Merge pull request #245 from ThaminduR/rac-v2

Introduce Resource Access Control V2

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/AuthenticationManager.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2023, WSO2 LLC. (http://www.wso2.com).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
@@ -30,8 +30,10 @@
 import org.wso2.carbon.identity.auth.service.module.ResourceConfig;
 import org.wso2.carbon.identity.auth.service.module.ResourceConfigKey;
 import org.wso2.carbon.identity.auth.service.util.AuthConfigurationUtil;
+import org.wso2.carbon.identity.auth.service.util.Constants;
 import org.wso2.carbon.identity.core.handler.IdentityHandler;
 import org.wso2.carbon.identity.core.handler.InitConfig;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
 
 import java.util.List;
 import java.util.stream.Collectors;
@@ -154,6 +156,10 @@ private List<AuthenticationHandler> filterAuthenticationHandlers(AuthenticationC
     private boolean isHandlerAllowedForResource(List<String> allowedAuthenticationHandlersForResource,
                                                 AuthenticationHandler handler) {
 
+        if (Constants.BASIC_AUTHENTICATION.equals(handler.getName()) &&
+                !Boolean.parseBoolean(IdentityUtil.getProperty(Constants.ENABLE_BASIC_AUTH_HANDLER_CONFIG))) {
+            return false;
+        }
         return allowedAuthenticationHandlersForResource.contains(handler.getName());
     }
 

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/AuthConfigurationUtil.java

@@ -1,10 +1,12 @@
 package org.wso2.carbon.identity.auth.service.util;
 
 import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.impl.builder.StAXOMBuilder;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.http.HttpHeaders;
+import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.identity.auth.service.AuthenticationContext;
 import org.wso2.carbon.identity.auth.service.handler.AuthenticationHandler;
 import org.wso2.carbon.identity.auth.service.internal.AuthenticationServiceHolder;
@@ -13,23 +15,31 @@
 import org.wso2.carbon.identity.core.bean.context.MessageContext;
 import org.wso2.carbon.identity.core.util.IdentityConfigParser;
 import org.wso2.carbon.identity.core.util.IdentityCoreConstants;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.securevault.SecretResolver;
 import org.wso2.securevault.SecretResolverFactory;
 import org.wso2.securevault.commons.MiscellaneousUtil;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+
 import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
 
 import static org.wso2.carbon.identity.auth.service.util.Constants.AUTHORIZATION_CONTROL_ELE;
 import static org.wso2.carbon.identity.auth.service.util.Constants.AUTH_HANDLER_ELE;
@@ -78,8 +88,7 @@ public ResourceConfig getSecuredConfig(ResourceConfigKey resourceConfigKey) {
      */
     public void buildResourceAccessControlData() {
 
-        OMElement resourceAccessControl = IdentityConfigParser.getInstance().getConfigElement(Constants
-                .RESOURCE_ACCESS_CONTROL_ELE);
+        OMElement resourceAccessControl = getResourceAccessControlConfigs();
         if ( resourceAccessControl != null ) {
             defaultAccess = resourceAccessControl.getAttributeValue(new QName(Constants.RESOURCE_DEFAULT_ACCESS));
             isScopeValidationEnabled = !Boolean.parseBoolean(resourceAccessControl
@@ -162,6 +171,34 @@ public void buildResourceAccessControlData() {
         }
     }
 
+    private static OMElement getResourceAccessControlConfigs() {
+
+        /*
+        Check whether legacy authorization runtime is enabled.
+        Use the legacy resource access control configs if enabled.
+        */
+        if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+            return IdentityConfigParser.getInstance().getConfigElement(Constants
+                    .RESOURCE_ACCESS_CONTROL_ELE);
+        }
+        Path path = Paths.get(IdentityUtil.getIdentityConfigDirPath(), Constants.RESOURCE_ACCESS_CONTROL_V2_FILE);
+        if (Files.exists(path)) {
+            try (InputStream in = Files.newInputStream(path)) {
+                StAXOMBuilder builder = new StAXOMBuilder(in);
+                return builder.getDocumentElement().cloneOMElement();
+            } catch (IOException e) {
+                String message = "Error while reading Resource Access control configuration at: " + path.getFileName();
+                log.error(message);
+            } catch (XMLStreamException e) {
+                String message = "Error while parsing Resource Access control configuration at: " + path.getFileName();
+                log.error(message);
+            }
+        } else {
+            log.error("Resource Access control configuration not found at: " + path.getFileName());
+        }
+        return null;
+    }
+
     public List<String> buildAllowedAuthenticationHandlers(String allowedAuthenticationHandlers) {
 
