Remove unwanted legacy authz runtime checks
sadilchamishka committed Jul 1, 2024
1 parent 8fb3cfc commit bc2e872
Showing 3 changed files with 47 additions and 135 deletions.
Expand Up @@ -23,7 +23,6 @@
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementClientException;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
Expand Down Expand Up @@ -282,10 +281,8 @@ public boolean doPostGetServiceProvider(ServiceProvider serviceProvider, String
// Add application roles to the filtered claim mappings (if any
filteredClaimMappings = addApplicationRolesToFilteredClaimMappings(filteredClaimMappings);
}
if (!CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
// Add roles to the filtered claim mappings.
filteredClaimMappings = addRolesClaimToFilteredClaimMappings(filteredClaimMappings);
}
// Add roles to the filtered claim mappings.
filteredClaimMappings = addRolesClaimToFilteredClaimMappings(filteredClaimMappings);
ClaimConfig claimConfig = new ClaimConfig();
claimConfig.setClaimMappings(filteredClaimMappings);
claimConfig.setAlwaysSendMappedLocalSubjectId(
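Review bot: The comment kept at the now-unconditional call, `// Add roles to the filtered claim mappings.`, says what the call does but not why it is no longer gated, while the application-roles call just above it is still wrapped in its own condition; one extra clause settles that for a reader coming from a release that had the flag, e.g. `// Add roles to the filtered claim mappings (always; the legacy authz runtime switch no longer applies here).` Dropping the `CarbonConstants` import is fine provided this was the only remaining use in the file, which the hunk does not show. doPostGetServiceProvider starts and ends outside the hunk.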
Expand Up @@ -23,7 +23,6 @@
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.AssociatedRolesConfig;
Expand Down Expand Up @@ -106,8 +105,7 @@ public boolean doPreUpdateApplication(ServiceProvider serviceProvider, String te

String updatedAllowedAudienceForRoleAssociation = ((serviceProvider.getAssociatedRolesConfig() == null) ||
(serviceProvider.getAssociatedRolesConfig().getAllowedAudience() == null)) ?
(CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME ? RoleConstants.ORGANIZATION :
RoleConstants.APPLICATION) : serviceProvider.getAssociatedRolesConfig().getAllowedAudience();
RoleConstants.APPLICATION : serviceProvider.getAssociatedRolesConfig().getAllowedAudience();

// If the existing and updated audiences are both organization, no need to update the roles.
if (RoleConstants.ORGANIZATION.equalsIgnoreCase(existingAllowedAudienceForRoleAssociation) &&
Expand Down Expand Up @@ -515,10 +513,6 @@ private void handleOrganizationAudiencedSharedRoleDeletion(List<RoleV2> rolesLis
String sharedAppOrgId)
throws IdentityRoleManagementException, OrganizationManagementException {

// Avoid the execution for legacy runtime.
if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
return;
}
String mainApplicationOrgId = organizationManager.resolveOrganizationId(mainApplicationTenantDomain);
if (mainApplicationOrgId == null) {
mainApplicationOrgId = SUPER_ORG_ID;
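Review bot: After the nested flag check is dropped, the assignment of `updatedAllowedAudienceForRoleAssociation` is still a three-line ternary that calls `getAssociatedRolesConfig()` three times; binding the config once reads better and removes the repeated calls: `AssociatedRolesConfig rolesConfig = serviceProvider.getAssociatedRolesConfig();` followed by `String updatedAllowedAudienceForRoleAssociation = (rolesConfig == null || rolesConfig.getAllowedAudience() == null) ? RoleConstants.APPLICATION : rolesConfig.getAllowedAudience();`. Note also that a service provider whose stored config carries no audience now resolves to APPLICATION where it previously resolved to ORGANIZATION under the legacy runtime, so an update of such an application may take the role re-association path below instead of the early "both organization" exit; if persisted data can have a null audience, that migration behaviour deserves a comment at this line. In the second hunk handleOrganizationAudiencedSharedRoleDeletion now runs for every caller, which is consistent with the first change. Both enclosing methods start and end outside their hunks.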
Expand Up @@ -30,33 +30,25 @@
import org.wso2.carbon.identity.event.IdentityEventException;
import org.wso2.carbon.identity.event.event.Event;
import org.wso2.carbon.identity.event.handler.AbstractEventHandler;
import org.wso2.carbon.identity.organization.management.ext.Constants;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingServiceImpl;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.constant.UserSharingConstants;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.internal.OrganizationUserSharingDataHolder;
import org.wso2.carbon.identity.organization.management.role.management.service.RoleManager;
import org.wso2.carbon.identity.organization.management.role.management.service.models.Role;
import org.wso2.carbon.identity.organization.management.role.management.service.models.User;
import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
import org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.identity.organization.management.service.model.Organization;
import org.wso2.carbon.identity.organization.management.service.model.TenantTypeOrganization;
import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
import org.wso2.carbon.identity.organization.management.service.util.Utils;
import org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants;
import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
import org.wso2.carbon.user.api.RealmConfiguration;
import org.wso2.carbon.user.api.UserStoreException;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Map;

import static org.wso2.carbon.identity.organization.management.ext.Constants.EVENT_PROP_ORGANIZATION_ID;
import static org.wso2.carbon.identity.organization.management.role.management.service.constant.RoleManagementConstants.ORG_ADMINISTRATOR_ROLE;
import static org.wso2.carbon.identity.organization.management.role.management.service.constant.RoleManagementConstants.ORG_CREATOR_ROLE;

/**
* The event handler for sharing the organization creator to the child organization.
Expand All @@ -71,81 +63,52 @@ public void handleEvent(Event event) throws IdentityEventException {
String eventName = event.getEventName();
String orgId = null;

if (!"POST_SHARED_CONSOLE_APP".equals(eventName)) {
return;
}

try {
if (Constants.EVENT_POST_ADD_ORGANIZATION.equals(eventName)) {
Map<String, Object> eventProperties = event.getEventProperties();
TenantTypeOrganization organization = (TenantTypeOrganization) eventProperties.get("ORGANIZATION");
boolean isOrgOwnerSetInAttributes = checkOrgCreatorSetInOrgAttributes(organization);
String authenticationType = (String) IdentityUtil.threadLocalProperties.get()
.get(UserSharingConstants.AUTHENTICATION_TYPE);
if (!isOrgOwnerSetInAttributes && StringUtils.isNotEmpty(authenticationType) &&
UserSharingConstants.APPLICATION_AUTHENTICATION_TYPE.equals(authenticationType)) {
return;
}
orgId = organization.getId();
String tenantDomain = OrganizationUserSharingDataHolder.getInstance().getOrganizationManager()
.resolveTenantDomain(orgId);
if (!OrganizationManagementUtil.isOrganization(tenantDomain)) {
return;
}
String associatedUserId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();
String associatedUserName = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(associatedUserName);
Role organizationCreatorRole = buildOrgCreatorRole(associatedUserId);
Role administratorRole = buildAdministratorRole(associatedUserId);
getRoleManager().createRole(orgId, organizationCreatorRole);
getRoleManager().createRole(orgId, administratorRole);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
} else {
if ("POST_SHARED_CONSOLE_APP".equals(eventName)) {
Map<String, Object> eventProperties = event.getEventProperties();
orgId = (String) eventProperties.get(EVENT_PROP_ORGANIZATION_ID);
Organization organization = OrganizationUserSharingDataHolder.getInstance()
.getOrganizationManager().getOrganization(orgId, false, false);
boolean isOrgOwnerSetInAttributes = checkOrgCreatorSetInOrgAttributes(organization);
String authenticationType = (String) IdentityUtil.threadLocalProperties.get()
.get(UserSharingConstants.AUTHENTICATION_TYPE);
if (!isOrgOwnerSetInAttributes && StringUtils.isNotEmpty(authenticationType) &&
UserSharingConstants.APPLICATION_AUTHENTICATION_TYPE.equals(authenticationType)) {
return;
}

String tenantDomain = OrganizationUserSharingDataHolder.getInstance().getOrganizationManager()
.resolveTenantDomain(orgId);
if (!OrganizationManagementUtil.isOrganization(tenantDomain)) {
return;
}

RealmConfiguration realmConfiguration = OrganizationUserSharingDataHolder.getInstance()
.getRealmService().getTenantUserRealm(IdentityTenantUtil.getTenantId(tenantDomain))
.getRealmConfiguration();
String associatedUserName = realmConfiguration.getAdminUserName();
String associatedUserId = realmConfiguration.getAdminUserId();
String associatedOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
.getUserResidentOrganizationId();
if (StringUtils.isEmpty(associatedOrgId)) {
associatedOrgId = getOrganizationManager().resolveOrganizationId(Utils.getTenantDomain());
}
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(associatedUserName);
userSharingService.shareOrganizationUser(orgId, associatedUserId, associatedOrgId);
String userId = userSharingService
.getUserAssociationOfAssociatedUserByOrgId(associatedUserId, orgId)
.getUserId();
if (allowAssignConsoleAdministratorRole()) {
assignUserToConsoleAppAdminRole(userId, tenantDomain);
}
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
Map<String, Object> eventProperties = event.getEventProperties();
orgId = (String) eventProperties.get(EVENT_PROP_ORGANIZATION_ID);
Organization organization = OrganizationUserSharingDataHolder.getInstance()
.getOrganizationManager().getOrganization(orgId, false, false);
boolean isOrgOwnerSetInAttributes = checkOrgCreatorSetInOrgAttributes(organization);
String authenticationType = (String) IdentityUtil.threadLocalProperties.get()
.get(UserSharingConstants.AUTHENTICATION_TYPE);
if (!isOrgOwnerSetInAttributes && StringUtils.isNotEmpty(authenticationType) &&
UserSharingConstants.APPLICATION_AUTHENTICATION_TYPE.equals(authenticationType)) {
return;
}

String tenantDomain = OrganizationUserSharingDataHolder.getInstance().getOrganizationManager()
.resolveTenantDomain(orgId);
if (!OrganizationManagementUtil.isOrganization(tenantDomain)) {
return;
}

RealmConfiguration realmConfiguration = OrganizationUserSharingDataHolder.getInstance()
.getRealmService().getTenantUserRealm(IdentityTenantUtil.getTenantId(tenantDomain))
.getRealmConfiguration();
String associatedUserName = realmConfiguration.getAdminUserName();
String associatedUserId = realmConfiguration.getAdminUserId();
String associatedOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext()
.getUserResidentOrganizationId();
if (StringUtils.isEmpty(associatedOrgId)) {
associatedOrgId = getOrganizationManager().resolveOrganizationId(Utils.getTenantDomain());
}
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(associatedUserName);
userSharingService.shareOrganizationUser(orgId, associatedUserId, associatedOrgId);
String userId = userSharingService
.getUserAssociationOfAssociatedUserByOrgId(associatedUserId, orgId)
.getUserId();
if (allowAssignConsoleAdministratorRole()) {
assignUserToConsoleAppAdminRole(userId, tenantDomain);
}
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
} catch (OrganizationManagementException | UserStoreException e) {
throw new IdentityEventException("An error occurred while sharing the organization creator to the " +
Expand All @@ -171,48 +134,6 @@ private boolean allowAssignConsoleAdministratorRole() {
return FrameworkConstants.Application.CONSOLE_APP.equals(authenticatedApp);
}

private Role buildOrgCreatorRole(String adminUUID) {

Role organizationCreatorRole = new Role();
organizationCreatorRole.setDisplayName(ORG_CREATOR_ROLE);
User orgCreator = new User(adminUUID);
organizationCreatorRole.setUsers(Collections.singletonList(orgCreator));
// Set permissions for org-creator role.
ArrayList<String> orgCreatorRolePermissions = new ArrayList<>();
// Adding mandatory permissions for the org-creator role.
orgCreatorRolePermissions.add(UserSharingConstants.ORG_MGT_PERMISSION);
orgCreatorRolePermissions.add(UserSharingConstants.ORG_ROLE_MGT_PERMISSION);
/*
Adding the bear minimum permission set that org creator should have to logged in to the console and view
user, groups, roles, SP, IDP sections.
*/
orgCreatorRolePermissions.addAll(UserSharingConstants.MINIMUM_PERMISSIONS_REQUIRED_FOR_ORG_CREATOR_VIEW);
// Add user create permission to organization creator to delegate permissions to other org users.
// This permission is assigned until https://github.com/wso2/product-is/issues/14439 is fixed
orgCreatorRolePermissions.add(UserSharingConstants.USER_MGT_CREATE_PERMISSION);
organizationCreatorRole.setPermissions(orgCreatorRolePermissions);
return organizationCreatorRole;
}

private Role buildAdministratorRole(String adminUUID) {

Role organizationAdministratorRole = new Role();
organizationAdministratorRole.setDisplayName(ORG_ADMINISTRATOR_ROLE);
User orgAdministrator = new User(adminUUID);
organizationAdministratorRole.setUsers(Collections.singletonList(orgAdministrator));
// Set permissions for org-administrator role.
ArrayList<String> orgAdministratorRolePermissions = new ArrayList<>();
// Setting all administrative permissions for the Administrator role
orgAdministratorRolePermissions.add(UserSharingConstants.ADMINISTRATOR_ROLE_PERMISSION);
organizationAdministratorRole.setPermissions(orgAdministratorRolePermissions);
return organizationAdministratorRole;
}

private RoleManager getRoleManager() {

return OrganizationUserSharingDataHolder.getInstance().getRoleManager();
}

private void assignUserToConsoleAppAdminRole(String userId, String tenantDomain)
throws IdentityEventException {

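Review bot: The new guard at the top of handleEvent compares against the inline literal `"POST_SHARED_CONSOLE_APP"`, which is now the only event this handler serves; naming it makes the intent visible and keeps a typo from silently disabling the handler, e.g. `private static final String POST_SHARED_CONSOLE_APP_EVENT = "POST_SHARED_CONSOLE_APP";` with the guard reading `if (!POST_SHARED_CONSOLE_APP_EVENT.equals(eventName)) {`. With the POST_ADD_ORGANIZATION branch and the buildOrgCreatorRole/buildAdministratorRole helpers removed, the class Javadoc that still describes "sharing the organization creator to the child organization" should be reworded to what the retained branch appears to do, namely share the tenant realm's admin user into the organization and optionally assign the console administrator role when the shared-console-app event fires. `String orgId = null;` is now only assigned inside the try; unless the catch block, whose message continues outside the hunk, reports it, the declaration could move next to its assignment. handleEvent ends outside the hunk.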

0 comments on commit bc2e872
