Restrict API resource creation for organizations

ThaminduR · Oct 15, 2023 · 9cd9f88 · 9cd9f88
1 parent 6b04a5d
commit 9cd9f88
Show file tree

Hide file tree

Showing 8 changed files with 148 additions and 4 deletions.
diff --git a/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt/pom.xml b/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt/pom.xml
@@ -39,6 +39,14 @@
             <groupId>org.apache.felix</groupId>
             <artifactId>org.apache.felix.scr.ds-annotations</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.identity.core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
+            <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
+        </dependency>
         <!-- Test dependencies -->
         <dependency>
             <groupId>org.jacoco</groupId>
@@ -121,6 +129,13 @@
                             org.wso2.carbon.user.api; version="${carbon.user.api.imp.pkg.version.range}",
                             org.wso2.carbon.user.core.util; version="${carbon.kernel.package.import.version.range}",
                             org.wso2.carbon.utils; version="${carbon.kernel.package.import.version.range}",
+                            org.wso2.carbon.user.core.tenant;version="${carbon.kernel.package.import.version.range}",
+                            org.wso2.carbon.identity.organization.management.service;
+                            version="${org.wso2.carbon.identity.organization.management.core.version.range}",
+                            org.wso2.carbon.identity.organization.management.service.exception;
+                            version="${org.wso2.carbon.identity.organization.management.core.version.range}",
+                            org.wso2.carbon.user.core.service;
+                            version="${carbon.kernel.package.import.version.range}",
                         </Import-Package>
                     </instructions>
                 </configuration>

diff --git a/...e.mgt/src/main/java/org/wso2/carbon/identity/api/resource/mgt/APIResourceManagerImpl.java b/...e.mgt/src/main/java/org/wso2/carbon/identity/api/resource/mgt/APIResourceManagerImpl.java
@@ -22,6 +22,7 @@
 import org.wso2.carbon.identity.api.resource.mgt.constant.APIResourceManagementConstants;
 import org.wso2.carbon.identity.api.resource.mgt.dao.impl.APIResourceManagementDAOImpl;
 import org.wso2.carbon.identity.api.resource.mgt.dao.impl.CacheBackedAPIResourceMgtDAO;
+import org.wso2.carbon.identity.api.resource.mgt.internal.APIResourceManagementServiceComponentHolder;
 import org.wso2.carbon.identity.api.resource.mgt.model.APIResourceSearchResult;
 import org.wso2.carbon.identity.api.resource.mgt.util.APIResourceManagementUtil;
 import org.wso2.carbon.identity.application.common.model.APIResource;
@@ -32,6 +33,9 @@
 import org.wso2.carbon.identity.core.model.Node;
 import org.wso2.carbon.identity.core.model.OperationNode;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.user.api.Tenant;
+import org.wso2.carbon.user.api.UserStoreException;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -82,7 +86,26 @@ public APIResource getAPIResourceById(String apiResourceId, String tenantDomain)
     public APIResource addAPIResource(APIResource apiResource, String tenantDomain)
             throws APIResourceMgtException {
 
-        return CACHE_BACKED_DAO.addAPIResource(apiResource, IdentityTenantUtil.getTenantId(tenantDomain));
+        try {
+            // Check whether the tenant is a root organization. If not, throw a client error.
+            Tenant tenant = APIResourceManagementServiceComponentHolder.getInstance()
+                    .getRealmService().getTenantManager().getTenant(IdentityTenantUtil.getTenantId(tenantDomain));
+            if (StringUtils.isNotBlank(tenant.getAssociatedOrganizationUUID())) {
+                String organizationId = APIResourceManagementServiceComponentHolder.getInstance()
+                        .getOrganizationManager().resolveOrganizationId(tenantDomain);
+                if (StringUtils.isNotBlank(organizationId)) {
+                    if (!APIResourceManagementServiceComponentHolder.getInstance().getOrganizationManager()
+                            .isPrimaryOrganization(organizationId)) {
+                        throw APIResourceManagementUtil.handleClientException(
+                                APIResourceManagementConstants.ErrorMessages.ERROR_CODE_CREATION_RESTRICTED);
+                    }
+                }
+            }
+            return CACHE_BACKED_DAO.addAPIResource(apiResource, IdentityTenantUtil.getTenantId(tenantDomain));
+        } catch (OrganizationManagementException | UserStoreException e) {
+            throw APIResourceManagementUtil.handleServerException(
+                    APIResourceManagementConstants.ErrorMessages.ERROR_CODE_ERROR_WHILE_ADDING_API_RESOURCE, e);
+        }
     }
 
