Improve app visibility restricting functionality

Co-authored-by: Nishan Sangeeth <nishan@entgra.io> Co-committed-by: Nishan Sangeeth <nishan@entgra.io>
2025-10-06 02:01:45 +00:00 · 2023-06-28 16:00:53 +00:00 · 2023-06-28 16:00:53 +00:00 · 3616245ae6
commit 3616245ae6
parent e0a1cd3dbb
6 changed files with 80 additions and 12 deletions
--- a/components/application-mgt/io.entgra.device.mgt.core.application.mgt.common/src/main/java/io/entgra/device/mgt/core/application/mgt/common/services/ApplicationManager.java
+++ b/components/application-mgt/io.entgra.device.mgt.core.application.mgt.common/src/main/java/io/entgra/device/mgt/core/application/mgt/common/services/ApplicationManager.java
@ -27,6 +27,7 @@ import io.entgra.device.mgt.core.application.mgt.common.response.Category;
 import io.entgra.device.mgt.core.application.mgt.common.response.Tag;
 import io.entgra.device.mgt.core.device.mgt.common.Base64File;
 import io.entgra.device.mgt.core.application.mgt.common.dto.ApplicationDTO;
+import io.entgra.device.mgt.core.device.mgt.common.exceptions.MetadataManagementException;
 import org.apache.cxf.jaxrs.ext.multipart.Attachment;
 import io.entgra.device.mgt.core.application.mgt.common.ApplicationArtifact;
 import io.entgra.device.mgt.core.application.mgt.common.LifecycleChanger;
--- a/components/application-mgt/io.entgra.device.mgt.core.application.mgt.core/src/main/java/io/entgra/device/mgt/core/application/mgt/core/impl/ApplicationManagerImpl.java
+++ b/components/application-mgt/io.entgra.device.mgt.core.application.mgt.core/src/main/java/io/entgra/device/mgt/core/application/mgt/core/impl/ApplicationManagerImpl.java
@ -22,6 +22,8 @@ import io.entgra.device.mgt.core.application.mgt.core.exception.BadRequestExcept
 import io.entgra.device.mgt.core.device.mgt.common.Base64File;
 import io.entgra.device.mgt.core.application.mgt.core.dao.SPApplicationDAO;
 import io.entgra.device.mgt.core.application.mgt.core.util.ApplicationManagementUtil;
+import io.entgra.device.mgt.core.device.mgt.common.exceptions.MetadataManagementException;
+import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.Metadata;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringEscapeUtils;
@ -30,6 +32,7 @@ import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.cxf.jaxrs.ext.multipart.Attachment;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.json.JSONObject;
 import org.wso2.carbon.context.CarbonContext;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import io.entgra.device.mgt.core.application.mgt.common.ApplicationArtifact;
@ -95,6 +98,7 @@ import io.entgra.device.mgt.core.device.mgt.core.service.DeviceManagementProvide
 import org.wso2.carbon.user.api.UserRealm;
 import org.wso2.carbon.user.api.UserStoreException;

+import javax.ws.rs.core.Response;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@ -1713,6 +1717,31 @@ public class ApplicationManagerImpl implements ApplicationManager {
        }
    }

+    /**
+     * Check whether valid metaData value or not
+     *
+     * @return true or false
+     * @throws MetadataManagementException If it is unable to load metaData
+     */
+    private boolean isUserAbleToViewAllRoles() throws MetadataManagementException {
+        List<Metadata> allMetadata;
+        allMetadata = APIUtil.getMetadataManagementService().retrieveAllMetadata();
+        if (allMetadata != null && !allMetadata.isEmpty()) {
+            for(Metadata metadata : allMetadata){
+                if(Constants.SHOW_ALL_ROLES.equals(metadata.getMetaKey())){
+                    String metaValue = metadata.getMetaValue();
+                    if (metaValue != null) {
+                        JSONObject jsonObject;
+                        jsonObject = new JSONObject(metaValue);
+                        boolean isUserAbleToViewAllRoles = jsonObject.getBoolean(Constants.IS_USER_ABLE_TO_VIEW_ALL_ROLES);
+                        return isUserAbleToViewAllRoles;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
    /**
     * Get assigned role list of the given user.
     *
@ -3486,7 +3515,8 @@ public class ApplicationManagerImpl implements ApplicationManager {
    }

