From 0796a634b22c3739f76dd9c1317a32e0913fee84 Mon Sep 17 00:00:00 2001 From: Shan Chathusanda Jayathilaka Date: Tue, 10 Dec 2024 16:42:38 +0530 Subject: [PATCH] Improve authorization when accessing the organization resources from tenant perspective --- .../pom.xml | 12 +++++++- .../service/handler/AuthorizationHandler.java | 30 ++++++++++++++++++- .../AuthorizationServiceComponent.java | 20 +++++++++++++ .../internal/AuthorizationServiceHolder.java | 13 ++++++++ .../authz/valve/AuthorizationValve.java | 7 +++++ pom.xml | 7 ++++- 6 files changed, 86 insertions(+), 3 deletions(-) diff --git a/components/org.wso2.carbon.identity.authz.service/pom.xml b/components/org.wso2.carbon.identity.authz.service/pom.xml index d478ad9c..771abb0c 100644 --- a/components/org.wso2.carbon.identity.authz.service/pom.xml +++ b/components/org.wso2.carbon.identity.authz.service/pom.xml @@ -58,6 +58,14 @@ org.wso2.carbon.identity.auth.rest org.wso2.carbon.identity.auth.service + + org.wso2.carbon.identity.organization.management + org.wso2.carbon.identity.organization.management.organization.user.sharing + + + org.wso2.carbon.identity.organization.management.core + org.wso2.carbon.identity.organization.management.service + org.jacoco jacoco-maven-plugin @@ -94,7 +102,9 @@ org.wso2.carbon.identity.core.*; version="${carbon.identity.package.import.version.range}", org.wso2.carbon.identity.oauth2.*; version="${org.wso2.carbon.identity.oauth.import.version.range}", - org.wso2.carbon.identity.auth.service.*;version="${org.wso2.carbon.identity.auth.service.version.range}" + org.wso2.carbon.identity.auth.service.*;version="${org.wso2.carbon.identity.auth.service.version.range}", + org.wso2.carbon.identity.organization.management.organization.user.sharing.*; + version="${org.wso2.carbon.identity.organization.management.version.range}", !org.wso2.carbon.identity.authz.service.internal, 
diff --git a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java index 17379c84..d7edef38 100644 --- a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java +++ b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java @@ -37,12 +37,19 @@ import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; import org.wso2.carbon.identity.oauth2.util.AuthzUtil; +import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService; +import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingServiceImpl; +import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation; +import org.wso2.carbon.identity.organization.management.service.OrganizationManager; +import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException; import org.wso2.carbon.user.api.AuthorizationManager; import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.util.UserCoreUtil; +import java.util.List; + import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_ALLOWED_SCOPES; import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_VALIDATE_SCOPE; import static org.wso2.carbon.identity.auth.service.util.Constants.VALIDATE_LEGACY_PERMISSIONS; 
@@ -104,6 +111,27 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
 } else {
 AuthenticatedUser authenticatedUser = new AuthenticatedUser(user);
 String userId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();
+ // Check whether the user is accessing a resource where the user has the access.
+ String resourceOrgId = (String) authorizationContext.getParameter("resourceOrgId");
+ if (StringUtils.isNotEmpty(resourceOrgId)) {
+ String userResidentTenantDomain = user.getTenantDomain();
+ OrganizationManager organizationManager = AuthorizationServiceHolder.getInstance().getOrganizationManager();
+ String userResidentOrgId = organizationManager.resolveOrganizationId(userResidentTenantDomain);
+ OrganizationUserSharingService organizationUserSharingService = new OrganizationUserSharingServiceImpl();
+ List sharedAssociations = organizationUserSharingService.
+ getUserAssociationsOfGivenUser(userId, userResidentOrgId);
+ for (UserAssociation userAssociation : sharedAssociations) {
+ if (resourceOrgId.equals(userAssociation.getOrganizationId())) {
+ String sharedUserTenantDomain = organizationManager.resolveTenantDomain(
+ userAssociation.getOrganizationId());
+// authenticatedUser.setTenantDomain(sharedUserTenantDomain);
+ authenticatedUser.setAccessingOrganization(userAssociation.getOrganizationId());
+// userId = userAssociation.getUserId();
+ break;
+ }
+ }
+ }
+
 if (userId != null) {
 authenticatedUser.setUserId(userId);
 boolean isAuthorized = AuthzUtil.isUserAuthorized(authenticatedUser,
@@ -113,7 +141,7 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
 }
 }
 }
- } catch (UserStoreException | IdentityOAuth2Exception e) {
+ } catch (UserStoreException | IdentityOAuth2Exception | OrganizationManagementException e) {
 String errorMessage = "Error occurred while trying to authorize, " + e.getMessage();
 log.error(errorMessage);
 throw new AuthzServiceServerException(errorMessage, e);
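Review bot: When none of `sharedAssociations` matches `resourceOrgId`, the new block falls through silently and `authenticatedUser` never receives an accessing organization, so the organization ID the valve extracted from the `/t/{tenant}/o/{orgId}/` URL plays no part in the `AuthzUtil.isUserAuthorized` call that follows; whether that call then evaluates the request against the user's resident tenant cannot be seen from this hunk, so either short-circuit with the handler's deny result when an organization resource is requested but no association exists, or state in the comment that this fallback is intended. `sharedUserTenantDomain` is only referenced from the two commented-out lines, so the `resolveTenantDomain` lookup is dead work on every match — drop it together with the `//` lines, or leave a `// TODO` saying what is still pending. `OrganizationUserSharingServiceImpl` is instantiated with `new` while `OrganizationManager` is resolved through `AuthorizationServiceHolder`; if the sharing service is registered in OSGi, resolving both the same way would keep the lifecycle consistent and avoid a compile-time dependency on the implementation class. The comment `// Check whether the user is accessing a resource where the user has the access.` would read better as `// Tenant-perspective request: only mark the target organization as accessible if the user is shared into it.` handleAuthorization begins before and continues after this hunk.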
diff --git a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceComponent.java b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceComponent.java index d88b3dcc..9eb80762 100644 --- a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceComponent.java +++ b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceComponent.java @@ -24,6 +24,7 @@ import org.wso2.carbon.identity.authz.service.handler.AuthorizationHandler; import org.wso2.carbon.identity.authz.service.handler.ResourceHandler; import org.wso2.carbon.identity.core.handler.HandlerComparator; +import org.wso2.carbon.identity.organization.management.service.OrganizationManager; import org.wso2.carbon.user.core.service.RealmService; import java.util.Collections; import java.util.List; @@ -115,5 +116,24 @@ protected void setResourceHandler(ResourceHandler resourceHandler) { protected void unsetResourceHandler(ResourceHandler resourceHandler) { setResourceHandler(null); } + + @Reference( + name = "organization.service", + service = OrganizationManager.class, + cardinality = ReferenceCardinality.MANDATORY, + policy = ReferencePolicy.DYNAMIC, + unbind = "unsetOrganizationManager" + ) + protected void setOrganizationManager(OrganizationManager organizationManager) { + + log.debug("Setting the organization management service."); + AuthorizationServiceHolder.getInstance().setOrganizationManager(organizationManager); + } + + protected void unsetOrganizationManager(OrganizationManager organizationManager) { + + log.debug("Unset organization management service."); + AuthorizationServiceHolder.getInstance().setOrganizationManager(null); + } } 
diff --git a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceHolder.java b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceHolder.java index 37aac741..9e4acd2d 100644 --- a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceHolder.java +++ b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/internal/AuthorizationServiceHolder.java @@ -20,6 +20,7 @@ import org.wso2.carbon.identity.authz.service.handler.AuthorizationHandler; import org.wso2.carbon.identity.authz.service.handler.ResourceHandler; +import org.wso2.carbon.identity.organization.management.service.OrganizationManager; import org.wso2.carbon.user.core.service.RealmService; import java.util.ArrayList; @@ -37,6 +38,7 @@ public class AuthorizationServiceHolder { private List resourceHandlerList = new ArrayList<>(); private RealmService realmService = null; + private OrganizationManager organizationManager; private AuthorizationServiceHolder() { @@ -61,4 +63,15 @@ public List getAuthorizationHandlerList() { public List getResourceHandlerList() { return resourceHandlerList; } + + public OrganizationManager getOrganizationManager() { + + return organizationManager; + } + + public void setOrganizationManager( + OrganizationManager organizationManager) { + + this.organizationManager = organizationManager; + } } diff --git a/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java b/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java index e30f3cfc..e4a50365 100644 
--- a/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java +++ b/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java @@ -122,6 +122,13 @@ public void invoke(Request request, Response response) throws IOException, Servl authorizationContext.addParameter(OAUTH2_VALIDATE_SCOPE, authenticationContext.getParameter(OAUTH2_VALIDATE_SCOPE)); authorizationContext.addParameter(VALIDATE_LEGACY_PERMISSIONS, authenticationContext.getParameter(VALIDATE_LEGACY_PERMISSIONS)); + Pattern patternTenantPerspective = Pattern.compile("^/t/[^/]+/o/[a-f0-9\\-]+?"); + if (patternTenantPerspective.matcher(requestURI).find()) { + int startIndex = requestURI.indexOf("/o/") + 3; + int endIndex = requestURI.indexOf("/", startIndex); + String resourceOrgId = requestURI.substring(startIndex, endIndex); + authorizationContext.addParameter("resourceOrgId", resourceOrgId); + } String tenantDomainFromURLMapping = Utils.getTenantDomainFromURLMapping(request); authorizationContext.setTenantDomainFromURLMapping(tenantDomainFromURLMapping); diff --git a/pom.xml b/pom.xml index 18b280f8..b627dc34 100644 --- a/pom.xml +++ b/pom.xml @@ -182,6 +182,11 @@ org.wso2.carbon.identity.organization.management.service ${org.wso2.carbon.identity.organization.management.core.version} + + org.wso2.carbon.identity.organization.management + org.wso2.carbon.identity.organization.management.organization.user.sharing + ${org.wso2.carbon.identity.organization.management.version} + org.wso2.carbon.identity.event.handler.accountlock org.wso2.carbon.identity.handler.event.account.lock @@ -437,7 +442,7 @@ 7.9.0.wso2v1 [7.3.0,8.0.0) - 1.1.14 + 1.4.59 [1.0.0, 2.0.0)
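Review bot: `requestURI.indexOf("/", startIndex)` returns -1 when the URI ends right after the organization ID (e.g. `/t/carbon.super/o/<id>` with no trailing path), and `substring(startIndex, -1)` then throws `StringIndexOutOfBoundsException` out of the valve; the lazy `[a-f0-9\\-]+?` also only guarantees a single hex character, so the text that ends up as `resourceOrgId` is not actually constrained to the charset the pattern suggests. Capturing the ID with an anchored group fixes both, and `Pattern.compile` should move to a `static final` field rather than run on every request (this needs `java.util.regex.Matcher` imported). The literal `"resourceOrgId"` is read back in `AuthorizationHandler` by the same literal and belongs next to `OAUTH2_VALIDATE_SCOPE` in `Constants`. Where `requestURI` is assigned, and whether it is normalized before this point, lies outside the hunk; `invoke` begins before and continues after it.
```java
// class-level, alongside the other fields
private static final Pattern TENANT_PERSPECTIVE_ORG_PATTERN =
        Pattern.compile("^/t/[^/]+/o/([a-f0-9\\-]+)(?:/|$)");

// … unchanged: OAUTH2_VALIDATE_SCOPE / VALIDATE_LEGACY_PERMISSIONS parameters …
Matcher orgMatcher = TENANT_PERSPECTIVE_ORG_PATTERN.matcher(requestURI);
if (orgMatcher.find()) {
    authorizationContext.addParameter("resourceOrgId", orgMatcher.group(1));
}
```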