Add new table to handle gw visibility permissions

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/APIAdmin.java

@@ -17,6 +17,7 @@
 */
 package org.wso2.carbon.apimgt.api;
 
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APICategory;
@@ -354,6 +355,14 @@ KeyManagerConfigurationDTO updateKeyManagerConfiguration(KeyManagerConfiguration
      */
     KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id) throws APIManagementException;
 
+    /**
+     * This method used to get gateway visibility permissions with gateway environment id and role
+     * @param id uuid of gateway environment
+     * @return gateway visibility permissions
+     * @throws APIManagementException
+     */
+    GatewayVisibilityPermissionConfigurationDTO getGatewayVisibilityPermissions(String id) throws APIManagementException;
+
     /**
      * hTis method used to delete IDP mapped with key manager
      * @param organization organization requested

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/APIConsumer.java

@@ -32,8 +32,8 @@
 import org.wso2.carbon.apimgt.api.model.CommentList;
 import org.wso2.carbon.apimgt.api.model.Application;
 import org.wso2.carbon.apimgt.api.model.Comment;
+import org.wso2.carbon.apimgt.api.model.Environment;
 import org.wso2.carbon.apimgt.api.model.Identifier;
-import org.wso2.carbon.apimgt.api.model.KeyManagerApplicationInfo;
 import org.wso2.carbon.apimgt.api.model.Monetization;
 import org.wso2.carbon.apimgt.api.model.OAuthApplicationInfo;
 import org.wso2.carbon.apimgt.api.model.ResourceFile;
@@ -883,6 +883,16 @@ List<KeyManagerConfigurationDTO> getKeyManagerConfigurationsByOrganization(Strin
     boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String organization, String username)
             throws APIManagementException;
 
+    /**
+     * This method used to retrieve gateway environment for tenant
+     * @param organization organization of the gateway environment
+     * @param username username of the logged-in user
+     * @return Environment list
+     * @throws APIManagementException if error occurred
+     */
+    Map<String, Environment> getGatewayEnvironmentsByOrganization(String organization, String username)
+            throws APIManagementException;
+
     /**
      * Remove application keys.
      * @param application   application

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/dto/GatewayVisibilityPermissionConfigurationDTO.java

@@ -0,0 +1,60 @@
+/*
+ *  Copyright (c) 2025, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  WSO2 LLC. licenses this file to you under the Apache License,
+ *  Version 2.0 (the "License"); you may not use this file except
+ *  in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.api.dto;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ *GatewayVisibilityPermissionConfiguration model
+ */
+public class GatewayVisibilityPermissionConfigurationDTO implements Serializable {
+
+    private String permissionType = null;
+    private List<String> roles = new ArrayList<String>();
+
+    public GatewayVisibilityPermissionConfigurationDTO () {
+        this.setPermissionType("PUBLIC");
+    }
+
+    public GatewayVisibilityPermissionConfigurationDTO(String permissionType, List<String> roles) {
+        this.permissionType = permissionType;
+        this.roles = roles;
+    }
+
+    public String getPermissionType () {
+        return permissionType;
+    }
+
+    public void setPermissionType (String permissionType) {
+        this.permissionType = permissionType;
+    }
+
+    public List<String> getRoles() {
+        return roles;
+    }
+
+    public void setRoles(List<String> roles) {
+        if (roles == null) {
+            return;
+        }
+        this.roles = roles;
+    }
+}

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/APIRevisionDeployment.java

@@ -32,8 +32,8 @@ public class APIRevisionDeployment implements Serializable {
     private boolean isDisplayOnDevportal;
     private String deployedTime;
     private String successDeployedTime;
-
     private String visibility;
+    private String permissionType;
 
     public int getId() {
         return id;
@@ -106,4 +106,12 @@ public String getVisibility() {
     public void setVisibility(String visibility) {
         this.visibility = visibility;
     }
+
+    public String getPermissionType() {
+        return permissionType;
+    }
+
+    public void setPermissionType(String permissionType) {
+        this.permissionType = permissionType;
+    }
 }

