Improve scope validator for organization switching

sadilchamishka · sadilchamishka · commit eda179e47d32 · 2023-10-27T09:09:00.000+05:30
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/AuthzUtil.java
@@ -29,8 +29,10 @@
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
 import org.wso2.carbon.identity.application.common.model.ClaimMapping;
 import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.util.OrganizationSharedUserUtil;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
 import org.wso2.carbon.user.api.UserStoreException;
@@ -46,6 +48,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 
 import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.APPLICATION;
 import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.ORGANIZATION;
@@ -184,8 +187,15 @@ private static String getAccessingTenantDomain(AuthenticatedUser authenticatedUs
      */
     private static String getAccessingUserId(AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
 
-        // TODO: resolve accessing user id.
-        return getUserId(authenticatedUser);
+        String associatedUserId = getUserId(authenticatedUser);
+        try {
+            Optional<String> optionalOrganizationUserId = OrganizationSharedUserUtil
+                    .getUserIdOfAssociatedUserByOrgId(associatedUserId, authenticatedUser.getAccessingOrganization());
+            return optionalOrganizationUserId.orElseThrow(() ->
+                    new IdentityOAuth2ClientException("User is not allowed to access the organization"));
+        } catch (OrganizationManagementException e) {
+            throw new IdentityOAuth2Exception("Error while resolving shared user ID" , e);
+        }
     }
 
     /**
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/validationhandler/impl/RoleBasedScopeValidationHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/validationhandler/impl/RoleBasedScopeValidationHandler.java
@@ -18,6 +18,7 @@
 
 package org.wso2.carbon.identity.oauth2.validators.validationhandler.impl;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
@@ -30,6 +31,7 @@
 import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationContext;
 import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandler;
 import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -60,13 +62,27 @@ public List<String> validateScopes(List<String> requestedScopes, List<String> ap
             if (userRoles.isEmpty()) {
                 return new ArrayList<>();
             }
-            List<String> filteredRoleIds = getFilteredRoleIds(userRoles, scopeValidationContext.getAppId(),
-                    scopeValidationContext.getAuthenticatedUser().getTenantDomain());
+            String tenantDomain = scopeValidationContext.getAuthenticatedUser().getTenantDomain();
+            String accessingOrganization = scopeValidationContext.getAuthenticatedUser().getAccessingOrganization();
+            String userResidentOrganization = scopeValidationContext.getAuthenticatedUser()
+                    .getUserResidentOrganization();
+            if (StringUtils.isNotEmpty(accessingOrganization)) {
+                tenantDomain = resolveTenantDomainByOrgId(accessingOrganization);
+            }
+
+            List<String> filteredRoleIds;
+            if (accessingOrganization != null && !accessingOrganization.equals(userResidentOrganization)) {
+                filteredRoleIds = userRoles;
+            } else {
+                filteredRoleIds =
+                        getFilteredRoleIds(userRoles, scopeValidationContext.getAppId(), tenantDomain);
+            }
+
             if (filteredRoleIds.isEmpty()) {
                 return new ArrayList<>();
             }
             List<String> associatedScopes = AuthzUtil.getAssociatedScopesForRoles(filteredRoleIds,
-                    scopeValidationContext.getAuthenticatedUser().getTenantDomain());
+                    tenantDomain);
             List<String> filteredScopes = appAuthorizedScopes.stream().filter(associatedScopes::contains)
                     .collect(Collectors.toList());
             return requestedScopes.stream().filter(filteredScopes::contains).collect(Collectors.toList());
@@ -124,4 +140,15 @@ public String getName() {
 
         return "RoleBasedScopeValidationHandler";
     }
+
+    private String resolveTenantDomainByOrgId(String organizationId) throws ScopeValidationHandlerException {
+
+        try {
+            return OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
+                    .resolveTenantDomain(organizationId);
+        } catch (OrganizationManagementException e) {
+            throw new ScopeValidationHandlerException("Error while resolving the tenant domain of the org ID: " +
+                    organizationId, e);
+        }
+    }
 }
