From 631f9f2127aebcac5edc5b900d09a76b94d22a1a Mon Sep 17 00:00:00 2001
From: Malith-19
Date: Tue, 7 Jan 2025 12:11:57 +0530
Subject: [PATCH 1/2] Fix the tenant issue in token revoke flow.
---
 .../main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
index f70c6f8bfa..c462147b13 100755
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
@@ -1039,7 +1039,8 @@ public static boolean revokeTokens(String username, UserStoreManager userStoreMa
 .getTokenManagementDAO().getAllTimeAuthorizedClientIds(authenticatedUser);
 if (role != null && RoleConstants.ORGANIZATION.equals(role.getAudience())) {
- clientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds), tenantDomain);
+ clientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds),
+ authenticatedUser.getTenantDomain());
 }
 } catch (IdentityOAuth2Exception e) {
From ab837148f30d9b224e057f9c88bb9a8f803b472b Mon Sep 17 00:00:00 2001
From: Malith-19
Date: Tue, 7 Jan 2025 16:33:47 +0530
Subject: [PATCH 2/2] Add unit test for organization org role token revoke.
---
 .../carbon/identity/oauth/OAuthUtilTest.java | 75 +++++++++++++++++++
 1 file changed, 75 insertions(+)
diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/OAuthUtilTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/OAuthUtilTest.java
index f6e982060a..a8c894b6b1 100644
--- a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/OAuthUtilTest.java
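Review bot: The new call passes `authenticatedUser.getTenantDomain()` to `filterClientIdsWithOrganizationAudience`, but nothing in the hunk shows that the authenticated user's tenant domain is always populated at this point; if it can be null or empty for some callers, the filter would now run against a null tenant where it previously received the method-scoped `tenantDomain`, and organization-audience client IDs could be dropped, leaving their tokens unrevoked. The reason for preferring the user's tenant over the local `tenantDomain` is not stated anywhere in the code, so a one-line comment above the call would help, e.g. `// Resolve org-audience apps in the user's own tenant, which may differ from tenantDomain for org users.`, and a guard such as falling back to `tenantDomain` when the user's value is blank is worth considering if that case is reachable. The `revokeTokens` method starts and ends outside the hunk, so how `authenticatedUser` and `tenantDomain` are derived cannot be confirmed from here.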
+++ b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/OAuthUtilTest.java @@ -41,6 +41,7 @@ import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder; import org.wso2.carbon.identity.oauth2.dao.AccessTokenDAO; import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory; +import org.wso2.carbon.identity.oauth2.dao.TokenManagementDAO; import org.wso2.carbon.identity.oauth2.model.AccessTokenDO; import org.wso2.carbon.identity.oauth2.util.OAuth2Util; import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil; 
@@ -291,6 +292,80 @@ public void testRevokeTokensForApplicationAudienceRoles() throws Exception {
 assertTrue(result, "Token revocation failed.");
 }
+ @Test
+ public void testRevokeTokensForOrganizationAudienceRoles() throws Exception {
+
+ String username = "testUser";
+ String roleId = "testRoleId";
+ String roleName = "testRole";
+ String appId = "testAppId";
+ String clientId = "testClientId";
+ String accessToken = "testAccessToken";
+
+ UserStoreManager userStoreManager = mock(UserStoreManager.class);
+ when(userStoreManager.getTenantId()).thenReturn(-1234);
+ when(userStoreManager.getRealmConfiguration()).thenReturn(mock(RealmConfiguration.class));
+ when(userStoreManager.getRealmConfiguration().getUserStoreProperty(anyString())).thenReturn("PRIMARY");
+
+ when(OrganizationManagementUtil.isOrganization(anyString())).thenReturn(false);
+ when(OAuth2Util.getTenantId(anyString())).thenReturn(-1234);
+
+ OAuthComponentServiceHolder mockOAuthComponentServiceHolder = mock(OAuthComponentServiceHolder.class);
+ when(OAuthComponentServiceHolder.getInstance()).thenReturn(mockOAuthComponentServiceHolder);
+
+ when(mockOAuthComponentServiceHolder.getRoleV2ManagementService()).thenReturn(roleManagementService);
+ RoleBasicInfo roleBasicInfo = new RoleBasicInfo();
+ roleBasicInfo.setId(roleId);
+ roleBasicInfo.setAudience(RoleConstants.ORGANIZATION);
+ roleBasicInfo.setAudienceId(appId);
+ roleBasicInfo.setName(roleName);
+ when(roleManagementService.getRoleBasicInfoById(roleId, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME))
+ .thenReturn(roleBasicInfo);
+
+ when(mockOAuthComponentServiceHolder.getApplicationManagementService())
+ .thenReturn(applicationManagementService);
+ ServiceProvider serviceProvider = new ServiceProvider();
+ InboundAuthenticationConfig inboundAuthenticationConfig = new InboundAuthenticationConfig();
+ InboundAuthenticationRequestConfig[] inboundAuthenticationRequestConfigs =
+ new InboundAuthenticationRequestConfig[1];
+ InboundAuthenticationRequestConfig inboundAuthenticationRequestConfig =
+ new InboundAuthenticationRequestConfig();
+ inboundAuthenticationRequestConfig.setInboundAuthKey(clientId);
+ inboundAuthenticationRequestConfig.setInboundAuthType(ApplicationConstants.StandardInboundProtocols.OAUTH2);
+ inboundAuthenticationRequestConfigs[0] = inboundAuthenticationRequestConfig;
+ inboundAuthenticationConfig.setInboundAuthenticationRequestConfigs(inboundAuthenticationRequestConfigs);
+ serviceProvider.setInboundAuthenticationConfig(inboundAuthenticationConfig);
+ when(applicationManagementService.getApplicationByResourceId(
+ appId, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)).thenReturn(serviceProvider);
+ when(applicationManagementService.getApplicationResourceIDByInboundKey(anyString(), anyString(), anyString())).
+ thenReturn(appId);
+ when(applicationManagementService.getAllowedAudienceForRoleAssociation(anyString(), anyString())).
+ thenReturn(RoleConstants.ORGANIZATION);
+ OAuthTokenPersistenceFactory mockOAuthTokenPersistenceFactory = mock(OAuthTokenPersistenceFactory.class);
+ when(OAuthTokenPersistenceFactory.getInstance()).thenReturn(mockOAuthTokenPersistenceFactory);
+ AccessTokenDAO mockAccessTokenDAO = mock(AccessTokenDAO.class);
+ when(mockOAuthTokenPersistenceFactory.getAccessTokenDAO()).thenReturn(mockAccessTokenDAO);
+ Set accessTokens = new HashSet<>();
+ AccessTokenDO accessTokenDO = new AccessTokenDO();
+ accessTokenDO.setAccessToken(accessToken);
+ accessTokenDO.setConsumerKey(clientId);
+ accessTokenDO.setScope(new String[]{"default"});
+ accessTokenDO.setAuthzUser(new AuthenticatedUser());
+ accessTokens.add(accessTokenDO);
+ when(mockAccessTokenDAO.getAccessTokens(anyString(),
+ any(AuthenticatedUser.class), nullable(String.class), anyBoolean())).thenReturn(accessTokens);
+
+ TokenManagementDAO mockTokenManagementDao = mock(TokenManagementDAO.class);
+ when(mockOAuthTokenPersistenceFactory.getTokenManagementDAO()).thenReturn(mockTokenManagementDao);
+ Set clientIds = new HashSet<>();
+ clientIds.add(clientId);
+ when(mockTokenManagementDao.getAllTimeAuthorizedClientIds(any())).thenReturn(clientIds);
+
+ boolean result = OAuthUtil.revokeTokens(username, userStoreManager, roleId);
+ verify(mockAccessTokenDAO, times(1)).revokeAccessTokens(any(), anyBoolean());
+ assertTrue(result, "Token revocation failed.");
+ }
+
 private OAuthCache getOAuthCache(OAuthCacheKey oAuthCacheKey) {