diff --git a/components/org.wso2.carbon.identity.governance/pom.xml b/components/org.wso2.carbon.identity.governance/pom.xml
index 6fcdc19f64..6686144da6 100644
--- a/components/org.wso2.carbon.identity.governance/pom.xml
+++ b/components/org.wso2.carbon.identity.governance/pom.xml
@@ -48,6 +48,11 @@
org.apache.axis2.wso2
axis2
+
+ com.h2database
+ h2
+ test
+
org.testng
testng
diff --git a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreService.java b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreService.java
index a1e0e9333a..c288c51f0a 100644
--- a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreService.java
+++ b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreService.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
@@ -24,6 +24,7 @@
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.model.ExpressionCondition;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
@@ -128,6 +129,58 @@ List getUserNamesMoreThanProvidedClaimValue(String claimURI, String clai
List getUserNamesBetweenProvidedClaimValues(String claimURI, String startValue, String endValue,
int tenantId) throws IdentityException;
+ /**
+ * Get the list of usernames who have the claim value less than the provided claim value for a given claim URI
+ * and include or exclude the users with the boolean isIncluded
+ * based on the nested claim value for a given nested claim URI.
+ *
+ * @param claimURI Claim URI.
+ * @param claimValue Claim value.
+ * @param nestedClaimURI Nested claim URI.
+ * @param nestedClaimValue Nested claim value.
+ * @param tenantId Tenant ID.
+ * @param isIncluded Include or exclude the users based on the nested claim.
+ * @return List of usernames.
+ * @throws IdentityException Identity exception.
+ */
+ default List getUserNamesLessThanClaimWithNestedClaim(String claimURI,
+ String claimValue,
+ String nestedClaimURI,
+ String nestedClaimValue,
+ int tenantId,
+ boolean isIncluded)
+ throws IdentityException {
+
+ return Collections.emptyList();
+ }
+
+ /**
+ * Get the list of usernames who have the claim value between the provided claim values for a given claim URI
+ * and include or exclude the users with the boolean isIncluded
+ * based on the nested claim value for a given nested claim URI.
+ *
+ * @param claimURI Claim URI.
+ * @param startValue Start value.
+ * @param endValue End value.
+ * @param nestedClaimURI Nested claim URI.
+ * @param nestedClaimValue Nested claim value.
+ * @param tenantId Tenant ID.
+ * @param isIncluded Include or exclude the users based on the nested claim.
+ * @return List of usernames.
+ * @throws IdentityException Identity exception.
+ */
+ default List getUserNamesBetweenGivenClaimsWithNestedClaim(String claimURI,
+ String startValue,
+ String endValue,
+ String nestedClaimURI,
+ String nestedClaimValue,
+ int tenantId,
+ boolean isIncluded)
+ throws IdentityException {
+
+ return Collections.emptyList();
+ }
+
/**
* Check whether the identity data store is user store based.
*
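Review bot: The two new default methods return `Collections.emptyList()`, so a data store that does not support nested-claim filtering looks exactly like one with no matching users, and the Javadoc does not mention this. For a query that feeds idle or disabled account handling, a silent empty result can hide accounts that should have been reported. I would at least document it, e.g. `@implSpec The default implementation returns an empty list; stores that support nested-claim filtering must override this method.`, and consider whether callers need a way to detect "not supported". The same pattern appears in the base methods added to UserIdentityDataStore and in the default `filterInactiveUsersIfDisabled` of IdleAccountIdentificationService. The interface body continues outside this hunk.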
diff --git a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreServiceImpl.java b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreServiceImpl.java
index 17386d45a5..5973f8df0a 100644
--- a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreServiceImpl.java
+++ b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/service/IdentityDataStoreServiceImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
@@ -179,6 +179,31 @@ public List getUserNamesBetweenProvidedClaimValues(String claimURI, Stri
return identityDataStore.getUserNamesBetweenProvidedClaimValues(claimURI, startValue, endValue, tenantId);
}
+ @Override
+ public List getUserNamesLessThanClaimWithNestedClaim(String claimURI,
+ String claimValue,
+ String nestedClaimURI,
+ String nestedClaimValue,
+ int tenantId,
+ boolean isIncluded)
+ throws IdentityException {
+
+ return identityDataStore.getUserNamesLessThanClaimWithNestedClaim(claimURI, claimValue,
+ nestedClaimURI, nestedClaimValue, tenantId, isIncluded);
+ }
+
+ @Override
+ public List getUserNamesBetweenGivenClaimsWithNestedClaim(String claimURI, String startValue,
+ String endValue,
+ String nestedClaimURI,
+ String nestedClaimValue, int tenantId,
+ boolean isIncluded)
+ throws IdentityException {
+
+ return identityDataStore.getUserNamesBetweenGivenClaimsWithNestedClaim(claimURI, startValue,
+ endValue, nestedClaimURI, nestedClaimValue, tenantId, isIncluded);
+ }
+
@Override
public boolean isUserStoreBasedIdentityDataStore() {
diff --git a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/JDBCIdentityDataStore.java b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/JDBCIdentityDataStore.java
index a836d819b8..c739f8cd43 100644
--- a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/JDBCIdentityDataStore.java
+++ b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/JDBCIdentityDataStore.java
@@ -1,17 +1,19 @@
/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2025, WSO2 LLC. (http://www.wso2.com).
*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
package org.wso2.carbon.identity.governance.store;
@@ -463,6 +465,82 @@ public List getUserNamesBetweenProvidedClaimValues(String claimURI, Str
}
}
+ @Override
+ public List getUserNamesLessThanClaimWithNestedClaim(String claimURI, String claimValue,
+ String nestedClaimURI,
+ String nestedClaimValue, int tenantId,
+ boolean isIncluded)
+ throws IdentityException {
+
+ String sqlStmt = SQLQuery.FILTER_USERS_BY_DATA_KEY_LESS_THAN_DATA_VALUE;
+ String subSqlStmt = SQLQuery.LIST_USERS_FROM_CLAIM;
+ if (isIncluded) {
+ sqlStmt = sqlStmt + " AND USER_NAME IN (" + subSqlStmt + ")";
+ } else {
+ sqlStmt = sqlStmt + " AND USER_NAME NOT IN (" + subSqlStmt + ")";
+ }
+
+ List userNames = new ArrayList<>();
+ try (Connection connection = IdentityDatabaseUtil.getDBConnection(false)) {
+ try (PreparedStatement prepStmt = connection.prepareStatement(sqlStmt)) {
+ prepStmt.setString(1, claimURI);
+ prepStmt.setInt(2, tenantId);
+ prepStmt.setString(3, claimValue);
+ prepStmt.setString(4, nestedClaimURI);
+ prepStmt.setString(5, nestedClaimValue);
+ prepStmt.setInt(6, tenantId);
+ prepStmt.setString(7, "%");
+ try (ResultSet resultSet = prepStmt.executeQuery()) {
+ while (resultSet.next()) {
+ String username = resultSet.getString(1);
+ userNames.add(username);
+ }
+ }
+ return userNames;
+ }
+ } catch (SQLException e) {
+ throw new IdentityException("Error occurred while retrieving users from Identity Store.", e);
+ }
+ }
+
+ @Override
+ public List getUserNamesBetweenGivenClaimsWithNestedClaim(String claimURI, String startValue,
+ String endValue,
+ String nestedClaimURI,
+ String nestedClaimValue, int tenantId,
+ boolean isIncluded)
+ throws IdentityException {
+
+ String sqlStmt = SQLQuery.FILTER_USERS_BY_DATA_KEY_LESS_THAN_AND_GREATER_THAN_DATA_VALUES;
+ String subSqlStmt = SQLQuery.LIST_USERS_FROM_CLAIM;
+ if (isIncluded) {
+ sqlStmt = sqlStmt + " AND USER_NAME IN (" + subSqlStmt + ")";
+ } else {
+ sqlStmt = sqlStmt + " AND USER_NAME NOT IN (" + subSqlStmt + ")";
+ }
+ List userNames = new ArrayList<>();
+ try (Connection connection = IdentityDatabaseUtil.getDBConnection(false)) {
+ try (PreparedStatement prepStmt = connection.prepareStatement(sqlStmt)) {
+ prepStmt.setString(1, claimURI);
+ prepStmt.setInt(2, tenantId);
+ prepStmt.setString(3, endValue);
+ prepStmt.setString(4, startValue);
+ prepStmt.setString(5, nestedClaimURI);
+ prepStmt.setString(6, nestedClaimValue);
+ prepStmt.setInt(7, tenantId);
+ prepStmt.setString(8, "%");
+ try (ResultSet resultSet = prepStmt.executeQuery()) {
+ while (resultSet.next()) {
+ String username = resultSet.getString(1);
+ userNames.add(username);
+ }
+ }
+ return userNames;
+ }
+ } catch (SQLException e) {
+ throw new IdentityException("Error occurred while retrieving users from Identity Store.", e);
+ }
+ }
private void populatePrepareStatement(SqlBuilder sqlBuilder, PreparedStatement prepStmt, int startIndex,
int endIndex) throws SQLException {
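Review bot: Both new methods bind a bare `"%"` as the last parameter (index 7 in getUserNamesLessThanClaimWithNestedClaim, index 8 in getUserNamesBetweenGivenClaimsWithNestedClaim), and no comment ties the bind indices to the SQL. The indices depend on the placeholder order of two SQLQuery constants that are concatenated here but defined outside this hunk. The second `setInt(..., tenantId)` appears to be what keeps the nested-claim sub-query scoped to the caller's tenant, so an edit to LIST_USERS_FROM_CLAIM could shift it without any compile error. I would add a comment above the binds such as `// outer filter binds first; then LIST_USERS_FROM_CLAIM: claim URI, claim value, tenant id, user-name pattern ("%" presumably matches any user - confirm)`. The duplicated prepare/bind/collect code could also move into one private helper that takes the SQL and the bind values.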
diff --git a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/UserIdentityDataStore.java b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/UserIdentityDataStore.java
index 96b5af2c15..6f38ceba6b 100644
--- a/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/UserIdentityDataStore.java
+++ b/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/store/UserIdentityDataStore.java
@@ -1,17 +1,19 @@
/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2025, WSO2 LLC. (http://www.wso2.com).
*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
package org.wso2.carbon.identity.governance.store;
@@ -161,4 +163,56 @@ public List getUserNamesBetweenProvidedClaimValues(String claimURI, Stri
// Return an immutable empty list if subclasses do not have any overrides.
return Collections.emptyList();
}
+
+ /**
+ * Get the list of usernames who have the claim value less than the provided claim value for a given claim URI
+ * and include or exclude the users with the boolean isIncluded
+ * based on the nested claim value for a given nested claim URI.
+ *
+ * @param claimURI Claim URI.
+ * @param claimValue Claim value.
+ * @param nestedClaimURI Nested claim URI.
+ * @param nestedClaimValue Nested claim value.
+ * @param tenantId Tenant ID.
+ * @param isIncluded Include or exclude the users based on the nested claim.
+ * @return List of usernames.
+ * @throws IdentityException Identity exception.
+ */
+ public List getUserNamesLessThanClaimWithNestedClaim(String claimURI,
+ String claimValue,
+ String nestedClaimURI,
+ String nestedClaimValue,
+ int tenantId,
+ boolean isIncluded) throws IdentityException {
+
+ // Return an immutable empty list if subclasses do not have any overrides.
+ return Collections.emptyList();
+ }
+
+ /**
+ * Get the list of usernames who have the claim value between the provided claim values for a given claim URI
+ * and include or exclude the users with the boolean isIncluded
+ * based on the nested claim value for a given nested claim URI.
+ *
+ * @param claimURI Claim URI.
+ * @param startValue Start value.
+ * @param endValue End value.
+ * @param nestedClaimURI Nested claim URI.
+ * @param nestedClaimValue Nested claim value.
+ * @param tenantId Tenant ID.
+ * @param isIncluded Include or exclude the users based on the nested claim.
+ * @return List of usernames.
+ * @throws IdentityException Identity exception.
+ */
+ public List getUserNamesBetweenGivenClaimsWithNestedClaim(String claimURI,
+ String startValue,
+ String endValue,
+ String nestedClaimURI,
+ String nestedClaimValue,
+ int tenantId,
+ boolean isIncluded) throws IdentityException {
+
+ // Return an immutable empty list if subclasses do not have any overrides.
+ return Collections.emptyList();
+ }
}
diff --git a/components/org.wso2.carbon.identity.governance/src/test/java/org/wso2/carbon/identity/governance/store/JDBCIdentityDataStoreTest.java b/components/org.wso2.carbon.identity.governance/src/test/java/org/wso2/carbon/identity/governance/store/JDBCIdentityDataStoreTest.java
new file mode 100644
index 0000000000..8d23f26b5d
--- /dev/null
+++ b/components/org.wso2.carbon.identity.governance/src/test/java/org/wso2/carbon/identity/governance/store/JDBCIdentityDataStoreTest.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.governance.store;
+
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.testng.annotations.AfterMethod;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+import org.wso2.carbon.context.CarbonContext;
+import org.wso2.carbon.identity.core.util.IdentityDatabaseUtil;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
+import org.wso2.carbon.identity.governance.service.IdentityDataStoreService;
+import org.wso2.carbon.identity.governance.service.IdentityDataStoreServiceImpl;
+import org.wso2.carbon.identity.governance.store.Utils.TestUtils;
+import org.wso2.carbon.user.core.UserRealm;
+import org.wso2.carbon.user.core.UserStoreManager;
+
+import java.sql.Connection;
+import java.util.List;
+
+import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.testng.Assert.assertEquals;
+
+public class JDBCIdentityDataStoreTest {
+
+ private static final int TENANT_ID = 3;
+ private static final String IDENTITY_DATA_STORE_TYPE = "org.wso2.carbon.identity." +
+ "governance.store.JDBCIdentityDataStore";
+ private static final String CLAIM_URI = "http://wso2.org/claims/identity/lastLogonTime";
+ private static final String CLAIM_VALUE_1 = "1680000000000";
+ private static final String CLAIM_VALUE_2 = "1673000000000";
+ private static final String NESTED_CLAIM_URI = "http://wso2.org/claims/identity/accountState";
+ private static final String NESTED_CLAIM_VALUE = "DISABLED";
+
+ private MockedStatic mockedIdentityDatabaseUtils;
+ private MockedStatic mockedIdentityTenantUtil;
+ private MockedStatic mockedCarbonContext;
+ private MockedStatic mockedIdentityUtil;
+
+ private UserStoreManager userStoreManager;
+ IdentityDataStoreService identityDataStoreService;
+
+ @BeforeMethod
+ public void setUp() throws Exception {
+
+ TestUtils.initiateH2Base();
+ TestUtils.mockDataSource();
+
+ Connection connection = TestUtils.getConnection();
+ mockedIdentityDatabaseUtils = Mockito.mockStatic(IdentityDatabaseUtil.class);
+ mockedIdentityDatabaseUtils.when(() -> IdentityDatabaseUtil.getDBConnection(anyBoolean()))
+ .thenReturn(connection);
+
+ mockedIdentityTenantUtil = Mockito.mockStatic(IdentityTenantUtil.class);
+ mockedIdentityTenantUtil.when(() -> IdentityTenantUtil.getTenantId(anyString()))
+ .thenReturn(TENANT_ID);
+
+ UserRealm userRealm = mock(UserRealm.class);
+ userStoreManager = mock(UserStoreManager.class);
+
+ mockedCarbonContext = Mockito.mockStatic(CarbonContext.class);
+ CarbonContext carbonContext = mock(CarbonContext.class);
+ mockedCarbonContext.when(CarbonContext::getThreadLocalCarbonContext).thenReturn(carbonContext);
+ mockedCarbonContext.when(carbonContext::getUserRealm).thenReturn(userRealm);
+ mockedCarbonContext.when(userRealm::getUserStoreManager).thenReturn(userStoreManager);
+ mockedCarbonContext.when(() ->
+ userStoreManager.getSecondaryUserStoreManager(anyString())).thenReturn(userStoreManager);
+
+ mockedIdentityUtil = Mockito.mockStatic(IdentityUtil.class);
+ mockedIdentityUtil.when(() -> IdentityUtil.getProperty(anyString())).thenReturn
+ (IDENTITY_DATA_STORE_TYPE);
+ identityDataStoreService = spy(new IdentityDataStoreServiceImpl());
+ }
+
+ @AfterMethod
+ public void tearDown() throws Exception {
+
+ mockedIdentityDatabaseUtils.close();
+ mockedIdentityTenantUtil.close();
+ mockedCarbonContext.close();
+ mockedIdentityUtil.close();
+ TestUtils.closeH2Base();
+ }
+
+ @DataProvider
+ Object[][] testDataForNestedLessThan() {
+ return new Object[][] {
+ { true, 3 },
+ { false, 2 }
+ };
+ }
+
+ @DataProvider
+ Object[][] testDataForNestedBetween() {
+ return new Object[][] {
+ { true, 2 },
+ { false, 2 }
+ };
+ }
+
+ @Test(dataProvider = "testDataForNestedLessThan")
+ public void testGetUserNamesLessThanClaimWithNestedClaim(boolean isIncluded, int expected) throws Exception {
+
+ List userNames =
+ identityDataStoreService.getUserNamesLessThanClaimWithNestedClaim(CLAIM_URI, CLAIM_VALUE_1,
+ NESTED_CLAIM_URI, NESTED_CLAIM_VALUE, TENANT_ID, isIncluded);
+
+ assertEquals(userNames.size(), expected);
+ }
+
+ @Test(dataProvider = "testDataForNestedBetween")
+ public void testGetUserNamesBetweenGivenClaimsWithNestedClaim(boolean isIncluded, int expected) throws Exception {
+
+ List userNames =
+ identityDataStoreService.getUserNamesBetweenGivenClaimsWithNestedClaim(CLAIM_URI, CLAIM_VALUE_2,
+ CLAIM_VALUE_1, NESTED_CLAIM_URI, NESTED_CLAIM_VALUE, TENANT_ID, isIncluded);
+
+ assertEquals(userNames.size(), expected);
+ }
+}
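Review bot: testDataForNestedBetween expects 2 for both `true` and `false`, and both tests assert only `userNames.size()`, so an implementation that swapped the IN and NOT IN branches would still pass the between case. Asserting the returned names would pin the behaviour, e.g. `assertEquals(new HashSet<>(userNames), expectedNames);` with the data provider supplying the expected set per row. Going by the h2.sql fixture in this commit, the between case should return sampleUser3 and sampleUser5 when included, and sampleUser2 and sampleUser4 when excluded. The less-than case would benefit from the same check.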
diff --git a/components/org.wso2.carbon.identity.governance/src/test/java/org/wso2/carbon/identity/governance/store/Utils/TestUtils.java b/components/org.wso2.carbon.identity.governance/src/test/java/org/wso2/carbon/identity/governance/store/Utils/TestUtils.java
new file mode 100644
index 0000000000..ed3f8d7e45
--- /dev/null
+++ b/components/org.wso2.carbon.identity.governance/src/test/java/org/wso2/carbon/identity/governance/store/Utils/TestUtils.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.governance.store.Utils;
+
+import org.apache.commons.dbcp.BasicDataSource;
+import org.apache.commons.lang.StringUtils;
+import org.wso2.carbon.base.CarbonBaseConstants;
+import org.wso2.carbon.context.CarbonContext;
+import org.wso2.carbon.context.internal.CarbonContextDataHolder;
+import org.wso2.carbon.user.api.UserRealm;
+import org.wso2.carbon.user.core.util.DatabaseUtil;
+
+import java.lang.reflect.Field;
+import java.nio.file.Paths;
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.sql.DataSource;
+
+import static org.mockito.Mockito.mock;
+
+public class TestUtils {
+
+ public static final String DB_NAME = "test_db";
+ public static final String H2_SCRIPT_NAME = "h2.sql";
+ public static Map dataSourceMap = new HashMap<>();
+
+ public static String getFilePath(String fileName) {
+
+ if (StringUtils.isNotBlank(fileName)) {
+ return Paths.get(System.getProperty("user.dir"), "src", "test", "resources", "dbscripts",
+ fileName).toString();
+ }
+ throw new IllegalArgumentException("DB Script file name cannot be empty.");
+ }
+
+ public static void initiateH2Base() throws Exception {
+
+ BasicDataSource dataSource = new BasicDataSource();
+ dataSource.setDriverClassName("org.h2.Driver");
+ dataSource.setUsername("username");
+ dataSource.setPassword("password");
+ dataSource.setUrl("jdbc:h2:mem:test" + DB_NAME);
+ dataSource.setTestOnBorrow(true);
+ dataSource.setValidationQuery("select 1");
+ try (Connection connection = dataSource.getConnection()) {
+ connection.createStatement().executeUpdate("RUNSCRIPT FROM '" + getFilePath(H2_SCRIPT_NAME) + "'");
+ }
+ dataSourceMap.put(DB_NAME, dataSource);
+ }
+
+ public static void closeH2Base() throws Exception {
+
+ BasicDataSource dataSource = dataSourceMap.remove(DB_NAME);
+ if (dataSource != null) {
+ dataSource.close();
+ }
+ }
+
+ public static Connection getConnection() throws SQLException {
+
+ if (dataSourceMap.get(DB_NAME) != null) {
+ return dataSourceMap.get(DB_NAME).getConnection();
+ }
+ throw new RuntimeException("No datasource initiated for database: " + DB_NAME);
+ }
+
+ public static void mockDataSource() throws Exception {
+
+ String carbonHome = Paths.get(System.getProperty("user.dir"), "target", "test-classes").toString();
+ System.setProperty(CarbonBaseConstants.CARBON_HOME, carbonHome);
+ System.setProperty(CarbonBaseConstants.CARBON_CONFIG_DIR_PATH, Paths.get(carbonHome,
+ "repository/conf").toString());
+
+ DataSource dataSource = dataSourceMap.get(DB_NAME);
+
+ setStatic(DatabaseUtil.class.getDeclaredField("dataSource"), dataSource);
+
+ Field carbonContextHolderField =
+ CarbonContext.getThreadLocalCarbonContext().getClass().getDeclaredField("carbonContextHolder");
+ carbonContextHolderField.setAccessible(true);
+ CarbonContextDataHolder carbonContextHolder
+ = (CarbonContextDataHolder) carbonContextHolderField.get(CarbonContext.getThreadLocalCarbonContext());
+ carbonContextHolder.setUserRealm(mock(UserRealm.class));
+ }
+
+ private static void setStatic(Field field, Object newValue) throws Exception {
+ field.setAccessible(true);
+ field.set(null, newValue);
+ }
+}
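Review bot: mockDataSource() writes the H2 data source into the static `DatabaseUtil.dataSource` field and sets the CARBON_HOME and CARBON_CONFIG_DIR_PATH system properties, but closeH2Base() only closes the pool and never clears them. After tearDown the static field still references a closed data source, which could affect any later test in the same JVM that goes through DatabaseUtil. closeH2Base() could reset it with `setStatic(DatabaseUtil.class.getDeclaredField("dataSource"), null);`. Separately, the Statement created in initiateH2Base() is never closed; `try (Connection connection = dataSource.getConnection(); Statement statement = connection.createStatement())` would cover it.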
diff --git a/components/org.wso2.carbon.identity.governance/src/test/resources/dbscripts/h2.sql b/components/org.wso2.carbon.identity.governance/src/test/resources/dbscripts/h2.sql
new file mode 100644
index 0000000000..877b4ac834
--- /dev/null
+++ b/components/org.wso2.carbon.identity.governance/src/test/resources/dbscripts/h2.sql
@@ -0,0 +1,20 @@
+-- -----------------------------------------------------
+-- Table IDN_IDENTITY_USER_DATA
+-- -----------------------------------------------------
+CREATE TABLE IDN_IDENTITY_USER_DATA (
+ TENANT_ID INTEGER DEFAULT -1234,
+ USER_NAME VARCHAR(255) NOT NULL,
+ DATA_KEY VARCHAR(255) NOT NULL,
+ DATA_VALUE VARCHAR(2048),
+ PRIMARY KEY (TENANT_ID, USER_NAME, DATA_KEY)
+);
+
+INSERT INTO IDN_IDENTITY_USER_DATA (TENANT_ID, USER_NAME, DATA_KEY, DATA_VALUE) VALUES
+(3, 'DEFAULT/sampleUser1@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1672704000000'),
+(3, 'DEFAULT/sampleUser2@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1673481600000'),
+(3, 'DEFAULT/sampleUser3@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1674000000000'),
+(3, 'DEFAULT/sampleUser4@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1674518400000'),
+(3, 'DEFAULT/sampleUser5@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1674950400000'),
+(3, 'DEFAULT/sampleUser1@xmail.com', 'http://wso2.org/claims/identity/accountState', 'DISABLED'),
+(3, 'DEFAULT/sampleUser3@xmail.com', 'http://wso2.org/claims/identity/accountState', 'DISABLED'),
+(3, 'DEFAULT/sampleUser5@xmail.com', 'http://wso2.org/claims/identity/accountState', 'DISABLED');
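Review bot: Every fixture row uses TENANT_ID 3, so the tests cannot detect a missing or misplaced tenant filter in the nested-claim sub-query that JDBCIdentityDataStore appends. Adding a row for a different tenant would make the expected counts depend on tenant scoping, for example the constructed row `(4, 'DEFAULT/sampleUser2@xmail.com', 'http://wso2.org/claims/identity/accountState', 'DISABLED')`. With that row, an unscoped sub-query would pull sampleUser2 into the "disabled" set and the existing expected counts would fail.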
diff --git a/components/org.wso2.carbon.identity.governance/src/test/resources/testng.xml b/components/org.wso2.carbon.identity.governance/src/test/resources/testng.xml
index 0c10670da8..5fa789b286 100644
--- a/components/org.wso2.carbon.identity.governance/src/test/resources/testng.xml
+++ b/components/org.wso2.carbon.identity.governance/src/test/resources/testng.xml
@@ -26,6 +26,7 @@
+
diff --git a/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/constants/IdleAccIdentificationConstants.java b/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/constants/IdleAccIdentificationConstants.java
index 4337713e32..c0557655bb 100644
--- a/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/constants/IdleAccIdentificationConstants.java
+++ b/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/constants/IdleAccIdentificationConstants.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
@@ -26,6 +26,8 @@ public class IdleAccIdentificationConstants {
public static final String IDLE_ACC_IDENTIFICATION_SERVICE_ERROR_PREFIX = "IDLE_ACC-";
public static final String LAST_LOGIN_TIME_CLAIM = "http://wso2.org/claims/identity/lastLogonTime";
+ public static final String ACCOUNT_STATE_CLAIM_URI = "http://wso2.org/claims/identity/accountState";
+ public static final String ACCOUNT_STATE_DISABLED = "DISABLED";
/**
* Class containing SQL queries.
diff --git a/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/IdleAccountIdentificationService.java b/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/IdleAccountIdentificationService.java
index f3adfc460f..54de111072 100644
--- a/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/IdleAccountIdentificationService.java
+++ b/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/IdleAccountIdentificationService.java
@@ -4,6 +4,7 @@
import org.wso2.carbon.identity.idle.account.identification.models.InactiveUserModel;
import java.time.LocalDateTime;
+import java.util.Collections;
import java.util.List;
/**
@@ -38,4 +39,28 @@ List getInactiveUsersFromSpecificDate(LocalDateTime inactiveA
*/
List getLimitedInactiveUsersFromSpecificDate(LocalDateTime inactiveAfter,
LocalDateTime excludeBefore, String tenantDomain) throws IdleAccountIdentificationException;
+
+ /**
+ * Get inactive users from a specific date or from a specific date excluding the oldest inactive users while
+ * filtering the disabled users based on the value provided for the isDisabled.
+ * If isDisabled is true, the method will return inactive and disabled users.
+ * If isDisabled is false, the method will return inactive and non-disabled users filtering disabled users.
+ * (Example: If isDisabled is true, the method will return all the inactive users who have not logged in since
+ * 2023-01-31 00:00:00.000 excluding users who have not logged in since 2023-01-01 00:00:00.000 and who are
+ * in the state of DISABLED)
+ *
+ * @param inactiveAfter Inactive after date.
+ * @param excludeBefore Exclude before date.
+ * @param tenantDomain Tenant domain.
+ * @param isDisabled Filter based on the state DISABLED.
+ * @return List of inactive users.
+ * @throws IdleAccountIdentificationException Idle account identification exception.
+ */
+ default List filterInactiveUsersIfDisabled(LocalDateTime inactiveAfter,
+ LocalDateTime excludeBefore, String tenantDomain,
+ boolean isDisabled)
+ throws IdleAccountIdentificationException {
+
+ return Collections.emptyList();
+ }
}
diff --git a/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/impl/IdleAccountIdentificationServiceImpl.java b/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/impl/IdleAccountIdentificationServiceImpl.java
index fb381e8f7a..610bfd3b84 100644
--- a/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/impl/IdleAccountIdentificationServiceImpl.java
+++ b/components/org.wso2.carbon.identity.idle.account.identification/src/main/java/org/wso2/carbon/identity/idle/account/identification/services/impl/IdleAccountIdentificationServiceImpl.java
@@ -92,6 +92,51 @@ public List getLimitedInactiveUsersFromSpecificDate(LocalDate
return inactiveUsers;
}
+ /**
+ * Retrieve inactive users if the account is disabled or non-disabled depending on the value for isDisabled.
+ *
+ * @param inactiveAfter Inactive after date.
+ * @param excludeBefore Exclude before date.
+ * @param tenantDomain Tenant domain.
+ * @param isDisabled isDisabled.
+ * @return List of inactive users.
+ * @throws IdleAccountIdentificationException Idle account identification exception.
+ */
+ public List filterInactiveUsersIfDisabled(LocalDateTime inactiveAfter,
+ LocalDateTime excludeBefore, String tenantDomain,
+ boolean isDisabled)
+ throws IdleAccountIdentificationException {
+
+ List inactiveUsers = new ArrayList<>();
+ int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
+ String lastLoginTime = Long.toString(inactiveAfter.toEpochSecond(ZoneOffset.UTC));
+ List usernames;
+ try {
+ if (excludeBefore == null) {
+ usernames = IdleAccountIdentificationDataHolder.getInstance().getIdentityDataStoreService()
+ .getUserNamesLessThanClaimWithNestedClaim(
+ IdleAccIdentificationConstants.LAST_LOGIN_TIME_CLAIM, lastLoginTime,
+ IdleAccIdentificationConstants.ACCOUNT_STATE_CLAIM_URI,
+ IdleAccIdentificationConstants.ACCOUNT_STATE_DISABLED, tenantId, isDisabled);
+ } else {
+ String excludeDateEpoch = Long.toString(excludeBefore.toEpochSecond(ZoneOffset.UTC));
+ usernames = IdleAccountIdentificationDataHolder.getInstance().getIdentityDataStoreService()
+ .getUserNamesBetweenGivenClaimsWithNestedClaim(
+ IdleAccIdentificationConstants.LAST_LOGIN_TIME_CLAIM, excludeDateEpoch, lastLoginTime,
+ IdleAccIdentificationConstants.ACCOUNT_STATE_CLAIM_URI,
+ IdleAccIdentificationConstants.ACCOUNT_STATE_DISABLED, tenantId, isDisabled);
+ }
+ if (!usernames.isEmpty()) {
+ inactiveUsers = buildInactiveUsers(usernames);
+ }
+ } catch (IdentityException e) {
+ IdleAccIdentificationConstants.ErrorMessages errorEnum =
+ IdleAccIdentificationConstants.ErrorMessages.ERROR_RETRIEVE_INACTIVE_USERS_FROM_DB;
+ throw new IdleAccountIdentificationServerException(errorEnum.getCode(), errorEnum.getMessage());
+ }
+ return inactiveUsers;
+ }
+
/**
* Build a list of inactive users.
*
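Review bot: The catch block in filterInactiveUsersIfDisabled rethrows with only `errorEnum.getCode()` and `errorEnum.getMessage()`, so the underlying IdentityException and its stack trace are lost to whoever investigates a failed idle-account lookup. If IdleAccountIdentificationServerException has a constructor that accepts a cause (not visible in this diff), pass it: `throw new IdleAccountIdentificationServerException(errorEnum.getCode(), errorEnum.getMessage(), e);`. Separately, `inactiveAfter` is dereferenced before the try block while `excludeBefore` is allowed to be null, so a null `inactiveAfter` surfaces as a NullPointerException rather than the declared IdleAccountIdentificationException. A Javadoc line stating that `inactiveAfter` must be non-null and that a null `excludeBefore` means no lower bound would make that contract explicit.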
diff --git a/components/org.wso2.carbon.identity.idle.account.identification/src/test/java/org/wso2/carbon/identity/idle/account/identification/IdleAccountIdentificationServiceImplTest.java b/components/org.wso2.carbon.identity.idle.account.identification/src/test/java/org/wso2/carbon/identity/idle/account/identification/IdleAccountIdentificationServiceImplTest.java
index 9eb8273877..eb3ca8112d 100644
--- a/components/org.wso2.carbon.identity.idle.account.identification/src/test/java/org/wso2/carbon/identity/idle/account/identification/IdleAccountIdentificationServiceImplTest.java
+++ b/components/org.wso2.carbon.identity.idle.account.identification/src/test/java/org/wso2/carbon/identity/idle/account/identification/IdleAccountIdentificationServiceImplTest.java
@@ -157,4 +157,29 @@ public void testGetLimitedInactiveUsersFromSpecificDate(LocalDateTime inactiveAf
assertEquals(inactiveUsers.size(), expected);
}
+
+ @DataProvider
+ public Object[][] getDatesAndFilter() {
+
+ return new Object[][]{
+ {LocalDate.parse("2023-01-31").atStartOfDay(), null, true, 3},
+ {LocalDate.parse("2023-01-31").atStartOfDay(), null, false, 2},
+ {LocalDate.parse("2023-01-31").atStartOfDay(), LocalDate.parse("2023-01-15").atStartOfDay(), true, 2},
+ {LocalDate.parse("2023-01-31").atStartOfDay(), LocalDate.parse("2023-01-15").atStartOfDay(), false, 1}
+ };
+ }
+
+ @Test(dataProvider = "getDatesAndFilter")
+ public void testFilterInactiveUsersIfDisabled(LocalDateTime inactiveAfter, LocalDateTime excludeBefore,
+ boolean isDisabled, int expected) throws Exception {
+
+ IdleAccountIdentificationServiceImpl idleAccountIdentificationService =
+ spy(IdleAccountIdentificationServiceImpl.class);
+ doReturn(SAMPLE_USER_ID).when(idleAccountIdentificationService).fetchUserId(anyString());
+
+ List inactiveUsers = idleAccountIdentificationService.
+ filterInactiveUsersIfDisabled(inactiveAfter, excludeBefore, TENANT_DOMAIN, isDisabled);
+
+ assertEquals(inactiveUsers.size(), expected);
+ }
}
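Review bot: The expected counts in getDatesAndFilter appear to depend on how the store compares values of different magnitude. filterInactiveUsersIfDisabled passes a 10-digit bound from `toEpochSecond(ZoneOffset.UTC)`, while the `lastLogonTime` rows in h2.sql are 13-digit millisecond strings such as `'1674950400000'`. A numeric less-than comparison would match none of those rows, so the test presumably passes through a text comparison in code that is not visible in this diff. Since this query decides which dormant accounts get reported, add a comment on the data provider naming the unit, e.g. `// lastLogonTime fixtures are epoch millis; the service passes epoch seconds`, and confirm which unit production data carries. The test also asserts only `inactiveUsers.size()`, so it would not notice the wrong accounts coming back with the right count.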
diff --git a/components/org.wso2.carbon.identity.idle.account.identification/src/test/resources/dbscripts/h2.sql b/components/org.wso2.carbon.identity.idle.account.identification/src/test/resources/dbscripts/h2.sql
index 9e8e487883..877b4ac834 100644
--- a/components/org.wso2.carbon.identity.idle.account.identification/src/test/resources/dbscripts/h2.sql
+++ b/components/org.wso2.carbon.identity.idle.account.identification/src/test/resources/dbscripts/h2.sql
@@ -14,4 +14,7 @@ INSERT INTO IDN_IDENTITY_USER_DATA (TENANT_ID, USER_NAME, DATA_KEY, DATA_VALUE)
(3, 'DEFAULT/sampleUser2@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1673481600000'),
(3, 'DEFAULT/sampleUser3@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1674000000000'),
(3, 'DEFAULT/sampleUser4@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1674518400000'),
-(3, 'DEFAULT/sampleUser5@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1674950400000');
+(3, 'DEFAULT/sampleUser5@xmail.com', 'http://wso2.org/claims/identity/lastLogonTime', '1674950400000'),
+(3, 'DEFAULT/sampleUser1@xmail.com', 'http://wso2.org/claims/identity/accountState', 'DISABLED'),
+(3, 'DEFAULT/sampleUser3@xmail.com', 'http://wso2.org/claims/identity/accountState', 'DISABLED'),
+(3, 'DEFAULT/sampleUser5@xmail.com', 'http://wso2.org/claims/identity/accountState', 'DISABLED');