From 5a9d067a414f5500f098db6f84d2233aaf0be57e Mon Sep 17 00:00:00 2001 From: BimsaraBodaragama Date: Mon, 20 Jan 2025 01:28:44 +0530 Subject: [PATCH 1/7] Add a permission check to validate and delete only permitted hybrid user roles. --- .../role/v2/mgt/core/RoleConstants.java | 6 ++ .../mgt/core/RoleManagementServiceImpl.java | 51 +++++++++++ .../role/v2/mgt/core/dao/RoleDAO.java | 18 ++++ .../role/v2/mgt/core/dao/RoleDAOImpl.java | 88 ++++++++++++++++++- .../role/v2/mgt/core/dao/SQLQueries.java | 16 ++++ 5 files changed, 176 insertions(+), 3 deletions(-) diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java index 3773d21edfe1..1f9186e7551d 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java @@ -86,6 +86,12 @@ private RoleConstants() { // Role properties public static final String IS_SHARED_ROLE_PROP_NAME = "isSharedRole"; + // NamedPreparedStatement Params + public static final String ROLE_ID = "roleId"; + public static final String TENANT_ID = "tenantId"; + public static final String PERMITTED_ORG_ID = "permittedOrgId"; + public static final String USERNAME = "username"; + /** * Grouping of constants related to database table names. */ diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java index 85bfab183292..b8a3ab19e69a 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java @@ -31,10 +31,12 @@ import org.wso2.carbon.identity.core.model.FilterTreeBuilder; import org.wso2.carbon.identity.core.model.Node; import org.wso2.carbon.identity.core.model.OperationNode; +import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.core.util.IdentityUtil; import org.wso2.carbon.identity.organization.management.service.OrganizationManager; import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException; import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil; +import org.wso2.carbon.identity.organization.management.service.util.Utils; import org.wso2.carbon.identity.role.v2.mgt.core.dao.RoleDAO; import org.wso2.carbon.identity.role.v2.mgt.core.dao.RoleMgtDAOFactory; import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementClientException; @@ -423,6 +425,18 @@ public List getUserListOfRole(String roleId, String tenantDomain) public RoleBasicInfo updateUserListOfRole(String roleId, List newUserIDList, List deletedUserIDList, String tenantDomain) throws IdentityRoleManagementException { + int tenantId = IdentityTenantUtil.getTenantId(tenantDomain); + try { + if (OrganizationManagementUtil.isOrganization(tenantId)) { + deletedUserIDList = updateDeletedUserIDListBasedOnPermission(roleId, deletedUserIDList, tenantDomain, + Utils.getOrganizationId()); + } + } catch (OrganizationManagementException e) { + String errorMessage = "Error while retrieving the organization id for the given tenantDomain: " + + tenantDomain; + throw new IdentityRoleManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), errorMessage, e); + } + List roleManagementListenerList = RoleManagementServiceComponentHolder.getInstance() .getRoleManagementListenerList(); for (RoleManagementListener roleManagementListener : roleManagementListenerList) { @@ -1245,4 +1259,41 @@ private List getUserNamesByIDs(List userIDs, String tenantDomain return userIDResolver.getNamesByIDs(userIDs, tenantDomain); } + + /** + * Get user IDs by usernames. + * + * @param userNames List of usernames. + * @param tenantDomain Tenant Domain. + * @return List of user IDs. + * @throws IdentityRoleManagementException IdentityRoleManagementException. + */ + private List getUserIDsByNames(List userNames, String tenantDomain) + throws IdentityRoleManagementException { + + return userIDResolver.getIDsByNames(userNames, tenantDomain); + } + + /** + * Updates the list of user IDs intended for deletion based on the specified permissions for the given role + * and permitted organization in the tenant domain. + * + * @param roleId The role ID associated with the users. + * @param deletedUserIDList The list of user IDs intended for deletion. + * @param tenantDomain The tenant domain. + * @param permittedOrgId The ID of the organization permitted for the operation. + * @return A modified list of user IDs that are permitted to be deleted. + * @throws IdentityRoleManagementException If an error occurs while updating the user ID list. + */ + private List updateDeletedUserIDListBasedOnPermission(String roleId, List deletedUserIDList, + String tenantDomain, String permittedOrgId) + throws IdentityRoleManagementException { + + List deletedUserNamesList = getUserNamesByIDs(deletedUserIDList, tenantDomain); + + List modifiedDeletedUserNamesList = + roleDAO.getPermittedUserNamesToBeDeleted(roleId, deletedUserNamesList, tenantDomain, permittedOrgId); + + return getUserIDsByNames(modifiedDeletedUserNamesList, tenantDomain); + } } diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java index acfb9cfb3b7e..2712a8b0f85b 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java @@ -510,4 +510,22 @@ default boolean isSharedRole(String roleId, String tenantDomain) throws Identity return false; } + + /** + * Retrieve the list of permitted usernames that can be deleted in the given tenant domain for the specified role + * and permitted organization. + * + * @param roleId The role ID associated with the users. + * @param deletedUserNamesList The list of usernames intended for deletion. + * @param tenantDomain The tenant domain. + * @param permittedOrgId The ID of the organization permitted for the operation. + * @return A list of usernames permitted to be deleted. + * @throws IdentityRoleManagementException If an error occurs while retrieving the permitted usernames. + */ + default List getPermittedUserNamesToBeDeleted(String roleId, List deletedUserNamesList, + String tenantDomain, String permittedOrgId) + throws IdentityRoleManagementException { + + throw new NotImplementedException("getPermittedUserNamesToBeDeleted method is not implemented."); + } } diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java index fd3446b4a64e..3e3878192844 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java @@ -115,10 +115,15 @@ import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.MY_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.ORACLE; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.ORGANIZATION; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.PERMITTED_ORG_ID; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.POSTGRE_SQL; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.ROLE_ID; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.ROLE_NAME; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_USER_NAME; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.USER_NOT_FOUND_ERROR_MESSAGE; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.SYSTEM; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.TENANT_ID; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.USERNAME; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.ADD_APP_ROLE_ASSOCIATION_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.ADD_GROUP_TO_ROLE_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.ADD_GROUP_TO_ROLE_SQL_MSSQL; @@ -155,6 +160,10 @@ import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_LIMITED_USER_LIST_OF_ROLE_ORACLE; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_LIMITED_USER_LIST_OF_ROLE_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_MAIN_ROLE_TO_SHARED_ROLE_MAPPINGS_BY_SUBORG_SQL; +import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_HEAD; +import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_TAIL; +import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD; +import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_ROLES_BY_APP_ID_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_ROLES_BY_TENANT_AND_ROLE_NAME_DB2; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.GET_ROLES_BY_TENANT_AND_ROLE_NAME_INFORMIX; @@ -1090,7 +1099,7 @@ public List getRoleListOfUser(String userId, String tenantDomain) try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false); NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLE_LIST_OF_USER_SQL)) { - statement.setString(RoleConstants.RoleTableColumns.UM_USER_NAME, nameWithoutDomain); + statement.setString(UM_USER_NAME, nameWithoutDomain); statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); try (ResultSet resultSet = statement.executeQuery()) { @@ -1287,7 +1296,7 @@ public List getRoleIdListOfUser(String userId, String tenantDomain) thro try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false); NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLE_ID_LIST_OF_USER_SQL)) { - statement.setString(RoleConstants.RoleTableColumns.UM_USER_NAME, nameWithoutDomain); + statement.setString(UM_USER_NAME, nameWithoutDomain); statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); try (ResultSet resultSet = statement.executeQuery()) { @@ -1732,6 +1741,79 @@ public boolean isSharedRole(String roleId, String tenantDomain) throws IdentityR return isShared; } + @Override + public List getPermittedUserNamesToBeDeleted(String roleId, List deletedUserNamesList, + String tenantDomain, String permittedOrgId) + throws IdentityRoleManagementException { + + if (deletedUserNamesList == null || deletedUserNamesList.isEmpty()) { + return Collections.emptyList(); // Return early if no usernames are provided + } + + int tenantId = IdentityTenantUtil.getTenantId(tenantDomain); + List permittedUserNames = new ArrayList<>(); + + // Dynamically build placeholders for the IN clause + String placeholders = deletedUserNamesList.stream() + .map(username -> ":username" + deletedUserNamesList.indexOf(username)) + .collect(Collectors.joining(",")); + + // Query 1: NOT_RESTRICTED usernames + String query1 = + GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_HEAD + placeholders + GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_TAIL; + + // Query 2: RESTRICTED usernames with permitted deletion access + String query2 = GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD + placeholders + + GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL; + + try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false)) { + + // Execute Query 1 + try (NamedPreparedStatement ps1 = new NamedPreparedStatement(connection, query1)) { + ps1.setString(ROLE_ID, roleId); + ps1.setInt(TENANT_ID, tenantId); + + for (int i = 0; i < deletedUserNamesList.size(); i++) { + ps1.setString(USERNAME + i, deletedUserNamesList.get(i)); + } + + try (ResultSet rs1 = ps1.executeQuery()) { + while (rs1.next()) { + permittedUserNames.add(rs1.getString(UM_USER_NAME)); + } + } + } + + // Execute Query 2 + try (NamedPreparedStatement ps2 = new NamedPreparedStatement(connection, query2)) { + ps2.setString(ROLE_ID, roleId); + ps2.setInt(TENANT_ID, tenantId); + ps2.setString(PERMITTED_ORG_ID, permittedOrgId); + + for (int i = 0; i < deletedUserNamesList.size(); i++) { + ps2.setString(USERNAME + i, deletedUserNamesList.get(i)); + } + + try (ResultSet rs2 = ps2.executeQuery()) { + while (rs2.next()) { + String username = rs2.getString(UM_USER_NAME); + if (!permittedUserNames.contains(username)) { + permittedUserNames.add(username); + } + } + } + } + + } catch (SQLException e) { + String errorMessage = + String.format("Error while retrieving permitted usernames for role ID: %s in tenant domain: %s", + roleId, tenantDomain); + throw new IdentityRoleManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), errorMessage, e); + } + + return permittedUserNames; + } + /** * Check tenant is a sub organization. * @@ -2247,7 +2329,7 @@ private void processBatchUpdateForUsers(String roleName, int audienceRefId, List domainName = domainName.toUpperCase(Locale.ENGLISH); } String nameWithoutDomain = UserCoreUtil.removeDomainFromName(userName); - statement.setString(RoleConstants.RoleTableColumns.UM_USER_NAME, nameWithoutDomain); + statement.setString(UM_USER_NAME, nameWithoutDomain); statement.setString(RoleConstants.RoleTableColumns.UM_ROLE_NAME, roleName); statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); statement.setInt(RoleConstants.RoleTableColumns.UM_AUDIENCE_REF_ID, audienceRefId); diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java index a326cc710d4d..6de6d97ab86a 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java @@ -414,4 +414,20 @@ public class SQLQueries { public static final String INSERT_MAIN_TO_SHARED_ROLE_RELATIONSHIP = "INSERT INTO UM_SHARED_ROLE " + "(UM_SHARED_ROLE_ID, UM_MAIN_ROLE_ID, UM_SHARED_ROLE_TENANT_ID, UM_MAIN_ROLE_TENANT_ID) " + "VALUES (:UM_SHARED_ROLE_ID;, :UM_MAIN_ROLE_ID;, :UM_SHARED_ROLE_TENANT_ID;, :UM_MAIN_ROLE_TENANT_ID;)"; + + public static final String GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_HEAD = + "SELECT UM_USER_NAME FROM UM_HYBRID_USER_ROLE WHERE UM_ROLE_ID = :roleId AND UM_USER_NAME IN ("; + + public static final String GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_TAIL = + ") AND UM_TENANT_ID = :tenantId AND UM_EDIT_RESTRICTION = 'NOT_RESTRICTED'"; + + public static final String GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD = + "SELECT r.UM_USER_NAME FROM UM_HYBRID_USER_ROLE r " + + "INNER JOIN UM_HYBRID_USER_ROLE_RESTRICTED_EDIT_PERMISSIONS p " + + "ON r.UM_ID = p.UM_HYBRID_USER_ROLE_ID AND r.UM_TENANT_ID = p.UM_HYBRID_USER_ROLE_TENANT_ID " + + "WHERE r.UM_ROLE_ID = :roleId AND r.UM_USER_NAME IN ("; + + public static final String GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL = + ") AND r.UM_TENANT_ID = :tenantId AND p.UM_PERMITTED_ORG_ID = :permittedOrgId " + + "AND r.UM_EDIT_OPERATION = 'DELETE' AND r.UM_EDIT_RESTRICTION = 'RESTRICTED'"; } From 6df0fe34c26cf6aa6a2531a9fc2af78121fea457 