wso2-extensions · tharindu-b-hewage · Nov 18, 2019 · Nov 19, 2019 · Nov 19, 2019
diff --git a/components/org.wso2.carbon.identity.auth.service/pom.xml b/components/org.wso2.carbon.identity.auth.service/pom.xml
@@ -54,6 +54,10 @@
             <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
             <artifactId>org.wso2.carbon.identity.oauth</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.association.account</groupId>
+            <artifactId>org.wso2.carbon.identity.user.account.association</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.testng</groupId>
             <artifactId>testng</artifactId>

diff --git a/...ce/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java b/...ce/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java
@@ -19,7 +19,8 @@
 package org.wso2.carbon.identity.auth.service.handler;
 
 import org.apache.commons.lang.StringUtils;
-import org.apache.http.HttpHeaders;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.common.model.User;
 import org.wso2.carbon.identity.auth.service.AuthenticationContext;
@@ -28,10 +29,15 @@
 import org.wso2.carbon.identity.auth.service.exception.AuthClientException;
 import org.wso2.carbon.identity.auth.service.exception.AuthServerException;
 import org.wso2.carbon.identity.auth.service.exception.AuthenticationFailException;
+import org.wso2.carbon.identity.auth.service.internal.AuthenticationServiceHolder;
 import org.wso2.carbon.identity.core.bean.context.MessageContext;
 import org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler;
-import org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
+import org.wso2.carbon.identity.user.account.association.UserAccountConnector;
+import org.wso2.carbon.identity.user.account.association.dto.UserAccountAssociationDTO;
+import org.wso2.carbon.identity.user.account.association.exception.UserAccountAssociationException;
+import org.wso2.carbon.user.core.UserStoreConfigConstants;
+import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
 
 /**
  * This is the abstract class for custom authentication handlers.
@@ -41,6 +47,9 @@
  */
 public abstract class AuthenticationHandler extends AbstractIdentityMessageHandler {
 
+    private static final Log log = LogFactory.getLog(AuthenticationHandler.class);
+    private static final String ASSOCIATED_USER_ID_HEADER = "AssociatedUserId";
+
     public int getPriority(MessageContext messageContext, int defaultValue) {
 
         int priority = super.getPriority(messageContext);
@@ -101,10 +110,127 @@ protected void postAuthenticate(MessageContext messageContext, AuthenticationRes
 
