diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementAdminService.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementAdminService.java
index f0a74bcf9ce8..da7fd4c8c708 100644
--- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementAdminService.java
+++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationManagementAdminService.java
@@ -45,7 +45,7 @@ import java.util.regex.Pattern;
 
 /**
- * Application management admin service
+ * Application management admin service.
  */
 public class ApplicationManagementAdminService extends AbstractAdmin {
 
@@ -112,7 +112,7 @@ public ServiceProvider createApplicationWithTemplate(ServiceProvider serviceProv
     }
 
     /**
-     * Get Service provider information for given application name
+     * Get Service provider information for given application name.
      *
      * @param applicationName Application name
      * @return service provider
@@ -136,7 +136,7 @@ public ServiceProvider getApplication(String applicationName) throws IdentityApp
     }
 
     /**
-     * Get all basic application information
+     * Get all basic application information.
      *
      * @return Application Basic information array
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -182,7 +182,7 @@ public ApplicationBasicInfo[] getApplicationBasicInfo(String filter)
     }
 
     /**
-     * Get all basic application information with paginated manner
+     * Get all basic application information with paginated manner.
      *
      * @return Application Basic information array
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -411,7 +411,7 @@ private int getSynchronizedApplicationCount(List applicationRoles, Strin
     }
 
     /**
-     * Update application
+     * Update application.
      *
      * @param serviceProvider Service provider
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -437,7 +437,7 @@ public void updateApplication(ServiceProvider serviceProvider) throws IdentityAp
     }
 
     /**
-     * Delete Application
+     * Delete Application.
      *
      * @param applicationName Application name
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -459,7 +459,7 @@ public void deleteApplication(String applicationName) throws IdentityApplication
     }
 
     /**
-     * Get identity provider by identity provider name
+     * Get identity provider by identity provider name.
      *
      * @param federatedIdPName Federated identity provider name
      * @return Identity provider
@@ -479,7 +479,7 @@ public IdentityProvider getIdentityProvider(String federatedIdPName) throws Iden
     }
 
     /**
-     * Get all identity providers
+     * Get all identity providers.
      *
      * @return Identity providers array
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -498,7 +498,7 @@ public IdentityProvider[] getAllIdentityProviders() throws IdentityApplicationMa
     }
 
     /**
-     * Get all local authenticators
+     * Get all local authenticators.
      *
      * @return local authenticators array
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -518,7 +518,7 @@ public LocalAuthenticatorConfig[] getAllLocalAuthenticators() throws IdentityApp
     }
 
     /**
-     * Get all request path authenticator config
+     * Get all request path authenticator config.
      *
      * @return Request path authenticator config array
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -539,7 +539,7 @@ public RequestPathAuthenticatorConfig[] getAllRequestPathAuthenticators()
     }
 
     /**
-     * Get all local claim uris
+     * Get all local claim uris.
      *
      * @return claim uri array
      * @throws org.wso2.carbon.identity.application.common.IdentityApplicationManagementException
@@ -558,7 +558,7 @@ public String[] getAllLocalClaimUris() throws IdentityApplicationManagementExcep
     }
 
     /**
-     * Retrieve the set of authentication templates configured from file system in JSON format
+     * Retrieve the set of authentication templates configured from file system in JSON format.
      *
      * @return Authentication templates.
      */
@@ -803,18 +803,8 @@ private void generateCustomInboundAuthenticatorConfigs() {
     private ArrayList getAuthorizedApplicationBasicInfo(
             ApplicationBasicInfo[] applicationBasicInfos, String userName)
             throws IdentityApplicationManagementException {
-
-        ArrayList appInfo = new ArrayList<>();
-        for (ApplicationBasicInfo applicationBasicInfo : applicationBasicInfos) {
-            if (ApplicationMgtUtil.isUserAuthorized(applicationBasicInfo.getApplicationName(), userName)) {
-                appInfo.add(applicationBasicInfo);
-                if (log.isDebugEnabled()) {
-                    log.debug("Retrieving basic information of application: " +
-                            applicationBasicInfo.getApplicationName() + "username: " + userName);
-                }
-            }
-        }
-        return appInfo;
+
+        return ApplicationMgtUtil.filterApplicationsForUser(applicationBasicInfos, userName);
     }
 
     /**
diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationMgtUtil.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationMgtUtil.java
index e89cc9fd5eb4..dd15ad70f041 100644
--- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationMgtUtil.java
+++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/ApplicationMgtUtil.java
@@ -33,6 +33,7 @@
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.context.RegistryType;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
+import org.wso2.carbon.identity.application.common.model.ApplicationBasicInfo;
 import org.wso2.carbon.identity.application.common.model.ApplicationPermission;
 import org.wso2.carbon.identity.application.common.model.InboundAuthenticationRequestConfig;
 import org.wso2.carbon.identity.application.common.model.PermissionsAndRoleConfig;
@@ -150,6 +151,85 @@ public static boolean isUserAuthorized(String applicationName, String username,
         return true;
     }
 
+
+    /**
+     * @param applicationInfos
+     * @param username
+     * @return a filtered list of ApplicationBasicInfo
+     * @throws IdentityApplicationManagementException
+     */
+    public static ArrayList filterApplicationsForUser(
+            ApplicationBasicInfo[] applicationInfos, String username
+    )
+            throws IdentityApplicationManagementException {
+
+        // Initialize list to return
+        ArrayList authorizedAppInfo = new ArrayList();
+
+        // Check whether roles validation is enabled
+        // If we do not validate the roles, return the whole list of applications
+        boolean validateRoles = validateRoles();
+        if (!validateRoles) {
+            if (log.isDebugEnabled()) {
+                log.debug(String.format("Validating user with application roles is disabled. Therefore, " +
+                        "user: %s will be authorized for all applications", username));
+            }
+
+            // return new ArrayList(applicationInfos);
+            return new ArrayList(
+                    (List) Arrays.asList(applicationInfos));
+
+        }
+
+        // Get user store
+        try {
+            UserStoreManager userStoreManager = CarbonContext.getThreadLocalCarbonContext().getUserRealm()
+                    .getUserStoreManager();
+
+            // List roles from user store
+            String[] userRoles = userStoreManager.getRoleListOfUser(username);
+
+            // For each app, check whether the user the corresponding application role
+            for (ApplicationBasicInfo applicationBasicInfo : applicationInfos) {
+
+                String applicationName = applicationBasicInfo.getApplicationName();
+
+                String applicationRoleName = getAppRoleName(applicationName);
+
+                try {
+                    if (log.isDebugEnabled()) {
+                        log.debug(
+                                "Checking whether user has role : " + applicationRoleName +
+                                        " by retrieving role list of " + "user : " + username);
+                    }
+
+                    if (userStoreManager instanceof AbstractUserStoreManager) {
+                        if (((AbstractUserStoreManager) userStoreManager).isUserInRole(username, applicationRoleName)) {
+                            authorizedAppInfo.add(applicationBasicInfo);
+                        }
+                    }
+
+                    for (String userRole : userRoles) {
+                        if (applicationRoleName.equals(userRole)) {
+                            authorizedAppInfo.add(applicationBasicInfo);
+                        }
+                    }
+
+                } catch (UserStoreException e) {
+                    throw new IdentityApplicationManagementException("Error while checking authorization for user: " +
+                            username + " for application: " + applicationName, e);
+                }
+
+            }
+
+        } catch (UserStoreException e) {
+            throw new IdentityApplicationManagementException("Error getting roles for user: " +
+                    username, e);
+        }
+        return authorizedAppInfo;
+    }
+
+
     /**
      * @param applicationName
      * @param username
@@ -296,7 +376,7 @@ private static String getAppRoleName(String applicationName) {
     }
 
     /**
-     * Delete the role of the app
+     * Delete the role of the app.
      *
      * @param applicationName
      * @throws IdentityApplicationManagementException
@@ -468,7 +548,7 @@ public static void storePermissions(String applicationName, String username,
     }
 
     /**
-     * Updates the permissions of the application
+     * Updates the permissions of the application.
      *
      * @param applicationName
      * @param permissions
@@ -542,7 +622,7 @@ private static void addPermission(String applicationNode, ApplicationPermission[
     }
 
     /**
-     * Loads the permissions of the application
+     * Loads the permissions of the application.
      *
      * @param applicationName
      * @return
@@ -620,7 +700,7 @@ private static void permissionPath(Registry tenantGovReg, String permissionPath,
     }
 
     /**
-     * Delete the resource
+     * Delete the resource.
      *
      * @param applicationName
      * @throws IdentityApplicationManagementException
@@ -690,7 +770,7 @@ public static String getApplicationPermissionPath() {
     }
 
     /**
-     * Validate application name according to the regex
+     * Validate application name according to the regex.
      *
      * @return validated or not
      */
@@ -716,7 +796,7 @@ public static String getSPValidatorRegex() {
     }
 
     /**
-     * Get Property values
+     * Get Property values.
      *
      * @param tenantDomain Tenant domain
      * @param spIssuer SP Issuer
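Review bot: The per-application loop in filterApplicationsForUser can add the same ApplicationBasicInfo twice: the `isUserInRole` branch appends it, and the `for (String userRole : userRoles)` loop that follows appends it again whenever the application role also appears in the fetched role list (and once more per repeated entry, since nothing breaks out of that loop). The code this replaces in ApplicationManagementAdminService.getAuthorizedApplicationBasicInfo called `isUserAuthorized` once per application and added at most once, so callers of that method now receive duplicate entries in the authorized-application list. Fold the two checks into one boolean per application as below, so the authorization decision is made once and the list stays a set of distinct applications. The same hunk also leaves the commented-out `// return new ArrayList(applicationInfos);` line in place and uses raw `ArrayList`/`(List)` types where `List<ApplicationBasicInfo>` and `new ArrayList<>(Arrays.asList(applicationInfos))` would remove the cast, and the new Javadoc `@param` tags carry no description; I would write `@param applicationInfos Applications to filter` and `@param username User whose application roles decide which entries are returned`.
```java
                try {
                    // … unchanged: debug log …
                    boolean authorized = userStoreManager instanceof AbstractUserStoreManager
                            && ((AbstractUserStoreManager) userStoreManager).isUserInRole(username, applicationRoleName);
                    if (!authorized) {
                        authorized = Arrays.asList(userRoles).contains(applicationRoleName);
                    }
                    // One decision per application: never append the same entry twice.
                    if (authorized) {
                        authorizedAppInfo.add(applicationBasicInfo);
                    }
                } catch (UserStoreException e) {
```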
@@ -811,7 +891,7 @@ public static boolean isValidApplicationOwner(ServiceProvider serviceProvider)
     }
 
     /**
-     * Get Service provider name from XML configuration file
+     * Get Service provider name from XML configuration file.
      *
      * @param spFileStream
      * @param tenantDomain