Improve session termination logic to limit the process only for appli…

…cable role audience
ZiyamSanthosh · Jan 16, 2024 · c41d3c5 · c41d3c5
1 parent cc620a2
commit c41d3c5
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 1 deletion.
diff --git a/...o2/carbon/identity/application/authentication/framework/UserSessionManagementService.java b/...o2/carbon/identity/application/authentication/framework/UserSessionManagementService.java
@@ -77,6 +77,19 @@ default boolean terminateSessionsByUserId(String userId) throws SessionManagemen
         return false;
     }
 
+    /**
+     * Terminate active sessions of the given user ID mapped to the application associated to the given roleId.
+     *
+     * @param userId Unique ID of the user.
+     * @param roleId Unique ID of the role.
+     * @return Whether the sessions termination is success or not. In default method, false is returned.
+     * @throws SessionManagementException if the session termination fails.
+     */
+    default boolean terminateSessionsByUserId(String userId, String roleId) throws SessionManagementException {
+
+        return false;
+    }
+
     /**
      * Get a specific session of the given user ID.
      *

diff --git a/.../application/authentication/framework/internal/impl/UserSessionManagementServiceImpl.java b/.../application/authentication/framework/internal/impl/UserSessionManagementServiceImpl.java
@@ -40,6 +40,9 @@
 import org.wso2.carbon.identity.application.common.model.User;
 import org.wso2.carbon.identity.core.model.ExpressionNode;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
+import org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService;
+import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
+import org.wso2.carbon.identity.role.v2.mgt.core.model.Role;
 import org.wso2.carbon.identity.user.profile.mgt.AssociatedAccountDTO;
 import org.wso2.carbon.identity.user.profile.mgt.association.federation.FederatedAssociationManager;
 import org.wso2.carbon.identity.user.profile.mgt.association.federation.exception.FederatedAssociationManagerException;
@@ -54,6 +57,7 @@
 
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -264,6 +268,12 @@ public List<UserSession> getSessionsByUserId(String userId, String tenantDomain)
     @Override
     public boolean terminateSessionsByUserId(String userId) throws SessionManagementException {
 
+        return terminateSessionsByUserId(userId, null);
+    }
+
+    @Override
+    public boolean terminateSessionsByUserId(String userId, String roleId) throws SessionManagementException {
+
         List<String> sessionIdList = null;
 
         if (StringUtils.isBlank(userId)) {
@@ -289,6 +299,10 @@ public boolean terminateSessionsByUserId(String userId) throws SessionManagement
         }
         sessionIdList = getSessionIdListByUserId(userIdToSearch);
 
+        if (StringUtils.isNotEmpty(roleId)) {
+            sessionIdList = filterSessionIdListByRole(sessionIdList, roleId);
+        }
+
         boolean isSessionPreservingAtPasswordUpdateEnabled =
                 Boolean.parseBoolean(IdentityUtil.getProperty(PRESERVE_LOGGED_IN_SESSION_AT_PASSWORD_UPDATE));
         String currentSessionId = "";
@@ -317,6 +331,43 @@ public boolean terminateSessionsByUserId(String userId) throws SessionManagement
         return true;
     }
 
+    /**
+     * Filter out the session IDs that are only applicable for the given role.
+     *
+     * @param sessionIdList List of session IDs.
+     * @param roleId        Role ID.
+     * @return List of filtered session IDs.
+     */
+    private List<String> filterSessionIdListByRole(List<String> sessionIdList, String roleId)
+            throws SessionManagementServerException {
+
+        try {
+            RoleManagementService roleManagementServiceV2 = FrameworkServiceDataHolder.getInstance()
+                    .getRoleManagementServiceV2();
+            Role role = roleManagementServiceV2.getRole(roleId,
+                    CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
+            String associatedApplication = role.getAudienceName();
+            Iterator<String> iterator = sessionIdList.iterator();
+            while (iterator.hasNext()) {
+                String sessionId = iterator.next();
+                SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(sessionId,
+                        FrameworkUtils.getLoginTenantDomainFromContext());
+                if (sessionContext != null) {
+                    sessionContext.getAuthenticatedIdPsOfApp().keySet().forEach(application -> {
+                        if (!associatedApplication.equals(application)) {
+                            iterator.remove();
+                        }
+                    });
+                }
+            }
+            return sessionIdList;
+        } catch (IdentityRoleManagementException e) {
+            String errorMessage = "Error occurred while retrieving role of id : " + roleId;
+            throw new SessionManagementServerException(SessionMgtConstants.ErrorMessages.ERROR_CODE_UNABLE_TO_GET_ROLE,
+                    errorMessage, e);
+        }
+    }
+
     @Override
     public Optional<UserSession> getSessionBySessionId(String userId, String sessionId)
             throws SessionManagementException {

diff --git a/...g/wso2/carbon/identity/application/authentication/framework/util/SessionMgtConstants.java b/...g/wso2/carbon/identity/application/authentication/framework/util/SessionMgtConstants.java
@@ -148,7 +148,10 @@ public enum ErrorMessages {
                 "Data validation has failed, %s."),
         ERROR_CODE_INVALID_SESSION_ID("USM-10011",
                 "Invalid Session",
-                "Session cannot be found for the given session ID.");
+                "Session cannot be found for the given session ID."),
+        ERROR_CODE_UNABLE_TO_GET_ROLE("USM-10012",
+                "Unable to retrieve role information",
+                "Server encountered an error while retrieving role information of roleId, %s.");
 
         private final String code;
         private final String message;