Fix scim disabled roles

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/GroupDAO.java

@@ -142,6 +142,34 @@ public boolean isExistingGroup(String groupName, int tenantId) throws IdentitySC
  return isExistingGroup;
  }
 
+ private boolean isExistingRoleV2Attribute(String attributeName, String roleName, int audienceRefId, int tenantId)
+ throws IdentitySCIMException {
+ Connection connection = IdentityDatabaseUtil.getDBConnection();
+ PreparedStatement prepStmt = null;
+ ResultSet rSet = null;
+ boolean isExistingAttribute = false;
+
+ try {
+ prepStmt = connection.prepareStatement(SQLQueries.CHECK_EXISTING_ATTRIBUTE_WITH_AUDIENCE_SQL);
+ prepStmt.setInt(1, tenantId);
+ prepStmt.setString(2, roleName);
+ prepStmt.setString(3, attributeName);
+ prepStmt.setInt(4, audienceRefId);
+
+ rSet = prepStmt.executeQuery();
+ if (rSet.next()) {
+ isExistingAttribute = true;
+ }
+ connection.commit();
+ } catch (SQLException e) {
+ throw new IdentitySCIMException("Error when reading the group attribute information from " +
+ "the persistence store.", e);
+ } finally {
+ IdentityDatabaseUtil.closeAllConnections(connection, rSet, prepStmt);
+ }
+ return isExistingAttribute;
+ }
+
  private boolean isExistingAttribute(String attributeName, String groupName, int tenantId)
  throws IdentitySCIMException {
  Connection connection = IdentityDatabaseUtil.getDBConnection();
@@ -208,6 +236,35 @@ public void addSCIMGroupAttributes(int tenantId, String roleName, Map<String, St
  }
  }
 
+ public void addSCIMRoleV2Attributes(int tenantId, String roleName, int audienceRefId, Map<String,
+ String> attributes)
+ throws IdentitySCIMException {
+
+ try (Connection connection = IdentityDatabaseUtil.getDBConnection(false);
+ PreparedStatement prepStmt = connection.prepareStatement(SQLQueries.ADD_ATTRIBUTES_WITH_AUDIENCE_SQL)) {
+ prepStmt.setInt(1, tenantId);
+ prepStmt.setString(2, roleName);
+ prepStmt.setInt(3, audienceRefId);
+
+ for (Map.Entry<String, String> entry : attributes.entrySet()) {
+ if (!isExistingRoleV2Attribute(entry.getKey(), roleName, audienceRefId, tenantId)) {
+ prepStmt.setString(4, entry.getKey());
+ prepStmt.setString(5, entry.getValue());
+ prepStmt.addBatch();
+
+ } else {
+ throw new IdentitySCIMException("Error when adding SCIM Attribute: "
+ + entry.getKey()
+ + " An attribute with the same name already exists.");
+ }
+ }
+ prepStmt.execute();
+ } catch (SQLException e) {
+ throw new IdentitySCIMException("Error when adding SCIM attributes for the admin : "
+ + roleName, e);
+ }
+ }
+
  /**
  * Add SCIM attributes to hybrid roles created while SCIM was disabled in the user store.
  *

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/DAO/SQLQueries.java

@@ -35,6 +35,10 @@ public class SQLQueries {
  "IDN_SCIM_GROUP.ATTR_VALUE=? AND IDN_SCIM_GROUP.ATTR_NAME=?";
  public static final String ADD_ATTRIBUTES_SQL =
  "INSERT INTO IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, ATTR_NAME, ATTR_VALUE) VALUES (?, ?, ?, ?)";
+
+ public static final String ADD_ATTRIBUTES_WITH_AUDIENCE_SQL =
+ "INSERT INTO IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, AUDIENCE_REF_ID, ATTR_NAME, ATTR_VALUE) VALUES " +
+ "(?, ?, ?, ?, ?)";
  public static final String UPDATE_ATTRIBUTES_SQL =
  "UPDATE IDN_SCIM_GROUP SET UM_ATTR_VALUE=? WHERE TENANT_ID=? AND ROLE_NAME=? AND ATTR_NAME=?";
  public static final String UPDATE_GROUP_NAME_SQL =
@@ -44,6 +48,9 @@ public class SQLQueries {
  public static final String CHECK_EXISTING_ATTRIBUTE_SQL =
  "SELECT TENANT_ID, ROLE_NAME, ATTR_NAME FROM IDN_SCIM_GROUP WHERE IDN_SCIM_GROUP.TENANT_ID=? AND " +
  "IDN_SCIM_GROUP.ROLE_NAME=? AND IDN_SCIM_GROUP.ATTR_NAME=?";
+ public static final String CHECK_EXISTING_ATTRIBUTE_WITH_AUDIENCE_SQL =
+ "SELECT TENANT_ID, ROLE_NAME, ATTR_NAME FROM IDN_SCIM_GROUP WHERE IDN_SCIM_GROUP.TENANT_ID=? AND " +
+ "IDN_SCIM_GROUP.ROLE_NAME=? AND IDN_SCIM_GROUP.ATTR_NAME=? AND IDN_SCIM_GROUP.AUDIENCE_REF_ID=?";
  public static final String LIST_SCIM_GROUPS_SQL_BY_ATT_AND_ATT_VALUE =
  "SELECT ROLE_NAME FROM IDN_SCIM_GROUP WHERE IDN_SCIM_GROUP.TENANT_ID=? AND " +
  "IDN_SCIM_GROUP.ATTR_NAME=? AND ATTR_VALUE LIKE ?";

