initial commit

components/org.wso2.carbon.identity.authz.valve/pom.xml

@@ -58,6 +58,10 @@
             <groupId>org.wso2.carbon.identity.auth.rest</groupId>
             <artifactId>org.wso2.carbon.identity.auth.valve</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
+            <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wso2.carbon.identity.organization.management</groupId>
             <artifactId>org.wso2.carbon.identity.organization.management.authz.service</artifactId>
@@ -90,7 +94,8 @@
                             org.wso2.carbon.identity.core.*; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.authz.service.*;version="${org.wso2.carbon.identity.authz.service.version.range}",
                             org.apache.catalina.*;version="1.7.0",
-                            org.wso2.carbon.identity.organization.management.authz.service; version="${org.wso2.carbon.identity.organization.management.version.range}"
+                            org.wso2.carbon.identity.organization.management.authz.service; version="${org.wso2.carbon.identity.organization.management.version.range}",
+                            org.wso2.carbon.identity.organization.management.service.constant; version="${org.wso2.carbon.identity.organization.management.core.version.range}"
                         </Import-Package>
                         <Export-Package>!org.wso2.carbon.identity.authz.valve.internal,
                             org.wso2.carbon.identity.authz.valve.*;

components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java

@@ -91,7 +91,7 @@ public void invoke(Request request, Response response) throws IOException, Servl
                  */
                 Object scopeValidationEnabled = authenticationContext.getParameter(OAUTH2_VALIDATE_SCOPE);
                 if (scopeValidationEnabled != null && Boolean.parseBoolean(scopeValidationEnabled.toString())) {
-                    if (!Utils.isUserBelongsToRequestedTenant(authenticationContext, request)) {
+                    if (!Utils.isUserBelongsToRequestedOrganization(authenticationContext, request)) {
                         if (log.isDebugEnabled()) {
                             log.debug("Authorization to " + request.getRequestURI() +
                                     " is denied because the used access token issued from a different tenant domain: " +

components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/util/Utils.java

@@ -19,17 +19,22 @@
 package org.wso2.carbon.identity.authz.valve.util;
 
 import org.apache.catalina.connector.Request;
+import org.apache.commons.lang.StringUtils;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.common.model.User;
 import org.wso2.carbon.identity.auth.service.AuthenticationContext;
 import org.wso2.carbon.identity.auth.service.util.Constants;
 import org.wso2.carbon.identity.authz.service.AuthorizationContext;
 import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
 import java.util.List;
 
+import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.SUPER_ORG_ID;
+
 public class Utils {
 
     public static String getTenantDomainFromURLMapping(Request request) {
@@ -50,6 +55,22 @@ public static String getTenantDomainFromURLMapping(Request request) {
         return domain;
     }
 
+    public static String getOrganizationIdFromURLMapping(Request request) {
+
+        String requestURI = request.getRequestURI();
+        String organizationId = OrganizationManagementConstants.SUPER_ORG_ID;
+
+        if (requestURI.contains("/o/")) {
+            String temp = requestURI.substring(requestURI.indexOf("/o/") + 3);
+            int index = temp.indexOf('/');
+            if (index != -1) {
+                temp = temp.substring(0, index);
+                organizationId = temp;
+            }
+        }
+        return organizationId;
+    }
+
     /**
      * Checks whether the tenantDomain from URL mapping and the tenantDomain get from the user name are same.
      *
@@ -65,6 +86,16 @@ public static boolean isUserBelongsToRequestedTenant(AuthenticationContext authe
         String tenantDomain;
         if (user != null) {
             tenantDomain = user.getTenantDomain();
+            String userOrganization = ((AuthenticatedUser) user).getUserOrganization();
+            // This logic to prevent using the sub-org token against the parent orgs.
+            if (StringUtils.isNotBlank(userOrganization)) {
+                if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomainFromURLMapping)) {
+                    return SUPER_ORG_ID.equals(userOrganization);
+                }
+                // resolve organization ID from tenant domain. Better if org ID is resolved and added to carbon
+                // context at valve level. Revisit org-context creator valve.
+                return false;
+            }
         } else {
             OAuthAppDO oAuthAppDO = (OAuthAppDO) authenticationContext.getProperty(
                     Constants.AUTH_CONTEXT_OAUTH_APP_PROPERTY);
@@ -73,6 +104,21 @@ public static boolean isUserBelongsToRequestedTenant(AuthenticationContext authe
         return tenantDomainFromURLMapping.equals(tenantDomain);
     }
 
+    public static boolean isUserBelongsToRequestedOrganization(AuthenticationContext authenticationContext,
+                                                               Request request) {
+
+        User user = authenticationContext.getUser();
+        if (user == null) {
+            return false;
+        }
+        String userOrganization = ((AuthenticatedUser) user).getUserOrganization();
+        if (StringUtils.isNotEmpty(userOrganization)) {
+            return getOrganizationIdFromURLMapping(request).equals(userOrganization);
+        }
+        String tenantDomainFromURLMapping = getTenantDomainFromURLMapping(request);
+        return tenantDomainFromURLMapping.equals(user.getTenantDomain());
+    }
+
     /**
      * Checks whether cross-tenant-access is allowed for the given tenant.
      *

pom.xml

@@ -345,7 +345,7 @@
         <org.wso2.carbon.identity.cors.valve.version>${project.version}</org.wso2.carbon.identity.cors.valve.version>
 
         <!--Carbon identity version-->
-        <identity.framework.version>5.23.34</identity.framework.version>
+        <identity.framework.version>5.25.317-SNAPSHOT</identity.framework.version>
         <carbon.identity.package.import.version.range>[5.17.8, 7.0.0)</carbon.identity.package.import.version.range>
 
         <org.wso2.carbon.identity.oauth.version>6.4.149</org.wso2.carbon.identity.oauth.version>