From 67a960a698d18ff280f9d9e652b7823c4ecfb0c6 Mon Sep 17 00:00:00 2001
From: dewniMW
Date: Tue, 6 Feb 2024 19:28:57 +0530
Subject: [PATCH] Update app role when scopes are removed from app authorized API
---
 .../AuthorizedAPIManagementServiceImpl.java | 42 +++++++++++++++++++
 .../DefaultRoleManagementListener.java | 4 ++
 .../mgt/core/RoleManagementServiceImpl.java | 4 ++
 3 files changed, 50 insertions(+)
diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/AuthorizedAPIManagementServiceImpl.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/AuthorizedAPIManagementServiceImpl.java
index 2397c1fb43f8..1642399cd775 100644
--- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/AuthorizedAPIManagementServiceImpl.java
+++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/AuthorizedAPIManagementServiceImpl.java
@@ -18,6 +18,7 @@
 package org.wso2.carbon.identity.application.mgt;
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.wso2.carbon.identity.api.resource.mgt.APIResourceMgtException;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementClientException;
@@ -26,6 +27,7 @@
 import org.wso2.carbon.identity.application.common.model.APIResource;
 import org.wso2.carbon.identity.application.common.model.AuthorizedAPI;
 import org.wso2.carbon.identity.application.common.model.AuthorizedScopes;
+import org.wso2.carbon.identity.application.common.model.RoleV2;
 import org.wso2.carbon.identity.application.common.model.Scope;
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants;
 import org.wso2.carbon.identity.application.mgt.dao.AuthorizedAPIDAO;
@@ -33,12 +35,17 @@
 import org.wso2.carbon.identity.application.mgt.dao.impl.CacheBackedAuthorizedAPIDAOImpl;
 import org.wso2.carbon.identity.application.mgt.internal.ApplicationManagementServiceComponentHolder;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService;
+import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
+import org.wso2.carbon.identity.role.v2.mgt.core.model.Permission;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.stream.Collectors;
 import static org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants.Error.INVALID_REQUEST;
 import static org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants.Error.UNEXPECTED_SERVER_ERROR;
+import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.APPLICATION;
 /**
 * Authorized API management service implementation.
@@ -115,6 +122,7 @@ public void patchAuthorizedAPI(String appId, String apiId, List addedSco
 authorizedAPIDAO.patchAuthorizedAPI(appId, apiId, addedScopes, removedScopes, IdentityTenantUtil.getTenantId(tenantDomain));
+ updateRoleWithRemovedScopes(appId, removedScopes, tenantDomain);
 }
 @Override
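Review bot: `updateRoleWithRemovedScopes` is invoked only after `authorizedAPIDAO.patchAuthorizedAPI` has persisted the scope removal, so if the role update it performs (the hunk at -181) throws, the authorized API no longer lists the scope while the application's roles still carry the matching permission, and the caller only sees the exception. Unless the DAO patch and the role update run in one transaction, which this hunk does not show, consider running the role clean-up before the DAO patch, or at least document the partial-failure behaviour at the call site, e.g. `// Role permissions are pruned after the API patch is persisted; a failure here leaves the API patched and surfaces the error to the caller.` The enclosing `patchAuthorizedAPI` starts outside the hunk.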
@@ -181,4 +189,38 @@ private IdentityApplicationManagementServerException buildServerException(String
 return new IdentityApplicationManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), message, ex);
 }
+
+ private void updateRoleWithRemovedScopes(String appId, List removedScopes, String tenantDomain)
+ throws IdentityApplicationManagementException {
+
+ if (CollectionUtils.isEmpty(removedScopes) || !isApplicationAudience(appId, tenantDomain)) {
+ return;
+ }
+
+ List removedPermissions = removedScopes.stream().map(Permission::new).collect(Collectors.toList());
+ List roles = ApplicationManagementService.getInstance().getAssociatedRolesOfApplication(appId,
+ tenantDomain);
+ try {
+ for (RoleV2 role : roles) {
+ getRoleManagementServiceV2().updatePermissionListOfRole(role.getId(), null, removedPermissions,
+ tenantDomain);
+ }
+ } catch (IdentityRoleManagementException e) {
+ throw new IdentityApplicationManagementException("Error while updating permission list of roles " +
+ "associated with the application ID: " + appId, e);
+ }
+ }
+
+ private boolean isApplicationAudience(String appId, String tenantDomain) throws
+ IdentityApplicationManagementException {
+
+ String audience = ApplicationManagementService.getInstance().getAllowedAudienceForRoleAssociation(appId,
+ tenantDomain);
+ return APPLICATION.equalsIgnoreCase(audience);
+ }
+
+ private static RoleManagementService getRoleManagementServiceV2() {
+
+ return ApplicationManagementServiceComponentHolder.getInstance().getRoleManagementServiceV2();
+ }
 }
diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java
index 48d0dbaeecbf..f816751ab177 100644
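Review bot: The `for (RoleV2 role : roles)` loop in `updateRoleWithRemovedScopes` dereferences the result of `getAssociatedRolesOfApplication` without a null check, while `removedScopes` is guarded with `CollectionUtils.isEmpty`; if that service method can return null for an application with no role associations, this path throws a NullPointerException that the `catch (IdentityRoleManagementException e)` block does not wrap. Adding `if (CollectionUtils.isEmpty(roles)) { return; }` after the lookup would make the two guards consistent. The three new private methods also lack Javadoc; a summary on `updateRoleWithRemovedScopes` should state that it only prunes permissions from roles when the application's allowed role audience is `APPLICATION`, that roles of any other audience are left untouched, and that it passes `null` as the added-permission list to `updatePermissionListOfRole`.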
--- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java
+++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java
@@ -18,6 +18,7 @@
 package org.wso2.carbon.identity.application.mgt.listener;
+import org.apache.commons.collections.CollectionUtils;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
 import org.wso2.carbon.identity.application.common.model.ApplicationBasicInfo;
 import org.wso2.carbon.identity.application.common.model.AuthorizedScopes;
@@ -522,6 +523,9 @@ private void validatePermissionsForApplication(List permissions, Str
 String tenantDomain) throws IdentityRoleManagementException {
+ if (CollectionUtils.isEmpty(permissions)) {
+ return;
+ }
 List authorizedScopes = getAuthorizedScopes(applicationId, tenantDomain);
 for (Permission permission : permissions) {
 if (!authorizedScopes.contains(permission.getName())) {
diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java
index 5fa33b364703..13b46b55c2cb 100644
--- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java
+++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java
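Review bot: The new `CollectionUtils.isEmpty(permissions)` guard in `validatePermissionsForApplication` silently accepts a null list, which appears to pair with the `null` added-permission argument that `updateRoleWithRemovedScopes` passes to `updatePermissionListOfRole` elsewhere in this patch; that coupling is not visible from this file, so a reader may later tighten the check and break the removal path. A one-line comment above the guard would preserve the intent, e.g. `// A null or empty list means no permissions are being added, so there is nothing to check against the app's authorized scopes.` `validatePermissionsForApplication` starts and ends outside the hunk.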
@@ -1023,6 +1023,10 @@ private boolean isDomainSeparatorPresent(String roleName) {
 */
 private void removeSimilarPermissions(List arr1, List arr2) {
+ if (arr1 == null || arr2 == null) {
+ return;
+ }
+
 List common = new ArrayList<>(arr1);
 common.retainAll(arr2);