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/Environment.java

@@ -21,6 +21,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.APIConstants;
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 
 import java.io.Serializable;
 import java.util.ArrayList;
@@ -58,6 +59,8 @@ public class Environment implements Serializable {
     private String[] visibilityRoles;
     private String visibility;
 
+    private GatewayVisibilityPermissionConfigurationDTO permissions = new GatewayVisibilityPermissionConfigurationDTO();
+
     public boolean isDefault() {
         return isDefault;
     }
@@ -188,12 +191,23 @@ public void setVisibility(String[] visibilityRoles) {
             builder.deleteCharAt(builder.length() - 1);
             this.visibility = builder.toString();
         } else {
-            this.visibility = "all";
-            this.visibilityRoles[0] = "all";
+            this.visibility = "PUBLIC";
+            this.visibilityRoles[0] = "internal/everyone";
         }
         this.visibilityRoles = visibilityRoles;
     }
 
+    public GatewayVisibilityPermissionConfigurationDTO getPermissions() {
+        return permissions;
+    }
+
+    public void setPermissions(GatewayVisibilityPermissionConfigurationDTO permissions) {
+        if (permissions == null) {
+            permissions = new GatewayVisibilityPermissionConfigurationDTO();
+        }
+        this.permissions = permissions;
+    }
+
     public String getDisplayName() {
         return displayName;
     }

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIAdminImpl.java

@@ -39,6 +39,7 @@
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.APIMgtResourceNotFoundException;
 import org.wso2.carbon.apimgt.api.ExceptionCodes;
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.API;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
@@ -925,6 +926,18 @@ public KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id)
         return keyManagerPermissionConfigurationDTO;
     }
 
+    @Override
+    public GatewayVisibilityPermissionConfigurationDTO getGatewayVisibilityPermissions(String id) throws APIManagementException {
+
+        GatewayVisibilityPermissionConfigurationDTO gatewayVisibilityPermissionConfigurationDTO;
+        try {
+            gatewayVisibilityPermissionConfigurationDTO = apiMgtDAO.getGatewayVisibilityPermissions(id);
+        } catch (APIManagementException e) {
+            throw new APIManagementException("Gateway Visibility Permissions retrieval failed for gateway environment id " + id, e);
+        }
+        return gatewayVisibilityPermissionConfigurationDTO;
+    }
+
     private IdentityProvider updatedIDP(IdentityProvider retrievedIDP,
                                         KeyManagerConfigurationDTO keyManagerConfigurationDTO) {
 

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java

@@ -3195,6 +3195,10 @@ public enum ConfigType {
     public static final String WSO2_APK_GATEWAY = "wso2/apk";
     public static final String WSO2_SYNAPSE_GATEWAY = "wso2/synapse";
 
+    public static final String PERMISSION_ALLOW = "ALLOW";
+    public static final String PERMISSION_DENY = "DENY";
+    public static final String PERMISSION_NOT_RESTRICTED = "PUBLIC";
+
     // Protocol variables
     public static final String HTTP_TRANSPORT_PROTOCOL_NAME = "http";
     public static final String HTTPS_TRANSPORT_PROTOCOL_NAME = "https";

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConsumerImpl.java

@@ -148,21 +148,7 @@
 import java.io.InputStream;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.SortedSet;
-import java.util.TreeSet;
-import java.util.UUID;
+import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.regex.Matcher;
@@ -194,9 +180,6 @@ public class APIConsumerImpl extends AbstractAPIManager implements APIConsumer {
     public static final String API_NAME = "apiName";
     public static final String API_VERSION = "apiVersion";
     public static final String API_PROVIDER = "apiProvider";
-    private static final String PERMISSION_ALLOW = "ALLOW";
-    private static final String PERMISSION_DENY = "DENY";
-    private static final String PERMISSION_NOT_RESTRICTED = "PUBLIC";
     private static final String PRESERVED_CASE_SENSITIVE_VARIABLE = "preservedCaseSensitive";
 
     private static final String GET_SUB_WORKFLOW_REF_FAILED = "Failed to get external workflow reference for " +
@@ -4036,11 +4019,8 @@ public API getLightweightAPIByUUID(String uuid, String organization) throws APIM
                 API api = APIMapper.INSTANCE.toApi(devPortalApi);
 
