From 64894724f37c26a67a54a1461e43a437d2ec789f Mon Sep 17 00:00:00 2001
From: malakaganga
Date: Thu, 2 May 2024 13:10:06 +0530
Subject: [PATCH] Add capability of case insensitive role name check
Fixes: https://github.com/wso2/micro-integrator/issues/3316
---
 .../MicroIntegratorSecurityUtils.java | 25 +++++++++++++++++++
 .../security/SecurityConstants.java | 4 +++
 .../callback/AbstractPasswordCallback.java | 19 +++++++++++---
 3 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/MicroIntegratorSecurityUtils.java b/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/MicroIntegratorSecurityUtils.java
index 9923fb866e..9c4bea20b9 100644
--- a/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/MicroIntegratorSecurityUtils.java
+++ b/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/MicroIntegratorSecurityUtils.java
@@ -20,6 +20,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.config.mapper.ConfigParser;
 import org.wso2.micro.integrator.security.internal.DataHolder;
 import org.wso2.micro.integrator.security.internal.ServiceComponent;
 import org.wso2.micro.integrator.security.user.api.RealmConfiguration;
@@ -30,6 +31,7 @@
 import org.wso2.micro.integrator.security.user.core.profile.ProfileConfigurationManager;
 import java.lang.reflect.Constructor;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.Map;
@@ -202,4 +204,27 @@ public static boolean isAdmin(String user) throws UserStoreException {
 public static boolean containsAdminRole(String[] rolesList) throws UserStoreException {
 return Arrays.asList(rolesList).contains(getRealmConfiguration().getAdminRoleName());
 }
+
+ /**
+ * Checks whether Case Insensitive Role Name Check is Enabled.
+ *
+ * @return whether Case Insensitive Role Name Check is Enabled.
+ */
+ public static boolean isCaseInsensitiveRoleNameCheckEnabled() {
+ Map catalogProperties;
+ if (ConfigParser.getParsedConfigs().get(SecurityConstants.WS_SECURITY_CONFIG) != null) {
+ catalogProperties =
+ (Map) ((ArrayList) ConfigParser.getParsedConfigs().get(
+ SecurityConstants.WS_SECURITY_CONFIG)).get(0);
+ if (catalogProperties != null
+ && catalogProperties.containsKey(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK)) {
+ Object caseInsensitiveRoleNameCheckValue
+ = catalogProperties.get(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK);
+ if (caseInsensitiveRoleNameCheckValue instanceof Boolean) {
+ return (boolean) caseInsensitiveRoleNameCheckValue;
+ }
+ }
+ }
+ return false;
+ }
 }
diff --git a/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/SecurityConstants.java b/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/SecurityConstants.java
index 63e370b413..282b71b9a8 100644
--- a/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/SecurityConstants.java
+++ b/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/SecurityConstants.java
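Review bot: `isCaseInsensitiveRoleNameCheckEnabled()` casts the `ws_security` entry to `ArrayList` and calls `.get(0)` without checking that the list has an element, so an empty or differently shaped section escapes as a ClassCastException or IndexOutOfBoundsException from a method that `handle()` calls on the request path, and `ConfigParser.getParsedConfigs()` is evaluated twice for one lookup. I cannot see ConfigParser's return typing here, so the shape is inferred from the casts the hunk itself makes. Testing with `instanceof List` / `instanceof Map`, reading the parsed configs once and answering `false` for anything unexpected keeps the method total; the rewrite needs `java.util.List` imported in place of the `ArrayList` import added in the first hunk. Note also that only a `Boolean` value enables the check, so a quoted `"true"` in the configuration is silently treated as disabled — that is worth stating in the Javadoc, e.g. `@return true only when the ws_security section carries an explicit boolean true for case_insensitive_role_name_check; false otherwise`.
```java
    public static boolean isCaseInsensitiveRoleNameCheckEnabled() {
        Object wsSecuritySection = ConfigParser.getParsedConfigs().get(SecurityConstants.WS_SECURITY_CONFIG);
        if (!(wsSecuritySection instanceof List) || ((List) wsSecuritySection).isEmpty()) {
            return false;
        }
        Object firstEntry = ((List) wsSecuritySection).get(0);
        if (!(firstEntry instanceof Map)) {
            return false;
        }
        Object value = ((Map) firstEntry).get(SecurityConstants.CASE_INSENSITIVE_ROLE_NAME_CHECK);
        // Only an explicit boolean enables the relaxed comparison; anything else keeps the strict default.
        return value instanceof Boolean && (Boolean) value;
    }
```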
@@ -34,4 +34,8 @@ public class SecurityConstants {
 "org.wso2.micro.integrator.security.user.core.ldap.ReadOnlyLDAPUserStoreManager";
 public static final String DEFAULT_JDBC_USERSTORE_MANAGER =
 "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager";
+
+ public static final String CASE_INSENSITIVE_ROLE_NAME_CHECK = "case_insensitive_role_name_check";
+
+ public static final String WS_SECURITY_CONFIG = "ws_security";
 }
diff --git a/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/callback/AbstractPasswordCallback.java b/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/callback/AbstractPasswordCallback.java
index 5684bc48fc..625eb99baa 100644
--- a/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/callback/AbstractPasswordCallback.java
+++ b/components/org.wso2.micro.integrator.security/src/main/java/org/wso2/micro/integrator/security/callback/AbstractPasswordCallback.java
@@ -48,10 +48,13 @@ public abstract class AbstractPasswordCallback implements CallbackHandler {
 private RealmConfiguration realmConfig;
 private List allowedRoles = null;
+ private boolean caseInsensitiveRoleNameCheckEnabled = false;
+
 @Override
 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
 try {
 boolean isAuthenticated = false;
+ caseInsensitiveRoleNameCheckEnabled = MicroIntegratorSecurityUtils.isCaseInsensitiveRoleNameCheckEnabled();
 if (realmConfig == null) {
 try {
 realmConfig = MicroIntegratorSecurityUtils.getRealmConfiguration();
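Review bot: `caseInsensitiveRoleNameCheckEnabled` is reassigned from `MicroIntegratorSecurityUtils.isCaseInsensitiveRoleNameCheckEnabled()` at the top of `handle()`, so the deployment configuration is looked up and written into an instance field on every callback invocation, although the value cannot change at runtime and, if one handler instance serves several threads, the write is unsynchronised. Reading it once — `private final boolean caseInsensitiveRoleNameCheckEnabled = MicroIntegratorSecurityUtils.isCaseInsensitiveRoleNameCheckEnabled();` — and dropping the assignment inside `handle()` removes both the per-request work and the shared mutable state. If the parsed configs are not guaranteed to be available when the callback is constructed, a lazy read guarded the way `realmConfig` is guarded just below would serve the same purpose. `handle()` continues past the end of this hunk.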
@@ -217,9 +220,19 @@ private String getPrivateKeyPassword(String username) throws IOException, Except
 private boolean hasAllowedRole(String authenticatedUser) throws UserStoreException {
 if (allowedRoles != null) {
 String[] existingRoles = userStoreManager.getRoleListOfUser(authenticatedUser);
- for (String existingRole : existingRoles) {
- if (allowedRoles.contains(existingRole)) {
- return true;
+ if (caseInsensitiveRoleNameCheckEnabled) {
+ for (String existingRole : existingRoles) {
+ for (String allowedRole : allowedRoles) {
+ if (existingRole.equalsIgnoreCase(allowedRole)) {
+ return true;
+ }
+ }
+ }
+ } else {
+ for (String existingRole : existingRoles) {
+ if (allowedRoles.contains(existingRole)) {
+ return true;
+ }
 }
 }
 return false;
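Review bot: The two branches in `hasAllowedRole` walk `existingRoles` with the same early-return shape and differ only in the comparison, and nothing on the method records the authorization consequence of the new flag: with `caseInsensitiveRoleNameCheckEnabled` a user whose role differs from an allowed role only in letter case is now accepted, so the flag is only safe where the user store itself does not distinguish role names by case. I would move the comparison into a helper and say so on it: `/** Whether role is an allowed role. With case-insensitive checking enabled, roles differing only in case count as the same role; enable it only for user stores that do not distinguish role names by case. */`. If `allowedRoles` really is the raw `List` the earlier hunk shows as context (angle brackets may have been lost in rendering), `for (String allowedRole : allowedRoles)` does not compile — javac rejects the implicit Object-to-String conversion — and the field should be declared `List<String>`. The method's closing braces lie outside the hunk.
```java
            String[] existingRoles = userStoreManager.getRoleListOfUser(authenticatedUser);
            for (String existingRole : existingRoles) {
                if (isAllowedRole(existingRole)) {
                    return true;
                }
            }
            // … unchanged: return false; and the rest of hasAllowedRole outside the hunk …

    /**
     * Whether {@code role} is one of the configured allowed roles.
     * With case-insensitive checking enabled, roles that differ only in letter case count as
     * the same role, so the flag should be enabled only for user stores that do not
     * distinguish role names by case.
     */
    private boolean isAllowedRole(String role) {
        if (!caseInsensitiveRoleNameCheckEnabled) {
            return allowedRoles.contains(role);
        }
        for (String allowedRole : allowedRoles) {
            if (role.equalsIgnoreCase(allowedRole)) {
                return true;
            }
        }
        return false;
    }
```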