Mon Sep 17 00:00:00 2001 From: BimsaraBodaragama Date: Mon, 20 Jan 2025 10:30:57 +0530 Subject: [PATCH 2/7] Encapsulate the new business logic to a private method. --- .../mgt/core/RoleManagementServiceImpl.java | 45 ++++++++++++++----- .../role/v2/mgt/core/dao/RoleDAO.java | 29 ++++++------ .../role/v2/mgt/core/dao/RoleDAOImpl.java | 4 +- 3 files changed, 51 insertions(+), 27 deletions(-) diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java index b8a3ab19e69a..0c156f5e8063 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java @@ -425,17 +425,7 @@ public List getUserListOfRole(String roleId, String tenantDomain) public RoleBasicInfo updateUserListOfRole(String roleId, List newUserIDList, List deletedUserIDList, String tenantDomain) throws IdentityRoleManagementException { - int tenantId = IdentityTenantUtil.getTenantId(tenantDomain); - try { - if (OrganizationManagementUtil.isOrganization(tenantId)) { - deletedUserIDList = updateDeletedUserIDListBasedOnPermission(roleId, deletedUserIDList, tenantDomain, - Utils.getOrganizationId()); - } - } catch (OrganizationManagementException e) { - String errorMessage = "Error while retrieving the organization id for the given tenantDomain: " - + tenantDomain; - throw new IdentityRoleManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), errorMessage, e); - } + deletedUserIDList = getEligibleUserIDsForUserRemovalFromRole(roleId, deletedUserIDList, tenantDomain); List roleManagementListenerList = RoleManagementServiceComponentHolder.getInstance() .getRoleManagementListenerList(); @@ -1292,8 +1282,39 @@ private List updateDeletedUserIDListBasedOnPermission(String roleId, Lis List deletedUserNamesList = getUserNamesByIDs(deletedUserIDList, tenantDomain); List modifiedDeletedUserNamesList = - roleDAO.getPermittedUserNamesToBeDeleted(roleId, deletedUserNamesList, tenantDomain, permittedOrgId); + roleDAO.getEligibleUsernamesForUserRemovalFromRole(roleId, deletedUserNamesList, tenantDomain, + permittedOrgId); return getUserIDsByNames(modifiedDeletedUserNamesList, tenantDomain); } + + /** + * Retrieves the list of user IDs eligible for removal from the specified role in the given tenant domain, + * based on the permissions of the requesting organization. + * + * @param roleId The role ID from which the users are to be removed. + * @param deletedUserIDList The list of user IDs intended for removal. + * @param tenantDomain The tenant domain where the operation is being performed. + * @return A list of user IDs eligible for removal from the specified role. + * @throws IdentityRoleManagementException If an error occurs while validating permissions or retrieving the + * organization ID. + */ + private List getEligibleUserIDsForUserRemovalFromRole(String roleId, List deletedUserIDList, + String tenantDomain) + throws IdentityRoleManagementException { + + int tenantId = IdentityTenantUtil.getTenantId(tenantDomain); + try { + if (OrganizationManagementUtil.isOrganization(tenantId)) { + return updateDeletedUserIDListBasedOnPermission(roleId, deletedUserIDList, tenantDomain, + Utils.getOrganizationId()); + } + } catch (OrganizationManagementException e) { + String errorMessage = "Error while retrieving the organization id for the given tenantDomain: " + + tenantDomain; + throw new IdentityRoleManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), errorMessage, e); + } + + return deletedUserIDList; + } } diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java index 2712a8b0f85b..2fa4faf9f9ac 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java @@ -512,20 +512,23 @@ default boolean isSharedRole(String roleId, String tenantDomain) throws Identity } /** - * Retrieve the list of permitted usernames that can be deleted in the given tenant domain for the specified role - * and permitted organization. - * - * @param roleId The role ID associated with the users. - * @param deletedUserNamesList The list of usernames intended for deletion. - * @param tenantDomain The tenant domain. - * @param permittedOrgId The ID of the organization permitted for the operation. - * @return A list of usernames permitted to be deleted. - * @throws IdentityRoleManagementException If an error occurs while retrieving the permitted usernames. - */ - default List getPermittedUserNamesToBeDeleted(String roleId, List deletedUserNamesList, - String tenantDomain, String permittedOrgId) + * Retrieve the list of usernames eligible to be removed from the specified role within the given tenant domain, + * based on the permissions of the requesting organization. + * + * This method ensures that the requesting organization has the necessary permissions to remove the specified users + * from the given role. + * + * @param roleId The role ID from which the users are to be removed. + * @param usernamesToBeRemoved The list of usernames intended for removal. + * @param tenantDomain The tenant domain where the operation is being performed. + * @param requestingOrgId The ID of the requesting organization performing the operation. + * @return A list of usernames that the requesting organization is permitted to remove from the given role. + * @throws IdentityRoleManagementException If an error occurs while validating the permissions or retrieving eligible usernames. + */ + default List getEligibleUsernamesForUserRemovalFromRole(String roleId, List usernamesToBeRemoved, + String tenantDomain, String requestingOrgId) throws IdentityRoleManagementException { - throw new NotImplementedException("getPermittedUserNamesToBeDeleted method is not implemented."); + throw new NotImplementedException("getEligibleUsernamesForUserRemovalFromRole method is not implemented."); } } diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java index 3e3878192844..a567534150cc 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java @@ -1099,7 +1099,7 @@ public List getRoleListOfUser(String userId, String tenantDomain) try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false); NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLE_LIST_OF_USER_SQL)) { - statement.setString(UM_USER_NAME, nameWithoutDomain); + statement.setString(RoleConstants.RoleTableColumns.UM_USER_NAME, nameWithoutDomain); statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); try (ResultSet resultSet = statement.executeQuery()) { @@ -1742,7 +1742,7 @@ public boolean isSharedRole(String roleId, String tenantDomain) throws IdentityR } @Override - public List getPermittedUserNamesToBeDeleted(String roleId, List deletedUserNamesList, + public List getEligibleUsernamesForUserRemovalFromRole(String roleId, List deletedUserNamesList, String tenantDomain, String permittedOrgId) throws IdentityRoleManagementException { From 27c8c1530467a007da0b246f48c15f734d959002 Mon Sep 17 00:00:00 2001 From: BimsaraBodaragama Date: Mon, 20 Jan 2025 12:09:13 +0530 Subject: [PATCH 3/7] Update the sql queries with ; after each filter. --- .../identity/role/v2/mgt/core/dao/SQLQueries.