update basic auth to authenticate shared users

AnuradhaSK · AnuradhaSK · commit cc1f3e6cd74e · 2025-05-29T11:10:49.000+05:30
diff --git a/components/org.wso2.carbon.identity.application.authenticator.basicauth/src/main/java/org/wso2/carbon/identity/application/authenticator/basicauth/BasicAuthenticator.java b/components/org.wso2.carbon.identity.application.authenticator.basicauth/src/main/java/org/wso2/carbon/identity/application/authenticator/basicauth/BasicAuthenticator.java
@@ -62,6 +62,9 @@
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.governance.IdentityGovernanceException;
 import org.wso2.carbon.identity.multi.attribute.login.mgt.ResolvedUserResult;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.identity.recovery.RecoveryScenarios;
 import org.wso2.carbon.user.api.UserRealm;
 import org.wso2.carbon.user.core.UserCoreConstants;
@@ -735,8 +738,41 @@ protected void processAuthenticationResponse(HttpServletRequest request,
             if (userId != null) {
                 authenticationResult = userStoreManager.authenticateWithID(userId, password);
             } else {
-                authenticationResult = userStoreManager.authenticateWithID(UserCoreClaimConstants.USERNAME_CLAIM_URI,
-                        tenantAwareUsername, password, UserCoreConstants.DEFAULT_PROFILE);
+                // Check whether the user is a shared user, if yes authenticate from the user resident org.
+                org.wso2.carbon.user.core.common.User user = userStoreManager.getUser(null, tenantAwareUsername);
+                if (user != null) {
+                    String userID = user.getUserID();
+                    boolean sharedUserProfile = isSharedUserProfile(userID, requestTenantDomain);
+                    if (sharedUserProfile) {
+                        // Get user's resident org.
+                        String currentOrganizationId =
+                                BasicAuthenticatorDataHolder.getInstance().getOrganizationManager()
+                                        .resolveOrganizationId(requestTenantDomain);
+                        UserAssociation userAssociation =
+                                BasicAuthenticatorDataHolder.getInstance().getOrganizationUserSharingService()
+                                        .getUserAssociation(userID, currentOrganizationId);
+                        String associationUserResidentOrganizationId = userAssociation.getUserResidentOrganizationId();
+                        String associationUserTenantDomain =
+                                BasicAuthenticatorDataHolder.getInstance().getOrganizationManager()
+                                        .resolveTenantDomain(associationUserResidentOrganizationId);
+                        AbstractUserStoreManager residentOrguserStoreManager =
+                                getUserStoreManager(username, associationUserTenantDomain);
+                        authenticationResult = residentOrguserStoreManager.authenticateWithID(
+                                UserCoreClaimConstants.USERNAME_CLAIM_URI,
+                                tenantAwareUsername, password, UserCoreConstants.DEFAULT_PROFILE);
+                        if (AuthenticationResult.AuthenticationStatus.SUCCESS == authenticationResult.getAuthenticationStatus()) {
+                            authenticationResult.setAuthenticatedUser(user);
+                        }
+                    } else {
+                        authenticationResult =
+                                userStoreManager.authenticateWithID(UserCoreClaimConstants.USERNAME_CLAIM_URI,
+                                        tenantAwareUsername, password, UserCoreConstants.DEFAULT_PROFILE);
+                    }
+                } else {
+                    authenticationResult =
+                            userStoreManager.authenticateWithID(UserCoreClaimConstants.USERNAME_CLAIM_URI,
+                                    tenantAwareUsername, password, UserCoreConstants.DEFAULT_PROFILE);
+                }
             }
             if (AuthenticationResult.AuthenticationStatus.SUCCESS == authenticationResult.getAuthenticationStatus()
                     && authenticationResult.getAuthenticatedUser().isPresent()) {
@@ -825,6 +861,8 @@ protected void processAuthenticationResponse(HttpServletRequest request,
                         ErrorMessages.USER_STORE_EXCEPTION_WHILE_TRYING_TO_AUTHENTICATE.getCode(), e.getMessage(),
                         e);
             }
+        } catch (OrganizationManagementException e) {
+            throw new AuthenticationFailedException("Error while resolving organization", e);
         } finally {
             clearUserExistThreadLocal();
         }
@@ -1323,4 +1361,32 @@ public String getI18nKey() {
         return AUTHENTICATOR_BASIC;
     }
 