                 // populate relevant external info environment
-                List<Environment> environments = null;
-                if (api.getEnvironments() != null) {
-                    environments = APIUtil.getEnvironmentsOfAPI(api);
-                }
-                api.setEnvironments(APIUtil.extractEnvironmentsForAPI(environments, organization, userNameWithoutChange));
+                Map<String, Environment> environments = getGatewayEnvironmentsByOrganization(organization, username);
+                api.setEnvironments(APIUtil.extractEnvironmentsForAPI(environments.toString(), organization));
                 //CORS . if null is returned, set default config from the configuration
                 if (api.getCorsConfiguration() == null) {
                     api.setCorsConfiguration(APIUtil.getDefaultCorsConfiguration());
@@ -4628,14 +4608,14 @@ public boolean isKeyManagerAllowedForUser(String keyManagerId, String username)
         APIAdmin apiAdmin = new APIAdminImpl();
         KeyManagerPermissionConfigurationDTO permissions = apiAdmin.getKeyManagerPermissions(keyManagerId);
         String permissionType = permissions.getPermissionType();
-        if (permissions != null && !permissionType.equals(PERMISSION_NOT_RESTRICTED)) {
+        if (permissions != null && !permissionType.equals(APIConstants.PERMISSION_NOT_RESTRICTED)) {
             String[] permissionRoles = permissions.getRoles()
                     .stream()
                     .toArray(String[]::new);
             String[] userRoles = APIUtil.getListOfRoles(username);
             boolean roleIsRestricted = hasIntersection(userRoles, permissionRoles);
-            if ((PERMISSION_ALLOW.equals(permissionType) && !roleIsRestricted)
-                    || (PERMISSION_DENY.equals(permissionType) && roleIsRestricted)) {
+            if ((APIConstants.PERMISSION_ALLOW.equals(permissionType) && !roleIsRestricted)
+                    || (APIConstants.PERMISSION_DENY.equals(permissionType) && roleIsRestricted)) {
                 return false;
             }
         }
@@ -4661,22 +4641,40 @@ public boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String or
         KeyManagerPermissionConfigurationDTO permissions = keyManagerConfiguration.getPermissions();
         String permissionType = permissions.getPermissionType();
         //Checks if the keymanager is permission restricted and if the user is in the restricted list
-        if (permissions != null && !permissionType.equals(PERMISSION_NOT_RESTRICTED)) {
+        if (permissions != null && !permissionType.equals(APIConstants.PERMISSION_NOT_RESTRICTED)) {
             String[] permissionRoles = permissions.getRoles()
                     .stream()
                     .toArray(String[]::new);
             String[] userRoles = APIUtil.getListOfRoles(username);
             //list of common roles the user has and the restricted list
             boolean roleIsRestricted = hasIntersection(userRoles, permissionRoles);
             //Checks if the user is allowed to access the key manager
-            if ((PERMISSION_ALLOW.equals(permissionType) && !roleIsRestricted)
-                    || (PERMISSION_DENY.equals(permissionType) && roleIsRestricted)) {
+            if ((APIConstants.PERMISSION_ALLOW.equals(permissionType) && !roleIsRestricted)
+                    || (APIConstants.PERMISSION_DENY.equals(permissionType) && roleIsRestricted)) {
                 return false;
             }
         }
         return true;
     }
 
+    /**
+     * This method is used to retrieve gateway environments for tenant
+     *
+     * @param organization organization of the gateway environment
+     * @param username     username of the logged-in user
+     * @return Environment list
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public Map<String, Environment> getGatewayEnvironmentsByOrganization(String organization, String username) throws APIManagementException {
+
+        Map<String, Environment> environmentsMap = APIUtil.getEnvironments(organization);
+        Map<String, Environment> permittedGatewayEnvironments;
+        List<Environment> environmentList = new ArrayList<Environment>(environmentsMap.values());
+        permittedGatewayEnvironments = APIUtil.extractVisibleEnvironmentsForUser(environmentList, username);
+        return permittedGatewayEnvironments;
+    }
+
     public static boolean hasIntersection(String[] arr1, String[] arr2) {
 
