From c4983db2641617c1b120c0ce0e84b31e64f6bcc6 Mon Sep 17 00:00:00 2001
From: Shan Chathusanda Jayathilaka <shanchathusanda@gmail.com>
Date: Wed, 24 Apr 2024 11:36:43 +0530
Subject: [PATCH] Improve user delete and update for sub organizations

---
 .../scim2/common/utils/SCIMCommonUtils.java   | 18 +++++++++++++++
 .../provider/resources/UserResource.java      | 23 +++++++++++--------
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
index b57949a9..2606fb4d 100644
--- a/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
+++ b/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java
@@ -34,6 +34,8 @@
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.handler.event.account.lock.constants.AccountConstants;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.identity.role.mgt.core.IdentityRoleManagementException;
 import org.wso2.carbon.identity.role.mgt.core.util.UserIDResolver;
 import org.wso2.carbon.identity.scim2.common.cache.SCIMCustomAttributeSchemaCache;
@@ -948,4 +950,20 @@ public static String getLoggedInUserID() throws CharonException {
             throw new CharonException("Error occurred while retrieving super admin ID.", e);
         }
     }
+
+    /**
+     * Check whether the given tenant domain is an organization.
+     *
+     * @param tenantDomain Tenant domain of the request.
+     * @return True if the tenant domain is an organization.
+     * @throws CharonException If an error occurred while checking the organization state.
+     */
+    public static boolean isOrganization(String tenantDomain) throws CharonException {
+
+        try {
+            return OrganizationManagementUtil.isOrganization(tenantDomain);
+        } catch (OrganizationManagementException e) {
+            throw new CharonException("Error occurred while checking the organization state.", e);
+        }
+    }
 }
diff --git a/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java b/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java
index 817fc727..38b89816 100644
--- a/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java
+++ b/components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java
@@ -40,6 +40,7 @@
 import javax.ws.rs.core.Response;
 
 import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.buildCustomSchema;
+import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantDomain;
 import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantId;
 
 @Path("/")
@@ -151,13 +152,14 @@ public Response deleteUser(@PathParam(SCIMProviderConstants.ID) String id,
             // obtain the user store manager
             UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();
 
-            String superAdminID = AdminAttributeUtil.getSuperAdminID();
-            String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
-            if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
-                if (LOG.isDebugEnabled()) {
+            // Skipping this validation if the request comes from a sub organization.
+            if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
+                String superAdminID = AdminAttributeUtil.getSuperAdminID();
+                String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
+                if (superAdminID.equals(id) && !loggedInUser.equals(id)) {
                     LOG.debug("Do not have permission to delete SuperAdmin user.");
+                    return Response.status(Response.Status.FORBIDDEN).build();
                 }
-                return Response.status(Response.Status.FORBIDDEN).build();
             }
 
             // create charon-SCIM user resource manager and hand-over the request.
@@ -348,13 +350,14 @@ public Response patchUser(@PathParam(SCIMConstants.CommonSchemaConstants.ID) Str
             // obtain the user store manager
             UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();
 
-            String superAdminID = AdminAttributeUtil.getSuperAdminID();
-            String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
-            if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
-                if (LOG.isDebugEnabled()) {
+            // Skipping this validation if the request comes from a sub organization.
+            if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
+                String superAdminID = AdminAttributeUtil.getSuperAdminID();
+                String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
+                if (superAdminID.equals(id) && !loggedInUser.equals(id)) {
                     LOG.debug("Do not have permission to patch SuperAdmin user.");
+                    return Response.status(Response.Status.FORBIDDEN).build();
                 }
-                return Response.status(Response.Status.FORBIDDEN).build();
             }
 
             // Build Custom schema