From 1cbd3a1f9156723c9b821233db562ecbb8de2907 Mon Sep 17 00:00:00 2001 From: sadilchamishka Date: Thu, 18 Aug 2022 08:58:57 +0530 Subject: [PATCH 1/2] Validate user while role assignments --- .../management/service/RoleManagerImpl.java | 32 +++++++++---------- .../service/dao/RoleManagementDAO.java | 11 ------- .../service/dao/RoleManagementDAOImpl.java | 19 ----------- .../internal/RoleManagementDataHolder.java | 13 ++++++++ .../RoleManagementServiceComponent.java | 27 ++++++++++++++++ 5 files changed, 55 insertions(+), 47 deletions(-) diff --git a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/RoleManagerImpl.java b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/RoleManagerImpl.java index 78f4e378f..a0e6dd975 100644 --- a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/RoleManagerImpl.java +++ b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/RoleManagerImpl.java @@ -89,15 +89,13 @@ public Role createRole(String organizationId, Role role) throws OrganizationMana role.setId(generateUniqueID()); validateOrganizationId(organizationId); validateRoleNameNotExist(organizationId, role.getDisplayName()); - // skip user existence check atm, this user can be from any org. Fix this through - // https://github.com/wso2-extensions/identity-organization-management/issues/50 - -// if (CollectionUtils.isNotEmpty(role.getUsers())) { -// List userIdList = role.getUsers().stream().map(User::getId).collect(Collectors.toList()); -// if (CollectionUtils.isNotEmpty(userIdList)) { -// validateUsers(userIdList, getTenantId()); -// } -// } + + if (CollectionUtils.isNotEmpty(role.getUsers())) { + List userIdList = role.getUsers().stream().map(User::getId).collect(Collectors.toList()); + if (CollectionUtils.isNotEmpty(userIdList)) { + validateUsers(userIdList, organizationId); + } + } if (CollectionUtils.isNotEmpty(role.getGroups())) { List groupIdList = role.getGroups().stream().map(Group::getGroupId).collect(Collectors.toList()); if (CollectionUtils.isNotEmpty(groupIdList)) { @@ -201,7 +199,7 @@ public Role patchRole(String organizationId, String roleId, List } if (CollectionUtils.isNotEmpty(patchOperation.getValues())) { if (StringUtils.equalsIgnoreCase(patchPath, USERS)) { - validateUsers(patchOperation.getValues(), getTenantId()); + validateUsers(patchOperation.getValues(), organizationId); } else if (StringUtils.equalsIgnoreCase(patchPath, GROUPS)) { validateGroups(patchOperation.getValues(), getTenantId()); } else if (StringUtils.equalsIgnoreCase(patchPath, DISPLAY_NAME)) { @@ -226,7 +224,7 @@ public Role putRole(String organizationId, String roleId, Role role) throws Orga if (CollectionUtils.isNotEmpty(role.getUsers())) { List userIdList = role.getUsers().stream().map(User::getId).collect(Collectors.toList()); if (CollectionUtils.isNotEmpty(userIdList)) { - validateUsers(userIdList, getTenantId()); + validateUsers(userIdList, organizationId); } } if (CollectionUtils.isNotEmpty(role.getGroups())) { @@ -336,16 +334,16 @@ private void validateRoleNameNotExist(String organizationId, String roleName) /** * Check the passed user ID list is valid. * - * @param userIdList The user ID list. - * @param tenantId The tenant ID. + * @param userIdList The user ID list. + * @param organizationId The organization id where the user ID is about to resolve over ancestor organizations. * @throws OrganizationManagementException Throws an exception if a user ID is not valid. */ - private void validateUsers(List userIdList, int tenantId) throws OrganizationManagementException { + private void validateUsers(List userIdList, String organizationId) throws OrganizationManagementException { for (String userId : userIdList) { - if (!roleManagementDAO.checkUserExists(userId, tenantId)) { - throw handleClientException(ERROR_CODE_INVALID_USER_ID, userId); - } + RoleManagementDataHolder.getInstance().getOrganizationUserResidentResolverService() + .resolveResidentOrganization(userId, organizationId) + .orElseThrow(() -> handleClientException(ERROR_CODE_INVALID_USER_ID, userId)); } } diff --git a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAO.java b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAO.java index ee56aefd8..43f646b52 100644 --- a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAO.java +++ b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAO.java @@ -139,17 +139,6 @@ Role