Merge pull request #3319 from malakaganga/fix_secpol
Add capability for case-insensitive role name check
malakaganga authored May 2, 2024
2 parents 102833b + 6489472 commit dc8f759
Showing 3 changed files with 45 additions and 3 deletions.
Expand Up @@ -20,6 +20,7 @@

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.config.mapper.ConfigParser;
import org.wso2.micro.integrator.security.internal.DataHolder;
import org.wso2.micro.integrator.security.internal.ServiceComponent;
import org.wso2.micro.integrator.security.user.api.RealmConfiguration;
Expand All @@ -30,6 +31,7 @@
import org.wso2.micro.integrator.security.user.core.profile.ProfileConfigurationManager;

import java.lang.reflect.Constructor;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
Expand Down Expand Up @@ -202,4 +204,27 @@ public static boolean isAdmin(String user) throws UserStoreException {
public static boolean containsAdminRole(String[] rolesList) throws UserStoreException {
return Arrays.asList(rolesList).contains(getRealmConfiguration().getAdminRoleName());
}

/**
* Checks whether Case Insensitive Role Name Check is Enabled.
*
* @return whether Case Insensitive Role Name Check is Enabled.
*/
public static boolean isCaseInsensitiveRoleNameCheckEnabled() {
Map<String, Object> catalogProperties;
if (ConfigParser.getParsedConfigs().get(SecurityConstants.WS_SECURITY_CONFIG) != null) {
catalogProperties =
(Map<String, Object>) ((ArrayList) ConfigParser.getParsedConfigs().get(
SecurityConstants.WS_SECURITY_CONFIG)).get(0);
if (catalogProperties != null
&& catalogProperties.containsKey(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK)) {
Object caseInsensitiveRoleNameCheckValue
= catalogProperties.get(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK);
if (caseInsensitiveRoleNameCheckValue instanceof Boolean) {
return (boolean) caseInsensitiveRoleNameCheckValue;
}
}
}
return false;
}
}
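Review bot: `isCaseInsensitiveRoleNameCheckEnabled` only tolerates a missing `ws_security` entry; if the entry is present but is an empty list, `get(0)` throws `IndexOutOfBoundsException`, and if it is not an `ArrayList` of maps the raw casts throw `ClassCastException`, so a malformed config surfaces as an exception inside every `handle()` call instead of as the method's own default. Guarding the shape with `instanceof` checks keeps the method total and preserves its safe default of `false`, which is the stricter exact-match behaviour. The Javadoc should also name what is read: `Reads {@code case_insensitive_role_name_check} from the first {@code ws_security} config entry; a missing or non-boolean value yields {@code false}.` The rewrite below needs `java.util.List` in scope if the file does not already import it.
```java
public static boolean isCaseInsensitiveRoleNameCheckEnabled() {
    Object wsSecurity = ConfigParser.getParsedConfigs().get(SecurityConstants.WS_SECURITY_CONFIG);
    if (!(wsSecurity instanceof List) || ((List<?>) wsSecurity).isEmpty()) {
        return false;
    }
    Object first = ((List<?>) wsSecurity).get(0);
    if (!(first instanceof Map)) {
        return false;
    }
    Object value = ((Map<?, ?>) first).get(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK);
    // Absent or non-boolean values fall back to the stricter exact-match behaviour.
    return value instanceof Boolean && (Boolean) value;
}
```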
Expand Up @@ -34,4 +34,8 @@ public class SecurityConstants {
"org.wso2.micro.integrator.security.user.core.ldap.ReadOnlyLDAPUserStoreManager";
public static final String DEFAULT_JDBC_USERSTORE_MANAGER =
"org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager";

public static final String CASE_INSENSITIVE_ROLE_NAME_CHECK = "case_insensitive_role_name_check";

public static final String WS_SECURITY_CONFIG = "ws_security";
}
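Review bot: The two new constants carry no Javadoc, and `SecurityConstants` is where a reader would look to learn what they configure. Suggest `/** Config key: when {@code true}, allowed-role checks compare role names ignoring case; absent means exact match. */` above `CASE_INSENSITIVE_ROLE_NAME_CHECK`, and `/** Config section key; its first entry is consulted for {@link #CASE_INSENSITIVE_ROLE_NAME_CHECK}. */` above `WS_SECURITY_CONFIG`.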
Expand Up @@ -48,10 +48,13 @@ public abstract class AbstractPasswordCallback implements CallbackHandler {
private RealmConfiguration realmConfig;
private List<String> allowedRoles = null;

private boolean caseInsensitiveRoleNameCheckEnabled = false;

@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
try {
boolean isAuthenticated = false;
caseInsensitiveRoleNameCheckEnabled = MicroIntegratorSecurityUtils.isCaseInsensitiveRoleNameCheckEnabled();
if (realmConfig == null) {
try {
realmConfig = MicroIntegratorSecurityUtils.getRealmConfiguration();
Expand Down Expand Up @@ -217,9 +220,19 @@ private String getPrivateKeyPassword(String username) throws IOException, Except
private boolean hasAllowedRole(String authenticatedUser) throws UserStoreException {
if (allowedRoles != null) {
String[] existingRoles = userStoreManager.getRoleListOfUser(authenticatedUser);
for (String existingRole : existingRoles) {
if (allowedRoles.contains(existingRole)) {
return true;
if (caseInsensitiveRoleNameCheckEnabled) {
for (String existingRole : existingRoles) {
for (String allowedRole : allowedRoles) {
if (existingRole.equalsIgnoreCase(allowedRole)) {
return true;
}
}
}
} else {
for (String existingRole : existingRoles) {
if (allowedRoles.contains(existingRole)) {
return true;
}
}
}
return false;
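Review bot: `caseInsensitiveRoleNameCheckEnabled` is a mutable instance field that `handle` re-assigns on every callback (`caseInsensitiveRoleNameCheckEnabled = MicroIntegratorSecurityUtils.isCaseInsensitiveRoleNameCheckEnabled();`) solely so `hasAllowedRole` can read it in its new `if`; since the value comes from static configuration, reading it once into a `private final boolean` or passing it as a parameter avoids a per-request write to shared state should one handler instance serve concurrent callbacks (not visible from this hunk). The nested loop in the case-insensitive branch can be a single line, `if (allowedRoles.stream().anyMatch(existingRole::equalsIgnoreCase)) { return true; }`, which reads in parallel with the exact-match branch. A comment on that branch should record that `equalsIgnoreCase` folds case per character across Unicode, so role names differing by more than ASCII case can also match, and that exact match remains the default. `hasAllowedRole` continues past the hunk, so its result for `allowedRoles == null` is not visible here.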
