From 4e8dead065ee47ddf5175612ca7a828ab20ea717 Mon Sep 17 00:00:00 2001
From: Thilina Shashimal Senarath
Date: Fri, 27 Oct 2023 17:55:52 +0530
Subject: [PATCH] fix scim disabled roles

---
 .../identity/scim2/common/DAO/GroupDAO.java | 57 +++++++++++++++++++
 .../identity/scim2/common/DAO/SQLQueries.java | 7 +++
 .../scim2/common/group/SCIMGroupHandler.java | 20 ++++---
 .../scim2/common/impl/SCIMUserManager.java | 4 +-
 .../common/utils/AdminAttributeUtil.java | 14 ++++-
 pom.xml | 2 +-
 6 files changed, 94 insertions(+), 10 deletions(-)

diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/GroupDAO.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/GroupDAO.java
index 9ba867766..efdacaa6c 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/GroupDAO.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/GroupDAO.java
@@ -142,6 +142,34 @@ public boolean isExistingGroup(String groupName, int tenantId) throws IdentitySC
         return isExistingGroup;
     }
 
+    private boolean isExistingRoleV2Attribute(String attributeName, String roleName, int audienceRefId, int tenantId)
+            throws IdentitySCIMException {
+        Connection connection = IdentityDatabaseUtil.getDBConnection();
+        PreparedStatement prepStmt = null;
+        ResultSet rSet = null;
+        boolean isExistingAttribute = false;
+
+        try {
+            prepStmt = connection.prepareStatement(SQLQueries.CHECK_EXISTING_ATTRIBUTE_WITH_AUDIENCE_SQL);
+            prepStmt.setInt(1, tenantId);
+            prepStmt.setString(2, roleName);
+            prepStmt.setString(3, attributeName);
+            prepStmt.setInt(4, audienceRefId);
+
+            rSet = prepStmt.executeQuery();
+            if (rSet.next()) {
+                isExistingAttribute = true;
+            }
+            connection.commit();
+        } catch (SQLException e) {
+            throw new IdentitySCIMException("Error when reading the group attribute information from " +
+                    "the persistence store.", e);
+        } finally {
+            IdentityDatabaseUtil.closeAllConnections(connection, rSet, prepStmt);
+        }
+        return isExistingAttribute;
+    }
+
     private boolean isExistingAttribute(String attributeName, String groupName, int tenantId)
             throws IdentitySCIMException {
         Connection connection = IdentityDatabaseUtil.getDBConnection();
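Review bot: `isExistingRoleV2Attribute` takes its own pooled connection from `IdentityDatabaseUtil.getDBConnection()`, and the next hunk in this file calls it once per attribute from inside `addSCIMRoleV2Attributes` while that method already holds a connection from `getDBConnection(false)`, so every attribute write nests a second connection and can stall when the pool is small. Because the check and the insert run on different connections, a concurrent writer can slip between them; the check is only a convenience and the table's unique constraint (not visible in this diff) remains the real guard, which is worth a one-line comment here. A cleaner shape is to take the caller's connection, `private boolean isExistingRoleV2Attribute(Connection connection, String attributeName, String roleName, int audienceRefId, int tenantId)`, and drop the `getDBConnection`/`closeAllConnections` pair; failing that, use try-with-resources as the sibling `addSCIMRoleV2Attributes` does instead of the null-initialised `prepStmt`/`rSet`. `connection.commit()` after a read-only SELECT implies the connection is opened in transactional mode — confirm that is intended for a lookup.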
@@ -208,6 +236,35 @@ public void addSCIMGroupAttributes(int tenantId, String roleName, Map attributes) + throws IdentitySCIMException { + + try (Connection connection = IdentityDatabaseUtil.getDBConnection(false); + PreparedStatement prepStmt = connection.prepareStatement(SQLQueries.ADD_ATTRIBUTES_WITH_AUDIENCE_SQL)) { + prepStmt.setInt(1, tenantId); + prepStmt.setString(2, roleName); + prepStmt.setInt(3, audienceRefId); + + for (Map.Entry entry : attributes.entrySet()) { + if (!isExistingRoleV2Attribute(entry.getKey(), roleName, audienceRefId, tenantId)) { + prepStmt.setString(4, entry.getKey()); + prepStmt.setString(5, entry.getValue()); + prepStmt.addBatch(); + + } else { + throw new IdentitySCIMException("Error when adding SCIM Attribute: " + + entry.getKey() + + " An attribute with the same name already exists."); + } + } + prepStmt.execute(); + } catch (SQLException e) { + throw new IdentitySCIMException("Error when adding SCIM attributes for the admin : " + + roleName, e); + } + } + /** * Add SCIM attributes to hybrid roles created while SCIM was disabled in the user store. * diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/SQLQueries.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/SQLQueries.java index a4131b773..a5784b390 100644 --- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/SQLQueries.java +++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/SQLQueries.java 
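Review bot: `prepStmt.execute()` after the loop of `prepStmt.addBatch()` calls does not run the batch; JDBC only executes queued batches through `executeBatch()`, so depending on the driver `execute()` either inserts once with whatever parameters were bound last or throws, and all but the last attribute are silently lost. The line should read `prepStmt.executeBatch();`. The wrapped message `"Error when adding SCIM attributes for the admin : "` is no longer accurate now that this method is also used for the everyone role elsewhere in the patch; `"Error when adding SCIM attributes for the role : "` fits both callers. The method's signature line is garbled in this view (the generic type was stripped together with the hunk header), so the parameter list is inferred from the body.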
@@ -35,6 +35,10 @@ public class SQLQueries {
             "IDN_SCIM_GROUP.ATTR_VALUE=? AND IDN_SCIM_GROUP.ATTR_NAME=?";
     public static final String ADD_ATTRIBUTES_SQL =
             "INSERT INTO IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, ATTR_NAME, ATTR_VALUE) VALUES (?, ?, ?, ?)";
+
+    public static final String ADD_ATTRIBUTES_WITH_AUDIENCE_SQL =
+            "INSERT INTO IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, AUDIENCE_REF_ID, ATTR_NAME, ATTR_VALUE) VALUES " +
+                    "(?, ?, ?, ?, ?)";
     public static final String UPDATE_ATTRIBUTES_SQL =
             "UPDATE IDN_SCIM_GROUP SET UM_ATTR_VALUE=? WHERE TENANT_ID=? AND ROLE_NAME=? AND ATTR_NAME=?";
     public static final String UPDATE_GROUP_NAME_SQL =
@@ -44,6 +48,9 @@ public class SQLQueries {
     public static final String CHECK_EXISTING_ATTRIBUTE_SQL =
             "SELECT TENANT_ID, ROLE_NAME, ATTR_NAME FROM IDN_SCIM_GROUP WHERE IDN_SCIM_GROUP.TENANT_ID=? AND " +
                     "IDN_SCIM_GROUP.ROLE_NAME=? AND IDN_SCIM_GROUP.ATTR_NAME=?";
+    public static final String CHECK_EXISTING_ATTRIBUTE_WITH_AUDIENCE_SQL =
+            "SELECT TENANT_ID, ROLE_NAME, ATTR_NAME FROM IDN_SCIM_GROUP WHERE IDN_SCIM_GROUP.TENANT_ID=? AND " +
+                    "IDN_SCIM_GROUP.ROLE_NAME=? AND IDN_SCIM_GROUP.ATTR_NAME=? AND IDN_SCIM_GROUP.AUDIENCE_REF_ID=?";
     public static final String LIST_SCIM_GROUPS_SQL_BY_ATT_AND_ATT_VALUE =
             "SELECT ROLE_NAME FROM IDN_SCIM_GROUP WHERE IDN_SCIM_GROUP.TENANT_ID=? AND " +
                     "IDN_SCIM_GROUP.ATTR_NAME=? AND ATTR_VALUE LIKE ?";
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/group/SCIMGroupHandler.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/group/SCIMGroupHandler.java
index 9a0167631..10d275118 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/group/SCIMGroupHandler.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/group/SCIMGroupHandler.java
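Review bot: The two new statements key a role by `(TENANT_ID, ROLE_NAME, AUDIENCE_REF_ID)`, but the surviving `CHECK_EXISTING_ATTRIBUTE_SQL`, `UPDATE_ATTRIBUTES_SQL` and `LIST_SCIM_GROUPS_SQL_BY_ATT_AND_ATT_VALUE` still match on `ROLE_NAME` alone; if one role name can now exist under several audiences, as the new column implies, those reads and updates can touch rows belonging to another audience — worth checking against the table's unique constraint, which this diff does not show. No schema change for `AUDIENCE_REF_ID` accompanies the patch, so a comment above `ADD_ATTRIBUTES_WITH_AUDIENCE_SQL` such as `// Requires the IDN_SCIM_GROUP.AUDIENCE_REF_ID column introduced for role v2 audiences.` would point the next reader at the dependency. Separately, the context line `UPDATE_ATTRIBUTES_SQL` sets `UM_ATTR_VALUE` while every other statement in this class uses `ATTR_VALUE`; that is pre-existing, but it sits beside the new code and looks like a column-name typo.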
@@ -25,6 +25,7 @@
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants;
 import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
+import org.wso2.carbon.identity.role.v2.mgt.core.util.RoleManagementUtils;
 import org.wso2.carbon.identity.scim2.common.DAO.GroupDAO;
 import org.wso2.carbon.identity.scim2.common.exceptions.IdentitySCIMException;
 import org.wso2.carbon.identity.scim2.common.internal.SCIMCommonComponentHolder;
@@ -84,25 +85,30 @@ public void addMandatoryAttributes(String groupName) } /** - * Add admin role attributes. + * Add role v2 attributes. * * @param roleName Role name. * @throws IdentitySCIMException if any error occurs while adding admin role attributes. */ - public void addAdminRoleMandatoryAttributes(String roleName) throws IdentitySCIMException { + public void addRoleV2MandatoryAttributes(String roleName) throws IdentitySCIMException { Map attributes = new HashMap<>(); String tenantDomain = IdentityTenantUtil.getTenantDomain(tenantId); + String orgId = getOrganizationId(tenantDomain); String id; + int roleAudienceRefId; try { id = SCIMCommonComponentHolder.getRoleManagementServiceV2().getRoleIdByName( - UserCoreUtil.removeDomainFromName(roleName), RoleConstants.ORGANIZATION, - getOrganizationId(tenantDomain), tenantDomain); + UserCoreUtil.removeDomainFromName(roleName), RoleConstants.ORGANIZATION, orgId, tenantDomain); + roleAudienceRefId = RoleManagementUtils.resolveAudienceRefId(RoleConstants.ORGANIZATION, orgId); } catch (IdentityRoleManagementException e) { - throw new IdentitySCIMException("Error while resolving admin role id", e); + throw new IdentitySCIMException("Error while resolving role : " + roleName + " id", e); } if (StringUtils.isBlank(id)) { - id = UUID.randomUUID().toString(); + throw new IdentitySCIMException("Role : " + roleName + " id not found"); + } + if (roleAudienceRefId == -1) { + throw new IdentitySCIMException("Role : " + roleName + " audience id not found"); } attributes.put(SCIMConstants.CommonSchemaConstants.ID_URI, id); 
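Review bot: The Javadoc `@throws` line still reads "while adding admin role attributes" although the method was renamed to `addRoleV2MandatoryAttributes` and, per the AdminAttributeUtil hunk in this patch, is now also called for the everyone role; change it to `@throws IdentitySCIMException if the role id or audience cannot be resolved, or if adding the attributes fails.` The `roleAudienceRefId == -1` test assumes `RoleManagementUtils.resolveAudienceRefId` uses -1 as its not-found sentinel, which this diff does not show, so a short comment on that line (`// resolveAudienceRefId returns -1 when no audience row exists`, once confirmed) would save a lookup. Replacing the `UUID.randomUUID()` fallback with an exception is a behaviour change: a role with no v2 role id now fails the caller instead of receiving a fresh SCIM id, which should be checked against the upgrade path for roles created while SCIM was disabled. The method continues past this hunk.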
@@ -112,7 +118,7 @@ public void addAdminRoleMandatoryAttributes(String roleName) throws IdentitySCIM
         attributes.put(SCIMConstants.CommonSchemaConstants.LAST_MODIFIED_URI, createdDate);
         attributes.put(SCIMConstants.CommonSchemaConstants.LOCATION_URI, SCIMCommonUtils.getSCIMGroupURL(id));
         GroupDAO groupDAO = new GroupDAO();
-        groupDAO.addSCIMGroupAttributes(tenantId, roleName, attributes);
+        groupDAO.addSCIMRoleV2Attributes(tenantId, roleName, roleAudienceRefId, attributes);
     }
 
     /**
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java
index bee7df9d5..65b70ce54 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java
@@ -2986,7 +2986,9 @@ private Set getRoleNamesForGroupsEndpoint(String domainName)
         Set scimRoles = groupHandler.listSCIMRoles();
         List scimDisabledHybridRoles = getSCIMDisabledHybridRoleList(roleNames, scimRoles);
         if (!scimDisabledHybridRoles.isEmpty()) {
-            createSCIMAttributesForSCIMDisabledHybridRoles(scimDisabledHybridRoles);
+            if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+                createSCIMAttributesForSCIMDisabledHybridRoles(scimDisabledHybridRoles);
+            }
             roleNames.addAll(scimDisabledHybridRoles);
         }
         return roleNames;
diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/AdminAttributeUtil.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/AdminAttributeUtil.java
index a74fa3216..8958d08c3 100644
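Review bot: In the non-legacy branch of `getRoleNamesForGroupsEndpoint` the SCIM-disabled hybrid roles are still appended to `roleNames`, but nothing creates SCIM attributes for them any more, so the groups listing can now return roles that carry no SCIM id or metadata; the only v2 provisioning added by this patch (`addRoleV2MandatoryAttributes`) covers the admin and everyone roles. If listing them without attributes is intended, say why on the new `if`, e.g. `// Non-legacy runtime: attributes for these roles are not back-filled here — TODO confirm where role v2 roles get their SCIM attributes.`; otherwise the unprovisioned roles should be left out of `roleNames` rather than listed. The enclosing method starts outside the hunk.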
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/AdminAttributeUtil.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/AdminAttributeUtil.java
@@ -22,6 +22,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.scim2.common.exceptions.IdentitySCIMException;
@@ -134,7 +135,18 @@ public static void updateAdminGroup(int tenantId) {
                     log.debug(
                             "Group does not exist, setting scim attribute group value: " + roleNameWithDomain);
                 }
-                scimGroupHandler.addAdminRoleMandatoryAttributes(roleNameWithDomain);
+                if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+                    scimGroupHandler.addMandatoryAttributes(roleNameWithDomain);
+                } else {
+                    scimGroupHandler.addRoleV2MandatoryAttributes(roleNameWithDomain);
+
+                    // Add everyone role scim attributes.
+                    String everyoneRoleName = userStoreManager.getRealmConfiguration().getEveryOneRoleName();
+                    String everyoneRoleNameWithDomain = UserCoreUtil.addDomainToName(everyoneRoleName,
+                            domainName);
+                    scimGroupHandler.addRoleV2MandatoryAttributes(everyoneRoleNameWithDomain);
+                }
+
             }
 
             // Adding the SCIM attributes for admin group
diff --git a/pom.xml b/pom.xml
index 7772496cb..2fdf02ff0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -273,7 +273,7 @@
         6.5.3
         3.2.0.wso2v1
         4.9.15
-        5.25.419
+        5.25.456
         4.13.1
         20030203.000129
         1.8.12
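Review bot: The everyone role is passed to `addRoleV2MandatoryAttributes` unconditionally inside the `else` branch, while the existence check that guards this block (its start is outside the hunk, and the debug message above refers only to `roleNameWithDomain`) appears to cover just the admin role; since the new `addSCIMRoleV2Attributes` throws as soon as any attribute already exists, a repeat run of `updateAdminGroup` for a tenant whose everyone role already has SCIM attributes would abort the whole method. Guard the everyone role with the same existence check the admin role gets, or make the DAO path tolerant of existing rows. The added `+` blank line after the inner `}` leaves an empty line before the closing brace and should be dropped. `userStoreManager` and `domainName` are defined outside the hunk, so the null-safety of `getRealmConfiguration().getEveryOneRoleName()` is assumed here.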