Implement normalization of ROOT domain to null for global OAuth provider handling and add corresponding unit tests

Author: Damans227

plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/OAuth2AuthManagerImpl.java

@@ -147,7 +147,7 @@ public OauthProviderVO registerOauthProvider(RegisterOAuthProviderCmd cmd) {
         String clientId = StringUtils.trim(cmd.getClientId());
         String redirectUri = StringUtils.trim(cmd.getRedirectUri());
         String secretKey = StringUtils.trim(cmd.getSecretKey());
-        Long domainId = resolveDomainIdFromIdOrPath(cmd.getDomainId(), cmd.getDomainPath());
+        Long domainId = normalizeGlobalScope(resolveDomainIdFromIdOrPath(cmd.getDomainId(), cmd.getDomainPath()));
 
         if (!isOAuthPluginEnabled(domainId)) {
             throw new CloudRuntimeException("OAuth is not enabled, please enable to register");
@@ -203,11 +203,13 @@ public OauthProviderVO updateOauthProvider(UpdateOAuthProviderCmd cmd) {
             if (resolved == null) {
                 throw new CloudRuntimeException("Unable to resolve the supplied domain. Provide a valid domain id or path.");
             }
-            if (!resolved.equals(providerVO.getDomainId())) {
+            resolved = normalizeGlobalScope(resolved);
+            if (!Objects.equals(resolved, providerVO.getDomainId())) {
                 OauthProviderVO existing = _oauthProviderDao.findByProviderAndDomain(providerVO.getProvider(), resolved);
                 if (existing != null) {
                     throw new CloudRuntimeException(String.format(
-                            "Provider with the name %s is already registered for domain %d", providerVO.getProvider(), resolved));
+                            "Provider with the name %s is already registered for domain %s", providerVO.getProvider(),
+                            resolved == null ? "ROOT (global)" : resolved));
                 }
             }
             targetDomainId = resolved;
@@ -302,6 +304,12 @@ protected Long resolveDomainIdFromIdOrPath(Long domainId, String domainPath) {
         return null;
     }
 
+    // The ROOT domain is the top of the tree, so a provider scoped to it is equivalent
+    // to a global provider; treat it as global so the global oauth2.enabled config applies.
+    protected Long normalizeGlobalScope(Long domainId) {
+        return (domainId != null && Domain.ROOT_DOMAIN == domainId) ? null : domainId;
+    }
+
     protected String normalizeDomainPath(String path) {
         if (StringUtils.isEmpty(path)) {
             return null;

plugins/user-authenticators/oauth2/src/test/java/org/apache/cloudstack/oauth2/OAuth2AuthManagerImplTest.java

@@ -208,6 +208,32 @@ public void testUpdateOauthProviderRejectsDuplicateAtTargetDomain() {
         }
     }
 
+    @Test
+    public void testRegisterOauthProviderForRootDomainTreatedAsGlobal() {
+        RegisterOAuthProviderCmd cmd = Mockito.mock(RegisterOAuthProviderCmd.class);
+        when(cmd.getProvider()).thenReturn("github");
+        when(cmd.getDomainId()).thenReturn(com.cloud.domain.Domain.ROOT_DOMAIN);
+        when(cmd.getSecretKey()).thenReturn("secret");
+        when(cmd.getClientId()).thenReturn("clientId");
+        when(cmd.getRedirectUri()).thenReturn("https://redirect");
+
+        // global check must be consulted (domainId resolves to null), not the ROOT domain scope
+        when(_authManager.isOAuthPluginEnabled(Mockito.isNull())).thenReturn(true);
+        when(_oauthProviderDao.findByProviderAndDomain("github", null)).thenReturn(null);
+        when(_oauthProviderDao.persist(Mockito.any(OauthProviderVO.class))).thenAnswer(i -> i.getArgument(0));
+
+        OauthProviderVO result = _authManager.registerOauthProvider(cmd);
+        assertNull(result.getDomainId());
+        Mockito.verify(_oauthProviderDao).findByProviderAndDomain("github", null);
+    }
+
+    @Test
+    public void testNormalizeGlobalScopeMapsRootToNull() {
+        assertNull(_authManager.normalizeGlobalScope(com.cloud.domain.Domain.ROOT_DOMAIN));
+        assertNull(_authManager.normalizeGlobalScope(null));
+        assertEquals(Long.valueOf(42L), _authManager.normalizeGlobalScope(42L));
+    }
+
     @Test
     public void testUpdateOauthProviderRejectsEnableWhenPluginDisabledAtScope() {
         Long id = 7L;