wso2-extensions · AnuradhaSK · Jan 19, 2025 · Jan 19, 2025 · Jan 19, 2025
diff --git a/...onents/org.wso2.carbon.identity.organization.management.organization.user.sharing/pom.xml b/...onents/org.wso2.carbon.identity.organization.management.organization.user.sharing/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+  ~ Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
   ~
   ~ WSO2 LLC. licenses this file to you under the Apache License,
   ~ Version 2.0 (the "License"); you may not use this file except
@@ -158,6 +158,10 @@
                             org.wso2.carbon.identity.event; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.event.services; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon;version="${carbon.kernel.package.import.version.range}",
+                            org.wso2.carbon.identity.claim.metadata.mgt;version="${carbon.identity.package.import.version.range}",
+                            org.wso2.carbon.identity.claim.metadata.mgt.model;version="${carbon.identity.package.import.version.range}",
+                            org.wso2.carbon.identity.claim.metadata.mgt.util;version="${carbon.identity.package.import.version.range}",
+                            org.wso2.carbon.identity.claim.metadata.mgt.exception;version="${carbon.identity.package.import.version.range}",
                         </Import-Package>
                     </instructions>
                 </configuration>

diff --git a/...tion/management/organization/user/sharing/internal/OrganizationUserSharingDataHolder.java b/...tion/management/organization/user/sharing/internal/OrganizationUserSharingDataHolder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
  *
  * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
@@ -19,6 +19,7 @@
 package org.wso2.carbon.identity.organization.management.organization.user.sharing.internal;
 
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
+import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataManagementService;
 import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
 import org.wso2.carbon.identity.organization.management.role.management.service.RoleManager;
 import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
@@ -37,6 +38,7 @@ public class OrganizationUserSharingDataHolder {
     private OrganizationUserSharingService organizationUserSharingService;
     private ApplicationManagementService applicationManagementService;
     private RoleManager roleManager;
+    private ClaimMetadataManagementService claimManagementService;
 
     public static OrganizationUserSharingDataHolder getInstance() {
 
@@ -162,4 +164,24 @@ public void setApplicationManagementService(ApplicationManagementService applica
 
         this.applicationManagementService = applicationManagementService;
     }
+
+    /**
+     * Get the claim management service.
+     *
+     * @return ClaimMetadataManagementService claim management service.
+     */
+    public ClaimMetadataManagementService getClaimManagementService() {
+
+        return claimManagementService;
+    }
+
+    /**
+     * Set the claim management service.
+     *
+     * @param claimManagementService ClaimMetadataManagementService claim management service.
+     */
+    public void setClaimManagementService(ClaimMetadataManagementService claimManagementService) {
+
+        this.claimManagementService = claimManagementService;
+    }
 }
diff --git a/...anagement/organization/user/sharing/internal/OrganizationUserSharingServiceComponent.java b/...anagement/organization/user/sharing/internal/OrganizationUserSharingServiceComponent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
  *
  * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
@@ -28,6 +28,7 @@
 import org.osgi.service.component.annotations.ReferenceCardinality;
 import org.osgi.service.component.annotations.ReferencePolicy;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
+import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataManagementService;
 import org.wso2.carbon.identity.event.handler.AbstractEventHandler;
 import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
 import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingServiceImpl;
@@ -148,4 +149,23 @@ protected void unsetApplicationManagementService(ApplicationManagementService ap
 