         List<String> allowedAuthHandlersList = new ArrayList<>();

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/Constants.java

@@ -52,4 +52,7 @@ public class Constants {
     public final static String AUTH_HANDLER_ELE = "authHandler";
     public final static String ENDPOINT_LIST_ELE = "endpoints";
     public static final String ENGAGED_AUTH_HANDLER = "engagedAuthHandler";
+    public static final String BASIC_AUTHENTICATION = "BasicAuthentication";
+    public static final String ENABLE_BASIC_AUTH_HANDLER_CONFIG = "EnableBasicAuthHandler";
+    public static final String RESOURCE_ACCESS_CONTROL_V2_FILE = "resource-access-control-v2.xml";
 }

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2023, WSO2 LLC. (http://www.wso2.com).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
@@ -15,6 +15,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
+
 package org.wso2.carbon.identity.authz.service.handler;
 
 import org.apache.commons.collections.CollectionUtils;
@@ -23,6 +24,8 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.CarbonConstants;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.common.model.User;
 import org.wso2.carbon.identity.authz.service.AuthorizationContext;
 import org.wso2.carbon.identity.authz.service.AuthorizationResult;
@@ -32,6 +35,8 @@
 import org.wso2.carbon.identity.core.handler.AbstractIdentityHandler;
 import org.wso2.carbon.identity.core.handler.InitConfig;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
 import org.wso2.carbon.user.api.AuthorizationManager;
 import org.wso2.carbon.user.api.UserRealm;
 import org.wso2.carbon.user.api.UserStoreException;
@@ -75,10 +80,23 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
             // If the scopes are configured for the API, it gets the first priority
             if (isScopeValidationRequired(authorizationContext, validateScope)) {
                 validateScopes(authorizationContext, authorizationResult, allowedScopes);
-            } else if (StringUtils.isNotBlank(permissionString) || authorizationContext.getRequiredScopes().size() == 0) {
-                validatePermissions(authorizationResult, user, permissionString, tenantUserRealm);
+            } else if (CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME) {
+                if (StringUtils.isNotBlank(permissionString) || authorizationContext.getRequiredScopes().size() == 0) {
+                    validatePermissions(authorizationResult, user, permissionString, tenantUserRealm);
+                }
+            } else {
+                AuthenticatedUser authenticatedUser = new AuthenticatedUser(user);
+                String userId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();
+                if (userId != null) {
+                    authenticatedUser.setUserId(userId);
+                    boolean isAuthorized = AuthzUtil.isUserAuthorized(authenticatedUser,
+                            authorizationContext.getRequiredScopes());
+                    if (isAuthorized) {
+                        authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
+                    }
+                }
             }
-        } catch (UserStoreException e) {
+        } catch (UserStoreException | IdentityOAuth2Exception e) {
             String errorMessage = "Error occurred while trying to authorize, " + e.getMessage();
             log.error(errorMessage);
             throw new AuthzServiceServerException(errorMessage, e);

pom.xml

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-  ~ Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~ Copyright (c) 2015-2023, WSO2 LLC. (http://www.wso2.com).
   ~
-  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ WSO2 LLC. licenses this file to you under the Apache License,
   ~ Version 2.0 (the "License"); you may not use this file except
   ~ in compliance with the License.
   ~ You may obtain a copy of the License at
@@ -348,7 +348,7 @@
         <identity.framework.version>5.25.393</identity.framework.version>
         <carbon.identity.package.import.version.range>[5.17.8, 7.0.0)</carbon.identity.package.import.version.range>
 
-        <org.wso2.carbon.identity.oauth.version>6.11.128</org.wso2.carbon.identity.oauth.version>
+        <org.wso2.carbon.identity.oauth.version>6.11.168</org.wso2.carbon.identity.oauth.version>
         <org.wso2.carbon.identity.oauth.import.version.range>[6.2.18, 7.0.0)
         </org.wso2.carbon.identity.oauth.import.version.range>
 
@@ -367,7 +367,7 @@
         <osgi.util.tracker.imp.pkg.version.range>[1.5.1, 2.0.0)</osgi.util.tracker.imp.pkg.version.range>
 
         <!-- Carbon Kernel version -->
-        <carbon.kernel.version>4.9.10</carbon.kernel.version>
+        <carbon.kernel.version>4.9.15</carbon.kernel.version>
         <carbon.kernel.feature.version>4.9.0</carbon.kernel.feature.version>
         <carbon.kernel.imp.pkg.version.range>[4.5.0, 5.0.0)</carbon.kernel.imp.pkg.version.range>