Honour StoreIdentityClaims property when listing users by single claim value.

PasinduYeshan · PasinduYeshan · commit cfb909bfa1a5 · 2025-11-27T20:09:17.000+05:30
diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/UserStoreConfigConstants.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/UserStoreConfigConstants.java
@@ -214,4 +214,10 @@ public class UserStoreConfigConstants {
             "skip multi-valued attribute separation";
     public static final String singleValuedAttributesDisplayName = "Single Valued Attributes";
 
+    // Property to force all claims to be stored in user store regardless of other configurations.
+    public static final String STORE_IDENTITY_CLAIMS = "StoreIdentityClaims";
+    public static final String STORE_IDENTITY_CLAIMS_DISPLAY_NAME = "Store Identity Claims";
+    public static final String STORE_IDENTITY_CLAIMS_DESCRIPTION = "When enabled, all identity and user claims will " +
+            "be stored in the user store manager regardless of other claim configurations";
+
 }
diff --git a/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java
@@ -3173,7 +3173,7 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
             }
 
             try {
-                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain)) {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
                     if (log.isDebugEnabled()) {
                         log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
                                 + extractedDomain + ". Hence returning empty user list.");
@@ -3266,6 +3266,23 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
 
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
+
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             String claimValueWithDomain;
             if (StringUtils.equalsIgnoreCase(domainName, UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME)) {
                 claimValueWithDomain = domainName + CarbonConstants.DOMAIN_SEPARATOR + claimValue;
@@ -3433,7 +3450,7 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
             }
 
             try {
-                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain)) {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
                     if (log.isDebugEnabled()) {
                         log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
                                 + extractedDomain + ". Hence returning empty user list.");
@@ -3528,6 +3545,23 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
 
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
+
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailureWithID(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             String claimValueWithDomain;
             if (StringUtils.equalsIgnoreCase(domainName, UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME)) {
                 claimValueWithDomain = domainName + CarbonConstants.DOMAIN_SEPARATOR + claimValue;
@@ -3580,7 +3614,7 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
             }
 
             try {
-                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain)) {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
                     if (log.isDebugEnabled()) {
                         log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
                                 + extractedDomain + ". Hence returning empty user list.");
@@ -3665,6 +3699,22 @@ private List<String> doGetUserList(String claim, String claimValue, String profi
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, limit, offset, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(domainName, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
@@ -17415,7 +17465,7 @@ private void mapAttributesToLocalIdentityClaims(List<ExpressionCondition> expres
             }
 
             // Check if the claim is an identity store managed claim and map the attribute name to claim URI.
-            if (isIdentityStoreManagedClaim(mappedClaim.getClaim(), userStoreDomain)) {
+            if (isIdentityStoreManagedClaim(mappedClaim.getClaim(), userStoreDomain, null)) {
                 expressionCondition.setAttributeName(mappedClaim.getClaim().getClaimUri());
                 if (log.isDebugEnabled()) {
                     log.debug("Obtained the ClaimURI " + mappedClaim.getClaim().getClaimUri() +
@@ -17432,9 +17482,27 @@ private void mapAttributesToLocalIdentityClaims(List<ExpressionCondition> expres
      * to store identity claims.
      * @param localClaim Claim to be checked.
      * @param userStoreDomain User store domain.
+     * @param userStoreManager User store manager to check the configuration. If null, uses the current user store manager.
      * @return True if the claim is an identity store managed claim, false otherwise.
      */
-    private boolean isIdentityStoreManagedClaim(org.wso2.carbon.user.api.Claim localClaim, String userStoreDomain) {
+    private boolean isIdentityStoreManagedClaim(org.wso2.carbon.user.api.Claim localClaim, String userStoreDomain,
+                                                UserStoreManager userStoreManager) {
+
+        RealmConfiguration realmConfigToCheck = realmConfig;
+        if (userStoreManager instanceof AbstractUserStoreManager) {
+            realmConfigToCheck = ((AbstractUserStoreManager) userStoreManager).getRealmConfiguration();
+        }
+
+        // If StoreIdentityClaims property is enabled, all claims should be stored in user store.
+        // This overrides all other claim configurations.
+        if (Boolean.parseBoolean(
+                realmConfigToCheck.getUserStoreProperty(UserStoreConfigConstants.STORE_IDENTITY_CLAIMS))) {
+            if (log.isDebugEnabled()) {
+                log.debug("StoreIdentityClaims property is enabled for domain: " + userStoreDomain +
+                        ". All claims will be stored in user store.");
+            }
+            return false;
+        }
 
         if (localClaim == null) {
             return false;
@@ -17460,7 +17528,9 @@ private boolean isIdentityStoreManagedClaim(org.wso2.carbon.user.api.Claim local
         if (CollectionUtils.isEmpty(excludedUserStores)) {
             return false;
         }
-        return excludedUserStores.contains(userStoreDomain);
+
+        return excludedUserStores.stream()
+                .anyMatch(excludedDomain -> excludedDomain.equalsIgnoreCase(userStoreDomain));
     }
 
     /**
@@ -17523,7 +17593,7 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
             }
 
             try {
-                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain)) {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), extractedDomain, userManager)) {
                     if (log.isDebugEnabled()) {
                         log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
                                 + extractedDomain + ". Hence returning empty user list.");
@@ -17607,6 +17677,22 @@ private List<User> doGetUserListWithID(String claim, String claimValue, String p
             // For all the user stores append the domain name to the claim and pass it recursively (Including PRIMARY).
             String domainName = ((AbstractUserStoreManager) userStoreManager).getMyDomainName();
 
+            try {
+                if (isIdentityStoreManagedClaim(claimManager.getClaim(claim), domainName, userStoreManager)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("The claim: " + claim + " is an identity store managed claim for the domain: "
+                                + domainName + ". Hence skipping the user store.");
+                    }
+                    continue;
+                }
+            } catch (org.wso2.carbon.user.api.UserStoreException e) {
+                handleGetUserListFailure(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getCode(),
+                        String.format(ErrorMessages.ERROR_CODE_ERROR_DURING_PRE_GET_USER_LIST.getMessage(),
+                                e.getMessage()), claim, claimValue, limit, offset, profileName);
+                throw new UserStoreException(
+                        "Error occurred while retrieving claim for claim URI: " + claim, e);
+            }
+
             try {
                 property = claimManager.getAttributeName(domainName, claim);
             } catch (org.wso2.carbon.user.api.UserStoreException e) {
