Improve scope validator to resolve the shared apps when switching to organizations

Author: sadilchamishka

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/SQLQueries.java

@@ -1639,6 +1639,9 @@ public class SQLQueries {
             "INSERT INTO IDN_OAUTH2_ACCESS_TOKEN_ATTRIBUTES (TOKEN_ATTR_NAME, TOKEN_ATTR_VALUE, TOKEN_ID) " +
                     "VALUES (?, ?, ?)";
 
+    public static final String GET_SHARED_APP_ID = "SELECT SHARED_APP_ID FROM SP_SHARED_APP WHERE " +
+            "OWNER_ORG_ID = ? AND MAIN_APP_ID = ? AND SHARED_ORG_ID = ? ";
+
     private SQLQueries() {
 
     }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/SharedAppResolveDAO.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.dao;
+
+import org.wso2.carbon.identity.core.util.IdentityDatabaseUtil;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+
+import static org.wso2.carbon.identity.oauth2.dao.SQLQueries.GET_SHARED_APP_ID;
+import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_ERROR_RESOLVING_SHARED_APPLICATION;
+
+/**
+ * DAO class to resolve shared application.
+ */
+public class SharedAppResolveDAO {
+
+    public static String resolveSharedApplication(String appResideOrgId, String mainAppId, String orgId)
+            throws IdentityOAuth2Exception {
+
+        try (Connection connection = IdentityDatabaseUtil.getDBConnection(false);
+             PreparedStatement preparedStatement = connection.prepareStatement(GET_SHARED_APP_ID)) {
+            preparedStatement.setString(1, appResideOrgId);
+            preparedStatement.setString(2, mainAppId);
+            preparedStatement.setString(3, orgId);
+
+            try (ResultSet resultSet = preparedStatement.executeQuery()) {
+                if (resultSet.next()) {
+                    return resultSet.getString(1);
+                }
+                return null;
+            }
+        } catch (SQLException e) {
+            throw new IdentityOAuth2Exception(ERROR_CODE_ERROR_RESOLVING_SHARED_APPLICATION.getCode(),
+                    ERROR_CODE_ERROR_RESOLVING_SHARED_APPLICATION.getMessage(), e);
+        }
+    }
+}

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/DefaultOAuth2ScopeValidator.java

@@ -34,11 +34,13 @@
 import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
+import org.wso2.carbon.identity.oauth2.dao.SharedAppResolveDAO;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
 import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationContext;
 import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandler;
 import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -84,6 +86,11 @@ public List<String> validateScope(OAuthAuthzReqMessageContext authzReqMessageCon
         String tenantDomain = authzReqMessageContext.getAuthorizationReqDTO().getTenantDomain();
         String clientId = authzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
         String appId = getApplicationId(clientId, tenantDomain);
+        if (isAccessingChildOrganization(authzReqMessageContext.getAuthorizationReqDTO().getUser())) {
+            String orgId = authzReqMessageContext.getAuthorizationReqDTO().getUser().getAccessingOrganization();
+            String appResideOrgId = resolveOrgIdByTenantDomain(tenantDomain);
+            appId = SharedAppResolveDAO.resolveSharedApplication(appResideOrgId, appId, orgId);
+        }
         List<String> authorizedScopes = getAuthorizedScopes(requestedScopes, authzReqMessageContext
                         .getAuthorizationReqDTO().getUser(), appId, null, tenantDomain);
         removeRegisteredScopes(authzReqMessageContext);
@@ -110,6 +117,11 @@ public List<String> validateScope(OAuthTokenReqMessageContext tokenReqMessageCon
         String tenantDomain = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
         String clientId = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
         String appId = getApplicationId(clientId, tenantDomain);
+        if (isAccessingChildOrganization(tokenReqMessageContext.getAuthorizedUser())) {
+            String orgId = tokenReqMessageContext.getAuthorizedUser().getAccessingOrganization();
+            String appResideOrgId = resolveOrgIdByTenantDomain(tenantDomain);
+            appId = SharedAppResolveDAO.resolveSharedApplication(appResideOrgId, appId, orgId);
+        }
         String grantType = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
         List<String> authorizedScopes = getAuthorizedScopes(requestedScopes, tokenReqMessageContext
                         .getAuthorizedUser(), appId, grantType, tenantDomain);
@@ -387,4 +399,21 @@ private boolean isScopesEmpty(String[] scopes) {
         return ArrayUtils.isEmpty(scopes);
     }
 
+    private boolean isAccessingChildOrganization(AuthenticatedUser authenticatedUser) {
+
+        return authenticatedUser.getAccessingOrganization() != null &&
+                !authenticatedUser.getAccessingOrganization().equals(authenticatedUser.getUserResidentOrganization());
+    }
+
+    private String resolveOrgIdByTenantDomain(String tenantDomain) throws IdentityOAuth2Exception {
+
+        try {
+            return OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                    .resolveOrganizationId(tenantDomain);
+        } catch (OrganizationManagementException e) {
+            throw new IdentityOAuth2Exception("Error occured while resolving organization for tenant domain: "
+                    + tenantDomain, e);
+        }
+    }
+
 }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/validationhandler/impl/RoleBasedScopeValidationHandler.java

@@ -64,25 +64,15 @@ public List<String> validateScopes(List<String> requestedScopes, List<String> ap
             }
             String tenantDomain = scopeValidationContext.getAuthenticatedUser().getTenantDomain();
             String accessingOrganization = scopeValidationContext.getAuthenticatedUser().getAccessingOrganization();
-            String userResidentOrganization = scopeValidationContext.getAuthenticatedUser()
-                    .getUserResidentOrganization();
             if (StringUtils.isNotEmpty(accessingOrganization)) {
                 tenantDomain = resolveTenantDomainByOrgId(accessingOrganization);
             }
-
-            List<String> filteredRoleIds;
-            if (accessingOrganization != null && !accessingOrganization.equals(userResidentOrganization)) {
-                filteredRoleIds = userRoles;
-            } else {
-                filteredRoleIds =
-                        getFilteredRoleIds(userRoles, scopeValidationContext.getAppId(), tenantDomain);
-            }
-
+            List<String> filteredRoleIds = getFilteredRoleIds(userRoles, scopeValidationContext.getAppId(),
+                    tenantDomain);
             if (filteredRoleIds.isEmpty()) {
                 return new ArrayList<>();
             }
-            List<String> associatedScopes = AuthzUtil.getAssociatedScopesForRoles(filteredRoleIds,
-                    tenantDomain);
+            List<String> associatedScopes = AuthzUtil.getAssociatedScopesForRoles(filteredRoleIds, tenantDomain);
             List<String> filteredScopes = appAuthorizedScopes.stream().filter(associatedScopes::contains)
                     .collect(Collectors.toList());
             return requestedScopes.stream().filter(filteredScopes::contains).collect(Collectors.toList());