Add new table to handle gw visibility permissions

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/APIAdmin.java

@@ -17,6 +17,7 @@
 */
 package org.wso2.carbon.apimgt.api;
 
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APICategory;
@@ -354,6 +355,14 @@ KeyManagerConfigurationDTO updateKeyManagerConfiguration(KeyManagerConfiguration
      */
     KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id) throws APIManagementException;
 
+    /**
+     * This method used to get gateway visibility permissions with gateway environment id and role
+     * @param id uuid of gateway environment
+     * @return gateway visibility permissions
+     * @throws APIManagementException
+     */
+    GatewayVisibilityPermissionConfigurationDTO getGatewayVisibilityPermissions(String id) throws APIManagementException;
+
     /**
      * hTis method used to delete IDP mapped with key manager
      * @param organization organization requested

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/APIConsumer.java

@@ -21,29 +21,9 @@
 
 import org.json.simple.JSONArray;
 import org.json.simple.JSONObject;
+import org.wso2.carbon.apimgt.api.dto.EnvironmentPropertiesDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
-import org.wso2.carbon.apimgt.api.model.API;
-import org.wso2.carbon.apimgt.api.model.APIIdentifier;
-import org.wso2.carbon.apimgt.api.model.APIKey;
-import org.wso2.carbon.apimgt.api.model.APIRating;
-import org.wso2.carbon.apimgt.api.model.APIRevisionDeployment;
-import org.wso2.carbon.apimgt.api.model.AccessTokenInfo;
-import org.wso2.carbon.apimgt.api.model.ApiTypeWrapper;
-import org.wso2.carbon.apimgt.api.model.CommentList;
-import org.wso2.carbon.apimgt.api.model.Application;
-import org.wso2.carbon.apimgt.api.model.Comment;
-import org.wso2.carbon.apimgt.api.model.Identifier;
-import org.wso2.carbon.apimgt.api.model.KeyManagerApplicationInfo;
-import org.wso2.carbon.apimgt.api.model.Monetization;
-import org.wso2.carbon.apimgt.api.model.OAuthApplicationInfo;
-import org.wso2.carbon.apimgt.api.model.ResourceFile;
-import org.wso2.carbon.apimgt.api.model.Scope;
-import org.wso2.carbon.apimgt.api.model.SubscribedAPI;
-import org.wso2.carbon.apimgt.api.model.Subscriber;
-import org.wso2.carbon.apimgt.api.model.SubscriptionResponse;
-import org.wso2.carbon.apimgt.api.model.Tag;
-import org.wso2.carbon.apimgt.api.model.Tier;
-import org.wso2.carbon.apimgt.api.model.TierPermission;
+import org.wso2.carbon.apimgt.api.model.*;
 import org.wso2.carbon.apimgt.api.model.webhooks.Subscription;
 import org.wso2.carbon.apimgt.api.model.webhooks.Topic;
 
@@ -883,6 +863,25 @@ List<KeyManagerConfigurationDTO> getKeyManagerConfigurationsByOrganization(Strin
     boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String organization, String username)
             throws APIManagementException;
 
+    /**
+     * This method used to retrieve gateway environment for tenant
+     * @param organization organization of the gateway environment
+     * @param username username of the logged-in user
+     * @return Environment list
+     * @throws APIManagementException if error occurred
+     */
+    List<Environment> getGatewayEnvironmentsByOrganization(String organization, String username)
+            throws APIManagementException;
+
+    /**
+     * This method used to check if gateway environment is allowed for user
+     * @param gatewayId uuid of the gateway environment
+     * @param username username of the logged-in user
+     * @return boolean
+     * @throws APIManagementException if error occurred
+     */
+    boolean isGatewayAllowedForUser(String gatewayId, String username) throws APIManagementException;
+
     /**
      * Remove application keys.
      * @param application   application

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/dto/GatewayVisibilityPermissionConfigurationDTO.java