         OrganizationUserSharingDataHolder.getInstance().setApplicationManagementService(null);
     }
+
+    @Reference(
+            name = "claim.metadata.management.service",
+            service = ClaimMetadataManagementService.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetClaimMetadataManagementService"
+    )
+    protected void setClaimMetadataManagementService(ClaimMetadataManagementService claimManagementService) {
+
+        OrganizationUserSharingDataHolder.getInstance().setClaimManagementService(claimManagementService);
+        LOG.debug("Set Claim Metadata Management Service.");
+    }
+
+    protected void unsetClaimMetadataManagementService(ClaimMetadataManagementService claimManagementService) {
+
+        OrganizationUserSharingDataHolder.getInstance().setClaimManagementService(null);
+        LOG.debug("Unset Claim Metadata Management Service.");
+    }
 }
diff --git a/...nt/organization/user/sharing/listener/SharedUserProfileUpdateGovernanceEventListener.java b/...nt/organization/user/sharing/listener/SharedUserProfileUpdateGovernanceEventListener.java
@@ -0,0 +1,186 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.organization.management.organization.user.sharing.listener;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataManagementService;
+import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
+import org.wso2.carbon.identity.claim.metadata.mgt.model.LocalClaim;
+import org.wso2.carbon.identity.claim.metadata.mgt.util.ClaimConstants;
+import org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.internal.OrganizationUserSharingDataHolder;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
+import org.wso2.carbon.user.core.UserStoreClientException;
+import org.wso2.carbon.user.core.UserStoreException;
+import org.wso2.carbon.user.core.UserStoreManager;
+
+import java.util.Map;
+import java.util.Optional;
+
+import static org.wso2.carbon.identity.claim.metadata.mgt.util.ClaimConstants.SHARED_PROFILE_VALUE_RESOLVING_METHOD;
+import static org.wso2.carbon.identity.organization.management.organization.user.sharing.constant.UserSharingConstants.CLAIM_MANAGED_ORGANIZATION;
+import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_MANAGED_ORGANIZATION_CLAIM_UPDATE_NOT_ALLOWED;
+
+/**
+ * Shared user profile update governing event listener.
+ */
+public class SharedUserProfileUpdateGovernanceEventListener extends AbstractIdentityUserOperationEventListener {
+
+    private static final Log LOG = LogFactory.getLog(SharedUserProfileUpdateGovernanceEventListener.class);
+
+    @Override
+    public int getExecutionOrderId() {
+
+        // The order of this listener should be higher than the IdentityStoreEventListener(100).
+        return 8;
+    }
+
+    @Override
+    public boolean doPreSetUserClaimValuesWithID(String userID, Map<String, String> claims, String profileName,
+                                                 UserStoreManager userStoreManager) throws UserStoreException {
+
+        if (!isEnable() || userStoreManager == null) {
+            return true;
+        }
+        if (!claims.isEmpty() && claims.containsKey(CLAIM_MANAGED_ORGANIZATION)) {
+            throw new UserStoreClientException(
+                    String.format(ERROR_CODE_MANAGED_ORGANIZATION_CLAIM_UPDATE_NOT_ALLOWED.getDescription(),
+                            CLAIM_MANAGED_ORGANIZATION),
+                    ERROR_CODE_MANAGED_ORGANIZATION_CLAIM_UPDATE_NOT_ALLOWED.getCode());
+        }
+        /*
+        If the update is for a shared profile, check whether the claim's SharedProfileValueResolvingMethod is
+        set to "FromOrigin" or blank. If yes, it is not allowed to update the claim value.
+         */
+        String currentTenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+
+        if (!isSharedUserProfile(userID, currentTenantDomain)) {
+            return true;
+        }
+        ClaimMetadataManagementService claimManagementService =
+                OrganizationUserSharingDataHolder.getInstance().getClaimManagementService();
+        for (Map.Entry<String, String> claim : claims.entrySet()) {
+            try {
+                Optional<LocalClaim> localClaim =
+                        claimManagementService.getLocalClaim(claim.getKey(), currentTenantDomain);
+                if (!localClaim.isPresent()) {
+                    LOG.debug(String.format("Claim: %s is not available in the tenant: %s", claim.getKey(),
+                            currentTenantDomain));
+                    continue;
+                }
+                String sharedProfileValueResolvingMethod =
+                        localClaim.get().getClaimProperty(SHARED_PROFILE_VALUE_RESOLVING_METHOD);
+                if (StringUtils.isBlank(sharedProfileValueResolvingMethod) ||
