diff --git a/adapter/api/proto/wso2/discovery/api/api_authentication.proto b/adapter/api/proto/wso2/discovery/api/api_authentication.proto index efbff0caf2..32f0c894d9 100644 --- a/adapter/api/proto/wso2/discovery/api/api_authentication.proto +++ b/adapter/api/proto/wso2/discovery/api/api_authentication.proto @@ -35,16 +35,17 @@ message APIKey { message JWT { string header = 1; // name of the header containing the JWT bool sendTokenToUpstream = 2; // send the token to upstream + repeated string audience = 3; +} + +message Oauth2 { + string header = 1; // name of the header containing the JWT + bool sendTokenToUpstream = 2; // send the token to upstream } message APIAuthentication { bool disabled = 1; // disable authentication JWT jwt = 2; repeated APIKey apikey = 3; - TestConsoleKey testConsoleKey = 4; -} - -message TestConsoleKey { - string header = 1; // name of the header containing the test key - bool sendTokenToUpstream = 2; // send the token to upstream + Oauth2 Oauth2 = 4; } diff --git a/adapter/internal/oasparser/config_generator.go b/adapter/internal/oasparser/config_generator.go index b8763c81be..cad44bc401 100644 --- a/adapter/internal/oasparser/config_generator.go +++ b/adapter/internal/oasparser/config_generator.go @@ -258,6 +258,7 @@ func castAPIAuthenticationsToEnforcerAPIAuthentications(authentication *model.Au enforcerAuthentication.Jwt = &api.JWT{ Header: strings.ToLower(authentication.JWT.Header), SendTokenToUpstream: authentication.JWT.SendTokenToUpstream, + Audience: authentication.JWT.Audience, } } var apiKeys []*api.APIKey @@ -273,19 +274,12 @@ func castAPIAuthenticationsToEnforcerAPIAuthentications(authentication *model.Au }) } enforcerAuthentication.Apikey = apiKeys - if authentication.TestConsoleKey != nil { - enforcerAuthentication.TestConsoleKey = &api.TestConsoleKey{ - Header: strings.ToLower(authentication.TestConsoleKey.Header), - SendTokenToUpstream: authentication.TestConsoleKey.SendTokenToUpstream, + if authentication.Oauth2 != nil { + enforcerAuthentication.Oauth2 = &api.Oauth2{ + Header: strings.ToLower(authentication.Oauth2.Header), + SendTokenToUpstream: authentication.Oauth2.SendTokenToUpstream, } } - if authentication.TestConsoleKey != nil { - enforcerAuthentication.TestConsoleKey = &api.TestConsoleKey{ - Header: strings.ToLower(authentication.TestConsoleKey.Header), - SendTokenToUpstream: authentication.TestConsoleKey.SendTokenToUpstream, - } - } - return enforcerAuthentication } diff --git a/adapter/internal/oasparser/model/api_operation.go b/adapter/internal/oasparser/model/api_operation.go index a3d2285445..d26dde0f28 100644 --- a/adapter/internal/oasparser/model/api_operation.go +++ b/adapter/internal/oasparser/model/api_operation.go @@ -50,17 +50,18 @@ type Authentication struct { Disabled bool JWT *JWT APIKey []APIKey - TestConsoleKey *TestConsoleKey + Oauth2 *Oauth2 } // JWT holds JWT related configurations type JWT struct { Header string SendTokenToUpstream bool + Audience []string } -// TestConsoleKey holds testkey related configurations -type TestConsoleKey struct { +// Oauth2 holds Oauth2 related configurations +type Oauth2 struct { Header string SendTokenToUpstream bool } diff --git a/adapter/internal/oasparser/model/http_route.go b/adapter/internal/oasparser/model/http_route.go index 11fb078d7e..b560aecbc4 100644 --- a/adapter/internal/oasparser/model/http_route.go +++ b/adapter/internal/oasparser/model/http_route.go @@ -19,7 +19,6 @@ package model import ( "github.com/google/uuid" - "github.com/wso2/apk/adapter/internal/loggers" "github.com/wso2/apk/adapter/internal/oasparser/constants" "github.com/wso2/apk/adapter/internal/operator/utils" dpv1alpha1 "github.com/wso2/apk/common-go-libs/apis/dp/v1alpha1" @@ -234,19 +233,28 @@ func getSecurity(authScheme *dpv1alpha2.Authentication) *Authentication { sendTokenToUpstream = authScheme.Spec.Override.AuthTypes.Oauth2.SendTokenToUpstream } auth := &Authentication{Disabled: false, - TestConsoleKey: &TestConsoleKey{Header: constants.TestConsoleKeyHeader}, - JWT: &JWT{Header: authHeader, SendTokenToUpstream: sendTokenToUpstream}, + Oauth2: &Oauth2{Header: authHeader, SendTokenToUpstream: sendTokenToUpstream}, } if authScheme != nil && authScheme.Spec.Override != nil { if authScheme.Spec.Override.Disabled != nil && *authScheme.Spec.Override.Disabled { return &Authentication{Disabled: true} } authFound := false - if authScheme.Spec.Override.AuthTypes != nil && authScheme.Spec.Override.AuthTypes.Oauth2.Disabled { - auth = &Authentication{Disabled: false, - TestConsoleKey: &TestConsoleKey{Header: constants.TestConsoleKeyHeader}, - } + if authScheme.Spec.Override.AuthTypes != nil && !authScheme.Spec.Override.AuthTypes.Oauth2.Disabled { + authFound = true } else { + auth = &Authentication{Disabled: false} + } + if authScheme.Spec.Override.AuthTypes != nil && authScheme.Spec.Override.AuthTypes.JWT.Disabled != nil && !*authScheme.Spec.Override.AuthTypes.JWT.Disabled { + audience := make([]string, 0) + if len(authScheme.Spec.Override.AuthTypes.JWT.Audience) > 0 { + audience = authScheme.Spec.Override.AuthTypes.JWT.Audience + } + jwtHeader := constants.TestConsoleKeyHeader + if len(authScheme.Spec.Override.AuthTypes.JWT.Header) > 0 { + jwtHeader = authScheme.Spec.Override.AuthTypes.JWT.Header + } + auth.JWT = &JWT{Header: jwtHeader, SendTokenToUpstream: sendTokenToUpstream, Audience: audience} authFound = true } if authScheme.Spec.Override.AuthTypes != nil && authScheme.Spec.Override.AuthTypes.APIKey != nil { @@ -262,7 +270,6 @@ func getSecurity(authScheme *dpv1alpha2.Authentication) *Authentication { auth.APIKey = apiKeys } if !authFound { - loggers.LoggerOasparser.Debug("Disabled security.") return &Authentication{Disabled: true} } } diff --git a/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go b/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go index 4f0c0bd78c..be0fb06e13 100644 --- a/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go +++ b/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go @@ -105,8 +105,9 @@ type JWT struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the JWT - SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream + Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the JWT + SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream + Audience []string `protobuf:"bytes,3,rep,name=audience,proto3" json:"audience,omitempty"` } func (x *JWT) Reset() { @@ -155,19 +156,24 @@ func (x *JWT) GetSendTokenToUpstream() bool { return false } -type APIAuthentication struct { +func (x *JWT) GetAudience() []string { + if x != nil { + return x.Audience + } + return nil +} + +type Oauth2 struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Disabled bool `protobuf:"varint,1,opt,name=disabled,proto3" json:"disabled,omitempty"` // disable authentication - Jwt *JWT `protobuf:"bytes,2,opt,name=jwt,proto3" json:"jwt,omitempty"` - Apikey []*APIKey `protobuf:"bytes,3,rep,name=apikey,proto3" json:"apikey,omitempty"` - TestConsoleKey *TestConsoleKey `protobuf:"bytes,4,opt,name=testConsoleKey,proto3" json:"testConsoleKey,omitempty"` + Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the JWT + SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream } -func (x *APIAuthentication) Reset() { - *x = APIAuthentication{} +func (x *Oauth2) Reset() { + *x = Oauth2{} if protoimpl.UnsafeEnabled { mi := &file_wso2_discovery_api_api_authentication_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -175,13 +181,13 @@ func (x *APIAuthentication) Reset() { } } -func (x *APIAuthentication) String() string { +func (x *Oauth2) String() string { return protoimpl.X.MessageStringOf(x) } -func (*APIAuthentication) ProtoMessage() {} +func (*Oauth2) ProtoMessage() {} -func (x *APIAuthentication) ProtoReflect() protoreflect.Message { +func (x *Oauth2) ProtoReflect() protoreflect.Message { mi := &file_wso2_discovery_api_api_authentication_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -193,50 +199,38 @@ func (x *APIAuthentication) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use APIAuthentication.ProtoReflect.Descriptor instead. -func (*APIAuthentication) Descriptor() ([]byte, []int) { +// Deprecated: Use Oauth2.ProtoReflect.Descriptor instead. +func (*Oauth2) Descriptor() ([]byte, []int) { return file_wso2_discovery_api_api_authentication_proto_rawDescGZIP(), []int{2} } -func (x *APIAuthentication) GetDisabled() bool { - if x != nil { - return x.Disabled - } - return false -} - -func (x *APIAuthentication) GetJwt() *JWT { +func (x *Oauth2) GetHeader() string { if x != nil { - return x.Jwt - } - return nil -} - -func (x *APIAuthentication) GetApikey() []*APIKey { - if x != nil { - return x.Apikey + return x.Header } - return nil + return "" } -func (x *APIAuthentication) GetTestConsoleKey() *TestConsoleKey { +func (x *Oauth2) GetSendTokenToUpstream() bool { if x != nil { - return x.TestConsoleKey + return x.SendTokenToUpstream } - return nil + return false } -type TestConsoleKey struct { +type APIAuthentication struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the test key - SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream + Disabled bool `protobuf:"varint,1,opt,name=disabled,proto3" json:"disabled,omitempty"` // disable authentication + Jwt *JWT `protobuf:"bytes,2,opt,name=jwt,proto3" json:"jwt,omitempty"` + Apikey []*APIKey `protobuf:"bytes,3,rep,name=apikey,proto3" json:"apikey,omitempty"` + Oauth2 *Oauth2 `protobuf:"bytes,4,opt,name=Oauth2,proto3" json:"Oauth2,omitempty"` } -func (x *TestConsoleKey) Reset() { - *x = TestConsoleKey{} +func (x *APIAuthentication) Reset() { + *x = APIAuthentication{} if protoimpl.UnsafeEnabled { mi := &file_wso2_discovery_api_api_authentication_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -244,13 +238,13 @@ func (x *TestConsoleKey) Reset() { } } -func (x *TestConsoleKey) String() string { +func (x *APIAuthentication) String() string { return protoimpl.X.MessageStringOf(x) } -func (*TestConsoleKey) ProtoMessage() {} +func (*APIAuthentication) ProtoMessage() {} -func (x *TestConsoleKey) ProtoReflect() protoreflect.Message { +func (x *APIAuthentication) ProtoReflect() protoreflect.Message { mi := &file_wso2_discovery_api_api_authentication_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -262,23 +256,37 @@ func (x *TestConsoleKey) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use TestConsoleKey.ProtoReflect.Descriptor instead. -func (*TestConsoleKey) Descriptor() ([]byte, []int) { +// Deprecated: Use APIAuthentication.ProtoReflect.Descriptor instead. +func (*APIAuthentication) Descriptor() ([]byte, []int) { return file_wso2_discovery_api_api_authentication_proto_rawDescGZIP(), []int{3} } -func (x *TestConsoleKey) GetHeader() string { +func (x *APIAuthentication) GetDisabled() bool { if x != nil { - return x.Header + return x.Disabled } - return "" + return false } -func (x *TestConsoleKey) GetSendTokenToUpstream() bool { +func (x *APIAuthentication) GetJwt() *JWT { if x != nil { - return x.SendTokenToUpstream + return x.Jwt } - return false + return nil +} + +func (x *APIAuthentication) GetApikey() []*APIKey { + if x != nil { + return x.Apikey + } + return nil +} + +func (x *APIAuthentication) GetOauth2() *Oauth2 { + if x != nil { + return x.Oauth2 + } + return nil } var File_wso2_discovery_api_api_authentication_proto protoreflect.FileDescriptor @@ -294,12 +302,19 @@ var file_wso2_discovery_api_api_authentication_proto_rawDesc = []byte{ 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, - 0x6d, 0x22, 0x4f, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, + 0x6d, 0x22, 0x6b, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, - 0x61, 0x6d, 0x22, 0xda, 0x01, 0x0a, 0x11, 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, + 0x61, 0x6d, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x03, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x52, + 0x0a, 0x06, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x12, 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, + 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, + 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, + 0x61, 0x6d, 0x22, 0xc2, 0x01, 0x0a, 0x11, 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x29, 0x0a, 0x03, 0x6a, 0x77, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, @@ -308,26 +323,18 @@ var file_wso2_discovery_api_api_authentication_proto_rawDesc = []byte{ 0x32, 0x0a, 0x06, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x50, 0x49, 0x4b, 0x65, 0x79, 0x52, 0x06, 0x61, 0x70, 0x69, - 0x6b, 0x65, 0x79, 0x12, 0x4a, 0x0a, 0x0e, 0x74, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 0x6f, - 0x6c, 0x65, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x77, 0x73, - 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, - 0x2e, 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x4b, 0x65, 0x79, 0x52, - 0x0e, 0x74, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x4b, 0x65, 0x79, 0x22, - 0x5a, 0x0a, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x4b, 0x65, - 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, - 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, - 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x42, 0x7e, 0x0a, 0x23, 0x6f, - 0x72, 0x67, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x61, 0x70, 0x6b, 0x2e, 0x65, 0x6e, 0x66, 0x6f, - 0x72, 0x63, 0x65, 0x72, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, - 0x70, 0x69, 0x42, 0x16, 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, - 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d, 0x70, - 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x77, 0x73, 0x6f, 0x32, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, - 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x3b, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x33, + 0x6b, 0x65, 0x79, 0x12, 0x32, 0x0a, 0x06, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, + 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x52, + 0x06, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x42, 0x7e, 0x0a, 0x23, 0x6f, 0x72, 0x67, 0x2e, 0x77, + 0x73, 0x6f, 0x32, 0x2e, 0x61, 0x70, 0x6b, 0x2e, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, + 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, 0x42, 0x16, + 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, + 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, + 0x2f, 0x77, 0x73, 0x6f, 0x32, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2f, + 0x61, 0x70, 0x69, 0x3b, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -346,13 +353,13 @@ var file_wso2_discovery_api_api_authentication_proto_msgTypes = make([]protoimpl var file_wso2_discovery_api_api_authentication_proto_goTypes = []interface{}{ (*APIKey)(nil), // 0: wso2.discovery.api.APIKey (*JWT)(nil), // 1: wso2.discovery.api.JWT - (*APIAuthentication)(nil), // 2: wso2.discovery.api.APIAuthentication - (*TestConsoleKey)(nil), // 3: wso2.discovery.api.TestConsoleKey + (*Oauth2)(nil), // 2: wso2.discovery.api.Oauth2 + (*APIAuthentication)(nil), // 3: wso2.discovery.api.APIAuthentication } var file_wso2_discovery_api_api_authentication_proto_depIdxs = []int32{ 1, // 0: wso2.discovery.api.APIAuthentication.jwt:type_name -> wso2.discovery.api.JWT 0, // 1: wso2.discovery.api.APIAuthentication.apikey:type_name -> wso2.discovery.api.APIKey - 3, // 2: wso2.discovery.api.APIAuthentication.testConsoleKey:type_name -> wso2.discovery.api.TestConsoleKey + 2, // 2: wso2.discovery.api.APIAuthentication.Oauth2:type_name -> wso2.discovery.api.Oauth2 3, // [3:3] is the sub-list for method output_type 3, // [3:3] is the sub-list for method input_type 3, // [3:3] is the sub-list for extension type_name @@ -391,7 +398,7 @@ func file_wso2_discovery_api_api_authentication_proto_init() { } } file_wso2_discovery_api_api_authentication_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*APIAuthentication); i { + switch v := v.(*Oauth2); i { case 0: return &v.state case 1: @@ -403,7 +410,7 @@ func file_wso2_discovery_api_api_authentication_proto_init() { } } file_wso2_discovery_api_api_authentication_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*TestConsoleKey); i { + switch v := v.(*APIAuthentication); i { case 0: return &v.state case 1: diff --git a/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go b/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go index b60287f245..e9f28d11db 100644 --- a/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go +++ b/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go @@ -71,6 +71,22 @@ func (src *Authentication) ConvertTo(dstRaw conversion.Hub) error { dst.Spec.Override.AuthTypes.APIKey = append(dst.Spec.Override.AuthTypes.APIKey, convertedAPIKeyAuth) } + // Convert testConsoleKey Override to v1alpha2.JWT + if src.Spec.Override.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { + dst.Spec.Override.AuthTypes.JWT = v1alpha2.JWT{ + Header: src.Spec.Override.AuthTypes.TestConsoleKey.Header, + SendTokenToUpstream: src.Spec.Override.AuthTypes.TestConsoleKey.SendTokenToUpstream, + } + } + + // Convert testConsoleKey Default to v1alpha2.JWT + if src.Spec.Default.