    @Override
-    public <T> void validateAppCreatingRequest(T param) throws ApplicationManagementException, RequestValidatingException {
+    public <T> void validateAppCreatingRequest(T param)
+            throws ApplicationManagementException, RequestValidatingException {
        int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(true);
        String userName = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
        int deviceTypeId = -1;
@ -3658,6 +3688,15 @@ public class ApplicationManagerImpl implements ApplicationManager {
                    log.error(msg);
                    throw new ApplicationManagementException(msg);
                }
+                if (!isUserAbleToViewAllRoles()) {
+                    if (!hasUserRole(unrestrictedRoles, userName)) {
+                        String msg = "You are trying to restrict the visibility of the application for a role set, but "
+                                + "in order to perform the action at least one role should be assigned to user: "
+                                + userName;
+                        log.error(msg);
+                        throw new BadRequestException(msg);
+                    }
+                }
            }

            Filter filter = new Filter();
@ -3709,6 +3748,10 @@ public class ApplicationManagerImpl implements ApplicationManager {
            String msg = "Error occurred when validating the unrestricted roles given for the web clip";
            log.error(msg, e);
            throw new ApplicationManagementException(msg, e);
+        } catch (MetadataManagementException e) {
+            String msg = "Error occurred while retrieving metadata list";
+            log.error(msg, e);
+            throw new ApplicationManagementException(msg, e);
        } finally {
            ConnectionManagerUtil.closeDBConnection();
        }
--- a/components/application-mgt/io.entgra.device.mgt.core.application.mgt.core/src/main/java/io/entgra/device/mgt/core/application/mgt/core/util/APIUtil.java
+++ b/components/application-mgt/io.entgra.device.mgt.core.application.mgt.core/src/main/java/io/entgra/device/mgt/core/application/mgt/core/util/APIUtil.java
@ -26,6 +26,7 @@ import io.entgra.device.mgt.core.application.mgt.core.config.IdentityServiceProv
 import io.entgra.device.mgt.core.application.mgt.core.serviceprovider.ISServiceProviderApplicationService;
 import io.entgra.device.mgt.core.application.mgt.core.exception.BadRequestException;
 import io.entgra.device.mgt.core.application.mgt.core.exception.UnexpectedServerErrorException;
+import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.MetadataManagementService;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@ -71,6 +72,7 @@ public class APIUtil {
    private static volatile SubscriptionManager subscriptionManager;
    private static volatile ReviewManager reviewManager;
    private static volatile AppmDataHandler appmDataHandler;
+    private static volatile MetadataManagementService metadataManagementService;

    public static SPApplicationManager getSPApplicationManager() {
        if (SPApplicationManager == null) {
@ -523,4 +525,20 @@ public class APIUtil {
                .getAppHashValue() + Constants.FORWARD_SLASH;
        return basePath + Constants.ICON_ARTIFACT + Constants.FORWARD_SLASH + applicationReleaseDTO.getIconName();
    }
+
+    public static MetadataManagementService getMetadataManagementService() {
+        if (metadataManagementService == null) {
+            synchronized (APIUtil.class) {
+                if (metadataManagementService == null) {
+                    PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
+                    metadataManagementService = (MetadataManagementService) ctx.getOSGiService(
+                            MetadataManagementService.class, null);
+                    if (metadataManagementService == null) {
+                        throw new IllegalStateException("Metadata Management service not initialized.");
+                    }
+                }
+            }
+        }
+        return metadataManagementService;
+    }
 }
--- a/components/application-mgt/io.entgra.device.mgt.core.application.mgt.core/src/main/java/io/entgra/device/mgt/core/application/mgt/core/util/Constants.java
+++ b/components/application-mgt/io.entgra.device.mgt.core.application.mgt.core/src/main/java/io/entgra/device/mgt/core/application/mgt/core/util/Constants.java
@ -70,7 +70,8 @@ public class Constants {
    public static final String ANY = "ANY";
    public static final String DEFAULT_PCK_NAME = "default.app.com";
    public static final String ALL = "ALL";
-
+    public static final String SHOW_ALL_ROLES = "SHOW_ALL_ROLES";
+    public static final String IS_USER_ABLE_TO_VIEW_ALL_ROLES = "isUserAbleToViewAllRoles";
    public static final String GOOGLE_PLAY_STORE_URL = "https://play.google.com/store/apps/details?id=";
    public static final String APPLE_STORE_URL = "https://itunes.apple.com/country/app/app-name/id";