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java index 6de6d97ab86a..c3b422e95263 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java @@ -416,18 +416,18 @@ public class SQLQueries { "VALUES (:UM_SHARED_ROLE_ID;, :UM_MAIN_ROLE_ID;, :UM_SHARED_ROLE_TENANT_ID;, :UM_MAIN_ROLE_TENANT_ID;)"; public static final String GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_HEAD = - "SELECT UM_USER_NAME FROM UM_HYBRID_USER_ROLE WHERE UM_ROLE_ID = :roleId AND UM_USER_NAME IN ("; + "SELECT UM_USER_NAME FROM UM_HYBRID_USER_ROLE WHERE UM_ROLE_ID = :roleId; AND UM_USER_NAME IN ("; public static final String GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_TAIL = - ") AND UM_TENANT_ID = :tenantId AND UM_EDIT_RESTRICTION = 'NOT_RESTRICTED'"; + "); AND UM_TENANT_ID = :tenantId; AND UM_EDIT_RESTRICTION = 'NOT_RESTRICTED';"; public static final String GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD = "SELECT r.UM_USER_NAME FROM UM_HYBRID_USER_ROLE r " + "INNER JOIN UM_HYBRID_USER_ROLE_RESTRICTED_EDIT_PERMISSIONS p " + "ON r.UM_ID = p.UM_HYBRID_USER_ROLE_ID AND r.UM_TENANT_ID = p.UM_HYBRID_USER_ROLE_TENANT_ID " - + "WHERE r.UM_ROLE_ID = :roleId AND r.UM_USER_NAME IN ("; + + "WHERE r.UM_ROLE_ID = :roleId; AND r.UM_USER_NAME IN ("; public static final String GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL = - ") AND r.UM_TENANT_ID = :tenantId AND p.UM_PERMITTED_ORG_ID = :permittedOrgId " + - "AND r.UM_EDIT_OPERATION = 'DELETE' AND r.UM_EDIT_RESTRICTION = 'RESTRICTED'"; + "); AND r.UM_TENANT_ID = :tenantId; AND p.UM_PERMITTED_ORG_ID = :permittedOrgId; " + + "AND r.UM_EDIT_OPERATION = 'DELETE'; AND r.UM_EDIT_RESTRICTION = 'RESTRICTED';"; } From 07974471dc0c7e6d30ed8ae5da135ed7e25e0b18 Mon Sep 17 00:00:00 2001 From: BimsaraBodaragama Date: Mon, 20 Jan 2025 16:57:27 +0530 Subject: [PATCH 4/7] Fix checkstyle. --- .../wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java index 2fa4faf9f9ac..cc4562ecbec0 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java @@ -514,7 +514,7 @@ default boolean isSharedRole(String roleId, String tenantDomain) throws Identity /** * Retrieve the list of usernames eligible to be removed from the specified role within the given tenant domain, * based on the permissions of the requesting organization. - * + *

* This method ensures that the requesting organization has the necessary permissions to remove the specified users * from the given role. * @@ -523,7 +523,8 @@ default boolean isSharedRole(String roleId, String tenantDomain) throws Identity * @param tenantDomain The tenant domain where the operation is being performed. * @param requestingOrgId The ID of the requesting organization performing the operation. * @return A list of usernames that the requesting organization is permitted to remove from the given role. - * @throws IdentityRoleManagementException If an error occurs while validating the permissions or retrieving eligible usernames. + * @throws IdentityRoleManagementException If an error occurs while validating the permissions or retrieving + * eligible usernames. */ default List getEligibleUsernamesForUserRemovalFromRole(String roleId, List usernamesToBeRemoved, String tenantDomain, String requestingOrgId) From 4a2588d7b3e0358ae048d456962756250c9b0577 Mon Sep 17 00:00:00 2001 From: BimsaraBodaragama Date: Tue, 21 Jan 2025 01:34:43 +0530 Subject: [PATCH 5/7] Update queries to have constants. --- .../role/v2/mgt/core/RoleConstants.java | 7 +- .../mgt/core/RoleManagementServiceImpl.java | 14 +- .../role/v2/mgt/core/dao/RoleDAOImpl.java | 121 +++++++++--------- .../role/v2/mgt/core/dao/SQLQueries.java | 16 ++- 4 files changed, 80 insertions(+), 78 deletions(-) diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java index 1f9186e7551d..ad2bcfd162ca 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java @@ -86,12 +86,6 @@ private RoleConstants() { // Role properties public static final String IS_SHARED_ROLE_PROP_NAME = "isSharedRole"; - // NamedPreparedStatement Params - public static final String ROLE_ID = "roleId"; - public static final String TENANT_ID = "tenantId"; - public static final String PERMITTED_ORG_ID = "permittedOrgId"; - public static final String USERNAME = "username"; - /** * Grouping of constants related to database table names. */ @@ -125,6 +119,7 @@ public static class RoleTableColumns { public static final String UM_GROUP_ID = "UM_GROUP_ID"; public static final String GROUP_NAME = "GROUP_NAME"; public static final String ID = "ID"; + public static final String UM_PERMITTED_ORG_ID = "UM_PERMITTED_ORG_ID"; public static final String NEW_ROLE_NAME = "NEW_ROLE_NAME"; public static final String USER_NOT_FOUND_ERROR_MESSAGE = "A user doesn't exist with name: %s " + diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java index 0c156f5e8063..ade22391b2e9 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java @@ -1265,17 +1265,17 @@ private List getUserIDsByNames(List userNames, String tenantDoma } /** - * Updates the list of user IDs intended for deletion based on the specified permissions for the given role - * and permitted organization in the tenant domain. + * Retrieves the updated list of user IDs intended for deletion based on the specified permissions for the + * given role and permitted organization in the tenant domain. * - * @param roleId The role ID associated with the users. + * @param roleId The role ID associated with the users. * @param deletedUserIDList The list of user IDs intended for deletion. - * @param tenantDomain The tenant domain. - * @param permittedOrgId The ID of the organization permitted for the operation. + * @param tenantDomain The tenant domain. + * @param permittedOrgId The ID of the organization permitted for the operation. * @return A modified list of user IDs that are permitted to be deleted. * @throws IdentityRoleManagementException If an error occurs while updating the user ID list. */ - private List updateDeletedUserIDListBasedOnPermission(String roleId, List deletedUserIDList, + private List getUpdatedUserIDListToBeDeletedBasedOnPermission(String roleId, List deletedUserIDList, String tenantDomain, String permittedOrgId) throws IdentityRoleManagementException { @@ -1306,7 +1306,7 @@ private List getEligibleUserIDsForUserRemovalFromRole(String roleId, Lis int tenantId = IdentityTenantUtil.getTenantId(tenantDomain); try { if (OrganizationManagementUtil.isOrganization(tenantId)) { - return updateDeletedUserIDListBasedOnPermission(roleId, deletedUserIDList, tenantDomain, + return getUpdatedUserIDListToBeDeletedBasedOnPermission(roleId, deletedUserIDList, tenantDomain, Utils.getOrganizationId()); } } catch (OrganizationManagementException e) { diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java index a567534150cc..4ce7ff95a782 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java @@ -115,15 +115,14 @@ import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.MY_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.ORACLE; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.ORGANIZATION; -import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.PERMITTED_ORG_ID; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.POSTGRE_SQL; -import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.ROLE_ID; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.ROLE_NAME; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_PERMITTED_ORG_ID; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_ROLE_ID; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_TENANT_ID; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_USER_NAME; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.USER_NOT_FOUND_ERROR_MESSAGE; import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.SYSTEM; -import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.TENANT_ID; -import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.USERNAME; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.ADD_APP_ROLE_ASSOCIATION_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.ADD_GROUP_TO_ROLE_SQL; import static org.wso2.carbon.identity.role.v2.mgt.core.dao.SQLQueries.ADD_GROUP_TO_ROLE_SQL_MSSQL; @@ -254,7 +253,7 @@ public RoleBasicInfo addRole(String roleName, List userList, List getRolesBasicInfo(Integer limit, Integer offset, Str String databaseProductName = connection.getMetaData().getDatabaseProductName(); try (NamedPreparedStatement statement = new NamedPreparedStatement(connection, getDBTypeSpecificRolesRetrievalQuery(databaseProductName), RoleConstants.RoleTableColumns.UM_ID)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); roles = processListRolesQuery(limit, offset, statement, tenantDomain); } } catch (SQLException e) { @@ -376,7 +375,7 @@ private int getFilteredRolesCount(List expressionNodes, String t filterQueryBuilder.getFilterQuery()); try (NamedPreparedStatement statement = new NamedPreparedStatement(connection, query, RoleConstants.RoleTableColumns.UM_ID)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); if (filterAttributeValue != null) { for (Map.Entry entry : filterAttributeValue.entrySet()) { statement.setString(entry.getKey(), entry.getValue()); @@ -415,7 +414,7 @@ private List getFilteredRolesBasicInfo(List expre getDBTypeSpecificRolesRetrievalQueryByFilter(databaseProductName, filterQueryBuilder.getFilterQuery()), RoleConstants.RoleTableColumns.UM_ID)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); if (filterAttributeValue != null) { for (Map.Entry entry : filterAttributeValue.entrySet()) { statement.setString(entry.getKey(), entry.getValue()); @@ -657,7 +656,7 @@ public List getIdpGroupListOfRole(String roleId, String tenantDomain) NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_IDP_GROUPS_SQL)) { statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { groups.add(new IdpGroup(resultSet.getString(1))); @@ -687,7 +686,7 @@ public void updateIdpGroupListOfRole(String roleId, List newGroupList, DELETE_IDP_GROUPS_SQL)) { statement.setString(RoleConstants.RoleTableColumns.UM_GROUP_ID, idpGroup.getGroupId()); statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.executeUpdate(); } catch (SQLException e) { IdentityDatabaseUtil.rollbackTransaction(connection); @@ -739,7 +738,7 @@ public void deleteRole(String roleId, String tenantDomain) throws IdentityRoleMa try (NamedPreparedStatement statement = new NamedPreparedStatement(connection, DELETE_ROLE_SQL, RoleConstants.RoleTableColumns.UM_ID)) { statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.executeUpdate(); } @@ -855,7 +854,7 @@ public void updateRoleName(String roleId, String newRoleName, String tenantDomai RoleConstants.RoleTableColumns.UM_ID)) { statement.setString(RoleConstants.RoleTableColumns.NEW_UM_ROLE_NAME, newRoleName); statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.executeUpdate(); } // Update shared hybrid role names and return conflicting roles if there are any @@ -907,7 +906,7 @@ private List updateSharedHybridRolesNameAndReturnConflicts(List getRoleListOfUser(String userId, String tenantDomain) NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLE_LIST_OF_USER_SQL)) { statement.setString(RoleConstants.RoleTableColumns.UM_USER_NAME, nameWithoutDomain); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { @@ -1212,7 +1211,7 @@ public List getRoleListOfGroups(List groupIds, String ten } String nameWithoutDomain = UserCoreUtil.removeDomainFromName(groupName); statement.setString(RoleConstants.RoleTableColumns.UM_GROUP_NAME, nameWithoutDomain); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { @@ -1250,7 +1249,7 @@ public List getRoleListOfIdpGroups(List groupIds, String GET_ROLE_LIST_OF_IDP_GROUPS_SQL)) { for (String groupId : groupIds) { statement.setString(RoleConstants.RoleTableColumns.UM_GROUP_ID, groupId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { String roleName = resultSet.getString(1); @@ -1297,7 +1296,7 @@ public List getRoleIdListOfUser(String userId, String tenantDomain) thro NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLE_ID_LIST_OF_USER_SQL)) { statement.setString(UM_USER_NAME, nameWithoutDomain); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { @@ -1340,7 +1339,7 @@ public List getRoleIdListOfGroups(List groupIds, String tenantDo } String nameWithoutDomain = UserCoreUtil.removeDomainFromName(groupName); statement.setString(RoleConstants.RoleTableColumns.UM_GROUP_NAME, nameWithoutDomain); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { @@ -1369,7 +1368,7 @@ public List getRoleIdListOfIdpGroups(List groupIds, String tenan GET_ROLE_ID_LIST_OF_IDP_GROUPS_SQL)) { for (String groupId : groupIds) { statement.setString(RoleConstants.RoleTableColumns.UM_GROUP_ID, groupId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { String roleId = resultSet.getString(1); @@ -1394,7 +1393,7 @@ public void deleteRolesByApplication(String applicationId, String tenantDomain) try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(true); NamedPreparedStatement statement = new NamedPreparedStatement(connection, DELETE_ROLES_BY_APP_ID_SQL)) { try { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, + statement.setInt(UM_TENANT_ID, IdentityTenantUtil.getTenantId(tenantDomain)); statement.setString(RoleConstants.RoleTableColumns.UM_AUDIENCE, APPLICATION); statement.setString(RoleConstants.RoleTableColumns.UM_AUDIENCE_ID, applicationId); @@ -1517,7 +1516,7 @@ private List getHybridRolesByApplication(String applicationId, String t