         Set<String> set = new HashSet<>();

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java

@@ -29,6 +29,7 @@
 import org.json.simple.JSONArray;
 import org.json.simple.JSONObject;
 import org.wso2.carbon.apimgt.api.APIManagementException;
+import org.wso2.carbon.apimgt.api.dto.GatewayVisibilityPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APIPublisher;
 import org.wso2.carbon.apimgt.api.model.APIStore;
 import org.wso2.carbon.apimgt.api.model.Environment;
@@ -759,15 +760,26 @@ void setEnvironmentConfig(OMElement environmentElem) throws APIManagementExcepti
             gatewayType = APIConstants.API_GATEWAY_TYPE_REGULAR;
         }
         environment.setGatewayType(gatewayType);
+        GatewayVisibilityPermissionConfigurationDTO permissionsDTO = new GatewayVisibilityPermissionConfigurationDTO();
         OMElement visibility = environmentElem.getFirstChildWithName(new QName(APIConstants.API_GATEWAY_VISIBILITY));
-        String[] visibilityRoles;
+        List<String> visibilityRoles = new LinkedList<>();
+        String[] visibilityRolesArray;
         if (visibility == null) {
-            visibilityRoles = new String[]{"all"};
+            permissionsDTO.setPermissionType("PUBLIC");
+            environment.setVisibility("PUBLIC");
+            visibilityRolesArray = new String[]{APIConstants.EVERYONE_ROLE};
         } else {
             String visibilityString = visibility.getText();
-            visibilityRoles = visibilityString.split(",");
+            visibilityRolesArray = visibilityString.split(",");
+            for (int i = 0; i < visibilityRolesArray.length; i++) {
+                visibilityRoles.add(visibilityRolesArray[i]);
+            }
+            permissionsDTO.setPermissionType("ALLOW");
+            permissionsDTO.setRoles(visibilityRoles);
+            environment.setVisibility(visibilityString);
         }
-        environment.setVisibility(visibilityRoles);
+        environment.setVisibility(visibilityRolesArray);
+        environment.setPermissions(permissionsDTO);
         if (StringUtils.isEmpty(environment.getDisplayName())) {environment.setDisplayName(environment.getName());}
         environment.setServerURL(APIUtil.replaceSystemProperty(environmentElem.getFirstChildWithName(new QName(
                         APIConstants.API_GATEWAY_SERVER_URL)).getText()));

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIProviderImpl.java

@@ -5601,11 +5601,11 @@ public API getLightweightAPIByUUID(String uuid, String organization) throws APIM
                 API api = APIMapper.INSTANCE.toApi(publisherAPI);
                 checkAccessControlPermission(userNameWithoutChange, api.getAccessControl(), api.getAccessControlRoles());
                 // populate relevant external info environment
-                List<Environment> environments = null;
-                if (api.getEnvironments() != null) {
-                    environments = APIUtil.getEnvironmentsOfAPI(api);
-                }
-                api.setEnvironments(APIUtil.extractEnvironmentsForAPI(environments, organization, userNameWithoutChange));
+                Map<String, Environment> environmentsMap = APIUtil.getEnvironments(organization);
+                Map<String, Environment> permittedGatewayEnvironments;
+                List<Environment> environmentList = new ArrayList<Environment>(environmentsMap.values());
+                permittedGatewayEnvironments = APIUtil.extractVisibleEnvironmentsForUser(environmentList, username);
+                api.setEnvironments(APIUtil.extractEnvironmentsForAPI(permittedGatewayEnvironments.toString(), organization));
                 //CORS . if null is returned, set default config from the configuration
                 if (api.getCorsConfiguration() == null) {
                     api.setCorsConfiguration(APIUtil.getDefaultCorsConfiguration());