Improve authorization when accessing the organization resources from …

…tenant perspective

components/org.wso2.carbon.identity.authz.service/pom.xml

@@ -58,6 +58,14 @@
             <groupId>org.wso2.carbon.identity.auth.rest</groupId>
             <artifactId>org.wso2.carbon.identity.auth.service</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.organization.management</groupId>
+            <artifactId>org.wso2.carbon.identity.organization.management.organization.user.sharing</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
+            <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.jacoco</groupId>
             <artifactId>jacoco-maven-plugin</artifactId>
@@ -94,7 +102,9 @@
                             org.wso2.carbon.identity.core.*; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.oauth2.*;
                             version="${org.wso2.carbon.identity.oauth.import.version.range}",
-                            org.wso2.carbon.identity.auth.service.*;version="${org.wso2.carbon.identity.auth.service.version.range}"
+                            org.wso2.carbon.identity.auth.service.*;version="${org.wso2.carbon.identity.auth.service.version.range}",
+                            org.wso2.carbon.identity.organization.management.organization.user.sharing.*;
+                            version="${org.wso2.carbon.identity.organization.management.version.range}",
                         </Import-Package>
                         <Export-Package>
                             !org.wso2.carbon.identity.authz.service.internal,

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java

@@ -37,12 +37,19 @@
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingServiceImpl;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.user.api.AuthorizationManager;
 import org.wso2.carbon.user.api.UserRealm;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.user.core.util.UserCoreUtil;
 
+import java.util.List;
+
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_ALLOWED_SCOPES;
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_VALIDATE_SCOPE;
 import static org.wso2.carbon.identity.auth.service.util.Constants.VALIDATE_LEGACY_PERMISSIONS;
@@ -104,6 +111,27 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
             } else {
                 AuthenticatedUser authenticatedUser = new AuthenticatedUser(user);
                 String userId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();
+                // Check whether the user is accessing a resource where the user has the access.
+                String resourceOrgId = (String) authorizationContext.getParameter("resourceOrgId");
+                if (StringUtils.isNotEmpty(resourceOrgId)) {
+                    String userResidentTenantDomain = user.getTenantDomain();
+                    OrganizationManager organizationManager = AuthorizationServiceHolder.getInstance().getOrganizationManager();
+                    String userResidentOrgId = organizationManager.resolveOrganizationId(userResidentTenantDomain);
+                    OrganizationUserSharingService organizationUserSharingService = new OrganizationUserSharingServiceImpl();
+                    List<UserAssociation> sharedAssociations = organizationUserSharingService.
+                            getUserAssociationsOfGivenUser(userId, userResidentOrgId);
+                    for (UserAssociation userAssociation : sharedAssociations) {
+                        if (resourceOrgId.equals(userAssociation.getOrganizationId())) {
+                            String sharedUserTenantDomain = organizationManager.resolveTenantDomain(
+                                    userAssociation.getOrganizationId());
+//                            authenticatedUser.setTenantDomain(sharedUserTenantDomain);
+                            authenticatedUser.setAccessingOrganization(userAssociation.getOrganizationId());
+//                            userId = userAssociation.getUserId();
+                            break;
+                        }
+                    }
+                }
+
                 if (userId != null) {
                     authenticatedUser.setUserId(userId);
                     boolean isAuthorized = AuthzUtil.isUserAuthorized(authenticatedUser,
@@ -113,7 +141,7 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
                     }
                 }
             }
-        } catch (UserStoreException | IdentityOAuth2Exception e) {
+        } catch (UserStoreException | IdentityOAuth2Exception | OrganizationManagementException e) {
             String errorMessage = "Error occurred while trying to authorize, " + e.getMessage();
             log.error(errorMessage);
             throw new AuthzServiceServerException(errorMessage, e);

