diff --git a/rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/Aaaaaaaaaa.java b/rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/Aaaaaaaaaa.java
new file mode 100644
index 00000000000..f0bf84a4a0c
--- /dev/null
+++ b/rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/Aaaaaaaaaa.java
@@ -0,0 +1,54 @@
+/*******************************************************************************
+ * Copyright (c) 2016, 2022 Eurotech and/or its affiliates and others
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ * Eurotech - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.kapua.app.api.resources.v1.resources;
+
+import java.util.Set;
+
+import javax.inject.Inject;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.eclipse.kapua.KapuaException;
+import org.eclipse.kapua.app.api.core.model.ScopeId;
+import org.eclipse.kapua.app.api.core.resources.AbstractKapuaResource;
+import org.eclipse.kapua.service.KapuaService;
+import org.eclipse.kapua.service.authorization.AuthorizationService;
+
+@Path("{scopeId}/aaaaaaaaaa/claims")
+public class Aaaaaaaaaa extends AbstractKapuaResource {
+
+ @Inject
+ private AuthorizationService authorizationService;
+
+ /**
+ * Gets the list of user's claims in the scope.
+ *
+ * @param scopeId
+ * The {@link ScopeId} in which to search results.
+ * @return The list of all the available claims associated to the current selected scope (and user).
+ * @throws KapuaException
+ * Whenever something bad happens. See specific {@link KapuaService} exceptions.
+ * @since 1.0.0
+ */
+ @GET
+ @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
+ public Set fetchClaims(
+ @PathParam("scopeId") ScopeId scopeId
+ ) throws KapuaException {
+ return authorizationService.fetchUserClaims(scopeId);
+ }
+
+}
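Review bot: `fetchClaims` performs no `checkPermission` of its own and hands the caller-supplied `scopeId` straight to `authorizationService.fetchUserClaims`, so the response is bounded to the caller's own rights only by the per-action `isPermitted` filter inside that method (later in this diff), and that filter is bypassed whenever `kapuaSession.isTrustedMode()` is true, in which case every known `domain:action` pair is returned regardless of `scopeId`. Trusted mode is presumably never set on a session that reaches a REST resource, but since the endpoint's safety rests on that, the Javadoc should state it: `No explicit permission check is performed here; the service returns only the actions the current user is permitted to perform in {@code scopeId}.` `@Produces` also advertises `MediaType.APPLICATION_XML`, while the OpenAPI file in this diff declares only `application/json` for the 200 response; unless the stack has a writer for a bare set of strings, the XML variant will likely fail at runtime, so either drop it or document the XML shape. `@since 1.0.0` on an endpoint first added in a 2022-copyrighted file looks copied from a neighbour.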
diff --git a/rest-api/resources/src/main/resources/openapi/aaaaaaaaaa/aaaaaaaaaa-scopeId.yaml b/rest-api/resources/src/main/resources/openapi/aaaaaaaaaa/aaaaaaaaaa-scopeId.yaml
new file mode 100644
index 00000000000..b5be86dbfc7
--- /dev/null
+++ b/rest-api/resources/src/main/resources/openapi/aaaaaaaaaa/aaaaaaaaaa-scopeId.yaml
@@ -0,0 +1,39 @@
+openapi: 3.0.3
+
+info:
+ title: Eclipse Kapua REST API - Aaaaaaaaaa
+ version: '1.0'
+ contact:
+ name: Eclipse Kapua Dev Team
+ url: https://eclipse.org/kapua
+ email: kapua-dev@eclipse.org
+ license:
+ name: Eclipse Public License 2.0
+ url: https://www.eclipse.org/legal/epl-2.0
+
+paths:
+ /{scopeId}/claims:
+ get:
+ tags:
+ - Claims
+ summary: Get all the Claims
+ operationId: fetchUserClaims
+ parameters:
+ - $ref: '../openapi.yaml#/components/parameters/scopeId'
+ responses:
+ 200:
+ description: The list of User's claims in the Scope
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ type: string
+ 400:
+ $ref: '../openapi.yaml#/components/responses/illegalArgument'
+ 401:
+ $ref: '../openapi.yaml#/components/responses/unauthenticated'
+ 403:
+ $ref: '../openapi.yaml#/components/responses/subjectUnauthorized'
+ 500:
+ $ref: '../openapi.yaml#/components/responses/kapuaError'
\ No newline at end of file
diff --git a/rest-api/resources/src/main/resources/openapi/openapi.yaml b/rest-api/resources/src/main/resources/openapi/openapi.yaml
index 678a191e0e7..bde35da4380 100644
--- a/rest-api/resources/src/main/resources/openapi/openapi.yaml
+++ b/rest-api/resources/src/main/resources/openapi/openapi.yaml
@@ -64,6 +64,9 @@ paths:
 $ref: './authentication/authentication-logout.yaml#/paths/~1authentication~1logout'
 /authentication/mfa:
 $ref: './authentication/authentication-mfa.yaml#/paths/~1authentication~1mfa'
+ ### Aaaaaaaaaa ###
+ /{scopeId}/aaaaaaaaaa/claims:
+ $ref: './aaaaaaaaaa/aaaaaaaaaa-scopeId.yaml#/paths/~1{scopeId}~1claims'
 ### Access Info ###
 /{scopeId}/accessinfos:
 $ref: './accessInfo/accessInfo-scopeId.yaml#/paths/~1{scopeId}~1accessinfos'
diff --git a/rest-api/web/src/main/resources/shiro.ini b/rest-api/web/src/main/resources/shiro.ini
index 531f664f5e7..93385be52a7 100644
--- a/rest-api/web/src/main/resources/shiro.ini
+++ b/rest-api/web/src/main/resources/shiro.ini
@@ -43,6 +43,8 @@ kapuaAuthcAccessToken = org.eclipse.kapua.app.api.core.auth.KapuaTokenAuthentica
 /v1/*/credentials.xml = kapuaAuthcAccessToken
 /v1/*/credentials/** = kapuaAuthcAccessToken
+/v1/*/aaaaaaaaaa/** = kapuaAuthcAccessToken
+
 # Authorization
 /v1/*/accessinfos.xml = kapuaAuthcAccessToken
 /v1/*/accessinfos.json = kapuaAuthcAccessToken
diff --git a/service/security/authorization/api/src/main/java/org/eclipse/kapua/service/authorization/AuthorizationService.java b/service/security/authorization/api/src/main/java/org/eclipse/kapua/service/authorization/AuthorizationService.java
index 8c3ee9256e5..50715e90e15 100644
--- a/service/security/authorization/api/src/main/java/org/eclipse/kapua/service/authorization/AuthorizationService.java
+++ b/service/security/authorization/api/src/main/java/org/eclipse/kapua/service/authorization/AuthorizationService.java
@@ -13,26 +13,31 @@
 package org.eclipse.kapua.service.authorization;
 import java.util.List;
+import java.util.Set;
 import org.eclipse.kapua.KapuaException;
+import org.eclipse.kapua.model.id.KapuaId;
 import org.eclipse.kapua.service.KapuaService;
 import org.eclipse.kapua.service.authorization.permission.Permission;
 /**
- * AuthenticationService exposes APIs to manage User object under an Account.
- * It includes APIs to create, update, find, list and delete Users.
- * Instances of the UserService can be acquired through the ServiceLocator.
+ * AuthenticationService exposes APIs to manage User object under an Account.
It includes APIs to create, update, find, list and delete Users.
Instances of the UserService can be acquired + * through the ServiceLocator. * * @since 1.0.0 */ public interface AuthorizationService extends KapuaService { + Set fetchUserClaims(KapuaId inScope); + /** * Returns if the user (the current logged user retrieved by thread context) is allowed to perform the operation identified by provided the permission. * - * @param permission The permission to check. + * @param permission + * The permission to check. * @return {@code true} if the current user has the given permission, {@code false} otherwise. - * @throws KapuaException If there is no logged context. + * @throws KapuaException + * If there is no logged context. * @since 1.0.0 */ boolean isPermitted(Permission permission) throws KapuaException; @@ -40,9 +45,11 @@ public interface AuthorizationService extends KapuaService { /** * Returns if the user (the current logged user retrieved by thread context) is allowed to perform the operation identified by provided the permission. * - * @param permission The permissions to check. + * @param permission + * The permissions to check. * @return an array representing the current user permissions. - * @throws KapuaException If there is no logged context. + * @throws KapuaException + * If there is no logged context. * @since 1.0.0 */ boolean[] isPermitted(List permission) throws KapuaException; 
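Review bot: `fetchUserClaims` is the only method in this interface without Javadoc and the only one that does not declare `throws KapuaException`, even though every sibling documents that an absent logged context is an error; the implementation later in this diff dereferences `KapuaSecurityUtils.getSession()` without a null check and turns any `KapuaException` from `isPermitted` into "not permitted", so if `getSession()` can return null or the context is broken, the caller sees a `NullPointerException` or a silently empty set instead of `KapuaUnauthenticatedException`. Suggest adding `throws KapuaException` to the declaration with a Javadoc such as `/** Returns the {@code domain:action} claims the current user holds in {@code inScope}. @throws KapuaException if there is no logged context. */`, and having the implementation reject a missing session explicitly rather than relying on the lambda failing. The interface body continues beyond this hunk.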
@@ -50,8 +57,10 @@ public interface AuthorizationService extends KapuaService {
 /**
 * Checks if the user (the current logged user retrieved by thread context) is allowed to perform the operation identified by provided the permission.
 *
- * @param permission The permission to check.
- * @throws KapuaException if there is no logged context or if the user has no right for the provided permission.
+ * @param permission
+ * The permission to check.
+ * @throws KapuaException
+ * if there is no logged context or if the user has no right for the provided permission.
 * @since 1.0.0
 */
 void checkPermission(Permission permission) throws KapuaException;
diff --git a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authorization/shiro/AuthorizationServiceImpl.java b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authorization/shiro/AuthorizationServiceImpl.java
index 6065aeddc10..95292808bf1 100644
--- a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authorization/shiro/AuthorizationServiceImpl.java
+++ b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authorization/shiro/AuthorizationServiceImpl.java
@@ -12,20 +12,25 @@
 *******************************************************************************/
 package org.eclipse.kapua.service.authorization.shiro;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+
 import org.apache.shiro.SecurityUtils;
 import org.eclipse.kapua.KapuaException;
 import org.eclipse.kapua.KapuaUnauthenticatedException;
 import org.eclipse.kapua.commons.security.KapuaSecurityUtils;
 import org.eclipse.kapua.commons.security.KapuaSession;
+import org.eclipse.kapua.model.domain.Domain;
+import org.eclipse.kapua.model.id.KapuaId;
 import org.eclipse.kapua.service.authorization.AuthorizationService;
 import org.eclipse.kapua.service.authorization.exception.SubjectUnauthorizedException;
 import org.eclipse.kapua.service.authorization.permission.Permission;
-
-import javax.inject.Inject;
-import javax.inject.Singleton;
-import java.util.Arrays;
-import java.util.List;
-import java.util.stream.Collectors;
+import org.eclipse.kapua.service.authorization.permission.PermissionFactory;
 /**
 * {@link AuthorizationService} implementation.
@@ -34,10 +39,16 @@
 */
 @Singleton
 public class AuthorizationServiceImpl implements AuthorizationService {
+
+ private final PermissionFactory permissionFactory;
+ private final Set knownDomains;
 private final PermissionMapper permissionMapper;
 @Inject
- public AuthorizationServiceImpl(PermissionMapper permissionMapper) {
+ public AuthorizationServiceImpl(PermissionFactory permissionFactory, Set knownDomains,
+ PermissionMapper permissionMapper) {
+ this.permissionFactory = permissionFactory;
+ this.knownDomains = knownDomains;
 this.permissionMapper = permissionMapper;
 }
@@ -60,6 +71,30 @@ public boolean[] isPermitted(List permissions) throws KapuaException } } + @Override + public Set fetchUserClaims(KapuaId inScope) { + final KapuaSession kapuaSession = KapuaSecurityUtils.getSession(); + final Set claims = knownDomains.stream() + .flatMap(domain -> { + return domain.getActions() + .stream() + .filter(action -> { + if (kapuaSession.isTrustedMode()) { + return true; + } + try { + final Permission permission = permissionFactory.newPermission(domain.getName(), action, inScope); + return this.isPermitted(permission); + } catch (KapuaException e) { + return false; + } + }) + .map(action -> String.format("%s:%s", domain.getName(), action)); + }) + .collect(Collectors.toSet()); + return claims; + } + @Override public boolean isPermitted(Permission permission) throws KapuaException {