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { + dst.Spec.Default.AuthTypes.JWT = v1alpha2.JWT{ + Header: src.Spec.Default.AuthTypes.TestConsoleKey.Header, + SendTokenToUpstream: src.Spec.Default.AuthTypes.TestConsoleKey.SendTokenToUpstream, + } + } + // Status dst.Status = v1alpha2.AuthenticationStatus(src.Status) @@ -118,6 +134,18 @@ func (src *Authentication) ConvertFrom(srcRaw conversion.Hub) error { src.Spec.Override.AuthTypes.APIKey = append(src.Spec.Override.AuthTypes.APIKey, convertedAPIKeyAuth) } + // Convert testConsoleKey Override to v1alpha1.TestConsoleKey + src.Spec.Override.AuthTypes.TestConsoleKey = TestConsoleKeyAuth{ + Header: dst.Spec.Override.AuthTypes.JWT.Header, + SendTokenToUpstream: dst.Spec.Override.AuthTypes.JWT.SendTokenToUpstream, + } + + // Convert testConsoleKey Default to v1alpha1.TestConsoleKey + src.Spec.Default.AuthTypes.TestConsoleKey = TestConsoleKeyAuth{ + Header: dst.Spec.Default.AuthTypes.JWT.Header, + SendTokenToUpstream: dst.Spec.Default.AuthTypes.JWT.SendTokenToUpstream, + } + // Status src.Status = AuthenticationStatus(dst.Status) return nil diff --git a/common-go-libs/apis/dp/v1alpha2/authentication_types.go b/common-go-libs/apis/dp/v1alpha2/authentication_types.go index b3000fec18..c0eb99d3ec 100644 --- a/common-go-libs/apis/dp/v1alpha2/authentication_types.go +++ b/common-go-libs/apis/dp/v1alpha2/authentication_types.go @@ -55,10 +55,10 @@ type APIAuth struct { // +nullable APIKey []APIKeyAuth `json:"apiKey,omitempty"` - // TestConsoleKey is to specify the Test Console Key authentication scheme details + // JWT is to specify the JWT authentication scheme details // // +optional - TestConsoleKey TestConsoleKeyAuth `json:"testConsoleKey,omitempty"` + JWT JWT `json:"jwt,omitempty"` // MutualSSL is to specify the features and certificates for mutual SSL // @@ -91,19 +91,31 @@ type MutualSSLConfig struct { ConfigMapRefs []*RefConfig `json:"configMapRefs,omitempty"` } -// TestConsoleKeyAuth Test Console Key Authentication scheme details -type TestConsoleKeyAuth struct { - // Header is the header name used to pass the Test Console Key +// JWT Json Web Token Authentication scheme details +type JWT struct { + + // Disabled is to disable JWT authentication + // + // +kubebuilder:default=true + // +optional + Disabled *bool `json:"disabled"` + + // Header is the header name used to pass the JWT // // +kubebuilder:default:=internal-key // +optional // +kubebuilder:validation:MinLength=1 Header string `json:"header,omitempty"` - // SendTokenToUpstream is to specify whether the Test Console Key should be sent to the upstream + // SendTokenToUpstream is to specify whether the JWT should be sent to the upstream // // +optional SendTokenToUpstream bool `json:"sendTokenToUpstream,omitempty"` + + // Audience who can invoke a corresponding API + // + // +optional + Audience []string `json:"audience,omitempty"` } // Oauth2Auth OAuth2 Authentication scheme details diff --git a/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go b/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go index 9f683a1793..0400f77809 100644 --- a/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go +++ b/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go @@ -64,7 +64,7 @@ func (in *APIAuth) DeepCopyInto(out *APIAuth) { *out = make([]APIKeyAuth, len(*in)) copy(*out, *in) } - out.TestConsoleKey = in.TestConsoleKey + in.JWT.DeepCopyInto(&out.JWT) if in.MutualSSL != nil { in, out := &in.MutualSSL, &out.MutualSSL *out = new(MutualSSLConfig) @@ -766,6 +766,31 @@ func (in *JWKS) DeepCopy() *JWKS { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *JWT) DeepCopyInto(out *JWT) { + *out = *in + if in.Disabled != nil { + in, out := &in.Disabled, &out.Disabled + *out = new(bool) + **out = **in + } + if in.Audience != nil { + in, out := &in.Audience, &out.Audience + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWT. +func (in *JWT) DeepCopy() *JWT { + if in == nil { + return nil + } + out := new(JWT) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MutualSSL) DeepCopyInto(out *MutualSSL) { *out = *in @@ -939,21 +964,6 @@ func (in *SignatureValidation) DeepCopy() *SignatureValidation { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TestConsoleKeyAuth) DeepCopyInto(out *TestConsoleKeyAuth) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestConsoleKeyAuth. -func (in *TestConsoleKeyAuth) DeepCopy() *TestConsoleKeyAuth { - if in == nil { - return nil - } - out := new(TestConsoleKeyAuth) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer) { *out = *in diff --git a/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml b/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml index 1418de8c2c..784a583d66 100644 --- a/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml +++ b/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml @@ -275,6 +275,30 @@ spec: type: object nullable: true type: array + jwt: + description: JWT is to specify the JWT authentication scheme + details + properties: + audience: + description: Audience who can invoke a corresponding API + items: + type: string + type: array + disabled: + default: true + description: Disabled is to disable JWT authentication + type: boolean + header: + default: internal-key + description: Header is the header name used to pass the + JWT + minLength: 1 + type: string + sendTokenToUpstream: + description: SendTokenToUpstream is to specify whether + the JWT should be sent to the upstream + type: boolean + type: object mtls: description: MutualSSL is to specify the features and certificates for mutual SSL @@ -364,21 +388,6 @@ spec: the OAuth2 token should be sent to the upstream type: boolean type: object - testConsoleKey: - description: TestConsoleKey is to specify the Test Console - Key authentication scheme details - properties: - header: - default: internal-key - description: Header is the header name used to pass the - Test Console Key - minLength: 1 - type: string - sendTokenToUpstream: - description: SendTokenToUpstream is to specify whether - the Test Console Key should be sent to the upstream - type: boolean - type: object type: object disabled: description: Disabled is to disable all authentications @@ -417,6 +426,30 @@ spec: type: object nullable: true type: array + jwt: + description: JWT is to specify the JWT authentication scheme + details + properties: + audience: + description: Audience who can invoke a corresponding API + items: + type: string + type: array + disabled: + default: true + description: Disabled is to disable JWT authentication + type: boolean + header: + default: internal-key + description: Header is the header name used to pass the + JWT + minLength: 1 + type: string + sendTokenToUpstream: + description: SendTokenToUpstream is to specify whether + the JWT should be sent to the upstream + type: boolean + type: object mtls: description: MutualSSL is to specify the features and certificates for mutual SSL @@ -506,21 +539,6 @@ spec: the OAuth2 token should be sent to the upstream type: boolean type: object - testConsoleKey: - description: TestConsoleKey is to specify the Test Console - Key authentication scheme details - properties: - header: - default: internal-key - description: Header is the header name used to pass the - Test Console Key - minLength: 1 - type: string - sendTokenToUpstream: - description: SendTokenToUpstream is to specify whether - the Test Console Key should be sent to the upstream - type: boolean - type: object type: object disabled: description: Disabled is to disable all authentications diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java index dc8259a972..ed818a6f2a 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java +++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java @@ -42,6 +42,7 @@ public class JWTValidationInfo implements Serializable { private String identifier; private JWTClaimsSet jwtClaimsSet; private String token; + private List audience = new ArrayList<>(); public JWTValidationInfo() { @@ -57,6 +58,15 @@ public JWTValidationInfo(JWTValidationInfo jwtValidationInfo) { this.claims = jwtValidationInfo.getClaims(); this.validationCode = jwtValidationInfo.getValidationCode(); this.keyManager = jwtValidationInfo.getKeyManager(); + this.audience = jwtValidationInfo.audience; + } + + public List getAudience() { + return audience; + } + + public void setAudience(List audience) { + this.audience = audience; } public String getToken() { diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java index ade16982d5..b0c5ff67f1 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java +++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java @@ -24,6 +24,7 @@ public class AuthenticationConfig { private JWTAuthenticationConfig jwtAuthenticationConfig; private List apiKeyAuthenticationConfigs; private InternalKeyConfig internalKeyConfig; + private Oauth2AuthenticationConfig oauth2AuthenticationConfig; private boolean Disabled; public JWTAuthenticationConfig getJwtAuthenticationConfig() { @@ -57,4 +58,14 @@ public InternalKeyConfig getInternalKeyConfig() { public void setInternalKeyConfig(InternalKeyConfig internalKeyConfig) { this.internalKeyConfig = internalKeyConfig; } + + public Oauth2AuthenticationConfig getOauth2AuthenticationConfig() { + + return oauth2AuthenticationConfig; + } + + public void setOauth2AuthenticationConfig(Oauth2AuthenticationConfig oauth2AuthenticationConfig) { + + this.oauth2AuthenticationConfig = oauth2AuthenticationConfig; + } } diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java index b222e2f6c5..ddc5db695f 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java +++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java @@ -18,10 +18,12 @@ package org.wso2.apk.enforcer.commons.model; +import java.util.ArrayList; + public class JWTAuthenticationConfig { private String Header; private boolean sendTokenToUpstream; - + private ArrayList audience; public String getHeader() { return Header; } @@ -37,4 +39,12 @@ public boolean isSendTokenToUpstream() { public void setSendTokenToUpstream(boolean sendTokenToUpstream) { this.sendTokenToUpstream = sendTokenToUpstream; } + + public ArrayList getAudience() { + return audience; + } + + public void setAudience(ArrayList audience) { + this.audience = audience; + } } diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java new file mode 100644 index 0000000000..0631c5c895 --- /dev/null +++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.apk.enforcer.commons.model; + +public class Oauth2AuthenticationConfig { + private String Header; + private boolean sendTokenToUpstream; + + public String getHeader() { + return Header; + } + + public void setHeader(String header) { + Header = header; + } + + public boolean isSendTokenToUpstream() { + return sendTokenToUpstream; + } + + public void setSendTokenToUpstream(boolean sendTokenToUpstream) { + this.sendTokenToUpstream = sendTokenToUpstream; + } +} diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java index 8c2ee4e76c..b8b879d1cc 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java @@ -19,8 +19,8 @@ import org.wso2.apk.enforcer.commons.model.APIKeyAuthenticationConfig; import org.wso2.apk.enforcer.commons.model.AuthenticationConfig; -import org.wso2.apk.enforcer.commons.model.InternalKeyConfig; import org.wso2.apk.enforcer.commons.model.JWTAuthenticationConfig; +import org.wso2.apk.enforcer.commons.model.Oauth2AuthenticationConfig; import org.wso2.apk.enforcer.discovery.api.APIKey; import org.wso2.apk.enforcer.discovery.api.EndpointClusterConfig; import org.wso2.apk.enforcer.discovery.api.Operation; @@ -92,35 +92,50 @@ public static ResourceConfig buildResource(Operation operation, String resPath, AuthenticationConfig authenticationConfig = new AuthenticationConfig(); if (operation.hasApiAuthentication()) { authenticationConfig.setDisabled(operation.getApiAuthentication().getDisabled()); - if (operation.getApiAuthentication().hasJwt()) { - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader(operation.getApiAuthentication().getJwt().getHeader()); - jwtAuthenticationConfig.setSendTokenToUpstream(operation.getApiAuthentication().getJwt() + if (operation.getApiAuthentication().hasOauth2()) { + Oauth2AuthenticationConfig oAuth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oAuth2AuthenticationConfig.setHeader(operation.getApiAuthentication().getOauth2().getHeader()); + oAuth2AuthenticationConfig.setSendTokenToUpstream(operation.getApiAuthentication().getOauth2() .getSendTokenToUpstream()); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + authenticationConfig.setOauth2AuthenticationConfig(oAuth2AuthenticationConfig); } - List apiKeyAuthenticationConfigs = new ArrayList<>(); - for (APIKey apiKey : operation.getApiAuthentication().getApikeyList()) { - APIKeyAuthenticationConfig apiKeyAuthenticationConfig = new APIKeyAuthenticationConfig(); - apiKeyAuthenticationConfig.setIn(apiKey.getIn()); - apiKeyAuthenticationConfig.setName(apiKey.getName()); - apiKeyAuthenticationConfig.setSendTokenToUpstream(apiKey.getSendTokenToUpstream()); - apiKeyAuthenticationConfigs.add(apiKeyAuthenticationConfig); + if (operation.getApiAuthentication().hasJwt()) { + JWTAuthenticationConfig jwtAuthenticationConfig = getJwtAuthenticationConfig(operation); + authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); } + List apiKeyAuthenticationConfigs = getApiKeyAuthenticationConfigs(operation); authenticationConfig.setApiKeyAuthenticationConfigs(apiKeyAuthenticationConfigs); - if(operation.getApiAuthentication().hasTestConsoleKey()) { - InternalKeyConfig internalKeyConfig = new InternalKeyConfig(); - internalKeyConfig.setSendTokenToUpstream(operation.getApiAuthentication().getTestConsoleKey() - .getSendTokenToUpstream()); - internalKeyConfig.setHeader(operation.getApiAuthentication().getTestConsoleKey().getHeader()); - authenticationConfig.setInternalKeyConfig(internalKeyConfig); - } } resource.setAuthenticationConfig(authenticationConfig); resource.setScopes(operation.getScopesList().toArray(new String[0])); return resource; } + private static List getApiKeyAuthenticationConfigs(Operation operation) { + List apiKeyAuthenticationConfigs = new ArrayList<>(); + for (APIKey apiKey : operation.getApiAuthentication().getApikeyList()) { + APIKeyAuthenticationConfig apiKeyAuthenticationConfig = new APIKeyAuthenticationConfig(); + apiKeyAuthenticationConfig.setIn(apiKey.getIn()); + apiKeyAuthenticationConfig.setName(apiKey.getName()); + apiKeyAuthenticationConfig.setSendTokenToUpstream(apiKey.getSendTokenToUpstream()); + apiKeyAuthenticationConfigs.add(apiKeyAuthenticationConfig); + } + return apiKeyAuthenticationConfigs; + } + + private static JWTAuthenticationConfig getJwtAuthenticationConfig(Operation operation) { + JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); + jwtAuthenticationConfig.setHeader(operation.getApiAuthentication().getJwt().getHeader()); + jwtAuthenticationConfig.setSendTokenToUpstream(operation.getApiAuthentication().getJwt() + .getSendTokenToUpstream()); + ArrayList audience = new ArrayList<>(); + for (int i = 0; i < operation.getApiAuthentication().getJwt().getAudienceCount(); i++) { + audience.add(operation.getApiAuthentication().getJwt().getAudience(i)); + } + jwtAuthenticationConfig.setAudience(audience); + return jwtAuthenticationConfig; + } + public static PolicyConfig genPolicyConfig(OperationPolicies operationPolicies) { PolicyConfig policyConfig = new PolicyConfig(); if (operationPolicies.getRequestCount() > 0) { diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java index 3c7df3b218..439f65eb75 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java @@ -78,14 +78,14 @@ private APIAuthentication( break; } case 34: { - org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder subBuilder = null; - if (testConsoleKey_ != null) { - subBuilder = testConsoleKey_.toBuilder(); + org.wso2.apk.enforcer.discovery.api.Oauth2.Builder subBuilder = null; + if (oauth2_ != null) { + subBuilder = oauth2_.toBuilder(); } - testConsoleKey_ = input.readMessage(org.wso2.apk.enforcer.discovery.api.TestConsoleKey.parser(), extensionRegistry); + oauth2_ = input.readMessage(org.wso2.apk.enforcer.discovery.api.Oauth2.parser(), extensionRegistry); if (subBuilder != null) { - subBuilder.mergeFrom(testConsoleKey_); - testConsoleKey_ = subBuilder.buildPartial(); + subBuilder.mergeFrom(oauth2_); + oauth2_ = subBuilder.buildPartial(); } break; @@ -206,30 +206,30 @@ public org.wso2.apk.enforcer.discovery.api.APIKeyOrBuilder getApikeyOrBuilder( return apikey_.get(index); } - public static final int TESTCONSOLEKEY_FIELD_NUMBER = 4; - private org.wso2.apk.enforcer.discovery.api.TestConsoleKey testConsoleKey_; + public static final int OAUTH2_FIELD_NUMBER = 4; + private org.wso2.apk.enforcer.discovery.api.Oauth2 oauth2_; /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; - * @return Whether the testConsoleKey field is set. + * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * @return Whether the oauth2 field is set. */ @java.lang.Override - public boolean hasTestConsoleKey() { - return testConsoleKey_ != null; + public boolean hasOauth2() { + return oauth2_ != null; } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; - * @return The testConsoleKey. + * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * @return The oauth2. */ @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getTestConsoleKey() { - return testConsoleKey_ == null ? org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance() : testConsoleKey_; + public org.wso2.apk.enforcer.discovery.api.Oauth2 getOauth2() { + return oauth2_ == null ? org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance() : oauth2_; } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder getTestConsoleKeyOrBuilder() { - return getTestConsoleKey(); + public org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder getOauth2OrBuilder() { + return getOauth2(); } private byte memoizedIsInitialized = -1; @@ -255,8 +255,8 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) for (int i = 0; i < apikey_.size(); i++) { output.writeMessage(3, apikey_.get(i)); } - if (testConsoleKey_ != null) { - output.writeMessage(4, getTestConsoleKey()); + if (oauth2_ != null) { + output.writeMessage(4, getOauth2()); } unknownFields.writeTo(output); } @@ -279,9 +279,9 @@ public int getSerializedSize() { size += com.google.protobuf.CodedOutputStream .computeMessageSize(3, apikey_.get(i)); } - if (testConsoleKey_ != null) { + if (oauth2_ != null) { size += com.google.protobuf.CodedOutputStream - .computeMessageSize(4, getTestConsoleKey()); + .computeMessageSize(4, getOauth2()); } size += unknownFields.getSerializedSize(); memoizedSize = size; @@ -307,10 +307,10 @@ public boolean equals(final java.lang.Object obj) { } if (!getApikeyList() .equals(other.getApikeyList())) return false; - if (hasTestConsoleKey() != other.hasTestConsoleKey()) return false; - if (hasTestConsoleKey()) { - if (!getTestConsoleKey() - .equals(other.getTestConsoleKey())) return false; + if (hasOauth2() != other.hasOauth2()) return false; + if (hasOauth2()) { + if (!getOauth2() + .equals(other.getOauth2())) return false; } if (!unknownFields.equals(other.unknownFields)) return false; return true; @@ -334,9 +334,9 @@ public int hashCode() { hash = (37 * hash) + APIKEY_FIELD_NUMBER; hash = (53 * hash) + getApikeyList().hashCode(); } - if (hasTestConsoleKey()) { - hash = (37 * hash) + TESTCONSOLEKEY_FIELD_NUMBER; - hash = (53 * hash) + getTestConsoleKey().hashCode(); + if (hasOauth2()) { + hash = (37 * hash) + OAUTH2_FIELD_NUMBER; + hash = (53 * hash) + getOauth2().hashCode(); } hash = (29 * hash) + unknownFields.hashCode(); memoizedHashCode = hash; @@ -486,11 +486,11 @@ public Builder clear() { } else { apikeyBuilder_.clear(); } - if (testConsoleKeyBuilder_ == null) { - testConsoleKey_ = null; + if (oauth2Builder_ == null) { + oauth2_ = null; } else { - testConsoleKey_ = null; - testConsoleKeyBuilder_ = null; + oauth2_ = null; + oauth2Builder_ = null; } return this; } @@ -534,10 +534,10 @@ public org.wso2.apk.enforcer.discovery.api.APIAuthentication buildPartial() { } else { result.apikey_ = apikeyBuilder_.build(); } - if (testConsoleKeyBuilder_ == null) { - result.testConsoleKey_ = testConsoleKey_; + if (oauth2Builder_ == null) { + result.oauth2_ = oauth2_; } else { - result.testConsoleKey_ = testConsoleKeyBuilder_.build(); + result.oauth2_ = oauth2Builder_.build(); } onBuilt(); return result; @@ -619,8 +619,8 @@ public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.APIAuthentication o } } } - if (other.hasTestConsoleKey()) { - mergeTestConsoleKey(other.getTestConsoleKey()); + if (other.hasOauth2()) { + mergeOauth2(other.getOauth2()); } this.mergeUnknownFields(other.unknownFields); onChanged(); @@ -1054,123 +1054,123 @@ public org.wso2.apk.enforcer.discovery.api.APIKey.Builder addApikeyBuilder( return apikeyBuilder_; } - private org.wso2.apk.enforcer.discovery.api.TestConsoleKey testConsoleKey_; + private org.wso2.apk.enforcer.discovery.api.Oauth2 oauth2_; private com.google.protobuf.SingleFieldBuilderV3< - org.wso2.apk.enforcer.discovery.api.TestConsoleKey, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder, org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder> testConsoleKeyBuilder_; + org.wso2.apk.enforcer.discovery.api.Oauth2, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder, org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder> oauth2Builder_; /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; - * @return Whether the testConsoleKey field is set. + * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * @return Whether the oauth2 field is set. */ - public boolean hasTestConsoleKey() { - return testConsoleKeyBuilder_ != null || testConsoleKey_ != null; + public boolean hasOauth2() { + return oauth2Builder_ != null || oauth2_ != null; } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; - * @return The testConsoleKey. + * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * @return The oauth2. */ - public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getTestConsoleKey() { - if (testConsoleKeyBuilder_ == null) { - return testConsoleKey_ == null ? org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance() : testConsoleKey_; + public org.wso2.apk.enforcer.discovery.api.Oauth2 getOauth2() { + if (oauth2Builder_ == null) { + return oauth2_ == null ? org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance() : oauth2_; } else { - return testConsoleKeyBuilder_.getMessage(); + return oauth2Builder_.getMessage(); } } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ - public Builder setTestConsoleKey(org.wso2.apk.enforcer.discovery.api.TestConsoleKey value) { - if (testConsoleKeyBuilder_ == null) { + public Builder setOauth2(org.wso2.apk.enforcer.discovery.api.Oauth2 value) { + if (oauth2Builder_ == null) { if (value == null) { throw new NullPointerException(); } - testConsoleKey_ = value; + oauth2_ = value; onChanged(); } else { - testConsoleKeyBuilder_.setMessage(value); + oauth2Builder_.setMessage(value); } return this; } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ - public Builder setTestConsoleKey( - org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder builderForValue) { - if (testConsoleKeyBuilder_ == null) { - testConsoleKey_ = builderForValue.build(); + public Builder setOauth2( + org.wso2.apk.enforcer.discovery.api.Oauth2.Builder builderForValue) { + if (oauth2Builder_ == null) { + oauth2_ = builderForValue.build(); onChanged(); } else { - testConsoleKeyBuilder_.setMessage(builderForValue.build()); + oauth2Builder_.setMessage(builderForValue.build()); } return this; } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ - public Builder mergeTestConsoleKey(org.wso2.apk.enforcer.discovery.api.TestConsoleKey value) { - if (testConsoleKeyBuilder_ == null) { - if (testConsoleKey_ != null) { - testConsoleKey_ = - org.wso2.apk.enforcer.discovery.api.TestConsoleKey.newBuilder(testConsoleKey_).mergeFrom(value).buildPartial(); + public Builder mergeOauth2(org.wso2.apk.enforcer.discovery.api.Oauth2 value) { + if (oauth2Builder_ == null) { + if (oauth2_ != null) { + oauth2_ = + org.wso2.apk.enforcer.discovery.api.Oauth2.newBuilder(oauth2_).mergeFrom(value).buildPartial(); } else { - testConsoleKey_ = value; + oauth2_ = value; } onChanged(); } else { - testConsoleKeyBuilder_.mergeFrom(value); + oauth2Builder_.mergeFrom(value); } return this; } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ - public Builder clearTestConsoleKey() { - if (testConsoleKeyBuilder_ == null) { - testConsoleKey_ = null; + public Builder clearOauth2() { + if (oauth2Builder_ == null) { + oauth2_ = null; onChanged(); } else { - testConsoleKey_ = null; - testConsoleKeyBuilder_ = null; + oauth2_ = null; + oauth2Builder_ = null; } return this; } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ - public org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder getTestConsoleKeyBuilder() { + public org.wso2.apk.enforcer.discovery.api.Oauth2.Builder getOauth2Builder() { onChanged(); - return getTestConsoleKeyFieldBuilder().getBuilder(); + return getOauth2FieldBuilder().getBuilder(); } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ - public org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder getTestConsoleKeyOrBuilder() { - if (testConsoleKeyBuilder_ != null) { - return testConsoleKeyBuilder_.getMessageOrBuilder(); + public org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder getOauth2OrBuilder() { + if (oauth2Builder_ != null) { + return oauth2Builder_.getMessageOrBuilder(); } else { - return testConsoleKey_ == null ? - org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance() : testConsoleKey_; + return oauth2_ == null ? + org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance() : oauth2_; } } /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ private com.google.protobuf.SingleFieldBuilderV3< - org.wso2.apk.enforcer.discovery.api.TestConsoleKey, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder, org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder> - getTestConsoleKeyFieldBuilder() { - if (testConsoleKeyBuilder_ == null) { - testConsoleKeyBuilder_ = new com.google.protobuf.SingleFieldBuilderV3< - org.wso2.apk.enforcer.discovery.api.TestConsoleKey, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder, org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder>( - getTestConsoleKey(), + org.wso2.apk.enforcer.discovery.api.Oauth2, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder, org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder> + getOauth2FieldBuilder() { + if (oauth2Builder_ == null) { + oauth2Builder_ = new com.google.protobuf.SingleFieldBuilderV3< + org.wso2.apk.enforcer.discovery.api.Oauth2, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder, org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder>( + getOauth2(), getParentForChildren(), isClean()); - testConsoleKey_ = null; + oauth2_ = null; } - return testConsoleKeyBuilder_; + return oauth2Builder_; } @java.lang.Override public final Builder setUnknownFields( diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java index 047efca17d..110ea4c817 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java @@ -57,17 +57,17 @@ org.wso2.apk.enforcer.discovery.api.APIKeyOrBuilder getApikeyOrBuilder( int index); /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; - * @return Whether the testConsoleKey field is set. + * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * @return Whether the oauth2 field is set. */ - boolean hasTestConsoleKey(); + boolean hasOauth2(); /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; - * @return The testConsoleKey. + * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * @return The oauth2. */ - org.wso2.apk.enforcer.discovery.api.TestConsoleKey getTestConsoleKey(); + org.wso2.apk.enforcer.discovery.api.Oauth2 getOauth2(); /** - * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * .wso2.discovery.api.Oauth2 Oauth2 = 4; */ - org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder getTestConsoleKeyOrBuilder(); + org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder getOauth2OrBuilder(); } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java index 29ece1c09c..9c112c460f 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java @@ -25,15 +25,15 @@ public static void registerAllExtensions( com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internal_static_wso2_discovery_api_JWT_fieldAccessorTable; static final com.google.protobuf.Descriptors.Descriptor - internal_static_wso2_discovery_api_APIAuthentication_descriptor; + internal_static_wso2_discovery_api_Oauth2_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable - internal_static_wso2_discovery_api_APIAuthentication_fieldAccessorTable; + internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable; static final com.google.protobuf.Descriptors.Descriptor - internal_static_wso2_discovery_api_TestConsoleKey_descriptor; + internal_static_wso2_discovery_api_APIAuthentication_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable - internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable; + internal_static_wso2_discovery_api_APIAuthentication_fieldAccessorTable; public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { @@ -46,18 +46,17 @@ public static void registerAllExtensions( "\n+wso2/discovery/api/api_authentication." + "proto\022\022wso2.discovery.api\"?\n\006APIKey\022\014\n\004n" + "ame\030\001 \001(\t\022\n\n\002in\030\002 \001(\t\022\033\n\023sendTokenToUpst" + - "ream\030\003 \001(\010\"2\n\003JWT\022\016\n\006header\030\001 \001(\t\022\033\n\023sen" + - "dTokenToUpstream\030\002 \001(\010\"\263\001\n\021APIAuthentica" + - "tion\022\020\n\010disabled\030\001 \001(\010\022$\n\003jwt\030\002 \001(\0132\027.ws" + - "o2.discovery.api.JWT\022*\n\006apikey\030\003 \003(\0132\032.w" + - "so2.discovery.api.APIKey\022:\n\016testConsoleK" + - "ey\030\004 \001(\0132\".wso2.discovery.api.TestConsol" + - "eKey\"=\n\016TestConsoleKey\022\016\n\006header\030\001 \001(\t\022\033" + - "\n\023sendTokenToUpstream\030\002 \001(\010B~\n#org.wso2." + - "apk.enforcer.discovery.apiB\026APIAuthentic" + - "ationProtoP\001Z=github.com/envoyproxy/go-c" + - "ontrol-plane/wso2/discovery/api;apib\006pro" + - "to3" + "ream\030\003 \001(\010\"D\n\003JWT\022\016\n\006header\030\001 \001(\t\022\033\n\023sen" + + "dTokenToUpstream\030\002 \001(\010\022\020\n\010audience\030\003 \003(\t" + + "\"5\n\006Oauth2\022\016\n\006header\030\001 \001(\t\022\033\n\023sendTokenT" + + "oUpstream\030\002 \001(\010\"\243\001\n\021APIAuthentication\022\020\n" + + "\010disabled\030\001 \001(\010\022$\n\003jwt\030\002 \001(\0132\027.wso2.disc" + + "overy.api.JWT\022*\n\006apikey\030\003 \003(\0132\032.wso2.dis" + + "covery.api.APIKey\022*\n\006Oauth2\030\004 \001(\0132\032.wso2" + + ".discovery.api.Oauth2B~\n#org.wso2.apk.en" + + "forcer.discovery.apiB\026APIAuthenticationP" + + "rotoP\001Z=github.com/envoyproxy/go-control" + + "-plane/wso2/discovery/api;apib\006proto3" }; descriptor = com.google.protobuf.Descriptors.FileDescriptor .internalBuildGeneratedFileFrom(descriptorData, @@ -74,19 +73,19 @@ public static void registerAllExtensions( internal_static_wso2_discovery_api_JWT_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_wso2_discovery_api_JWT_descriptor, + new java.lang.String[] { "Header", "SendTokenToUpstream", "Audience", }); + internal_static_wso2_discovery_api_Oauth2_descriptor = + getDescriptor().getMessageTypes().get(2); + internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable = new + com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( + internal_static_wso2_discovery_api_Oauth2_descriptor, new java.lang.String[] { "Header", "SendTokenToUpstream", }); internal_static_wso2_discovery_api_APIAuthentication_descriptor = - getDescriptor().getMessageTypes().get(2); + getDescriptor().getMessageTypes().get(3); internal_static_wso2_discovery_api_APIAuthentication_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_wso2_discovery_api_APIAuthentication_descriptor, - new java.lang.String[] { "Disabled", "Jwt", "Apikey", "TestConsoleKey", }); - internal_static_wso2_discovery_api_TestConsoleKey_descriptor = - getDescriptor().getMessageTypes().get(3); - internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable = new - com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( - internal_static_wso2_discovery_api_TestConsoleKey_descriptor, - new java.lang.String[] { "Header", "SendTokenToUpstream", }); + new java.lang.String[] { "Disabled", "Jwt", "Apikey", "Oauth2", }); } // @@protoc_insertion_point(outer_class_scope) diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java index e1f5fa2468..fa94ed0631 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java @@ -17,6 +17,7 @@ private JWT(com.google.protobuf.GeneratedMessageV3.Builder builder) { } private JWT() { header_ = ""; + audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; } @java.lang.Override @@ -39,6 +40,7 @@ private JWT( if (extensionRegistry == null) { throw new java.lang.NullPointerException(); } + int mutable_bitField0_ = 0; com.google.protobuf.UnknownFieldSet.Builder unknownFields = com.google.protobuf.UnknownFieldSet.newBuilder(); try { @@ -60,6 +62,15 @@ private JWT( sendTokenToUpstream_ = input.readBool(); break; } + case 26: { + java.lang.String s = input.readStringRequireUtf8(); + if (!