     @Override

diff --git a/...va/org/wso2/carbon/identity/api/resource/mgt/constant/APIResourceManagementConstants.java b/...va/org/wso2/carbon/identity/api/resource/mgt/constant/APIResourceManagementConstants.java
@@ -74,6 +74,8 @@ public enum ErrorMessages {
                 "Scope already exists for the tenant: %s."),
         ERROR_CODE_INVALID_FILTER_VALUE("60005", "Unable to retrieve API resources.",
                 "Invalid filter value used for filtering."),
+        ERROR_CODE_CREATION_RESTRICTED("60006", "API resource creation restricted for organizations.",
+                "API resources cannot be created in organizations."),
 
         // Server errors.
         ERROR_CODE_ERROR_WHILE_RETRIEVING_API_RESOURCES("65001", "Error while retrieving API resources.",

diff --git a/...wso2/carbon/identity/api/resource/mgt/internal/APIResourceManagementServiceComponent.java b/...wso2/carbon/identity/api/resource/mgt/internal/APIResourceManagementServiceComponent.java
@@ -25,8 +25,13 @@
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Deactivate;
+import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.component.annotations.ReferenceCardinality;
+import org.osgi.service.component.annotations.ReferencePolicy;
 import org.wso2.carbon.identity.api.resource.mgt.APIResourceManager;
 import org.wso2.carbon.identity.api.resource.mgt.APIResourceManagerImpl;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
+import org.wso2.carbon.user.core.service.RealmService;
 