@@ -0,0 +1,60 @@
+/*
+ *  Copyright (c) 2025, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  WSO2 LLC. licenses this file to you under the Apache License,
+ *  Version 2.0 (the "License"); you may not use this file except
+ *  in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.api.dto;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ *GatewayVisibilityPermissionConfiguration model
+ */
+public class GatewayVisibilityPermissionConfigurationDTO implements Serializable {
+
+    private String permissionType = null;
+    private List<String> roles = new ArrayList<String>();
+
+    public GatewayVisibilityPermissionConfigurationDTO () {
+        this.setPermissionType("PUBLIC");
+    }
+
+    public GatewayVisibilityPermissionConfigurationDTO(String permissionType, List<String> roles) {
+        this.permissionType = permissionType;
+        this.roles = roles;
+    }
+
+    public String getPermissionType () {
+        return permissionType;
+    }
+
+    public void setPermissionType (String permissionType) {
+        this.permissionType = permissionType;
+    }
+
+    public List<String> getRoles() {
+        return roles;
+    }
+
+    public void setRoles(List<String> roles) {
+        if (roles == null) {
+            return;
+        }
+        this.roles = roles;
+    }
+}

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/Environment.java

@@ -21,6 +21,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.APIConstants;
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 
 import java.io.Serializable;
 import java.util.ArrayList;
@@ -58,6 +59,8 @@ public class Environment implements Serializable {
     private String[] visibilityRoles;
     private String visibility;
 
+    private GatewayVisibilityPermissionConfigurationDTO permissions = new GatewayVisibilityPermissionConfigurationDTO();
+
     public boolean isDefault() {
         return isDefault;
     }
@@ -188,12 +191,23 @@ public void setVisibility(String[] visibilityRoles) {
             builder.deleteCharAt(builder.length() - 1);
             this.visibility = builder.toString();
         } else {
-            this.visibility = "all";
-            this.visibilityRoles[0] = "all";
+            this.visibility = "PUBLIC";
+            this.visibilityRoles[0] = "internal/everyone";
         }
         this.visibilityRoles = visibilityRoles;
     }
 
+    public GatewayVisibilityPermissionConfigurationDTO getPermissions() {
+        return permissions;
+    }
+
+    public void setPermissions(GatewayVisibilityPermissionConfigurationDTO permissions) {
+        if (permissions == null) {
+            permissions = new GatewayVisibilityPermissionConfigurationDTO();
+        }
+        this.permissions = permissions;
+    }
+
     public String getDisplayName() {
         return displayName;
     }

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIAdminImpl.java

@@ -39,6 +39,7 @@
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.APIMgtResourceNotFoundException;
 import org.wso2.carbon.apimgt.api.ExceptionCodes;
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.API;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
@@ -925,6 +926,18 @@ public KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id)
         return keyManagerPermissionConfigurationDTO;
     }
 
+    @Override
+    public GatewayVisibilityPermissionConfigurationDTO getGatewayVisibilityPermissions(String id) throws APIManagementException {
+
+        GatewayVisibilityPermissionConfigurationDTO gatewayVisibilityPermissionConfigurationDTO;
+        try {
+            gatewayVisibilityPermissionConfigurationDTO = apiMgtDAO.getGatewayVisibilityPermissions(id);
+        } catch (APIManagementException e) {
+            throw new APIManagementException("Gateway Visibility Permissions retrieval failed for gateway environment id " + id, e);
+        }
+        return gatewayVisibilityPermissionConfigurationDTO;
+    }
+
     private IdentityProvider updatedIDP(IdentityProvider retrievedIDP,
                                         KeyManagerConfigurationDTO keyManagerConfigurationDTO) {
 

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConsumerImpl.java

@@ -43,6 +43,7 @@
 import org.wso2.carbon.apimgt.api.APIMgtResourceNotFoundException;
 import org.wso2.carbon.apimgt.api.ExceptionCodes;
 import org.wso2.carbon.apimgt.api.WorkflowResponse;
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.API;
@@ -4036,11 +4037,8 @@ public API getLightweightAPIByUUID(String uuid, String organization) throws APIM
                 API api = APIMapper.INSTANCE.toApi(devPortalApi);
 
                 // populate relevant external info environment
-                List<Environment> environments = null;
-                if (api.getEnvironments() != null) {
-                    environments = APIUtil.getEnvironmentsOfAPI(api);
-                }
-                api.setEnvironments(APIUtil.extractEnvironmentsForAPI(environments, organization, userNameWithoutChange));
+                List<Environment> environments = getGatewayEnvironmentsByOrganization(organization, username);
+                api.setEnvironments(APIUtil.extractEnvironmentsForAPI(environments.toString(), organization));
                 //CORS . if null is returned, set default config from the configuration
                 if (api.getCorsConfiguration() == null) {
                     api.setCorsConfiguration(APIUtil.getDefaultCorsConfiguration());
@@ -4677,6 +4675,57 @@ public boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String or
         return true;
     }
 
