Validate whether the given role list contains the console access

wso2-extensions · Nov 21, 2023 · 38106be · 38106be
1 parent af61f1d
commit 38106be
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/...o2/carbon/identity/organization/user/invitation/management/InvitationCoreServiceImpl.java b/...o2/carbon/identity/organization/user/invitation/management/InvitationCoreServiceImpl.java
@@ -55,6 +55,7 @@
 import java.security.SecureRandom;
 import java.sql.Timestamp;
 import java.time.Instant;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
@@ -63,6 +64,7 @@
 import java.util.UUID;
 
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.CLAIM_EMAIL_ADDRESS;
+import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.CONSOLE;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.DEFAULT_USER_STORE_DOMAIN;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.EVENT_NAME_POST_ADD_INVITATION;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.EVENT_POST_ADD_INVITED_ORG_USER;
@@ -76,6 +78,7 @@
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.EVENT_PROP_USER_NAME;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.ErrorMessage.ERROR_CODE_ACCEPT_INVITATION;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.ErrorMessage.ERROR_CODE_ACTIVE_INVITATION_EXISTS;
+import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.ErrorMessage.ERROR_CODE_CONSOLE_ACCESS_RESTRICTED;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.ErrorMessage.ERROR_CODE_CONSTRUCT_REDIRECT_URL;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.ErrorMessage.ERROR_CODE_CREATE_INVITATION;
 import static org.wso2.carbon.identity.organization.user.invitation.management.constant.UserInvitationMgtConstants.ErrorMessage.ERROR_CODE_EVENT_HANDLE;
@@ -173,15 +176,31 @@ public Invitation createInvitation(Invitation invitation) throws UserInvitationM
             invitation.setEmail(emailClaim);
             invitation.setUserOrganizationId(parentOrgId);
             invitation.setStatus(STATUS_PENDING);
+            List<String> audienceNameList = new ArrayList<>();
             if (ArrayUtils.isNotEmpty(invitation.getRoleAssignments())) {
                 for (RoleAssignments roleAssignment : invitation.getRoleAssignments()) {
                     if (!roleManagementService.isExistingRole(roleAssignment.getRole(), invitedTenantDomain)) {
                         throw new UserInvitationMgtClientException(ERROR_CODE_INVALID_ROLE.getCode(),
                                 ERROR_CODE_INVALID_ROLE.getMessage(),
                                 String.format(ERROR_CODE_INVALID_ROLE.getDescription(), roleAssignment.getRole()));
+                    } else {
+                        String audienceName =
+                                getAudienceName(roleManagementService, roleAssignment.getRole(), invitedTenantDomain);
+                        if (StringUtils.isNotEmpty(audienceName)) {
+                            audienceNameList.add(audienceName);
+                        }
                     }
                 }
             }
+            if (ArrayUtils.isNotEmpty(audienceNameList.toArray()) && !audienceNameList.contains(CONSOLE)) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("The given role list for User: " + invitation.getUsername() + " doesn't contain" +
+                            " the console access.");
+                }
+                throw new UserInvitationMgtClientException(ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getCode(),
+                        ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getMessage(),
+                        String.format(ERROR_CODE_CONSOLE_ACCESS_RESTRICTED.getDescription()));
+            }
             invitation.setInvitationId(UUID.randomUUID().toString());
             invitation.setConfirmationCode(UUID.randomUUID().toString());
             userInvitationDAO.createInvitation(invitation);
@@ -563,4 +582,21 @@ private void checkUserExistenceAtInvitedOrganization(String domainQualifiedUserN
                             PrivilegedCarbonContext.getThreadLocalCarbonContext().getOrganizationId()));
         }
     }
+
+    private String getAudienceName(RoleManagementService roleManagementService,
+                                   String roleId, String invitedTenantId)
+            throws UserInvitationMgtServerException {
+
+        try {
+            Role roleInfo = roleManagementService.getRoleWithoutUsers(roleId, invitedTenantId);
+            if (roleInfo != null) {
+                return roleInfo.getAudienceName();
+            }
+        } catch (IdentityRoleManagementException e) {
+            throw new UserInvitationMgtServerException(ERROR_CODE_GET_ROLE_ASSIGNMENTS_BY_ROLE_ID.getCode(),
+                    ERROR_CODE_GET_ROLE_ASSIGNMENTS_BY_ROLE_ID.getMessage(),
+                    String.format(ERROR_CODE_GET_ROLE_ASSIGNMENTS_BY_ROLE_ID.getDescription(), roleId), e);
+        }
+        return null;
+    }
 }
diff --git a/...identity/organization/user/invitation/management/constant/UserInvitationMgtConstants.java b/...identity/organization/user/invitation/management/constant/UserInvitationMgtConstants.java
@@ -54,6 +54,7 @@ public class UserInvitationMgtConstants {
     public static final String EVENT_POST_ADD_INVITED_ORG_USER = "POST_ADD_INVITED_ORG_USER";
     public static final int SQL_FK_CONSTRAINT_VIOLATION_ERROR_CODE = 547;
     public static final String INVITATION_EVENT_HANDLER_ENABLED = "UserInvitationEventHandler.enable";
+    public static final String CONSOLE = "Console";
 
     // Configurations
     public static final String ORG_USER_INVITATION_USER_DOMAIN = "OrganizationUserInvitation.PrimaryUserDomain";
@@ -126,6 +127,9 @@ public enum ErrorMessage {
         ERROR_CODE_INVITED_USER_EMAIL_NOT_FOUND("10030",
                 "Failed to resolve the email of the invited user.",
                 "Could not find the email of the invited user %s."),
+        ERROR_CODE_CONSOLE_ACCESS_RESTRICTED("10031",
+                "The provided role list doesn't contain console access.",
+                "Could not find any role with a console access to create an invitation."),
 
         // DAO layer errors
         ERROR_CODE_STORE_INVITATION("10501",