((mutable_bitField0_ & 0x00000001) != 0)) { + audience_ = new com.google.protobuf.LazyStringArrayList(); + mutable_bitField0_ |= 0x00000001; + } + audience_.add(s); + break; + } default: { if (!parseUnknownField( input, unknownFields, extensionRegistry, tag)) { @@ -75,6 +86,9 @@ private JWT( throw new com.google.protobuf.InvalidProtocolBufferException( e).setUnfinishedMessage(this); } finally { + if (((mutable_bitField0_ & 0x00000001) != 0)) { + audience_ = audience_.getUnmodifiableView(); + } this.unknownFields = unknownFields.build(); makeExtensionsImmutable(); } @@ -153,6 +167,41 @@ public boolean getSendTokenToUpstream() { return sendTokenToUpstream_; } + public static final int AUDIENCE_FIELD_NUMBER = 3; + private com.google.protobuf.LazyStringList audience_; + /** + * repeated string audience = 3; + * @return A list containing the audience. + */ + public com.google.protobuf.ProtocolStringList + getAudienceList() { + return audience_; + } + /** + * repeated string audience = 3; + * @return The count of audience. + */ + public int getAudienceCount() { + return audience_.size(); + } + /** + * repeated string audience = 3; + * @param index The index of the element to return. + * @return The audience at the given index. + */ + public java.lang.String getAudience(int index) { + return audience_.get(index); + } + /** + * repeated string audience = 3; + * @param index The index of the value to return. + * @return The bytes of the audience at the given index. + */ + public com.google.protobuf.ByteString + getAudienceBytes(int index) { + return audience_.getByteString(index); + } + private byte memoizedIsInitialized = -1; @java.lang.Override public final boolean isInitialized() { @@ -173,6 +222,9 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) if (sendTokenToUpstream_ != false) { output.writeBool(2, sendTokenToUpstream_); } + for (int i = 0; i < audience_.size(); i++) { + com.google.protobuf.GeneratedMessageV3.writeString(output, 3, audience_.getRaw(i)); + } unknownFields.writeTo(output); } @@ -189,6 +241,14 @@ public int getSerializedSize() { size += com.google.protobuf.CodedOutputStream .computeBoolSize(2, sendTokenToUpstream_); } + { + int dataSize = 0; + for (int i = 0; i < audience_.size(); i++) { + dataSize += computeStringSizeNoTag(audience_.getRaw(i)); + } + size += dataSize; + size += 1 * getAudienceList().size(); + } size += unknownFields.getSerializedSize(); memoizedSize = size; return size; @@ -208,6 +268,8 @@ public boolean equals(final java.lang.Object obj) { .equals(other.getHeader())) return false; if (getSendTokenToUpstream() != other.getSendTokenToUpstream()) return false; + if (!getAudienceList() + .equals(other.getAudienceList())) return false; if (!unknownFields.equals(other.unknownFields)) return false; return true; } @@ -224,6 +286,10 @@ public int hashCode() { hash = (37 * hash) + SENDTOKENTOUPSTREAM_FIELD_NUMBER; hash = (53 * hash) + com.google.protobuf.Internal.hashBoolean( getSendTokenToUpstream()); + if (getAudienceCount() > 0) { + hash = (37 * hash) + AUDIENCE_FIELD_NUMBER; + hash = (53 * hash) + getAudienceList().hashCode(); + } hash = (29 * hash) + unknownFields.hashCode(); memoizedHashCode = hash; return hash; @@ -361,6 +427,8 @@ public Builder clear() { sendTokenToUpstream_ = false; + audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); return this; } @@ -387,8 +455,14 @@ public org.wso2.apk.enforcer.discovery.api.JWT build() { @java.lang.Override public org.wso2.apk.enforcer.discovery.api.JWT buildPartial() { org.wso2.apk.enforcer.discovery.api.JWT result = new org.wso2.apk.enforcer.discovery.api.JWT(this); + int from_bitField0_ = bitField0_; result.header_ = header_; result.sendTokenToUpstream_ = sendTokenToUpstream_; + if (((bitField0_ & 0x00000001) != 0)) { + audience_ = audience_.getUnmodifiableView(); + bitField0_ = (bitField0_ & ~0x00000001); + } + result.audience_ = audience_; onBuilt(); return result; } @@ -444,6 +518,16 @@ public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.JWT other) { if (other.getSendTokenToUpstream() != false) { setSendTokenToUpstream(other.getSendTokenToUpstream()); } + if (!other.audience_.isEmpty()) { + if (audience_.isEmpty()) { + audience_ = other.audience_; + bitField0_ = (bitField0_ & ~0x00000001); + } else { + ensureAudienceIsMutable(); + audience_.addAll(other.audience_); + } + onChanged(); + } this.mergeUnknownFields(other.unknownFields); onChanged(); return this; @@ -472,6 +556,7 @@ public Builder mergeFrom( } return this; } + private int bitField0_; private java.lang.Object header_ = ""; /** @@ -611,6 +696,116 @@ public Builder clearSendTokenToUpstream() { onChanged(); return this; } + + private com.google.protobuf.LazyStringList audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; + private void ensureAudienceIsMutable() { + if (!((bitField0_ & 0x00000001) != 0)) { + audience_ = new com.google.protobuf.LazyStringArrayList(audience_); + bitField0_ |= 0x00000001; + } + } + /** + * repeated string audience = 3; + * @return A list containing the audience. + */ + public com.google.protobuf.ProtocolStringList + getAudienceList() { + return audience_.getUnmodifiableView(); + } + /** + * repeated string audience = 3; + * @return The count of audience. + */ + public int getAudienceCount() { + return audience_.size(); + } + /** + * repeated string audience = 3; + * @param index The index of the element to return. + * @return The audience at the given index. + */ + public java.lang.String getAudience(int index) { + return audience_.get(index); + } + /** + * repeated string audience = 3; + * @param index The index of the value to return. + * @return The bytes of the audience at the given index. + */ + public com.google.protobuf.ByteString + getAudienceBytes(int index) { + return audience_.getByteString(index); + } + /** + * repeated string audience = 3; + * @param index The index to set the value at. + * @param value The audience to set. + * @return This builder for chaining. + */ + public Builder setAudience( + int index, java.lang.String value) { + if (value == null) { + throw new NullPointerException(); + } + ensureAudienceIsMutable(); + audience_.set(index, value); + onChanged(); + return this; + } + /** + * repeated string audience = 3; + * @param value The audience to add. + * @return This builder for chaining. + */ + public Builder addAudience( + java.lang.String value) { + if (value == null) { + throw new NullPointerException(); + } + ensureAudienceIsMutable(); + audience_.add(value); + onChanged(); + return this; + } + /** + * repeated string audience = 3; + * @param values The audience to add. + * @return This builder for chaining. + */ + public Builder addAllAudience( + java.lang.Iterable values) { + ensureAudienceIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll( + values, audience_); + onChanged(); + return this; + } + /** + * repeated string audience = 3; + * @return This builder for chaining. + */ + public Builder clearAudience() { + audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); + onChanged(); + return this; + } + /** + * repeated string audience = 3; + * @param value The bytes of the audience to add. + * @return This builder for chaining. + */ + public Builder addAudienceBytes( + com.google.protobuf.ByteString value) { + if (value == null) { + throw new NullPointerException(); + } + checkByteStringIsUtf8(value); + ensureAudienceIsMutable(); + audience_.add(value); + onChanged(); + return this; + } @java.lang.Override public final Builder setUnknownFields( final com.google.protobuf.UnknownFieldSet unknownFields) { diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java index 3b1eee4ba2..0b1220acc4 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java @@ -36,4 +36,29 @@ public interface JWTOrBuilder extends * @return The sendTokenToUpstream. */ boolean getSendTokenToUpstream(); + + /** + * repeated string audience = 3; + * @return A list containing the audience. + */ + java.util.List + getAudienceList(); + /** + * repeated string audience = 3; + * @return The count of audience. + */ + int getAudienceCount(); + /** + * repeated string audience = 3; + * @param index The index of the element to return. + * @return The audience at the given index. + */ + java.lang.String getAudience(int index); + /** + * repeated string audience = 3; + * @param index The index of the value to return. + * @return The bytes of the audience at the given index. + */ + com.google.protobuf.ByteString + getAudienceBytes(int index); } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/TestConsoleKey.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2.java similarity index 78% rename from gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/TestConsoleKey.java rename to gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2.java index 987c16fb56..e90bb74143 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/TestConsoleKey.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2.java @@ -4,18 +4,18 @@ package org.wso2.apk.enforcer.discovery.api; /** - * Protobuf type {@code wso2.discovery.api.TestConsoleKey} + * Protobuf type {@code wso2.discovery.api.Oauth2} */ -public final class TestConsoleKey extends +public final class Oauth2 extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:wso2.discovery.api.TestConsoleKey) - TestConsoleKeyOrBuilder { + // @@protoc_insertion_point(message_implements:wso2.discovery.api.Oauth2) + Oauth2OrBuilder { private static final long serialVersionUID = 0L; - // Use TestConsoleKey.newBuilder() to construct. - private TestConsoleKey(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use Oauth2.newBuilder() to construct. + private Oauth2(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private TestConsoleKey() { + private Oauth2() { header_ = ""; } @@ -23,7 +23,7 @@ private TestConsoleKey() { @SuppressWarnings({"unused"}) protected java.lang.Object newInstance( UnusedPrivateParameter unused) { - return new TestConsoleKey(); + return new Oauth2(); } @java.lang.Override @@ -31,7 +31,7 @@ protected java.lang.Object newInstance( getUnknownFields() { return this.unknownFields; } - private TestConsoleKey( + private Oauth2( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { @@ -81,22 +81,22 @@ private TestConsoleKey( } public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_descriptor; + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable .ensureFieldAccessorsInitialized( - org.wso2.apk.enforcer.discovery.api.TestConsoleKey.class, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder.class); + org.wso2.apk.enforcer.discovery.api.Oauth2.class, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder.class); } public static final int HEADER_FIELD_NUMBER = 1; private volatile java.lang.Object header_; /** *
-   * name of the header containing the test key
+   * name of the header containing the JWT
    * 
* * string header = 1; @@ -117,7 +117,7 @@ public java.lang.String getHeader() { } /** *
-   * name of the header containing the test key
+   * name of the header containing the JWT
    * 
* * string header = 1; @@ -199,10 +199,10 @@ public boolean equals(final java.lang.Object obj) { if (obj == this) { return true; } - if (!(obj instanceof org.wso2.apk.enforcer.discovery.api.TestConsoleKey)) { + if (!(obj instanceof org.wso2.apk.enforcer.discovery.api.Oauth2)) { return super.equals(obj); } - org.wso2.apk.enforcer.discovery.api.TestConsoleKey other = (org.wso2.apk.enforcer.discovery.api.TestConsoleKey) obj; + org.wso2.apk.enforcer.discovery.api.Oauth2 other = (org.wso2.apk.enforcer.discovery.api.Oauth2) obj; if (!getHeader() .equals(other.getHeader())) return false; @@ -229,69 +229,69 @@ public int hashCode() { return hash; } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom(byte[] data) + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom(java.io.InputStream input) + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseWithIOException(PARSER, input); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseWithIOException(PARSER, input, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseDelimitedFrom(java.io.InputStream input) + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseDelimitedWithIOException(PARSER, input); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseDelimitedFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseDelimitedWithIOException(PARSER, input, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseWithIOException(PARSER, input); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( + public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { @@ -304,7 +304,7 @@ public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( public static Builder newBuilder() { return DEFAULT_INSTANCE.toBuilder(); } - public static Builder newBuilder(org.wso2.apk.enforcer.discovery.api.TestConsoleKey prototype) { + public static Builder newBuilder(org.wso2.apk.enforcer.discovery.api.Oauth2 prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @java.lang.Override @@ -320,26 +320,26 @@ protected Builder newBuilderForType( return builder; } /** - * Protobuf type {@code wso2.discovery.api.TestConsoleKey} + * Protobuf type {@code wso2.discovery.api.Oauth2} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:wso2.discovery.api.TestConsoleKey) - org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder { + // @@protoc_insertion_point(builder_implements:wso2.discovery.api.Oauth2) + org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_descriptor; + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable .ensureFieldAccessorsInitialized( - org.wso2.apk.enforcer.discovery.api.TestConsoleKey.class, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder.class); + org.wso2.apk.enforcer.discovery.api.Oauth2.class, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder.class); } - // Construct using org.wso2.apk.enforcer.discovery.api.TestConsoleKey.newBuilder() + // Construct using org.wso2.apk.enforcer.discovery.api.Oauth2.newBuilder() private Builder() { maybeForceBuilderInitialization(); } @@ -367,17 +367,17 @@ public Builder clear() { @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_descriptor; + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_descriptor; } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getDefaultInstanceForType() { - return org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance(); + public org.wso2.apk.enforcer.discovery.api.Oauth2 getDefaultInstanceForType() { + return org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance(); } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.TestConsoleKey build() { - org.wso2.apk.enforcer.discovery.api.TestConsoleKey result = buildPartial(); + public org.wso2.apk.enforcer.discovery.api.Oauth2 build() { + org.wso2.apk.enforcer.discovery.api.Oauth2 result = buildPartial(); if (!result.isInitialized()) { throw newUninitializedMessageException(result); } @@ -385,8 +385,8 @@ public org.wso2.apk.enforcer.discovery.api.TestConsoleKey build() { } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.TestConsoleKey buildPartial() { - org.wso2.apk.enforcer.discovery.api.TestConsoleKey result = new org.wso2.apk.enforcer.discovery.api.TestConsoleKey(this); + public org.wso2.apk.enforcer.discovery.api.Oauth2 buildPartial() { + org.wso2.apk.enforcer.discovery.api.Oauth2 result = new org.wso2.apk.enforcer.discovery.api.Oauth2(this); result.header_ = header_; result.sendTokenToUpstream_ = sendTokenToUpstream_; onBuilt(); @@ -427,16 +427,16 @@ public Builder addRepeatedField( } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { - if (other instanceof org.wso2.apk.enforcer.discovery.api.TestConsoleKey) { - return mergeFrom((org.wso2.apk.enforcer.discovery.api.TestConsoleKey)other); + if (other instanceof org.wso2.apk.enforcer.discovery.api.Oauth2) { + return mergeFrom((org.wso2.apk.enforcer.discovery.api.Oauth2)other); } else { super.mergeFrom(other); return this; } } - public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.TestConsoleKey other) { - if (other == org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance()) return this; + public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.Oauth2 other) { + if (other == org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance()) return this; if (!other.getHeader().isEmpty()) { header_ = other.header_; onChanged(); @@ -459,11 +459,11 @@ public Builder mergeFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { - org.wso2.apk.enforcer.discovery.api.TestConsoleKey parsedMessage = null; + org.wso2.apk.enforcer.discovery.api.Oauth2 parsedMessage = null; try { parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry); } catch (com.google.protobuf.InvalidProtocolBufferException e) { - parsedMessage = (org.wso2.apk.enforcer.discovery.api.TestConsoleKey) e.getUnfinishedMessage(); + parsedMessage = (org.wso2.apk.enforcer.discovery.api.Oauth2) e.getUnfinishedMessage(); throw e.unwrapIOException(); } finally { if (parsedMessage != null) { @@ -476,7 +476,7 @@ public Builder mergeFrom( private java.lang.Object header_ = ""; /** *
-     * name of the header containing the test key
+     * name of the header containing the JWT
      * 
* * string header = 1; @@ -496,7 +496,7 @@ public java.lang.String getHeader() { } /** *
-     * name of the header containing the test key
+     * name of the header containing the JWT
      * 
* * string header = 1; @@ -517,7 +517,7 @@ public java.lang.String getHeader() { } /** *
-     * name of the header containing the test key
+     * name of the header containing the JWT
      * 
* * string header = 1; @@ -536,7 +536,7 @@ public Builder setHeader( } /** *
-     * name of the header containing the test key
+     * name of the header containing the JWT
      * 
* * string header = 1; @@ -550,7 +550,7 @@ public Builder clearHeader() { } /** *
-     * name of the header containing the test key
+     * name of the header containing the JWT
      * 
