Add capability to validate legacy permissions for certain apis

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/impl/TomcatCookieAuthenticationHandler.java

@@ -37,8 +37,8 @@
 import javax.servlet.http.Cookie;
 
 import static org.apache.commons.lang.StringUtils.isNotBlank;
-import static org.wso2.carbon.identity.auth.service.util.Constants.COOKIE_AUTH_HEADER;
 import static org.wso2.carbon.identity.auth.service.util.Constants.JSESSIONID;
+import static org.wso2.carbon.identity.auth.service.util.Constants.VALIDATE_LEGACY_PERMISSIONS;
 
 /**
  * This handler is used to authenticate the rest APIs based on the set-cookie obtained from the AuthenticationAdmin
@@ -47,6 +47,7 @@
 public class TomcatCookieAuthenticationHandler extends AuthenticationHandler {
 
     private static final Log log = LogFactory.getLog(TomcatCookieAuthenticationHandler.class);
+    private static final String FILE_UPLOAD_API = "/fileupload/";
 
     @Override
     public String getName() {
@@ -96,6 +97,16 @@ protected AuthenticationResult doAuthenticate(MessageContext messageContext) {
                     if (log.isDebugEnabled()) {
                         log.debug("Tomcat Cookie Authentication success.");
                     }
+                    /*
+                    TomcatCookieAuthenticationHandler is generally used to authenticate requests coming from Carbon
+                    Management Console. In some cases, we need to validate the legacy permissions for the requests
+                    coming from the Carbon Management Console.
+                    Ex: the /fileupload/ is a rest api that is used only in the carbon management console and it
+                    requires the legacy permission validation.
+                     */
+                    if (requireLegacyPermissionValidation(authenticationContext)) {
+                        authenticationContext.addParameter(VALIDATE_LEGACY_PERMISSIONS, true);
+                    }
                 }
             }
         }
@@ -132,4 +143,10 @@ private boolean servletRequestExists(AuthenticationContext authenticationContext
                 .MC_HTTP_SERVLETREQUEST);
         return request != null && request instanceof Request;
     }
+
+    private boolean requireLegacyPermissionValidation(AuthenticationContext authenticationContext) {
+
+        String uri = authenticationContext.getAuthenticationRequest().getRequestUri();
+        return StringUtils.contains(uri, FILE_UPLOAD_API);
+    }
 }

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/Constants.java

@@ -56,4 +56,5 @@ public class Constants {
     public static final String ENABLE_BASIC_AUTH_HANDLER_CONFIG = "EnableBasicAuthHandler";
     public static final String RESOURCE_ACCESS_CONTROL_V2_FILE = "resource-access-control-v2.xml";
     public static final String AUTHENTICATION_TYPE = "authenticationType";
+    public final static String VALIDATE_LEGACY_PERMISSIONS = "validateLegacyPermissions";
 }

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java

@@ -45,6 +45,7 @@
 
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_ALLOWED_SCOPES;
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_VALIDATE_SCOPE;
+import static org.wso2.carbon.identity.auth.service.util.Constants.VALIDATE_LEGACY_PERMISSIONS;
 
 /**
  * AuthorizationHandler can be extended to handle the user permissions.
@@ -74,6 +75,8 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
                     (String[]) authorizationContext.getParameter(OAUTH2_ALLOWED_SCOPES);
             boolean validateScope = authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPE) == null ? false :
                     (Boolean) authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPE);
+            boolean validateLegacyPermissions = authorizationContext.getParameter(VALIDATE_LEGACY_PERMISSIONS) == null ?
+                    false : (Boolean) authorizationContext.getParameter(VALIDATE_LEGACY_PERMISSIONS);
             RealmService realmService = AuthorizationServiceHolder.getInstance().getRealmService();
             UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId);
 
@@ -84,6 +87,20 @@ public AuthorizationResult handleAuthorization(AuthorizationContext authorizatio
                 if (StringUtils.isNotBlank(permissionString) || authorizationContext.getRequiredScopes().size() == 0) {
                     validatePermissions(authorizationResult, user, permissionString, tenantUserRealm);
                 }
+            } else if (validateLegacyPermissions && StringUtils.isNotBlank(permissionString)) {
+                /*
+                In some cases, we need to validate the legacy permissions.
+                Ex: the /fileupload/ is a rest api that is used only in the carbon management console and it
+                requires the legacy permission validation.
+                Authenticators will mark when legacy permission validation is required by setting a parameter in the
+                context. Ex: TomcatCookieAuthenticationHandler which generally authenticates requests coming from the
+                Carbon Management Console.
+                 */
+                if (log.isDebugEnabled()) {
+                    log.debug("Legacy permission validation is engaged for context : " +
+                            authorizationContext.getContext());
+                }
+                validatePermissions(authorizationResult, user, permissionString, tenantUserRealm);
             } else {
                 AuthenticatedUser authenticatedUser = new AuthenticatedUser(user);
                 String userId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserId();

components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java

@@ -59,6 +59,7 @@
 import static org.wso2.carbon.identity.auth.service.util.Constants.ENGAGED_AUTH_HANDLER;
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_ALLOWED_SCOPES;
 import static org.wso2.carbon.identity.auth.service.util.Constants.OAUTH2_VALIDATE_SCOPE;
+import static org.wso2.carbon.identity.auth.service.util.Constants.VALIDATE_LEGACY_PERMISSIONS;
 
 /**
  * AuthenticationValve can be used to intercept any request.
@@ -153,6 +154,8 @@ public void invoke(Request request, Response response) throws IOException, Servl
                 authorizationContext.setUser(authenticationContext.getUser());
                 authorizationContext.addParameter(OAUTH2_ALLOWED_SCOPES, authenticationContext.getParameter(OAUTH2_ALLOWED_SCOPES));
                 authorizationContext.addParameter(OAUTH2_VALIDATE_SCOPE, authenticationContext.getParameter(OAUTH2_VALIDATE_SCOPE));
+                authorizationContext.addParameter(VALIDATE_LEGACY_PERMISSIONS,
+                        authenticationContext.getParameter(VALIDATE_LEGACY_PERMISSIONS));
 
                 String tenantDomainFromURLMapping = Utils.getTenantDomainFromURLMapping(request);
                 authorizationContext.setTenantDomainFromURLMapping(tenantDomainFromURLMapping);
@@ -238,6 +241,8 @@ private AuthorizationResult authorizeInOrganizationLevel(Request request, Respon
                     authenticationContext.getParameter(OAUTH2_ALLOWED_SCOPES));
             orgMgtAuthorizationContext.addParameter(OAUTH2_VALIDATE_SCOPE,
                     authenticationContext.getParameter(OAUTH2_VALIDATE_SCOPE));
+            orgMgtAuthorizationContext.addParameter(VALIDATE_LEGACY_PERMISSIONS,
+                    authenticationContext.getParameter(VALIDATE_LEGACY_PERMISSIONS));
 
             List<AuthorizationManager> authorizationManagerList = AuthorizationValveServiceHolder.getInstance()
                     .getAuthorizationManagerList();