From 81fbe65e0e2f82581d92493740f567e99292978a Mon Sep 17 00:00:00 2001
From: Shan Chathusanda Jayathilaka
Date: Wed, 24 Apr 2024 11:36:43 +0530
Subject: [PATCH] Improve user delete and update for sub organizations
---
 .../scim2/common/utils/SCIMCommonUtils.java | 18 +++++++++++
 .../provider/resources/UserResource.java | 31 ++++++++++++-------
 2 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
index b57949a9..c9c69062 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
@@ -34,6 +34,8 @@
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.handler.event.account.lock.constants.AccountConstants;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.identity.role.mgt.core.IdentityRoleManagementException;
 import org.wso2.carbon.identity.role.mgt.core.util.UserIDResolver;
 import org.wso2.carbon.identity.scim2.common.cache.SCIMCustomAttributeSchemaCache;
@@ -948,4 +950,20 @@ public static String getLoggedInUserID() throws CharonException {
             throw new CharonException("Error occurred while retrieving super admin ID.", e);
         }
     }
+
+    /**
+     * Check whether the given tenant domain is an organization.
+     *
+     * @param tenantDomain Tenant domain of the request
+     * @return True if the tenant domain is an organization.
+     * @throws CharonException If an error occurred while checking the organization state.
+     */
+    public static boolean isOrganization(String tenantDomain) throws CharonException {
+
+        try {
+            return OrganizationManagementUtil.isOrganization(tenantDomain);
+        } catch (OrganizationManagementException e) {
+            throw new CharonException("Error occurred while checking the organization state.", e);
+        }
+    }
 }
diff --git a/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java b/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java
index 817fc727..d750dd6a 100644
--- a/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java
+++ b/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java
@@ -40,6 +40,7 @@
 import javax.ws.rs.core.Response;
 
 import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.buildCustomSchema;
+import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantDomain;
 import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantId;
 
 @Path("/")
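Review bot: The CharonException raised in the catch block of the new `isOrganization` helper carries no tenant context, so when a caller fails on it the log cannot say which tenant's organization lookup broke. Because this helper now decides whether the super-admin guard in UserResource runs at all, the failure should be traceable; I'd use `throw new CharonException("Error occurred while checking the organization state of tenant domain: " + tenantDomain, e);`. Propagating the error instead of returning false is the right call here, since a failed lookup must neither silently skip nor silently apply an authorization check, and that intent is worth recording in the Javadoc, e.g. `@throws CharonException If the organization lookup fails; callers must not assume either state.`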
@@ -151,13 +152,16 @@ public Response deleteUser(@PathParam(SCIMProviderConstants.ID) String id,
         // obtain the user store manager
         UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();
 
-        String superAdminID = AdminAttributeUtil.getSuperAdminID();
-        String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
-        if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Do not have permission to delete SuperAdmin user.");
+        // Skipping this validation if the request comes from a sub organization.
+        if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
+            String superAdminID = AdminAttributeUtil.getSuperAdminID();
+            String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
+            if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Do not have permission to delete SuperAdmin user.");
+                }
+                return Response.status(Response.Status.FORBIDDEN).build();
             }
-            return Response.status(Response.Status.FORBIDDEN).build();
         }
 
         // create charon-SCIM user resource manager and hand-over the request.
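Review bot: The new guard in `deleteUser` (organization check, super-admin lookup, logged-in-user comparison) is now a ten-line block that is repeated verbatim in `patchUser`, so a future correction to one copy can silently miss the other; I'd move the decision into one private helper and keep only the 403 response at each call site. The helper below assumes `AdminAttributeUtil.getSuperAdminID()` throws nothing broader than what `deleteUser` already declares — please confirm, as that signature is outside the hunk. The reason the check is skipped for organization tenants is also not stated anywhere; the comment says what is skipped but not why, so the helper hedges it rather than guessing. `deleteUser` itself starts and ends outside this hunk.
```java
    /**
     * Decides whether the super-admin protection applies to the target user.
     *
     * @param id SCIM id of the user being modified
     * @return True when {@code id} is the super admin and the caller is someone else.
     * @throws CharonException If the organization state or the logged-in user cannot be resolved.
     */
    private boolean isProtectedSuperAdminTarget(String id) throws CharonException {

        // NOTE(review): presumably an organization tenant has no super admin to protect — confirm.
        if (SCIMCommonUtils.isOrganization(getTenantDomain())) {
            return false;
        }
        String superAdminID = AdminAttributeUtil.getSuperAdminID();
        String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
        return superAdminID.equals(id) && !loggedInUser.equals(id);
    }

        // … unchanged: userManager lookup in deleteUser …
        if (isProtectedSuperAdminTarget(id)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Do not have permission to delete SuperAdmin user.");
            }
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // … unchanged: hand-over to the resource manager …
```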
@@ -348,13 +352,16 @@ public Response patchUser(@PathParam(SCIMConstants.CommonSchemaConstants.ID) Str
         // obtain the user store manager
         UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();
 
-        String superAdminID = AdminAttributeUtil.getSuperAdminID();
-        String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
-        if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Do not have permission to patch SuperAdmin user.");
+        // Skipping this validation if the request comes from a sub organization.
+        if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
+            String superAdminID = AdminAttributeUtil.getSuperAdminID();
+            String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
+            if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Do not have permission to patch SuperAdmin user.");
+                }
+                return Response.status(Response.Status.FORBIDDEN).build();
             }
-            return Response.status(Response.Status.FORBIDDEN).build();
         }
 
         // Build Custom schema
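Review bot: The new comment `// Skipping this validation if the request comes from a sub organization.` in `patchUser` says what is skipped but not why, so a reader cannot tell whether dropping the super-admin guard in an organization tenant is safe or merely expedient. If the reason is that organization tenants have no super admin of their own (I cannot verify that from the hunk), say so: `// Organization tenants have no super admin of their own, so the root-tenant guard does not apply here.` Separately, a rejected attempt to patch the super admin is security-relevant but surfaces only as a debug log before the 403; consider `LOG.warn("User " + loggedInUser + " attempted to patch the super admin user.");` so it is visible in production logs (the value is a user id, not a secret). `patchUser` starts and ends outside this hunk.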