Improve impl

wso2 · Sep 27, 2023 · 86fb29c · 86fb29c
1 parent 2b4ceae
commit 86fb29c
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 15 deletions.
diff --git a/...bon/identity/api/server/application/management/common/ApplicationManagementConstants.java b/...bon/identity/api/server/application/management/common/ApplicationManagementConstants.java
@@ -51,7 +51,8 @@ private ApplicationManagementConstants() {
     public static final String NAME = "name";
     public static final String CLIENT_ID = "clientId";
     public static final String ISSUER = "issuer";
-
+    public static final String RBAC = "RBAC";
+    public static final String NO_POLICY = "No Policy";
     public static final String NON_EXISTING_USER_CODE = "30007 - ";
 
     /**
@@ -104,14 +105,19 @@ public enum ErrorMessage {
                 "'useExternalConsentPage' is not yet supported for SAML applications in this version of the API."),
         API_RESOURCE_NOT_FOUND("60507",
                 "API resource not found.",
-                "API resource with id: %s is not found."),
+                "API resource with id: %s is not found in the tenant domain: %s."),
         SCOPES_NOT_FOUND("60508",
                 "API scopes not found.",
-                "One or more scopes in the request is not found."),
+                "One or more scopes in the request is not found for the API resource with Id: %s in the " +
+                        "tenant domain: %s."),
         API_RESOURCE_ALREADY_AUTHORIZED("60509", "API resource already authorized.",
                 "API resource with id: %s is already authorized for the application with id: %s."),
         AUTHORIZED_API_NOT_FOUND("60510", "API resource not authorized for the application.",
                 "API resource with id: %s is not authorized for the application with id: %s."),
+        INVALID_POLICY_VALUE("60511", "Invalid policy id value provided.",
+                "Invalid policy id value. It should be 'RBAC' or 'No Policy'."),
+        INVALID_POLICY_TYPE_FOR_API_RESOURCE("60511", "Invalid policy type provided for the API " +
+                "resource.", "API resource with id: %s doesn't allow the provided policy type: %s."),
 
         // Server Errors.
         ERROR_RETRIEVING_SAML_METADATA("65001",

diff --git a/...dentity/api/server/application/management/v1/core/ServerApplicationManagementService.java b/...dentity/api/server/application/management/v1/core/ServerApplicationManagementService.java
@@ -152,6 +152,7 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Set;
 import java.util.function.BiFunction;
 import java.util.function.Function;
@@ -1317,10 +1318,24 @@ public void addAuthorizedAPI(String applicationId, AuthorizedAPICreationModel au
             if (authorizedAPI != null) {
                 throw handleAuthorizedAPIConflictError(applicationId, authorizedAPIId);
             }
-            validateAPIResourceScopes(authorizedAPIId, authorizedAPICreationModel.getScopes());
+
+            // Validate authorized API creation model.
+            APIResource apiResource = ApplicationManagementServiceHolder.getApiResourceManager()
+                    .getAPIResourceById(authorizedAPIId, tenantDomain);
+            if (apiResource == null) {
+                throw buildClientError(ErrorMessage.API_RESOURCE_NOT_FOUND, authorizedAPIId, tenantDomain);
+            }
+            validateAPIResourceScopes(apiResource, authorizedAPICreationModel.getScopes());
+
             // Validate policy identifier.
-            String policyIdentifier = authorizedAPICreationModel.getPolicyIdentifier().isEmpty() ? "RBAC" :
-                    authorizedAPICreationModel.getPolicyIdentifier();
+            String policyIdentifier = validatePolicy(authorizedAPICreationModel.getPolicyIdentifier());
+
+            // If API resource has requiresAuthorization set to true, policy identifier should be RBAC.
+            if (apiResource.isRequiresAuthorization() &&
+                    !policyIdentifier.equals(ApplicationManagementConstants.RBAC)) {
+                throw buildClientError(ErrorMessage.INVALID_POLICY_TYPE_FOR_API_RESOURCE, authorizedAPIId,
+                        policyIdentifier);
+            }
 
             getAuthorizedAPIManagementService().addAuthorizedAPI(applicationId,
                     new AuthorizedAPI.AuthorizedAPIBuilder()
@@ -1340,18 +1355,27 @@ public void addAuthorizedAPI(String applicationId, AuthorizedAPICreationModel au
         }
     }
 
-    private void validateAPIResourceScopes(String apiId, List<String> scopes)
-            throws APIResourceMgtException {
+    public String validatePolicy(String policyId) {
 
-        APIResource apiresource = ApplicationManagementServiceHolder.getApiResourceManager()
-                .getAPIResourceById(apiId, CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
-        if (apiresource == null) {
-            throw buildClientError(ErrorMessage.API_RESOURCE_NOT_FOUND, apiId);
+        if (policyId == null || policyId.isEmpty()) {
+            // No input provided, use the default policy identifier.
+            return ApplicationManagementConstants.RBAC;
+        } else if (policyId.equalsIgnoreCase(ApplicationManagementConstants.RBAC)
+                || policyId.equalsIgnoreCase(ApplicationManagementConstants.NO_POLICY)) {
+            return policyId.toUpperCase(Locale.ENGLISH);
+        } else {
+            throw buildClientError(ErrorMessage.INVALID_POLICY_VALUE);
         }
-        List<Scope> apiResourceScopes = apiresource.getScopes();
+    }
+
+    private void validateAPIResourceScopes(APIResource apiResource, List<String> scopes)
+            throws APIResourceMgtException {
+
+        List<Scope> apiResourceScopes = apiResource.getScopes();
         for (String scopeName : scopes) {
             if (apiResourceScopes.stream().noneMatch(scope -> scope.getName().equals(scopeName))) {
-                throw buildClientError(ErrorMessage.SCOPES_NOT_FOUND);
+                throw buildClientError(ErrorMessage.SCOPES_NOT_FOUND, apiResource.getId(),
+                        CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
             }
         }
     }
@@ -1379,7 +1403,13 @@ public void updateAuthorizedAPI(String applicationId, String apiId,
             List<String> removedScopes = authorizedAPIPatchModel.getRemovedScopes();
             addedScopes.removeAll(removedScopes);
 
-            validateAPIResourceScopes(apiId, addedScopes);
+            // Validate authorized API patch model.
+            APIResource apiResource = ApplicationManagementServiceHolder.getApiResourceManager()
+                    .getAPIResourceById(apiId, tenantDomain);
+            if (apiResource == null) {
+                throw buildClientError(ErrorMessage.API_RESOURCE_NOT_FOUND, apiId, tenantDomain);
+            }
+            validateAPIResourceScopes(apiResource, addedScopes);
 
             // Remove already authorized scopes from the added scopes list.
             AuthorizedAPI currentAuthorizedAPI = getAuthorizedAPIManagementService().getAuthorizedAPI(applicationId,