From 9348c64b9d45cd63ab68596a37ee6f640b56671a Mon Sep 17 00:00:00 2001
From: Tharsanan1
Date: Thu, 30 Jan 2025 16:13:29 +0530
Subject: [PATCH] Fix auth nil pointer
---
 .../internal/authorization/authorization.go | 14 ++------
 .../authorization/scope_validation.go | 35 ++++++++++++-------
 .../internal/authorization/subscription.go | 17 ++++++++-
 3 files changed, 42 insertions(+), 24 deletions(-)
diff --git a/gateway/enforcer/internal/authorization/authorization.go b/gateway/enforcer/internal/authorization/authorization.go
index 781833d08..74097725c 100644
--- a/gateway/enforcer/internal/authorization/authorization.go
+++ b/gateway/enforcer/internal/authorization/authorization.go
@@ -28,21 +28,13 @@ import (
 // Validate performs the authorization.
 func Validate(rch *requestconfig.Holder, subAppDataStore *datastore.SubscriptionApplicationDataStore, cfg *config.Server) *dto.ImmediateResponse {
- if immediateResponse := ValidateScopes(*rch.JWTValidationInfo.Scopes, rch.MatchedResource.Scopes, rch.MatchedResource.Path); immediateResponse != nil {
+ if immediateResponse := ValidateScopes(rch); immediateResponse != nil {
 return immediateResponse
 }
 cfg.Logger.Info(fmt.Sprintf("Scope validation successful for the request: %s", rch.MatchedResource.Path))
 if rch.MatchedAPI.SubscriptionValidation {
- appID := rch.ExternalProcessingEnvoyAttributes.ApplicationID
- if appID == "" && rch.JWTValidationInfo.ClientID != "" {
- appID = getAppIDUsingConsumerKey(rch.JWTValidationInfo.ClientID, subAppDataStore, rch.MatchedAPI, "")
- } else {
- return &dto.ImmediateResponse{
- StatusCode: 403,
- Message: "Application ID not found",
- }
- }
- return validateSubscription(appID, subAppDataStore, rch)
+
+ return validateSubscription(subAppDataStore, rch)
 }
 return nil
 }
diff --git a/gateway/enforcer/internal/authorization/scope_validation.go b/gateway/enforcer/internal/authorization/scope_validation.go
index 14047902b..63fb4e62e 100644
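Review bot: Validate still dereferences `rch.MatchedResource` on the `cfg.Logger.Info` line and `rch.MatchedAPI` on the following `if` with no nil check, while ValidateScopes is now written to tolerate a nil MatchedResource and returns nil (allow) in that case, so a request with no matched resource would pass scope validation and then panic one line later instead of being denied. If MatchedResource can actually be nil here, Validate should reject before logging, e.g. `if rch.MatchedResource == nil || rch.MatchedAPI == nil { return &dto.ImmediateResponse{StatusCode: 403, Message: "<resource not matched>"} }` (message text is a placeholder). The blank added line before `return validateSubscription(subAppDataStore, rch)` is a leftover of the removed block and should be dropped. Validate's whole body is inside this hunk.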
--- a/gateway/enforcer/internal/authorization/scope_validation.go
+++ b/gateway/enforcer/internal/authorization/scope_validation.go
@@ -19,26 +19,37 @@ package authorization
 import (
 "fmt"
+ "github.com/wso2/apk/gateway/enforcer/internal/dto"
+ "github.com/wso2/apk/gateway/enforcer/internal/requestconfig"
 )
 // ValidateScopes validates the scopes of the user against the required scopes.
-func ValidateScopes(scopes []string, requiredScopes []string, path string) *dto.ImmediateResponse {
- for _, requiredScope := range requiredScopes {
- found := false
- for _, scope := range scopes {
- if requiredScope == scope {
- found = true
- break
- }
- }
- if !found {
+func ValidateScopes(rch *requestconfig.Holder) *dto.ImmediateResponse {
+ if rch.MatchedResource != nil {
+ if rch.JWTValidationInfo.Scopes == nil && len(rch.MatchedResource.Scopes) > 0 {
 return &dto.ImmediateResponse{
 StatusCode: 403,
- Message: fmt.Sprintf("User is NOT authorized to access the Resource: %s. Scope validation failed.", path),
+ Message: fmt.Sprintf("User is NOT authorized to access the Resource: %s. Scope validation failed.", rch.MatchedResource.Path),
+ }
+ }
+ // scopes []string, requiredScopes []string, path string
+ for _, requiredScope := range rch.MatchedResource.Scopes {
+ found := false
+ for _, scope := range *rch.JWTValidationInfo.Scopes {
+ if requiredScope == scope {
+ found = true
+ break
+ }
+ }
+ if !found {
+ return &dto.ImmediateResponse{
+ StatusCode: 403,
+ Message: fmt.Sprintf("User is NOT authorized to access the Resource: %s. Scope validation failed.", rch.MatchedResource.Path),
+ }
 }
 }
 }
+ return nil
 }
-
diff --git a/gateway/enforcer/internal/authorization/subscription.go b/gateway/enforcer/internal/authorization/subscription.go
index ef9c5a860..f7c192587 100644
--- a/gateway/enforcer/internal/authorization/subscription.go
+++ b/gateway/enforcer/internal/authorization/subscription.go
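Review bot: The new guard reads `rch.JWTValidationInfo.Scopes` without first checking `rch.JWTValidationInfo` itself, although this same commit's change to validateSubscription treats a nil JWTValidationInfo as a reachable state; with a matched resource that requires scopes and no validation info, ValidateScopes still panics instead of denying. Folding the nil check into the existing guard fails closed: `if (rch.JWTValidationInfo == nil || rch.JWTValidationInfo.Scopes == nil) && len(rch.MatchedResource.Scopes) > 0 {` — the later `range *rch.JWTValidationInfo.Scopes` is then only evaluated when scopes exist, because the outer loop body runs only for a non-empty required-scope list. The added line `// scopes []string, requiredScopes []string, path string` is the old parameter list left behind and should be removed. Note also that a nil MatchedResource makes the function return nil (allow); whether that is intended is not visible here, and the caller in authorization.go dereferences MatchedResource right afterwards.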
@@ -12,7 +12,22 @@ const (
 )
 // validateSubscription validates the subscription.
-func validateSubscription(appID string, subAppDatastore *datastore.SubscriptionApplicationDataStore, rch *requestconfig.Holder) *dto.ImmediateResponse{
+func validateSubscription(subAppDatastore *datastore.SubscriptionApplicationDataStore, rch *requestconfig.Holder) *dto.ImmediateResponse{
+ if rch.JWTValidationInfo == nil {
+ return &dto.ImmediateResponse{
+ StatusCode: 403,
+ Message: "JWT validation info not found",
+ }
+ }
+ appID := rch.ExternalProcessingEnvoyAttributes.ApplicationID
+ if appID == "" && rch.JWTValidationInfo.ClientID != "" {
+ appID = getAppIDUsingConsumerKey(rch.JWTValidationInfo.ClientID, subAppDatastore, rch.MatchedAPI, "")
+ } else {
+ return &dto.ImmediateResponse{
+ StatusCode: 403,
+ Message: "Application ID not found",
+ }
+ }
 api := rch.MatchedAPI
 appMaps := subAppDatastore.GetApplicationMappings(api.OrganizationID, appID)
 for _, appMap := range appMaps {
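Review bot: The `else` branch on the new side denies every request that already carries a non-empty `rch.ExternalProcessingEnvoyAttributes.ApplicationID`: when appID is non-empty the condition `appID == "" && rch.JWTValidationInfo.ClientID != ""` is false, so control falls into the 403 "Application ID not found" and the attribute value is never used. This logic is carried over unchanged from authorization.go, but since the commit moves it, this is the place to fix it: perform the consumer-key lookup only when appID is empty and deny only when it is still empty afterwards, which also covers getAppIDUsingConsumerKey returning an empty string (its behaviour is not visible in this diff, so that part is an assumption). validateSubscription's body continues past the hunk.
```go
func validateSubscription(subAppDatastore *datastore.SubscriptionApplicationDataStore, rch *requestconfig.Holder) *dto.ImmediateResponse{
	// … unchanged: nil guard on rch.JWTValidationInfo …
	appID := rch.ExternalProcessingEnvoyAttributes.ApplicationID
	if appID == "" && rch.JWTValidationInfo.ClientID != "" {
		appID = getAppIDUsingConsumerKey(rch.JWTValidationInfo.ClientID, subAppDatastore, rch.MatchedAPI, "")
	}
	// Deny only when neither the Envoy attributes nor the consumer-key
	// lookup produced an application ID.
	if appID == "" {
		return &dto.ImmediateResponse{
			StatusCode: 403,
			Message:    "Application ID not found",
		}
	}
	api := rch.MatchedAPI
	// … unchanged: application-mapping lookup …
```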