diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml index 50b462f3dc..d60665d739 100644 --- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml +++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml @@ -110,7 +110,8 @@ org.wso2.carbon.identity.base;version="${carbon.identity.framework.version.range}", org.wso2.carbon.identity.oauth2.*;version="${carbon.identity.framework.version.range}", org.wso2.carbon.utils.multitenancy, - org.apache.oltu.oauth2.common.validators + org.apache.oltu.oauth2.common.validators, + org.apache.commons.lang3.tuple, diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ExtendedJDBCScopeValidator.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ExtendedJDBCScopeValidator.java index f4745548dd..48e224c087 100644 --- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ExtendedJDBCScopeValidator.java +++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ExtendedJDBCScopeValidator.java 
@@ -28,11 +28,9 @@ import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.oauth.cache.CacheEntry; import org.wso2.carbon.identity.oauth.cache.OAuthCache; import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey; -import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; -import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAO; import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl; -import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO; +import org.wso2.carbon.identity.oauth2.dao.TokenManagementDAOImpl; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry; import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator; @@ -64,12 +62,12 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator { } String resourceScope = null; -// TokenMgtDAO tokenMgtDAO = new TokenMgtDAO(); OAuthScopeDAOImpl scopeDAO = new OAuthScopeDAOImpl(); - + TokenManagementDAOImpl tokenManagementDAO = new TokenManagementDAOImpl(); boolean cacheHit = false; + // Check the cache, if caching is enabled. - if (OAuthServerConfiguration.getInstance().isCacheEnabled()) { + if (OAuthCache.getInstance().isEnabled()) { OAuthCache oauthCache = OAuthCache.getInstance(); OAuthCacheKey cacheKey = new OAuthCacheKey(resource); CacheEntry result = oauthCache.getValueFromCache(cacheKey); 
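Review bot: The added `TokenManagementDAOImpl tokenManagementDAO = new TokenManagementDAOImpl();`, next to the existing `new OAuthScopeDAOImpl()`, builds persistence DAOs directly inside the validator on every call, while PermissionBasedScopeValidator in this same change resolves its DAO through `OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO()`. Going through the factory keeps all three validators on the same persistence layer (and any override configured there) instead of two of them bypassing it; if the factory exposes a token-management DAO accessor, obtain the new DAO from it rather than instantiating the impl. The `OAuthServerConfiguration.isCacheEnabled()` to `OAuthCache.getInstance().isEnabled()` swap looks consistent with the cache lookup that follows it. validateScope starts before this hunk and continues past it.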
@@ -82,9 +80,9 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator { } if (!cacheHit) { - resourceScope = scopeDAO.findScopeOfResource(resource); + resourceScope = tokenManagementDAO.findTenantAndScopeOfResource(resource).getKey(); - if (OAuthServerConfiguration.getInstance().isCacheEnabled()) { + if (OAuthCache.getInstance().isEnabled()) { OAuthCache oauthCache = OAuthCache.getInstance(); OAuthCacheKey cacheKey = new OAuthCacheKey(resource); ResourceScopeCacheEntry cacheEntry = new ResourceScopeCacheEntry(resourceScope); @@ -96,7 +94,7 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator { //Return TRUE if - There does not exist a scope definition for the resource if (resourceScope == null) { - if(log.isDebugEnabled()){ + if (log.isDebugEnabled()) { log.debug("Resource '" + resource + "' is not protected with a scope"); } return true; 
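Review bot: `resourceScope = tokenManagementDAO.findTenantAndScopeOfResource(resource).getKey();` dereferences the returned pair unconditionally, whereas the replaced `scopeDAO.findScopeOfResource(resource)` could yield null and the `if (resourceScope == null)` branch just below relies on that null to mean "resource is not scope-protected"; if the new lookup returns null for an unknown resource this line throws out of the validator instead of reaching that branch, so hold the pair in a local and null-check it before calling `getKey()`. Assuming the key half is the scope string as the assignment implies, the tenant half is discarded, yet the cache that is filled right after is keyed by `new OAuthCacheKey(resource)` alone with `new ResourceScopeCacheEntry(resourceScope)`, so whichever tenant resolves a resource first fixes its scope for every tenant that shares the cache — worth confirming that scope-to-resource bindings are not tenant-specific before relying on this. validateScope starts before this hunk and continues after it.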
@@ -105,39 +103,39 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator { List scopeList = new ArrayList<>(Arrays.asList(scopes)); //If the access token does not bear the scope required for accessing the Resource. - if(!scopeList.contains(resourceScope)){ - if(log.isDebugEnabled()){ + if (!scopeList.contains(resourceScope)) { + if (log.isDebugEnabled()) { log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" + - resourceScope + "'"); + resourceScope + "'"); } return false; } try { + User authorizedUser = accessTokenDO.getAuthzUser(); + RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService(); + int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain()); + //Get the permissions associated with the scope, if any - Set permissionsOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope); + Set permissionsOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId); //If the scope doesn't have any permissions associated with it. 
- if(permissionsOfScope == null || permissionsOfScope.isEmpty()){ - if(log.isDebugEnabled()){ + if (permissionsOfScope == null || permissionsOfScope.isEmpty()) { + if (log.isDebugEnabled()) { log.debug("Did not find any roles associated to the scope " + resourceScope); } return true; } - if(log.isDebugEnabled()){ + if (log.isDebugEnabled()) { StringBuilder logMessage = new StringBuilder("Found permissions of scope '" + resourceScope + "' "); - for(String permission : permissionsOfScope){ + for (String permission : permissionsOfScope) { logMessage.append(permission); logMessage.append(", "); } log.debug(logMessage.toString()); } - User authorizedUser = accessTokenDO.getAuthzUser(); - RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService(); - - int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain()); if (tenantId == 0 || tenantId == -1) { tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName()); @@ -147,12 +145,12 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator { String[] userRoles; boolean tenantFlowStarted = false; - try{ + try { //If this is a tenant user - if(tenantId != MultitenantConstants.SUPER_TENANT_ID){ + if (tenantId != MultitenantConstants.SUPER_TENANT_ID) { PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain( - realmService.getTenantManager().getDomain(tenantId),true); + realmService.getTenantManager().getDomain(tenantId), true); tenantFlowStarted = true; } @@ -173,7 +171,7 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator { status = authorizationManager .isUserAuthorized(userStore + "/" + username, permission, UI_EXECUTE); } else { - status = authorizationManager.isUserAuthorized(username , permission, UI_EXECUTE); + status = authorizationManager.isUserAuthorized(username, permission, UI_EXECUTE); } if (status) { break; 
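Review bot: The added `int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());` now feeds `scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId)`, but the `if (tenantId == 0 || tenantId == -1)` fallback to `IdentityTenantUtil.getTenantIdOfUser(...)` was left at its old position after that lookup, so when the tenant manager cannot resolve the user's domain the bindings are fetched for tenant 0 or -1. That lookup will presumably come back empty, and the `permissionsOfScope == null || permissionsOfScope.isEmpty()` branch then returns true, turning an unresolved tenant into a scope-check bypass rather than a permission check; the other two validators in this change moved the fallback above the lookup, and this one should too. Separately, `log.debug("Access token '" + accessTokenDO.getAccessToken() + ...` writes the raw bearer token to the log; drop the token value from that message. validateScope starts before this hunk and its tenant-flow and authorization section follows in the next hunk.
```java
int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain());
// Resolve the fallback BEFORE the tenant-scoped lookup; an unresolved tenant must not yield an empty binding set.
if (tenantId == 0 || tenantId == -1) {
    tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName());
}
//Get the permissions associated with the scope, if any
Set permissionsOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId);
// … unchanged: empty-binding check and debug listing of permissions; the old fallback block after them is deleted …
```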
@@ -182,13 +180,13 @@ public class ExtendedJDBCScopeValidator extends OAuth2ScopeValidator { } if (status) { - if(log.isDebugEnabled()){ + if (log.isDebugEnabled()) { log.debug("User '" + authorizedUser.getUserName() + "' is authorized"); } return true; } - if(log.isDebugEnabled()){ + if (log.isDebugEnabled()) { log.debug("No permissions associated for the user " + authorizedUser.getUserName()); } return false; diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/PermissionBasedScopeValidator.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/PermissionBasedScopeValidator.java index ef720b15ad..2d4010bf1c 100644 --- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/PermissionBasedScopeValidator.java +++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/PermissionBasedScopeValidator.java @@ -27,9 +27,7 @@ import org.wso2.carbon.identity.application.common.model.User; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAO; -import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl; import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory; -import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator; import org.wso2.carbon.user.api.AuthorizationManager; 
@@ -59,63 +57,57 @@ public class PermissionBasedScopeValidator extends OAuth2ScopeValidator { return true; } - OAuthScopeDAO pp = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO(); - int tid = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(); - -// TokenMgtDAO tokenMgtDAO = new TokenMgtDAO(); - OAuthScopeDAOImpl nn = new OAuthScopeDAOImpl(); - + OAuthScopeDAO authScopeDAO = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO(); List scopeList = new ArrayList<>(Arrays.asList(scopes)); //If the access token does not bear the scope required for accessing the Resource. - if(!scopeList.contains(resourceScope)){ - if(log.isDebugEnabled()){ + if (!scopeList.contains(resourceScope)) { + if (log.isDebugEnabled()) { log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" + - resourceScope + "'"); + resourceScope + "'"); } return false; } try { + User authorizedUser = accessTokenDO.getAuthzUser(); + RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService(); + + int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain()); + + if (tenantId == 0 || tenantId == -1) { + tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName()); + } //Get the permissions associated with the scope, if any - Set permissionsOfScope = pp.getBindingsOfScopeByScopeName(resourceScope, tid); + Set permissionsOfScope = authScopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId); //If the scope doesn't have any permissions associated with it. 
- if(permissionsOfScope == null || permissionsOfScope.isEmpty()){ - if(log.isDebugEnabled()){ + if (permissionsOfScope == null || permissionsOfScope.isEmpty()) { + if (log.isDebugEnabled()) { log.debug("Did not find any roles associated to the scope " + resourceScope); } return true; } - if(log.isDebugEnabled()){ + if (log.isDebugEnabled()) { StringBuilder logMessage = new StringBuilder("Found permissions of scope '" + resourceScope + "' "); - for(String permission : permissionsOfScope){ + for (String permission : permissionsOfScope) { logMessage.append(permission); logMessage.append(", "); } log.debug(logMessage.toString()); } - User authorizedUser = accessTokenDO.getAuthzUser(); - RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService(); - - int tenantId = realmService.getTenantManager().getTenantId(authorizedUser.getTenantDomain()); - - if (tenantId == 0 || tenantId == -1) { - tenantId = IdentityTenantUtil.getTenantIdOfUser(authorizedUser.getUserName()); - } - AuthorizationManager authorizationManager; String[] userRoles; boolean tenantFlowStarted = false; - try{ + try { //If this is a tenant user - if(tenantId != MultitenantConstants.SUPER_TENANT_ID){ + if (tenantId != MultitenantConstants.SUPER_TENANT_ID) { PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain( - realmService.getTenantManager().getDomain(tenantId),true); + realmService.getTenantManager().getDomain(tenantId), true); tenantFlowStarted = true; } @@ -136,7 +128,7 @@ public class PermissionBasedScopeValidator extends OAuth2ScopeValidator { status = authorizationManager .isUserAuthorized(userStore + "/" + username, permission, UI_EXECUTE); } else { - status = authorizationManager.isUserAuthorized(username , permission, UI_EXECUTE); + status = authorizationManager.isUserAuthorized(username, permission, UI_EXECUTE); } if (status) { break; 
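Review bot: `log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" + resourceScope + "'");`, re-indented in this hunk, prints the raw bearer token into the debug log, which makes log files a credential store for every token that ever failed a scope check; log a non-secret identifier instead, e.g. `log.debug("Access token for user '" + accessTokenDO.getAuthzUser().getUserName() + "' does not bear the scope '" + resourceScope + "'");`. Note also that the tenant passed to `authScopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId)` changed from the thread-local `PrivilegedCarbonContext` tenant to the token's authorized-user tenant, and the unchanged `permissionsOfScope == null || permissionsOfScope.isEmpty()` branch still returns true, so a scope whose bindings are not provisioned under that tenant now grants access silently; a `log.warn` in that branch, and a check that bindings exist per tenant, would make the fail-open visible. validateScope continues into the next hunk.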
@@ -145,13 +137,13 @@ public class PermissionBasedScopeValidator extends OAuth2ScopeValidator { } if (status) { - if(log.isDebugEnabled()){ + if (log.isDebugEnabled()) { log.debug("User '" + authorizedUser.getUserName() + "' is authorized"); } return true; } - if(log.isDebugEnabled()){ + if (log.isDebugEnabled()) { log.debug("No permissions associated for the user " + authorizedUser.getUserName()); } return false; diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/RoleBasedScopeValidator.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/RoleBasedScopeValidator.java index 6fd79eac17..23e6d9d9a7 100644 --- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/RoleBasedScopeValidator.java +++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/RoleBasedScopeValidator.java @@ -29,7 +29,6 @@ import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.core.util.IdentityUtil; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl; -import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator; import org.wso2.carbon.user.api.UserStoreException; 
@@ -62,9 +61,7 @@ public class RoleBasedScopeValidator extends OAuth2ScopeValidator { return true; } -// TokenMgtDAO tokenMgtDAO = new TokenMgtDAO(); OAuthScopeDAOImpl scopeDAO = new OAuthScopeDAOImpl(); - List scopeList = new ArrayList<>(Arrays.asList(scopes)); //If the access token does not bear the scope required for accessing the Resource. @@ -77,8 +74,15 @@ public class RoleBasedScopeValidator extends OAuth2ScopeValidator { } try { + User authzUser = accessTokenDO.getAuthzUser(); + RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService(); + int tenantId = realmService.getTenantManager().getTenantId(authzUser.getTenantDomain()); + if (tenantId == 0 || tenantId == -1) { + tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName()); + } + //Get the roles associated with the scope, if any - Set rolesOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope); + Set rolesOfScope = scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId); //If the scope doesn't have any roles associated with it. if(rolesOfScope == null || rolesOfScope.isEmpty()){ @@ -97,16 +101,6 @@ public class RoleBasedScopeValidator extends OAuth2ScopeValidator { log.debug(logMessage.toString()); } - User authzUser = accessTokenDO.getAuthzUser(); - RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService(); - - int tenantId = realmService.getTenantManager(). - getTenantId(authzUser.getTenantDomain()); - - if (tenantId == 0 || tenantId == -1) { - tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName()); - } - UserStoreManager userStoreManager; String[] userRoles; boolean tenantFlowStarted = false;
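Review bot: `scopeDAO.getBindingsOfScopeByScopeName(resourceScope, tenantId)` now filters bindings by the authorized user's tenant where the replaced call took no tenant, and the context lines right after it still treat an empty result as "return true"; if role bindings for a scope are provisioned in only one tenant, a user from another tenant now receives an empty set and passes the check instead of being matched against the roles. Confirm that the binding table is populated per tenant, and consider surfacing that branch, e.g. `log.warn("Scope '" + resourceScope + "' has no role bindings in tenant " + tenantId + "; allowing access");`, so the fail-open is at least visible in operations. Also, `OAuthScopeDAOImpl scopeDAO = new OAuthScopeDAOImpl();` differs from PermissionBasedScopeValidator, which in this same change resolves the DAO via `OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO()`; using the factory here keeps the three validators consistent. validateScope starts before this hunk and continues after it.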