From 35679f6e19735540d4ed0955dc2b6e5e34caac64 Mon Sep 17 00:00:00 2001
From: sadilchamishka
Date: Thu, 18 Aug 2022 08:59:59 +0530
Subject: [PATCH] Improve authorization logic considering accessed organization resource

---
 .../constant/AuthorizationConstants.java | 5 ++++
 .../OrganizationManagementAuthzHandler.java | 30 +++++++++++++++----
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/constant/AuthorizationConstants.java b/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/constant/AuthorizationConstants.java
index 2f05be275..414bbf2f4 100644
--- a/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/constant/AuthorizationConstants.java
+++ b/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/constant/AuthorizationConstants.java
@@ -26,4 +26,9 @@ public class AuthorizationConstants {
     public static final String PERMISSION_SPLITTER = "/";
     public static final String RESOURCE_PERMISSION_NONE = "none";
     public static final String SUPER = "Super";
+
+    public static final String URI_SPLITTER = "/";
+    public static final String ORGANIZATION_RESOURCE = "organizations";
+    public static final String REGEX_FOR_URLS_WITH_ORG_ID =
+            "^(.)*(/api/server/v1/organizations/)[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(.)*$";
 }
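Review bot: REGEX_FOR_URLS_WITH_ORG_ID does not pin the id to a path segment — `[a-z0-9]{12}(.)*$` also accepts `/organizations/<uuid>junk` — and its lowercase-only class means an id written in uppercase (if the organization API resolves ids case-insensitively, which is not visible from here) fails the regex, so the handler falls back to authorizing against the organization associated with the tenant domain rather than the organization actually addressed. The `(.)` capturing groups add backtracking bookkeeping for nothing. Suggest `"^.*/api/server/v1/organizations/[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(/.*)?$"` so the id must end at a `/` or the end of the path, with a comment `// Must agree with how the organization API resolves ids (case, charset); a non-match falls back to tenant-domain authz.`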
diff --git a/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/handler/OrganizationManagementAuthzHandler.java b/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/handler/OrganizationManagementAuthzHandler.java
index ead04ea3a..371e29535 100644
--- a/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/handler/OrganizationManagementAuthzHandler.java
+++ b/components/org.wso2.carbon.identity.organization.management.authz.service/src/main/java/org/wso2/carbon/identity/organization/management/authz/service/handler/OrganizationManagementAuthzHandler.java
@@ -41,9 +41,15 @@
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
+import java.util.Arrays;
+import java.util.regex.Pattern;
+
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_ALLOWED_SCOPES;
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_VALIDATE_SCOPE;
+import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.ORGANIZATION_RESOURCE;
+import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.REGEX_FOR_URLS_WITH_ORG_ID;
 import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.RESOURCE_PERMISSION_NONE;
+import static org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants.URI_SPLITTER;
 import static org.wso2.carbon.identity.organization.management.authz.service.util.OrganizationManagementAuthzUtil.getUserStoreManager;
 
 /**
@@ -63,9 +69,13 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
         AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
         User user = authorizationContext.getUser();
 
-        String tenantDomainFromURL = authorizationContext.getTenantDomainFromURLMapping();
-        // Resolve associated org UUID.
-        String tenantOrgUUIDOfURLDomain = resolveAssociatedOrgUUIDForDomainInURL(tenantDomainFromURL);
+        String requestUri = ((OrganizationManagementAuthorizationContext) authorizationContext).getRequestUri();
+        String organizationId = extractOrganizationId(requestUri);
+        if (organizationId == null) {
+            String tenantDomainFromURL = authorizationContext.getTenantDomainFromURLMapping();
+            // Resolve associated org UUID.
+            organizationId = resolveAssociatedOrgUUIDForDomainInURL(tenantDomainFromURL);
+        }
 
         String permissionString = authorizationContext.getPermissionString();
         String[] allowedScopes = authorizationContext.getParameter(OAUTH2_ALLOWED_SCOPES) == null ? null :
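Review bot: The unchecked cast `(OrganizationManagementAuthorizationContext) authorizationContext` on the first added line throws ClassCastException if this handler is ever invoked with a plain AuthorizationContext, which the replaced code handled through the base type; whether the framework guarantees the subtype here is not visible from the hunk. An instanceof guard preserves the old path for other contexts: `String organizationId = authorizationContext instanceof OrganizationManagementAuthorizationContext ? extractOrganizationId(((OrganizationManagementAuthorizationContext) authorizationContext).getRequestUri()) : null;`. Since the security-relevant decision here is which organization the permission is evaluated against, the fallback deserves a why-comment such as `// Authorize against the organization named in the request path; only fall back to the tenant's organization when the path names none.` handleAuthorization begins and ends outside this hunk.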
@@ -73,13 +83,13 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
         boolean validateScope = authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPE) == null ? false :
                 (Boolean) authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPE);
 
-        if (StringUtils.isNotBlank(tenantOrgUUIDOfURLDomain)) {
+        if (StringUtils.isNotBlank(organizationId)) {
             try {
                 // If the scopes are configured for the API, it gets the first priority.
                 if (isScopeValidationRequired(validateScope, authorizationContext)) {
                     validateScopes(allowedScopes, authorizationContext, authorizationResult);
                 } else if (StringUtils.isNotBlank(permissionString)) {
-                    validatePermissions(tenantOrgUUIDOfURLDomain, permissionString, user, authorizationResult);
+                    validatePermissions(organizationId, permissionString, user, authorizationResult);
                 }
             } catch (OrganizationManagementAuthzServiceServerException e) {
                 String errorMessage = "Error occurred while evaluating authorization of user for organization " +
@@ -179,4 +189,14 @@ private void validateScopes(String[] tokenScopes, AuthorizationContext authoriza
             }
         }
     }
+
+    private String extractOrganizationId(String requestPath) {
+
+        if (Pattern.matches(REGEX_FOR_URLS_WITH_ORG_ID, requestPath)) {
+            String[] requestUriParts = requestPath.split(URI_SPLITTER);
+            return Arrays.asList(requestUriParts).get((Arrays.asList(requestUriParts).indexOf(ORGANIZATION_RESOURCE))
+                    + 1);
+        }
+        return null;
+    }
 }
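Review bot: extractOrganizationId takes the segment after the first `organizations` element (`indexOf`), but the regex only guarantees that some `organizations` segment followed by a UUID exists in the path, so a path with an earlier `organizations` segment returns that segment's neighbour and the permission check runs against a string that is not the addressed organization. `Pattern.matches` also recompiles the regex on every request, and a null requestUri (whether getRequestUri can return null is not visible here) would throw NullPointerException inside the matcher. Compile the pattern once, null-check, and return the segment that actually precedes a UUID-shaped one, so a path that fails the segment check falls back to tenant-domain resolution instead of yielding a wrong id.
```java
    private static final Pattern URL_WITH_ORG_ID = Pattern.compile(REGEX_FOR_URLS_WITH_ORG_ID);
    private static final Pattern ORG_ID_SEGMENT = Pattern.compile("[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}");

    /**
     * Returns the organization id that follows the "organizations" segment of the request path,
     * or null when the path does not address a specific organization.
     */
    private String extractOrganizationId(String requestPath) {

        if (requestPath == null || !URL_WITH_ORG_ID.matcher(requestPath).matches()) {
            return null;
        }
        String[] parts = requestPath.split(URI_SPLITTER);
        for (int i = 0; i + 1 < parts.length; i++) {
            // Only the "organizations" segment that is directly followed by a UUID names the target org.
            if (ORGANIZATION_RESOURCE.equals(parts[i]) && ORG_ID_SEGMENT.matcher(parts[i + 1]).matches()) {
                return parts[i + 1];
            }
        }
        return null;
    }
```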