 /**
  * Service component for the API resource management.
@@ -62,4 +67,42 @@ protected void deactivate(ComponentContext context) {
             LOG.error("Error while deactivating API resource management component.", e);
         }
     }
+
+    @Reference(
+            name = "organization.service",
+            service = OrganizationManager.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetOrganizationManager"
+    )
+    protected void setOrganizationManager(OrganizationManager organizationManager) {
+
+        APIResourceManagementServiceComponentHolder.getInstance().setOrganizationManager(organizationManager);
+        LOG.debug("Set the organization management service.");
+    }
+
+    protected void unsetOrganizationManager(OrganizationManager organizationManager) {
+
+        APIResourceManagementServiceComponentHolder.getInstance().setOrganizationManager(null);
+        LOG.debug("Unset organization management service.");
+    }
+
+    @Reference(
+            name = "realm.service",
+            service = RealmService.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetRealmService"
+    )
+    protected void setRealmService(RealmService realmService) {
+
+        APIResourceManagementServiceComponentHolder.getInstance().setRealmService(realmService);
+        LOG.debug("Set the Realm Service");
+    }
+
+    protected void unsetRealmService(RealmService realmService) {
+
+        APIResourceManagementServiceComponentHolder.getInstance().setRealmService(null);
+        LOG.debug("Unset the Realm Service");
+    }
 }
diff --git a/...arbon/identity/api/resource/mgt/internal/APIResourceManagementServiceComponentHolder.java b/...arbon/identity/api/resource/mgt/internal/APIResourceManagementServiceComponentHolder.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.api.resource.mgt.internal;
+
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
+import org.wso2.carbon.user.core.service.RealmService;
+
+/**
+ * API Resource Management Service Component Holder class.
+ */
+public class APIResourceManagementServiceComponentHolder {
+
+    private static final APIResourceManagementServiceComponentHolder instance = new
+            APIResourceManagementServiceComponentHolder();
+
+    private OrganizationManager organizationManager;
+    private RealmService realmService;
+
+    public static APIResourceManagementServiceComponentHolder getInstance() {
+
+        return instance;
+    }
+
+    public OrganizationManager getOrganizationManager() {
+
+        return organizationManager;
+    }
+
+    public void setOrganizationManager(OrganizationManager organizationManager) {
+
+        this.organizationManager = organizationManager;
+    }
+
+    public RealmService getRealmService() {
+
+        return realmService;
+    }
+
+    public void setRealmService(RealmService realmService) {
+
+        this.realmService = realmService;
+    }
+}
diff --git a/...e.mgt/src/test/java/org/wso2/carbon/identity/api/resource/mgt/APIResourceManagerTest.java b/...e.mgt/src/test/java/org/wso2/carbon/identity/api/resource/mgt/APIResourceManagerTest.java
@@ -25,6 +25,7 @@
 import org.testng.annotations.DataProvider;
 import org.testng.annotations.Test;
 import org.wso2.carbon.context.CarbonContext;
+import org.wso2.carbon.identity.api.resource.mgt.internal.APIResourceManagementServiceComponentHolder;
 import org.wso2.carbon.identity.api.resource.mgt.model.APIResourceSearchResult;
 import org.wso2.carbon.identity.application.common.model.APIResource;
 import org.wso2.carbon.identity.application.common.model.Scope;
@@ -41,7 +42,7 @@
 @WithAxisConfiguration
 @WithCarbonHome
 @WithRegistry
-@WithRealmService
+@WithRealmService(injectToSingletons = {APIResourceManagementServiceComponentHolder.class}, initUserStoreManager = true)
 @WithH2Database(files = {"dbscripts/h2.sql"})
 public class APIResourceManagerTest extends PowerMockTestCase {
 

diff --git a/...java/org/wso2/carbon/identity/application/mgt/AuthorizedAPIManagementServiceImplTest.java b/...java/org/wso2/carbon/identity/application/mgt/AuthorizedAPIManagementServiceImplTest.java
@@ -32,6 +32,7 @@
 import org.wso2.carbon.identity.api.resource.mgt.APIResourceManager;
 import org.wso2.carbon.identity.api.resource.mgt.APIResourceManagerImpl;
 import org.wso2.carbon.identity.api.resource.mgt.APIResourceMgtException;
+import org.wso2.carbon.identity.api.resource.mgt.internal.APIResourceManagementServiceComponentHolder;
 import org.wso2.carbon.identity.application.common.model.APIResource;
 import org.wso2.carbon.identity.application.common.model.AuthorizedAPI;
 import org.wso2.carbon.identity.application.common.model.AuthorizedScopes;
@@ -75,7 +76,7 @@
 @WithAxisConfiguration
 @WithCarbonHome
 @WithRegistry
-@WithRealmService
+@WithRealmService(injectToSingletons = {APIResourceManagementServiceComponentHolder.class}, initUserStoreManager = true)
 @WithH2Database(files = {"dbscripts/identity.sql"})
 public class AuthorizedAPIManagementServiceImplTest extends PowerMockTestCase {
 

diff --git a/pom.xml b/pom.xml
@@ -1820,7 +1820,7 @@
         <carbon.identity.package.export.version>${project.version}</carbon.identity.package.export.version>
         <carbon.identity.package.import.version.range>[5.14.0, 6.0.0)</carbon.identity.package.import.version.range>
 
-        <org.wso2.carbon.identity.organization.management.core.version>1.0.0
+        <org.wso2.carbon.identity.organization.management.core.version>1.0.65
         </org.wso2.carbon.identity.organization.management.core.version>
         <org.wso2.carbon.identity.organization.management.core.version.range>[1.0.0, 2.0.0)
         </org.wso2.carbon.identity.organization.management.core.version.range>