Remove obsole code blocks and support organization qualified URLs

wso2-extensions · Jul 1, 2024 · da826f3 · da826f3
1 parent e42c59c
commit da826f3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 50 deletions.
diff --git a/...ty.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java b/...ty.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2023, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2016-2024, WSO2 LLC. (http://www.wso2.com).
  *
  * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
@@ -85,40 +85,6 @@ public void invoke(Request request, Response response) throws IOException, Servl
             }
 
             String requestURI = request.getRequestURI();
-            String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
-            // The below check on organization qualified resource access should be removed.
-            if (!StringUtils.equals(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, tenantDomain) &&
-                    requestURI.startsWith(ORGANIZATION_PATH_PARAM) &&
-                    org.wso2.carbon.identity.organization.management.service.util.Utils.useOrganizationRolesForValidation(
-                            PrivilegedCarbonContext.getThreadLocalCarbonContext().getOrganizationId())) {
-                /*
-                If the request is authenticated using an oauth2 access token and scope validation is required,
-                the token obtained tenant domain should be equal to the accessed resource's tenant domain.
-                 */
-                Object scopeValidationEnabled = authenticationContext.getParameter(OAUTH2_VALIDATE_SCOPE);
-                if (scopeValidationEnabled != null && Boolean.parseBoolean(scopeValidationEnabled.toString())) {
-                    if (!Utils.isUserAuthorizedForOrganization(authenticationContext, request)) {
-                        if (log.isDebugEnabled()) {
-                            log.debug("Authorization to " + request.getRequestURI() +
-                                    " is denied because the used access token issued from a different tenant domain: " +
-                                    authenticationContext.getUser().getTenantDomain());
-                        }
-                        APIErrorResponseHandler.handleErrorResponse(authenticationContext, response,
-                                HttpServletResponse.SC_UNAUTHORIZED, null);
-                        return;
-                    }
-                }
-                AuthorizationResult authorizationResult =
-                        authorizeInOrganizationLevel(request, response, authenticationContext, resourceConfig);
-                /*
-                If the user authorized from organization level permissions, grant access and execute next valve.
-                 */
-                if (AuthorizationStatus.GRANT.equals(authorizationResult.getAuthorizationStatus())) {
-                    getNext().invoke(request, response);
-                    return;
-                }
-            }
-            // If user didn't authorized via org level authz model, fallback to old authz model.
             if (!isRequestValidForTenant(authenticationContext, authorizationContext, request)) {
                 /*
                 Forbidden the /o/<org-id> path requests if the org level authz failed and

diff --git a/...n.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/util/Utils.java b/...n.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/util/Utils.java
@@ -1,8 +1,8 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2024, WSO2 LLC. (http://www.wso2.com).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
- *  Version 2.0 (the "License"); you may not use this file except
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
  *
@@ -88,20 +88,15 @@ public static boolean isUserBelongsToRequestedTenant(AuthenticationContext authe
                     Constants.AUTH_CONTEXT_OAUTH_APP_PROPERTY);
             tenantDomain = OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
         }
-        return tenantDomainFromURLMapping.equals(tenantDomain);
-    }
-
-    public static boolean isUserAuthorizedForOrganization(AuthenticationContext authenticationContext, Request request) {
-
-        User user = authenticationContext.getUser();
-        if (user == null) {
-            return false;
+        if (tenantDomainFromURLMapping.equals(tenantDomain)) {
+            return true;
         }
-        String authorizedOrganization = ((AuthenticatedUser) user).getAccessingOrganization();
-        if (StringUtils.isNotEmpty(authorizedOrganization)) {
-            return getOrganizationIdFromURLMapping(request).equals(authorizedOrganization);
+        // Check request with organization qualified URL is allowed to access.
+        String organizationID = getOrganizationIdFromURLMapping(request);
+        if (user != null) {
+            return StringUtils.equals(organizationID, ((AuthenticatedUser) user).getAccessingOrganization());
         }
-        return isUserBelongsToRequestedTenant(authenticationContext, request);
+        return false;
     }
 
     /**