Fix: Error when loading configs to enforcer

wso2 · Jul 5, 2023 · 594f12f · 594f12f
1 parent d6c2a18
commit 594f12f
Show file tree

Hide file tree

Showing 7 changed files with 319 additions and 245 deletions.
diff --git a/adapter/internal/oasparser/config_generator.go b/adapter/internal/oasparser/config_generator.go
@@ -187,6 +187,20 @@ func GetEnforcerAPI(adapterInternalAPI model.AdapterInternalAPI, vhost string) *
 		}
 	}
 
+	var mutualSSL *api.MutualSSL
+	mutualSSLConf := adapterInternalAPI.GetMutualSSL()
+	if mutualSSLConf != nil {
+		mutualSSL = &api.MutualSSL{}
+		mutualSSL.IsEnabled = mutualSSLConf.Enabled
+		mutualSSL.CertificatePath = mutualSSLConf.TrustedCertPath
+		if mutualSSLConf.MTLSSecurity != nil {
+			mutualSSL.CertificateHeader = mutualSSLConf.MTLSSecurity.CertificateHeader
+			mutualSSL.EnableClientValidation = mutualSSLConf.MTLSSecurity.EnableClientValidation
+			mutualSSL.ClientCertificateEncode = mutualSSLConf.MTLSSecurity.ClientCertificateEncode
+			mutualSSL.EnableOutboundCertificateHeader = mutualSSLConf.MTLSSecurity.EnableOutboundCertificateHeader
+		}
+	}
+
 	return &api.Api{
 		Id:                     adapterInternalAPI.UUID,
 		Title:                  adapterInternalAPI.GetTitle(),
@@ -210,6 +224,7 @@ func GetEnforcerAPI(adapterInternalAPI model.AdapterInternalAPI, vhost string) *
 		// GraphqlComplexityInfo: adapterInternalAPI.GraphQLComplexities.Data.List,
 		SystemAPI:         adapterInternalAPI.IsSystemAPI,
 		ApiDefinitionFile: adapterInternalAPI.GetAPIDefinitionFile(),
+		MutualSSLAuth:     mutualSSL,
 	}
 }
 

diff --git a/adapter/internal/oasparser/model/adapter_internal_api.go b/adapter/internal/oasparser/model/adapter_internal_api.go
@@ -66,7 +66,7 @@ type AdapterInternalAPI struct {
 	backendJWTTokenInfo      *BackendJWTTokenInfo
 	apiDefinitionFile        []byte
 	APIProperties            []dpv1alpha1.Property
-	mutualSSLAuth            *MutualSSLAuth
+	mutualSSLAuth            *MutualSSL
 	// GraphQLSchema              string
 	// GraphQLComplexities        GraphQLComplexityYaml
 	IsSystemAPI     bool
@@ -83,8 +83,8 @@ type BackendJWTTokenInfo struct {
 	CustomClaims     []ClaimMapping
 }
 
-// MutualSSLAuth mutual ssl authentication related information
-type MutualSSLAuth struct {
+// MutualSSL mutual ssl authentication related information
+type MutualSSL struct {
 	TrustedCertPath string        `json:"trustedCertPath,omitempty"`
 	Enabled         bool          `json:"enabled"`
 	MTLSSecurity    *MTLSSecurity `json:"mtlsSecurity,omitempty"`
@@ -272,8 +272,8 @@ func (swagger *AdapterInternalAPI) GetXWso2Endpoints() map[string]*EndpointClust
 	return swagger.xWso2Endpoints
 }
 
-// GetMutualSSLConfigs returns the mutual ssl configs.
-func (swagger *AdapterInternalAPI) GetMutualSSLConfigs() *MutualSSLAuth {
+// GetMutualSSL returns the mutual ssl configs.
+func (swagger *AdapterInternalAPI) GetMutualSSL() *MutualSSL {
 	return swagger.mutualSSLAuth
 }
 
@@ -324,7 +324,7 @@ func (swagger *AdapterInternalAPI) SetClientCerts(certs []Certificate) {
 }
 
 // SetMutualSSLAuth set the mutual ssl auth of the API
-func (swagger *AdapterInternalAPI) SetMutualSSLAuth(mutualSSLAuth MutualSSLAuth) {
+func (swagger *AdapterInternalAPI) SetMutualSSLAuth(mutualSSLAuth MutualSSL) {
 	swagger.mutualSSLAuth = &mutualSSLAuth
 }
 

diff --git a/adapter/internal/oasparser/model/http_route.go b/adapter/internal/oasparser/model/http_route.go
@@ -335,6 +335,11 @@ func (swagger *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwapiv1b1.HTTPR
 	swagger.xWso2Cors = getCorsConfigFromAPIPolicy(apiPolicySelected)
 	swagger.disableAuthentications = disableAuthentications
 	swagger.disableScopes = disableScopes
+	if swagger.mutualSSLAuth != nil {
+		if swagger.mutualSSLAuth.MTLSSecurity != nil {
+			fmt.Println("mutual ssl header name: ", swagger.mutualSSLAuth.MTLSSecurity.CertificateHeader)
+		}
+	}
 