patchRole(String organizationId, String roleId, List patchO boolean checkRoleExists(String organizationId, String roleId, String roleName) throws OrganizationManagementServerException; - /** - * Check whether a user exists inside a tenant. - * - * @param userId The ID of the user. - * @param tenantId The ID of the tenant. - * @return If there is a user then returns true, else false. - * @throws OrganizationManagementServerException The exception is thrown when an error occurs during checking the - * user existence. - */ - boolean checkUserExists(String userId, int tenantId) throws OrganizationManagementServerException; - /** * Get the count of {@link Role}s of an organization with respect to the filter criteria. * diff --git a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAOImpl.java b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAOImpl.java index 11bbcceb6..f91b180e6 100644 --- a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAOImpl.java +++ b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/dao/RoleManagementDAOImpl.java @@ -90,7 +90,6 @@ import static org.wso2.carbon.identity.organization.management.role.management.service.constant.SQLConstants.CHECK_PERMISSION_ROLE_MAPPING_EXISTS; import static org.wso2.carbon.identity.organization.management.role.management.service.constant.SQLConstants.CHECK_ROLE_EXISTS; import static org.wso2.carbon.identity.organization.management.role.management.service.constant.SQLConstants.CHECK_ROLE_NAME_EXISTS; -import static org.wso2.carbon.identity.organization.management.role.management.service.constant.SQLConstants.CHECK_USER_EXISTS; import static org.wso2.carbon.identity.organization.management.role.management.service.constant.SQLConstants.CHECK_USER_ROLE_MAPPING_EXISTS; import static org.wso2.carbon.identity.organization.management.role.management.service.constant.SQLConstants.DELETE_GROUPS_FROM_ROLE; import static org.wso2.carbon.identity.organization.management.role.management.service.constant.SQLConstants.DELETE_GROUPS_FROM_ROLE_MAPPING; @@ -164,7 +163,6 @@ import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_GETTING_ROLE_FROM_ORGANIZATION_ID_ROLE_ID; import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_GETTING_ROLE_FROM_ORGANIZATION_ID_ROLE_NAME; import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_GETTING_USERS_USING_ROLE_ID; -import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_GETTING_USER_VALIDITY; import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_INVALID_ATTRIBUTE; import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_INVALID_FILTER_FORMAT; import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_PATCHING_ROLE; @@ -569,23 +567,6 @@ public boolean checkRoleExists(String organizationId, String roleId, String role } } - @Override - public boolean checkUserExists(String userId, int tenantId) throws OrganizationManagementServerException { - - NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); - try { - int value = namedJdbcTemplate.fetchSingleRecord(CHECK_USER_EXISTS, - (resultSet, rowNumber) -> resultSet.getInt(1), - namedPreparedStatement -> { - namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_UM_USER_ID, userId); - namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_UM_TENANT_ID, tenantId); - }); - return value > 0; - } catch (DataAccessException e) { - throw handleServerException(ERROR_CODE_GETTING_USER_VALIDITY, e, userId); - } - } - @Override public int getTotalOrganizationRoles(String organizationId, List expressionNodes, List operators) throws OrganizationManagementServerException { diff --git a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementDataHolder.java b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementDataHolder.java index 2f8962863..41633fdb5 100644 --- a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementDataHolder.java +++ b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementDataHolder.java @@ -19,6 +19,7 @@ package org.wso2.carbon.identity.organization.management.role.management.service.internal; import org.wso2.carbon.identity.organization.management.service.OrganizationManager; +import org.wso2.carbon.identity.organization.management.service.OrganizationUserResidentResolverService; import org.wso2.carbon.user.core.service.RealmService; /** @@ -28,6 +29,7 @@ public class RoleManagementDataHolder { private static