Merge pull request #1217 from lasanthaDLPDS/geet_3.3.0

Fix OAuth2ScopeValidator Issues
revert-70aa11f8
Rasika Perera 7 years ago committed by GitHub
commit 7860e02814

@ -110,7 +110,8 @@
org.wso2.carbon.identity.base;version="${carbon.identity.framework.version.range}", org.wso2.carbon.identity.base;version="${carbon.identity.framework.version.range}",
org.wso2.carbon.identity.oauth2.*;version="${carbon.identity.framework.version.range}", org.wso2.carbon.identity.oauth2.*;version="${carbon.identity.framework.version.range}",
org.wso2.carbon.utils.multitenancy, org.wso2.carbon.utils.multitenancy,
org.apache.oltu.oauth2.common.validators org.apache.oltu.oauth2.common.validators,
org.apache.commons.lang3.tuple,
</Import-Package> </Import-Package>
</instructions> </instructions>
</configuration> </configuration>

@ -28,11 +28,9 @@ import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.cache.CacheEntry; import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache; import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey; import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAO;
import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl; import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO; import org.wso2.carbon.identity.oauth2.dao.TokenManagementDAOImpl;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry; import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator; import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
@ -64,12 +62,12 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator {
} }
String resourceScope = null; String resourceScope = null;
// TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
OAuthScopeDAOImpl scopeDAO = new OAuthScopeDAOImpl(); OAuthScopeDAOImpl scopeDAO = new OAuthScopeDAOImpl();
TokenManagementDAOImpl tokenManagementDAO = new TokenManagementDAOImpl();
boolean cacheHit = false; boolean cacheHit = false;
// Check the cache, if caching is enabled. // Check the cache, if caching is enabled.
if (OAuthServerConfiguration.getInstance().isCacheEnabled()) { if (OAuthCache.getInstance().isEnabled()) {
OAuthCache oauthCache = OAuthCache.getInstance(); OAuthCache oauthCache = OAuthCache.getInstance();
OAuthCacheKey cacheKey = new OAuthCacheKey(resource); OAuthCacheKey cacheKey = new OAuthCacheKey(resource);
CacheEntry result = oauthCache.getValueFromCache(cacheKey); CacheEntry result = oauthCache.getValueFromCache(cacheKey);
@ -82,9 +80,9 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator {
} }
if (!cacheHit) { if (!cacheHit) {
resourceScope = scopeDAO.findScopeOfResource(resource); resourceScope = tokenManagementDAO.findTenantAndScopeOfResource(resource).getKey();
if (OAuthServerConfiguration.getInstance().isCacheEnabled()) { if (OAuthCache.getInstance().isEnabled()) {
OAuthCache oauthCache = OAuthCache.getInstance(); OAuthCache oauthCache = OAuthCache.getInstance();
OAuthCacheKey cacheKey = new OAuthCacheKey(resource); OAuthCacheKey cacheKey = new OAuthCacheKey(resource);
ResourceScopeCacheEntry cacheEntry = new ResourceScopeCacheEntry(resourceScope); ResourceScopeCacheEntry cacheEntry = new ResourceScopeCacheEntry(resourceScope);
@ -96,7 +94,7 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator {
//Return TRUE if - There does not exist a scope definition for the resource //Return TRUE if - There does not exist a scope definition for the resource
if (resourceScope == null) { if (resourceScope == null) {
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("Resource '" + resource + "' is not protected with a scope"); log.debug("Resource '" + resource + "' is not protected with a scope");
} }
return true; return true;
@ -105,39 +103,39 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator {
List<String> scopeList = new ArrayList<>(Arrays.asList(scopes)); List<String> scopeList = new ArrayList<>(Arrays.asList(scopes));
//If the access token does not bear the scope required for accessing the Resource. //If the access token does not bear the scope required for accessing the Resource.
if(!scopeList.contains(resourceScope)){ if (!scopeList.contains(resourceScope)) {
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" + log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" +
resourceScope + "'"); resourceScope + "'");
} }
return false; return false;
} }
try { try {
User authorizedUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());
//Get the permissions associated with the scope, if any //Get the permissions associated with the scope, if any
Set<String> permissionsOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope); Set<String> permissionsOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId);
//If the scope doesn't have any permissions associated with it. //If the scope doesn't have any permissions associated with it.
if(permissionsOfScope == null || permissionsOfScope.isEmpty()){ if (permissionsOfScope == null || permissionsOfScope.isEmpty()) {
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("Did not find any roles associated to the scope " + resourceScope); log.debug("Did not find any roles associated to the scope " + resourceScope);
} }
return true; return true;
} }
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
StringBuilder logMessage = new StringBuilder("Found permissions of scope '" + resourceScope + "' "); StringBuilder logMessage = new StringBuilder("Found permissions of scope '" + resourceScope + "' ");
for(String permission : permissionsOfScope){ for (String permission : permissionsOfScope) {
logMessage.append(permission); logMessage.append(permission);
logMessage.append(", "); logMessage.append(", ");
} }
log.debug(logMessage.toString()); log.debug(logMessage.toString());
} }
User authorizedUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());
if (tenantId == 0 || tenantId == -1) { if (tenantId == 0 || tenantId == -1) {
tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName()); tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName());
@ -147,12 +145,12 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator {
String[] userRoles; String[] userRoles;
boolean tenantFlowStarted = false; boolean tenantFlowStarted = false;
try{ try {
//If this is a tenant user //If this is a tenant user
if(tenantId != MultitenantConstants.SUPER_TENANT_ID){ if (tenantId != MultitenantConstants.SUPER_TENANT_ID) {
PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain( PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
realmService.getTenantManager().getDomain(tenantId),true); realmService.getTenantManager().getDomain(tenantId), true);
tenantFlowStarted = true; tenantFlowStarted = true;
} }
@ -173,7 +171,7 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator {
status = authorizationManager status = authorizationManager
.isUserAuthorized(userStore + "/" + username, permission, UI_EXECUTE); .isUserAuthorized(userStore + "/" + username, permission, UI_EXECUTE);
} else { } else {
status = authorizationManager.isUserAuthorized(username , permission, UI_EXECUTE); status = authorizationManager.isUserAuthorized(username, permission, UI_EXECUTE);
} }
if (status) { if (status) {
break; break;
@ -182,13 +180,13 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator {
} }
if (status) { if (status) {
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("User '" + authorizedUser.getUserName() + "' is authorized"); log.debug("User '" + authorizedUser.getUserName() + "' is authorized");
} }
return true; return true;
} }
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("No permissions associated for the user " + authorizedUser.getUserName()); log.debug("No permissions associated for the user " + authorizedUser.getUserName());
} }
return false; return false;
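Review bot: In the `@ -105,39 +103,39 @@` hunk the tenant lookup for the authorized user is moved ahead of `scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId)`, but the `if (tenantId == 0 || tenantId == -1)` fallback to `IdentityTenantUtil.getTenantIdOfUser(...)` stays below that call, so the bindings query can run with an unresolved tenant id; PermissionBasedScopeValidator and RoleBasedScopeValidator in this same commit move the fallback together with the lookup, and this file should do the same by placing those three lines directly after `int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());`. In the `@ -82,9 +80,9 @@` hunk, `tokenManagementDAO.findTenantAndScopeOfResource(resource).getKey()` dereferences the result unconditionally; if that DAO returns null for a resource without a scope definition (the case the later `if (resourceScope == null)` branch still handles), the NullPointerException fires before that branch is reached, so capture the returned pair in a local and null-check it before calling `getKey()`. The tenant half of that pair is discarded while the bindings are then looked up under the token owner's tenant; if resources are tenant-scoped it is worth confirming the two are meant to differ. The debug message `"Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '"` (the same line exists in PermissionBasedScopeValidator) writes the bearer token itself to the log; logging a token identifier or a truncated form instead would keep credentials out of debug output. The enclosing method starts and ends outside these hunks.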

@ -27,9 +27,7 @@ import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAO; import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAO;
import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory; import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator; import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.AuthorizationManager; import org.wso2.carbon.user.api.AuthorizationManager;
@ -59,63 +57,57 @@ public class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
return true; return true;
} }
OAuthScopeDAO pp = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO(); OAuthScopeDAO authScopeDAO = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO();
int tid = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
// TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
OAuthScopeDAOImpl nn = new OAuthScopeDAOImpl();
List<String> scopeList = new ArrayList<>(Arrays.asList(scopes)); List<String> scopeList = new ArrayList<>(Arrays.asList(scopes));
//If the access token does not bear the scope required for accessing the Resource. //If the access token does not bear the scope required for accessing the Resource.
if(!scopeList.contains(resourceScope)){ if (!scopeList.contains(resourceScope)) {
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" + log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" +
resourceScope + "'"); resourceScope + "'");
} }
return false; return false;
} }
try { try {
User authorizedUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());
if (tenantId == 0 || tenantId == -1) {
tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName());
}
//Get the permissions associated with the scope, if any //Get the permissions associated with the scope, if any
Set<String> permissionsOfScope = pp.getBindingsOfScopeByScopeName(resourceScope, tid); Set<String> permissionsOfScope = authScopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId);
//If the scope doesn't have any permissions associated with it. //If the scope doesn't have any permissions associated with it.
if(permissionsOfScope == null || permissionsOfScope.isEmpty()){ if (permissionsOfScope == null || permissionsOfScope.isEmpty()) {
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("Did not find any roles associated to the scope " + resourceScope); log.debug("Did not find any roles associated to the scope " + resourceScope);
} }
return true; return true;
} }
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
StringBuilder logMessage = new StringBuilder("Found permissions of scope '" + resourceScope + "' "); StringBuilder logMessage = new StringBuilder("Found permissions of scope '" + resourceScope + "' ");
for(String permission : permissionsOfScope){ for (String permission : permissionsOfScope) {
logMessage.append(permission); logMessage.append(permission);
logMessage.append(", "); logMessage.append(", ");
} }
log.debug(logMessage.toString()); log.debug(logMessage.toString());
} }
User authorizedUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());
if (tenantId == 0 || tenantId == -1) {
tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName());
}
AuthorizationManager authorizationManager; AuthorizationManager authorizationManager;
String[] userRoles; String[] userRoles;
boolean tenantFlowStarted = false; boolean tenantFlowStarted = false;
try{ try {
//If this is a tenant user //If this is a tenant user
if(tenantId != MultitenantConstants.SUPER_TENANT_ID){ if (tenantId != MultitenantConstants.SUPER_TENANT_ID) {
PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain( PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
realmService.getTenantManager().getDomain(tenantId),true); realmService.getTenantManager().getDomain(tenantId), true);
tenantFlowStarted = true; tenantFlowStarted = true;
} }
@ -136,7 +128,7 @@ public class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
status = authorizationManager status = authorizationManager
.isUserAuthorized(userStore + "/" + username, permission, UI_EXECUTE); .isUserAuthorized(userStore + "/" + username, permission, UI_EXECUTE);
} else { } else {
status = authorizationManager.isUserAuthorized(username , permission, UI_EXECUTE); status = authorizationManager.isUserAuthorized(username, permission, UI_EXECUTE);
} }
if (status) { if (status) {
break; break;
@ -145,13 +137,13 @@ public class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
} }
if (status) { if (status) {
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("User '" + authorizedUser.getUserName() + "' is authorized"); log.debug("User '" + authorizedUser.getUserName() + "' is authorized");
} }
return true; return true;
} }
if(log.isDebugEnabled()){ if (log.isDebugEnabled()) {
log.debug("No permissions associated for the user " + authorizedUser.getUserName()); log.debug("No permissions associated for the user " + authorizedUser.getUserName());
} }
return false; return false;
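Review bot: The tenant-resolution block added at the top of the `try` in the `@ -59,63 +57,57 @@` hunk (`User authorizedUser = ...`, `RealmService realmService = ...`, `int tenantId = ...` and the `tenantId == 0 || tenantId == -1` fallback) is now copied verbatim into all three validators touched by this commit, so a single shared helper, for example a static `resolveTenantId(User)` in a common utility class of this module, would keep the fallback logic in one place. The literals `0` and `-1` carry the meaning "tenant id could not be resolved" and deserve a named constant or a comment such as `// getTenantId() yields 0/-1 when the domain is unknown; fall back to resolving from the user name`. Replacing `PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()` with the token owner's tenant changes which tenant's scope bindings are consulted and appears to be the substance of the fix, so a one-line comment stating that bindings must be read from the authorized user's tenant would help the next maintainer. The enclosing method begins and ends outside this hunk.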

@ -29,7 +29,6 @@ import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil; import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl; import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator; import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreException;
@ -62,9 +61,7 @@ public class RoleBasedScopeValidator extends OAuth2ScopeValidator {
return true; return true;
} }
// TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
OAuthScopeDAOImpl scopeDAO = new OAuthScopeDAOImpl(); OAuthScopeDAOImpl scopeDAO = new OAuthScopeDAOImpl();
List<String> scopeList = new ArrayList<>(Arrays.asList(scopes)); List<String> scopeList = new ArrayList<>(Arrays.asList(scopes));
//If the access token does not bear the scope required for accessing the Resource. //If the access token does not bear the scope required for accessing the Resource.
@ -77,8 +74,15 @@ public class RoleBasedScopeValidator extends OAuth2ScopeValidator {
} }
try { try {
User authzUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().getTenantId(authzUser.getTenantDomain());
if (tenantId == 0 || tenantId == -1) {
tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName());
}
//Get the roles associated with the scope, if any //Get the roles associated with the scope, if any
Set<String> rolesOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope); Set<String> rolesOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId);
//If the scope doesn't have any roles associated with it. //If the scope doesn't have any roles associated with it.
if(rolesOfScope == null || rolesOfScope.isEmpty()){ if(rolesOfScope == null || rolesOfScope.isEmpty()){
@ -97,16 +101,6 @@ public class RoleBasedScopeValidator extends OAuth2ScopeValidator {
log.debug(logMessage.toString()); log.debug(logMessage.toString());
} }
User authzUser = accessTokenDO.getAuthzUser();
RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
int tenantId = realmService.getTenantManager().
getTenantId(authzUser.getTenantDomain());
if (tenantId == 0 || tenantId == -1) {
tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName());
}
UserStoreManager userStoreManager; UserStoreManager userStoreManager;
String[] userRoles; String[] userRoles;
boolean tenantFlowStarted = false; boolean tenantFlowStarted = false;
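Review bot: The moved block in the `@ -77,8 +74,15 @@` hunk names the user `authzUser` while the identical block in ExtendedJDBCScopeValidator and PermissionBasedScopeValidator uses `authorizedUser`; since the three copies are otherwise line-for-line the same, aligning the name (or replacing the copies with one shared helper) makes the duplication visible and easier to remove. The commit reformats `if(...)` spacing across the other validators but leaves `if(rolesOfScope == null || rolesOfScope.isEmpty()){` on the line after the changed DAO call in the old style; `if (rolesOfScope == null || rolesOfScope.isEmpty()) {` would match. The enclosing method starts and ends outside this hunk.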
