass e along if the exception type allows it.
        throw new TemplateManagementException(
                TemplateMgtConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getMessage(),
                TemplateMgtConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getCode());
    }
}
}
/**
 * Ensures the logged-in user holds {@code permission} for the UI action in the
 * current tenant. Authentication itself is done earlier (for the REST API via a
 * Tomcat valve); this method only checks authorization.
 *
 * @param permission permission resource path to check
 * @throws ConsentManagementException if no logged-in user is set, the user is not
 *                                    authorized, or the user store cannot be read
 */
private void handleLoggedInUserAuthorization(String permission) throws ConsentManagementException {
    try {
        int currentTenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
        if (StringUtils.isBlank(loggedInUser)) {
            throw new ConsentManagementException(ERROR_CODE_NO_AUTH_USER_FOUND.getMessage(),
                    ERROR_CODE_NO_AUTH_USER_FOUND.getCode());
        }
        AuthorizationManager authzManager = ConsentManagementUIServiceDataHolder.getInstance()
                .getRealmService().getTenantUserRealm(currentTenantId).getAuthorizationManager();
        boolean permitted = authzManager.isUserAuthorized(loggedInUser, permission, UI_PERMISSION_ACTION);
        if (!permitted) {
            throw new ConsentManagementException(ERROR_CODE_USER_NOT_AUTHORIZED.getMessage(),
                    ERROR_CODE_USER_NOT_AUTHORIZED.getCode());
        }
    } catch (UserStoreException e) {
        // The underlying cause is not attached; NOTE(review): pass e along if the exception type allows it.
        throw new ConsentManagementException(ERROR_CODE_UNEXPECTED.getMessage(),
                ERROR_CODE_UNEXPECTED.getCode());
    }
}
isAuthorized = authzManager.isUserAuthorized(loggedInName, "/permission/admin/configure/security", CarbonConstants.UI_PERMISSION_ACTION); } catch (UserStoreException e) {
isAuthorized = authzManager.isUserAuthorized(loggedInName, "/permission/admin/manage/identity/identitymgt/view", CarbonConstants.UI_PERMISSION_ACTION); } catch (UserStoreException e) {