diff --git a/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.common/src/main/java/org/wso2/carbon/identity/api/server/application/management/common/ApplicationManagementConstants.java b/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.common/src/main/java/org/wso2/carbon/identity/api/server/application/management/common/ApplicationManagementConstants.java
index d4914949dc..88236d7c85 100644
--- a/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.common/src/main/java/org/wso2/carbon/identity/api/server/application/management/common/ApplicationManagementConstants.java
+++ b/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.common/src/main/java/org/wso2/carbon/identity/api/server/application/management/common/ApplicationManagementConstants.java
@@ -51,7 +51,8 @@ private ApplicationManagementConstants() {
     public static final String NAME = "name";
     public static final String CLIENT_ID = "clientId";
     public static final String ISSUER = "issuer";
-
+    public static final String RBAC = "RBAC";
+    public static final String NO_POLICY = "No Policy";
     public static final String NON_EXISTING_USER_CODE = "30007 - ";
 
     /**
@@ -104,14 +105,19 @@ public enum ErrorMessage {
                 "'useExternalConsentPage' is not yet supported for SAML applications in this version of the API."),
         API_RESOURCE_NOT_FOUND("60507", "API resource not found.",
-                "API resource with id: %s is not found."),
+                "API resource with id: %s is not found in the tenant domain: %s."),
         SCOPES_NOT_FOUND("60508", "API scopes not found.",
-                "One or more scopes in the request is not found."),
+                "One or more scopes in the request is not found for the API resource with Id: %s in the " +
+                        "tenant domain: %s."),
         API_RESOURCE_ALREADY_AUTHORIZED("60509", "API resource already authorized.",
                 "API resource with id: %s is already authorized for the application with id: %s."),
         AUTHORIZED_API_NOT_FOUND("60510", "API resource not authorized for the application.",
                 "API resource with id: %s is not authorized for the application with id: %s."),
+        INVALID_POLICY_VALUE("60511", "Invalid policy id value provided.",
+                "Invalid policy id value. It should be 'RBAC' or 'No Policy'."),
+        INVALID_POLICY_TYPE_FOR_API_RESOURCE("60511", "Invalid policy type provided for the API " +
+                "resource.", "API resource with id: %s doesn't allow the provided policy type: %s."),
 
         // Server Errors.
         ERROR_RETRIEVING_SAML_METADATA("65001",
diff --git a/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.v1/src/main/java/org/wso2/carbon/identity/api/server/application/management/v1/core/ServerApplicationManagementService.java b/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.v1/src/main/java/org/wso2/carbon/identity/api/server/application/management/v1/core/ServerApplicationManagementService.java
index 8310aba1f3..d84daaed48 100644
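Review bot: `INVALID_POLICY_TYPE_FOR_API_RESOURCE` reuses error code `"60511"`, the same code given to `INVALID_POLICY_VALUE` two lines above it, so a client that dispatches on the code cannot distinguish a malformed policy value from a policy the API resource forbids. Every other constant visible in this hunk carries its own code (60507 through 60510), so the second one should read `INVALID_POLICY_TYPE_FOR_API_RESOURCE("60512", "Invalid policy type provided for the API " +`. The new SCOPES_NOT_FOUND text also spells `Id:` where the neighbouring messages use `id:`; one spelling keeps the messages greppable. The ErrorMessage enum starts and ends outside this hunk.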
--- a/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.v1/src/main/java/org/wso2/carbon/identity/api/server/application/management/v1/core/ServerApplicationManagementService.java
+++ b/components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.v1/src/main/java/org/wso2/carbon/identity/api/server/application/management/v1/core/ServerApplicationManagementService.java
@@ -152,6 +152,7 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Set;
 import java.util.function.BiFunction;
 import java.util.function.Function;
@@ -1317,10 +1318,24 @@ public void addAuthorizedAPI(String applicationId, AuthorizedAPICreationModel au
         if (authorizedAPI != null) {
             throw handleAuthorizedAPIConflictError(applicationId, authorizedAPIId);
         }
-        validateAPIResourceScopes(authorizedAPIId, authorizedAPICreationModel.getScopes());
+
+        // Validate authorized API creation model.
+        APIResource apiResource = ApplicationManagementServiceHolder.getApiResourceManager()
+                .getAPIResourceById(authorizedAPIId, tenantDomain);
+        if (apiResource == null) {
+            throw buildClientError(ErrorMessage.API_RESOURCE_NOT_FOUND, authorizedAPIId, tenantDomain);
+        }
+        validateAPIResourceScopes(apiResource, authorizedAPICreationModel.getScopes());
+
         // Validate policy identifier.
-        String policyIdentifier = authorizedAPICreationModel.getPolicyIdentifier().isEmpty() ? "RBAC" :
-                authorizedAPICreationModel.getPolicyIdentifier();
+        String policyIdentifier = validatePolicy(authorizedAPICreationModel.getPolicyIdentifier());
+
+        // If API resource has requiresAuthorization set to true, policy identifier should be RBAC.
+        if (apiResource.isRequiresAuthorization() &&
+                !policyIdentifier.equals(ApplicationManagementConstants.RBAC)) {
+            throw buildClientError(ErrorMessage.INVALID_POLICY_TYPE_FOR_API_RESOURCE, authorizedAPIId,
+                    policyIdentifier);
+        }
 
         getAuthorizedAPIManagementService().addAuthorizedAPI(applicationId,
                 new AuthorizedAPI.AuthorizedAPIBuilder()
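Review bot: `authorizedAPICreationModel.getScopes()` is handed straight to validateAPIResourceScopes, which for-each iterates it, so a request that omits `scopes` will surface as a NullPointerException (a 500) instead of a client error if the generated model leaves that field null — I cannot see the model here, so confirm its default. A one-line guard before the call keeps the failure on the client side: `List<String> requestedScopes = authorizedAPICreationModel.getScopes() == null ? Collections.emptyList() : authorizedAPICreationModel.getScopes();` and pass `requestedScopes` instead. The `isRequiresAuthorization()` gate is the right check but it only runs on creation; if the patch path can change the policy identifier it needs the same gate, otherwise a later update could downgrade an authorization-required API to no policy. addAuthorizedAPI begins before this hunk, where `tenantDomain` and `authorizedAPI` are defined.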
@@ -1340,18 +1355,27 @@ public void addAuthorizedAPI(String applicationId, AuthorizedAPICreationModel au
         }
     }
 
-    private void validateAPIResourceScopes(String apiId, List scopes)
-            throws APIResourceMgtException {
+    public String validatePolicy(String policyId) {
 
-        APIResource apiresource = ApplicationManagementServiceHolder.getApiResourceManager()
-                .getAPIResourceById(apiId, CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
-        if (apiresource == null) {
-            throw buildClientError(ErrorMessage.API_RESOURCE_NOT_FOUND, apiId);
+        if (policyId == null || policyId.isEmpty()) {
+            // No input provided, use the default policy identifier.
+            return ApplicationManagementConstants.RBAC;
+        } else if (policyId.equalsIgnoreCase(ApplicationManagementConstants.RBAC)
+                || policyId.equalsIgnoreCase(ApplicationManagementConstants.NO_POLICY)) {
+            return policyId.toUpperCase(Locale.ENGLISH);
+        } else {
+            throw buildClientError(ErrorMessage.INVALID_POLICY_VALUE);
         }
-        List apiResourceScopes = apiresource.getScopes();
+    }
+
+    private void validateAPIResourceScopes(APIResource apiResource, List scopes)
+            throws APIResourceMgtException {
+
+        List apiResourceScopes = apiResource.getScopes();
         for (String scopeName : scopes) {
             if (apiResourceScopes.stream().noneMatch(scope -> scope.getName().equals(scopeName))) {
-                throw buildClientError(ErrorMessage.SCOPES_NOT_FOUND);
+                throw buildClientError(ErrorMessage.SCOPES_NOT_FOUND, apiResource.getId(),
+                        CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
             }
         }
     }
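Review bot: validatePolicy returns `policyId.toUpperCase(Locale.ENGLISH)`, so an accepted `"No Policy"` comes back as `"NO POLICY"`, which no longer equals `ApplicationManagementConstants.NO_POLICY` (`"No Policy"`); only the RBAC branch survives the upper-casing, and anything persisted or compared against the constant downstream will miss the no-policy case. Return the canonical constant rather than the caller's spelling, `return policyId.equalsIgnoreCase(ApplicationManagementConstants.RBAC) ? ApplicationManagementConstants.RBAC : ApplicationManagementConstants.NO_POLICY;`, which also removes the need for `Locale`. The method is declared `public` although it is an internal validation step that throws a client error; `private` (package-private at most, for tests) keeps it off the service's API surface. validateAPIResourceScopes still reads the tenant from `CarbonContext.getThreadLocalCarbonContext()` while both callers already hold `tenantDomain`; passing it in as a parameter avoids the two ever diverging.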
@@ -1379,7 +1403,13 @@ public void updateAuthorizedAPI(String applicationId, String apiId,
         List removedScopes = authorizedAPIPatchModel.getRemovedScopes();
         addedScopes.removeAll(removedScopes);
-        validateAPIResourceScopes(apiId, addedScopes);
+        // Validate authorized API patch model.
+        APIResource apiResource = ApplicationManagementServiceHolder.getApiResourceManager()
+                .getAPIResourceById(apiId, tenantDomain);
+        if (apiResource == null) {
+            throw buildClientError(ErrorMessage.API_RESOURCE_NOT_FOUND, apiId, tenantDomain);
+        }
+        validateAPIResourceScopes(apiResource, addedScopes);
 
         // Remove already authorized scopes from the added scopes list.
         AuthorizedAPI currentAuthorizedAPI = getAuthorizedAPIManagementService().getAuthorizedAPI(applicationId,