                 if (user.getTenantDomain() != null && user.getTenantDomain().equalsIgnoreCase(PrivilegedCarbonContext
                         .getThreadLocalCarbonContext().getTenantDomain())) {
-                    PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(IdentityUtil.addDomainToName
-                            (user.getUserName(), user.getUserStoreDomain()));
+
+                    String domainAwareUserName = IdentityUtil.addDomainToName(user.getUserName(),
+                            user.getUserStoreDomain());
+                    String associatedUserRequestHeader = authenticationContext.getAuthenticationRequest().
+                            getHeader(ASSOCIATED_USER_ID_HEADER);
+                    if (StringUtils.isNotEmpty(associatedUserRequestHeader)) {
+                        User associatedUser = getAssociatedUser(authenticationResult, associatedUserRequestHeader);
+                        if (associatedUser != null && !isSameUser(user, associatedUser)) {
+                            setAssociatedUserInCarbonContext(user, associatedUser, authenticationResult);
+                            return;
+                        }
+                    }
+                    setUserInCarbonContext(domainAwareUserName);
                 }
             }
         }
     }
+
+    private User getAssociatedUser(AuthenticationResult authenticationResult, String associatedUserRequestHeader) {
+
+        User associatedUser = getUser(associatedUserRequestHeader);
+        if (associatedUser == null) {
+            log.error("Invalid user provided with the header: " + ASSOCIATED_USER_ID_HEADER);
+            setFailedAuthentication(authenticationResult);
+            return null;
+        }
+        return associatedUser;
+    }
+
+    private void setAssociatedUserInCarbonContext(User user, User associatedUser,
+                                                  AuthenticationResult authenticationResult) {
+
+        if (isUsersInSameTenant(user, associatedUser)) {
+            UserAccountConnector userAccountConnector = AuthenticationServiceHolder.getInstance()
+                    .getUserAccountConnector();
+            if (userAccountConnector != null) {
+                try {
+                    UserAccountAssociationDTO[] userAccountAssociations = userAccountConnector
+                            .getAccountAssociationsOfUser(user.toFullQualifiedUsername());
+                    for (UserAccountAssociationDTO userAccountAssociationDTO : userAccountAssociations) {
+                        if (isSameUser(associatedUser, userAccountAssociationDTO)) {
+                            if (log.isDebugEnabled()) {
+                                log.debug("Setting the Associated user: " + associatedUser.toFullQualifiedUsername()
+                                        + ", sent with the header: "  + ASSOCIATED_USER_ID_HEADER + ", in the carbon " +
+                                        "context since it is a valid association of the user: "
+                                        + user.toFullQualifiedUsername());
+                            }
+                            setUserInCarbonContext(MultitenantUtils.getTenantAwareUsername(
+                                    associatedUser.toFullQualifiedUsername()));
+                            return;
+                        }
+                    }
+                    log.error("Associated user: " + associatedUser.toFullQualifiedUsername() + ", sent with the " +
+                            "header: "  + ASSOCIATED_USER_ID_HEADER + ", does not have a valid association with the " +
+                            "user: " + user.toFullQualifiedUsername());
+                    setFailedAuthentication(authenticationResult);
+                } catch (UserAccountAssociationException e) {
+                    log.error("Error while getting account associations of the user: "
+                            + user.toFullQualifiedUsername(), e);
+                    setFailedAuthentication(authenticationResult);
+                }
+            } else {
+                log.error("Unable to get the UserAccountConnector service");
+                setFailedAuthentication(authenticationResult);
+            }
+        } else {
+            log.error("Cannot switch to an Associated user: " + associatedUser.toFullQualifiedUsername() + ", " +
+                    "in a different tenant domain to the authenticated user: " + user.toFullQualifiedUsername());
+            setFailedAuthentication(authenticationResult);
+        }
+    }
+
+    private void setFailedAuthentication(AuthenticationResult authenticationResult) {
+
+        authenticationResult.setAuthenticationStatus(AuthenticationStatus.FAILED);
+    }
+
+    private boolean isUsersInSameTenant(User user, User associatedUser) {
+
+        return associatedUser.getTenantDomain().equals(user.getTenantDomain());
+    }
+
+    private boolean isSameUser(User user, UserAccountAssociationDTO userAccountAssociationDTO) {
+
+        User associatedUser = new User();
+        associatedUser.setTenantDomain(userAccountAssociationDTO.getTenantDomain());
+        associatedUser.setUserStoreDomain(userAccountAssociationDTO.getDomain());
+        associatedUser.setUserName(userAccountAssociationDTO.getUsername());
+        return isSameUser(user, associatedUser);
+    }
+
+    private boolean isSameUser(User firstUser, User secondUser) {
+
+        return firstUser.toFullQualifiedUsername().equals(secondUser.toFullQualifiedUsername());
+    }
+
+    private User getUser(String fullyQualifiedUserName) {
+
+        String realm = UserStoreConfigConstants.PRIMARY;
+        String tenantDomain = MultitenantUtils.getTenantDomain(fullyQualifiedUserName);
+        String username;
+        String[] strComponent = MultitenantUtils.getTenantAwareUsername(fullyQualifiedUserName).split("/");
+
+        if (strComponent.length == 1) {
+            username = strComponent[0];
+        } else if (strComponent.length == 2) {
+            realm = strComponent[0];
+            username = strComponent[1];
+        } else {
+            return null;
+        }
+
+        User user = new User();
+        user.setUserName(username);
+        user.setUserStoreDomain(realm);
+        user.setTenantDomain(tenantDomain);
+        return user;
+    }
+
+    private void setUserInCarbonContext(String domainAwareUserName) {
+
+        PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(domainAwareUserName);
+    }
 }
diff --git a/...n/java/org/wso2/carbon/identity/auth/service/internal/AuthenticationServiceComponent.java b/...n/java/org/wso2/carbon/identity/auth/service/internal/AuthenticationServiceComponent.java
@@ -32,6 +32,7 @@
 import org.wso2.carbon.identity.auth.service.util.AuthConfigurationUtil;
 import org.wso2.carbon.identity.core.handler.HandlerComparator;
 import org.wso2.carbon.identity.core.util.IdentityCoreInitializedEvent;
+import org.wso2.carbon.identity.user.account.association.UserAccountConnector;
 import org.wso2.carbon.user.core.service.RealmService;
 import java.util.Collections;
 import java.util.List;
@@ -110,6 +111,23 @@ protected void removeAuthenticationHandler(AuthenticationHandler authenticationH
         AuthenticationServiceHolder.getInstance().getAuthenticationHandlers().remove(authenticationHandler);
     }
 