+    /**
+     * This method is used to retrieve gateway environments for tenant
+     *
+     * @param organization organization of the gateway environment
+     * @param username     username of the logged-in user
+     * @return Environment list
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public List<Environment> getGatewayEnvironmentsByOrganization(String organization, String username) throws APIManagementException {
+
+        Map<String, Environment> environmentsMap = APIUtil.getEnvironments(organization);
+        List<Environment> permittedGatewayEnvironments = new ArrayList<>();
+        if (environmentsMap.size() > 0) {
+            for (Environment environment : environmentsMap.values()) {
+                if (isGatewayAllowedForUser(environment.getUuid(), username)) {
+                    permittedGatewayEnvironments.add(environment);
+                }
+            }
+        }
+        return permittedGatewayEnvironments;
+    }
+
+    /**
+     * This method is used to check if gateway environment is allowed for user
+     *
+     * @param gatewayId uuid of the gateway environment
+     * @param username  username of the logged-in user
+     * @return boolean returns if the gateway environment is allowed for the logged-in user
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public boolean isGatewayAllowedForUser(String gatewayId, String username) throws APIManagementException {
+
+        APIAdmin apiAdmin = new APIAdminImpl();
+        GatewayVisibilityPermissionConfigurationDTO permissions = apiAdmin.getGatewayVisibilityPermissions(gatewayId);
+        String permissionType = permissions.getPermissionType();
+        if (permissions != null && !permissionType.equals(PERMISSION_NOT_RESTRICTED)) {
+            String[] permissionRoles = permissions.getRoles()
+                    .stream()
+                    .toArray(String[]::new);
+            String[] userRoles = APIUtil.getListOfRoles(username);
+            boolean roleIsRestricted = hasIntersection(userRoles, permissionRoles);
+            if ((PERMISSION_ALLOW.equals(permissionType) && !roleIsRestricted)
+                    || (PERMISSION_DENY.equals(permissionType) && roleIsRestricted)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
     public static boolean hasIntersection(String[] arr1, String[] arr2) {
 
         Set<String> set = new HashSet<>();

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java

@@ -29,6 +29,7 @@
 import org.json.simple.JSONArray;
 import org.json.simple.JSONObject;
 import org.wso2.carbon.apimgt.api.APIManagementException;
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APIPublisher;
 import org.wso2.carbon.apimgt.api.model.APIStore;
 import org.wso2.carbon.apimgt.api.model.Environment;
@@ -759,15 +760,26 @@ void setEnvironmentConfig(OMElement environmentElem) throws APIManagementExcepti
             gatewayType = APIConstants.API_GATEWAY_TYPE_REGULAR;
         }
         environment.setGatewayType(gatewayType);
+        GatewayVisibilityPermissionConfigurationDTO permissionsDTO = new GatewayVisibilityPermissionConfigurationDTO();
         OMElement visibility = environmentElem.getFirstChildWithName(new QName(APIConstants.API_GATEWAY_VISIBILITY));
-        String[] visibilityRoles;
+        List<String> visibilityRoles = new LinkedList<>();
+        String[] visibilityRolesArray;
         if (visibility == null) {
-            visibilityRoles = new String[]{"all"};
+            permissionsDTO.setPermissionType("PUBLIC");
+            environment.setVisibility("PUBLIC");
+            visibilityRolesArray = new String[]{APIConstants.EVERYONE_ROLE};
         } else {
             String visibilityString = visibility.getText();
-            visibilityRoles = visibilityString.split(",");
+            visibilityRolesArray = visibilityString.split(",");
+            for (int i = 0; i < visibilityRolesArray.length; i++) {
+                visibilityRoles.add(visibilityRolesArray[i]);
+            }
+            permissionsDTO.setPermissionType("ALLOW");
+            permissionsDTO.setRoles(visibilityRoles);
+            environment.setVisibility(visibilityString);
         }
-        environment.setVisibility(visibilityRoles);
+        environment.setVisibility(visibilityRolesArray);
+        environment.setPermissions(permissionsDTO);
         if (StringUtils.isEmpty(environment.getDisplayName())) {environment.setDisplayName(environment.getName());}
         environment.setServerURL(APIUtil.replaceSystemProperty(environmentElem.getFirstChildWithName(new QName(
                         APIConstants.API_GATEWAY_SERVER_URL)).getText()));