Merge pull request #6305 from SujanSanjula96/idp-group-3
Introduce Federated IDP group, IDP group claim URI resolving methods with more specific attributes
SujanSanjula96 authored Jan 25, 2025
2 parents 37146a4 + ef91f19 commit a3229c5
Showing 7 changed files with 673 additions and 75 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
* Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
Expand All @@ -19,7 +19,12 @@
package org.wso2.carbon.identity.application.authentication.framework.handler.approles;

import org.wso2.carbon.identity.application.authentication.framework.handler.approles.exception.ApplicationRolesException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.NotImplementedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;

import java.util.Map;

/**
* Application associated roles resolver interface.
Expand Down Expand Up @@ -72,4 +77,23 @@ default String[] getAppAssociatedRolesOfFederatedUser(AuthenticatedUser authenti

return getRoles(authenticatedUser, applicationId);
}

/**
* Get the application associated roles of the federated user.
*
* @param fedUserAttributes Federated user attributes.
* @param identityProvider Identity provider.
* @param applicationId Application ID of the application.
* @param idpGroupClaimURI IDP group claim URI.
* @param tenantDomain Tenant domain.
* @return Array of application associated roles of the federated user.
* @throws ApplicationRolesException If an error occurs while getting app associated roles.
*/
default String[] getAppAssociatedRolesOfFederatedUser(Map<ClaimMapping, String> fedUserAttributes,
IdentityProvider identityProvider, String applicationId,
String idpGroupClaimURI, String tenantDomain)
throws ApplicationRolesException {

throw new NotImplementedException("This functionality is not implemented.");
}
}
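Review bot: The new default overload (the one taking `Map<ClaimMapping, String> fedUserAttributes`) unconditionally throws NotImplementedException, but its Javadoc is a copy of the working overload's and never says so, so an implementor or caller reading the interface cannot tell that this path fails at runtime unless overridden. Add an implementation note such as `@implSpec The default implementation throws {@link NotImplementedException}; resolvers that support attribute-based resolution must override this method.` The other default in this hunk delegates to `getRoles(authenticatedUser, applicationId)` instead of throwing, so stating the contract explicitly keeps the two defaults from looking interchangeable. NotImplementedException is imported from the consent handler's exception package, which is unrelated to app-role resolution; it is presumably unchecked since the method only declares ApplicationRolesException, but that is worth confirming before the import is kept.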
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
* Copyright (c) 2023-2025, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
Expand Down Expand Up @@ -107,6 +107,15 @@ public String[] getAppAssociatedRolesOfLocalUser(AuthenticatedUser authenticated
return getAppAssociatedRolesForLocalUser(authenticatedUser, applicationId);
}

@Override
public String[] getAppAssociatedRolesOfFederatedUser(Map<ClaimMapping, String> fedUserAttributes,
IdentityProvider identityProvider, String applicationId,
String idpGroupClaimURI, String tenantDomain)
throws ApplicationRolesException {

return getAppAssociatedRolesForFederatedUser(fedUserAttributes, identityProvider, applicationId,
idpGroupClaimURI, tenantDomain);
}

/**
* Get app associated roles for local user for given app.
Expand Down Expand Up @@ -189,9 +198,40 @@ private void addSharedRoleAssociations(AuthenticatedUser authenticatedUser, List
private String[] getAppAssociatedRolesForFederatedUser(AuthenticatedUser authenticatedUser, String applicationId,
String idpGroupClaimURI) throws ApplicationRolesException {

Set<String> federatedUserRoleIds = getAllRolesOfFederatedUser(authenticatedUser, idpGroupClaimURI);
List<RoleV2> rolesAssociatedWithApp = getRolesAssociatedWithApplication(applicationId,
authenticatedUser.getTenantDomain());
String tenantDomain = authenticatedUser.getTenantDomain();
String idpName = authenticatedUser.getFederatedIdPName();
IdentityProvider identityProvider = getIDP(idpName, tenantDomain);
Map<ClaimMapping, String> fedUserAttributes = authenticatedUser.getUserAttributes();

Set<String> federatedUserRoleIds =
getAllRolesOfFederatedUser(fedUserAttributes, identityProvider, idpGroupClaimURI, tenantDomain);
List<RoleV2> rolesAssociatedWithApp = getRolesAssociatedWithApplication(applicationId, tenantDomain);

return rolesAssociatedWithApp.stream()
.filter(role -> federatedUserRoleIds.contains(role.getId()))
.map(role -> appendInternalDomain(role.getName()))
.toArray(String[]::new);
}

/**
* Get app associated roles for federated user for given app.
*
* @param fedUserAttributes Federated user attributes.
* @param identityProvider Identity provider.
* @param applicationId Application ID.
* @param idpGroupClaimURI IDP group claim URI.
* @param tenantDomain Tenant domain.
* @return App associated roles for federated user.
* @throws ApplicationRolesException If an error occurred while getting app associated roles for federated user.
*/
private String[] getAppAssociatedRolesForFederatedUser(Map<ClaimMapping, String> fedUserAttributes,
IdentityProvider identityProvider, String applicationId,
String idpGroupClaimURI, String tenantDomain)
throws ApplicationRolesException {

Set<String> federatedUserRoleIds =
getAllRolesOfFederatedUser(fedUserAttributes, identityProvider, idpGroupClaimURI, tenantDomain);
List<RoleV2> rolesAssociatedWithApp = getRolesAssociatedWithApplication(applicationId, tenantDomain);

return rolesAssociatedWithApp.stream()
.filter(role -> federatedUserRoleIds.contains(role.getId()))
Expand Down Expand Up @@ -230,21 +270,23 @@ private Set<String> getAllRolesOfLocalUser(AuthenticatedUser authenticatedUser)
/**
* Get all roles of the federated user.
*
* @param authenticatedUser Authenticated user.
* @param fedUserAttributes Federated user attributes.
* @param identityProvider Identity provider.
* @param idpGroupClaimURI IDP group claim URI.
* @param tenantDomain Tenant domain.
* @return All the roles assigned to the federated user.
* @throws ApplicationRolesException If an error occurred while getting all roles of a federated user.
*/
private Set<String> getAllRolesOfFederatedUser(AuthenticatedUser authenticatedUser, String idpGroupClaimURI)
private Set<String> getAllRolesOfFederatedUser(Map<ClaimMapping, String> fedUserAttributes,
IdentityProvider identityProvider, String idpGroupClaimURI,
String tenantDomain)
throws ApplicationRolesException {

String tenantDomain = authenticatedUser.getTenantDomain();
String idpName = authenticatedUser.getFederatedIdPName();
IdentityProvider identityProvider = getIDP(idpName, tenantDomain);
if (identityProvider == null) {
return Collections.emptySet();
}
IdPGroup[] idpGroups = identityProvider.getIdPGroupConfig();
List<String> idpGroupNamesOfUser = getFederatedIdPGroupNamesOfUser(authenticatedUser, identityProvider,
List<String> idpGroupNamesOfUser = getFederatedIdPGroupNamesOfUser(fedUserAttributes, identityProvider,
idpGroupClaimURI);
if (CollectionUtils.isEmpty(idpGroupNamesOfUser)) {
return Collections.emptySet();
Expand Down Expand Up @@ -343,19 +385,20 @@ private List<RoleV2> getRolesAssociatedWithApplication(String applicationId, Str
/**
* Get federated user IDP groups.
*
* @param authenticatedUser Authenticated user.
* @param fedUserAttributes Federated user attributes.
* @param federatedIdP Federated IDP.
* @param idpGroupClaimURI IDP group claim URI.
* @return Federated user IDP groups.
*/
private List<String> getFederatedIdPGroupNamesOfUser(AuthenticatedUser authenticatedUser,
private List<String> getFederatedIdPGroupNamesOfUser(Map<ClaimMapping, String> fedUserAttributes,
IdentityProvider federatedIdP, String idpGroupClaimURI) {

if (federatedIdP != null) {
if (StringUtils.isEmpty(idpGroupClaimURI)) {
idpGroupClaimURI = FrameworkUtils.getIdpGroupClaimUri(federatedIdP.getClaimConfig().getClaimMappings());
}
if (idpGroupClaimURI != null) {
String[] idpGroups = getIdPUserGroups(authenticatedUser, idpGroupClaimURI);
String[] idpGroups = getIdPUserGroups(fedUserAttributes, idpGroupClaimURI);
if (idpGroups != null && idpGroups.length > 0) {
return Arrays.asList(idpGroups);
}
Expand Down Expand Up @@ -445,15 +488,14 @@ private boolean isDoGetGroupListOfUserNotImplemented(UserStoreException e) {
/**
* Get the IdP groups of the federated authenticated user.
*
* @param authenticatedUser Authenticated federated user.
* @param fedUserAttributes Federated user attributes.
* @param idpGroupClaimUri IDP group claim URI.
* @return IdP groups of the authenticated user.
*/
private String[] getIdPUserGroups(AuthenticatedUser authenticatedUser, String idpGroupClaimUri) {
private String[] getIdPUserGroups(Map<ClaimMapping, String> fedUserAttributes, String idpGroupClaimUri) {

String idpGroupClaimValueSeparator = FrameworkUtils.getIdpGroupClaimValueSeparator();
Map<ClaimMapping, String> userAttributes = authenticatedUser.getUserAttributes();
for (Map.Entry<ClaimMapping, String> entry : userAttributes.entrySet()) {
for (Map.Entry<ClaimMapping, String> entry : fedUserAttributes.entrySet()) {
ClaimMapping claimMapping = entry.getKey();
if (idpGroupClaimUri.equals(claimMapping.getRemoteClaim().getClaimUri())) {
String idPGroupsClaim = entry.getValue();
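Review bot: `getIdPUserGroups` now iterates `fedUserAttributes.entrySet()` on a map that, via the new public overload `getAppAssociatedRolesOfFederatedUser(Map<ClaimMapping, String> ...)`, is supplied directly by the caller instead of being read from the AuthenticatedUser, so a null map throws NullPointerException rather than resolving to no roles. A guard before the loop, `if (fedUserAttributes == null) { return null; }`, preserves the existing outcome, since the only caller shown, getFederatedIdPGroupNamesOfUser, already treats a null result as "no groups" with `idpGroups != null && idpGroups.length > 0`. The same unchecked assumption flows through the new private `getAppAssociatedRolesForFederatedUser(Map...)` overload, and getFederatedIdPGroupNamesOfUser dereferences `federatedIdP.getClaimConfig()` with no null check on the claim config. Because the resolved role names feed authorization, the Javadoc of the new public overload should state that fedUserAttributes must be the attributes asserted by the given identityProvider and that tenantDomain must be the tenant of the authenticated session, which the AuthenticatedUser-based path derives for itself. The body of getIdPUserGroups continues outside the hunk.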