Posted to commits@usergrid.apache.org by mr...@apache.org on 2016/08/01 16:53:56 UTC
[21/50] [abbrv] usergrid git commit: superuser to be able to create
an org with new user or existing user.
Allow the superuser to create an org with a new user or an existing user.
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/5fcad445
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/5fcad445
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/5fcad445
Branch: refs/heads/master
Commit: 5fcad44504950f39be9d13e0d5224b04699f42c7
Parents: fad65a8
Author: Ayesha Dastagiri <ay...@gmail.com>
Authored: Thu Jul 21 09:35:52 2016 -0700
Committer: Ayesha Dastagiri <ay...@gmail.com>
Committed: Thu Jul 21 09:35:52 2016 -0700
----------------------------------------------------------------------
.../usergrid/rest/AbstractContextResource.java | 16 ++++++++++
.../rest/management/ManagementResource.java | 32 +++++++++++---------
.../organizations/OrganizationsResource.java | 6 ++--
stack/services/pom.xml | 2 +-
.../cassandra/ManagementServiceImpl.java | 27 +++++++++++++----
5 files changed, 58 insertions(+), 25 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
index 77d2d1e..fc95b19 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
@@ -55,6 +55,9 @@ public abstract class AbstractContextResource {
};
protected static final ObjectMapper mapper = new ObjectMapper();
+ public final static String ROLE_SERVICE_ADMIN = "service-admin";
+ public static final String USERGRID_SYSADMIN_LOGIN_NAME = "usergrid.sysadmin.login.name";
+
protected AbstractContextResource parent;
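Review bot: The two new constants use different modifier orders (`public final static` on the first, `public static final` on the second); use `public static final` for both. ManagementResource already referred to USERGRID_SYSADMIN_LOGIN_NAME before this commit (see its removed line at -384), so that name now presumably resolves to the inherited field rather than whatever declaration it used before — worth confirming both name the same property key so the existing SSO check and the new userServiceAdmin compare against the same value.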
@@ -258,4 +261,17 @@ public abstract class AbstractContextResource {
}
return jsonObject;
}
+
+
+ /**
+ * check if its a system admin
+ * @return
+ */
+ public Boolean userServiceAdmin(String username) {
+
+ if (sc.isUserInRole(ROLE_SERVICE_ADMIN) || (username != null && username.equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME)))) {
+ return true;
+ }
+ return false;
+ }
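Review bot: userServiceAdmin returns a boxed `Boolean` and spells the result out with an if/return pair; declare it `boolean` and return the condition directly: `return sc.isUserInRole(ROLE_SERVICE_ADMIN) || (username != null && username.equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME)));`. The Javadoc says "system admin" with an empty `@return`; describe the two ways it can be true, e.g. `Returns true when the request's security context carries the service-admin role, or when {@code username} equals the configured sysadmin login name; a null username falls back to the role check alone.` Note the username comparison is case-sensitive, whereas the check this replaces in ManagementResource.ensureAuthenticationAllowed used `equalsIgnoreCase`, so a superuser whose login is typed with different casing is now treated as a regular user there.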
}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
index 77569d6..7217c49 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
@@ -19,6 +19,7 @@ package org.apache.usergrid.rest.management;
import org.apache.amber.oauth2.common.error.OAuthError;
import org.apache.amber.oauth2.common.exception.OAuthProblemException;
+import org.apache.amber.oauth2.common.exception.OAuthSystemException;
import org.apache.amber.oauth2.common.message.OAuthResponse;
import org.apache.amber.oauth2.common.message.types.GrantType;
import org.apache.commons.lang.StringUtils;
@@ -269,6 +270,7 @@ public class ManagementResource extends AbstractContextResource {
@QueryParam( "client_id" ) String client_id,
@QueryParam( "client_secret" ) String client_secret, @QueryParam( "ttl" ) long ttl,
@QueryParam( "callback" ) @DefaultValue( "" ) String callback ) throws Exception {
+
return getAccessTokenInternal( ui, authorization, grant_type, username, password, client_id, client_secret, ttl,
callback, false, false);
}
@@ -305,6 +307,7 @@ public class ManagementResource extends AbstractContextResource {
ensureAuthenticationAllowed( username, grant_type );
// }
+
if ( authorization != null ) {
String type = stringOrSubstringBeforeFirst( authorization, ' ' ).toUpperCase();
@@ -381,7 +384,8 @@ public class ManagementResource extends AbstractContextResource {
}
//moved the check for sso enabled form MangementServiceImpl since was unable to get the current user there to check if its super user.
- if( tokens.isExternalSSOProviderEnabled() && !user.getUsername().equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME)) ){
+ if( tokens.isExternalSSOProviderEnabled()
+ && !userServiceAdmin(user.getUsername()) ){
throw new RuntimeException("SSO Integration is enabled, Admin users must login via provider: "+
properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_PROVIDER));
}
@@ -458,6 +462,8 @@ public class ManagementResource extends AbstractContextResource {
@QueryParam( "callback" ) @DefaultValue( "" ) String callback )
throws Exception {
+ ValidateJson(json);
+
String grant_type = ( String ) json.get( "grant_type" );
String username = ( String ) json.get( "username" );
String password = ( String ) json.get( "password" );
@@ -487,14 +493,7 @@ public class ManagementResource extends AbstractContextResource {
@HeaderParam( "Authorization" ) String authorization ) throws Exception {
- if ( json == null ) {
- String errorDescription = "invalid request, expected data in the request.";
- OAuthResponse response =
- OAuthResponse.errorResponse( SC_BAD_REQUEST ).setError( OAuthError.TokenResponse.INVALID_REQUEST )
- .setErrorDescription( errorDescription ).buildJSONMessage();
- return Response.status( response.getResponseStatus() ).type( jsonMediaType( callback ) )
- .entity( wrapWithCallback( response.getBody(), callback ) ).build();
- }
+ ValidateJson(json);
String grant_type = ( String ) json.get( "grant_type" );
String username = ( String ) json.get( "username" );
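Review bot: Replacing the inline check with ValidateJson changes what the client sees for a missing body: the removed code returned a 400 with an OAuth `invalid_request` error and honored the JSONP `callback`, while an IllegalArgumentException now depends on whatever exception mapper is registered (not visible here) and drops the callback wrapping. If the OAuth error shape is part of the token endpoint's contract, keep the OAuthResponse path here and in the hunk at +462 (which adds the same call where there was no prior check), or make the mapper produce an equivalent body. The enclosing method starts outside the hunk.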
@@ -516,6 +515,12 @@ public class ManagementResource extends AbstractContextResource {
callback, false, false );
}
+ private void ValidateJson(Map<String, Object> json) throws OAuthSystemException {
+ if ( json == null ) {
+ throw new IllegalArgumentException("missing json post data");
+ }
+ }
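Review bot: ValidateJson declares `throws OAuthSystemException` but nothing in its body can throw it, so the clause — and the new OAuthSystemException import at +22 that exists only to support it — is dead; the name also breaks the lowerCamelCase convention every other method in this class follows. Rename and drop the clause: `private void validateJson(Map<String, Object> json) {`, with a one-line Javadoc such as `Rejects a token request whose JSON body is absent.` The callers at +462 and +496 would need the rename as well.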
+
@GET
@Path( "authorize" )
@@ -600,6 +605,7 @@ public class ManagementResource extends AbstractContextResource {
*/
private void ensureAuthenticationAllowed( String username, String grant_type ) {
+
if ( username == null || grant_type == null || !grant_type.equalsIgnoreCase( "password" )) {
return; // we only care about username/password auth
}
@@ -609,12 +615,8 @@ public class ManagementResource extends AbstractContextResource {
// !StringUtils.isEmpty( properties.getProperty( USERGRID_EXTERNAL_SSO_ENABLED ) );
if ( tokens.isExternalSSOProviderEnabled() ) {
-
// when external tokens enabled then only superuser can obtain an access token
-
- final String superuserName = properties.getProperty( USERGRID_SYSADMIN_LOGIN_NAME );
- if ( !username.equalsIgnoreCase( superuserName )) {
-
+ if ( userServiceAdmin(username)) {
// this guy is not the superuser
throw new IllegalArgumentException( "Admin Users must login via " +
properties.getProperty( USERGRID_EXTERNAL_PROVIDER_URL ) );
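Review bot: The negation was lost in the rewrite: the removed code threw when the username was not the superuser, but the new `if ( userServiceAdmin(username)) {` throws when it is, so with external SSO enabled the superuser is now refused a password grant while every other admin passes this guard (the comment on the next line, "this guy is not the superuser", still describes the old intent). Restore it as `if ( !userServiceAdmin(username)) {`. Non-admins are presumably still stopped by the later check in getAccessTokenInternal at +387, but there as a RuntimeException rather than this IllegalArgumentException, so the client-visible error changes. The old comparison was `equalsIgnoreCase`, so the casing of the configured login name now matters too. The enclosing ensureAuthenticationAllowed starts and ends outside this hunk.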
@@ -623,6 +625,8 @@ public class ManagementResource extends AbstractContextResource {
}
+
+
String errorMsg = "";
String responseType;
String clientId;
http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
index eb70486..823ebcc 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
@@ -28,7 +28,6 @@ import org.apache.usergrid.rest.AbstractContextResource;
import org.apache.usergrid.rest.ApiResponse;
import org.apache.usergrid.rest.RootResource;
import org.apache.usergrid.rest.security.annotations.RequireSystemAccess;
-import org.apache.usergrid.security.shiro.utils.SubjectUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -188,10 +187,9 @@ public class OrganizationsResource extends AbstractContextResource {
String email, String password, Map<String, Object> userProperties,
Map<String, Object> orgProperties, String callback ) throws Exception {
- String tokenUserName = SubjectUtils.getUser().getUsername();
-
if ( tokens.isExternalSSOProviderEnabled() ) {
- if(!tokenUserName.equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME))) {
+ //let superuser add an org even if external SSO Provider is enabled.
+ if(!userServiceAdmin(null) ) { // what should the username be ?
throw new IllegalArgumentException("Organization / Admin Users must be created via " +
properties.getProperty(USERGRID_EXTERNAL_PROVIDER_URL));
}
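Review bot: `userServiceAdmin(null)` together with the question `// what should the username be ?` leaves the decision in the code: passing null means only the `service-admin` role is consulted, so the configured sysadmin login name — which the removed lines accepted — no longer qualifies here unless that account also carries the role (cannot confirm from this page). If parity with the old check is intended, keep the removed lookup and pass it through: `String tokenUserName = SubjectUtils.getUser().getUsername();` then `if(!userServiceAdmin(tokenUserName)) {` — which also means the SubjectUtils import removed at -31 must stay. Either way, replace the question with a comment stating the rule that was chosen. The enclosing method starts outside the hunk.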
http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/services/pom.xml
----------------------------------------------------------------------
diff --git a/stack/services/pom.xml b/stack/services/pom.xml
index fdbd9c9..7a654f5 100644
--- a/stack/services/pom.xml
+++ b/stack/services/pom.xml
@@ -179,7 +179,7 @@
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
- <version>0.2</version>
+ <version>0.6.0</version>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
index 90eb4c9..e8bf0ec 100644
--- a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
+++ b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
@@ -548,11 +548,25 @@ public class ManagementServiceImpl implements ManagementService {
if ( !validateAdminInfo( username, name, email, password ) ) {
return null;
}
- if ( areActivationChecksDisabled() ) {
- user = createAdminUserInternal( null, username, name, email, password, true, false, userProperties );
+
+ // irrespective of it being sso enabled or not , if its a super user request it will try to fetch user if no password is passed.
+ if(password == null && SubjectUtils.isServiceAdmin()){
+ user = getAdminUserByEmail(email);
+ if(user == null ){
+ throw new IllegalArgumentException("Password should be sent in the request or should be a valid admin user email.");
+ }
}
- else {
- user = createAdminUserInternal( null, username, name, email, password, activated, disabled, userProperties );
+ else if(password == null ){ //for existing workflow.
+ throw new IllegalArgumentException("Password should be sent in the request.");
+ }
+
+
+ if(user == null) {
+ if ((tokens.isExternalSSOProviderEnabled() && SubjectUtils.isServiceAdmin()) || areActivationChecksDisabled()) {
+ user = createAdminUserInternal(null, username, name, email, password, true, false, userProperties);
+ } else {
+ user = createAdminUserInternal(null, username, name, email, password, activated, disabled, userProperties);
+ }
}
if(logger.isTraceEnabled()){
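Review bot: In the service-admin branch at +553 the user fetched by email is reused, so the `username` and `name` the caller supplied are silently ignored even though `validateAdminInfo` has just been run against them; a comment stating that, or a log line when they differ from the stored user, would make the behaviour discoverable. `SubjectUtils.isServiceAdmin()` is evaluated twice in this hunk and twice more in the hunk at +978; hoist it once per method, e.g. `final boolean serviceAdmin = SubjectUtils.isServiceAdmin();`. The comment on the first added line also needs tidying, e.g. `// Regardless of SSO, a service-admin request with no password looks up an existing admin user by email.` The enclosing method starts and ends outside the hunk.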
@@ -964,11 +978,11 @@ public class ManagementServiceImpl implements ManagementService {
EntityManager em = emf.getEntityManager( smf.getManagementAppId() );
- if ( !em.isPropertyValueUniqueForEntity( "user", "username", username ) ) {
+ if ( !( tokens.isExternalSSOProviderEnabled() && SubjectUtils.isServiceAdmin()) && !em.isPropertyValueUniqueForEntity( "user", "username", username ) ) {
throw new DuplicateUniquePropertyExistsException( "user", "username", username );
}
- if ( !em.isPropertyValueUniqueForEntity( "user", "email", email ) ) {
+ if ( !(tokens.isExternalSSOProviderEnabled()&& SubjectUtils.isServiceAdmin()) && !em.isPropertyValueUniqueForEntity( "user", "email", email ) ) {
throw new DuplicateUniquePropertyExistsException( "user", "email", email );
}
return true;
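Review bot: The added condition skips both uniqueness checks whenever SSO is enabled and the caller is a service admin, regardless of whether a password was supplied; but the reuse-existing-user path in the hunk at +548 only triggers when `password == null`, so a service-admin request that does carry a password for an existing username or email now passes validation and reaches `createAdminUserInternal` with a duplicate, where the outcome depends on the entity layer instead of a clear DuplicateUniquePropertyExistsException. Narrow the exemption to the reuse case — if this method is validateAdminInfo, `password` is in scope: `final boolean reuseExisting = password == null && tokens.isExternalSSOProviderEnabled() && SubjectUtils.isServiceAdmin();` and then `if ( !reuseExisting && !em.isPropertyValueUniqueForEntity( "user", "username", username ) ) {` (and the same for email). The skip also covers the username check although the lookup at +553 is by email only, so an existing email paired with a different username would still clash later. The enclosing method starts outside the hunk.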
@@ -3479,4 +3493,5 @@ public class ManagementServiceImpl implements ManagementService {
scopedCache.invalidate();
localShiroCache.invalidateAll();
}
+
}