--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java
@ -19,7 +19,6 @@ package io.entgra.device.mgt.core.device.mgt.api.jaxrs.service.impl;

 import io.entgra.device.mgt.core.device.mgt.common.exceptions.MetadataManagementException;
 import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.Metadata;
-import org.apache.axis2.databinding.types.xsd._boolean;
 import org.apache.commons.logging.Log;
 import org.json.simple.JSONObject;
 import org.json.simple.parser.JSONParser;
@ -110,8 +109,10 @@ public class RoleManagementServiceImpl implements RoleManagementService {
            @QueryParam("filter") String filter,
            @QueryParam("user-store") String userStore,
            @HeaderParam("If-Modified-Since") String ifModifiedSince,
-            @QueryParam("offset") int offset, @QueryParam("limit") int limit,
-            @QueryParam("username") String username, @QueryParam("domain") String domain,
+            @QueryParam("offset") int offset,
+            @QueryParam("limit") int limit,
+            @QueryParam("username") String username,
+            @QueryParam("domain") String domain,
            @PathParam("metaKey") String metaKey) {
        RequestValidationUtil.validatePaginationParameters(offset, limit);
        if (limit == 0){
@ -128,7 +129,7 @@ public class RoleManagementServiceImpl implements RoleManagementService {
            String metaValue = metadata.getMetaValue();
            JSONParser parser = new JSONParser();
            JSONObject jsonObject = (JSONObject) parser.parse(metaValue);
-            boolean decision = (boolean) jsonObject.get("isUserAbleToViewAllRoles");
+            boolean decision = (boolean) jsonObject.get(Constants.IS_USER_ABLE_TO_VIEW_ALL_ROLES);
            if (decision) {
                if (userStore == null || "".equals(userStore)){
                    userStore = PRIMARY_USER_STORE;
@ -148,7 +149,8 @@ public class RoleManagementServiceImpl implements RoleManagementService {
                            new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
                }
            } else {
-                try{UserStoreManager userStoreManager = DeviceMgtAPIUtils.getUserStoreManager();
+                try {
+                    UserStoreManager userStoreManager = DeviceMgtAPIUtils.getUserStoreManager();
                    if (!userStoreManager.isExistingUser(username)) {
                        if (log.isDebugEnabled()) {
                            log.debug("User by username: " + username + " does not exist for role retrieval.");
@ -171,7 +173,9 @@ public class RoleManagementServiceImpl implements RoleManagementService {
            log.error(msg, e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
        } catch (ParseException e) {
-            throw new RuntimeException(e);
+            String msg = "Error occurred while parsing JSON metadata: " + e.getMessage();
+            log.error(msg, e);
+            return Response.status(Response.Status.BAD_REQUEST).entity(msg).build();
        }
    }

--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/util/Constants.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/util/Constants.java
@ -38,6 +38,7 @@ public class Constants {
 	public static final int DEFAULT_PAGE_LIMIT = 50;
 	public static final String FORWARD_SLASH = "/";
 	public static final String ANDROID = "android";
+	public static final String IS_USER_ABLE_TO_VIEW_ALL_ROLES = "isUserAbleToViewAllRoles";
 	public static final String ANDROID_POLICY_VALIDATOR = "io.entgra.proprietary.uem.platform.android." +
 			"core.polcy.AndroidPolicyPayloadValidator";
 	public static final String IOS = "ios";