try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false); NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLES_BY_APP_ID_SQL)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, IdentityTenantUtil.getTenantId(tenantDomain)); + statement.setInt(UM_TENANT_ID, IdentityTenantUtil.getTenantId(tenantDomain)); statement.setString(RoleConstants.RoleTableColumns.UM_AUDIENCE, APPLICATION); statement.setString(RoleConstants.RoleTableColumns.UM_AUDIENCE_ID, applicationId); try (ResultSet resultSet = statement.executeQuery()) { @@ -1617,7 +1616,7 @@ private void addIdpGroups(String roleId, List groups, String tenantDom try (NamedPreparedStatement statement = new NamedPreparedStatement(connection, ADD_IDP_GROUPS_SQL)) { for (IdpGroup group : groups) { statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, + statement.setInt(UM_TENANT_ID, IdentityTenantUtil.getTenantId(tenantDomain)); statement.setString(RoleConstants.RoleTableColumns.UM_GROUP_ID, group.getGroupId()); statement.addBatch(); @@ -1743,10 +1742,10 @@ public boolean isSharedRole(String roleId, String tenantDomain) throws IdentityR @Override public List getEligibleUsernamesForUserRemovalFromRole(String roleId, List deletedUserNamesList, - String tenantDomain, String permittedOrgId) + String tenantDomain, String permittedOrgId) throws IdentityRoleManagementException { - if (deletedUserNamesList == null || deletedUserNamesList.isEmpty()) { + if (CollectionUtils.isEmpty(deletedUserNamesList)) { return Collections.emptyList(); // Return early if no usernames are provided } @@ -1755,55 +1754,57 @@ public List getEligibleUsernamesForUserRemovalFromRole(String roleId, Li // Dynamically build placeholders for the IN clause String placeholders = deletedUserNamesList.stream() - .map(username -> ":username" + deletedUserNamesList.indexOf(username)) + .map(username -> ":" + UM_USER_NAME + deletedUserNamesList.indexOf(username)) .collect(Collectors.joining(",")); // Query 1: NOT_RESTRICTED usernames - String query1 = + String fetchNotRestrictedUsernamesQuery = GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_HEAD + placeholders + GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_TAIL; // Query 2: RESTRICTED usernames with permitted deletion access - String query2 = GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD + placeholders + - GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL; + String fetchRestrictedUsernamesWithPermittedAccessQuery = + GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD + placeholders + + GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL; try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false)) { // Execute Query 1 - try (NamedPreparedStatement ps1 = new NamedPreparedStatement(connection, query1)) { - ps1.setString(ROLE_ID, roleId); - ps1.setInt(TENANT_ID, tenantId); + try (NamedPreparedStatement preparedStatement1 = new NamedPreparedStatement(connection, + fetchNotRestrictedUsernamesQuery)) { + preparedStatement1.setString(UM_ROLE_ID, roleId); + preparedStatement1.setInt(UM_TENANT_ID, tenantId); for (int i = 0; i < deletedUserNamesList.size(); i++) { - ps1.setString(USERNAME + i, deletedUserNamesList.get(i)); + preparedStatement1.setString(UM_USER_NAME + i, deletedUserNamesList.get(i)); } - try (ResultSet rs1 = ps1.executeQuery()) { - while (rs1.next()) { - permittedUserNames.add(rs1.getString(UM_USER_NAME)); + try (ResultSet resultSet1 = preparedStatement1.executeQuery()) { + while (resultSet1.next()) { + permittedUserNames.add(resultSet1.getString(UM_USER_NAME)); } } } // Execute Query 2 - try (NamedPreparedStatement ps2 = new NamedPreparedStatement(connection, query2)) { - ps2.setString(ROLE_ID, roleId); - ps2.setInt(TENANT_ID, tenantId); - ps2.setString(PERMITTED_ORG_ID, permittedOrgId); + try (NamedPreparedStatement preparedStatement2 = new NamedPreparedStatement(connection, + fetchRestrictedUsernamesWithPermittedAccessQuery)) { + preparedStatement2.setString(UM_ROLE_ID, roleId); + preparedStatement2.setInt(UM_TENANT_ID, tenantId); + preparedStatement2.setString(UM_PERMITTED_ORG_ID, permittedOrgId); for (int i = 0; i < deletedUserNamesList.size(); i++) { - ps2.setString(USERNAME + i, deletedUserNamesList.get(i)); + preparedStatement2.setString(UM_USER_NAME + i, deletedUserNamesList.get(i)); } - try (ResultSet rs2 = ps2.executeQuery()) { - while (rs2.next()) { - String username = rs2.getString(UM_USER_NAME); + try (ResultSet resultSet2 = preparedStatement2.executeQuery()) { + while (resultSet2.next()) { + String username = resultSet2.getString(UM_USER_NAME); if (!permittedUserNames.contains(username)) { permittedUserNames.add(username); } } } } - } catch (SQLException e) { String errorMessage = String.format("Error while retrieving permitted usernames for role ID: %s in tenant domain: %s", @@ -1849,11 +1850,11 @@ private List getPermissionsOfSharedRole(String roleId, String tenant GET_SHARED_ROLE_MAIN_ROLE_ID_SQL)) { statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); try (ResultSet resultSet = statement.executeQuery()) { if (resultSet.next()) { mainRoleId = resultSet.getString(RoleConstants.RoleTableColumns.UM_UUID); - mainTenantId = resultSet.getInt(RoleConstants.RoleTableColumns.UM_TENANT_ID); + mainTenantId = resultSet.getInt(UM_TENANT_ID); } } if (StringUtils.isNotEmpty(mainRoleId) && mainTenantId != -1) { @@ -2256,7 +2257,7 @@ public boolean isExistingRoleName(String roleName, String audience, String audie try (NamedPreparedStatement statement = new NamedPreparedStatement(connection, IS_ROLE_EXIST_SQL, RoleConstants.RoleTableColumns.UM_ID)) { statement.setString(RoleConstants.RoleTableColumns.UM_ROLE_NAME, removeInternalDomain(roleName)); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setInt(RoleConstants.RoleTableColumns.UM_AUDIENCE_REF_ID, audienceRefId); try (ResultSet resultSet = statement.executeQuery()) { if (resultSet.next()) { @@ -2331,7 +2332,7 @@ private void processBatchUpdateForUsers(String roleName, int audienceRefId, List String nameWithoutDomain = UserCoreUtil.removeDomainFromName(userName); statement.setString(UM_USER_NAME, nameWithoutDomain); statement.setString(RoleConstants.RoleTableColumns.UM_ROLE_NAME, roleName); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setInt(RoleConstants.RoleTableColumns.UM_AUDIENCE_REF_ID, audienceRefId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); statement.addBatch(); @@ -2368,7 +2369,7 @@ private void processBatchUpdateForGroups(String roleName, int audienceRefId, Lis String nameWithoutDomain = UserCoreUtil.removeDomainFromName(groupName); statement.setString(RoleConstants.RoleTableColumns.UM_GROUP_NAME, nameWithoutDomain); statement.setString(RoleConstants.RoleTableColumns.UM_ROLE_NAME, roleName); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setInt(RoleConstants.RoleTableColumns.UM_AUDIENCE_REF_ID, audienceRefId); statement.setString(RoleConstants.RoleTableColumns.UM_DOMAIN_NAME, domainName); statement.addBatch(); @@ -2785,7 +2786,7 @@ public String getRoleNameByID(String roleId, String tenantDomain) throws Identit try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false); NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLE_NAME_BY_ID_SQL)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); int count = 0; try (ResultSet resultSet = statement.executeQuery()) { @@ -2824,7 +2825,7 @@ public String getRoleIdByName(String roleName, String audience, String audienceI NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_ROLE_ID_BY_NAME_AND_AUDIENCE_SQL)) { statement.setString(RoleConstants.RoleTableColumns.UM_ROLE_NAME, removeInternalDomain(roleName)); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_AUDIENCE, audience); statement.setString(RoleConstants.RoleTableColumns.UM_AUDIENCE_ID, audienceId); int count = 0; @@ -2905,7 +2906,7 @@ private int getAudienceRefByID(String roleId, String tenantDomain) throws Identi NamedPreparedStatement statement = new NamedPreparedStatement( connection, GET_AUDIENCE_REF_BY_ID_FROM_UM_HYBRID_ROLE_SQL)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); try (ResultSet resultSet = statement.executeQuery()) { if (resultSet.next()) { @@ -2969,7 +2970,7 @@ public List getUserListOfRole(String roleId, String tenantDomain) try (NamedPreparedStatement statement = new NamedPreparedStatement(connection, query)) { statement.setString(RoleConstants.RoleTableColumns.UM_ROLE_NAME, roleName); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setInt(RoleConstants.RoleTableColumns.UM_AUDIENCE_REF_ID, audienceRefId); statement.setInt(RoleConstants.LIMIT, limit); statement.setInt(RoleConstants.OFFSET, offset); @@ -3081,7 +3082,7 @@ public boolean isExistingRoleID(String roleId, String tenantDomain) throws Ident NamedPreparedStatement statement = new NamedPreparedStatement( connection, IS_ROLE_ID_EXIST_FROM_UM_HYBRID_ROLE_SQL)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); try (ResultSet resultSet = statement.executeQuery()) { if (resultSet.next()) { @@ -3169,7 +3170,7 @@ public List getGroupListOfRole(String roleId, String tenantDomai NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_GROUP_LIST_OF_ROLE_SQL)) { statement.setString(RoleConstants.RoleTableColumns.UM_ROLE_NAME, roleName); - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, tenantId); + statement.setInt(UM_TENANT_ID, tenantId); statement.setInt(RoleConstants.RoleTableColumns.UM_AUDIENCE_REF_ID, audienceRefId); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { @@ -3485,7 +3486,7 @@ private void deleteSharedHybridRoles(String roleId, int mainTenantId, Connection try { try (NamedPreparedStatement selectStatement = new NamedPreparedStatement(connection, GET_SHARED_HYBRID_ROLE_WITH_MAIN_ROLE_SQL)) { - selectStatement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, mainTenantId); + selectStatement.setInt(UM_TENANT_ID, mainTenantId); selectStatement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); List> idsToDelete = new ArrayList<>(); @@ -3500,7 +3501,7 @@ private void deleteSharedHybridRoles(String roleId, int mainTenantId, Connection DELETE_SHARED_ROLE)) { for (Map.Entry idPair : idsToDelete) { deleteStatement.setInt(RoleConstants.RoleTableColumns.UM_ID, idPair.getKey()); - deleteStatement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, idPair.getValue()); + deleteStatement.setInt(UM_TENANT_ID, idPair.getValue()); deleteStatement.addBatch(); } deleteStatement.executeBatch(); @@ -3526,7 +3527,7 @@ private List getSharedHybridRoles(String roleId, int mainTenantId, List hybridRoles = new ArrayList<>(); try (NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_SHARED_ROLES_SQL)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, mainTenantId); + statement.setInt(UM_TENANT_ID, mainTenantId); statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { @@ -3756,7 +3757,7 @@ public List getSharedHybridRoles(String roleId, int mainTenantId) throw List hybridRoles = new ArrayList<>(); try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(true); NamedPreparedStatement statement = new NamedPreparedStatement(connection, GET_SHARED_ROLES_SQL)) { - statement.setInt(RoleConstants.RoleTableColumns.UM_TENANT_ID, mainTenantId); + statement.setInt(UM_TENANT_ID, mainTenantId); statement.setString(RoleConstants.RoleTableColumns.UM_UUID, roleId); try (ResultSet resultSet = statement.executeQuery()) { while (resultSet.next()) { diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java index c3b422e95263..5158abcb304c 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java @@ -18,6 +18,11 @@ package org.wso2.carbon.identity.role.v2.mgt.core.dao; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_PERMITTED_ORG_ID; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_ROLE_ID; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_TENANT_ID; +import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.RoleTableColumns.UM_USER_NAME; + /** * SQL Queries used in {@link RoleDAOImpl}. */ @@ -416,18 +421,19 @@ public class SQLQueries { "VALUES (:UM_SHARED_ROLE_ID;, :UM_MAIN_ROLE_ID;, :UM_SHARED_ROLE_TENANT_ID;, :UM_MAIN_ROLE_TENANT_ID;)"; public static final String GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_HEAD = - "SELECT UM_USER_NAME FROM UM_HYBRID_USER_ROLE WHERE UM_ROLE_ID = :roleId; AND UM_USER_NAME IN ("; + "SELECT UM_USER_NAME FROM UM_HYBRID_USER_ROLE WHERE UM_ROLE_ID = :" + UM_USER_NAME + "; AND " + + "UM_USER_NAME IN ("; public static final String GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_TAIL = - "); AND UM_TENANT_ID = :tenantId; AND UM_EDIT_RESTRICTION = 'NOT_RESTRICTED';"; + "); AND UM_TENANT_ID = :" + UM_TENANT_ID + "; AND UM_EDIT_RESTRICTION = 'NOT_RESTRICTED';"; public static final String GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD = "SELECT r.UM_USER_NAME FROM UM_HYBRID_USER_ROLE r " + "INNER JOIN UM_HYBRID_USER_ROLE_RESTRICTED_EDIT_PERMISSIONS p " + "ON r.UM_ID = p.UM_HYBRID_USER_ROLE_ID AND r.UM_TENANT_ID = p.UM_HYBRID_USER_ROLE_TENANT_ID " - + "WHERE r.UM_ROLE_ID = :roleId; AND r.UM_USER_NAME IN ("; + + "WHERE r.UM_ROLE_ID = :" + UM_ROLE_ID + "; AND r.UM_USER_NAME IN ("; public static final String GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL = - "); AND r.UM_TENANT_ID = :tenantId; AND p.UM_PERMITTED_ORG_ID = :permittedOrgId; " + - "AND r.UM_EDIT_OPERATION = 'DELETE'; AND r.UM_EDIT_RESTRICTION = 'RESTRICTED';"; + "); AND r.UM_TENANT_ID = :" + UM_TENANT_ID + "; AND p.UM_PERMITTED_ORG_ID = :" + UM_PERMITTED_ORG_ID + + "; AND r.UM_EDIT_OPERATION = 'DELETE'; AND r.UM_EDIT_RESTRICTION = 'RESTRICTED';"; } From 1bd41eaa3a7bf137c16bcef3c628eeccbc74314c Mon Sep 17 00:00:00 2001 From: BimsaraBodaragama