Handle roles claim in roles v2 runtime

wso2 · Oct 26, 2023 · 5f9a625 · 5f9a625
1 parent 0190b85
commit 5f9a625
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/...cation/authentication/framework/handler/approles/impl/AppAssociatedRolesResolverImpl.java b/...cation/authentication/framework/handler/approles/impl/AppAssociatedRolesResolverImpl.java
@@ -20,6 +20,7 @@
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
 import org.wso2.carbon.identity.application.authentication.framework.handler.approles.ApplicationRolesResolver;
 import org.wso2.carbon.identity.application.authentication.framework.handler.approles.exception.ApplicationRolesException;
@@ -96,6 +97,9 @@ public String[] getRoles(AuthenticatedUser authenticatedUser, String application
         if (authenticatedUser == null) {
             throw RoleResolverUtils.handleClientException(ERROR_CODE_USER_NULL);
         }
+        if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+            return new String[0];
+        }
         if (authenticatedUser.isFederatedUser()) {
             return getAppAssociatedRolesForFederatedUser(authenticatedUser, applicationId);
         }

diff --git a/...dentity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java b/...dentity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
@@ -23,6 +23,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator;
 import org.wso2.carbon.identity.application.authentication.framework.config.builder.FileBasedConfigurationBuilder;
@@ -217,6 +218,10 @@ protected Map<String, String> handleFederatedClaims(Map<String, String> remoteCl
 
         if (StringUtils.isNotBlank(applicationRoles)) {
             localUnfilteredClaims.put(FrameworkConstants.APP_ROLES_CLAIM, applicationRoles);
+            if (!CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+                // Add app associated roles to roles claim in Role V2 runtime.
+                localUnfilteredClaims.put(getLocalGroupsClaimURI(), applicationRoles);
+            }
         }
 
         // claim mapping from local service provider to remote service provider.
@@ -570,7 +575,14 @@ protected Map<String, String> handleLocalClaims(String spStandardDialect,
         // Retrieve all non-null user claim values against local claim uris.
         allLocalClaims = retrieveAllNunNullUserClaimValues(authenticatedUser, claimManager, appConfig, userStore);
 
-        handleApplicationRolesForLocalUser(stepConfig, context, allLocalClaims);
+        String applicationRoles = getApplicationRoles(authenticatedUser, context);
+
+        handleApplicationRolesForLocalUser(stepConfig, context, allLocalClaims, applicationRoles);
+
+        if (!CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+            // Handle app associated roles in roles claim in Role V2 runtime.
+            handleRoleAppAssoication(allLocalClaims, applicationRoles);
+        }
 
         // Insert the runtime claims from the context. The priority is for runtime claims.
         allLocalClaims.putAll(context.getRuntimeClaims());
@@ -1098,6 +1110,20 @@ private boolean enableMergingCustomClaimMappingsWithDefaultMappings() {
                 .isMergingCustomClaimMappingsWithDefaultClaimMappingsAllowed();
     }
 
+    /**
+     * Handle role app association in roles claim.
+     *
+     * @param appAssociatedRoles App associated roles.
+     * @param mappedAttrs Mapped claim attributes.
+     */
+    private void handleRoleAppAssoication(Map<String, String> mappedAttrs, String appAssociatedRoles) {
+
+        if (mappedAttrs.containsKey(getLocalGroupsClaimURI())) {
+            mappedAttrs.put(getLocalGroupsClaimURI(),
+                    StringUtils.isEmpty(appAssociatedRoles) ? "" : appAssociatedRoles);
+        }
+    }
+
     /**
      * Specially handle role claim values.
      *
@@ -1172,7 +1198,7 @@ protected String getApplicationRolesForFederatedUser(StepConfig stepConfig, Auth
      * @throws FrameworkException Exception on handling application roles for local user.
      */
     protected void handleApplicationRolesForLocalUser(StepConfig stepConfig, AuthenticationContext context,
-                                                    Map<String, String> allLocalClaims)
+                                                    Map<String, String> allLocalClaims, String appAssociatedRoles)
             throws FrameworkException {
 
         AuthenticatedUser authenticatedUser = getAuthenticatedUser(stepConfig, context);
@@ -1183,9 +1209,8 @@ protected void handleApplicationRolesForLocalUser(StepConfig stepConfig, Authent
             String requestedAppRoleClaim = context.getSequenceConfig().getApplicationConfig()
                     .getRequestedClaimMappings().get(FrameworkConstants.APP_ROLES_CLAIM);
             if (requestedAppRoleClaim != null) {
-                String appRoles = getApplicationRoles(authenticatedUser, context);
-                if (appRoles != null) {
-                    allLocalClaims.put(FrameworkConstants.APP_ROLES_CLAIM, appRoles);
+                if (appAssociatedRoles != null) {
+                    allLocalClaims.put(FrameworkConstants.APP_ROLES_CLAIM, appAssociatedRoles);
                 }
             }
         }

diff --git a/...ity/application/authentication/framework/handler/claims/impl/DefaultClaimHandlerTest.java b/...ity/application/authentication/framework/handler/claims/impl/DefaultClaimHandlerTest.java
@@ -161,7 +161,8 @@ public void testHandleApplicationRolesForLocalUser() throws Exception {
         when(applicationRolesResolver.getRoles(eq(authenticatedUser), eq(applicationId))).thenReturn(
                 mappedApplicationRoles);
 
-        defaultClaimHandler.handleApplicationRolesForLocalUser(stepConfig, authenticationContext, localClaims);
+        defaultClaimHandler.handleApplicationRolesForLocalUser(stepConfig, authenticationContext, localClaims,
+                String.join(FrameworkUtils.getMultiAttributeSeparator(), mappedApplicationRoles));
 
         Assert.assertEquals(localClaims.get(FrameworkConstants.APP_ROLES_CLAIM),
                 String.join(",", mappedApplicationRoles));