
Add console role listener #7416

Open. Wants to merge 2 commits into base: master.
Conversation

@shashimalcse (Contributor) commented Jan 27, 2025

Proposed changes in this pull request

Previously, scopes newly added to an API resource collection were not reflected in existing console roles. With this PR (wso2/carbon-identity-framework#6372), we have introduced a new collection version and set the previous collection as v0; the new version includes two feature scopes used for viewing and editing the collection.

Following is a sample API resource collection (the v0 one and the new one):

```toml
# API Resource collection for Diagnostic Logs
[[api_resource_collections]]
name = "diagnosticLogs"
displayName = "Diagnostic Logs"
type = "tenant"
version = "v0"

[[api_resource_collections.scopes.feature]]
name = "console:diagnosticLogs"

[[api_resource_collections.scopes.read]]
name = "internal_application_mgt_view"


# Newly Added API Resource collection for Diagnostic Logs
[[api_resource_collections]]
name = "diagnosticLogs"
displayName = "Diagnostic Logs"
type = "tenant"

[[api_resource_collections.scopes.feature]]
name = "console:diagnosticLogs"

# New view feature scope
[[api_resource_collections.scopes.feature]]
name = "console:diagnosticLogs_view"

# New edit feature scope
[[api_resource_collections.scopes.feature]]
name = "console:diagnosticLogs_edit"

[[api_resource_collections.scopes.read]]
name = "internal_application_mgt_view"
```

In this PR we have introduced a listener to resolve console role permissions at runtime.

When we fetch a console role, this listener does the following:

## Input: Role Permissions

### Step 1: Retrieve System Data
1. Retrieve system permissions for the given tenant.
2. Retrieve API resource collections for the given tenant.

### Step 2: Extract Console Feature Permissions
- Retrieve console feature permissions from the role’s permissions list.
  - **Console feature permissions** are the ones defined at the new API resource collection with `_view` and `_edit` suffixes.

### Step 3: Check Console Feature Permissions List
#### Case 1: Console Feature Permissions List is **Not Empty**
1. Assume this is a **"new" console role** (created with `_view` and `_edit` feature permissions).
2. Create a new list to hold resolved role permissions.
3. For each console feature permission:
   - For each API resource collection:
     - If the permission matches the **edit feature scope**, add all corresponding **write scopes** of the collection.
     - If the permission matches the **view feature scope**, add all corresponding **read scopes** of the collection.
4. Return the resolved permissions.

#### Case 2: Console Feature Permissions List is **Empty**
1. Assume this is an **"old" console role**.
2. Convert the original role permissions to a set.
3. Retrieve console permissions from the role’s permission list (legacy feature scopes).
4. For each console permission:
   - For each API resource collection:
     - If the permission name is in the **read scopes**, add all new **read scopes** of the collection.
     - Check if the role has **all legacy write scopes** for that collection; if so, add all new **write scopes** of the collection.
5. Return the resolved permissions.

When adding or updating a role (with permissions), we now only persist the new feature scopes. At the get-role level we will resolve the actual permissions of the role against the API resource collections. This will resolve the original problem.

Related Issues

Merge After
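Worked example (added here; not code from this PR or from the wso2 projects): a TypeScript implementation of the two resolution cases described above, run over collection objects that mirror the TOML sample (the `diagnosticLogs` v0 and current collections). The `ApiResourceCollection` shape, the function names, the write scopes `internal_application_mgt_update` and `internal_log_config_update`, and the added read scope `internal_log_config_view` are constructed assumptions; the description shows neither the write scopes nor the listener's code. In Case 2 the phrase "permission name is in the read scopes" is read here as "the role holds at least one of the v0 collection's read scopes".

```typescript
// Added example (not the project's code): resolve a console role's effective
// permissions from API resource collections, following the two cases in the
// PR description. Types, scope names and helper names are constructed.

interface ApiResourceCollection {
  name: string;
  version?: string;   // "v0" marks the legacy definition of a collection
  feature: string[];  // feature scopes, e.g. "console:diagnosticLogs_view"
  read: string[];     // read scopes granted by the _view feature scope
  write: string[];    // write scopes granted by the _edit feature scope
}

// Constructed sample: the v0 and current Diagnostic Logs collections from the
// PR text, with write scopes added so the edit path has something to resolve.
const SAMPLE_COLLECTIONS: ApiResourceCollection[] = [
  {
    name: "diagnosticLogs",
    version: "v0",
    feature: ["console:diagnosticLogs"],
    read: ["internal_application_mgt_view"],
    write: ["internal_application_mgt_update"],
  },
  {
    name: "diagnosticLogs",
    feature: ["console:diagnosticLogs", "console:diagnosticLogs_view", "console:diagnosticLogs_edit"],
    // internal_log_config_view / _update stand for scopes added after v0
    read: ["internal_application_mgt_view", "internal_log_config_view"],
    write: ["internal_application_mgt_update", "internal_log_config_update"],
  },
];

const VIEW_SUFFIX = "_view";
const EDIT_SUFFIX = "_edit";

// Console feature permissions are the new-style scopes with _view/_edit suffixes.
function isConsoleFeaturePermission(p: string): boolean {
  return p.startsWith("console:") && (p.endsWith(VIEW_SUFFIX) || p.endsWith(EDIT_SUFFIX));
}

function resolveConsoleRolePermissions(
  rolePermissions: string[],
  collections: ApiResourceCollection[],
): string[] {
  const current = collections.filter((c) => c.version !== "v0");
  const legacy = collections.filter((c) => c.version === "v0");
  const featurePerms = rolePermissions.filter(isConsoleFeaturePermission);
  const resolved = new Set<string>();

  if (featurePerms.length > 0) {
    // Case 1: a "new" role. Only feature scopes were persisted; expand each one
    // against the current collections: _edit -> write scopes, _view -> read scopes.
    for (const perm of featurePerms) {
      for (const c of current) {
        if (!c.feature.includes(perm)) continue;
        const scopes = perm.endsWith(EDIT_SUFFIX) ? c.write : c.read;
        scopes.forEach((s) => resolved.add(s));
      }
    }
    return Array.from(resolved).sort();
  }

  // Case 2: an "old" role. Keep what it already holds, then top it up with the
  // scopes the current collection gained since v0.
  const held = new Set(rolePermissions);
  rolePermissions.forEach((p) => resolved.add(p));
  const legacyConsolePerms = rolePermissions.filter((p) => p.startsWith("console:"));
  for (const perm of legacyConsolePerms) {
    for (const old of legacy) {
      if (!old.feature.includes(perm)) continue;
      const cur = current.find((c) => c.name === old.name);
      if (!cur) continue;
      // Holds any v0 read scope -> grant all current read scopes.
      if (old.read.some((s) => held.has(s))) cur.read.forEach((s) => resolved.add(s));
      // Holds all v0 write scopes -> grant all current write scopes.
      if (old.write.length > 0 && old.write.every((s) => held.has(s))) {
        cur.write.forEach((s) => resolved.add(s));
      }
    }
  }
  return Array.from(resolved).sort();
}
```

A role created with only `console:diagnosticLogs_edit` resolves to write scopes alone here, because the description maps the edit feature scope to write scopes only; whether edit should also imply the collection's read scopes is not stated, and a reviewer would want that confirmed before relying on it.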

codecov bot commented Jan 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 41.98%. Comparing base (a3bc39d) to head (ed789e1).
Report is 233 commits behind head on master.

Additional details and impacted files

```
@@            Coverage Diff             @@
##           master    #7416      +/-   ##
==========================================
+ Coverage   36.53%   41.98%   +5.45%     
==========================================
  Files          42       42              
  Lines         906      936      +30     
  Branches      205      233      +28     
==========================================
+ Hits          331      393      +62     
+ Misses        575      543      -32     
```

| Flag | Coverage Δ |
|---|---|
| @wso2is/core | 41.98% <ø> (+5.45%) ⬆️ |

Flags with carried forward coverage won't be shown.

See 2 files with indirect coverage changes.

@wso2-jenkins-bot (Contributor) commented
⚠️ No Changeset found

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go.

If these changes should result in a version bump, you need to add a changeset.

Refer to the Release Documentation to learn how to add a changeset.

@shashimalcse shashimalcse marked this pull request as ready for review January 27, 2025 06:39