final RoleManagementDataHolder ROLE_MANAGEMENT_DATA_HOLDER = new RoleManagementDataHolder(); private OrganizationManager organizationManager; + private OrganizationUserResidentResolverService organizationUserResidentResolverService; private RealmService realmService; public static RoleManagementDataHolder getInstance() { @@ -45,6 +47,17 @@ public void setOrganizationManager(OrganizationManager organizationManager) { this.organizationManager = organizationManager; } + public OrganizationUserResidentResolverService getOrganizationUserResidentResolverService() { + + return organizationUserResidentResolverService; + } + + public void setOrganizationUserResidentResolverService( + OrganizationUserResidentResolverService organizationUserResidentResolverService) { + + this.organizationUserResidentResolverService = organizationUserResidentResolverService; + } + public RealmService getRealmService() { return realmService; diff --git a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementServiceComponent.java b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementServiceComponent.java index 450b8d27e..6beeac5c3 100644 --- a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementServiceComponent.java +++ b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/internal/RoleManagementServiceComponent.java @@ -30,6 +30,7 @@ import org.wso2.carbon.identity.organization.management.role.management.service.RoleManager; import org.wso2.carbon.identity.organization.management.role.management.service.RoleManagerImpl; import org.wso2.carbon.identity.organization.management.service.OrganizationManager; +import org.wso2.carbon.identity.organization.management.service.OrganizationUserResidentResolverService; import org.wso2.carbon.user.core.service.RealmService; /** @@ -102,4 +103,30 @@ protected void unsetOrganizationManager(OrganizationManager organizationManager) } RoleManagementDataHolder.getInstance().setOrganizationManager(null); } + + @Reference( + name = "organization.user.resident.resolver.service", + service = OrganizationUserResidentResolverService.class, + cardinality = ReferenceCardinality.MANDATORY, + policy = ReferencePolicy.DYNAMIC, + unbind = "unsetOrganizationUserResidentResolverService" + ) + protected void setOrganizationUserResidentResolverService( + OrganizationUserResidentResolverService organizationUserResidentResolverService) { + + if (LOG.isDebugEnabled()) { + LOG.debug("Setting the organization user resident resolver service."); + } + RoleManagementDataHolder.getInstance() + .setOrganizationUserResidentResolverService(organizationUserResidentResolverService); + } + + protected void unsetOrganizationUserResidentResolverService( + OrganizationUserResidentResolverService organizationUserResidentResolverService) { + + if (LOG.isDebugEnabled()) { + LOG.debug("Unset organization user resident resolver service."); + } + RoleManagementDataHolder.getInstance().setOrganizationUserResidentResolverService(null); + } } From 1a68a79e8b5d17bb76433c658bb1d1cfe3d2e8ad Mon Sep 17 00:00:00 2001 From: sadilchamishka Date: Fri, 19 Aug 2022 17:12:43 +0530 Subject: [PATCH 2/2] Address review comments --- .../role/management/service/constant/SQLConstants.java | 4 ---- 1 file changed, 4 deletions(-) diff --git a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/constant/SQLConstants.java b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/constant/SQLConstants.java index 721208045..21699a97a 100644 --- a/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/constant/SQLConstants.java +++ b/components/org.wso2.carbon.identity.organization.management.role.management.service/src/main/java/org/wso2/carbon/identity/organization/management/role/management/service/constant/SQLConstants.java @@ -118,10 +118,6 @@ public class SQLConstants { SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_UM_TENANT_ID + "; AND UM_ACTION=:" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_UM_ACTION + ";)"; - public static final String CHECK_USER_EXISTS = "SELECT COUNT(1) FROM UM_USER WHERE UM_USER_ID=:" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_UM_USER_ID + "; AND UM_TENANT_ID=:" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_UM_TENANT_ID + ";"; - public static final String ADD_PERMISSION_IF_NOT_EXISTS = "INSERT INTO UM_ORG_PERMISSION (UM_RESOURCE_ID, " + "UM_ACTION, UM_TENANT_ID) VALUES ";