+                        StringUtils.equals(ClaimConstants.SharedProfileValueResolvingMethod.FROM_ORIGIN.getName(),
+                                sharedProfileValueResolvingMethod)) {
+                    throw new UserStoreClientException(
+                            String.format("Claim: %s is not allowed to be updated for shared users.", claim.getKey()));
+                }
+            } catch (ClaimMetadataException e) {
+                throw new UserStoreClientException(
+                        String.format(
+                                "Error while checking the SharedProfileValueResolvingMethod value of the claim: %s",
+                                claim.getKey()), e);
+            }
+        }
+        return true;
+    }
+
+    @Override
+    public boolean doPreSetUserClaimValueWithID(String userID, String claimURI, String claimValue, String profileName,
+                                                UserStoreManager userStoreManager) throws UserStoreException {
+
+        if (!isEnable() || userStoreManager == null) {
+            return true;
+        }
+        // The managedOrg identity claim can't be edited by the user.
+        if (CLAIM_MANAGED_ORGANIZATION.equals(claimURI)) {
+            throw new UserStoreClientException(
+                    String.format(ERROR_CODE_MANAGED_ORGANIZATION_CLAIM_UPDATE_NOT_ALLOWED.getDescription(),
+                            CLAIM_MANAGED_ORGANIZATION),
+                    ERROR_CODE_MANAGED_ORGANIZATION_CLAIM_UPDATE_NOT_ALLOWED.getCode());
+        }
+
+        /*
+        If the update is for a shared profile, check whether the claim's SharedProfileValueResolvingMethod
+        is set to "FromOrigin" or blank. If yes, it is not allowed to update the claim value.
+         */
+        String currentTenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+
+        if (!isSharedUserProfile(userID, currentTenantDomain)) {
+            return true;
+        }
+        try {
+            ClaimMetadataManagementService claimManagementService =
+                    OrganizationUserSharingDataHolder.getInstance().getClaimManagementService();
+            Optional<LocalClaim> localClaim = claimManagementService.getLocalClaim(claimURI, currentTenantDomain);
+            if (!localClaim.isPresent()) {
+                LOG.debug(String.format("Claim: %s is not available in the tenant: %s", claimURI, currentTenantDomain));
+                return true;
+            }
+            String sharedProfileValueResolvingMethod =
+                    localClaim.get().getClaimProperty(SHARED_PROFILE_VALUE_RESOLVING_METHOD);
+            if (StringUtils.isBlank(sharedProfileValueResolvingMethod) ||
+                    StringUtils.equals(ClaimConstants.SharedProfileValueResolvingMethod.FROM_ORIGIN.getName(),
+                            sharedProfileValueResolvingMethod)) {
+                throw new UserStoreClientException(
+                        String.format("Claim: %s is not allowed to be updated for shared users.", claimURI));
+            }
+        } catch (ClaimMetadataException e) {
+            throw new UserStoreClientException(
+                    String.format("Error while checking the SharedProfileValueResolvingMethod value of the claim: %s",
+                            claimURI), e);
+        }
+        return true;
+    }
+
+
+    private static boolean isSharedUserProfile(String userID, String currentTenantDomain)
+            throws UserStoreClientException {
+
+        String currentOrganizationId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getOrganizationId();
+        try {
+            if (!OrganizationManagementUtil.isOrganization(currentTenantDomain)) {
+                // There is no shared users in root organizations. Hence, return false.
+                return false;
+            }
+            if (StringUtils.isBlank(currentOrganizationId)) {
+                currentOrganizationId = OrganizationUserSharingDataHolder.getInstance().getOrganizationManager()
+                        .resolveOrganizationId(currentTenantDomain);
+            }
+            UserAssociation userAssociation =
+                    OrganizationUserSharingDataHolder.getInstance().getOrganizationUserSharingService()
+                            .getUserAssociation(userID, currentOrganizationId);
+            if (userAssociation == null) {
+                // User is not a shared user. Hence, return false.
+                return false;
+            }
+        } catch (OrganizationManagementException e) {
+            throw new UserStoreClientException(
+                    "Error while checking the user association of the user: " + userID + " with the organization: " +
+                            currentOrganizationId, e);
+        }
+        return true;
+    }
+}