Improve the role validation

wso2-extensions · Nov 22, 2023 · 0486217 · 0486217
1 parent 38106be
commit 0486217
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 36 deletions.
diff --git a/components/org.wso2.carbon.identity.organization.user.invitation.management/pom.xml b/components/org.wso2.carbon.identity.organization.user.invitation.management/pom.xml
@@ -94,6 +94,10 @@
             <artifactId>h2</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/...o2/carbon/identity/organization/user/invitation/management/InvitationCoreServiceImpl.java b/...o2/carbon/identity/organization/user/invitation/management/InvitationCoreServiceImpl.java
@@ -23,6 +23,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
 import org.wso2.carbon.identity.core.ServiceURLBuilder;
 import org.wso2.carbon.identity.core.URLBuilderException;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
@@ -46,6 +47,7 @@
 import org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService;
 import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.Role;
+import org.wso2.carbon.identity.role.v2.mgt.core.model.RoleBasicInfo;
 import org.wso2.carbon.user.api.UserRealm;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
@@ -64,7 +66,6 @@
 import java.util.UUID;
 
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.CLAIM_EMAIL_ADDRESS;
-import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.CONSOLE;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.DEFAULT_USER_STORE_DOMAIN;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.EVENT_NAME_POST_ADD_INVITATION;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.EVENT_POST_ADD_INVITED_ORG_USER;
@@ -111,6 +112,8 @@ public class InvitationCoreServiceImpl implements InvitationCoreService {
 
     private static final Log LOG = LogFactory.getLog(InvitationCoreServiceImpl.class);
     private static final UserInvitationDAO userInvitationDAO = new UserInvitationDAOImpl();
+    private RoleManagementService roleManagementService = UserInvitationMgtDataHolder.getInstance()
+            .getRoleManagementService();
 
     @Override
     public Invitation createInvitation(Invitation invitation) throws UserInvitationMgtException {
@@ -119,8 +122,6 @@ public Invitation createInvitation(Invitation invitation) throws UserInvitationM
         validateInvitationPayload(invitation);
         OrganizationManager organizationManager = UserInvitationMgtDataHolder.getInstance()
                 .getOrganizationManagerService();
-        RoleManagementService roleManagementService = UserInvitationMgtDataHolder.getInstance()
-                .getRoleManagementService();
         Invitation createdInvitation;
         try {
             String userDomainQualifiedUserName = UserCoreUtil
@@ -176,31 +177,7 @@ public Invitation createInvitation(Invitation invitation) throws UserInvitationM
             invitation.setEmail(emailClaim);
             invitation.setUserOrganizationId(parentOrgId);
             invitation.setStatus(STATUS_PENDING);
-            List<String> audienceNameList = new ArrayList<>();
-            if (ArrayUtils.isNotEmpty(invitation.getRoleAssignments())) {
-                for (RoleAssignments roleAssignment : invitation.getRoleAssignments()) {
-                    if (!roleManagementService.isExistingRole(roleAssignment.getRole(), invitedTenantDomain)) {
-                        throw new UserInvitationMgtClientException(ERROR_CODE_INVALID_ROLE.getCode(),
-                                ERROR_CODE_INVALID_ROLE.getMessage(),
-                                String.format(ERROR_CODE_INVALID_ROLE.getDescription(), roleAssignment.getRole()));
-                    } else {
-                        String audienceName =
-                                getAudienceName(roleManagementService, roleAssignment.getRole(), invitedTenantDomain);
-                        if (StringUtils.isNotEmpty(audienceName)) {
-                            audienceNameList.add(audienceName);
-                        }
-                    }
-                }
-            }
-            if (ArrayUtils.isNotEmpty(audienceNameList.toArray()) && !audienceNameList.contains(CONSOLE)) {
-                if (LOG.isDebugEnabled()) {
-                    LOG.debug("The given role list for User: " + invitation.getUsername() + " doesn't contain" +
-                            " the console access.");
-                }
-                throw new UserInvitationMgtClientException(ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getCode(),
-                        ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getMessage(),
-                        String.format(ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getDescription()));
-            }
+            validateRoleAssignments(invitation, invitedUserId, invitedTenantDomain, parentTenantDomain);
             invitation.setInvitationId(UUID.randomUUID().toString());
             invitation.setConfirmationCode(UUID.randomUUID().toString());
             userInvitationDAO.createInvitation(invitation);
@@ -225,8 +202,6 @@ public boolean acceptInvitation(String confirmationCode) throws UserInvitationMg
                 try {
                     OrganizationManager organizationManager = UserInvitationMgtDataHolder.getInstance()
                             .getOrganizationManagerService();
-                    RoleManagementService roleManagementService = UserInvitationMgtDataHolder.getInstance()
-                            .getRoleManagementService();
                     String invitedOrganizationId = invitation.getInvitedOrganizationId();
                     String invitedTenantDomain = organizationManager.resolveTenantDomain(invitedOrganizationId);
                     int invitedTenantId = IdentityTenantUtil.getTenantId(invitedTenantDomain);
@@ -544,8 +519,6 @@ private OrganizationManager getOrganizationManager() {
     private void processingRoleAssignments(RoleAssignments[] roleAssignments, String invitedTenantId)
             throws UserInvitationMgtServerException {
 
