diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java index 3725b1d4a2..df2e0901f9 100755 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java @@ -763,8 +763,11 @@ private static AuthenticatedUser buildAuthenticatedUser(UserStoreManager userSto return authenticatedUser; } - // Organization SSO user flow - authenticatedUser.setUserName(userId); + /* + Organization SSO user flow. This user id will be used to get the consumer keys which are associated + with the user from access tokens. + */ + authenticatedUser.setUserId(userId); setOrganizationSSOUserDetails(authenticatedUser); authenticatedUser.setUserResidentOrganization(accessingOrg); authenticatedUser.setAccessingOrganization(accessingOrg); 
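Review bot: With `authenticatedUser.setUserId(userId)` replacing `setUserName(userId)`, nothing left in this hunk populates the organization SSO user's username, yet `getAllTimeAuthorizedClientIds` in the same commit still reads `authzUser.getUserName()` for the PRIMARY-store lookup and lowercases it when the store is case-insensitive, which would throw on a null username. Unless `setOrganizationSSOUserDetails` fills the username in (not visible here), that path regresses; please confirm and record the contract in the comment, e.g. `Organization SSO user flow: token lookups for FEDERATED users are keyed on the user id; the username is populated by setOrganizationSSOUserDetails.` — but only if that is actually what happens. The new block comment also drops the leading `*` on its continuation lines that the rest of the file's comments use. `buildAuthenticatedUser` begins and ends outside the hunk.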
@@ -881,7 +884,21 @@ private static boolean processTokenRevocation(Set clientIds, Authenticat // retrieve all ACTIVE or EXPIRED access tokens for particular client authorized by this user accessTokenDOs = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO() .getAccessTokens(clientId, authenticatedUser, userStoreDomain, true); - } catch (IdentityOAuth2Exception e) { + /* + If the authenticated user's resident organization is an organization, then we need to check + for the access tokens issued directly for the organization as well. + */ + if (OrganizationManagementUtil.isOrganization(authenticatedUser.getUserResidentOrganization())) { + AuthenticatedUser orgUser = authenticatedUser; + orgUser.setFederatedUser(false); + orgUser.setUserStoreDomain("PRIMARY"); + String userTenantDomain = OAuthComponentServiceHolder.getInstance().getOrganizationManager() + .resolveTenantDomain(authenticatedUser.getUserResidentOrganization()); + orgUser.setTenantDomain(userTenantDomain); + accessTokenDOs = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO() + .getAccessTokens(clientId, orgUser, "PRIMARY", true); + } + } catch (IdentityOAuth2Exception | OrganizationManagementException e) { String errorMsg = "Error occurred while retrieving access tokens issued for " + "Client ID : " + clientId + ", User ID : " + authenticatedUser; LOG.error(errorMsg, e); diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java index aa7fe011a8..ae891a2b00 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java 
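Review bot: `AuthenticatedUser orgUser = authenticatedUser;` aliases rather than copies, so the three setters that follow rewrite the caller's `authenticatedUser` (federated flag, user-store domain, tenant domain) for every remaining iteration of the client-id loop and for the error message built in the catch below. The second `accessTokenDOs = ...getAccessTokens(clientId, orgUser, "PRIMARY", true)` also overwrites the FEDERATED tokens fetched two lines earlier instead of adding to them, so for an organization user only the PRIMARY-store tokens reach revocation. Copy the user first and merge the two lookups, as below (this assumes `accessTokenDOs`, declared above the hunk, is a collection the first call has already populated); `processTokenRevocation` begins and ends outside the hunk.
```java
if (OrganizationManagementUtil.isOrganization(authenticatedUser.getUserResidentOrganization())) {
    // Work on a copy: the caller's user object must not be rewritten for later iterations.
    AuthenticatedUser orgUser = new AuthenticatedUser(authenticatedUser);
    orgUser.setFederatedUser(false);
    orgUser.setUserStoreDomain("PRIMARY");
    String userTenantDomain = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
            .resolveTenantDomain(authenticatedUser.getUserResidentOrganization());
    orgUser.setTenantDomain(userTenantDomain);
    // Merge with the FEDERATED tokens fetched above instead of replacing them.
    accessTokenDOs.addAll(OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
            .getAccessTokens(clientId, orgUser, "PRIMARY", true));
}
// … unchanged: catch (IdentityOAuth2Exception | OrganizationManagementException e) …
```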
@@ -24,6 +24,7 @@ import org.apache.commons.lang3.tuple.Pair; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException; import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException; import org.wso2.carbon.identity.application.common.model.ServiceProvider; @@ -40,6 +41,7 @@ import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO; import org.wso2.carbon.identity.oauth2.util.OAuth2Util; import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException; +import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil; import java.sql.Connection; import java.sql.PreparedStatement; 
@@ -860,45 +862,132 @@ public Set getAllTimeAuthorizedClientIds(AuthenticatedUser authzUser) th } PreparedStatement ps = null; + PreparedStatement psForPrimary = null; Connection connection = IdentityDatabaseUtil.getDBConnection(); ResultSet rs = null; + ResultSet rsForPrimary = null; Set distinctConsumerKeys = new HashSet<>(); boolean isUsernameCaseSensitive = IdentityUtil.isUserStoreInUsernameCaseSensitive(authzUser.toString()); String tenantDomain = getUserResidentTenantDomain(authzUser); - String tenantAwareUsernameWithNoUserDomain = authzUser.getUserName(); - String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain()); - if (log.isDebugEnabled()) { - log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " + tenantDomain - + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain); - } + /* + If the tenant domain is an organization, then we need to extract the tokens in both PRIMARY and FEDERATED + user stores. For FEDERATED user store we can use the authenticated user's user id and for the PRIMARY domain, + we can use the authenticated user's username. + */ + boolean isOrganization = false; try { - int tenantId = OAuth2Util.getTenantId(tenantDomain); + isOrganization = OrganizationManagementUtil.isOrganization(tenantDomain); + } catch (OrganizationManagementException e) { + throw new IdentityOAuth2Exception("Error occurred while checking whether the tenant domain is an " + + "organization or not.", e); + } + + if (isOrganization) { + try { + // Getting the FEDERATED user domain related consumer keys. 
+ String userId = authzUser.getUserId(); + String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain()); + + if (log.isDebugEnabled()) { + log.debug("Obtain the User's(" + userId + ") tenant domain: " + tenantDomain + + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain); + } + + int tenantId = OAuth2Util.getTenantId(tenantDomain); + + String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries. + GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, userId); + + if (!isUsernameCaseSensitive) { + sqlQuery = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER); + } + ps = connection.prepareStatement(sqlQuery); + if (isUsernameCaseSensitive) { + ps.setString(1, userId); + } else { + ps.setString(1, userId.toLowerCase()); + } + ps.setInt(2, tenantId); + ps.setString(3, userDomain); + rs = ps.executeQuery(); + while (rs.next()) { + String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rs.getString(1)); + distinctConsumerKeys.add(consumerKey); + } + + // Getting the PRIMARY user domain related consumer keys. + String tenantAwareUsernameWithNoUserDomain = authzUser.getUserName(); + if (log.isDebugEnabled()) { + log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " + + tenantDomain + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + + userDomain); + } + + String sqlQueryForPrimary = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries. + GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, authzUser.getUserStoreDomain()); - String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries. 
- GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, authzUser.getUserStoreDomain()); + if (!isUsernameCaseSensitive) { + sqlQueryForPrimary = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER); + } - if (!isUsernameCaseSensitive) { - sqlQuery = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER); + psForPrimary = connection.prepareStatement(sqlQueryForPrimary); + if (isUsernameCaseSensitive) { + psForPrimary.setString(1, tenantAwareUsernameWithNoUserDomain); + } else { + psForPrimary.setString(1, tenantAwareUsernameWithNoUserDomain.toLowerCase()); + } + psForPrimary.setInt(2, tenantId); + psForPrimary.setString(3, "PRIMARY"); + rsForPrimary = psForPrimary.executeQuery(); + while (rsForPrimary.next()) { + String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rsForPrimary.getString(1)); + distinctConsumerKeys.add(consumerKey); + } + } catch (SQLException | UserIdNotFoundException e) { + throw new IdentityOAuth2Exception( + "Error occurred while retrieving all distinct Client IDs authorized by " + + "User ID : " + authzUser + " until now", e); + } finally { + IdentityDatabaseUtil.closeAllConnections(connection, rs, ps); + IdentityDatabaseUtil.closeStatement(psForPrimary); + IdentityDatabaseUtil.closeResultSet(rsForPrimary); } - ps = connection.prepareStatement(sqlQuery); - if (isUsernameCaseSensitive) { - ps.setString(1, tenantAwareUsernameWithNoUserDomain); - } else { - ps.setString(1, tenantAwareUsernameWithNoUserDomain.toLowerCase()); + } else { + String tenantAwareUsernameWithNoUserDomain = authzUser.getUserName(); + String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain()); + if (log.isDebugEnabled()) { + log.debug("Obtain the User's(" + tenantAwareUsernameWithNoUserDomain + ") tenant domain: " + + tenantDomain + "/" + OAuth2Util.getTenantId(tenantDomain) + "and user-domain: " + userDomain); } - ps.setInt(2, tenantId); - ps.setString(3, userDomain); - rs = ps.executeQuery(); - while (rs.next()) { - String consumerKey = 
getPersistenceProcessor().getPreprocessedClientId(rs.getString(1)); - distinctConsumerKeys.add(consumerKey); + try { + int tenantId = OAuth2Util.getTenantId(tenantDomain); + + String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(SQLQueries. + GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, authzUser.getUserStoreDomain()); + + if (!isUsernameCaseSensitive) { + sqlQuery = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER); + } + ps = connection.prepareStatement(sqlQuery); + if (isUsernameCaseSensitive) { + ps.setString(1, tenantAwareUsernameWithNoUserDomain); + } else { + ps.setString(1, tenantAwareUsernameWithNoUserDomain.toLowerCase()); + } + ps.setInt(2, tenantId); + ps.setString(3, userDomain); + rs = ps.executeQuery(); + while (rs.next()) { + String consumerKey = getPersistenceProcessor().getPreprocessedClientId(rs.getString(1)); + distinctConsumerKeys.add(consumerKey); + } + } catch (SQLException e) { + throw new IdentityOAuth2Exception( + "Error occurred while retrieving all distinct Client IDs authorized by " + + "User ID : " + authzUser + " until now", e); + } finally { + IdentityDatabaseUtil.closeAllConnections(connection, rs, ps); } - } catch (SQLException e) { - throw new IdentityOAuth2Exception( - "Error occurred while retrieving all distinct Client IDs authorized by " + - "User ID : " + authzUser + " until now", e); - } finally { - IdentityDatabaseUtil.closeAllConnections(connection, rs, ps); } if (log.isDebugEnabled()) { StringBuilder consumerKeys = new StringBuilder();
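Review bot: `sqlQueryForPrimary = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER);` in the organization branch lowers the wrong variable, so for a case-insensitive user store the PRIMARY lookup silently reuses the FEDERATED query instead of its own; it should read `sqlQueryForPrimary = sqlQueryForPrimary.replace(AUTHZ_USER, LOWER_AUTHZ_USER);`. The FEDERATED query is also partitioned with `userId` where every other call passes a user-store domain, which looks like the wrong argument, and `userId.toLowerCase()` is applied under `isUsernameCaseSensitive`, a flag derived from `authzUser.toString()` for a username rather than an id. The connection is acquired before the new `OrganizationManagementUtil.isOrganization` call, so its `OrganizationManagementException` path throws without releasing it, and in the organization branch's `finally` the connection is closed before `psForPrimary` and `rsForPrimary`. Both branches now duplicate the prepare/bind/iterate sequence with only the identifier and domain differing; a helper using try-with-resources removes the duplication and the close-ordering problem, as sketched below (`getAllTimeAuthorizedClientIds` itself begins before the hunk).
```java
// … unchanged: null check on authzUser, tenantDomain and isUsernameCaseSensitive setup …
boolean isOrganization;
try {
    isOrganization = OrganizationManagementUtil.isOrganization(tenantDomain);
} catch (OrganizationManagementException e) {
    throw new IdentityOAuth2Exception("Error occurred while checking whether the tenant domain is an "
            + "organization or not.", e);
}
// Acquire the connection only after every path that can throw without reaching the finally below.
Connection connection = IdentityDatabaseUtil.getDBConnection();
try {
    int tenantId = OAuth2Util.getTenantId(tenantDomain);
    String userDomain = OAuth2Util.getSanitizedUserStoreDomain(authzUser.getUserStoreDomain());
    // … debug log of user / tenant / user-domain as before …
    if (isOrganization) {
        // FEDERATED store is keyed by user id, PRIMARY store by username.
        collectAuthorizedClientIds(connection, authzUser.getUserId(), tenantId, userDomain,
                isUsernameCaseSensitive, distinctConsumerKeys);
        collectAuthorizedClientIds(connection, authzUser.getUserName(), tenantId, "PRIMARY",
                isUsernameCaseSensitive, distinctConsumerKeys);
    } else {
        collectAuthorizedClientIds(connection, authzUser.getUserName(), tenantId, userDomain,
                isUsernameCaseSensitive, distinctConsumerKeys);
    }
} catch (SQLException | UserIdNotFoundException e) {
    throw new IdentityOAuth2Exception("Error occurred while retrieving all distinct Client IDs authorized by "
            + "User ID : " + authzUser + " until now", e);
} finally {
    IdentityDatabaseUtil.closeConnection(connection);
}
// … unchanged: debug listing of the collected consumer keys, return …

/**
 * Runs GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME for one (user identifier, user-store domain) pair and adds
 * every client id found to {@code distinctConsumerKeys}. Statement and result set are closed here, before the
 * caller releases the connection.
 */
private void collectAuthorizedClientIds(Connection connection, String user, int tenantId, String userStoreDomain,
                                        boolean isUsernameCaseSensitive, Set<String> distinctConsumerKeys)
        throws SQLException, IdentityOAuth2Exception {

    String sqlQuery = OAuth2Util.getTokenPartitionedSqlByUserStore(
            SQLQueries.GET_DISTINCT_APPS_AUTHORIZED_BY_USER_ALL_TIME, userStoreDomain);
    if (!isUsernameCaseSensitive) {
        sqlQuery = sqlQuery.replace(AUTHZ_USER, LOWER_AUTHZ_USER);
    }
    try (PreparedStatement ps = connection.prepareStatement(sqlQuery)) {
        ps.setString(1, isUsernameCaseSensitive ? user : user.toLowerCase());
        ps.setInt(2, tenantId);
        ps.setString(3, userStoreDomain);
        try (ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                distinctConsumerKeys.add(getPersistenceProcessor().getPreprocessedClientId(rs.getString(1)));
            }
        }
    }
}
```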