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceComponent.java

@@ -24,6 +24,7 @@
 import org.wso2.carbon.identity.authz.service.handler.AuthorizationHandler;
 import org.wso2.carbon.identity.authz.service.handler.ResourceHandler;
 import org.wso2.carbon.identity.core.handler.HandlerComparator;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
 import org.wso2.carbon.user.core.service.RealmService;
 import java.util.Collections;
 import java.util.List;
@@ -115,5 +116,24 @@ protected void setResourceHandler(ResourceHandler resourceHandler) {
     protected void unsetResourceHandler(ResourceHandler resourceHandler) {
         setResourceHandler(null);
     }
+
+    @Reference(
+            name = "organization.service",
+            service = OrganizationManager.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetOrganizationManager"
+    )
+    protected void setOrganizationManager(OrganizationManager organizationManager) {
+
+        log.debug("Setting the organization management service.");
+        AuthorizationServiceHolder.getInstance().setOrganizationManager(organizationManager);
+    }
+
+    protected void unsetOrganizationManager(OrganizationManager organizationManager) {
+
+        log.debug("Unset organization management service.");
+        AuthorizationServiceHolder.getInstance().setOrganizationManager(null);
+    }
 }
 

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceHolder.java

@@ -20,6 +20,7 @@
 
 import org.wso2.carbon.identity.authz.service.handler.AuthorizationHandler;
 import org.wso2.carbon.identity.authz.service.handler.ResourceHandler;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
 import org.wso2.carbon.user.core.service.RealmService;
 
 import java.util.ArrayList;
@@ -37,6 +38,7 @@ public class AuthorizationServiceHolder {
     private List<ResourceHandler> resourceHandlerList = new ArrayList<>();
 
     private RealmService realmService = null;
+    private OrganizationManager organizationManager;
 
     private AuthorizationServiceHolder() {
 
@@ -61,4 +63,15 @@ public List<AuthorizationHandler> getAuthorizationHandlerList() {
     public List<ResourceHandler> getResourceHandlerList() {
         return resourceHandlerList;
     }
+
+    public OrganizationManager getOrganizationManager() {
+
+        return organizationManager;
+    }
+
+    public void setOrganizationManager(
+            OrganizationManager organizationManager) {
+
+        this.organizationManager = organizationManager;
+    }
 }

components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java

@@ -122,6 +122,13 @@ public void invoke(Request request, Response response) throws IOException, Servl
                 authorizationContext.addParameter(OAUTH2_VALIDATE_SCOPE, authenticationContext.getParameter(OAUTH2_VALIDATE_SCOPE));
                 authorizationContext.addParameter(VALIDATE_LEGACY_PERMISSIONS,
                         authenticationContext.getParameter(VALIDATE_LEGACY_PERMISSIONS));
+                Pattern patternTenantPerspective = Pattern.compile("^/t/[^/]+/o/[a-f0-9\\-]+?");
+                if (patternTenantPerspective.matcher(requestURI).find()) {
+                    int startIndex = requestURI.indexOf("/o/") + 3;
+                    int endIndex = requestURI.indexOf("/", startIndex);
+                    String resourceOrgId = requestURI.substring(startIndex, endIndex);
+                    authorizationContext.addParameter("resourceOrgId", resourceOrgId);
+                }
 
                 String tenantDomainFromURLMapping = Utils.getTenantDomainFromURLMapping(request);
                 authorizationContext.setTenantDomainFromURLMapping(tenantDomainFromURLMapping);

pom.xml

@@ -182,6 +182,11 @@
                 <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
                 <version>${org.wso2.carbon.identity.organization.management.core.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.identity.organization.management</groupId>
+                <artifactId>org.wso2.carbon.identity.organization.management.organization.user.sharing</artifactId>
+                <version>${org.wso2.carbon.identity.organization.management.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.wso2.carbon.identity.event.handler.accountlock</groupId>
                 <artifactId>org.wso2.carbon.identity.handler.event.account.lock</artifactId>
@@ -437,7 +442,7 @@
         <nimbusds.version>7.9.0.wso2v1</nimbusds.version>
         <nimbusds.osgi.version.range>[7.3.0,8.0.0)</nimbusds.osgi.version.range>
 
-        <org.wso2.carbon.identity.organization.management.version>1.1.14
+        <org.wso2.carbon.identity.organization.management.version>1.4.59
         </org.wso2.carbon.identity.organization.management.version>
         <org.wso2.carbon.identity.organization.management.version.range>[1.0.0, 2.0.0)
         </org.wso2.carbon.identity.organization.management.version.range>