Merge pull request #2238 from SujanSanjula96/roles-claim-1

SujanSanjula96 · web-flow · commit fcd75b965d0d · 2023-11-17T07:59:42.000+05:30
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultOIDCClaimsCallbackHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultOIDCClaimsCallbackHandler.java
@@ -25,6 +25,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
 import org.wso2.carbon.identity.application.authentication.framework.handler.approles.ApplicationRolesResolver;
@@ -566,15 +567,30 @@ private Map<String, Object> getUserClaimsInOIDCDialect(String spTenantDomain,
         // Improve runtime claim value storage in cache through https://github.com/wso2/product-is/issues/15056
         requestedClaimUris.removeIf(claim -> claim.startsWith("http://wso2.org/claims/runtime/"));
 
-        boolean requestedAppRoleClaim = false;
+        boolean roleClaimRequested = false;
+        String rolesClaimURI = IdentityUtil.getLocalGroupsClaimURI();
+        if (requestedClaimUris.contains(rolesClaimURI) && !CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+            requestedClaimUris.remove(rolesClaimURI);
+            roleClaimRequested = true;
+        }
+        boolean appRoleClaimRequested = false;
         if (requestedClaimUris.contains(APP_ROLES_CLAIM)) {
             requestedClaimUris.remove(APP_ROLES_CLAIM);
-            requestedAppRoleClaim = true;
+            appRoleClaimRequested = true;
         }
         Map<String, String> userClaims = getUserClaimsInLocalDialect(fullQualifiedUsername, realm, requestedClaimUris);
-        if (requestedAppRoleClaim) {
-            handleAppRoleClaimInLocalDialect(userClaims, authenticatedUser, serviceProvider.getApplicationResourceId());
+
+        if (roleClaimRequested || appRoleClaimRequested) {
+            String[] appAssocatedRolesOfUser = getAppAssociatedRolesOfUser(authenticatedUser,
+                    serviceProvider.getApplicationResourceId());
+            if (roleClaimRequested) {
+                setRoleClaimInLocalDialect(userClaims, appAssocatedRolesOfUser);
+            }
+            if (appRoleClaimRequested) {
+                setAppRoleClaimInLocalDialect(userClaims, appAssocatedRolesOfUser);
+            }
         }
+
         if (isEmpty(userClaims)) {
             // User claims can be empty if user does not exist in user stores. Probably a federated user.
             if (log.isDebugEnabled()) {
@@ -651,25 +667,51 @@ private String resolveUserIdForOrganizationSsoUser(AuthenticatedUser authenticat
     }
 
     /**
-     * Adds the application roles claim for local user.
+     * Get app associated roles of the user.
      *
-     * @param userClaims        User claims in local dialect.
      * @param authenticatedUser Authenticated user.
-     * @param applicationId     Application ID.
-     * @throws ApplicationRolesException Error while getting application roles.
+     * @param applicationId     Application id.
+     * @return App associated roles of the user.
+     * @throws ApplicationRolesException If an error occurred while getting app associated roles.
      */
-    private void handleAppRoleClaimInLocalDialect(Map<String, String> userClaims, AuthenticatedUser authenticatedUser,
-                                                  String applicationId) throws ApplicationRolesException {
+    private String[] getAppAssociatedRolesOfUser(AuthenticatedUser authenticatedUser, String applicationId) throws
+            ApplicationRolesException {
 
         ApplicationRolesResolver appRolesResolver =
                 OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityApplicationRolesResolver();
         if (appRolesResolver == null) {
             log.debug("No application roles resolver found. So not adding application roles claim to the id_token.");
-            return;
+            return new String[0];
+        }
+        return appRolesResolver.getRoles(authenticatedUser, applicationId);
+    }
+
+    /**
+     * Set the roles claim for local user.
+     *
+     * @param userClaims         User claims in local dialect.
+     * @param appAssociatedRoles App associated roles of the user.
+     */
+    private void setRoleClaimInLocalDialect(Map<String, String> userClaims, String[] appAssociatedRoles) {
+
+        String rolesClaimURI = IdentityUtil.getLocalGroupsClaimURI();
+        if (ArrayUtils.isNotEmpty(appAssociatedRoles)) {
+            userClaims.put(rolesClaimURI,
+                    String.join(FrameworkUtils.getMultiAttributeSeparator(), appAssociatedRoles));
         }
-        String[] appRoles = appRolesResolver.getRoles(authenticatedUser, applicationId);
-        if (ArrayUtils.isNotEmpty(appRoles)) {
-            userClaims.put(APP_ROLES_CLAIM, String.join(FrameworkUtils.getMultiAttributeSeparator(), appRoles));
+    }
+
+    /**
+     * Set the application roles claim for local user.
+     *
+     * @param userClaims         User claims in local dialect.
+     * @param appAssociatedRoles App associated roles of the user.
+     */
+    private void setAppRoleClaimInLocalDialect(Map<String, String> userClaims, String[] appAssociatedRoles) {
+
+        if (ArrayUtils.isNotEmpty(appAssociatedRoles)) {
+            userClaims.put(APP_ROLES_CLAIM,
+                    String.join(FrameworkUtils.getMultiAttributeSeparator(), appAssociatedRoles));
         }
     }
 
diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/openidconnect/DefaultOIDCClaimsCallbackHandlerTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/openidconnect/DefaultOIDCClaimsCallbackHandlerTest.java
@@ -40,6 +40,7 @@
 import org.testng.annotations.ObjectFactory;
 import org.testng.annotations.Test;
 import org.w3c.dom.Element;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.base.CarbonBaseConstants;
 import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
@@ -230,6 +231,7 @@ public class DefaultOIDCClaimsCallbackHandlerTest extends PowerMockTestCase {
     @BeforeClass
     public void setUp() throws Exception {
 
+        CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME = false;
         System.setProperty(CarbonBaseConstants.CARBON_HOME, CARBON_HOME);
         BasicDataSource dataSource1 = new BasicDataSource();
         dataSource1.setDriverClassName("org.h2.Driver");