+    @Reference(
+            name = "org.wso2.carbon.identity.user.account.association.connector",
+            service = org.wso2.carbon.identity.user.account.association.UserAccountConnector.class,
+            cardinality = ReferenceCardinality.MULTIPLE,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "removeUserAccountConnector")
+    protected void addUserAccountConnector(UserAccountConnector userAccountConnector) {
+        if (log.isDebugEnabled()) {
+            log.debug("UserAccountConnector acquired");
+        }
+        AuthenticationServiceHolder.getInstance().setUserAccountConnector(userAccountConnector);
+    }
+
+    protected void removeUserAccountConnector(UserAccountConnector userAccountConnector) {
+        AuthenticationServiceHolder.getInstance().setUserAccountConnector(null);
+    }
+
     @Reference(
              name = "org.wso2.carbon.identity.auth.service.handler.resource", 
              service = org.wso2.carbon.identity.auth.service.handler.ResourceHandler.class, 

diff --git a/...main/java/org/wso2/carbon/identity/auth/service/internal/AuthenticationServiceHolder.java b/...main/java/org/wso2/carbon/identity/auth/service/internal/AuthenticationServiceHolder.java
@@ -21,6 +21,7 @@
 import org.wso2.carbon.identity.auth.service.handler.AuthenticationHandler;
 import org.wso2.carbon.identity.auth.service.handler.ResourceHandler;
 import org.wso2.carbon.identity.core.handler.MessageHandlerComparator;
+import org.wso2.carbon.identity.user.account.association.UserAccountConnector;
 import org.wso2.carbon.user.core.service.RealmService;
 
 import java.util.ArrayList;
@@ -38,7 +39,7 @@ public class AuthenticationServiceHolder {
     private RealmService realmService = null;
     private List<AuthenticationHandler> authenticationHandlers = new ArrayList<>();
     private List<ResourceHandler> resourceHandlers = new ArrayList<>();
-
+    private UserAccountConnector userAccountConnector = null;
 
     private AuthenticationServiceHolder() {
 
@@ -69,4 +70,14 @@ public List<ResourceHandler> getResourceHandlers() {
     public List<AuthenticationHandler> getAuthenticationHandlers() {
         return authenticationHandlers;
     }
+
+    public UserAccountConnector getUserAccountConnector() {
+
+        return userAccountConnector;
+    }
+
+    public void setUserAccountConnector(UserAccountConnector userAccountConnector) {
+
+        this.userAccountConnector = userAccountConnector;
+    }
 }
diff --git a/pom.xml b/pom.xml
@@ -200,6 +200,12 @@
                 <artifactId>org.wso2.carbon.identity.oauth</artifactId>
                 <version>${org.wso2.carbon.identity.oauth.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.identity.association.account</groupId>
+                <artifactId>org.wso2.carbon.identity.user.account.association</artifactId>
+                <version>${org.wso2.carbon.identity.user.account.association.version}</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.json.wso2</groupId>
                 <artifactId>json</artifactId>
@@ -355,6 +361,11 @@
         <org.wso2.carbon.identity.oauth.import.version.range>[6.2.18, 7.0.0)
         </org.wso2.carbon.identity.oauth.import.version.range>
 
+        <org.wso2.carbon.identity.user.account.association.version>5.3.5
+        </org.wso2.carbon.identity.user.account.association.version>
+        <org.wso2.carbon.identity.user.account.association.import.version.range>[5.3.5, 6.0.0)
+        </org.wso2.carbon.identity.user.account.association.import.version.range>
+
         <!-- OSGi framework component version -->
         <osgi.service.component.imp.pkg.version.range>[1.2.0, 2.0.0)</osgi.service.component.imp.pkg.version.range>
         <osgi.framework.imp.pkg.version.range>[1.7.0, 2.0.0)</osgi.framework.imp.pkg.version.range>