Retrieve roles assigned through groups.

wso2-extensions · Aug 27, 2024 · 494ce44 · 494ce44
1 parent 647de32
commit 494ce44
Showing 1 changed file with 62 additions and 19 deletions.
diff --git a/...piry/src/main/java/org/wso2/carbon/identity/password/expiry/util/PasswordPolicyUtils.java b/...piry/src/main/java/org/wso2/carbon/identity/password/expiry/util/PasswordPolicyUtils.java
@@ -250,25 +250,23 @@ private static Set<String> getUserAttributes(PasswordExpiryRuleAttributeEnum att
             throws PostAuthenticationFailedException {
 
         if (!fetchedUserAttributes.containsKey(attribute)) {
-            try {
-                switch (attribute) {
-                    case ROLES:
-                        List<RoleBasicInfo> userRoles = getUserRoles(tenantDomain, userId);
-                        Set<String> userRoleIds = userRoles.stream().map(RoleBasicInfo::getId).collect(Collectors.toSet());
-                        fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.ROLES, userRoleIds);
-                        break;
-                    case GROUPS:
-                        List<Group> userGroups =
-                                ((AbstractUserStoreManager) userStoreManager).getGroupListOfUser(userId,
-                                        null, null);
-                        Set<String> userGroupIds = userGroups.stream().map(Group::getGroupID).collect(Collectors.toSet());
-                        fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.GROUPS, userGroupIds);
-                        break;
-                }
-            } catch (UserStoreException e) {
-                throw new PostAuthenticationFailedException(PasswordPolicyConstants.ErrorMessages.
-                        ERROR_WHILE_RETRIEVING_USER_GROUPS.getCode(),
-                        PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_RETRIEVING_USER_GROUPS.getMessage());
+            switch (attribute) {
+                case ROLES:
+                    // Fetch roles assigned to user via groups.
+                    Set<String> userGroupIds = getUserGroupIds(userId, userStoreManager);
+                    List<String> roleIdsOfGroups = getRoleIdsOfGroups(new ArrayList<>(userGroupIds), tenantDomain);
+                    fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.GROUPS, userGroupIds);
+
+                    List<RoleBasicInfo> userRoles = getUserRoles(tenantDomain, userId);
+                    Set<String> userRoleIds =
+                            userRoles.stream().map(RoleBasicInfo::getId).collect(Collectors.toSet());
+                    userRoleIds.addAll(roleIdsOfGroups);
+                    fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.ROLES, userRoleIds);
+                    break;
+                case GROUPS:
+                    Set<String> groupIds = getUserGroupIds(userId, userStoreManager);
+                    fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.GROUPS, groupIds);
+                    break;
             }
         }
         return fetchedUserAttributes.get(attribute);
@@ -314,6 +312,51 @@ public static List<RoleBasicInfo> getUserRoles(String tenantDomain, String userI
         }
     }
 
+    /**
+     * Get the group IDs of the given user.
+     *
+     * @param userId           The user ID.
+     * @param userStoreManager The user store manager.
+     * @return The group IDs of the user.
+     * @throws PostAuthenticationFailedException If an error occurs while getting the group IDs of the user.
+     */
+    private static Set<String> getUserGroupIds(String userId, UserStoreManager userStoreManager)
+            throws PostAuthenticationFailedException {
+
+        try {
+            List<Group> userGroups =
+                    ((AbstractUserStoreManager) userStoreManager).getGroupListOfUser(userId,
+                            null, null);
+            return userGroups.stream().map(Group::getGroupID).collect(Collectors.toSet());
+        } catch (UserStoreException e) {
+                throw new PostAuthenticationFailedException(PasswordPolicyConstants.ErrorMessages.
+                        ERROR_WHILE_RETRIEVING_USER_GROUPS.getCode(),
+                        PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_RETRIEVING_USER_GROUPS.getMessage());
+        }
+    }
+
+    /**
+     * Get the role IDs of the given groups.
+     *
+     * @param groupIds     The group IDs.
+     * @param tenantDomain The tenant domain.
+     * @return The role IDs of the groups.
+     * @throws PostAuthenticationFailedException If an error occurs while getting the role IDs of the groups.
+     */
+    private static List<String> getRoleIdsOfGroups(List<String> groupIds, String tenantDomain)
+            throws PostAuthenticationFailedException {
+
+        try {
+            RoleManagementService roleManagementService = EnforcePasswordResetComponentDataHolder.getInstance()
+                    .getRoleManagementService();
+            return roleManagementService.getRoleIdListOfGroups(groupIds, tenantDomain);
+        } catch (IdentityRoleManagementException e) {
+            throw new PostAuthenticationFailedException(PasswordPolicyConstants.ErrorMessages.
+                    ERROR_WHILE_RETRIEVING_USER_ROLES.getCode(),
+                    PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_RETRIEVING_USER_ROLES.getMessage());
+        }
+    }
+
     /**
      * This method retrieves the last password updated time in milliseconds.
      *