From cddc02c2e10eeef0bd325f592f8da5bd79163ff0 Mon Sep 17 00:00:00 2001 From: Thamindu Aluthwala Date: Mon, 13 Nov 2023 22:26:03 +0530 Subject: [PATCH 1/2] Fix for authorized orgs in legacy runtime --- .../pom.xml | 1 + .../service/constant/SQLConstants.java | 46 +++++++++++ .../impl/OrganizationManagementDAOImpl.java | 81 ++++++++++++++++--- 3 files changed, 115 insertions(+), 13 deletions(-) diff --git a/components/org.wso2.carbon.identity.organization.management.service/pom.xml b/components/org.wso2.carbon.identity.organization.management.service/pom.xml index ba74dc05..83c874e0 100644 --- a/components/org.wso2.carbon.identity.organization.management.service/pom.xml +++ b/components/org.wso2.carbon.identity.organization.management.service/pom.xml @@ -124,6 +124,7 @@ org.wso2.carbon.user.core.tenant;version="${carbon.kernel.package.import.version.range}", org.wso2.carbon.user.core.util;version="${carbon.kernel.package.import.version.range}", org.wso2.carbon.utils;version="${carbon.kernel.package.import.version.range}", + org.wso2.carbon;version="${carbon.kernel.package.import.version.range}", diff --git a/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/constant/SQLConstants.java b/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/constant/SQLConstants.java index 03dfd36c..977dad9f 100644 --- a/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/constant/SQLConstants.java +++ b/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/constant/SQLConstants.java 
@@ -257,6 +257,52 @@ public class SQLConstants { "UM_ORG_HIERARCHY WHERE UM_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ID + "; AND DEPTH = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_DEPTH + ";"; + public static final String GET_ORGANIZATIONS_LEGACY = "SELECT DISTINCT UM_ORG.UM_ID, UM_ORG.UM_ORG_NAME, " + + "UM_ORG.UM_CREATED_TIME, UM_ORG.UM_STATUS FROM UM_ORG " + + "INNER JOIN UM_ORG_ROLE ON UM_ORG_ROLE.UM_ORG_ID = UM_ORG.UM_ID " + + "INNER JOIN UM_ORG_ROLE_USER ON UM_ORG_ROLE.UM_ROLE_ID = UM_ORG_ROLE_USER.UM_ROLE_ID " + + "INNER JOIN UM_ORG_ROLE_PERMISSION ON UM_ORG_ROLE.UM_ROLE_ID = UM_ORG_ROLE_PERMISSION.UM_ROLE_ID " + + "INNER JOIN UM_ORG_PERMISSION ON UM_ORG_ROLE_PERMISSION.UM_PERMISSION_ID = UM_ORG_PERMISSION.UM_ID " + + "WHERE "; + + public static final String GET_ORGANIZATIONS_WITHOUT_PERMISSION_CHECK = "SELECT DISTINCT UM_ORG.UM_ID, " + + "UM_ORG.UM_ORG_NAME, UM_ORG.UM_CREATED_TIME, UM_ORG.UM_STATUS FROM UM_ORG WHERE "; + + public static final String GET_ORGANIZATIONS_TAIL_LEGACY = "UM_ORG_ROLE_USER.UM_USER_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + "; AND UM_ORG_PERMISSION.UM_RESOURCE_ID IN (" + + PERMISSION_LIST_PLACEHOLDER + ") AND UM_ORG.UM_ID IN (SELECT O.UM_ID FROM UM_ORG O JOIN " + + "UM_ORG_HIERARCHY OH ON O.UM_ID = OH.UM_ID WHERE OH.UM_PARENT_ID = (SELECT UM_ID FROM UM_ORG WHERE %s) " + + "AND OH.DEPTH %s) ORDER BY UM_ORG.UM_CREATED_TIME %s LIMIT :" + SQLPlaceholders.DB_SCHEMA_LIMIT + ";"; + + public static final String GET_ORGANIZATIONS_TAIL_WITHOUT_PERMISSION_CHECK = "UM_ORG.UM_ID IN " + + "(SELECT O.UM_ID FROM UM_ORG O JOIN UM_ORG_HIERARCHY OH ON O.UM_ID = OH.UM_ID " + + "WHERE OH.UM_PARENT_ID = (SELECT UM_ID FROM UM_ORG WHERE %s) " + + "AND OH.DEPTH %s) ORDER BY UM_ORG.UM_CREATED_TIME %s LIMIT :" + SQLPlaceholders.DB_SCHEMA_LIMIT + ";"; + + public static final String GET_ORGANIZATIONS_TAIL_ORACLE_LEGACY = "UM_ORG_ROLE_USER.UM_USER_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + "; AND 
UM_ORG_PERMISSION.UM_RESOURCE_ID IN (" + + PERMISSION_LIST_PLACEHOLDER + ") AND UM_ORG.UM_ID IN (SELECT O.UM_ID FROM UM_ORG O JOIN " + + "UM_ORG_HIERARCHY OH ON O.UM_ID = OH.UM_ID WHERE OH.UM_PARENT_ID = (SELECT UM_ID FROM UM_ORG WHERE %s) " + + "AND OH.DEPTH %s) ORDER BY UM_ORG.UM_CREATED_TIME %s FETCH FIRST :" + SQLPlaceholders.DB_SCHEMA_LIMIT + + "; ROWS ONLY"; + + public static final String GET_ORGANIZATIONS_TAIL_ORACLE_WITHOUT_PERMISSION_CHECK = "UM_ORG.UM_ID IN " + + "(SELECT O.UM_ID FROM UM_ORG O JOIN UM_ORG_HIERARCHY OH ON O.UM_ID = OH.UM_ID WHERE OH.UM_PARENT_ID = " + + "(SELECT UM_ID FROM UM_ORG WHERE %s) AND OH.DEPTH %s) ORDER BY UM_ORG.UM_CREATED_TIME %s FETCH FIRST :" + + SQLPlaceholders.DB_SCHEMA_LIMIT + "; ROWS ONLY"; + + public static final String GET_ORGANIZATIONS_TAIL_MSSQL_LEGACY = "UM_ORG_ROLE_USER.UM_USER_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + "; AND UM_ORG_PERMISSION.UM_RESOURCE_ID IN (" + + PERMISSION_LIST_PLACEHOLDER + ") AND UM_ORG.UM_ID IN (SELECT O.UM_ID FROM UM_ORG O JOIN " + + "UM_ORG_HIERARCHY OH ON O.UM_ID = OH.UM_ID WHERE OH.UM_PARENT_ID = (SELECT UM_ID FROM UM_ORG WHERE %s) " + + "AND OH.DEPTH %s) ORDER BY UM_ORG.UM_CREATED_TIME %s OFFSET 0 ROWS FETCH NEXT :" + + SQLPlaceholders.DB_SCHEMA_LIMIT + "; ROWS ONLY"; + + public static final String GET_ORGANIZATIONS_TAIL_MSSQL_WITHOUT_PERMISSION_CHECK = "UM_ORG.UM_ID IN " + + "(SELECT O.UM_ID FROM UM_ORG O JOIN UM_ORG_HIERARCHY OH ON O.UM_ID = OH.UM_ID WHERE OH.UM_PARENT_ID = " + + "(SELECT UM_ID FROM UM_ORG WHERE %s) AND OH.DEPTH %s) ORDER BY UM_ORG.UM_CREATED_TIME %s OFFSET 0 ROWS " + + "FETCH NEXT :" + SQLPlaceholders.DB_SCHEMA_LIMIT + "; ROWS ONLY"; + /** * SQL Placeholders. */ 
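Review bot: None of the eight new constants carries a Javadoc saying when it is selected, although the split between the `_LEGACY` group and the `_WITHOUT_PERMISSION_CHECK` group (plus their ORACLE/MSSQL siblings) is exactly what the DAO branches on; a one-line comment per group, e.g. `/** Legacy authz runtime: joins UM_ORG_ROLE / UM_ORG_ROLE_USER / UM_ORG_PERMISSION so only orgs where the user holds one of the bound permissions are returned. */` and, for the other group, a note that the result carries no per-user restriction and the caller is expected to have authorized the request, would make the contract explicit. The three `%s` slots are filled with `String.format` in the DAO; the Javadoc should state they are for the parent-id condition, the depth condition and the sort order and expect fixed fragments or named `:x;` placeholders, never raw request input. `PERMISSION_LIST_PLACEHOLDER` must be replaced with at least one bound placeholder before execution, since `IN ()` is not valid SQL, and that precondition belongs in the comment too. The six tail strings differ only in their pagination clause, so a shared head fragment with a per-dialect suffix would cut the duplication, though that is cosmetic.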
diff --git a/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java b/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java
index 6e641831..a6c89119 100644
--- a/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java
+++ b/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java
@@ -22,6 +22,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate;
 import org.wso2.carbon.database.utils.jdbc.exceptions.DataAccessException;
 import org.wso2.carbon.database.utils.jdbc.exceptions.TransactionException;
@@ -112,6 +113,7 @@
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.VIEW_ID_COLUMN;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.VIEW_LAST_MODIFIED_COLUMN;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.VIEW_NAME_COLUMN;
+import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.VIEW_ORGANIZATION_PERMISSION;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.VIEW_PARENT_ID_COLUMN;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.VIEW_STATUS_COLUMN;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.VIEW_TENANT_UUID_COLUMN;
@@ -136,7 +138,11 @@
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_BY_NAME;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_MSSQL;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_MSSQL_WITHOUT_PERMISSION_CHECK;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_ORACLE;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_ORACLE_WITHOUT_PERMISSION_CHECK;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_WITHOUT_PERMISSION_CHECK;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_WITHOUT_PERMISSION_CHECK;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL_MSSQL;
@@ -703,23 +709,44 @@ private List getOrganizationsList(boolean authorizedSubOrgsOn String parentIdFilterQuery = parentIdFilterQueryBuilder.getFilterQuery(); String sqlStmt; - String getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL - : GET_ORGANIZATIONS_TAIL; - - if (isOracleDB()) { - getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL_ORACLE - : GET_ORGANIZATIONS_TAIL_ORACLE; - } else if (isMSSqlDB()) { - getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL_MSSQL - : GET_ORGANIZATIONS_TAIL_MSSQL; - } + String getOrgSqlStmtTail; + if (!CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) { + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL + : GET_ORGANIZATIONS_TAIL; + + if (isOracleDB()) { + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL_ORACLE + : GET_ORGANIZATIONS_TAIL_ORACLE; + } else if (isMSSqlDB()) { + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL_MSSQL + : GET_ORGANIZATIONS_TAIL_MSSQL; + } - if (authorizedSubOrgsOnly) { - sqlStmt = GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS; + if (authorizedSubOrgsOnly) { + sqlStmt = GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS; + } else { + sqlStmt = GET_ORGANIZATIONS; + } } else { - sqlStmt = GET_ORGANIZATIONS; + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL + : GET_ORGANIZATIONS_TAIL_WITHOUT_PERMISSION_CHECK; + + if (isOracleDB()) { + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL_ORACLE + : GET_ORGANIZATIONS_TAIL_ORACLE_WITHOUT_PERMISSION_CHECK; + } else if (isMSSqlDB()) { + getOrgSqlStmtTail = authorizedSubOrgsOnly ? 
GET_ORGANIZATIONS_TAIL_MSSQL + : GET_ORGANIZATIONS_TAIL_MSSQL_WITHOUT_PERMISSION_CHECK; + } + + if (authorizedSubOrgsOnly) { + sqlStmt = GET_ORGANIZATIONS; + } else { + sqlStmt = GET_ORGANIZATIONS_WITHOUT_PERMISSION_CHECK; + } } + if (StringUtils.isBlank(parentIdFilterQuery)) { sqlStmt += filterQueryBuilder.getFilterQuery() + String.format(getOrgSqlStmtTail, SET_ID, recursive ? "> 0" : "= 1", sortOrder); @@ -728,6 +755,25 @@ private List getOrganizationsList(boolean authorizedSubOrgsOn String.format(getOrgSqlStmtTail, parentIdFilterQuery, recursive ? "> 0" : "= 1", sortOrder); } + List permissions; + String permissionPlaceholder; + if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) { + permissionPlaceholder = "PERMISSION_"; + permissions = getAllowedPermissions(VIEW_ORGANIZATION_PERMISSION); + List permissionPlaceholders = new ArrayList<>(); + if (authorizedSubOrgsOnly) { + // Constructing the placeholders required to hold the permission strings in the named prepared + // statement. + for (int i = 1; i <= permissions.size(); i++) { + permissionPlaceholders.add(":" + permissionPlaceholder + i + ";"); + } + String placeholder = String.join(", ", permissionPlaceholders); + sqlStmt = sqlStmt.replace(PERMISSION_LIST_PLACEHOLDER, placeholder); + } + } else { + permissionPlaceholder = ""; + permissions = new ArrayList<>(); + } List organizations; NamedJdbcTemplate namedJdbcTemplate = Utils.getNewTemplate(); @@ -757,6 +803,15 @@ private List getOrganizationsList(boolean authorizedSubOrgsOn namedPreparedStatement.setString(entry.getKey(), entry.getValue()); } } + if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) { + if (authorizedSubOrgsOnly) { + int index = 1; + for (String permission : permissions) { + namedPreparedStatement.setString(permissionPlaceholder + index, permission); + index++; + } + } + } namedPreparedStatement.setInt(DB_SCHEMA_LIMIT, limit); }); } catch (DataAccessException e) { From fbbf673d1cdff9be677e917e29589af98f09c869 Mon Sep 17 00:00:00 2001 
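Review bot: The per-dialect tail selection is written out twice, once in each branch of `if (!CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME)`, with the `isOracleDB()`/`isMSSqlDB()` checks and the `authorizedSubOrgsOnly` ternaries repeated verbatim; the branches differ only in which constant pair is chosen, so a helper that receives the candidates and applies the dialect check once would keep a future dialect addition a one-place change. Leading with the negated condition also puts the legacy case last, which is the opposite of how the rest of the hunk is organised; `if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) { … } else { … }` reads more directly. The sketch below shows the helper and the non-legacy call; the legacy branch would make the same call with its own constant pairs. `getOrganizationsList` starts and ends outside this hunk.
```java
String getOrgSqlStmtTail;
if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
    // … legacy branch: same helper call with the legacy / without-permission-check constants …
} else {
    getOrgSqlStmtTail = selectTailForDialect(authorizedSubOrgsOnly,
            GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL, GET_ORGANIZATIONS_TAIL,
            GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL_ORACLE, GET_ORGANIZATIONS_TAIL_ORACLE,
            GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS_TAIL_MSSQL, GET_ORGANIZATIONS_TAIL_MSSQL);
    sqlStmt = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_WITH_USER_ASSOCIATIONS : GET_ORGANIZATIONS;
}
// … unchanged: parentIdFilterQuery handling and String.format of the tail …

/**
 * Picks the pagination tail for the active DB dialect. The first constant of each pair is used
 * when only the caller's authorized sub-organizations are listed, the second otherwise.
 */
private String selectTailForDialect(boolean authorizedSubOrgsOnly, String defaultAuthz, String defaultAll,
                                    String oracleAuthz, String oracleAll, String mssqlAuthz, String mssqlAll) {

    if (isOracleDB()) {
        return authorizedSubOrgsOnly ? oracleAuthz : oracleAll;
    }
    if (isMSSqlDB()) {
        return authorizedSubOrgsOnly ? mssqlAuthz : mssqlAll;
    }
    return authorizedSubOrgsOnly ? defaultAuthz : defaultAll;
}
```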
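Review bot: In the legacy branch, if `getAllowedPermissions(VIEW_ORGANIZATION_PERMISSION)` returns an empty list, `permissionPlaceholders` stays empty and `sqlStmt.replace(PERMISSION_LIST_PLACEHOLDER, placeholder)` leaves `UM_RESOURCE_ID IN ()` in the statement, which fails at execute time with a SQL syntax error instead of yielding a clean empty result. The list should be checked before the replace and the method should fail closed, e.g. `if (permissions.isEmpty()) { return Collections.emptyList(); }` (or throw, if an empty allowed-permission set is considered a configuration error; I cannot tell from this hunk which the service layer expects). The splice itself is sound because only `:PERMISSION_n;` binder tokens are inserted into the SQL and the permission strings are bound later via `setString`; a comment on the replace line, `// Only named-binder tokens are spliced into the SQL; the permission values are bound below.`, would stop a future reader from mistaking it for string-built SQL. Minor style: `permissionPlaceholders` is declared outside the `if (authorizedSubOrgsOnly)` block that is its only user, and the else-branch `new ArrayList<>()` is never modified so `Collections.emptyList()` would do. `getOrganizationsList` continues outside the hunk.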
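Review bot: The two nested `if`s guard a single loop and can be collapsed to `if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME && authorizedSubOrgsOnly) {`, so that this site and the placeholder-building site visibly use the same condition. The binder names are built here as `permissionPlaceholder + index` starting at 1 while the tokens spliced into `sqlStmt` earlier are `":" + permissionPlaceholder + i + ";"` with `i` also starting at 1; the two loops must stay in lock-step, and a comment such as `// Must match the :PERMISSION_n; tokens spliced into sqlStmt above (1-based).` would record that coupling. The manual `index` counter could then become an indexed `for` over `permissions.size()`. The enclosing lambda and `getOrganizationsList` continue outside the hunk.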
From: Thamindu Aluthwala Date: Tue, 14 Nov 2023 13:11:53 +0530 Subject: [PATCH 2/2] Use legacy sql queries --- .../dao/impl/OrganizationManagementDAOImpl.java | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java b/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java index a6c89119..da5f3519 100644 --- a/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java +++ b/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/dao/impl/OrganizationManagementDAOImpl.java 
@@ -136,10 +136,14 @@
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_CHILD_ORGANIZATION_IDS;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_BY_NAME;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_LEGACY;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_LEGACY;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_MSSQL;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_MSSQL_LEGACY;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_MSSQL_WITHOUT_PERMISSION_CHECK;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_ORACLE;
+import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_ORACLE_LEGACY;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_ORACLE_WITHOUT_PERMISSION_CHECK;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_TAIL_WITHOUT_PERMISSION_CHECK;
 import static org.wso2.carbon.identity.organization.management.service.constant.SQLConstants.GET_ORGANIZATIONS_WITHOUT_PERMISSION_CHECK;
@@ -728,19 +732,19 @@ private List getOrganizationsList(boolean authorizedSubOrgsOn sqlStmt = GET_ORGANIZATIONS; } } else { - getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL_LEGACY : GET_ORGANIZATIONS_TAIL_WITHOUT_PERMISSION_CHECK; if (isOracleDB()) { - getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL_ORACLE + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL_ORACLE_LEGACY : GET_ORGANIZATIONS_TAIL_ORACLE_WITHOUT_PERMISSION_CHECK; } else if (isMSSqlDB()) { - getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL_MSSQL + getOrgSqlStmtTail = authorizedSubOrgsOnly ? GET_ORGANIZATIONS_TAIL_MSSQL_LEGACY : GET_ORGANIZATIONS_TAIL_MSSQL_WITHOUT_PERMISSION_CHECK; } if (authorizedSubOrgsOnly) { - sqlStmt = GET_ORGANIZATIONS; + sqlStmt = GET_ORGANIZATIONS_LEGACY; } else { sqlStmt = GET_ORGANIZATIONS_WITHOUT_PERMISSION_CHECK; }
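Review bot: The legacy branch now builds its head from `GET_ORGANIZATIONS_LEGACY`, which joins the role and permission tables, but nothing in the code says why the legacy runtime needs a different head while the non-legacy branch keeps `GET_ORGANIZATIONS`; a comment on the `else`, e.g. `// Legacy authz runtime: org visibility is derived from UM_ORG_ROLE / UM_ORG_PERMISSION, so the head must carry those joins and the tail must bind the allowed permission list.`, would record the contract. The `GET_ORGANIZATIONS_WITHOUT_PERMISSION_CHECK` path returns every sub-organization under the parent with no per-user condition; if that relies on the caller having authorized the request already (as the non-legacy `GET_ORGANIZATIONS` path presumably does), the same comment should say so. A test that asserts the assembled SQL for the legacy/authorized combination would have caught the constant mix-up this patch corrects and guards the head/tail pairing going forward. `getOrganizationsList` starts and ends outside this hunk.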