Merge pull request #12316 from Lakith-Rambukkanage/vMaster-DCR-fix

Fix DCR endpoint issue with same app name for different user
wso2 · Mar 19, 2024 · 057cb61 · 057cb61
2 parents cdba80d + b9dfa8d
commit 057cb61
Showing 1 changed file with 19 additions and 15 deletions.
diff --git a/...r/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java b/...r/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java
@@ -110,8 +110,7 @@ public Response register(RegistrationProfile profile) {
             String owner = profile.getOwner();
             String authUserName = RestApiCommonUtil.getLoggedInUsername();
 
-            //If user is in a secondory userstore, update the owner of the application with
-            //correct domain
+            //If user is in a secondary user store, update the owner of the application with the correct domain
             if (owner != null && authUserName != null) {
                 int index = authUserName.indexOf(UserCoreConstants.DOMAIN_SEPARATOR);
                 int ownerIndex = owner.indexOf(UserCoreConstants.DOMAIN_SEPARATOR);
@@ -128,7 +127,7 @@ public Response register(RegistrationProfile profile) {
                 }
             }
 
-            //Validates if the application owner and logged in username is same.
+            //Validates if the app owner in payload and auth-user username is same or is auth-user a super admin
             if (authUserName != null && ((authUserName.equals(owner))|| isUserSuperAdmin(authUserName))) {
                 //Getting client credentials from the profile
                 String grantTypes = profile.getGrantType();
@@ -156,19 +155,11 @@ public Response register(RegistrationProfile profile) {
                 oauthApplicationInfo.setIsSaasApplication(profile.isSaasApp());
                 oauthApplicationInfo.setTokenType(tokenType);
                 appRequest.setOAuthApplicationInfo(oauthApplicationInfo);
-                if (!authUserName.equals(owner)){
+                if (!authUserName.equals(owner)) {
                     loggedInUserTenantDomain = MultitenantUtils.getTenantDomain(owner);
-                }else{
+                } else {
                     loggedInUserTenantDomain = RestApiCommonUtil.getLoggedInUserTenantDomain();
                 }
-                String userId = (String) oauthApplicationInfo.getParameter(OAUTH_CLIENT_USERNAME);
-                String userNameForSP = MultitenantUtils.getTenantAwareUsername(userId);
-                // Replace domain separator by "_" if user is coming from a secondary userstore.
-                String domain = UserCoreUtil.extractDomainFromName(userNameForSP);
-                if (domain != null && !domain.isEmpty() && !UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME.equals
-                        (domain)) {
-                    userNameForSP = userNameForSP.replace(UserCoreConstants.DOMAIN_SEPARATOR, "_");
-                }
                 applicationName = profile.getClientName();
 
                 ApplicationManagementService applicationManagementService =
@@ -202,11 +193,22 @@ public Response register(RegistrationProfile profile) {
                             (RestApiConstants.STATUS_BAD_REQUEST_MESSAGE_DEFAULT, 500L, errorMsg);
                     response = Response.status(Response.Status.INTERNAL_SERVER_ERROR).
                             entity(errorDTO).build();
-                } else {
+                } else if (authUserName.equals(returnedAPP.getAppOwner())
+                        || (isUserSuperAdmin(authUserName) && owner.equals(returnedAPP.getAppOwner()))) {
+                    // Permit only if (auth user is the app owner)
+                    // or (auth user is super admin and payload.owner is same as app owner)
                     if (log.isDebugEnabled()) {
                         log.debug("OAuth app " + profile.getClientName() + " creation successful.");
                     }
                     response = Response.status(Response.Status.OK).entity(returnedAPP).build();
+                } else {
+                    String errMsg = "Access is forbidden to the application";
+                    if (log.isDebugEnabled()) {
+                        log.debug("OAuth app owner: " + returnedAPP.getAppOwner() + " is different from payload " +
+                                "owner: " + owner + " and " + errMsg);
+                    }
+                    errorDTO = RestApiUtil.getErrorDTO(RestApiConstants.STATUS_FORBIDDEN_MESSAGE_DEFAULT, 403L, errMsg);
+                    response = Response.status(Response.Status.FORBIDDEN).entity(errorDTO).build();
                 }
             } else {
                 String errorMsg = "Logged in user '" + authUserName + "' and application owner '" +
@@ -275,9 +277,11 @@ private OAuthApplicationInfo getExistingApp(String applicationName, boolean saas
     /**
      * Create a new client application
      *
+     * @param applicationName application name
      * @param appRequest OAuthAppRequest object with client's payload content
+     * @param grantType grant type
      * @return created Application
-     * @throws APIManagementException if failed to create the new application
+     * @throws APIManagementException if failed to create a new application
      */
     private OAuthApplicationInfo createApplication(String applicationName, OAuthAppRequest appRequest, String grantType,
             boolean setUserStoreDomainInSubject) throws APIManagementException {