Repository: usergrid
Updated Branches:
  refs/heads/apigee-sso-provider 4e93bd619 -> a22dc921f


Allow the superuser to create an org with either a new user or an existing user.


Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/5fcad445
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/5fcad445
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/5fcad445

Branch: refs/heads/apigee-sso-provider
Commit: 5fcad44504950f39be9d13e0d5224b04699f42c7
Parents: fad65a8
Author: Ayesha Dastagiri <[email protected]>
Authored: Thu Jul 21 09:35:52 2016 -0700
Committer: Ayesha Dastagiri <[email protected]>
Committed: Thu Jul 21 09:35:52 2016 -0700

----------------------------------------------------------------------
 .../usergrid/rest/AbstractContextResource.java  | 16 ++++++++++
 .../rest/management/ManagementResource.java     | 32 +++++++++++---------
 .../organizations/OrganizationsResource.java    |  6 ++--
 stack/services/pom.xml                          |  2 +-
 .../cassandra/ManagementServiceImpl.java        | 27 +++++++++++++----
 5 files changed, 58 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
----------------------------------------------------------------------
diff --git 
a/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
 
b/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
index 77d2d1e..fc95b19 100644
--- 
a/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
+++ 
b/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
@@ -55,6 +55,9 @@ public abstract class AbstractContextResource {
     };
     protected static final ObjectMapper mapper = new ObjectMapper();
 
+    public final static String ROLE_SERVICE_ADMIN = "service-admin";
+    public static final String USERGRID_SYSADMIN_LOGIN_NAME = 
"usergrid.sysadmin.login.name";
+
 
     protected AbstractContextResource parent;
 
@@ -258,4 +261,17 @@ public abstract class AbstractContextResource {
         }
         return jsonObject;
     }
+
+
+    /**
+     * check if its a system admin
+     * @return
+     */
+    public Boolean userServiceAdmin(String username) {
+
+        if (sc.isUserInRole(ROLE_SERVICE_ADMIN) || (username != null && 
username.equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME)))) {
+            return true;
+        }
+        return false;
+    }
 }
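Review bot: `userServiceAdmin` mixes two different principals: `sc.isUserInRole(ROLE_SERVICE_ADMIN)` is evaluated against the caller's security context, while the second clause trusts whatever `username` string is passed in, so the result is only meaningful when `username` is the authenticated principal and callers must never pass request-supplied input. The Javadoc should say so, e.g. `/** True if the current security context holds the service-admin role, or if {@code username} (must be the authenticated principal, never request input) equals usergrid.sysadmin.login.name. */`. Two smaller points: the return type should be primitive `boolean` and the body collapses to `return sc.isUserInRole(ROLE_SERVICE_ADMIN) || (username != null && username.equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME)));`. The comparison is also case-sensitive, whereas the check it replaces in `ensureAuthenticationAllowed` used `equalsIgnoreCase`, so a sysadmin login name that differs only in case is no longer recognised.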

http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
----------------------------------------------------------------------
diff --git 
a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
 
b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
index 77569d6..7217c49 100644
--- 
a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
+++ 
b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
@@ -19,6 +19,7 @@ package org.apache.usergrid.rest.management;
 
 import org.apache.amber.oauth2.common.error.OAuthError;
 import org.apache.amber.oauth2.common.exception.OAuthProblemException;
+import org.apache.amber.oauth2.common.exception.OAuthSystemException;
 import org.apache.amber.oauth2.common.message.OAuthResponse;
 import org.apache.amber.oauth2.common.message.types.GrantType;
 import org.apache.commons.lang.StringUtils;
@@ -269,6 +270,7 @@ public class ManagementResource extends 
AbstractContextResource {
                                     @QueryParam( "client_id" ) String 
client_id,
                                     @QueryParam( "client_secret" ) String 
client_secret, @QueryParam( "ttl" ) long ttl,
                                     @QueryParam( "callback" ) @DefaultValue( 
"" ) String callback ) throws Exception {
+
         return getAccessTokenInternal( ui, authorization, grant_type, 
username, password, client_id, client_secret, ttl,
                 callback, false, false);
     }
@@ -305,6 +307,7 @@ public class ManagementResource extends 
AbstractContextResource {
                     ensureAuthenticationAllowed( username, grant_type );
                // }
 
+
                 if ( authorization != null ) {
                     String type = stringOrSubstringBeforeFirst( authorization, 
' ' ).toUpperCase();
 
@@ -381,7 +384,8 @@ public class ManagementResource extends 
AbstractContextResource {
             }
 
             //moved the check for sso enabled form MangementServiceImpl since 
was unable to get the current user there to check if its super user.
-            if( tokens.isExternalSSOProviderEnabled() && 
!user.getUsername().equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME))
 ){
+            if( tokens.isExternalSSOProviderEnabled()
+                && !userServiceAdmin(user.getUsername()) ){
                 throw new RuntimeException("SSO Integration is enabled, Admin 
users must login via provider: "+
                     
properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_PROVIDER));
             }
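Review bot: The role half of `userServiceAdmin(user.getUsername())` consults `sc`, the caller's security context, rather than the roles of `user`, the account the token is being issued for; on a password grant the caller is presumably not yet authenticated as `user`, so only the login-name comparison effectively decides, and when an `Authorization` header is present the role check answers for a different principal than the one named in the error message. If the intent is "the account receiving the token is a service admin", the role should be checked on `user` itself; if the intent is the caller's privilege, a comment on this line should say so. The `RuntimeException` is pre-existing but will surface as a 500 rather than an OAuth error; the enclosing method starts and ends outside this hunk.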
@@ -458,6 +462,8 @@ public class ManagementResource extends 
AbstractContextResource {
                                             @QueryParam( "callback" ) 
@DefaultValue( "" ) String callback )
             throws Exception {
 
+        ValidateJson(json);
+
         String grant_type = ( String ) json.get( "grant_type" );
         String username = ( String ) json.get( "username" );
         String password = ( String ) json.get( "password" );
@@ -487,14 +493,7 @@ public class ManagementResource extends 
AbstractContextResource {
                                               @HeaderParam( "Authorization" ) 
String authorization ) throws Exception {
 
 
-        if ( json == null ) {
-            String errorDescription = "invalid request, expected data in the 
request.";
-            OAuthResponse response =
-                OAuthResponse.errorResponse( SC_BAD_REQUEST ).setError( 
OAuthError.TokenResponse.INVALID_REQUEST )
-                    .setErrorDescription( errorDescription 
).buildJSONMessage();
-            return Response.status( response.getResponseStatus() ).type( 
jsonMediaType( callback ) )
-                .entity( wrapWithCallback( response.getBody(), callback ) 
).build();
-        }
+        ValidateJson(json);
 
         String grant_type = ( String ) json.get( "grant_type" );
         String username = ( String ) json.get( "username" );
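Review bot: Replacing the `OAuthResponse` block with `ValidateJson(json)` changes the wire contract for a missing body: the removed code returned HTTP 400 with an OAuth `invalid_request` JSON body, wrapped in the JSONP `callback` when one was supplied, whereas the new code throws `IllegalArgumentException` and leaves status, body and callback wrapping to whatever exception mapper is registered. If `OAuthProblemException` is already mapped to an OAuth error response in this resource (the import exists at the top of the file), the helper could instead `throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST, "invalid request, expected data in the request.");` to preserve the previous error shape; otherwise the loss of JSONP wrapping on this error path needs an explicit comment. The enclosing method starts outside this hunk.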
@@ -516,6 +515,12 @@ public class ManagementResource extends 
AbstractContextResource {
                 callback, false, false );
     }
 
+    private void ValidateJson(Map<String, Object> json) throws 
OAuthSystemException {
+        if ( json == null ) {
+            throw new IllegalArgumentException("missing json post data");
+        }
+    }
+
 
     @GET
     @Path( "authorize" )
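Review bot: `ValidateJson` declares `throws OAuthSystemException` but never throws it — the only exception it raises is the unchecked `IllegalArgumentException` — so the clause, and the new `OAuthSystemException` import that justifies it, is dead code; the name also breaks the lowerCamelCase convention used by every other method in this file. Suggest `private void validateJson(Map<String, Object> json) {` with the same null check (its two call sites above renamed accordingly), or, if the OAuth error body is to be preserved, have it throw `OAuthProblemException` so callers still receive `invalid_request`.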
@@ -600,6 +605,7 @@ public class ManagementResource extends 
AbstractContextResource {
      */
     private void ensureAuthenticationAllowed( String username, String 
grant_type ) {
 
+
         if ( username == null || grant_type == null || 
!grant_type.equalsIgnoreCase( "password" )) {
             return; // we only care about username/password auth
         }
@@ -609,12 +615,8 @@ public class ManagementResource extends 
AbstractContextResource {
 //                !StringUtils.isEmpty( properties.getProperty( 
USERGRID_EXTERNAL_SSO_ENABLED ) );
 
         if ( tokens.isExternalSSOProviderEnabled() ) {
-
             // when external tokens enabled then only superuser can obtain an 
access token
-
-            final String superuserName = properties.getProperty( 
USERGRID_SYSADMIN_LOGIN_NAME );
-            if ( !username.equalsIgnoreCase( superuserName )) {
-
+            if ( userServiceAdmin(username)) {
                 // this guy is not the superuser
                 throw new IllegalArgumentException( "Admin Users must login 
via " +
                         properties.getProperty( USERGRID_EXTERNAL_PROVIDER_URL 
) );
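Review bot: The negation has been dropped: the removed code threw when the username was *not* the superuser (`!username.equalsIgnoreCase( superuserName )`), but the new line throws when `userServiceAdmin(username)` is *true*, so with SSO enabled the superuser/service-admin is now refused a password grant while every other admin user is allowed one — the exact inverse of the intent stated by the comment on the next line and the "Admin Users must login via" message. The line should read `if ( !userServiceAdmin(username)) {`. Note also that `userServiceAdmin` compares with `equals` where this check previously used `equalsIgnoreCase`, so a differently-cased login name is now treated as a non-superuser, and since `username` here is raw request input the login-name half of the check is satisfied by anyone who types the sysadmin's name (password verification still happens later, as before).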
@@ -623,6 +625,8 @@ public class ManagementResource extends 
AbstractContextResource {
     }
 
 
+
+
     String errorMsg = "";
     String responseType;
     String clientId;

http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
----------------------------------------------------------------------
diff --git 
a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
 
b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
index eb70486..823ebcc 100644
--- 
a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
+++ 
b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
@@ -28,7 +28,6 @@ import org.apache.usergrid.rest.AbstractContextResource;
 import org.apache.usergrid.rest.ApiResponse;
 import org.apache.usergrid.rest.RootResource;
 import org.apache.usergrid.rest.security.annotations.RequireSystemAccess;
-import org.apache.usergrid.security.shiro.utils.SubjectUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -188,10 +187,9 @@ public class OrganizationsResource extends 
AbstractContextResource {
                                              String email, String password, 
Map<String, Object> userProperties,
                                              Map<String, Object> 
orgProperties, String callback ) throws Exception {
 
-        String tokenUserName = SubjectUtils.getUser().getUsername();
-
         if ( tokens.isExternalSSOProviderEnabled() ) {
-            
if(!tokenUserName.equals(properties.getProperty(USERGRID_SYSADMIN_LOGIN_NAME))) 
{
+            //let superuser add an org even if external SSO Provider is 
enabled.
+            if(!userServiceAdmin(null) ) { // what should the username be ?
                 throw new IllegalArgumentException("Organization / Admin Users 
must be created via " +
                     properties.getProperty(USERGRID_EXTERNAL_PROVIDER_URL));
             }
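Review bot: Passing `null` to `userServiceAdmin` disables the sysadmin-login-name half of the check, so this gate now rests solely on `sc.isUserInRole("service-admin")`; the removed code recognised the superuser by comparing the token user's name with `usergrid.sysadmin.login.name`, so a superuser authenticated by name but lacking that Shiro role will now be refused org creation. The author's own `// what should the username be ?` shows this is unresolved and should not ship as-is; the answer is the authenticated principal's name, which the removed `SubjectUtils.getUser().getUsername()` lookup provided, re-added with a null guard on the user object before calling `getUsername()` (the `SubjectUtils` import was also removed in this commit and would need restoring). The exact type returned by `SubjectUtils.getUser()` is not visible here; the enclosing method starts and ends outside this hunk.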

http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/services/pom.xml
----------------------------------------------------------------------
diff --git a/stack/services/pom.xml b/stack/services/pom.xml
index fdbd9c9..7a654f5 100644
--- a/stack/services/pom.xml
+++ b/stack/services/pom.xml
@@ -179,7 +179,7 @@
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt</artifactId>
-            <version>0.2</version>
+            <version>0.6.0</version>
         </dependency>
 
         <dependency>

http://git-wip-us.apache.org/repos/asf/usergrid/blob/5fcad445/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
----------------------------------------------------------------------
diff --git 
a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
 
b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
index 90eb4c9..e8bf0ec 100644
--- 
a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
+++ 
b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
@@ -548,11 +548,25 @@ public class ManagementServiceImpl implements 
ManagementService {
             if ( !validateAdminInfo( username, name, email, password ) ) {
                 return null;
             }
-            if ( areActivationChecksDisabled() ) {
-                user = createAdminUserInternal( null, username, name, email, 
password, true, false, userProperties );
+
+            // irrespective of it being sso enabled or not , if its a super 
user request it will try to fetch user if no password is passed.
+            if(password == null && SubjectUtils.isServiceAdmin()){
+                user = getAdminUserByEmail(email);
+                if(user == null ){
+                    throw new IllegalArgumentException("Password should be 
sent in the request or should be a valid admin user email.");
+                }
             }
-            else {
-                user = createAdminUserInternal( null, username, name, email, 
password, activated, disabled, userProperties );
+            else if(password == null ){   //for existing workflow.
+                throw new IllegalArgumentException("Password should be sent in 
the request.");
+            }
+
+
+            if(user == null) {
+                if ((tokens.isExternalSSOProviderEnabled() && 
SubjectUtils.isServiceAdmin()) || areActivationChecksDisabled()) {
+                    user = createAdminUserInternal(null, username, name, 
email, password, true, false, userProperties);
+                } else {
+                    user = createAdminUserInternal(null, username, name, 
email, password, activated, disabled, userProperties);
+                }
             }
 
             if(logger.isTraceEnabled()){
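Review bot: The new lookup path accepts an existing admin purely by `email` and ignores the `username`, `name` and `userProperties` that arrived with the request, so a service admin who sends a mismatching username for an email that already exists silently binds that other account to the new organization instead of failing. Add a consistency check after the lookup, e.g. `if (username != null && !username.equals(user.getUsername())) throw new IllegalArgumentException("username does not match the existing admin user for " + email);` (assuming the user type exposes `getUsername()`, which is not visible here). The message on the preceding throw also reads oddly — "or should be a valid admin user email" describes the email, not the password — and could be "Password is required unless the email belongs to an existing admin user." The enclosing method begins before and continues after this hunk.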
@@ -964,11 +978,11 @@ public class ManagementServiceImpl implements 
ManagementService {
 
         EntityManager em = emf.getEntityManager( smf.getManagementAppId() );
 
-        if ( !em.isPropertyValueUniqueForEntity( "user", "username", username 
) ) {
+        if ( !( tokens.isExternalSSOProviderEnabled() && 
SubjectUtils.isServiceAdmin()) && !em.isPropertyValueUniqueForEntity( "user", 
"username", username ) ) {
             throw new DuplicateUniquePropertyExistsException( "user", 
"username", username );
         }
 
-        if ( !em.isPropertyValueUniqueForEntity( "user", "email", email ) ) {
+        if ( !(tokens.isExternalSSOProviderEnabled()&& 
SubjectUtils.isServiceAdmin())  && !em.isPropertyValueUniqueForEntity( "user", 
"email", email ) ) {
             throw new DuplicateUniquePropertyExistsException( "user", "email", 
email );
         }
         return true;
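Review bot: Disabling both uniqueness checks whenever SSO is enabled and the caller is a service admin removes the only guard here (presumably `validateAdminInfo`, whose header is outside the hunk) against creating a second `user` entity with an existing username or email: the org-creation path above reuses an existing user only when no password is supplied, so a service-admin request that carries a password for an already-registered email or username now reaches `createAdminUserInternal` with the duplicate check skipped. Unless the entity manager independently enforces the unique constraint (not visible here), that produces a duplicate admin record, and because the caller chose the new password it is an account-collision/takeover vector against an existing admin's identity. The "reuse an existing user" case is already handled by the caller's lookup-by-email, so the two conditions should stay unconditional — `if ( !em.isPropertyValueUniqueForEntity( "user", "username", username ) ) {` and likewise for email; if a bypass is truly needed, restrict it to the no-password path and document why.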
@@ -3479,4 +3493,5 @@ public class ManagementServiceImpl implements 
ManagementService {
         scopedCache.invalidate();
         localShiroCache.invalidateAll();
     }
+
 }