+    private static boolean isSharedUserProfile(String userID, String currentTenantDomain)
+            throws UserStoreClientException {
+
+        String currentOrganizationId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getOrganizationId();
+        try {
+            if (!OrganizationManagementUtil.isOrganization(currentTenantDomain)) {
+                // There is no shared users in root organizations. Hence, return false.
+                return false;
+            }
+            if (StringUtils.isBlank(currentOrganizationId)) {
+                currentOrganizationId = BasicAuthenticatorDataHolder.getInstance().getOrganizationManager()
+                        .resolveOrganizationId(currentTenantDomain);
+            }
+            UserAssociation userAssociation =
+                    BasicAuthenticatorDataHolder.getInstance().getOrganizationUserSharingService()
+                            .getUserAssociation(userID, currentOrganizationId);
+            if (userAssociation == null) {
+                // User is not a shared user. Hence, return false.
+                return false;
+            }
+        } catch (OrganizationManagementException e) {
+            throw new UserStoreClientException(
+                    "Error while checking the user association of the user: " + userID + " with the organization: " +
+                            currentOrganizationId, e);
+        }
+        return true;
+    }
+
 }
diff --git a/components/org.wso2.carbon.identity.application.authenticator.basicauth/src/main/java/org/wso2/carbon/identity/application/authenticator/basicauth/internal/BasicAuthenticatorDataHolder.java b/components/org.wso2.carbon.identity.application.authenticator.basicauth/src/main/java/org/wso2/carbon/identity/application/authenticator/basicauth/internal/BasicAuthenticatorDataHolder.java
@@ -21,6 +21,8 @@
 import org.wso2.carbon.identity.configuration.mgt.core.ConfigurationManager;
 import org.wso2.carbon.identity.governance.IdentityGovernanceService;
 import org.wso2.carbon.identity.multi.attribute.login.mgt.MultiAttributeLoginService;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
 
 import java.util.Properties;
 
@@ -35,6 +37,8 @@ public class BasicAuthenticatorDataHolder {
     private MultiAttributeLoginService multiAttributeLogin;
     private Properties recaptchaConfigs;
     private ConfigurationManager configurationManager = null;
+    private OrganizationUserSharingService organizationUserSharingService;
+    private OrganizationManager organizationManager;
 
     private BasicAuthenticatorDataHolder() {
 
@@ -79,4 +83,24 @@ public ConfigurationManager getConfigurationManager() {
 
         return configurationManager;
     }
+
+    public OrganizationManager getOrganizationManager() {
+
+        return organizationManager;
+    }
+
+    public void setOrganizationManager(OrganizationManager organizationManager) {
+
+        this.organizationManager = organizationManager;
+    }
+
+    public void setOrganizationUserSharingService(OrganizationUserSharingService organizationUserSharingService) {
+
+        this.organizationUserSharingService = organizationUserSharingService;
+    }
+
+    public OrganizationUserSharingService getOrganizationUserSharingService() {
+
+        return organizationUserSharingService;
+    }
 }
diff --git a/components/org.wso2.carbon.identity.application.authenticator.basicauth/src/main/java/org/wso2/carbon/identity/application/authenticator/basicauth/internal/BasicAuthenticatorServiceComponent.java b/components/org.wso2.carbon.identity.application.authenticator.basicauth/src/main/java/org/wso2/carbon/identity/application/authenticator/basicauth/internal/BasicAuthenticatorServiceComponent.java
@@ -36,6 +36,8 @@
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.governance.IdentityGovernanceService;
 import org.wso2.carbon.identity.multi.attribute.login.mgt.MultiAttributeLoginService;
+import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
+import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
 import org.wso2.carbon.identity.user.registration.engine.graph.Executor;
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.securevault.SecretResolver;
@@ -169,6 +171,43 @@ protected void unregisterConfigurationManager(ConfigurationManager configuration
         BasicAuthenticatorDataHolder.getInstance().setConfigurationManager(null);
     }
 
+    @Reference(
+            name = "organization.user.sharing.service",
+            service = OrganizationUserSharingService.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetOrganizationUserAssociationService")
+    protected void setOrganizationUserSharingService(OrganizationUserSharingService organizationUserSharingService) {
+
+        BasicAuthenticatorDataHolder.getInstance().setOrganizationUserSharingService(organizationUserSharingService);
+        log.debug("Set organization user association service.");
+    }
+
+    protected void unsetOrganizationUserAssociationService(
+            OrganizationUserSharingService organizationUserSharingService) {
+
+        BasicAuthenticatorDataHolder.getInstance().setOrganizationUserSharingService(null);
+        log.debug("Unset organization user association Service.");
+    }
+
+    @Reference(
+            name = "organization.management.service",
+            service = OrganizationManager.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetOrganizationManagementService")
+    protected void setOrganizationManagementService(OrganizationManager organizationManager) {
+
+        BasicAuthenticatorDataHolder.getInstance().setOrganizationManager(organizationManager);
+        log.debug("Set Organization Management Service");
+    }
+
+    protected void unsetOrganizationManagementService(OrganizationManager organizationManager) {
+
+        BasicAuthenticatorDataHolder.getInstance().setOrganizationManager(null);
+        log.debug("Unset Organization Management Service");
+    }
+
     /**
      * Read the captcha-config.properties file located in repository/conf/identity directory and set the
      * configurations required to enable recaptcha in the Data holder.
