Skip to content

Commit

Permalink
Update app role when scopes are removed from app authorized API
Browse files Browse the repository at this point in the history
  • Loading branch information
dewniMW committed Feb 8, 2024
1 parent be2d45e commit 3428ff1
Show file tree
Hide file tree
Showing 3 changed files with 50 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

package org.wso2.carbon.identity.application.mgt;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.wso2.carbon.identity.api.resource.mgt.APIResourceMgtException;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementClientException;
Expand All @@ -26,19 +27,25 @@
import org.wso2.carbon.identity.application.common.model.APIResource;
import org.wso2.carbon.identity.application.common.model.AuthorizedAPI;
import org.wso2.carbon.identity.application.common.model.AuthorizedScopes;
import org.wso2.carbon.identity.application.common.model.RoleV2;
import org.wso2.carbon.identity.application.common.model.Scope;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants;
import org.wso2.carbon.identity.application.mgt.dao.AuthorizedAPIDAO;
import org.wso2.carbon.identity.application.mgt.dao.impl.AuthorizedAPIDAOImpl;
import org.wso2.carbon.identity.application.mgt.dao.impl.CacheBackedAuthorizedAPIDAOImpl;
import org.wso2.carbon.identity.application.mgt.internal.ApplicationManagementServiceComponentHolder;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService;
import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
import org.wso2.carbon.identity.role.v2.mgt.core.model.Permission;

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import static org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants.Error.INVALID_REQUEST;
import static org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants.Error.UNEXPECTED_SERVER_ERROR;
import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.APPLICATION;

/**
* Authorized API management service implementation.
Expand Down Expand Up @@ -115,6 +122,7 @@ public void patchAuthorizedAPI(String appId, String apiId, List<String> addedSco

authorizedAPIDAO.patchAuthorizedAPI(appId, apiId, addedScopes, removedScopes,
IdentityTenantUtil.getTenantId(tenantDomain));
updateRolesWithRemovedScopes(appId, removedScopes, tenantDomain);
}

@Override
Expand Down Expand Up @@ -181,4 +189,38 @@ private IdentityApplicationManagementServerException buildServerException(String

return new IdentityApplicationManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), message, ex);
}

private void updateRolesWithRemovedScopes(String appId, List<String> removedScopes, String tenantDomain)
throws IdentityApplicationManagementException {

if (CollectionUtils.isEmpty(removedScopes) || !isApplicationAudience(appId, tenantDomain)) {
return;
}

List<Permission> removedPermissions = removedScopes.stream().map(Permission::new).collect(Collectors.toList());
List<RoleV2> roles = ApplicationManagementService.getInstance().getAssociatedRolesOfApplication(appId,
tenantDomain);
try {
for (RoleV2 role : roles) {
getRoleManagementServiceV2().updatePermissionListOfRole(role.getId(), null, removedPermissions,
tenantDomain);
}
} catch (IdentityRoleManagementException e) {
throw new IdentityApplicationManagementException("Error while updating permission list of roles " +
"associated with the application ID: " + appId, e);
}
}

private boolean isApplicationAudience(String appId, String tenantDomain) throws
IdentityApplicationManagementException {

String audience = ApplicationManagementService.getInstance().getAllowedAudienceForRoleAssociation(appId,
tenantDomain);
return APPLICATION.equalsIgnoreCase(audience);
}

private static RoleManagementService getRoleManagementServiceV2() {

return ApplicationManagementServiceComponentHolder.getInstance().getRoleManagementServiceV2();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

package org.wso2.carbon.identity.application.mgt.listener;

import org.apache.commons.collections.CollectionUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ApplicationBasicInfo;
import org.wso2.carbon.identity.application.common.model.AuthorizedScopes;
Expand Down Expand Up @@ -522,6 +523,9 @@ private void validatePermissionsForApplication(List<Permission> permissions, Str
String tenantDomain)
throws IdentityRoleManagementException {

if (CollectionUtils.isEmpty(permissions)) {
return;
}
List<String> authorizedScopes = getAuthorizedScopes(applicationId, tenantDomain);
for (Permission permission : permissions) {
if (!authorizedScopes.contains(permission.getName())) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1023,6 +1023,10 @@ private boolean isDomainSeparatorPresent(String roleName) {
*/
private void removeSimilarPermissions(List<Permission> arr1, List<Permission> arr2) {

if (arr1 == null || arr2 == null) {
return;
}

List<Permission> common = new ArrayList<>(arr1);
common.retainAll(arr2);

Expand Down

0 comments on commit 3428ff1

Please sign in to comment.