From 0c8328bcd3ead12c74a642269e34859943b788a4 Mon Sep 17 00:00:00 2001
From: sadilchamishka
Date: Wed, 15 Nov 2023 06:35:35 +0530
Subject: [PATCH 1/3] Improve the post authentication handler to set the correct username in the carbon context for organization SSO users
---
 .../pom.xml | 3 ++
 .../handler/AuthenticationHandler.java | 48 ++++++++++++++++---
 2 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/components/org.wso2.carbon.identity.auth.service/pom.xml b/components/org.wso2.carbon.identity.auth.service/pom.xml
index 26c74516..af491e77 100644
--- a/components/org.wso2.carbon.identity.auth.service/pom.xml
+++ b/components/org.wso2.carbon.identity.auth.service/pom.xml
@@ -187,6 +187,9 @@
 org.osgi.util.tracker; version="${osgi.util.tracker.imp.pkg.version.range}",
 org.wso2.carbon.core.*; version="${carbon.kernel.imp.pkg.version.range}",
 org.wso2.carbon.user.core.util; version="${carbon.kernel.imp.pkg.version.range}",
+ org.wso2.carbon.user.core.common; version="${carbon.kernel.imp.pkg.version.range}",
+ org.wso2.carbon.user.core.service; version="${carbon.kernel.imp.pkg.version.range}",
+ org.wso2.carbon.user.api; version="${carbon.user.api.imp.pkg.version.range}",
 org.wso2.carbon.utils.*; version="${carbon.kernel.imp.pkg.version.range}",
 org.wso2.carbon.identity.application.common.model.*; version="${carbon.identity.package.import.version.range}"
diff --git a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
index f9d7407d..6c0b1035 100644
--- a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
+++ b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
@@ -31,9 +31,15 @@
 import org.wso2.carbon.identity.auth.service.exception.AuthClientException;
 import org.wso2.carbon.identity.auth.service.exception.AuthServerException;
 import org.wso2.carbon.identity.auth.service.exception.AuthenticationFailException;
+import org.wso2.carbon.identity.auth.service.internal.AuthenticationServiceHolder;
 import org.wso2.carbon.identity.core.bean.context.MessageContext;
 import org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.user.api.UserRealm;
+import org.wso2.carbon.user.api.UserStoreException;
+import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
+import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.user.core.util.UserCoreUtil;
 import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
@@ -112,14 +118,11 @@ protected void postAuthenticate(MessageContext messageContext, AuthenticationRes
 }
 if (user.getTenantDomain() != null && (user.getTenantDomain()
- .equalsIgnoreCase(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain()) ||
- StringUtils.isNotEmpty(authorizedOrganization))) {
+ .equalsIgnoreCase(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain()))) {
 PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(IdentityUtil.addDomainToName
 (user.getUserName(), user.getUserStoreDomain()));
- // Set the user's resident organization if user is accessing an organization
- PrivilegedCarbonContext.getThreadLocalCarbonContext()
- .setUserResidentOrganizationId(userResidentOrganization);
 }
+ // Set the user id to the Carbon context if the user authentication is succeeded.
 try {
 AuthenticatedUser authenticatedUser;
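Review bot: Removing `StringUtils.isNotEmpty(authorizedOrganization)` from the condition means a user whose tenant domain differs from the thread-local tenant but who is authorized for an organization no longer has `setUsername(...)` called here, and the replacement in the following hunk (`updateUserNameInContextForOrganizationSsoUsers`) runs only when `isFederatedUser()` is true. If a non-federated user can reach this path with an authorized organization, the carbon context keeps whatever username it already held, presumably unset, while the user id is still populated below. Either cover that case explicitly or state the intent with a comment such as `// Organization users get their username after the user id is set, see updateUserNameInContextForOrganizationSsoUsers.`. postAuthenticate starts before this hunk and continues past it.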
@@ -130,16 +133,47 @@ protected void postAuthenticate(MessageContext messageContext, AuthenticationRes
 String userName = MultitenantUtils.getTenantAwareUsername(authenticatedUser.getUserName());
 userName = UserCoreUtil.removeDomainFromName(userName);
 PrivilegedCarbonContext.getThreadLocalCarbonContext().setUserId(userName);
- return;
+ } else {
+ PrivilegedCarbonContext.getThreadLocalCarbonContext()
+ .setUserId(authenticatedUser.getUserId());
 }
 } else {
 authenticatedUser = new AuthenticatedUser(user);
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().setUserId(authenticatedUser.getUserId());
 }
- PrivilegedCarbonContext.getThreadLocalCarbonContext().setUserId(authenticatedUser.getUserId());
 } catch (UserIdNotFoundException e) {
 LOG.error("User id not found for user: " + user.getLoggableMaskedUserId());
 }
+
+ if (StringUtils.isNotEmpty(authorizedOrganization)) {
+ // Set the user's resident organization if user is accessing an organization
+ PrivilegedCarbonContext.getThreadLocalCarbonContext()
+ .setUserResidentOrganizationId(userResidentOrganization);
+ if (((AuthenticatedUser) user).isFederatedUser()) {
+ updateUserNameInContextForOrganizationSsoUsers(userResidentOrganization);
+ }
+ }
+ }
+ }
+ }
+
+ private void updateUserNameInContextForOrganizationSsoUsers(String userResidentOrganization) {
+
+ try {
+ String tenantDomain = AuthenticationServiceHolder.getInstance().getOrganizationManager()
+ .resolveTenantDomain(userResidentOrganization);
+ int tenantId = AuthenticationServiceHolder.getInstance().getRealmService().getTenantManager()
+ .getTenantId(tenantDomain);
+ RealmService realmService = AuthenticationServiceHolder.getInstance().getRealmService();
+ UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId);
+ if (tenantUserRealm != null) {
+ String userId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();
+ org.wso2.carbon.user.core.common.User user =
+ ((AbstractUserStoreManager) 
tenantUserRealm.getUserStoreManager()).getUser(userId, null);
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(user.getUsername());
 }
+ } catch (OrganizationManagementException | UserStoreException e) {
+ LOG.debug("Authenticated user's username could not be resolved.", e);
 }
 }
 }
From 3e6fe12498a30cabfe0fb63e6f5a8289fe773a84 Mon Sep 17 00:00:00 2001
From: sadilchamishka
Date: Wed, 15 Nov 2023 06:59:24 +0530
Subject: [PATCH 2/3] Add null check
---
 .../identity/auth/service/handler/AuthenticationHandler.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
index 6c0b1035..aa42b3ca 100644
--- a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
+++ b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
@@ -170,7 +170,9 @@ private void updateUserNameInContextForOrganizationSsoUsers(String userResidentO
 String userId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();
 org.wso2.carbon.user.core.common.User user =
 ((AbstractUserStoreManager) tenantUserRealm.getUserStoreManager()).getUser(userId, null);
- PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(user.getUsername());
+ if (user != null && StringUtils.isNotEmpty(user.getUsername())) {
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(user.getUsername());
+ }
 }
 } catch (OrganizationManagementException | UserStoreException e) {
 LOG.debug("Authenticated user's username could not be resolved.", e);
From d8ff9bb9bfd3538d73e4a5d435a2e0f135c8c52f Mon Sep 17 00:00:00 2001
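Review bot: `((AuthenticatedUser) user).isFederatedUser()` casts `user` unconditionally, yet the `else` branch a few lines above (`authenticatedUser = new AuthenticatedUser(user)`) only makes sense if `user` is not always an AuthenticatedUser; for a plain User with a non-empty `authorizedOrganization` this throws ClassCastException after the try/catch, aborting the request with an unhandled error instead of a controlled authentication failure. Guard the cast: `if (user instanceof AuthenticatedUser && ((AuthenticatedUser) user).isFederatedUser()) {`. In the new helper the user id is read back from the carbon context rather than passed in, so if the `UserIdNotFoundException` branch was taken the lookup runs with whatever id the context already holds; passing `authenticatedUser.getUserId()` as a second parameter would make that dependency explicit. postAuthenticate starts outside the hunk.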
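Review bot: The new null check silently skips `setUsername(...)` when the user id in the carbon context does not resolve in the organization tenant's user store, so the context is left with a user id but no matching username and nothing records why. Add an `else` branch that logs the condition without the raw id, in the masked style the file already uses for the `UserIdNotFoundException` case, e.g. `LOG.debug("Authenticated user not found in the organization tenant user store.");`, and a comment saying the username is intentionally left untouched if that is the intent. The enclosing try block and the helper's signature start outside the hunk.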
From: sadilchamishka
Date: Wed, 15 Nov 2023 15:11:05 +0530
Subject: [PATCH 3/3] Address review comments
---
 .../identity/auth/service/handler/AuthenticationHandler.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
index aa42b3ca..95422587 100644
--- a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
+++ b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
@@ -175,7 +175,7 @@ private void updateUserNameInContextForOrganizationSsoUsers(String userResidentO
 }
 }
 } catch (OrganizationManagementException | UserStoreException e) {
- LOG.debug("Authenticated user's username could not be resolved.", e);
+ LOG.error("Authenticated user's username could not be resolved.", e);
 }
 }
 }
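Review bot: Raising the level to `LOG.error` is right, but the failure is still swallowed: when tenant resolution or the realm lookup throws, postAuthenticate proceeds with the user id already set and the username unresolved for the organization, so downstream components reading `getUsername()` from the carbon context operate on an inconsistent principal. Resolving the authenticated identity is a fail-closed concern; if postAuthenticate's signature permits it, rethrow as `AuthServerException` (already imported in this file) instead of only logging, or document in a comment why continuing without a resolved username is acceptable. Including `userResidentOrganization` in the message would also help operators correlate the error. The catch belongs to updateUserNameInContextForOrganizationSsoUsers, whose start is outside this hunk.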