diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementServiceImpl.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementServiceImpl.java
index 1321892a3b1e..aa3d7566357b 100644
--- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementServiceImpl.java
+++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementServiceImpl.java
@@ -2683,17 +2683,64 @@ public int getTenantIdByApp(String appId) throws IdentityApplicationManagementSe public String getAllowedAudienceForRoleAssociation(String applicationUUID, String tenantDomain) throws IdentityApplicationManagementException { - return ApplicationMgtSystemConfig.getInstance().getApplicationDAO() + // Invoking the pre listeners. + Collection preListeners = getApplicationMgtListeners(); + for (ApplicationMgtListener listener : preListeners) { + if (listener.isEnable() && + !listener.doPreGetAllowedAudienceForRoleAssociation(applicationUUID, tenantDomain)) { + throw buildServerException("Error executing doPreGetAllowedAudienceForRoleAssociation operation of " + + "listener: " + getName(listener) + " for application with id: " + applicationUUID); + } + } + + String allowedAudience = ApplicationMgtSystemConfig.getInstance().getApplicationDAO() .getSPPropertyValueByPropertyKey(applicationUUID, IdentityApplicationConstants.ALLOWED_ROLE_AUDIENCE_PROPERTY_NAME, tenantDomain); + AssociatedRolesConfig associatedRolesConfigExcludingRoles = new AssociatedRolesConfig(); + associatedRolesConfigExcludingRoles.setAllowedAudience(allowedAudience); + + // Invoking the post listeners. + Collection postListeners = getApplicationMgtListeners(); + for (ApplicationMgtListener listener : postListeners) { + if (listener.isEnable() && + !listener.doPostGetAllowedAudienceForRoleAssociation(associatedRolesConfigExcludingRoles, + applicationUUID, tenantDomain)) { + throw buildServerException( + "Error executing doPostGetAllowedAudienceForRoleAssociation operation of listener: " + + getName(listener) + " for application with id: " + applicationUUID); + } + } + return associatedRolesConfigExcludingRoles.getAllowedAudience(); } @Override public List getAssociatedRolesOfApplication(String applicationUUID, String tenantDomain) throws IdentityApplicationManagementException { - return ApplicationMgtSystemConfig.getInstance().getApplicationDAO() + // Invoking the pre listeners. 
+ Collection preListeners = getApplicationMgtListeners(); + for (ApplicationMgtListener listener : preListeners) { + if (listener.isEnable() && + !listener.doPreGetAssociatedRolesOfApplication(applicationUUID, tenantDomain)) { + throw buildServerException("Error executing doPreGetAssociatedRolesOfApplication operation of " + + "listener: " + getName(listener) + " for application with id: " + applicationUUID); + } + } + + List associatedRolesOfApplication = ApplicationMgtSystemConfig.getInstance().getApplicationDAO() .getAssociatedRolesOfApplication(applicationUUID, tenantDomain); + + // Invoking the post listeners. + Collection postListeners = getApplicationMgtListeners(); + for (ApplicationMgtListener listener : postListeners) { + if (listener.isEnable() && + !listener.doPostGetAssociatedRolesOfApplication(associatedRolesOfApplication, applicationUUID, + tenantDomain)) { + throw buildServerException("Error executing doPostGetAssociatedRolesOfApplication operation of " + + "listener: " + getName(listener) + " for application with id: " + applicationUUID); + } + } + return associatedRolesOfApplication; } private void doPreUpdateChecks(String storedAppName, ServiceProvider updatedApp, String tenantDomain, @@ -3040,8 +3087,8 @@ private boolean isAssociatedRolesConfigValid(ServiceProvider serviceProvider, St return true; } String allowedAudienceType = - StringUtils.isNotBlank(associatedRolesConfig.getAllowedAudience()) ? RoleConstants.ORGANIZATION : - associatedRolesConfig.getAllowedAudience(); + StringUtils.isBlank(associatedRolesConfig.getAllowedAudience()) ? RoleConstants.ORGANIZATION : + associatedRolesConfig.getAllowedAudience().toLowerCase(); String allowedAudienceId; switch (allowedAudienceType) { case RoleConstants.APPLICATION: 
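Review bot: `getAllowedAudienceForRoleAssociation` still hands the raw DAO value to the post listeners and returns it unchanged, so when no allowed-audience property is stored the listeners see a config whose audience is null and the caller gets null back; the new caller in `DefaultRoleManagementListener` then calls `.toLowerCase()` on that result. `getAssociatedRoles` in `ApplicationDAOImpl` guards the very same lookup with `isNotBlank` and falls back to `RoleConstants.ORGANIZATION`, and this method should do the same before building the config: `associatedRolesConfigExcludingRoles.setAllowedAudience(StringUtils.isNotBlank(allowedAudience) ? allowedAudience : RoleConstants.ORGANIZATION);` (unless some caller relies on null meaning "unset", which I cannot see from here). The four pre/post listener loops in these two methods are the same shape and could share one private helper taking the listener call and the operation name, which would also stop `getApplicationMgtListeners()` being fetched twice per call. Both methods close inside the hunk; `doPreUpdateChecks` starts on its last line and continues outside it.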
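Review bot: `associatedRolesConfig.getAllowedAudience().toLowerCase()` uses the JVM default locale, and the result is then switched against the fixed constants `RoleConstants.APPLICATION` and `ORGANIZATION`; under a Turkish-style default locale an upper-case `I` lower-cases to dotless `ı`, so a valid `APPLICATION` audience would miss the switch and the config would be rejected. Use `toLowerCase(Locale.ROOT)` here, and likewise in the two `ApplicationDAOImpl` hunks (`getAssociatedRoles` and `buildAllowedRoleAudienceProperty`) and in `validateApplicationRoleAudience` in `DefaultRoleManagementListener`, which persist and compare the same value; `java.util.Locale` needs importing in each file. The `isNotBlank` → `isBlank` inversion itself reads correctly, and a unit test pinning blank, `APPLICATION` and `application` inputs would keep it from regressing. `isAssociatedRolesConfigValid` begins before the hunk and continues past it.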
diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/dao/impl/ApplicationDAOImpl.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/dao/impl/ApplicationDAOImpl.java index 42a8f61b1653..f32241cec170 100644 --- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/dao/impl/ApplicationDAOImpl.java +++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/dao/impl/ApplicationDAOImpl.java @@ -2150,7 +2150,7 @@ private AssociatedRolesConfig getAssociatedRoles(String applicationId, Connectio String allowedAudience = getSPPropertyValueByPropertyKey(applicationId, ALLOWED_ROLE_AUDIENCE_PROPERTY_NAME, tenantDomain); associatedRolesConfig.setAllowedAudience( - StringUtils.isNotBlank(allowedAudience) ? allowedAudience : RoleConstants.ORGANIZATION); + StringUtils.isNotBlank(allowedAudience) ? allowedAudience.toLowerCase() : RoleConstants.ORGANIZATION); return associatedRolesConfig; } @@ -4870,7 +4870,7 @@ private ServiceProviderProperty buildAllowedRoleAudienceProperty(ServiceProvider return allowedRoleAudienceProperty; } String allowedAudience = StringUtils.isNotBlank(associatedRolesConfig.getAllowedAudience()) ? - associatedRolesConfig.getAllowedAudience() : RoleConstants.ORGANIZATION; + associatedRolesConfig.getAllowedAudience().toLowerCase() : RoleConstants.ORGANIZATION; allowedRoleAudienceProperty.setValue(allowedAudience); return allowedRoleAudienceProperty; } 
diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/internal/ApplicationManagementServiceComponent.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/internal/ApplicationManagementServiceComponent.java index db8ae400f4db..9aaa68edfeed 100644 --- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/internal/ApplicationManagementServiceComponent.java +++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/internal/ApplicationManagementServiceComponent.java @@ -135,6 +135,7 @@ protected void activate(ComponentContext context) { new AuthorizedAPIManagementServiceImpl(), null); bundleContext.registerService(RoleManagementListener.class, new DefaultRoleManagementListener(), null); + bundleContext.registerService(ApplicationMgtListener.class, new DefaultRoleManagementListener(), null); // Register the ApplicationValidator. context.getBundleContext().registerService(ApplicationValidator.class, diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/ApplicationMgtListener.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/ApplicationMgtListener.java index e8f4e351e5cf..1fe66c64d476 100644 --- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/ApplicationMgtListener.java +++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/ApplicationMgtListener.java 
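Review bot: The added registration creates a second `DefaultRoleManagementListener` instance purely to expose it as an `ApplicationMgtListener`, so two unrelated objects of the same class now sit in the service registry, and whatever state or enable/order configuration the abstract base class carries (not visible here) applies to each independently. Registering one instance under both interfaces keeps a single object: `DefaultRoleManagementListener roleListener = new DefaultRoleManagementListener();` followed by `bundleContext.registerService(new String[]{RoleManagementListener.class.getName(), ApplicationMgtListener.class.getName()}, roleListener, null);`. A one-line comment stating why the role listener is also an application listener (role cleanup in `doPostDeleteApplication`) would help the next reader. `activate` continues outside the hunk.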
@@ -19,9 +19,13 @@ package org.wso2.carbon.identity.application.mgt.listener; import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException; +import org.wso2.carbon.identity.application.common.model.AssociatedRolesConfig; +import org.wso2.carbon.identity.application.common.model.RoleV2; import org.wso2.carbon.identity.application.common.model.ServiceProvider; import org.wso2.carbon.identity.application.mgt.dao.ApplicationDAO; +import java.util.List; + /** * Definition for the listeners which listens to Application/Service Provider CRUD events. */ 
@@ -390,4 +394,64 @@ default boolean doPreUpdateApplicationTemplate(ServiceProvider serviceProvider, return true; } + + /** + * Define any additional action before retrieving the allowed audiences for role association. + * + * @param applicationUUID Application UUID. + * @param tenantDomain Tenant domain. + * @return True if the preprocessing is successful. + * @throws IdentityApplicationManagementException Error occurred while preprocessing actions. + */ + default boolean doPreGetAllowedAudienceForRoleAssociation(String applicationUUID, String tenantDomain) + throws IdentityApplicationManagementException { + + return true; + } + + /** + * Define any additional action after retrieving the allowed audiences for role association. + * + * @param allowedAudienceForRoleAssociation Allowed audiences for role association. + * @param applicationUUID Application UUID. + * @param tenantDomain Tenant domain. + * @return True if the postprocessing is successful. + * @throws IdentityApplicationManagementException Error occurred while postprocessing actions. + */ + default boolean doPostGetAllowedAudienceForRoleAssociation(AssociatedRolesConfig allowedAudienceForRoleAssociation, + String applicationUUID, String tenantDomain) + throws IdentityApplicationManagementException { + + return true; + } + + /** + * Define any additional action before retrieving the associated roles of an application. + * + * @param applicationUUID Application UUID. + * @param tenantDomain Tenant domain. + * @return True if the preprocessing is successful. + * @throws IdentityApplicationManagementException Error occurred while preprocessing actions. + */ + default boolean doPreGetAssociatedRolesOfApplication(String applicationUUID, String tenantDomain) + throws IdentityApplicationManagementException { + + return true; + } + + /** + * Define any additional action after retrieving the associated roles of an application. + * + * @param associatedRolesOfApplication Associated roles of an application. 
+ * @param applicationUUID Application UUID.
+ * @param tenantDomain Tenant domain.
+ * @return True if the postprocessing is successful.
+ * @throws IdentityApplicationManagementException Error occurred while postprocessing actions.
+ */
+ default boolean doPostGetAssociatedRolesOfApplication(List associatedRolesOfApplication,
+ String applicationUUID, String tenantDomain)
+ throws IdentityApplicationManagementException {
+
+ return true;
+ }
 }
diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java
index 4ecab5886f44..a5108c64efc2 100644
--- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java
+++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/DefaultRoleManagementListener.java
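Review bot: The Javadoc on the two post hooks does not say that the objects they receive are live: `ApplicationManagementServiceImpl` builds the `AssociatedRolesConfig` and the role list, passes them through every enabled post listener, and then returns whatever is left in them, so a listener that mutates `allowedAudienceForRoleAssociation` or `associatedRolesOfApplication` changes the service's result. State that in both `@param` descriptions, e.g. `@param associatedRolesOfApplication Associated roles of the application; listeners may modify this list and the modified list is what the service returns.`, and the equivalent for the config's `setAllowedAudience`. The interface's closing brace is the hunk's last line, so nothing follows it in the file.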
@@ -21,10 +21,10 @@
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
 import org.wso2.carbon.identity.application.common.model.AuthorizedScopes;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
-import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
 import org.wso2.carbon.identity.application.mgt.AuthorizedAPIManagementService;
 import org.wso2.carbon.identity.application.mgt.AuthorizedAPIManagementServiceImpl;
+import org.wso2.carbon.identity.application.mgt.internal.ApplicationManagementServiceComponentHolder;
 import org.wso2.carbon.identity.application.mgt.internal.cache.ServiceProviderByResourceIdCache;
 import org.wso2.carbon.identity.application.mgt.internal.cache.ServiceProviderResourceIdCacheKey;
 import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementClientException;
@@ -41,16 +41,16 @@ import java.util.ArrayList; import java.util.List; -import static org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants.ALLOWED_ROLE_AUDIENCE_PROPERTY_NAME; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.APPLICATION; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.Error.INVALID_AUDIENCE; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.Error.INVALID_PERMISSION; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.Error.UNEXPECTED_SERVER_ERROR; /** - * Default Role Management Listener implementation of Role Management V2 Listener. + * Default Role Management Listener implementation of Role Management V2 Listener, + * and application based role management. */ -public class DefaultRoleManagementListener implements RoleManagementListener { +public class DefaultRoleManagementListener extends AbstractApplicationMgtListener implements RoleManagementListener { private static final AuthorizedAPIManagementService authorizedAPIManagementService = new AuthorizedAPIManagementServiceImpl(); 
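Review bot: The class Javadoc now says the listener also covers "application based role management", which does not tell a reader what the class does as an `ApplicationMgtListener`; from the rest of the commit the only application-side behaviour is `doPostDeleteApplication`, which deletes the roles created for a deleted application, and the component registers the same class under both listener interfaces. Suggested wording: ` * Default Role Management V2 listener. It is also registered as an {@link ApplicationMgtListener} so that roles` / ` * created with an application audience are removed when their application is deleted.` The class body continues outside the hunk.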
@@ -456,15 +456,9 @@ private void validateApplicationRoleAudience(String applicationId, String tenant "Invalid audience. No application found with application id: " + applicationId + " and tenant domain : " + tenantDomain); } - boolean valid = false; - for (ServiceProviderProperty property : app.getSpProperties()) { - // TODO : use osgi service to get this - if (ALLOWED_ROLE_AUDIENCE_PROPERTY_NAME.equals(property.getName()) && - APPLICATION.equalsIgnoreCase(property.getValue())) { - valid = true; - } - } - if (!valid) { + String allowedAudienceForRoleAssociation = ApplicationManagementService.getInstance() + .getAllowedAudienceForRoleAssociation(app.getApplicationResourceId(), tenantDomain); + if (!APPLICATION.equalsIgnoreCase(allowedAudienceForRoleAssociation.toLowerCase())) { throw new IdentityRoleManagementClientException(INVALID_AUDIENCE.getCode(), "Application: " + applicationId + " does not have Application role audience type"); } @@ -543,4 +537,19 @@ private String getApplicationName(String applicationID, String tenantDomain) throw new IdentityRoleManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), errorMessage, e); } } + + @Override + public boolean doPostDeleteApplication(ServiceProvider serviceProvider, String tenantDomain, String userName) + throws IdentityApplicationManagementException { + + try { + ApplicationManagementServiceComponentHolder.getInstance().getRoleManagementServiceV2() + .deleteRolesByApplication(serviceProvider.getApplicationResourceId(), tenantDomain); + } catch (IdentityRoleManagementException e) { + throw new IdentityApplicationManagementException( + String.format("Error occurred while deleting roles created for the application: %s.", + serviceProvider.getApplicationName()), e); + } + return true; + } } 
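Review bot: `allowedAudienceForRoleAssociation.toLowerCase()` dereferences the service result, and `getAllowedAudienceForRoleAssociation` in this commit returns the DAO value unchanged, so an application with no stored audience property (the DAO read path guards exactly this case with `isNotBlank`) now fails with a NullPointerException where the removed loop produced the INVALID_AUDIENCE client error. The `toLowerCase()` is also redundant inside `equalsIgnoreCase`; `if (!APPLICATION.equalsIgnoreCase(allowedAudienceForRoleAssociation)) {` is null-safe (`equalsIgnoreCase(null)` is false, so a missing audience is still rejected) and locale-independent. `validateApplicationRoleAudience` begins before the hunk and may continue past it.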
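Review bot: `doPostDeleteApplication` runs after the application itself has been deleted, so when `deleteRolesByApplication` fails the caller receives an error for a deletion that has already happened and the application's roles are left orphaned, with the failure message carrying only the application name rather than the resource id the roles are keyed by. Include `serviceProvider.getApplicationResourceId()` in the exception message (and in a log line, if the class has a logger) so the leftover roles can be found and cleaned up, and consider whether the cleanup belongs in a pre-delete hook or the same transaction if the role-management service supports that (its transaction boundaries are not visible here). `getRoleManagementServiceV2()` is presumably an OSGi-bound service that may be null while the role component is inactive; an explicit null check with a clear server error would be better than the NullPointerException this would raise. The closing brace that ends the hunk is the class's.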
diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java index 43240a546b95..46daafc461ae 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java @@ -619,7 +619,7 @@ private void validateOrganizationRoleAudience(String audienceId, String roleCrea OrganizationManager organizationManager = RoleManagementServiceComponentHolder.getInstance() .getOrganizationManager(); String orgIdOfTenantDomain = organizationManager.resolveOrganizationId(roleCreationTenantDomain); - if (orgIdOfTenantDomain == null || orgIdOfTenantDomain.equalsIgnoreCase(audienceId)) { + if (orgIdOfTenantDomain == null || !orgIdOfTenantDomain.equalsIgnoreCase(audienceId)) { throw new IdentityRoleManagementClientException(INVALID_AUDIENCE.getCode(), "Invalid audience. Given Organization id: " + audienceId + " is invalid"); } diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java index 71323e6bf5f6..300753e621b6 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java 
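Review bot: The corrected condition now rejects an organization audience whose id differs from the tenant's own organization, which the previous `equalsIgnoreCase` without `!` accepted while rejecting the matching id, so this is an authorization-relevant check that was inverted rather than a cosmetic change. Please add a unit test pinning both branches (matching org id accepted; non-matching id and null tenant org rejected) so it cannot flip again unnoticed. It is also worth confirming that organization ids are meant to be compared case-insensitively; if they are compared with `equals` elsewhere, `!orgIdOfTenantDomain.equals(audienceId)` keeps this check consistent. `validateOrganizationRoleAudience` begins before the hunk and continues past it.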
@@ -1122,7 +1122,7 @@ private List getHybridRolesByApplication(String applicationId, String t throws IdentityRoleManagementException { List hybridRoles = new ArrayList<>(); - try (Connection connection = IdentityDatabaseUtil.getDBConnection(false); + try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false); NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLES_BY_APP_ID_SQL)) { statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, IdentityTenantUtil.getTenantId(tenantDomain));