* * string header = 1; @@ -624,41 +624,41 @@ public final Builder mergeUnknownFields( } - // @@protoc_insertion_point(builder_scope:wso2.discovery.api.TestConsoleKey) + // @@protoc_insertion_point(builder_scope:wso2.discovery.api.Oauth2) } - // @@protoc_insertion_point(class_scope:wso2.discovery.api.TestConsoleKey) - private static final org.wso2.apk.enforcer.discovery.api.TestConsoleKey DEFAULT_INSTANCE; + // @@protoc_insertion_point(class_scope:wso2.discovery.api.Oauth2) + private static final org.wso2.apk.enforcer.discovery.api.Oauth2 DEFAULT_INSTANCE; static { - DEFAULT_INSTANCE = new org.wso2.apk.enforcer.discovery.api.TestConsoleKey(); + DEFAULT_INSTANCE = new org.wso2.apk.enforcer.discovery.api.Oauth2(); } - public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey getDefaultInstance() { + public static org.wso2.apk.enforcer.discovery.api.Oauth2 getDefaultInstance() { return DEFAULT_INSTANCE; } - private static final com.google.protobuf.Parser - PARSER = new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser + PARSER = new com.google.protobuf.AbstractParser() { @java.lang.Override - public TestConsoleKey parsePartialFrom( + public Oauth2 parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { - return new TestConsoleKey(input, extensionRegistry); + return new Oauth2(input, extensionRegistry); } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getDefaultInstanceForType() { + public org.wso2.apk.enforcer.discovery.api.Oauth2 getDefaultInstanceForType() { return DEFAULT_INSTANCE; } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2OrBuilder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2OrBuilder.java new file mode 100644 index 0000000000..1c8bd7ce7b --- /dev/null +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2OrBuilder.java @@ -0,0 +1,39 @@ +// Generated by the protocol buffer compiler. DO NOT EDIT! +// source: wso2/discovery/api/api_authentication.proto + +package org.wso2.apk.enforcer.discovery.api; + +public interface Oauth2OrBuilder extends + // @@protoc_insertion_point(interface_extends:wso2.discovery.api.Oauth2) + com.google.protobuf.MessageOrBuilder { + + /** + *
+   * name of the header containing the JWT
+   * 
+ * + * string header = 1; + * @return The header. + */ + java.lang.String getHeader(); + /** + *
+   * name of the header containing the JWT
+   * 
+ * + * string header = 1; + * @return The bytes for header. + */ + com.google.protobuf.ByteString + getHeaderBytes(); + + /** + *
+   * send the token to upstream
+   * 
+ * + * bool sendTokenToUpstream = 2; + * @return The sendTokenToUpstream. + */ + boolean getSendTokenToUpstream(); +} diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java index 4771be0093..dcfa4dbf13 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java @@ -32,8 +32,8 @@ import org.wso2.apk.enforcer.constants.APIConstants; import org.wso2.apk.enforcer.constants.InterceptorConstants; import org.wso2.apk.enforcer.security.jwt.APIKeyAuthenticator; -import org.wso2.apk.enforcer.security.jwt.InternalAPIKeyAuthenticator; import org.wso2.apk.enforcer.security.jwt.JWTAuthenticator; +import org.wso2.apk.enforcer.security.jwt.Oauth2Authenticator; import org.wso2.apk.enforcer.security.jwt.UnsecuredAPIAuthenticator; import org.wso2.apk.enforcer.security.mtls.MTLSAuthenticator; import org.wso2.apk.enforcer.util.FilterUtils; @@ -91,13 +91,13 @@ private void initializeAuthenticators(APIConfig apiConfig) { boolean isGatewayTokenCacheEnabled = enforcerConfig.getCacheDto().isEnabled(); JWTConfigurationDto jwtConfigurationDto = apiConfig.getJwtConfigurationDto(); - Authenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, isGatewayTokenCacheEnabled); - authenticators.add(jwtAuthenticator); + Authenticator oauthAuthenticator = new Oauth2Authenticator(jwtConfigurationDto, isGatewayTokenCacheEnabled); + authenticators.add(oauthAuthenticator); APIKeyAuthenticator apiKeyAuthenticator = new APIKeyAuthenticator(jwtConfigurationDto); authenticators.add(apiKeyAuthenticator); - Authenticator authenticator = new InternalAPIKeyAuthenticator(jwtConfigurationDto); - authenticators.add(authenticator); + Authenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, isGatewayTokenCacheEnabled); + authenticators.add(jwtAuthenticator); Authenticator unsecuredAPIAuthenticator = new UnsecuredAPIAuthenticator(); authenticators.add(unsecuredAPIAuthenticator); @@ -263,17 +263,18 @@ private void setInterceptorAPIMetadata(RequestContext requestContext) { private void populateRemoveAndProtectedAuthHeaders(RequestContext requestContext) { requestContext.getMatchedResourcePaths().forEach(resourcePath -> { + Oauth2AuthenticationConfig oauth2AuthenticationConfig = resourcePath.getAuthenticationConfig() + .getOauth2AuthenticationConfig(); JWTAuthenticationConfig jwtAuthenticationConfig = resourcePath.getAuthenticationConfig() .getJwtAuthenticationConfig(); - InternalKeyConfig internalKeyConfig = resourcePath.getAuthenticationConfig().getInternalKeyConfig(); List apiKeyAuthenticationConfig = resourcePath.getAuthenticationConfig() .getApiKeyAuthenticationConfigs(); + if (oauth2AuthenticationConfig != null && !oauth2AuthenticationConfig.isSendTokenToUpstream()) { + requestContext.getRemoveHeaders().add(oauth2AuthenticationConfig.getHeader()); + } if (jwtAuthenticationConfig != null && !jwtAuthenticationConfig.isSendTokenToUpstream()) { requestContext.getRemoveHeaders().add(jwtAuthenticationConfig.getHeader()); } - if (internalKeyConfig != null && !internalKeyConfig.isSendTokenToUpstream()) { - requestContext.getRemoveHeaders().add(internalKeyConfig.getHeader()); - } if (apiKeyAuthenticationConfig != null && !apiKeyAuthenticationConfig.isEmpty()) { requestContext.getQueryParamsToRemove().addAll(apiKeyAuthenticationConfig.stream() .filter(apiKeyAuthenticationConfig1 -> !apiKeyAuthenticationConfig1.isSendTokenToUpstream() diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java deleted file mode 100644 index 54fa21740f..0000000000 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java +++ /dev/null @@ -1,312 +0,0 @@ -/* - * Copyright (c) 2021, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 LLC. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.wso2.apk.enforcer.security.jwt; - -import com.nimbusds.jwt.JWTClaimsSet; -import com.nimbusds.jwt.SignedJWT; -import io.opentelemetry.context.Scope; -import net.minidev.json.JSONObject; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.ThreadContext; -import org.wso2.apk.enforcer.common.CacheProviderUtil; -import org.wso2.apk.enforcer.commons.dto.JWTConfigurationDto; -import org.wso2.apk.enforcer.commons.dto.JWTInfoDto; -import org.wso2.apk.enforcer.commons.dto.JWTValidationInfo; -import org.wso2.apk.enforcer.commons.exception.APISecurityException; -import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; -import org.wso2.apk.enforcer.commons.logging.ErrorDetails; -import org.wso2.apk.enforcer.commons.logging.LoggingConstants; -import org.wso2.apk.enforcer.commons.model.AuthenticationContext; -import org.wso2.apk.enforcer.commons.model.InternalKeyConfig; -import org.wso2.apk.enforcer.commons.model.RequestContext; -import org.wso2.apk.enforcer.config.ConfigHolder; -import org.wso2.apk.enforcer.config.EnforcerConfig; -import org.wso2.apk.enforcer.config.dto.APIKeyIssuerDto; -import org.wso2.apk.enforcer.constants.APIConstants; -import org.wso2.apk.enforcer.constants.APISecurityConstants; -import org.wso2.apk.enforcer.dto.APIKeyValidationInfoDTO; -import org.wso2.apk.enforcer.dto.JWTTokenPayloadInfo; -import org.wso2.apk.enforcer.tracing.TracingConstants; -import org.wso2.apk.enforcer.tracing.TracingSpan; -import org.wso2.apk.enforcer.tracing.TracingTracer; -import org.wso2.apk.enforcer.tracing.Utils; -import org.wso2.apk.enforcer.util.BackendJwtUtils; -import org.wso2.apk.enforcer.util.FilterUtils; - -import java.text.ParseException; - -/** - * Implements the authenticator interface to authenticate request using an Internal Key. - */ -public class InternalAPIKeyAuthenticator extends APIKeyHandler { - - private static final Logger log = LogManager.getLogger(InternalAPIKeyAuthenticator.class); - - private AbstractAPIMgtGatewayJWTGenerator jwtGenerator; - private final boolean isGatewayTokenCacheEnabled; - - public InternalAPIKeyAuthenticator(final JWTConfigurationDto jwtConfigurationDto) { - - EnforcerConfig enforcerConfig = ConfigHolder.getInstance().getConfig(); - this.isGatewayTokenCacheEnabled = enforcerConfig.getCacheDto().isEnabled(); - if (jwtConfigurationDto.isEnabled()) { - this.jwtGenerator = BackendJwtUtils.getApiMgtGatewayJWTGenerator(jwtConfigurationDto); - } - } - - @Override - public boolean canAuthenticate(RequestContext requestContext) { - - InternalKeyConfig internalKeyConfig = requestContext.getMatchedResourcePaths().get(0) - .getAuthenticationConfig().getInternalKeyConfig(); - if (internalKeyConfig != null) { - String internalKey = requestContext.getHeaders().get(internalKeyConfig.getHeader()); - return isAPIKey(internalKey); - } - return false; - } - - @Override - public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException { - - TracingTracer tracer = null; - TracingSpan apiKeyAuthenticatorSpan = null; - Scope apiKeyAuthenticatorSpanScope = null; - TracingSpan apiKeyValidateSubscriptionSpan = null; - TracingSpan verifyTokenInCacheSpan = null; - TracingSpan verifyTokenWithoutCacheSpan = null; - - if (requestContext.getMatchedAPI() != null) { - log.debug("Internal Key Authentication initialized"); - - try { - if (Utils.tracingEnabled()) { - tracer = Utils.getGlobalTracer(); - apiKeyAuthenticatorSpan = Utils.startSpan(TracingConstants.API_KEY_AUTHENTICATOR_SPAN, tracer); - apiKeyAuthenticatorSpanScope = apiKeyAuthenticatorSpan.getSpan().makeCurrent(); - Utils.setTag(apiKeyAuthenticatorSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - // Extract internal from the request while removing it from the msg context. - String internalKey = requestContext.getHeaders().get(requestContext.getMatchedResourcePaths().get(0) - .getAuthenticationConfig().getInternalKeyConfig().getHeader()); - - String[] splitToken = internalKey.split("\\."); - SignedJWT signedJWT = SignedJWT.parse(internalKey); - JWTClaimsSet payload = signedJWT.getJWTClaimsSet(); - - // Check if the decoded header contains type as 'InternalKey'. - if (!isInternalKey(payload)) { - log.error("Invalid Internal Key token type. " + FilterUtils.getMaskedToken(splitToken[0])); - // To provide support for API keys. If internal key name's header name value changed similar - // to the API key header name this will enable that support. - AuthenticationContext authenticationContext = new AuthenticationContext(); - authenticationContext.setAuthenticated(false); - - // We check the type before verifying the signature. In case the type was incorrect but also not an - // API key, this will throw a NPE at RestAPI class setStatusCode method. This prevents it. - FilterUtils.setUnauthenticatedErrorToContext(requestContext); - return authenticationContext; - } - - String tokenIdentifier = payload.getJWTID(); - - checkInRevokedMap(tokenIdentifier, splitToken); - - String apiVersion = requestContext.getMatchedAPI().getVersion(); - String apiContext = requestContext.getMatchedAPI().getBasePath(); - String organization = requestContext.getMatchedAPI().getOrganizationId(); - // Verify token when it is found in cache - JWTTokenPayloadInfo jwtTokenPayloadInfo = (JWTTokenPayloadInfo) - CacheProviderUtil.getOrganizationCache(organization).getGatewayInternalKeyDataCache().getIfPresent(tokenIdentifier); - - boolean isVerified = isVerifiedApiKeyInCache(tokenIdentifier, internalKey, payload, splitToken, - "InternalKey", jwtTokenPayloadInfo, organization); - Scope verifyTokenInCacheSpanScope = null; - if (jwtTokenPayloadInfo != null) { - if (Utils.tracingEnabled()) { - verifyTokenInCacheSpan = Utils.startSpan(TracingConstants.VERIFY_TOKEN_IN_CACHE_SPAN, tracer); - verifyTokenInCacheSpanScope = verifyTokenInCacheSpan.getSpan().makeCurrent(); - Utils.setTag(verifyTokenInCacheSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - String cachedToken = jwtTokenPayloadInfo.getAccessToken(); - isVerified = cachedToken.equals(internalKey) && !isJwtTokenExpired(payload, "InternalKey", - organization); - if (Utils.tracingEnabled()) { - verifyTokenInCacheSpanScope.close(); - Utils.finishSpan(verifyTokenInCacheSpan); - } - } else if (CacheProviderUtil.getOrganizationCache(organization).getInvalidGatewayInternalKeyCache().getIfPresent(tokenIdentifier) != null - && internalKey - .equals(CacheProviderUtil.getOrganizationCache(organization).getInvalidGatewayInternalKeyCache().getIfPresent(tokenIdentifier))) { - - log.debug("Internal Key retrieved from the invalid internal Key cache. Internal Key: " - + FilterUtils.getMaskedToken(splitToken[0])); - - log.error("Invalid Internal Key. " + FilterUtils.getMaskedToken(splitToken[0])); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); - } - - Scope verifyTokenWithoutCacheSpanScope = null; - // Verify token when it is not found in cache - if (!isVerified) { - log.debug("Internal Key not found in the cache."); - if (Utils.tracingEnabled()) { - verifyTokenWithoutCacheSpan = Utils.startSpan(TracingConstants.VERIFY_TOKEN_SPAN, tracer); - verifyTokenWithoutCacheSpanScope = verifyTokenWithoutCacheSpan.getSpan().makeCurrent(); - Utils.setTag(verifyTokenWithoutCacheSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - try { - APIKeyIssuerDto runtimeTokenIssuerDto = - ConfigHolder.getInstance().getConfig().getRuntimeTokenIssuerDto(); - if (runtimeTokenIssuerDto != null && runtimeTokenIssuerDto.isEnabled()) { - isVerified = verifyTokenWhenNotInCache(runtimeTokenIssuerDto.getPublicCertificate(), - signedJWT, splitToken, payload, "InternalKey", organization); - } else { - // Logs an error only if Internal Keys are used. - log.error("InternalAPIKeyAuthenticator has not been properly initialized. {} {}", - "Empty certificate alias.", - ErrorDetails.errorLog(LoggingConstants.Severity.MAJOR, 6605)); - } - } finally { - if (Utils.tracingEnabled()) { - if (verifyTokenWithoutCacheSpanScope != null) { - verifyTokenWithoutCacheSpanScope.close(); - } - if (verifyTokenWithoutCacheSpan != null) { - Utils.finishSpan(verifyTokenWithoutCacheSpan); - } - } - } - } - - if (isVerified) { - log.debug("Internal Key signature is verified."); - - if (jwtTokenPayloadInfo == null) { - // Retrieve payload from InternalKey - log.debug("InternalKey payload not found in the cache."); - - jwtTokenPayloadInfo = new JWTTokenPayloadInfo(); - jwtTokenPayloadInfo.setPayload(payload); - jwtTokenPayloadInfo.setAccessToken(internalKey); - CacheProviderUtil.getOrganizationCache(organization).getGatewayInternalKeyDataCache().put(tokenIdentifier, jwtTokenPayloadInfo); - } - Scope apiKeyValidateSubscriptionSpanScope = null; - if (Utils.tracingEnabled()) { - apiKeyValidateSubscriptionSpan = Utils - .startSpan(TracingConstants.API_KEY_VALIDATE_SUBSCRIPTION_SPAN, tracer); - apiKeyValidateSubscriptionSpanScope = apiKeyValidateSubscriptionSpan.getSpan().makeCurrent(); - Utils.setTag(apiKeyValidateSubscriptionSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - JSONObject api; // kept outside to make this reachable for methods outside the try block - try { - api = validateAPISubscription(apiContext, apiVersion, payload, splitToken, - false); - if (api != null) { - log.debug("Internal Key Authentication is successful."); - } - } finally { - log.debug("Internal Key authentication is completed."); - if (Utils.tracingEnabled()) { - apiKeyValidateSubscriptionSpanScope.close(); - Utils.finishSpan(apiKeyValidateSubscriptionSpan); - } - } - //Get APIKeyValidationInfoDTO for internal key with limited info - APIKeyValidationInfoDTO apiKeyValidationInfoDTO = getAPIKeyValidationDTO(requestContext); - - // Generate or get backend JWT - JWTConfigurationDto jwtConfigurationDto = ConfigHolder.getInstance(). - getConfig().getJwtConfigurationDto(); - if (jwtConfigurationDto.isEnabled()) { - JWTValidationInfo validationInfo = new JWTValidationInfo(); - validationInfo.setUser(payload.getSubject()); - JWTInfoDto jwtInfoDto = FilterUtils - .generateJWTInfoDto(null, validationInfo, apiKeyValidationInfoDTO, requestContext); - String endUserToken = BackendJwtUtils.generateAndRetrieveJWTToken(jwtGenerator, tokenIdentifier, - jwtInfoDto, isGatewayTokenCacheEnabled, organization); - // Set generated jwt token as a response header - requestContext.addOrModifyHeaders(jwtConfigurationDto.getJwtHeader(), endUserToken); - } - - return FilterUtils.generateAuthenticationContext(tokenIdentifier, payload, api, - requestContext.getMatchedAPI().getUuid(), internalKey); - } else { - log.error("Internal Key authentication failed. " + FilterUtils.getMaskedToken(splitToken[0]), - ErrorDetails.errorLog(LoggingConstants.Severity.MINOR, 6602)); - CacheProviderUtil.getOrganizationCache(organization).getGatewayInternalKeyDataCache().invalidate(payload.getJWTID()); - CacheProviderUtil.getOrganizationCache(organization).getInvalidGatewayInternalKeyCache().put(payload.getJWTID(), internalKey); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); - } - } catch (ParseException e) { - log.warn("Internal Key authentication failed. ", e); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, - "Internal key authentication failed."); - - } finally { - if (Utils.tracingEnabled()) { - apiKeyAuthenticatorSpanScope.close(); - Utils.finishSpan(apiKeyAuthenticatorSpan); - } - } - } - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_GENERAL_ERROR, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE); - } - - private APIKeyValidationInfoDTO getAPIKeyValidationDTO(RequestContext requestContext) - throws ParseException { - - APIKeyValidationInfoDTO validationInfoDTO = new APIKeyValidationInfoDTO(); - validationInfoDTO.setType(requestContext.getMatchedAPI().getEnvType()); - - //check whether name is assigned correctly (This was not populated in JWTAuthenticator) - validationInfoDTO.setApiName(requestContext.getMatchedAPI().getName()); - validationInfoDTO.setApiVersion(requestContext.getMatchedAPI().getVersion()); - return validationInfoDTO; - } - - @Override - public String getChallengeString() { - - return ""; - } - - @Override - public String getName() { - - return "Internal Key"; - } - - @Override - public int getPriority() { - - return -10; - } -} - diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java