 	// Check whether the API has a backend JWT token
 	if apiPolicySelected != nil && apiPolicySelected.Spec.Override != nil && apiPolicySelected.Spec.Override.BackendJWTToken != nil {
@@ -343,9 +348,11 @@ func (swagger *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwapiv1b1.HTTPR
 	return nil
 }
 
-func parseMTLSAuthToInternal(authScheme *dpv1alpha1.Authentication) *MutualSSLAuth {
-	mutualSSLAuth := &MutualSSLAuth{}
+func parseMTLSAuthToInternal(authScheme *dpv1alpha1.Authentication) *MutualSSL {
+	mutualSSLAuth := &MutualSSL{}
+	fmt.Println("authScheme.Spec.Override.MutualSSl", authScheme.Spec.Override.MutualSSL)
 	if authScheme.Spec.Override != nil && authScheme.Spec.Override.MutualSSL != nil {
+		fmt.Println("authScheme.Spec.Override.MutualSSl.Disabled", authScheme.Spec.Override.MutualSSL.Enabled)
 		mtlsOverride := authScheme.Spec.Override.MutualSSL
 		mtlsDefault := authScheme.Spec.Default.MutualSSL
 		if mtlsOverride != nil && mtlsOverride.Enabled != nil && *mtlsOverride.Enabled {

diff --git a/developer/tryout/samples/sample-auth.yaml b/developer/tryout/samples/sample-auth.yaml
@@ -4,6 +4,12 @@ metadata:
   name: sand-http-bin-authentication
 spec:
   override:
+    mutualSSL:
+      enabled: true
+      mtlsSecurity:
+        enableClientValidation: true
+        clientCertificateEncode: true
+        certificateHeader: SSL-CLIENT-CERT
     type: ext
     ext:
       disabled: false
@@ -17,6 +23,15 @@ spec:
           - in: Header
             name: x-api-key
   default:
+    mutualSSL:
+      trustedCertPath: ""
+      enabled: true
+      mtlsSecurity:
+        enableClientValidation: true
+        clientCertificateEncode: true
+        certificateHeader: SSL-CLIENT-CERT
+        clientCertificateEncode: true
+        enableOutboundCertificateHeader: true
     type: ext
     ext:
       serviceRef: 
@@ -29,6 +44,6 @@ spec:
           - in: Header
             name: x-api-key
   targetRef:
-    kind: Resource
-    name: http-bin-api #provide API ref name
-    group: gateway.networking.k8s.io
+    kind: API
+    name: http-bin-api1 #provide API ref name
+    group: ""
diff --git a/...forcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java b/...forcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java
@@ -72,8 +72,6 @@ private void initializeAuthenticators(APIConfig apiConfig) {
         isOAuthBasicAuthMandatory = apiConfig.getApplicationSecurity();
         MutualSSLDTO mtlsInfo = apiConfig.getMutualSSLDto();
 
-        // isMutualSSLProtected = mtlsInfo.isEnable();
-
         if (!Objects.isNull(apiConfig.getMutualSSL())) {
             if (apiConfig.getMutualSSL().equalsIgnoreCase(APIConstants.Optionality.MANDATORY)) {
                 isMutualSSLProtected = true;
@@ -86,6 +84,7 @@ private void initializeAuthenticators(APIConfig apiConfig) {
         if (!isMutualSSLMandatory) {
             isOAuthBasicAuthMandatory = true;
         }
+        isMutualSSLProtected = mtlsInfo.isEnable();
 
         // TODO: Set authenticator for isBasicAuthProtected
         if (isMutualSSLProtected) {

diff --git a/...so2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/mtls/MTLSAuthenticator.java b/...so2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/mtls/MTLSAuthenticator.java
@@ -47,10 +47,8 @@
  */
 public class MTLSAuthenticator implements Authenticator {
     private static final Logger log = LogManager.getLogger(MTLSAuthenticator.class);
-    private boolean isEnableClientValidation = ConfigHolder.getInstance().getConfig().getMtlsInfo()
-                                                        .isEnableClientValidation();
-    private boolean isClientCertificateEncode = ConfigHolder.getInstance().getConfig().getMtlsInfo()
-                                                        .isClientCertificateEncode();
+    private boolean isEnableClientValidation;
+    private boolean isClientCertificateEncode;
 
     public MTLSAuthenticator(boolean isEnableClientValidation, boolean isClientCertificateEncode) {
         this.isEnableClientValidation = isEnableClientValidation;