Improve authorization logic considering accessed organization resource

wso2-extensions · Aug 18, 2022 · 35679f6 · 35679f6
1 parent 4c4a2ea
commit 35679f6
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 5 deletions.
diff --git a/...arbon/identity/organization/management/authz/service/constant/AuthorizationConstants.java b/...arbon/identity/organization/management/authz/service/constant/AuthorizationConstants.java
@@ -26,4 +26,9 @@ public class AuthorizationConstants {
     public static final String PERMISSION_SPLITTER = "/";
     public static final String RESOURCE_PERMISSION_NONE = "none";
     public static final String SUPER = "Super";
+
+    public static final String URI_SPLITTER = "/";
+    public static final String ORGANIZATION_RESOURCE = "organizations";
+    public static final String REGEX_FOR_URLS_WITH_ORG_ID =
+            "^(.)*(/api/server/v1/organizations/)[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(.)*$";
 }
diff --git a/...ity/organization/management/authz/service/handler/OrganizationManagementAuthzHandler.java b/...ity/organization/management/authz/service/handler/OrganizationManagementAuthzHandler.java
@@ -41,9 +41,15 @@
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
+import java.util.Arrays;
+import java.util.regex.Pattern;
+
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_ALLOWED_SCOPES;
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_VALIDATE_SCOPE;
+import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.ORGANIZATION_RESOURCE;
+import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.REGEX_FOR_URLS_WITH_ORG_ID;
 import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.RESOURCE_PERMISSION_NONE;
+import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.URI_SPLITTER;
 import static org.wso2.carbon.identity.organization.management.authz.service.util.OrganizationManagementAuthzUtil.getUserStoreManager;
 
 /**
@@ -63,23 +69,27 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
         AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
 
         User user = authorizationContext.getUser();
-        String tenantDomainFromURL = authorizationContext.getTenantDomainFromURLMapping();
-        // Resolve associated org UUID.
-        String tenantOrgUUIDOfURLDomain = resolveAssociatedOrgUUIDForDomainInURL(tenantDomainFromURL);
+        String requestUri = ((OrganizationManagementAuthorizationContext) authorizationContext).getRequestUri();
+        String organizationId = extractOrganizationId(requestUri);
+        if (organizationId == null) {
+            String tenantDomainFromURL = authorizationContext.getTenantDomainFromURLMapping();
+            // Resolve associated org UUID.
+            organizationId = resolveAssociatedOrgUUIDForDomainInURL(tenantDomainFromURL);
+        }
 
         String permissionString = authorizationContext.getPermissionString();
         String[] allowedScopes = authorizationContext.getParameter(OAUTH2_ALLOWED_SCOPES) == null ? null :
                 (String[]) authorizationContext.getParameter(OAUTH2_ALLOWED_SCOPES);
         boolean validateScope = authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPE) == null ? false :
                 (Boolean) authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPE);
 
-        if (StringUtils.isNotBlank(tenantOrgUUIDOfURLDomain)) {
+        if (StringUtils.isNotBlank(organizationId)) {
             try {
                 // If the scopes are configured for the API, it gets the first priority.
                 if (isScopeValidationRequired(validateScope, authorizationContext)) {
                     validateScopes(allowedScopes, authorizationContext, authorizationResult);
                 } else if (StringUtils.isNotBlank(permissionString)) {
-                    validatePermissions(tenantOrgUUIDOfURLDomain, permissionString, user, authorizationResult);
+                    validatePermissions(organizationId, permissionString, user, authorizationResult);
                 }
             } catch (OrganizationManagementAuthzServiceServerException e) {
                 String errorMessage = "Error occurred while evaluating authorization of user for organization " +
@@ -179,4 +189,14 @@ private void validateScopes(String[] tokenScopes, AuthorizationContext authoriza
             }
         }
     }
+
+    private String extractOrganizationId(String requestPath) {
+
+        if (Pattern.matches(REGEX_FOR_URLS_WITH_ORG_ID, requestPath)) {
+            String[] requestUriParts = requestPath.split(URI_SPLITTER);
+            return Arrays.asList(requestUriParts).get((Arrays.asList(requestUriParts).indexOf(ORGANIZATION_RESOURCE))
+                    + 1);
+        }
+        return null;
+    }
 }