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/group/SCIMGroupHandler.java

@@ -25,6 +25,7 @@
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants;
 import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
+import org.wso2.carbon.identity.role.v2.mgt.core.util.RoleManagementUtils;
 import org.wso2.carbon.identity.scim2.common.DAO.GroupDAO;
 import org.wso2.carbon.identity.scim2.common.exceptions.IdentitySCIMException;
 import org.wso2.carbon.identity.scim2.common.internal.SCIMCommonComponentHolder;
@@ -84,25 +85,30 @@ public void addMandatoryAttributes(String groupName)
  }
 
  /**
- * Add admin role attributes.
+ * Add role v2 attributes.
  *
  * @param roleName Role name.
  * @throws IdentitySCIMException if any error occurs while adding admin role attributes.
  */
- public void addAdminRoleMandatoryAttributes(String roleName) throws IdentitySCIMException {
+ public void addRoleV2MandatoryAttributes(String roleName) throws IdentitySCIMException {
 
  Map<String, String> attributes = new HashMap<>();
  String tenantDomain = IdentityTenantUtil.getTenantDomain(tenantId);
+ String orgId = getOrganizationId(tenantDomain);
  String id;
+ int roleAudienceRefId;
  try {
  id = SCIMCommonComponentHolder.getRoleManagementServiceV2().getRoleIdByName(
- UserCoreUtil.removeDomainFromName(roleName), RoleConstants.ORGANIZATION,
-  getOrganizationId(tenantDomain), tenantDomain);
+ UserCoreUtil.removeDomainFromName(roleName), RoleConstants.ORGANIZATION, orgId, tenantDomain);
+ roleAudienceRefId = RoleManagementUtils.resolveAudienceRefId(RoleConstants.ORGANIZATION, orgId);
  } catch (IdentityRoleManagementException e) {
- throw new IdentitySCIMException("Error while resolving admin role id", e);
+ throw new IdentitySCIMException("Error while resolving role : " + roleName + " id", e);
  }
  if (StringUtils.isBlank(id)) {
- id = UUID.randomUUID().toString();
+ throw new IdentitySCIMException("Role : " + roleName + " id not found");
+ }
+ if (roleAudienceRefId == -1) {
+ throw new IdentitySCIMException("Role : " + roleName + " audience id not found");
  }
  attributes.put(SCIMConstants.CommonSchemaConstants.ID_URI, id);
 
@@ -112,7 +118,7 @@ public void addAdminRoleMandatoryAttributes(String roleName) throws IdentitySCIM
  attributes.put(SCIMConstants.CommonSchemaConstants.LAST_MODIFIED_URI, createdDate);
  attributes.put(SCIMConstants.CommonSchemaConstants.LOCATION_URI, SCIMCommonUtils.getSCIMGroupURL(id));
  GroupDAO groupDAO = new GroupDAO();
- groupDAO.addSCIMGroupAttributes(tenantId, roleName, attributes);
+ groupDAO.addSCIMRoleV2Attributes(tenantId, roleName, roleAudienceRefId, attributes);
  }
 
  /**

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java

@@ -2986,7 +2986,9 @@ private Set<String> getRoleNamesForGroupsEndpoint(String domainName)
  Set<String> scimRoles = groupHandler.listSCIMRoles();
  List<String> scimDisabledHybridRoles = getSCIMDisabledHybridRoleList(roleNames, scimRoles);
  if (!scimDisabledHybridRoles.isEmpty()) {
- createSCIMAttributesForSCIMDisabledHybridRoles(scimDisabledHybridRoles);
+ if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+ createSCIMAttributesForSCIMDisabledHybridRoles(scimDisabledHybridRoles);
+ }
  roleNames.addAll(scimDisabledHybridRoles);
  }
  return roleNames;

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/AdminAttributeUtil.java

@@ -22,6 +22,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.scim2.common.exceptions.IdentitySCIMException;
@@ -134,7 +135,18 @@ public static void updateAdminGroup(int tenantId) {
  log.debug(
  "Group does not exist, setting scim attribute group value: " + roleNameWithDomain);
  }
- scimGroupHandler.addAdminRoleMandatoryAttributes(roleNameWithDomain);
+ if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+ scimGroupHandler.addMandatoryAttributes(roleNameWithDomain);
+ } else {
+ scimGroupHandler.addRoleV2MandatoryAttributes(roleNameWithDomain);
+
+ // Add everyone role scim attributes.
+ String everyoneRoleName = userStoreManager.getRealmConfiguration().getEveryOneRoleName();
+ String everyoneRoleNameWithDomain = UserCoreUtil.addDomainToName(everyoneRoleName,
+ domainName);
+ scimGroupHandler.addRoleV2MandatoryAttributes(everyoneRoleNameWithDomain);
+ }
+
  }
 
  // Adding the SCIM attributes for admin group

pom.xml

@@ -273,7 +273,7 @@
  <inbound.auth.oauth.version>6.5.3</inbound.auth.oauth.version>
  <commons-collections.version>3.2.0.wso2v1</commons-collections.version>
  <carbon.kernel.version>4.9.15</carbon.kernel.version>
- <identity.framework.version>5.25.419</identity.framework.version>
+ <identity.framework.version>5.25.456</identity.framework.version>
  <junit.version>4.13.1</junit.version>
  <commons.lang.version>20030203.000129</commons.lang.version>
  <identity.governance.version>1.8.12</identity.governance.version>