Add capability of case insensitive role name check

Fixes: #3316
wso2 · May 2, 2024 · 6489472 · 6489472
1 parent 102833b
commit 6489472
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 3 deletions.
diff --git a/...curity/src/main/java/org/wso2/micro/integrator/security/MicroIntegratorSecurityUtils.java b/...curity/src/main/java/org/wso2/micro/integrator/security/MicroIntegratorSecurityUtils.java
@@ -20,6 +20,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.config.mapper.ConfigParser;
 import org.wso2.micro.integrator.security.internal.DataHolder;
 import org.wso2.micro.integrator.security.internal.ServiceComponent;
 import org.wso2.micro.integrator.security.user.api.RealmConfiguration;
@@ -30,6 +31,7 @@
 import org.wso2.micro.integrator.security.user.core.profile.ProfileConfigurationManager;
 
 import java.lang.reflect.Constructor;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.Map;
@@ -202,4 +204,27 @@ public static boolean isAdmin(String user) throws UserStoreException {
     public static boolean containsAdminRole(String[] rolesList) throws UserStoreException {
         return Arrays.asList(rolesList).contains(getRealmConfiguration().getAdminRoleName());
     }
+
+    /**
+     * Checks whether Case Insensitive Role Name Check is Enabled.
+     *
+     * @return whether Case Insensitive Role Name Check is Enabled.
+     */
+    public static boolean isCaseInsensitiveRoleNameCheckEnabled() {
+        Map<String, Object> catalogProperties;
+        if (ConfigParser.getParsedConfigs().get(SecurityConstants.WS_SECURITY_CONFIG) != null) {
+            catalogProperties =
+                    (Map<String, Object>) ((ArrayList) ConfigParser.getParsedConfigs().get(
+                            SecurityConstants.WS_SECURITY_CONFIG)).get(0);
+            if (catalogProperties != null
+                    && catalogProperties.containsKey(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK)) {
+                Object caseInsensitiveRoleNameCheckValue
+                        = catalogProperties.get(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK);
+                if (caseInsensitiveRoleNameCheckValue instanceof Boolean) {
+                    return (boolean) caseInsensitiveRoleNameCheckValue;
+                }
+            }
+        }
+        return false;
+    }
 }
diff --git a/...tegrator.security/src/main/java/org/wso2/micro/integrator/security/SecurityConstants.java b/...tegrator.security/src/main/java/org/wso2/micro/integrator/security/SecurityConstants.java
@@ -34,4 +34,8 @@ public class SecurityConstants {
             "org.wso2.micro.integrator.security.user.core.ldap.ReadOnlyLDAPUserStoreManager";
     public static final String DEFAULT_JDBC_USERSTORE_MANAGER =
             "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager";
+
+    public static final String CASE_INSENSITIVE_ROLE_NAME_CHECK = "case_insensitive_role_name_check";
+
+    public static final String WS_SECURITY_CONFIG = "ws_security";
 }
diff --git a/...y/src/main/java/org/wso2/micro/integrator/security/callback/AbstractPasswordCallback.java b/...y/src/main/java/org/wso2/micro/integrator/security/callback/AbstractPasswordCallback.java
@@ -48,10 +48,13 @@ public abstract class AbstractPasswordCallback implements CallbackHandler {
     private RealmConfiguration realmConfig;
     private List<String> allowedRoles = null;
 
+    private boolean caseInsensitiveRoleNameCheckEnabled = false;
+
     @Override
     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
         try {
             boolean isAuthenticated = false;
+            caseInsensitiveRoleNameCheckEnabled = MicroIntegratorSecurityUtils.isCaseInsensitiveRoleNameCheckEnabled();
             if (realmConfig == null) {
                 try {
                     realmConfig = MicroIntegratorSecurityUtils.getRealmConfiguration();
@@ -217,9 +220,19 @@ private String getPrivateKeyPassword(String username) throws IOException, Except
     private boolean hasAllowedRole(String authenticatedUser) throws UserStoreException {
         if (allowedRoles != null) {
             String[] existingRoles = userStoreManager.getRoleListOfUser(authenticatedUser);
-            for (String existingRole : existingRoles) {
-                if (allowedRoles.contains(existingRole)) {
-                    return true;
+            if (caseInsensitiveRoleNameCheckEnabled) {
+                for (String existingRole : existingRoles) {
+                    for (String allowedRole : allowedRoles) {
+                        if (existingRole.equalsIgnoreCase(allowedRole)) {
+                            return true;
+                        }
+                    }
+                }
+            } else {
+                for (String existingRole : existingRoles) {
+                    if (allowedRoles.contains(existingRole)) {
+                        return true;
+                    }
                 }
             }
             return false;