index 6e3c52c35b..a38c0e2922 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java @@ -30,9 +30,9 @@ import org.wso2.apk.enforcer.commons.dto.JWTConfigurationDto; import org.wso2.apk.enforcer.commons.dto.JWTInfoDto; import org.wso2.apk.enforcer.commons.dto.JWTValidationInfo; -import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; import org.wso2.apk.enforcer.commons.exception.APISecurityException; import org.wso2.apk.enforcer.commons.exception.EnforcerException; +import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; import org.wso2.apk.enforcer.commons.model.APIConfig; import org.wso2.apk.enforcer.commons.model.AuthenticationContext; import org.wso2.apk.enforcer.commons.model.RequestContext; @@ -44,11 +44,10 @@ import org.wso2.apk.enforcer.security.Authenticator; import org.wso2.apk.enforcer.security.KeyValidator; import org.wso2.apk.enforcer.security.TokenValidationContext; -import org.wso2.apk.enforcer.security.jwt.validator.JWTConstants; import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator; import org.wso2.apk.enforcer.security.jwt.validator.RevokedJWTDataHolder; -import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; import org.wso2.apk.enforcer.server.RevokedTokenRedisClient; +import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; import org.wso2.apk.enforcer.tracing.TracingConstants; import org.wso2.apk.enforcer.tracing.TracingSpan; import org.wso2.apk.enforcer.tracing.TracingTracer; @@ -62,6 +61,7 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; +import java.util.List; import java.util.Map; import java.util.Set; @@ -89,15 +89,7 @@ public boolean canAuthenticate(RequestContext requestContext) { if (!StringUtils.equals(authHeader, "")) { String authHeaderValue = retrieveAuthHeaderValue(requestContext, authHeader); - - // Check keyword bearer in header to prevent conflicts with custom authentication - // (that maybe added with custom filters / interceptors / opa) - // which also includes a jwt in the auth header yet with a scheme other than 'bearer'. - // - // StringUtils.startsWithIgnoreCase(null, "bearer") = false - // StringUtils.startsWithIgnoreCase("abc", "bearer") = false - // StringUtils.startsWithIgnoreCase("Bearer abc", "bearer") = true - return StringUtils.startsWithIgnoreCase(authHeaderValue, JWTConstants.BEARER) && authHeaderValue.trim().split("\\s+").length == 2 && authHeaderValue.split("\\.").length == 3; + return authHeaderValue != null && !StringUtils.containsWhitespace(authHeaderValue) && authHeaderValue.split("\\.").length == 3; } return false; } @@ -121,11 +113,6 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws } String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths()); String jwtToken = retrieveAuthHeaderValue(requestContext, authHeader); - String[] splitToken = jwtToken.split("\\s"); - // Extract the token when it is sent as bearer token. i.e Authorization: Bearer - if (splitToken.length > 1) { - jwtToken = splitToken[1]; - } String context = requestContext.getMatchedAPI().getBasePath(); String name = requestContext.getMatchedAPI().getName(); String envType = requestContext.getMatchedAPI().getEnvType(); @@ -142,6 +129,12 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws } if (validationInfo != null) { if (validationInfo.isValid()) { + List audFromAPI = getAudience(requestContext.getMatchedResourcePaths()); + List audFromToken = validationInfo.getAudience(); + if (!checkAllExist(audFromAPI, audFromToken)) { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Required audience not available in the JWT aud."); + } Map claims = validationInfo.getClaims(); // Validate token type Object keyType = claims.get("keytype"); @@ -177,7 +170,7 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws if (consumerKey != null) { validateSubscriptionUsingConsumerKey(apiKeyValidationInfoDTO, name, version, context, consumerKey, envType, organization, - splitToken, requestContext.getMatchedAPI()); + "", requestContext.getMatchedAPI()); } else { log.error("Error while extracting consumer key from token"); throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), @@ -274,10 +267,21 @@ private String getTokenHeader(ArrayList matchedResourceConfigs) return ""; } + private ArrayList getAudience(ArrayList matchedResourceConfigs) { + ArrayList audience = new ArrayList<>(); + for (ResourceConfig resourceConfig : matchedResourceConfigs) { + if (resourceConfig.getAuthenticationConfig() != null && + resourceConfig.getAuthenticationConfig().getJwtAuthenticationConfig() != null) { + return resourceConfig.getAuthenticationConfig().getJwtAuthenticationConfig().getAudience(); + } + } + return audience; + } + @Override public String getChallengeString() { - return "Bearer realm=\"APK\""; + return "JWT realm=\"APK\""; } @Override @@ -344,13 +348,13 @@ private void validateScopes(String apiContext, String apiVersion, ArrayList list1, List list2) { + return list1.stream().allMatch(list2::contains); + } } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java new file mode 100644 index 0000000000..0c20eb00b8 --- /dev/null +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java @@ -0,0 +1,516 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.apk.enforcer.security.jwt; + +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.jwt.SignedJWT; +import com.nimbusds.jwt.util.DateUtils; +import io.opentelemetry.context.Scope; +import org.apache.commons.lang3.StringUtils; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.logging.log4j.ThreadContext; +import org.wso2.apk.enforcer.common.CacheProviderUtil; +import org.wso2.apk.enforcer.commons.dto.ClaimValueDTO; +import org.wso2.apk.enforcer.commons.dto.JWTConfigurationDto; +import org.wso2.apk.enforcer.commons.dto.JWTInfoDto; +import org.wso2.apk.enforcer.commons.dto.JWTValidationInfo; +import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; +import org.wso2.apk.enforcer.commons.exception.APISecurityException; +import org.wso2.apk.enforcer.commons.exception.EnforcerException; +import org.wso2.apk.enforcer.commons.model.APIConfig; +import org.wso2.apk.enforcer.commons.model.AuthenticationContext; +import org.wso2.apk.enforcer.commons.model.RequestContext; +import org.wso2.apk.enforcer.commons.model.ResourceConfig; +import org.wso2.apk.enforcer.config.ConfigHolder; +import org.wso2.apk.enforcer.constants.APIConstants; +import org.wso2.apk.enforcer.constants.APISecurityConstants; +import org.wso2.apk.enforcer.dto.APIKeyValidationInfoDTO; +import org.wso2.apk.enforcer.security.Authenticator; +import org.wso2.apk.enforcer.security.KeyValidator; +import org.wso2.apk.enforcer.security.TokenValidationContext; +import org.wso2.apk.enforcer.security.jwt.validator.JWTConstants; +import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator; +import org.wso2.apk.enforcer.security.jwt.validator.RevokedJWTDataHolder; +import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; +import org.wso2.apk.enforcer.server.RevokedTokenRedisClient; +import org.wso2.apk.enforcer.tracing.TracingConstants; +import org.wso2.apk.enforcer.tracing.TracingSpan; +import org.wso2.apk.enforcer.tracing.TracingTracer; +import org.wso2.apk.enforcer.tracing.Utils; +import org.wso2.apk.enforcer.util.BackendJwtUtils; +import org.wso2.apk.enforcer.util.FilterUtils; +import org.wso2.apk.enforcer.util.JWTUtils; + +import java.text.ParseException; +import java.util.ArrayList; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +/** + * Implements the authenticator interface to authenticate request using a JWT token. + */ +public class Oauth2Authenticator implements Authenticator { + + private static final Logger log = LogManager.getLogger(Oauth2Authenticator.class); + private final boolean isGatewayTokenCacheEnabled; + private AbstractAPIMgtGatewayJWTGenerator jwtGenerator; + + public Oauth2Authenticator(final JWTConfigurationDto jwtConfigurationDto, final boolean isGatewayTokenCacheEnabled) { + + this.isGatewayTokenCacheEnabled = isGatewayTokenCacheEnabled; + if (jwtConfigurationDto.isEnabled()) { + this.jwtGenerator = BackendJwtUtils.getApiMgtGatewayJWTGenerator(jwtConfigurationDto); + this.jwtGenerator.setJWTConfigurationDto(jwtConfigurationDto); + } + } + + @Override + public boolean canAuthenticate(RequestContext requestContext) { + String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths()); + + if (!StringUtils.equals(authHeader, "")) { + String authHeaderValue = retrieveAuthHeaderValue(requestContext, authHeader); + + // Check keyword bearer in header to prevent conflicts with custom authentication + // (that maybe added with custom filters / interceptors / opa) + // which also includes a jwt in the auth header yet with a scheme other than 'bearer'. + // + // StringUtils.startsWithIgnoreCase(null, "bearer") = false + // StringUtils.startsWithIgnoreCase("abc", "bearer") = false + // StringUtils.startsWithIgnoreCase("Bearer abc", "bearer") = true + return StringUtils.startsWithIgnoreCase(authHeaderValue, JWTConstants.BEARER) && authHeaderValue.trim().split("\\s+").length == 2 && authHeaderValue.split("\\.").length == 3; + } + return false; + } + + @Override + public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException { + + TracingTracer tracer = null; + TracingSpan jwtAuthenticatorInfoSpan = null; + Scope jwtAuthenticatorInfoSpanScope = null; + TracingSpan validateSubscriptionSpan = null; + TracingSpan validateScopesSpan = null; + + try { + if (Utils.tracingEnabled()) { + tracer = Utils.getGlobalTracer(); + jwtAuthenticatorInfoSpan = Utils.startSpan(TracingConstants.JWT_AUTHENTICATOR_SPAN, tracer); + jwtAuthenticatorInfoSpanScope = jwtAuthenticatorInfoSpan.getSpan().makeCurrent(); + Utils.setTag(jwtAuthenticatorInfoSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths()); + String jwtToken = retrieveAuthHeaderValue(requestContext, authHeader); + String[] splitToken = jwtToken.split("\\s"); + // Extract the token when it is sent as bearer token. i.e Authorization: Bearer + if (splitToken.length > 1) { + jwtToken = splitToken[1]; + } + String context = requestContext.getMatchedAPI().getBasePath(); + String name = requestContext.getMatchedAPI().getName(); + String envType = requestContext.getMatchedAPI().getEnvType(); + String version = requestContext.getMatchedAPI().getVersion(); + String organization = requestContext.getMatchedAPI().getOrganizationId(); + String environment = requestContext.getMatchedAPI().getEnvironment(); + + JWTValidationInfo validationInfo = getJwtValidationInfo(jwtToken, organization, environment); + if (RevokedTokenRedisClient.getRevokedTokens().contains(validationInfo.getIdentifier())) { + log.info("Revoked JWT token. ", validationInfo.getIdentifier()); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); + } + if (validationInfo != null) { + if (validationInfo.isValid()) { + Map claims = validationInfo.getClaims(); + // Validate token type + Object keyType = claims.get("keytype"); + if (keyType != null && !keyType.toString().equalsIgnoreCase(requestContext.getMatchedAPI().getEnvType())) { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid key type."); + } + + // Validate subscriptions + APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO(); + Scope validateSubscriptionSpanScope = null; + boolean isSystemAPI = requestContext.getMatchedAPI().isSystemAPI(); + boolean isGatewayLevelSubscriptionValidationEnabled = ConfigHolder.getInstance().getConfig() + .getMandateSubscriptionValidation(); + try { + // If subscription validation is mandated at Gateway level, all API invocations should undergo + // subscription validation. When not mandated, we check whether the API has enabled + // subscription validation. + if (!isSystemAPI && (isGatewayLevelSubscriptionValidationEnabled || requestContext.getMatchedAPI() + .isSubscriptionValidation())) { + if (Utils.tracingEnabled()) { + validateSubscriptionSpan = + Utils.startSpan(TracingConstants.SUBSCRIPTION_VALIDATION_SPAN, tracer); + validateSubscriptionSpanScope = validateSubscriptionSpan.getSpan().makeCurrent(); + Utils.setTag(validateSubscriptionSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + + // Get consumer key from the JWT token claim set + String consumerKey = validationInfo.getConsumerKey(); + + // Subscription validation using consumer key + if (consumerKey != null) { + validateSubscriptionUsingConsumerKey(apiKeyValidationInfoDTO, name, version, context, + consumerKey, envType, organization, + splitToken, requestContext.getMatchedAPI()); + } else { + log.error("Error while extracting consumer key from token"); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + "Invalid JWT token. Error while extracting consumer key from token"); + } + } else { + // In this case, the application related properties are populated so that analytics + // could provide much better insights. + // Since application notion becomes less meaningful with subscription validation disabled, + // the application name would be populated under the convention "anon:" + JWTUtils.updateApplicationNameForSubscriptionDisabledFlow(apiKeyValidationInfoDTO, + APIConstants.KeyManager.DEFAULT_KEY_MANAGER); + } + } finally { + if (Utils.tracingEnabled()) { + if (validateSubscriptionSpan != null) { + validateSubscriptionSpanScope.close(); + Utils.finishSpan(validateSubscriptionSpan); + } + } + } + + // Validate scopes + Scope validateScopesSpanScope = null; + try { + if (Utils.tracingEnabled()) { + validateScopesSpan = Utils.startSpan(TracingConstants.SCOPES_VALIDATION_SPAN, tracer); + validateScopesSpanScope = validateScopesSpan.getSpan().makeCurrent(); + Utils.setTag(validateScopesSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + validateScopes(context, version, requestContext.getMatchedResourcePaths(), validationInfo, + jwtToken); + } finally { + if (Utils.tracingEnabled()) { + validateScopesSpanScope.close(); + Utils.finishSpan(validateScopesSpan); + } + } + log.debug("JWT authentication successful."); + + // Generate or get backend JWT + String endUserToken = null; + + // jwt generator is only set if the backend jwt is enabled + if (this.jwtGenerator != null) { + JWTConfigurationDto configurationDto = this.jwtGenerator.getJWTConfigurationDto(); + Map claimMap = new HashMap<>(); + if (configurationDto != null) { + claimMap = configurationDto.getCustomClaims(); + } + JWTInfoDto jwtInfoDto = FilterUtils.generateJWTInfoDto(null, validationInfo, + apiKeyValidationInfoDTO, requestContext); + + // set custom claims get from the CR + jwtInfoDto.setClaims(claimMap); + endUserToken = BackendJwtUtils.generateAndRetrieveJWTToken(this.jwtGenerator, + validationInfo.getIdentifier(), jwtInfoDto, isGatewayTokenCacheEnabled, organization); + // Set generated jwt token as a response header + // Change the backendJWTConfig to API level + requestContext.addOrModifyHeaders(this.jwtGenerator.getJWTConfigurationDto().getJwtHeader(), + endUserToken); + } + + return FilterUtils.generateAuthenticationContext(requestContext, validationInfo.getIdentifier(), + validationInfo, apiKeyValidationInfoDTO, endUserToken, jwtToken, true); + } else { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + validationInfo.getValidationCode(), + APISecurityConstants.getAuthenticationFailureMessage(validationInfo.getValidationCode())); + } + } else { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_GENERAL_ERROR, + APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE); + } + } finally { + if (Utils.tracingEnabled()) { + jwtAuthenticatorInfoSpanScope.close(); + Utils.finishSpan(jwtAuthenticatorInfoSpan); + } + } + + } + + private String getTokenHeader(ArrayList matchedResourceConfigs) { + for (ResourceConfig resourceConfig : matchedResourceConfigs) { + if (resourceConfig.getAuthenticationConfig() != null && + resourceConfig.getAuthenticationConfig().getOauth2AuthenticationConfig() != null) { + return resourceConfig.getAuthenticationConfig().getOauth2AuthenticationConfig().getHeader(); + } + } + return ""; + } + + @Override + public String getChallengeString() { + + return "Bearer realm=\"APK\""; + } + + @Override + public String getName() { + + return "Oauth2"; + } + + @Override + public int getPriority() { + + return 10; + } + + private String retrieveAuthHeaderValue(RequestContext requestContext, String header) { + Map headers = requestContext.getHeaders(); + return headers.get(header); + } + + /** + * Validate scopes bound to the resource of the API being invoked against the scopes specified + * in the JWT token payload. + * + * @param apiContext API Context + * @param apiVersion API Version + * @param matchingResources Accessed API resources + * @param jwtValidationInfo Validated JWT Information + * @param jwtToken JWT Token + * @throws APISecurityException in case of scope validation failure + */ + private void validateScopes(String apiContext, String apiVersion, ArrayList matchingResources, + JWTValidationInfo jwtValidationInfo, String jwtToken) throws APISecurityException { + + APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO(); + Set scopeSet = new HashSet<>(jwtValidationInfo.getScopes()); + apiKeyValidationInfoDTO.setScopes(scopeSet); + + TokenValidationContext tokenValidationContext = new TokenValidationContext(); + tokenValidationContext.setValidationInfoDTO(apiKeyValidationInfoDTO); + + tokenValidationContext.setAccessToken(jwtToken); + // since matching resources has same method for all, just get