
Improve authorization when accessing the organization resources from …
…tenant perspective
ShanChathusanda93 committed Dec 17, 2024
1 parent 9eb3d13 commit fe1260b
Showing 6 changed files with 82 additions and 3 deletions.
12 changes: 11 additions & 1 deletion components/org.wso2.carbon.identity.authz.service/pom.xml
Expand Up @@ -58,6 +58,14 @@
<groupId>org.wso2.carbon.identity.auth.rest</groupId>
<artifactId>org.wso2.carbon.identity.auth.service</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.organization.management</groupId>
<artifactId>org.wso2.carbon.identity.organization.management.organization.user.sharing</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.organization.management.core</groupId>
<artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
</dependency>
<dependency>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
Expand Down Expand Up @@ -94,7 +102,9 @@
org.wso2.carbon.identity.core.*; version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.oauth2.*;
version="${org.wso2.carbon.identity.oauth.import.version.range}",
org.wso2.carbon.identity.auth.service.*;version="${org.wso2.carbon.identity.auth.service.version.range}"
org.wso2.carbon.identity.auth.service.*;version="${org.wso2.carbon.identity.auth.service.version.range}",
org.wso2.carbon.identity.organization.management.organization.user.sharing.*;
version="${org.wso2.carbon.identity.organization.management.version.range}",
</Import-Package>
<Export-Package>
!org.wso2.carbon.identity.authz.service.internal,
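Review bot: The Import-Package addition at the end of the second hunk covers only `org.wso2.carbon.identity.organization.management.organization.user.sharing.*`, while the handler in this same bundle now also imports `OrganizationManager` and `OrganizationManagementException` from `org.wso2.carbon.identity.organization.management.service`, a dependency this pom only gains in the first hunk. Unless an earlier entry of the Import-Package list (not shown here) already covers that package, the bundle will not resolve those classes at runtime. If it is missing, add `org.wso2.carbon.identity.organization.management.service.*;` with the appropriate version range next to the new entry.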
Expand Up @@ -37,12 +37,19 @@
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingServiceImpl;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation;
import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;

import java.util.List;

import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_ALLOWED_SCOPES;
import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_VALIDATE_SCOPE;
import static org.wso2.carbon.identity.auth.service.util.Constants.VALIDATE_LEGACY_PERMISSIONS;
Expand Down Expand Up @@ -104,6 +111,23 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
} else {
AuthenticatedUser authenticatedUser = new AuthenticatedUser(user);
String userId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();
// Check whether the user is accessing a resource where the user has the access.
String resourceOrgId = (String) authorizationContext.getParameter("resourceOrgId");
if (StringUtils.isNotEmpty(resourceOrgId)) {
String userResidentTenantDomain = user.getTenantDomain();
OrganizationManager organizationManager = AuthorizationServiceHolder.getInstance().getOrganizationManager();
String userResidentOrgId = organizationManager.resolveOrganizationId(userResidentTenantDomain);
OrganizationUserSharingService organizationUserSharingService = new OrganizationUserSharingServiceImpl();
List<UserAssociation> sharedAssociations = organizationUserSharingService.
getUserAssociationsOfGivenUser(userId, userResidentOrgId);
for (UserAssociation userAssociation : sharedAssociations) {
if (resourceOrgId.equals(userAssociation.getOrganizationId())) {
authenticatedUser.setAccessingOrganization(userAssociation.getOrganizationId());
break;
}
}
}

if (userId != null) {
authenticatedUser.setUserId(userId);
boolean isAuthorized = AuthzUtil.isUserAuthorized(authenticatedUser,
Expand All @@ -113,7 +137,7 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
}
}
}
} catch (UserStoreException | IdentityOAuth2Exception e) {
} catch (UserStoreException | IdentityOAuth2Exception | OrganizationManagementException e) {
String errorMessage = "Error occurred while trying to authorize, " + e.getMessage();
log.error(errorMessage);
throw new AuthzServiceServerException(errorMessage, e);
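Review bot: The new association lookup `getUserAssociationsOfGivenUser(userId, userResidentOrgId)` runs before the existing `if (userId != null)` guard, so a request whose user id cannot be resolved reaches the sharing service with a null id; the whole `resourceOrgId` block should move inside that guard. When `resourceOrgId` is set but no association matches, the loop falls through without setting an accessing organization and authorization continues in the user's resident context — confirm that `AuthzUtil.isUserAuthorized` denies in that case rather than evaluating resident-organization roles against a sub-organization resource, and add a debug log there so a denied cross-organization access is traceable. `new OrganizationUserSharingServiceImpl()` is constructed on every request while `OrganizationManager` comes from the service holder; obtaining the sharing service the same way would keep the handler consistent and mockable, and the holder's `getOrganizationManager()` result should be null-checked before `resolveOrganizationId` since the reference is bound dynamically. The literal `"resourceOrgId"` is shared with the valve and belongs in `Constants` next to `OAUTH2_VALIDATE_SCOPE`. handleAuthorization starts and ends outside the hunk.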
Expand Up @@ -24,6 +24,7 @@
import org.wso2.carbon.identity.authz.service.handler.AuthorizationHandler;
import org.wso2.carbon.identity.authz.service.handler.ResourceHandler;
import org.wso2.carbon.identity.core.handler.HandlerComparator;
import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
import org.wso2.carbon.user.core.service.RealmService;
import java.util.Collections;
import java.util.List;
Expand Down Expand Up @@ -115,5 +116,24 @@ protected void setResourceHandler(ResourceHandler resourceHandler) {
protected void unsetResourceHandler(ResourceHandler resourceHandler) {
setResourceHandler(null);
}

@Reference(
name = "organization.service",
service = OrganizationManager.class,
cardinality = ReferenceCardinality.MANDATORY,
policy = ReferencePolicy.DYNAMIC,
unbind = "unsetOrganizationManager"
)
protected void setOrganizationManager(OrganizationManager organizationManager) {

log.debug("Setting the organization management service.");
AuthorizationServiceHolder.getInstance().setOrganizationManager(organizationManager);
}

protected void unsetOrganizationManager(OrganizationManager organizationManager) {

log.debug("Unset organization management service.");
AuthorizationServiceHolder.getInstance().setOrganizationManager(null);
}
}
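Review bot: Missing Javadoc on the new `setOrganizationManager`/`unsetOrganizationManager` pair; the visible `unsetResourceHandler` above has none either, but a one-liner such as `/** Binds the OrganizationManager OSGi service into AuthorizationServiceHolder for use by AuthorizationHandler. */` would explain why the holder is involved. Because the reference is declared with `policy = ReferencePolicy.DYNAMIC`, the holder's manager is null between unbind and rebind, so consumers on request threads must tolerate a null result from the holder rather than dereferencing it directly.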

Expand Up @@ -20,6 +20,7 @@

import org.wso2.carbon.identity.authz.service.handler.AuthorizationHandler;
import org.wso2.carbon.identity.authz.service.handler.ResourceHandler;
import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
import org.wso2.carbon.user.core.service.RealmService;

import java.util.ArrayList;
Expand All @@ -37,6 +38,7 @@ public class AuthorizationServiceHolder {
private List<ResourceHandler> resourceHandlerList = new ArrayList<>();

private RealmService realmService = null;
private OrganizationManager organizationManager;

private AuthorizationServiceHolder() {

Expand All @@ -61,4 +63,15 @@ public List<AuthorizationHandler> getAuthorizationHandlerList() {
public List<ResourceHandler> getResourceHandlerList() {
return resourceHandlerList;
}

public OrganizationManager getOrganizationManager() {

return organizationManager;
}

public void setOrganizationManager(
OrganizationManager organizationManager) {

this.organizationManager = organizationManager;
}
}
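Review bot: The signature of `setOrganizationManager` is split across two lines although it fits on one; `public void setOrganizationManager(OrganizationManager organizationManager) {` would match `getOrganizationManager` directly above and the rest of the file. The new field is written by the OSGi binder and read on request threads; `realmService` already follows the same non-volatile pattern, so this is consistent with the file, but a field comment such as `// Bound/unbound by the OSGi component; may be null while the reference is rebinding.` would tell readers of the getter that null is a legitimate return value.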
Expand Up @@ -122,6 +122,13 @@ public void invoke(Request request, Response response) throws IOException, Servl
authorizationContext.addParameter(OAUTH2_VALIDATE_SCOPE, authenticationContext.getParameter(OAUTH2_VALIDATE_SCOPE));
authorizationContext.addParameter(VALIDATE_LEGACY_PERMISSIONS,
authenticationContext.getParameter(VALIDATE_LEGACY_PERMISSIONS));
Pattern patternTenantPerspective = Pattern.compile("^/t/[^/]+/o/[a-f0-9\\-]+?");
if (patternTenantPerspective.matcher(requestURI).find()) {
int startIndex = requestURI.indexOf("/o/") + 3;
int endIndex = requestURI.indexOf("/", startIndex);
String resourceOrgId = requestURI.substring(startIndex, endIndex);
authorizationContext.addParameter("resourceOrgId", resourceOrgId);
}

String tenantDomainFromURLMapping = Utils.getTenantDomainFromURLMapping(request);
authorizationContext.setTenantDomainFromURLMapping(tenantDomainFromURLMapping);
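Review bot: `requestURI.indexOf("/", startIndex)` returns -1 when the organization id is the last path segment (no trailing slash), and `substring(startIndex, -1)` then throws `StringIndexOutOfBoundsException` out of `invoke`, turning such a request into a server error. Compiling the pattern on every call is also avoidable: hoist it to a `private static final Pattern` and read the id from a capture group, which removes the manual `indexOf` arithmetic (and the mismatch of `indexOf("/o/")` when the tenant segment is itself `o`). The literal `"resourceOrgId"` is also read in AuthorizationHandler and should be a shared constant. `invoke` starts and ends outside the hunk; `java.util.regex.Matcher` needs an import if the file does not already have one.
```java
private static final Pattern TENANT_PERSPECTIVE_ORG_PATTERN =
        Pattern.compile("^/t/[^/]+/o/([a-f0-9\\-]+)");
// … unchanged: invoke() up to the VALIDATE_LEGACY_PERMISSIONS parameter …
Matcher orgMatcher = TENANT_PERSPECTIVE_ORG_PATTERN.matcher(requestURI);
if (orgMatcher.find()) {
    authorizationContext.addParameter("resourceOrgId", orgMatcher.group(1));
}
```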
7 changes: 6 additions & 1 deletion pom.xml
Expand Up @@ -182,6 +182,11 @@
<artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
<version>${org.wso2.carbon.identity.organization.management.core.version}</version>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.organization.management</groupId>
<artifactId>org.wso2.carbon.identity.organization.management.organization.user.sharing</artifactId>
<version>${org.wso2.carbon.identity.organization.management.version}</version>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.event.handler.accountlock</groupId>
<artifactId>org.wso2.carbon.identity.handler.event.account.lock</artifactId>
Expand Down Expand Up @@ -437,7 +442,7 @@
<nimbusds.version>7.9.0.wso2v1</nimbusds.version>
<nimbusds.osgi.version.range>[7.3.0,8.0.0)</nimbusds.osgi.version.range>

<org.wso2.carbon.identity.organization.management.version>1.1.14
<org.wso2.carbon.identity.organization.management.version>1.4.59
</org.wso2.carbon.identity.organization.management.version>
<org.wso2.carbon.identity.organization.management.version.range>[1.0.0, 2.0.0)
</org.wso2.carbon.identity.organization.management.version.range>
