Merge pull request #12670 from chamilaadhi/org_visibility

Provide config to set claim to select the organization info

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/OrganizationInfo.java

@@ -23,6 +23,7 @@ public class OrganizationInfo {
     String superOrganization;
     String name;
     String id;
+    String organizationSelector;
     OrganizationInfo parentOrganization;
     OrganizationInfo[] childOrganizations;
 
@@ -56,4 +57,10 @@ public OrganizationInfo[] getChildOrganizations() {
     public void setChildOrganizations(OrganizationInfo[] childOrganizations) {
         this.childOrganizations = childOrganizations;
     }
+    public String getOrganizationSelector() {
+        return organizationSelector;
+    }
+    public void setOrganizationSelector(String organizationSelector) {
+        this.organizationSelector = organizationSelector;
+    }
 }

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java

@@ -3182,4 +3182,7 @@ public static class TokenValidationConstants {
     // For Organization access control Configuration
     public static final String ORG_BASED_ACCESS_CONTROL = "OrganizationBasedAccessControl";
     public static final String ORG_BASED_ACCESS_CONTROL_ENABLE = "Enable";
+    public static final String ORG_BASED_ACCESS_CONTROL_ORG_NAME_CLAIM = "OrganizationNameLocalClaim";
+    public static final String ORG_BASED_ACCESS_CONTROL_ORG_ID_CLAIM = "OrganizationIDLocalClaim";
+    public static final String ORG_BASED_ACCESS_CONTROL_SELECTOR_CLAIM = "OrgaizationSelectorLocalClaim";
 }

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConsumerImpl.java

@@ -3849,10 +3849,10 @@ public Map<String, Object> searchPaginatedAPIs(String searchQuery, OrganizationI
         String userName = (userNameWithoutChange != null) ? userNameWithoutChange : username;
         String[] roles = APIUtil.getListOfRoles(userName);
         Map<String, Object> properties = APIUtil.getUserProperties(userName);
-		UserContext userCtx = new UserContext(userNameWithoutChange, new Organization(organizationInfo.getName()),
-				properties, roles);
-    	
-    	return searchPaginatedAPIs(searchQuery, start, end, org, userCtx);
+        UserContext userCtx = new UserContext(userNameWithoutChange,
+                new Organization(organizationInfo.getOrganizationSelector()), properties, roles);
+
+        return searchPaginatedAPIs(searchQuery, start, end, org, userCtx);
     }
 
 	private Map<String, Object> searchPaginatedAPIs(String searchQuery, int start, int end, Organization org,

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java

@@ -685,6 +685,22 @@ private void setOrgBasedAccessControlConfigs(OMElement element) {
             orgAccessControl.setEnabled(Boolean.parseBoolean(orgEnableElement.getText()));
         }
 
+        OMElement orgSelectorElement =
+                element.getFirstChildWithName(new QName(APIConstants.ORG_BASED_ACCESS_CONTROL_SELECTOR_CLAIM));
+        if (orgSelectorElement != null) {
+            orgAccessControl.setOrgSelectorClaim(orgSelectorElement.getText());
+        }
+        OMElement orgNameElement =
+                element.getFirstChildWithName(new QName(APIConstants.ORG_BASED_ACCESS_CONTROL_ORG_NAME_CLAIM));
+        if (orgNameElement != null) {
+            orgAccessControl.setOrgNameLocalClaim(orgNameElement.getText());;
+        }
+        OMElement orgIdElement =
+                element.getFirstChildWithName(new QName(APIConstants.ORG_BASED_ACCESS_CONTROL_ORG_ID_CLAIM));
+        if (orgIdElement != null) {
+            orgAccessControl.setOrgIdLocalClaim(orgIdElement.getText());
+        }
+
     }
 
     public JSONObject getSubscriberAttributes() {

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dto/OrgAccessControl.java

@@ -22,6 +22,7 @@ public class OrgAccessControl {
     private boolean isEnabled;
     private String orgNameLocalClaim;
     private String orgIdLocalClaim;
+    private String orgselectorClaim;
     public boolean isEnabled() {
         return isEnabled;
     }
@@ -40,4 +41,10 @@ public String getOrgIdLocalClaim() {
     public void setOrgIdLocalClaim(String orgIdLocalClaim) {
         this.orgIdLocalClaim = orgIdLocalClaim;
     }
+    public String getOrgSelectorClaim() {
+        return orgselectorClaim;
+    }
+    public void setOrgSelectorClaim(String orgselectorClaim) {
+        this.orgselectorClaim = orgselectorClaim;
+    }
 }

components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/impl/ApisApiServiceImpl.java

