Merge pull request #4437 from PasinduYeshan/fix/user-list-claim

PasinduYeshan · web-flow · commit dc7ae9db15b9 · 2025-12-02T17:35:11.000+05:30
Check claim storage location before listing users.
diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/UserStoreConfigConstants.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/UserStoreConfigConstants.java
@@ -214,4 +214,10 @@ public class UserStoreConfigConstants {
             "skip multi-valued attribute separation";
     public static final String singleValuedAttributesDisplayName = "Single Valued Attributes";
 
+    // Property to force all claims to be stored in user store regardless of other configurations.
+    public static final String STORE_IDENTITY_CLAIMS = "StoreIdentityClaims";
+    public static final String STORE_IDENTITY_CLAIMS_DISPLAY_NAME = "Store Identity Claims";
+    public static final String STORE_IDENTITY_CLAIMS_DESCRIPTION = "When enabled, all identity and user claims will " +
+            "be stored in the user store manager regardless of other claim configurations";
+
 }
diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java
@@ -3172,6 +3172,22 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
                         "matches");
             }
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + extractedDomain + ". Hence returning empty user list.");
+                    }
+                    return Collections.emptyList();
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(extractedDomain, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
@@ -3250,6 +3266,20 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
 
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
+
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                log.error(String.format("Error occurred while retrieving claim for claim URI: %s for domain: %s.",
+                        claim, domainName), e);
+            }
+
             String claimValueWithDomain;
             if (StringUtils.equalsIgnoreCase(domainName, UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME)) {
                 claimValueWithDomain = domainName + CarbonConstants.DOMAIN_SEPARATOR + claimValue;
@@ -3416,6 +3446,22 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
                         + "matches");
             }
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + extractedDomain + ". Hence returning empty user list.");
+                    }
+                    return Collections.emptyList();
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailureWithID(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(extractedDomain, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
@@ -3496,6 +3542,20 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
 
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
+
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                log.error(String.format("Error occurred while retrieving claim for claim URI: %s for domain: %s.",
+                        claim, domainName), e);
+            }
+
             String claimValueWithDomain;
             if (StringUtils.equalsIgnoreCase(domainName, UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME)) {
                 claimValueWithDomain = domainName + CarbonConstants.DOMAIN_SEPARATOR + claimValue;
@@ -3547,6 +3607,22 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
                         "matches");
             }
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + extractedDomain + ". Hence returning empty user list.");
+                    }
+                    return Collections.emptyList();
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, limit, offset, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(extractedDomain, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
@@ -3617,6 +3693,22 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, limit, offset, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(domainName, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
@@ -17367,7 +17459,7 @@ private void mapAttributesToLocalIdentityClaims(List<ExpressionCondition> expres
             }
 
             // Check if the claim is an identity store managed claim and map the attribute name to claim URI.
-            if (isIdentityStoreManagedClaim(mappedClaim, userStoreDomain)) {
+            if (isIdentityStoreManagedClaim(mappedClaim.getClaim(), userStoreDomain, null)) {
                 expressionCondition.setAttributeName(mappedClaim.getClaim().getClaimUri());
                 if (log.isDebugEnabled()) {
                     log.debug("Obtained the ClaimURI " + mappedClaim.getClaim().getClaimUri() +
@@ -17382,37 +17474,57 @@ private void mapAttributesToLocalIdentityClaims(List<ExpressionCondition> expres
      * Note: This only checks the `managedInUserStore` property of the claim and `excludedUserStores` property only.
      * This doesn't check if the identity store is a user-store based or if the given user store is configured
      * to store identity claims.
-     * @param mappedClaim
-     * @return
+     * @param localClaim Claim to be checked.
+     * @param userStoreDomain User store domain.
+     * @param userStoreManager User store manager to check the configuration. If null, uses the current user store manager.
+     * @return True if the claim is an identity store managed claim, false otherwise.
      */
-    private boolean isIdentityStoreManagedClaim(org.wso2.carbon.user.api.ClaimMapping mappedClaim,
-                                                String userStoreDomain) {
+    private boolean isIdentityStoreManagedClaim(org.wso2.carbon.user.api.Claim localClaim, String userStoreDomain,
+                                                UserStoreManager userStoreManager) {
+
+        RealmConfiguration realmConfigToCheck = realmConfig;
+        if (userStoreManager instanceof AbstractUserStoreManager) {
+            realmConfigToCheck = ((AbstractUserStoreManager) userStoreManager).getRealmConfiguration();
+        }
 
-        if (mappedClaim == null) {
+        // If StoreIdentityClaims property is enabled, all claims should be stored in user store.
+        // This overrides all other claim configurations.
+        if (Boolean.parseBoolean(
+                realmConfigToCheck.getUserStoreProperty(UserStoreConfigConstants.STORE_IDENTITY_CLAIMS))) {
+            if (log.isDebugEnabled()) {
+                log.debug("StoreIdentityClaims property is enabled for domain: " + userStoreDomain +
+                        ". All claims will be stored in user store.");
+            }
+            return false;
+        }
+
+        if (localClaim == null) {
             return false;
         }
 
-        Boolean managedInUserStoreValue = mappedClaim.getClaim().isManagedInUserStore();
+        Boolean managedInUserStoreValue = localClaim.isManagedInUserStore();
         if (managedInUserStoreValue == null) {
             if (log.isDebugEnabled()) {
                 log.debug("ManagedInUserStore property is not set for the claim: " +
-                        mappedClaim.getClaim().getClaimUri() + ". Hence defaulting to claim type storage.");
+                        localClaim.getClaimUri() + ". Hence defaulting to claim type storage.");
             }
-            return mappedClaim.getClaim().getClaimUri().contains(IDENTITY_CLAIM_URI);
+            return localClaim.getClaimUri().contains(IDENTITY_CLAIM_URI);
         }
         if (!managedInUserStoreValue) {
             if (log.isDebugEnabled()) {
-                log.debug("Claim: " + mappedClaim.getClaim().getClaimUri() +
+                log.debug("Claim: " + localClaim.getClaimUri() +
                         " is an identity store managed claim as per the ManagedInUserStore property.");
             }
             return true;
         }
 
-        Set<String> excludedUserStores = mappedClaim.getClaim().getExcludedUserStores();
+        Set<String> excludedUserStores = localClaim.getExcludedUserStores();
         if (CollectionUtils.isEmpty(excludedUserStores)) {
             return false;
         }
-        return excludedUserStores.contains(userStoreDomain);
+
+        return excludedUserStores.stream()
+                .anyMatch(excludedDomain -> excludedDomain.equalsIgnoreCase(userStoreDomain));
     }
 
     /**
@@ -17474,6 +17586,22 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
                         + "matches");
             }
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + extractedDomain + ". Hence returning empty user list.");
+                    }
+                    return Collections.emptyList();
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, limit, offset, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(extractedDomain, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
@@ -17543,6 +17671,22 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, limit, offset, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(domainName, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