Date: Tue, 21 Jan 2025 01:39:51 +0530 Subject: [PATCH 6/7] Update Format. --- .../wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java | 1 - 1 file changed, 1 deletion(-) diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java index 4ce7ff95a782..b072d21a7945 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java @@ -1811,7 +1811,6 @@ public List getEligibleUsernamesForUserRemovalFromRole(String roleId, Li roleId, tenantDomain); throw new IdentityRoleManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), errorMessage, e); } - return permittedUserNames; } From a6c313d3ff1f88bd1532cd8b5f78cb30653dfdb4 Mon Sep 17 00:00:00 2001 From: BimsaraBodaragama Date: Tue, 21 Jan 2025 15:02:37 +0530 Subject: [PATCH 7/7] Update licence headers and a few variable names. --- .../role/v2/mgt/core/RoleManagementService.java | 2 +- .../v2/mgt/core/RoleManagementServiceImpl.java | 2 +- .../identity/role/v2/mgt/core/dao/RoleDAO.java | 9 +++------ .../role/v2/mgt/core/dao/RoleDAOImpl.java | 16 ++++++++-------- .../role/v2/mgt/core/dao/SQLQueries.java | 2 +- 5 files changed, 14 insertions(+), 17 deletions(-) diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementService.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementService.java index eaa756e1932e..6e5d2103b607 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementService.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementService.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023-2024, WSO2 LLC. (http://www.wso2.com). + * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com). * * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java index ade22391b2e9..bcf597b024c1 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleManagementServiceImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023-2024, WSO2 LLC. (http://www.wso2.com). + * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com). * * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java index cc4562ecbec0..777ba05f925d 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAO.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023-2024, WSO2 LLC. (http://www.wso2.com). + * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com). * * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except @@ -514,19 +514,16 @@ default boolean isSharedRole(String roleId, String tenantDomain) throws Identity /** * Retrieve the list of usernames eligible to be removed from the specified role within the given tenant domain, * based on the permissions of the requesting organization. - *

- * This method ensures that the requesting organization has the necessary permissions to remove the specified users - * from the given role. * * @param roleId The role ID from which the users are to be removed. - * @param usernamesToBeRemoved The list of usernames intended for removal. + * @param deletedUserNamesList The list of usernames intended for removal. * @param tenantDomain The tenant domain where the operation is being performed. * @param requestingOrgId The ID of the requesting organization performing the operation. * @return A list of usernames that the requesting organization is permitted to remove from the given role. * @throws IdentityRoleManagementException If an error occurs while validating the permissions or retrieving * eligible usernames. */ - default List getEligibleUsernamesForUserRemovalFromRole(String roleId, List usernamesToBeRemoved, + default List getEligibleUsernamesForUserRemovalFromRole(String roleId, List deletedUserNamesList, String tenantDomain, String requestingOrgId) throws IdentityRoleManagementException { diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java index b072d21a7945..270b4e0aa0d5 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023-2024, WSO2 LLC. (http://www.wso2.com). + * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com). * * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except @@ -1746,29 +1746,29 @@ public List getEligibleUsernamesForUserRemovalFromRole(String roleId, Li throws IdentityRoleManagementException { if (CollectionUtils.isEmpty(deletedUserNamesList)) { - return Collections.emptyList(); // Return early if no usernames are provided + return Collections.emptyList(); // Return early if no usernames are provided. } int tenantId = IdentityTenantUtil.getTenantId(tenantDomain); List permittedUserNames = new ArrayList<>(); - // Dynamically build placeholders for the IN clause + // Dynamically build placeholders for the IN clause. String placeholders = deletedUserNamesList.stream() .map(username -> ":" + UM_USER_NAME + deletedUserNamesList.indexOf(username)) .collect(Collectors.joining(",")); - // Query 1: NOT_RESTRICTED usernames + // Query 1: NOT_RESTRICTED usernames. String fetchNotRestrictedUsernamesQuery = GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_HEAD + placeholders + GET_NOT_RESTRICTED_USERNAMES_BY_ROLE_TAIL; - // Query 2: RESTRICTED usernames with permitted deletion access + // Query 2: RESTRICTED usernames with permitted deletion access. String fetchRestrictedUsernamesWithPermittedAccessQuery = GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_HEAD + placeholders + GET_RESTRICTED_USERNAMES_BY_ROLE_AND_ORG_TAIL; try (Connection connection = IdentityDatabaseUtil.getUserDBConnection(false)) { - // Execute Query 1 + // Execute Query 1. try (NamedPreparedStatement preparedStatement1 = new NamedPreparedStatement(connection, fetchNotRestrictedUsernamesQuery)) { preparedStatement1.setString(UM_ROLE_ID, roleId); @@ -1785,7 +1785,7 @@ public List getEligibleUsernamesForUserRemovalFromRole(String roleId, Li } } - // Execute Query 2 + // Execute Query 2. try (NamedPreparedStatement preparedStatement2 = new NamedPreparedStatement(connection, fetchRestrictedUsernamesWithPermittedAccessQuery)) { preparedStatement2.setString(UM_ROLE_ID, roleId); @@ -1807,7 +1807,7 @@ public List getEligibleUsernamesForUserRemovalFromRole(String roleId, Li } } catch (SQLException e) { String errorMessage = - String.format("Error while retrieving permitted usernames for role ID: %s in tenant domain: %s", + String.format("Error while retrieving permitted usernames for role ID: %s in tenant domain: %s.", roleId, tenantDomain); throw new IdentityRoleManagementServerException(UNEXPECTED_SERVER_ERROR.getCode(), errorMessage, e); } diff --git a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java index 5158abcb304c..4dd914c5716c 100644 --- a/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java +++ b/components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/SQLQueries.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023-2024, WSO2 LLC. (http://www.wso2.com). + * Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com). * * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except