From 59befae8544a5f0f1d37728127e2a9f8d52b0d1a Mon Sep 17 00:00:00 2001
From: Nisan Abeywickrama <29643986+nisan-abeywickrama@users.noreply.github.com>
Date: Mon, 2 Dec 2024 12:32:29 +0530
Subject: [PATCH 1/6] Add configuration to enable/disable deploying in-memory JWKS Api
---
 .../wso2/carbon/apimgt/gateway/InMemoryAPIDeployer.java | 7 ++++++-
 .../apimgt/gateway/handlers/DefaultAPIHandler.java | 6 +++++-
 .../java/org/wso2/carbon/apimgt/impl/APIConstants.java | 1 +
 .../wso2/carbon/apimgt/impl/APIManagerConfiguration.java | 4 ++++
 .../apimgt/impl/dto/ExtendedJWTConfigurationDto.java | 9 +++++++++
 5 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/InMemoryAPIDeployer.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/InMemoryAPIDeployer.java
index ddb717129898..9d9e180f15d2 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/InMemoryAPIDeployer.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/InMemoryAPIDeployer.java
@@ -46,6 +46,7 @@
 import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
 import org.wso2.carbon.apimgt.gateway.service.APIGatewayAdmin;
 import org.wso2.carbon.apimgt.impl.APIConstants;
+import org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto;
 import org.wso2.carbon.apimgt.impl.dto.GatewayArtifactSynchronizerProperties;
 import org.wso2.carbon.apimgt.impl.dto.GatewayCleanupSkipList;
 import org.wso2.carbon.apimgt.impl.gatewayartifactsynchronizer.ArtifactRetriever;
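Review bot: The added `import org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto;` looks unused: the only new code in this file, in the next hunk, reaches the flag through `getJwtConfigurationDto().isJWKSApiEnabled()` without ever naming the type, so unless the class is referenced elsewhere in InMemoryAPIDeployer the import should be dropped. An unused import is the first thing Checkstyle or an IDE inspection will raise on this file.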
@@ -210,7 +211,11 @@ public boolean deployAllAPIs(Set assignedGatewayLabels, String tenantDom
 if (!redeployChangedAPIs) {
 try {
- deployJWKSSynapseAPI(tenantDomain); // Deploy JWKS API
+ boolean isJWKSApiEnabled = ServiceReferenceHolder
+ .getInstance().getAPIManagerConfiguration().getJwtConfigurationDto().isJWKSApiEnabled();
+ if(isJWKSApiEnabled) {
+ deployJWKSSynapseAPI(tenantDomain); // Deploy JWKS API
+ }
 if (APIConstants.SUPER_TENANT_DOMAIN.equalsIgnoreCase(tenantDomain)) {
 deployHealthCheckSynapseAPI(tenantDomain); // Deploy HealthCheck API for the super tenant
 }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandler.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandler.java
index 0a72bdd9da32..8fcbeaef86c8 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandler.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandler.java
@@ -29,6 +29,7 @@
 import org.wso2.carbon.apimgt.common.gateway.constants.HealthCheckConstants;
 import org.wso2.carbon.apimgt.common.gateway.constants.JWTConstants;
 import org.wso2.carbon.apimgt.gateway.InMemoryAPIDeployer;
+import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
 import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
 import org.wso2.carbon.apimgt.impl.APIConstants;
 import org.wso2.carbon.apimgt.impl.gatewayartifactsynchronizer.exception.ArtifactSynchronizerException;
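Review bot: The lookup `ServiceReferenceHolder.getInstance().getAPIManagerConfiguration().getJwtConfigurationDto().isJWKSApiEnabled()` is spelled out in full here and again in DefaultAPIHandler.handleRequestInFlow in the next file's hunk; a single static helper such as `public static boolean isJWKSApiEnabled()` on InMemoryAPIDeployer, which DefaultAPIHandler already imports, would keep the two call sites from drifting apart. In the same hunk `if(isJWKSApiEnabled) {` should read `if (isJWKSApiEnabled) {` to match the neighbouring `if (APIConstants.SUPER_TENANT_DOMAIN...` line. The chain runs inside the existing try, and whether a null `getJwtConfigurationDto()` would be caught there cannot be seen from this hunk; deployAllAPIs starts and ends outside it.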
@@ -62,7 +63,10 @@ public boolean handleRequestInFlow(MessageContext messageContext) {
 }
 }
- if (isJWKSEndpoint) {
+ boolean isJWKSApiEnabled = ServiceReferenceHolder
+ .getInstance().getAPIManagerConfiguration().getJwtConfigurationDto().isJWKSApiEnabled();
+
+ if (isJWKSEndpoint && isJWKSApiEnabled) {
 try {
 InMemoryAPIDeployer.deployJWKSSynapseAPI(tenantDomain);
 } catch(APIManagementException e){
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java
index 856731b01b82..85aee58d71e3 100755
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java
@@ -464,6 +464,7 @@ public final class APIConstants {
 public static final String BINDING_FEDERATED_USER_CLAIMS = "EnableBindingFederatedUserClaims";
 public static final String TOKEN_GENERATOR_IMPL = "JWTGeneratorImpl";
 public static final String ENABLE_JWT_GENERATION = "EnableJWTGeneration";
+ public static final String Enable_JWKS_API = "EnableJWKSApi";
 public static final String CLAIMS_RETRIEVER_CLASS = "ClaimsRetrieverImplClass";
 public static final String USE_KID = "UseKidProperty";
 public static final String CONSUMER_DIALECT_URI = "ConsumerDialectURI";
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java
index f6282dc4edac..0c7e6d4e9e30 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java
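Review bot: The configuration lookup added to handleRequestInFlow runs on every request that passes through the handler, even when `isJWKSEndpoint` is false, because it sits above the `if`; folding it into the condition keeps the ordinary request path untouched since `&&` short-circuits: `if (isJWKSEndpoint && ServiceReferenceHolder.getInstance().getAPIManagerConfiguration().getJwtConfigurationDto().isJWKSApiEnabled()) {`. With the API disabled, a request for the JWKS endpoint is no longer deployed on demand and falls through to whatever follows the `if`, which lies outside the hunk; a comment such as `// JWKS API disabled by configuration: the synapse API is not deployed on demand` would make that intent visible to the next reader. handleRequestInFlow starts before and ends after this hunk.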
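Review bot: `Enable_JWKS_API` breaks the UPPER_SNAKE_CASE convention that every neighbouring constant in APIConstants follows (`ENABLE_JWT_GENERATION`, `CLAIMS_RETRIEVER_CLASS`); rename it `public static final String ENABLE_JWKS_API = "EnableJWKSApi";` and update its single reader in APIManagerConfiguration.setJWTConfiguration in the next hunk. The string value itself is fine to keep.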
@@ -1787,6 +1787,10 @@ private void setJWTConfiguration(OMElement omElement) {
 }
 }
 }
+
+ OMElement jwksApiEnableElement =
+ omElement.getFirstChildWithName(new QName(APIConstants.Enable_JWKS_API));
+ jwtConfigurationDto.setJWKSApiEnabled(Boolean.parseBoolean(jwksApiEnableElement.getText()));
 }
 public ThrottleProperties getThrottleProperties() {
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dto/ExtendedJWTConfigurationDto.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dto/ExtendedJWTConfigurationDto.java
index 4da31ddface2..285b2a12b30e 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dto/ExtendedJWTConfigurationDto.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dto/ExtendedJWTConfigurationDto.java
@@ -8,6 +8,7 @@ public class ExtendedJWTConfigurationDto extends JWTConfigurationDto {
 private boolean tenantBasedSigningEnabled;
 private boolean enableUserClaimRetrievalFromUserStore;
 private boolean isBindFederatedUserClaims;
+ private boolean isJWKSApiEnabled;
 public String getClaimRetrieverImplClass() {
@@ -58,4 +59,12 @@ public void setBindFederatedUserClaims(boolean isBindFederatedUserClaims) {
 this.isBindFederatedUserClaims = isBindFederatedUserClaims;
 }
+
+ public boolean isJWKSApiEnabled() {
+ return isJWKSApiEnabled;
+ }
+
+ public void setJWKSApiEnabled(boolean JWKSApiEnabled) {
+ this.isJWKSApiEnabled = JWKSApiEnabled;
+ }
 }
From 57ff2ccbbed070042f4fa920927d69cfcca55fe6 Mon Sep 17 00:00:00 2001
From: Nisan Abeywickrama <29643986+nisan-abeywickrama@users.noreply.github.com>
Date: Mon, 2 Dec 2024 21:08:48 +0530
Subject: [PATCH 2/6] Mock isJWKSApiEnabled in DefaultAPIHandlerTest
---
 .../handlers/DefaultAPIHandlerTest.java | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
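Review bot: `jwksApiEnableElement.getText()` dereferences the element with no null check, so any api-manager.xml written before this change, which has no `EnableJWKSApi` child under the JWT configuration, makes setJWTConfiguration throw a NullPointerException while the configuration is being parsed at startup. The default.json later in this series sets `apim.jwt.enable_jwks_api` to true, matching the unconditional deploy the first hunk of the series replaces, so an absent element should read as enabled rather than fail: `jwtConfigurationDto.setJWKSApiEnabled(jwksApiEnableElement == null || Boolean.parseBoolean(jwksApiEnableElement.getText()));`. setJWTConfiguration begins outside the hunk.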
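Review bot: The setter parameter `JWKSApiEnabled` starts with an upper-case letter, unlike the neighbouring setter's `isBindFederatedUserClaims`; `public void setJWKSApiEnabled(boolean jwksApiEnabled) { this.isJWKSApiEnabled = jwksApiEnabled; }` follows the file's lowerCamelCase convention. A one-line Javadoc on the getter, `/** Whether the in-memory JWKS synapse API is deployed by the gateway. */`, would also help, since this DTO is the only place a reader of the gateway code can find what the flag means.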
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/test/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandlerTest.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/test/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandlerTest.java
index bf5d90a26164..6416c89b6f2a 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/test/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandlerTest.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/test/java/org/wso2/carbon/apimgt/gateway/handlers/DefaultAPIHandlerTest.java
@@ -29,8 +29,11 @@
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
+import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
 import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
 import org.wso2.carbon.apimgt.impl.APIConstants;
+import org.wso2.carbon.apimgt.impl.APIManagerConfiguration;
+import org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto;
 import org.wso2.carbon.apimgt.keymgt.model.entity.API;
 import org.wso2.carbon.inbound.endpoint.protocol.websocket.InboundWebsocketConstants;
@@ -38,14 +41,27 @@
 import java.util.TreeMap;
 @RunWith(PowerMockRunner.class)
-@PrepareForTest({ApiUtils.class, Utils.class, GatewayUtils.class})
+@PrepareForTest({ApiUtils.class, Utils.class, GatewayUtils.class, ServiceReferenceHolder.class, APIManagerConfiguration.class, ExtendedJWTConfigurationDto.class})
 public class DefaultAPIHandlerTest {
+ private ServiceReferenceHolder serviceReferenceHolder;
+ private APIManagerConfiguration apiManagerConfiguration;
+ private ExtendedJWTConfigurationDto extendedJWTConfigurationDto;
+
 @Before
 public void init() {
 PowerMockito.mockStatic(ApiUtils.class);
 PowerMockito.mockStatic(Utils.class);
 PowerMockito.mockStatic(GatewayUtils.class);
+ PowerMockito.mockStatic(ServiceReferenceHolder.class);
+ serviceReferenceHolder = Mockito.mock(ServiceReferenceHolder.class);
+ apiManagerConfiguration = Mockito.mock(APIManagerConfiguration.class);
+ extendedJWTConfigurationDto = Mockito.mock(ExtendedJWTConfigurationDto.class);
+ Mockito.when(ServiceReferenceHolder.getInstance()).thenReturn(serviceReferenceHolder);
+ Mockito.when(serviceReferenceHolder.getAPIManagerConfiguration()).thenReturn(apiManagerConfiguration);
+ Mockito.when(apiManagerConfiguration.getJwtConfigurationDto()).thenReturn(extendedJWTConfigurationDto);
+ Mockito.when(extendedJWTConfigurationDto.isJWKSApiEnabled()).thenReturn(true);
+
 }
 @Test
From a44376e3fdcfb45d4f75897c9adb9d8beb7cb0ae Mon Sep 17 00:00:00 2001
From: Nisan Abeywickrama <29643986+nisan-abeywickrama@users.noreply.github.com>
Date: Tue, 3 Dec 2024 06:41:38 +0530
Subject: [PATCH 3/6] Add JWKS Api Enable configuration to amConfig.xml files
---
 .../org.wso2.carbon.apimgt.impl/src/test/resources/amConfig.xml | 1 +
 .../src/test/resources/amConfig.xml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/resources/amConfig.xml b/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/resources/amConfig.xml
index 6dce25404f9e..8c0ea5fb4854 100644
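Review bot: The new setup stubs `isJWKSApiEnabled()` to true only, so the path DefaultAPIHandler takes when the JWKS API is disabled, the very behaviour this series introduces, is never exercised; a test that overrides the stub with `Mockito.when(extendedJWTConfigurationDto.isJWKSApiEnabled()).thenReturn(false);` and checks that `InMemoryAPIDeployer.deployJWKSSynapseAPI` is not reached would close that gap. APIManagerConfiguration and ExtendedJWTConfigurationDto are created with plain `Mockito.mock`, so listing them in `@PrepareForTest` appears unnecessary unless those classes are final; only ServiceReferenceHolder needs it for `mockStatic`. The blank added line before the closing brace of init() is stray whitespace.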
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/resources/amConfig.xml +++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/resources/amConfig.xml @@ -11,6 +11,7 @@ false + true NONE diff --git a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/test/resources/amConfig.xml b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/test/resources/amConfig.xml index aa5617ef824f..12a3dedbdfcb 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/test/resources/amConfig.xml +++ b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/test/resources/amConfig.xml @@ -11,6 +11,7 @@ true + true NONE false From 5edac8a6d0e3f9bfa35254f82ed5ad8e5201e186 Mon Sep 17 00:00:00 2001 From: Nisan Abeywickrama <29643986+nisan-abeywickrama@users.noreply.github.com> Date: Tue, 3 Dec 2024 06:44:52 +0530 Subject: [PATCH 4/6] Update api-manager.xml.j2 and default.json artifacts --- .../conf_templates/org.wso2.carbon.apimgt.core.default.json | 1 + .../templates/repository/conf/api-manager.xml.j2 | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/org.wso2.carbon.apimgt.core.default.json b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/org.wso2.carbon.apimgt.core.default.json index 8650827e723d..2dbb5660b2ea 100644 --- a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/org.wso2.carbon.apimgt.core.default.json +++ b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/org.wso2.carbon.apimgt.core.default.json @@ -22,6 +22,7 @@ "apim.gateway_type": "Regular", "apim.enable_secure_vault": "false", "apim.jwt.enable": false, + "apim.jwt.enable_jwks_api": true, "apim.jwt.header": "X-JWT-Assertion", "apim.jwt.claim_dialect": "http://wso2.org/claims", "apim.jwt.convert_dialect": false, 
diff --git a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 index 86e7b7d51648..d24cf1726bf9 100644 --- a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 +++ b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 @@ -36,7 +36,8 @@ {{apim.jwt.enable}} - + + {{apim.jwt.enable_jwks_api}} {{apim.jwt.header}} From 22d62271ef959de9842d0118226e0287af19262f Mon Sep 17 00:00:00 2001 From: Nisan Abeywickrama <29643986+nisan-abeywickrama@users.noreply.github.com> Date: Wed, 4 Dec 2024 10:07:13 +0530 Subject: [PATCH 5/6] Fix intermittent failure in testGetAndUpdateAPIRevisionDeploymentsByWorkflowStatusAndApiUUID unit test --- .../apimgt/impl/dao/test/APIMgtDAOTest.java | 31 +++++++------------ 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/java/org/wso2/carbon/apimgt/impl/dao/test/APIMgtDAOTest.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/java/org/wso2/carbon/apimgt/impl/dao/test/APIMgtDAOTest.java index d55c370503a3..94e393610ce6 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/java/org/wso2/carbon/apimgt/impl/dao/test/APIMgtDAOTest.java +++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/test/java/org/wso2/carbon/apimgt/impl/dao/test/APIMgtDAOTest.java 
@@ -1818,12 +1818,13 @@ public void testRetrieveAllWorkflowFromInternalReference() throws Exception {
 }
 /**
- * Test for getAPIRevisionDeploymentsByWorkflowStatusAndApiUUID method
- * Checks whether the API revision deployment mapping details are retrieved correctly
+ * Test for testGetAndUpdateAPIRevisionDeploymentsByWorkflowStatusAndApiUUID method
+ * Checks whether the API revision deployment mapping details are retrieved correctly and
+ * Checks whether the API revision deployment status is updated correctly
 * @throws APIManagementException if an error occurs while retrieving revision deployment mapping details
 */
 @Test
- public void testGetAPIRevisionDeploymentsByWorkflowStatusAndApiUUID() throws Exception {
+ public void testGetAndUpdateAPIRevisionDeploymentsByWorkflowStatusAndApiUUID() throws Exception {
 String workflowStatus = "CREATED";
 String apiUUID = "7af95c9d-6177-4191-ab3e-d3f6c1cdc4c2";
 String revisionUUID = "821b9664-eeca-4173-9f56-3dc6d46bd6eb";
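Review bot: The rewritten Javadoc now says "Test for testGetAndUpdateAPIRevisionDeploymentsByWorkflowStatusAndApiUUID method", naming the test itself instead of the code under test, and the untouched `@throws` line still mentions only retrieval. The two DAO methods exercised are `getAPIRevisionDeploymentsByWorkflowStatusAndApiUUID` and `updateAPIRevisionDeploymentStatus`, so `* Test for getAPIRevisionDeploymentsByWorkflowStatusAndApiUUID and updateAPIRevisionDeploymentStatus methods` and `* @throws APIManagementException if an error occurs while retrieving or updating revision deployment mapping details` describe it accurately. The test body continues past the hunk.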
@@ -1836,24 +1837,14 @@ public void testGetAPIRevisionDeploymentsByWorkflowStatusAndApiUUID() throws Exc
 Assert.assertNotNull(apiRevisionDeployment);
 Assert.assertEquals(apiRevisionDeployment.getDeployment(), deployment);
 Assert.assertEquals(apiRevisionDeployment.getRevisionUUID(), revisionUUID);
- }
- /**
- * Test for updateAPIRevisionDeploymentStatus method
- * Checks whether the API revision deployment status is updated correctly
- * @throws APIManagementException if an error occurs while updating revision deployment status
- */
- @Test public void testUpdateAPIRevisionDeploymentStatus() throws Exception {
- String workflowStatus = "APPROVED";
- String revisionUUID = "821b9664-eeca-4173-9f56-3dc6d46bd6eb";
- String apiId = "7af95c9d-6177-4191-ab3e-d3f6c1cdc4c2";
- String deployment = "default";
- apiMgtDAO.updateAPIRevisionDeploymentStatus(revisionUUID, workflowStatus, deployment);
- List apiRevisionDeployments = apiMgtDAO.getAPIRevisionDeploymentByApiUUID(apiId);
- Assert.assertNotNull(apiRevisionDeployments);
- APIRevisionDeployment apiRevisionDeployment = apiRevisionDeployments.get(0);
- Assert.assertNotNull(apiRevisionDeployment);
- Assert.assertEquals(org.wso2.carbon.apimgt.api.WorkflowStatus.APPROVED,apiRevisionDeployment.getStatus());
+ String workflowStatus2 = "APPROVED";
+ apiMgtDAO.updateAPIRevisionDeploymentStatus(revisionUUID, workflowStatus2, deployment);
+ List apiRevisionDeployments2 = apiMgtDAO.getAPIRevisionDeploymentByApiUUID(apiUUID);
+ Assert.assertNotNull(apiRevisionDeployments2);
+ APIRevisionDeployment apiRevisionDeployment2 = apiRevisionDeployments2.get(0);
+ Assert.assertNotNull(apiRevisionDeployment2);
+ Assert.assertEquals(org.wso2.carbon.apimgt.api.WorkflowStatus.APPROVED,apiRevisionDeployment2.getStatus());
 }
 @Test
From 2f14c6249260d697d37120c08a5de723a2181071 Mon Sep 17 00:00:00 2001
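Review bot: The `2`-suffixed locals (`workflowStatus2`, `apiRevisionDeployments2`, `apiRevisionDeployment2`) encode their position in the method rather than their meaning; names tied to the second phase, such as `approvedStatus`, `updatedDeployments` and `updatedDeployment`, make the retrieve-then-update structure of the merged test read on its own. Because `getAPIRevisionDeploymentByApiUUID` is keyed by API UUID only, also asserting `Assert.assertEquals(apiRevisionDeployment2.getRevisionUUID(), revisionUUID);` as the first phase does would keep the status check unambiguous should that lookup ever return more than one deployment. The method's opening lines are in the previous hunk.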
From: Nisan Abeywickrama <29643986+nisan-abeywickrama@users.noreply.github.com>
Date: Tue, 22 Oct 2024 15:33:04 +0530
Subject: [PATCH 6/6] Fix: block subscription to API by keyType instead of app token type
---
 .../handlers/security/APIKeyValidator.java | 4 ++--
 .../security/keys/APIKeyDataStore.java | 2 +-
 .../security/keys/APIKeyValidatorClient.java | 4 ++--
 .../security/keys/WSAPIKeyDataStore.java | 4 ++--
 .../apimgt/gateway/utils/GatewayUtils.java | 7 ++++---
 .../AbstractKeyValidationHandler.java | 21 +++++++++----------
 .../keymgt/handlers/KeyValidationHandler.java | 2 +-
 .../service/APIKeyValidationService.java | 4 ++--
 8 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/APIKeyValidator.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/APIKeyValidator.java
index e83d6e71833b..f28610937922 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/APIKeyValidator.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/APIKeyValidator.java
@@ -743,9 +743,9 @@ public APIKeyValidationInfoDTO validateSubscription(String context, String versi
 }
 public APIKeyValidationInfoDTO validateSubscription(String context, String version, int appID,
- String tenantDomain)
+ String tenantDomain, String keyType)
 throws APISecurityException {
- return dataStore.validateSubscription(context, version, appID,tenantDomain);
+ return dataStore.validateSubscription(context, version, appID,tenantDomain, keyType);
 }
 /**
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyDataStore.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyDataStore.java
index 4a4d5adef1f3..043132176e2f 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyDataStore.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyDataStore.java
@@ -107,7 +107,7 @@ APIKeyValidationInfoDTO validateSubscription(String context, String version, Str
 * @return an APIKeyValidationInfoDTO instance containing key validation data
 * @throws org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException on error
 */
- APIKeyValidationInfoDTO validateSubscription(String context, String version, int appId, String tenantDomain)
+ APIKeyValidationInfoDTO validateSubscription(String context, String version, int appId, String tenantDomain, String keyType)
 throws APISecurityException;
 /**
 * Validate scopes bound to the resource of the API being invoked against the scopes of the token.
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyValidatorClient.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyValidatorClient.java
index 1f69d5d08f09..87d71ac2a1ed 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyValidatorClient.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/APIKeyValidatorClient.java
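Review bot: The Javadoc above the changed signature still documents the old parameter list, so the new `keyType` argument is undocumented on this interface; the same holds for KeyValidationHandler.validateSubscription and APIKeyValidationService.validateSubscription later in this patch. A line such as `* @param keyType the key type carried by the token (for example SANDBOX), used to decide whether a PROD_ONLY_BLOCKED subscription applies` alongside the other `@param` lines, which begin above the hunk, covers all three. Because these are public types, third-party implementations of APIKeyDataStore and KeyValidationHandler will stop compiling with the new arity; if they are supported extension points, a default method delegating the old signature to the new one with a null keyType would keep them source-compatible.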
@@ -76,12 +76,12 @@ public APIKeyValidationInfoDTO validateSubscription(String context, String versi
 }
 public APIKeyValidationInfoDTO validateSubscription(String context, String version, int appId,
- String tenantDomain)
+ String tenantDomain, String keyType)
 throws APISecurityException {
 try {
 return apiKeyValidationService
- .validateSubscription(context, version, appId, tenantDomain);
+ .validateSubscription(context, version, appId, tenantDomain, keyType);
 } catch (APIKeyMgtException | APIManagementException e) {
 log.error("Error while validate subscriptions", e);
 throw new APISecurityException(APISecurityConstants.API_AUTH_GENERAL_ERROR,
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/WSAPIKeyDataStore.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/WSAPIKeyDataStore.java
index dfc1ba7d8ee3..3efc29661240 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/WSAPIKeyDataStore.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/keys/WSAPIKeyDataStore.java
@@ -107,11 +107,11 @@ public APIKeyValidationInfoDTO validateSubscription(String context, String versi
 @Override
 public APIKeyValidationInfoDTO validateSubscription(String context, String version, int appId,
- String tenantDomain)
+ String tenantDomain, String keyType)
 throws APISecurityException {
 APIKeyValidatorClient client = new APIKeyValidatorClient();
 try {
- return client.validateSubscription(context, version, appId, tenantDomain);
+ return client.validateSubscription(context, version, appId, tenantDomain, keyType);
 } catch (APISecurityException ex) {
 throw new APISecurityException(ex.getErrorCode(), "Resource forbidden", ex);
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/GatewayUtils.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/GatewayUtils.java
index 9879f7de129b..750e247e7bb4 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/GatewayUtils.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/GatewayUtils.java
@@ -796,6 +796,7 @@ public static JSONObject validateAPISubscription(String apiContext, String apiVe
 APIKeyValidator apiKeyValidator = new APIKeyValidator();
 APIKeyValidationInfoDTO apiKeyValidationInfoDTO = null;
 JSONObject application;
+ String keyType = (String) payload.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE);
 int appId = 0;
 if (payload.getClaim(APIConstants.JwtTokenConstants.APPLICATION) != null) {
 try {
@@ -813,7 +814,7 @@ public static JSONObject validateAPISubscription(String apiContext, String apiVe
 // if the appId is equal to 0 then it's a internal key
 if (appId != 0) {
 apiKeyValidationInfoDTO =
- apiKeyValidator.validateSubscription(apiContext, apiVersion, appId, getTenantDomain());
+ apiKeyValidator.validateSubscription(apiContext, apiVersion, appId, getTenantDomain(), keyType);
 }
 if (payload.getClaim(APIConstants.JwtTokenConstants.SUBSCRIBED_APIS) != null) {
@@ -887,6 +888,7 @@ public static APIKeyValidationInfoDTO validateAPISubscription(String apiContext,
 APIKeyValidator apiKeyValidator = new APIKeyValidator();
 APIKeyValidationInfoDTO apiKeyValidationInfoDTO = null;
+ String keyType = (String) payload.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE);
 int appId = 0;
 if (payload.getClaim(APIConstants.JwtTokenConstants.APPLICATION) != null) {
 try {
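Review bot: `keyType` is taken from the token with an unchecked `(String)` cast and no null handling, here and in the second validateAPISubscription overload whose hunk continues on the following line; when the `KEY_TYPE` claim is absent the value is null and is passed down to the key manager as-is. The downstream comparison `APIConstants.API_KEY_TYPE_SANDBOX.equals(keyType)` is null-safe and treats a missing claim as non-sandbox, so a PROD_ONLY_BLOCKED subscription stays blocked, which is the safe direction, but `infoDTO.setType(null)` also results where previously the application's token type was stored, and whether readers of getType() tolerate null cannot be seen here. A comment at the read, `// KEY_TYPE claim of the token; null when absent, which the key manager treats as a non-sandbox key`, records that contract. The check is sound only because the token's signature is presumably verified before validateAPISubscription is reached, which lies outside these hunks.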
@@ -904,13 +906,12 @@ public static APIKeyValidationInfoDTO validateAPISubscription(String apiContext,
 // if the appId is equal to 0 then it's a internal key
 if (appId != 0) {
 apiKeyValidationInfoDTO =
- apiKeyValidator.validateSubscription(apiContext, apiVersion, appId, getTenantDomain());
+ apiKeyValidator.validateSubscription(apiContext, apiVersion, appId, getTenantDomain(), keyType);
 if (apiKeyValidationInfoDTO.isAuthorized()) {
 if (log.isDebugEnabled()) {
 log.debug("User is subscribed to the API: " + apiContext + ", " + "version: " + apiVersion + ". Token: " + getMaskedToken(token));
 }
- String keyType = (String) payload.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE);
 apiKeyValidationInfoDTO.setType(keyType);
 } else {
 if (log.isDebugEnabled()) {
diff --git a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/AbstractKeyValidationHandler.java b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/AbstractKeyValidationHandler.java
index e22562c825be..72b7fc1321ba 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/AbstractKeyValidationHandler.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/AbstractKeyValidationHandler.java
@@ -200,7 +200,7 @@ public APIKeyValidationInfoDTO validateSubscription(String apiContext, String ap
 }
 @Override
- public APIKeyValidationInfoDTO validateSubscription(String apiContext, String apiVersion, int appId) {
+ public APIKeyValidationInfoDTO validateSubscription(String apiContext, String apiVersion, int appId, String keyType) {
 APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
 if (log.isDebugEnabled()) {
@@ -208,7 +208,7 @@ public APIKeyValidationInfoDTO validateSubscription(String apiContext, String ap
 log.debug("Validation Info : { context : " + apiContext + " , " + "version : " + apiVersion + " , appId : " + appId + " }");
 }
- validateSubscriptionDetails(apiContext, apiVersion, appId, apiKeyValidationInfoDTO);
+ validateSubscriptionDetails(apiContext, apiVersion, appId, apiKeyValidationInfoDTO, keyType);
 if (log.isDebugEnabled()) {
 log.debug("After validating subscriptions");
 }
@@ -230,7 +230,7 @@ private boolean validateSubscriptionDetails(String context, String version, Stri
 private boolean validateSubscriptionDetails(String context, String version, int appId,
- APIKeyValidationInfoDTO infoDTO) {
+ APIKeyValidationInfoDTO infoDTO, String keyType) {
 // Check if the api version has been prefixed with _default_
 if (version != null && version.startsWith(APIConstants.DEFAULT_VERSION_PREFIX)) {
@@ -238,7 +238,7 @@ private boolean validateSubscriptionDetails(String context, String version, int
 version = version.split(APIConstants.DEFAULT_VERSION_PREFIX)[1];
 }
- validateSubscriptionDetails(infoDTO, context, version, appId);
+ validateSubscriptionDetails(infoDTO, context, version, appId, keyType);
 return infoDTO.isAuthorized();
 }
@@ -326,7 +326,7 @@ private APIKeyValidationInfoDTO validateSubscriptionDetails(APIKeyValidationInfo
 }
 private APIKeyValidationInfoDTO validateSubscriptionDetails(APIKeyValidationInfoDTO infoDTO, String context,
- String version, int appId) {
+ String version, int appId, String keyType) {
 String apiTenantDomain = MultitenantUtils.getTenantDomainFromRequestURL(context);
 if (apiTenantDomain == null) {
 apiTenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
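Review bot: The debug line `"Validation Info : { context : " + apiContext + " , " + "version : " + apiVersion + " , appId : " + appId + " }"` in the first hunk still omits the new `keyType` input even though it now decides the PROD_ONLY_BLOCKED outcome; appending `+ " , keyType : " + keyType` to it gives an operator the one value that explains a blocked result when reading the gateway logs. The enclosing validateSubscription starts in the previous hunk on the line above.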
@@ -367,7 +367,7 @@ private APIKeyValidationInfoDTO validateSubscriptionDetails(APIKeyValidationInfo
 }
 if (api != null && sub != null) {
- validate(infoDTO, apiTenantDomain, tenantId, datastore, api, app, sub);
+ validate(infoDTO, apiTenantDomain, tenantId, datastore, api, app, sub, keyType);
 } else if (!infoDTO.isAuthorized() && infoDTO.getValidationStatus() == 0) {
 //Scenario where validation failed and message is not set
 infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_AUTH_RESOURCE_FORBIDDEN);
@@ -657,9 +657,8 @@ private APIKeyValidationInfoDTO validate(APIKeyValidationInfoDTO infoDTO, String
 private APIKeyValidationInfoDTO validate(APIKeyValidationInfoDTO infoDTO, String apiTenantDomain, int tenantId,
- SubscriptionDataStore datastore, API api, Application app, Subscription sub) {
+ SubscriptionDataStore datastore, API api, Application app, Subscription sub, String keyType) {
 String subscriptionStatus = sub.getSubscriptionState();
- String type = app.getTokenType();
 if (APIConstants.SubscriptionStatus.BLOCKED.equals(subscriptionStatus)) {
 infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_BLOCKED);
 infoDTO.setAuthorized(false);
@@ -670,9 +669,9 @@ private APIKeyValidationInfoDTO validate(APIKeyValidationInfoDTO infoDTO, String
 infoDTO.setAuthorized(false);
 return infoDTO;
 } else if (APIConstants.SubscriptionStatus.PROD_ONLY_BLOCKED.equals(subscriptionStatus)
- && !APIConstants.API_KEY_TYPE_SANDBOX.equals(type)) {
+ && !APIConstants.API_KEY_TYPE_SANDBOX.equals(keyType)) {
 infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_BLOCKED);
- infoDTO.setType(type);
+ infoDTO.setType(keyType);
 infoDTO.setAuthorized(false);
 return infoDTO;
 }
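Review bot: The blocking decision in validate() now rests on the caller-supplied `keyType` instead of `app.getTokenType()`, and nothing records that a null keyType (token without the claim) lands on the blocked side of `!APIConstants.API_KEY_TYPE_SANDBOX.equals(keyType)`; a comment on that `else if`, `// a null keyType (claim absent) is not SANDBOX, so a PROD_ONLY_BLOCKED subscription stays blocked: fail closed`, keeps that deliberate fail-closed behaviour from being "fixed" later. The hunk on the following line stores the same possibly-null value with `infoDTO.setType(keyType)` on the authorized path. validate() continues outside these hunks.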
@@ -687,7 +686,7 @@ private APIKeyValidationInfoDTO validate(APIKeyValidationInfoDTO infoDTO, String
 infoDTO.setApplicationUUID(app.getUUID());
 infoDTO.setApplicationGroupIds(app.getGroupIds().stream().map(GroupId::getGroupId).collect(Collectors.toSet()));
 infoDTO.setAppAttributes(app.getAttributes());
- infoDTO.setType(type);
+ infoDTO.setType(keyType);
 // Advanced Level Throttling Related Properties
 String apiTier = api.getApiTier();
diff --git a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/KeyValidationHandler.java b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/KeyValidationHandler.java
index 362afe5a46f5..f94a87df88be 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/KeyValidationHandler.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/handlers/KeyValidationHandler.java
@@ -54,7 +54,7 @@ boolean validateSubscription(TokenValidationContext tokenValidationContext)
 * @param appId
 * @return APIKeyValidationInfoDTO instance containing key validation data
 */
- APIKeyValidationInfoDTO validateSubscription(String apiContext, String apiVersion, int appId);
+ APIKeyValidationInfoDTO validateSubscription(String apiContext, String apiVersion, int appId, String keyType);
 /**
 * Validate Scopes by oAuth2TokenValidationMessageContext
diff --git a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/service/APIKeyValidationService.java b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/service/APIKeyValidationService.java
index cca9b3b76195..cd5a3d2ce8c3 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/service/APIKeyValidationService.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/service/APIKeyValidationService.java
@@ -507,11 +507,11 @@ public boolean validateScopes(TokenValidationContext tokenValidationContext, Str
 * @throws APIManagementException in case of APIM Component initialization failure
 */
 public APIKeyValidationInfoDTO validateSubscription(String context, String version, int appId,
- String tenantDomain)
+ String tenantDomain, String keyType)
 throws APIKeyMgtException, APIManagementException {
 KeyValidationHandler keyValidationHandler = ServiceReferenceHolder.getInstance().getKeyValidationHandler(tenantDomain);
- return keyValidationHandler.validateSubscription(context, version, appId);
+ return keyValidationHandler.validateSubscription(context, version, appId, keyType);
 }
 public Map retrieveScopes(String tenantDomain) {