@@ -1178,7 +1178,7 @@ private APIDTO getAPIByAPIId(String apiId, String organization, OrganizationInfo
                 if (!api.isAPIProduct()) {
                     // Add only organization specific tiers
                     Set<Tier> tiers = APIUtil.getAllowedTiersForTheOrganization(api.getApi().getAvailableTiers(),
-                            userOrgInfo.getName(), userOrgInfo.getSuperOrganization());
+                            userOrgInfo.getOrganizationSelector(), userOrgInfo.getSuperOrganization());
                     api.getApi().removeAllTiers();
                     api.getApi().setAvailableTiers(tiers);
                 }

components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/impl/ApplicationsApiServiceImpl.java

@@ -143,7 +143,7 @@ public Response applicationsGet(String groupId, String query, String sortBy, Str
             APIConsumer apiConsumer = RestApiCommonUtil.getConsumer(username);
             Subscriber subscriber = new Subscriber(username);
             Application[] applications;
-            String sharedOrganization = orgInfo.getName();
+            String sharedOrganization = orgInfo.getOrganizationSelector();
             applications = apiConsumer
                     .getApplicationsWithPagination(new Subscriber(username), groupId, offset, limit, query, sortBy,
                             sortOrder, organization, sharedOrganization);
@@ -254,9 +254,9 @@ public Response applicationsGet(String groupId, String query, String sortBy, Str
                 int appId = APIUtil.getApplicationId(applicationDTO.getName(), ownerId);
                 Application oldApplication = apiConsumer.getApplicationById(appId);
                 application = preProcessAndUpdateApplication(ownerId, applicationDTO, oldApplication,
-                        oldApplication.getUUID(), orgInfo.getName());
+                        oldApplication.getUUID(), orgInfo.getOrganizationSelector());
             } else {
-                application = preProcessAndAddApplication(ownerId, applicationDTO, organization, orgInfo.getName());
+                application = preProcessAndAddApplication(ownerId, applicationDTO, organization, orgInfo.getOrganizationSelector());
                 update = Boolean.FALSE;
             }
 
@@ -329,7 +329,8 @@ public Response applicationsPost(ApplicationDTO body, MessageContext messageCont
 
             String organization = RestApiUtil.getValidatedOrganization(messageContext);
             OrganizationInfo orgInfo = RestApiUtil.getOrganizationInfo(messageContext);
-            Application createdApplication = preProcessAndAddApplication(username, body, organization, orgInfo.getName());
+            Application createdApplication = preProcessAndAddApplication(username, body, organization,
+                    orgInfo.getOrganizationSelector());
             ApplicationDTO createdApplicationDTO = ApplicationMappingUtil.fromApplicationtoDTO(createdApplication);
 
             //to be set as the Location header
@@ -432,8 +433,9 @@ public Response applicationsApplicationIdGet(String applicationId, String ifNone
                     }
                 }
                 application.setApplicationAttributes(applicationAttributes);
-                if (RestAPIStoreUtils.isUserAccessAllowedForApplication(application) || (orgInfo.getName() != null
-                        && orgInfo.getName().equals(application.getSharedOrganization()))) {
+                if (RestAPIStoreUtils.isUserAccessAllowedForApplication(application)
+                        || (orgInfo.getOrganizationSelector() != null
+                                && orgInfo.getOrganizationSelector().equals(application.getSharedOrganization()))) {
                     ApplicationDTO applicationDTO = ApplicationMappingUtil.fromApplicationtoDTO(application);
                     applicationDTO.setHashEnabled(OAuthServerConfiguration.getInstance().isClientSecretHashEnabled());
                     Set<Scope> scopes = apiConsumer
@@ -484,7 +486,7 @@ public Response applicationsApplicationIdPut(String applicationId, ApplicationDT
             }
             OrganizationInfo orgInfo = RestApiUtil.getOrganizationInfo(messageContext);
             Application updatedApplication = preProcessAndUpdateApplication(username, body, oldApplication,
-                    applicationId, orgInfo.getName());
+                    applicationId, orgInfo.getOrganizationSelector());
             ApplicationDTO updatedApplicationDTO = ApplicationMappingUtil.fromApplicationtoDTO(updatedApplication);
             return Response.ok().entity(updatedApplicationDTO).build();
 