-        RoleManagementService roleManagementService = UserInvitationMgtDataHolder.getInstance()
-                .getRoleManagementService();
         Role roleInfo;
         for (RoleAssignments roleAssignment : roleAssignments) {
             try {
@@ -583,9 +556,7 @@ private void checkUserExistenceAtInvitedOrganization(String domainQualifiedUserN
         }
     }
 
-    private String getAudienceName(RoleManagementService roleManagementService,
-                                   String roleId, String invitedTenantId)
-            throws UserInvitationMgtServerException {
+    private String getAudienceName(String roleId, String invitedTenantId) throws UserInvitationMgtServerException {
 
         try {
             Role roleInfo = roleManagementService.getRoleWithoutUsers(roleId, invitedTenantId);
@@ -599,4 +570,47 @@ private String getAudienceName(RoleManagementService roleManagementService,
         }
         return null;
     }
+
+    private void validateRoleAssignments(Invitation invitation, String userId, String invitedTenantDomain,
+                                         String parentTenantDomain)
+            throws UserInvitationMgtException, IdentityRoleManagementException {
+
+        List<String> audienceNameList = new ArrayList<>();
+
+        if (ArrayUtils.isNotEmpty(invitation.getRoleAssignments())) {
+            for (RoleAssignments roleAssignment : invitation.getRoleAssignments()) {
+                if (!roleManagementService.isExistingRole(roleAssignment.getRole(), invitedTenantDomain)) {
+                    throw new UserInvitationMgtClientException(ERROR_CODE_INVALID_ROLE.getCode(),
+                            ERROR_CODE_INVALID_ROLE.getMessage(),
+                            String.format(ERROR_CODE_INVALID_ROLE.getDescription(), roleAssignment.getRole()));
+                } else {
+                    String audienceName =
+                            getAudienceName(roleAssignment.getRole(), invitedTenantDomain);
+                    if (StringUtils.isNotEmpty(audienceName)) {
+                        audienceNameList.add(audienceName);
+                    }
+                }
+            }
+        }
+        if (ArrayUtils.isNotEmpty(audienceNameList.toArray())
+                && audienceNameList.contains(FrameworkConstants.Application.CONSOLE_APP)) {
+            if (!isInvitedUserHasConsoleAccess(userId, parentTenantDomain)) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("The given role list for User: " + invitation.getUsername() + " doesn't contain" +
+                            " the console access.");
+                }
+                throw new UserInvitationMgtClientException(ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getCode(),
+                        ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getMessage(),
+                        String.format(ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getDescription()));
+            }
+        }
+    }
+
+    private boolean isInvitedUserHasConsoleAccess(String userId, String tenantDomain)
+            throws IdentityRoleManagementException {
+
+        List<RoleBasicInfo> roleList = roleManagementService.getRoleListOfUser(userId, tenantDomain);
+        return roleList.stream().anyMatch(p ->
+                FrameworkConstants.Application.CONSOLE_APP.equals(p.getAudienceName()));
+    }
 }
diff --git a/...identity/organization/user/invitation/management/constant/UserInvitationMgtConstants.java b/...identity/organization/user/invitation/management/constant/UserInvitationMgtConstants.java
@@ -54,7 +54,6 @@ public class UserInvitationMgtConstants {
     public static final String EVENT_POST_ADD_INVITED_ORG_USER = "POST_ADD_INVITED_ORG_USER";
     public static final int SQL_FK_CONSTRAINT_VIOLATION_ERROR_CODE = 547;
     public static final String INVITATION_EVENT_HANDLER_ENABLED = "UserInvitationEventHandler.enable";
-    public static final String CONSOLE = "Console";
 
     // Configurations
     public static final String ORG_USER_INVITATION_USER_DOMAIN = "OrganizationUserInvitation.PrimaryUserDomain";