@@ -929,8 +931,8 @@ private Set<APIKey> getApplicationKeys(String applicationUUID, String tenantDoma
             Application application = apiConsumer.getLightweightApplicationByUUID(applicationUUID);
             if (application != null) {
                 if (RestAPIStoreUtils.isUserAccessAllowedForApplication(application)
-                        || (orgInfo != null && orgInfo.getName() != null
-                                && orgInfo.getName().equals(application.getSharedOrganization()))) {
+                        || (orgInfo != null && orgInfo.getOrganizationSelector() != null
+                                && orgInfo.getOrganizationSelector().equals(application.getSharedOrganization()))) {
                     return apiConsumer.getApplicationKeysOfApplication(application.getId(), tenantDomain);
                 } else {
                     RestApiUtil.handleAuthorizationFailure(RestApiConstants.RESOURCE_APPLICATION, applicationUUID, log);

components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/utils/APIUtils.java

@@ -206,7 +206,7 @@ public static List<KeyManagerConfigurationDTO> filterAllowedKeyManagersForOrgani
             List<KeyManagerConfigurationDTO> keymanagerConfigs, OrganizationInfo orgInfo) {
 
         List<KeyManagerConfigurationDTO> allowedList = new ArrayList<KeyManagerConfigurationDTO>();
-        String organization = orgInfo.getName();
+        String organization = orgInfo.getOrganizationSelector();
         for (KeyManagerConfigurationDTO keyManagerConfigurationDTO : keymanagerConfigs) {
             List<String> allowedOrgs = keyManagerConfigurationDTO.getAllowedOrganizations();
             // Add to allowedList if no organizations are restricted or if the organization is allowed

components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthOpaqueAuthenticatorImpl.java

@@ -258,6 +258,7 @@ public OrganizationInfo getOrganizationInfo(String tenantDomain, String username
                 getAPIManagerConfigurationService().getAPIManagerConfiguration();
         String orgNameClaim = config.getOrgAccessControl().getOrgNameLocalClaim();
         String orgIdClaim = config.getOrgAccessControl().getOrgIdLocalClaim();
+        String orgSelectorClaim = config.getOrgAccessControl().getOrgSelectorClaim();
         if (StringUtils.isBlank(orgNameClaim)) {
             orgNameClaim = "http://wso2.org/claims/organization";
         }
@@ -267,6 +268,7 @@ public OrganizationInfo getOrganizationInfo(String tenantDomain, String username
 
         String organization = null;
         String organizationId = null;
+        String orgSelector = null;
         String[] groupIdArray = null;
         try {
             if (tenantDomain.equals(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)) {
@@ -288,6 +290,12 @@ public OrganizationInfo getOrganizationInfo(String tenantDomain, String username
                     manager.getUserClaimValue(MultitenantUtils.getTenantAwareUsername(username), orgNameClaim, null);
             organizationId =
                     manager.getUserClaimValue(MultitenantUtils.getTenantAwareUsername(username), orgIdClaim, null);
+            if (StringUtils.isBlank(orgSelectorClaim)) {
+                orgSelector = organization; // default selector will be organization name
+            } else {
+                orgSelector = manager.getUserClaimValue(MultitenantUtils.getTenantAwareUsername(username),
+                        orgSelectorClaim, null);
+            }
             if (organization != null) {
                 if (organization.contains(",")) {
                     groupIdArray = organization.split(",");
@@ -299,6 +307,7 @@ public OrganizationInfo getOrganizationInfo(String tenantDomain, String username
                     groupIdArray = new String[] {organization};
                     orgInfo.setName(organization); // check for multiple orgs
                     orgInfo.setId(organizationId);
+                    orgInfo.setOrganizationSelector(orgSelector);
                 }
             } else {
                 // If claim is null then returning a empty string

features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2

@@ -108,6 +108,7 @@
         <Enable>{{apim.organization_based_access_control.enable}}</Enable>
         <OrganizationNameLocalClaim>{{apim.organization_based_access_control.organization_name_local_claim}}</OrganizationNameLocalClaim>
         <OrganizationIDLocalClaim>{{apim.organization_based_access_control.organization_id_local_claim}}</OrganizationIDLocalClaim>
+        <OrgaizationSelectorLocalClaim>{{apim.organization_based_access_control.organization_selector_local_claim}}</OrgaizationSelectorLocalClaim>
     </OrganizationBasedAccessControl>
     {% endif %}