the first element's method is adequate. + // i.e. graphQL matching resources has same operation type for a request. + tokenValidationContext.setHttpVerb(matchingResources.get(0).getMethod().toString()); + tokenValidationContext.setMatchingResourceConfigs(matchingResources); + tokenValidationContext.setContext(apiContext); + tokenValidationContext.setVersion(apiVersion); + + boolean valid = KeyValidator.validateScopes(tokenValidationContext); + if (valid) { + log.debug("Scope validation was successful for the resource."); + } + } + + /** + * Validate whether the user is subscribed to the invoked API using consumer key. If subscribed, validate + * the API information embedded within the Subscription against the information from the request context. + * + * @param validationInfo Token validation related details. This will be populated based on the available data + * during the subscription validation. + * @param name API name + * @param version API version + * @param context API context + * @param consumerKey Consumer key extracted from the jwt token claim set + * @param envType The environment type, i.e. PRODUCTION or SANDBOX + * @param organization Organization extracted from the request context + * @param splitToken The split token + * @param matchedAPI + * @throws APISecurityException if the user is not subscribed to the API + */ + private void validateSubscriptionUsingConsumerKey(APIKeyValidationInfoDTO validationInfo, String name, + String version, String context, String consumerKey, + String envType, String organization, String[] splitToken, + APIConfig matchedAPI) throws APISecurityException { + + validationInfo.setApiName(name); + validationInfo.setApiVersion(version); + validationInfo.setApiContext(context); + validationInfo.setConsumerKey(consumerKey); + validationInfo.setType(matchedAPI.getApiType()); + validationInfo.setEnvType(envType); + validationInfo.setEnvironment(matchedAPI.getEnvironment()); + validationInfo.setSecurityScheme(APIConstants.API_SECURITY_OAUTH2); + validationInfo.setSubscriberOrganization(organization); + validationInfo.setApiContext(matchedAPI.getBasePath()); + validationInfo.setApiVersion(matchedAPI.getVersion()); + validationInfo.setApiName(matchedAPI.getName()); + KeyValidator.validateSubscriptionUsingConsumerKey(validationInfo); + + if (validationInfo.isAuthorized()) { + if (log.isDebugEnabled()) { + log.debug("User is subscribed to the API: " + name + ", " + "version: " + version + ". Token:" + " " + + FilterUtils.getMaskedToken(splitToken[0])); + } + } else { + if (log.isDebugEnabled()) { + log.debug("User is not subscribed to access the API: " + name + ", version: " + version + ". " + + "Token: " + FilterUtils.getMaskedToken(splitToken[0])); + } + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), + APISecurityConstants.API_AUTH_FORBIDDEN, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE); + } + } + + /** + * Validate whether the token is a valid JWT and generate the JWTValidationInfo object. + * + * @param jwtToken The full JWT token + * @param organization organization of the API + * @param environment environment of the API + * @return + * @throws APISecurityException + */ + private JWTValidationInfo getJwtValidationInfo(String jwtToken, String organization, String environment) throws APISecurityException { + + if (isGatewayTokenCacheEnabled) { + String[] jwtParts = jwtToken.split("\\."); + String signature = jwtParts[2]; + Object validCacheToken = CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache() + .getIfPresent(signature); + if (validCacheToken != null) { + JWTValidationInfo validationInfo = (JWTValidationInfo) validCacheToken; + if (!isJWTExpired(validationInfo)) { + if (!StringUtils.equals(validationInfo.getToken(), jwtToken)) { + log.warn("Suspected tampered token; a JWT token with the same signature is " + + "already available in the cache. Tampered token: " + FilterUtils.getMaskedToken(jwtToken)); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token"); + } + if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(validationInfo.getIdentifier())) { + log.debug("Token found in the revoked jwt token map."); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token"); + } + return validationInfo; + } else { + CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().invalidate(signature); + CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(signature, true); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED, + APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED_MESSAGE); + } + } else if (CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache() + .getIfPresent(signature) != null) { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); + } + } + + SignedJWT signedJWT; + JWTClaimsSet jwtClaimsSet; + SignedJWTInfo signedJWTInfo; + Scope decodeTokenHeaderSpanScope = null; + TracingSpan decodeTokenHeaderSpan = null; + try { + if (Utils.tracingEnabled()) { + TracingTracer tracer = Utils.getGlobalTracer(); + decodeTokenHeaderSpan = Utils.startSpan(TracingConstants.DECODE_TOKEN_HEADER_SPAN, tracer); + decodeTokenHeaderSpanScope = decodeTokenHeaderSpan.getSpan().makeCurrent(); + Utils.setTag(decodeTokenHeaderSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + signedJWT = SignedJWT.parse(jwtToken); + jwtClaimsSet = signedJWT.getJWTClaimsSet(); + signedJWTInfo = new SignedJWTInfo(jwtToken, signedJWT, jwtClaimsSet); + } catch (ParseException | IllegalArgumentException e) { + log.error("Failed to decode the token header. {}", e.getMessage()); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Not a JWT token. Failed to decode the " + + "token header", e); + } finally { + if (Utils.tracingEnabled()) { + decodeTokenHeaderSpanScope.close(); + Utils.finishSpan(decodeTokenHeaderSpan); + } + } + + String signature = signedJWT.getSignature().toString(); + String jwtTokenIdentifier = StringUtils.isNotEmpty(jwtClaimsSet.getJWTID()) ? jwtClaimsSet.getJWTID() : + signature; + + // check whether the token is revoked + String jwtHeader = signedJWT.getHeader().toString(); + if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(jwtTokenIdentifier)) { + log.debug("Token retrieved from the revoked jwt token map. Token: " + + FilterUtils.getMaskedToken(jwtHeader)); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token"); + } + + try { + // Get issuer + String issuer = jwtClaimsSet.getIssuer(); + JWTValidator jwtValidator = SubscriptionDataHolder.getInstance().getSubscriptionDataStore(organization) + .getJWTValidatorByIssuer(issuer, environment); + // If no validator found for the issuer, we are not caching the token. + if (jwtValidator == null) { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); + } + + JWTValidationInfo jwtValidationInfo = jwtValidator.validateToken(jwtToken, signedJWTInfo); + if (isGatewayTokenCacheEnabled) { + // Add token to tenant token cache + if (jwtValidationInfo.isValid()) { + CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().put(signature, + jwtValidationInfo); + } else { + CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(signature, true); + } + } + return jwtValidationInfo; + } catch (EnforcerException e) { + log.error("JWT Validation failed", e); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_GENERAL_ERROR, + APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE); + } + } + + /** + * Check whether the jwt token is expired or not. + * + * @param payload The payload of the JWT token + * @return boolean true if the token is not expired, false otherwise + */ + private Boolean isJWTExpired(JWTValidationInfo payload) { + + long timestampSkew = FilterUtils.getTimeStampSkewInSeconds(); + Date now = new Date(); + Date exp = new Date(payload.getExpiryTime()); + return !DateUtils.isAfter(exp, now, timestampSkew); + } +} diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java index 4a12de0b45..38e7c0eb70 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java @@ -93,6 +93,7 @@ public JWTValidationInfo validateToken(String token, SignedJWTInfo signedJWTInfo jwtValidationInfo.setIdentifier(JWTUtils.getJWTTokenIdentifier(signedJWTInfo)); jwtValidationInfo.setJwtClaimsSet(signedJWTInfo.getJwtClaimsSet()); jwtValidationInfo.setToken(token); + jwtValidationInfo.setAudience(jwtClaimsSet.getAudience()); return jwtValidationInfo; } jwtValidationInfo.setValidationCode(APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED); diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/JWTValidatorTest.java b/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/Oauth2ValidatorTest.java similarity index 92% rename from gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/JWTValidatorTest.java rename to gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/Oauth2ValidatorTest.java index b4ceb92cf8..55376740c3 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/JWTValidatorTest.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/Oauth2ValidatorTest.java @@ -39,7 +39,7 @@ import org.wso2.apk.enforcer.commons.model.APIConfig; import org.wso2.apk.enforcer.commons.model.AuthenticationConfig; import org.wso2.apk.enforcer.commons.model.AuthenticationContext; -import org.wso2.apk.enforcer.commons.model.JWTAuthenticationConfig; +import org.wso2.apk.enforcer.commons.model.Oauth2AuthenticationConfig; import org.wso2.apk.enforcer.commons.model.RequestContext; import org.wso2.apk.enforcer.commons.model.ResourceConfig; import org.wso2.apk.enforcer.config.ConfigHolder; @@ -47,7 +47,7 @@ import org.wso2.apk.enforcer.config.dto.ExtendedTokenIssuerDto; import org.wso2.apk.enforcer.constants.APISecurityConstants; import org.wso2.apk.enforcer.security.KeyValidator; -import org.wso2.apk.enforcer.security.jwt.JWTAuthenticator; +import org.wso2.apk.enforcer.security.jwt.Oauth2Authenticator; import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator; import org.wso2.apk.enforcer.server.RevokedTokenRedisClient; import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; @@ -59,7 +59,7 @@ import java.util.Map; import java.util.UUID; -public class JWTValidatorTest { +public class Oauth2ValidatorTest { @Before public void setup() { @@ -95,15 +95,15 @@ public void testJWTValidator() throws APISecurityException, EnforcerException { jwtValidationInfo.setKeyManager("Default"); JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto(); - JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true); + Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true); RequestContext requestContext = Mockito.mock(RequestContext.class); ArrayList resourceConfigs = new ArrayList<>(); ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class); AuthenticationConfig authenticationConfig = new AuthenticationConfig(); - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader("Authorization"); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oauth2AuthenticationConfig.setHeader("Authorization"); + authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig); Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig); Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET); resourceConfigs.add(resourceConfig); @@ -134,7 +134,7 @@ public void testJWTValidator() throws APISecurityException, EnforcerException { subscriptionDataHolderMockedStatic.when(SubscriptionDataHolder::getInstance).thenReturn(subscriptionDataHolder); Mockito.when(subscriptionDataHolder.getSubscriptionDataStore(organization)).thenReturn(subscriptionDataStore); Logger logger = Mockito.mock(Logger.class); - logManagerDummy.when(() -> LogManager.getLogger(JWTAuthenticator.class)).thenReturn(logger); + logManagerDummy.when(() -> LogManager.getLogger(Oauth2Authenticator.class)).thenReturn(logger); Log logger2 = Mockito.mock(Log.class); logFactoryDummy.when(() -> LogFactory.getLog(AbstractAPIMgtGatewayJWTGenerator.class)).thenReturn(logger2); cacheProviderUtilDummy.when(() -> CacheProviderUtil.getOrganizationCache(organization)) @@ -156,7 +156,7 @@ public void testJWTValidator() throws APISecurityException, EnforcerException { Mockito.when(subscriptionDataStore.getJWTValidatorByIssuer(issuer, environment)).thenReturn(jwtValidator); Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo); keyValidaterDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true); - AuthenticationContext authenticate = jwtAuthenticator.authenticate(requestContext); + AuthenticationContext authenticate = oauth2Authenticator.authenticate(requestContext); Assert.assertNotNull(authenticate); Mockito.verify(gatewayKeyCache, Mockito.atLeast(1)).put(signature, jwtValidationInfo); } @@ -194,15 +194,15 @@ public void testRevokedToken() throws APISecurityException, EnforcerException { jwtValidationInfo.setIdentifier(revokedTokenJTI); JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto(); - JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true); + Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true); RequestContext requestContext = Mockito.mock(RequestContext.class); ArrayList resourceConfigs = new ArrayList<>(); ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class); AuthenticationConfig authenticationConfig = new AuthenticationConfig(); - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader("Authorization"); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oauth2AuthenticationConfig.setHeader("Authorization"); + authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig); Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig); Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET); resourceConfigs.add(resourceConfig); @@ -234,7 +234,7 @@ public void testRevokedToken() throws APISecurityException, EnforcerException { subscriptionDataHolderMockedStatic.when(SubscriptionDataHolder::getInstance).thenReturn(subscriptionDataHolder); Mockito.when(subscriptionDataHolder.getSubscriptionDataStore(organization)).thenReturn(subscriptionDataStore); Logger logger = Mockito.mock(Logger.class); - logManagerDummy.when(() -> LogManager.getLogger(JWTAuthenticator.class)).thenReturn(logger); + logManagerDummy.when(() -> LogManager.getLogger(Oauth2Authenticator.class)).thenReturn(logger); Log logger2 = Mockito.mock(Log.class); logFactoryDummy.when(() -> LogFactory.getLog(AbstractAPIMgtGatewayJWTGenerator.class)).thenReturn(logger2); cacheProviderUtilDummy.when(() -> CacheProviderUtil.getOrganizationCache(organization)) @@ -255,7 +255,7 @@ public void testRevokedToken() throws APISecurityException, EnforcerException { Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo); keyValidaterDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true); try { - jwtAuthenticator.authenticate(requestContext); + oauth2Authenticator.authenticate(requestContext); Assert.fail("Authentication should fail for revoked tokens"); } catch (APISecurityException e) { Assert.assertEquals(e.getMessage(), e.getMessage(), @@ -299,15 +299,15 @@ public void testCachedJWTValidator() throws APISecurityException, EnforcerExcept jwtValidationInfo.setIdentifier(signature); JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto(); - JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true); + Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true); RequestContext requestContext = Mockito.mock(RequestContext.class); ArrayList resourceConfigs = new ArrayList<>(); ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class); AuthenticationConfig authenticationConfig = new AuthenticationConfig(); - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader("Authorization"); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oauth2AuthenticationConfig.setHeader("Authorization"); + authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig); Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig); Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET); resourceConfigs.add(resourceConfig); @@ -338,7 +338,7 @@ public void testCachedJWTValidator() throws APISecurityException, EnforcerExcept Mockito.when(subscriptionDataStore.getJWTValidatorByIssuer(issuer, environment)).thenReturn(jwtValidator); Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo); keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true); - AuthenticationContext authenticate = jwtAuthenticator.authenticate(requestContext); + AuthenticationContext authenticate = oauth2Authenticator.authenticate(requestContext); Assert.assertNotNull(authenticate); Assert.assertEquals(authenticate.getConsumerKey(), jwtValidationInfo.getConsumerKey()); Mockito.verify(gatewayKeyCache, Mockito.atLeast(1)).getIfPresent(signature); @@ -367,15 +367,15 @@ public void testNonJTIJWTValidator() throws APISecurityException, EnforcerExcept jwtValidationInfo.setIdentifier(signature); JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto(); - JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true); + Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true); RequestContext requestContext = Mockito.mock(RequestContext.class); ArrayList resourceConfigs = new ArrayList<>(); ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class); AuthenticationConfig authenticationConfig = new AuthenticationConfig(); - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader("Authorization"); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oauth2AuthenticationConfig.setHeader("Authorization"); + authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig); Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig); Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET); resourceConfigs.add(resourceConfig); @@ -407,7 +407,7 @@ public void testNonJTIJWTValidator() throws APISecurityException, EnforcerExcept .thenReturn(jwtValidator); Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo); keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true); - AuthenticationContext authenticate = jwtAuthenticator.authenticate(requestContext); + AuthenticationContext authenticate = oauth2Authenticator.authenticate(requestContext); Assert.assertNotNull(authenticate); Assert.assertEquals(authenticate.getConsumerKey(), jwtValidationInfo.getConsumerKey()); Mockito.verify(gatewayKeyCache, Mockito.atLeast(1)).getIfPresent(signature); @@ -442,15 +442,15 @@ public void testExpiredJWTValidator() { jwtValidationInfo.setIdentifier(signature); JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto(); - JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true); + Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true); RequestContext requestContext = Mockito.mock(RequestContext.class); ArrayList resourceConfigs = new ArrayList<>(); ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class); AuthenticationConfig authenticationConfig = new AuthenticationConfig(); - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader("Authorization"); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oauth2AuthenticationConfig.setHeader("Authorization"); + authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig); Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig); Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET); resourceConfigs.add(resourceConfig); @@ -475,7 +475,7 @@ public void testExpiredJWTValidator() { cacheProviderUtilDummy.when(() -> CacheProviderUtil.getOrganizationCache(organization)).thenReturn(cacheProvider); keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true); try { - jwtAuthenticator.authenticate(requestContext); + oauth2Authenticator.authenticate(requestContext); Assert.fail("Authentication should fail for expired tokens"); } catch (APISecurityException e) { Assert.assertEquals(e.getMessage(), e.getMessage(), @@ -517,15 +517,15 @@ public void testNoCacheExpiredJWTValidator() throws EnforcerException { jwtValidationInfo.setIdentifier(signature); JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto(); - JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true); + Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true); RequestContext requestContext = Mockito.mock(RequestContext.class); ArrayList resourceConfigs = new ArrayList<>(); ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class); AuthenticationConfig authenticationConfig = new AuthenticationConfig(); - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader("Authorization"); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oauth2AuthenticationConfig.setHeader("Authorization"); + authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig); Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig); Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET); resourceConfigs.add(resourceConfig); @@ -563,7 +563,7 @@ public void testNoCacheExpiredJWTValidator() throws EnforcerException { keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true); try { - jwtAuthenticator.authenticate(requestContext); + oauth2Authenticator.authenticate(requestContext); Assert.fail("Authentication should fail for expired tokens"); } catch (APISecurityException e) { Assert.assertEquals(e.getMessage(), APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED_MESSAGE); @@ -617,15 +617,15 @@ public void testTamperedPayloadJWTValidator() throws EnforcerException { jwtValidationInfo.setIdentifier(signature); JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto(); - JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true); + Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true); RequestContext requestContext = Mockito.mock(RequestContext.class); ArrayList resourceConfigs = new ArrayList<>(); ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class); AuthenticationConfig authenticationConfig = new AuthenticationConfig(); - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader("Authorization"); - authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); + Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig(); + oauth2AuthenticationConfig.setHeader("Authorization"); + authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig); Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig); Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET); resourceConfigs.add(resourceConfig); @@ -664,7 +664,7 @@ public void testTamperedPayloadJWTValidator() throws EnforcerException { Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo); keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true); try { - jwtAuthenticator.authenticate(requestContext); + oauth2Authenticator.authenticate(requestContext); Assert.fail("Authentication should fail for tampered tokens"); } catch (APISecurityException e) { Assert.assertEquals(e.getMessage(), "Invalid JWT token"); diff --git a/helm-charts/crds/dp.wso2.com_authentications.yaml b/helm-charts/crds/dp.wso2.com_authentications.yaml index 1418de8c2c..784a583d66 100644 --- a/helm-charts/crds/dp.wso2.com_authentications.yaml +++ b/helm-charts/crds/dp.wso2.com_authentications.yaml @@ -275,6 +275,30 @@ spec: type: object nullable: true type: array + jwt: + description: JWT is to specify the JWT authentication scheme + details + properties: + audience: + description: Audience who can invoke a corresponding API + items: + type: string + type: array + disabled: + default: true + description: Disabled is to disable JWT authentication + type: boolean + header: + default: internal-key + description: Header is the header name used to pass the + JWT + minLength: 1 + type: string + sendTokenToUpstream: + description: SendTokenToUpstream is to specify whether + the JWT should be sent to the upstream + type: boolean + type: object mtls: description: MutualSSL is to specify the features and certificates for mutual SSL @@ -364,21 +388,6 @@ spec: the OAuth2 token should be sent to the upstream type: boolean type: object - testConsoleKey: - description: TestConsoleKey is to specify the Test Console - Key authentication scheme details - properties: - header: - default: internal-key - description: Header is the header name used to pass the - Test Console Key - minLength: 1 - type: string - sendTokenToUpstream: - description: SendTokenToUpstream is to specify whether - the Test Console Key should be sent to the upstream - type: boolean - type: object type: object disabled: description: Disabled is to disable all authentications @@ -417,6 +426,30 @@ spec: type: object nullable: true type: array + jwt: + description: JWT is to specify the JWT authentication scheme + details + properties: + audience: + description: Audience who can invoke a corresponding API + items: + type: string + type: array + disabled: + default: true + description: Disabled is to disable JWT authentication + type: boolean + header: + default: internal-key + description: Header is the header name used to pass the + JWT + minLength: 1 + type: string + sendTokenToUpstream: + description: SendTokenToUpstream is to specify whether + the JWT should be sent to the upstream + type: boolean + type: object mtls: description: MutualSSL is to specify the features and certificates for mutual SSL @@ -506,21 +539,6 @@ spec: the OAuth2 token should be sent to the upstream type: boolean type: object - testConsoleKey: - description: TestConsoleKey is to specify the Test Console - Key authentication scheme details - properties: - header: - default: internal-key - description: Header is the header name used to pass the - Test Console Key - minLength: 1 - type: string - sendTokenToUpstream: - description: SendTokenToUpstream is to specify whether - the Test Console Key should be sent to the upstream - type: boolean - type: object type: object disabled: description: Disabled is to disable all authentications diff --git a/test/integration/integration/tests/custom-auth-header.go b/test/integration/integration/tests/custom-auth-header.go index a1a3fb6352..8288e65bd2 100644 --- a/test/integration/integration/tests/custom-auth-header.go +++ b/test/integration/integration/tests/custom-auth-header.go @@ -99,12 +99,45 @@ var CustomAuthHeader = suite.IntegrationTest{ Namespace: ns, Response: http.Response{StatusCode: 200}, }, + { + Request: http.Request{ + Host: "custom-auth-header.test.gw.wso2.com", + Path: "/custom-auth-header/v1.0.0/v2/echo-full/", + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full/", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 200}, + }, + { + Request: http.Request{ + Host: "custom-auth-header.test.gw.wso2.com", + Path: "/custom-auth-header/v2/echo-full/", + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full/", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 200}, + }, } for i := range testCases { tc := testCases[i] - tc.Request.Headers = http.AddBearerTokenToHeader(token, tc.Request.Headers) if (i == 2 || i == 3) { tc.Request.Headers = http.AddCustomBearerTokenHeader("testAuth", token, tc.Request.Headers) + } else if (i == 4 || i == 5) { + tc.Request.Headers = http.AddInternalTokenHeader("testJwt", token, tc.Request.Headers) + } else { + tc.Request.Headers = http.AddBearerTokenToHeader(token, tc.Request.Headers) } t.Run(tc.GetTestCaseName(i), func(t *testing.T) { t.Parallel() diff --git a/test/integration/integration/tests/jwt-api-level-security-test.go b/test/integration/integration/tests/jwt-api-level-security-test.go new file mode 100644 index 0000000000..b99c8d2947 --- /dev/null +++ b/test/integration/integration/tests/jwt-api-level-security-test.go @@ -0,0 +1,107 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package tests + +import ( + "testing" + + "github.com/wso2/apk/test/integration/integration/utils/http" + "github.com/wso2/apk/test/integration/integration/utils/suite" +) + +func init() { + IntegrationTests = append(IntegrationTests, APILevelJWT) +} + +// APILevelJWT test +var APILevelJWT = suite.IntegrationTest{ + ShortName: "APILevelJWT", + Description: "Tests API level jwt security", + Manifests: []string{"tests/jwt-api-level-security.yaml"}, + Test: func(t *testing.T, suite *suite.IntegrationTestSuite) { + gwAddr := "api-level-jwt.test.gw.wso2.com:9095" + token := http.GetTestToken(t) + ns := "gateway-integration-test-infra" + + testCases := []http.ExpectedResponse{ + { + Request: http.Request{ + Host: "api-level-jwt.test.gw.wso2.com", + Path: "/api-level-jwt/v1.0.0/v2/echo-full", + Headers: map[string]string{ + "content-type": "application/json", + "internal-key": token, + }, + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 200}, + }, + { + Request: http.Request{ + Host: "api-level-jwt.test.gw.wso2.com", + Path: "/api-level-jwt/v1.0.0/v2/echo-full", + Headers: map[string]string{ + "content-type": "application/json", + }, + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 401}, + }, + { + Request: http.Request{ + Host: "api-level-jwt.test.gw.wso2.com", + Path: "/api-level-jwt/v1.0.0/v2/echo-full", + Headers: map[string]string{ + "content-type": "application/json", + "internal-key": "invalid", + }, + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 401}, + }, + } + for i := range testCases { + tc := testCases[i] + t.Run(tc.GetTestCaseName(i), func(t *testing.T) { + t.Parallel() + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc) + }) + } + }, +} diff --git a/test/integration/integration/tests/jwt-resource-level-security-test.go b/test/integration/integration/tests/jwt-resource-level-security-test.go new file mode 100644 index 0000000000..679e6018b8 --- /dev/null +++ b/test/integration/integration/tests/jwt-resource-level-security-test.go @@ -0,0 +1,106 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package tests + +import ( + "testing" + + "github.com/wso2/apk/test/integration/integration/utils/http" + "github.com/wso2/apk/test/integration/integration/utils/suite" +) + +func init() { + IntegrationTests = append(IntegrationTests, ResourceLevelJWT) +} + +// ResourceLevelJWT test +var ResourceLevelJWT = suite.IntegrationTest{ + ShortName: "ResourceLevelJWT", + Description: "Tests resource level jwt security", + Manifests: []string{"tests/jwt-resource-level-security.yaml"}, + Test: func(t *testing.T, suite *suite.IntegrationTestSuite) { + gwAddr := "resource-level-jwt.test.gw.wso2.com:9095" + token := http.GetTestToken(t) + ns := "gateway-integration-test-infra" + testCases := []http.ExpectedResponse{ + { + Request: http.Request{ + Host: "resource-level-jwt.test.gw.wso2.com", + Path: "/resource-level-jwt/v1.0.0/v2/echo-full", + Headers: map[string]string{ + "content-type": "application/json", + "internal-key": token, + }, + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 200}, + }, + { + Request: http.Request{ + Host: "resource-level-jwt.test.gw.wso2.com", + Path: "/resource-level-jwt/v1.0.0/v2/echo-full", + Headers: map[string]string{ + "content-type": "application/json", + }, + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 401}, + }, + { + Request: http.Request{ + Host: "resource-level-jwt.test.gw.wso2.com", + Path: "/resource-level-jwt/v1.0.0/v2/echo-full", + Headers: map[string]string{ + "content-type": "application/json", + "internal-key": "invalid", + }, + Method: "GET", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v2/echo-full", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + Response: http.Response{StatusCode: 401}, + }, + } + for i := range testCases { + tc := testCases[i] + t.Run(tc.GetTestCaseName(i), func(t *testing.T) { + t.Parallel() + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc) + }) + } + }, +} diff --git a/test/integration/integration/tests/resources/tests/custom-auth-header.yaml b/test/integration/integration/tests/resources/tests/custom-auth-header.yaml index 01ababa078..ef91bd9161 100644 --- a/test/integration/integration/tests/resources/tests/custom-auth-header.yaml +++ b/test/integration/integration/tests/resources/tests/custom-auth-header.yaml @@ -55,7 +55,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Authentication metadata: name: custom-auth-header-authentication @@ -66,7 +66,10 @@ spec: authTypes: oauth2: disabled: false - header: testAuth + header: testAuth + jwt: + disabled: false + header: testJwt targetRef: group: gateway.networking.k8s.io kind: API diff --git a/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml b/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml new file mode 100644 index 0000000000..d9a08b245d --- /dev/null +++ b/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml @@ -0,0 +1,83 @@ +# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +apiVersion: dp.wso2.com/v1alpha2 +kind: API +metadata: + name: api-level-jwt + namespace: gateway-integration-test-infra +spec: + apiName: API with Backend Base Path + apiType: REST + apiVersion: v1.0.0 + basePath: /api-level-jwt/v1.0.0 + isDefaultVersion: true + #definitionFileRef: definition-file + production: + - httpRouteRefs: + - api-level-jwt-httproute + organization: wso2-org +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: api-level-jwt-httproute + namespace: gateway-integration-test-infra +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: default + namespace: apk-integration-test + sectionName: httpslistener + hostnames: + - api-level-jwt.test.gw.wso2.com + rules: + - matches: + - path: + type: PathPrefix + value: /v2/echo-full + backendRefs: + - group: dp.wso2.com + kind: Backend + name: infra-backend-v1 +--- +apiVersion: dp.wso2.com/v1alpha2 +kind: Authentication +metadata: + name: api-level-jwt-authentication + namespace: gateway-integration-test-infra +spec: + override: + disabled: false + authTypes: + jwt: + disabled: false + targetRef: + group: gateway.networking.k8s.io + kind: API + namespace: gateway-integration-test-infra + name: api-level-jwt +--- +apiVersion: dp.wso2.com/v1alpha1 +kind: Backend +metadata: + name: infra-backend-v1 + namespace: gateway-integration-test-infra +spec: + services: + - host: infra-backend-v1.gateway-integration-test-infra + port: 8080 diff --git a/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml b/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml new file mode 100644 index 0000000000..889b12c4c5 --- /dev/null +++ b/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml @@ -0,0 +1,89 @@ +# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +apiVersion: dp.wso2.com/v1alpha2 +kind: API +metadata: + name: resource-level-jwt + namespace: gateway-integration-test-infra +spec: + apiName: API with Backend Base Path + apiType: REST + apiVersion: v1.0.0 + basePath: /resource-level-jwt/v1.0.0 + isDefaultVersion: true + #definitionFileRef: definition-file + production: + - httpRouteRefs: + - resource-level-jwt-httproute + organization: wso2-org +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: resource-level-jwt-httproute + namespace: gateway-integration-test-infra +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: default + namespace: apk-integration-test + sectionName: httpslistener + hostnames: + - resource-level-jwt.test.gw.wso2.com + rules: + - matches: + - path: + type: PathPrefix + value: /v2/echo-full + backendRefs: + - group: dp.wso2.com + kind: Backend + name: infra-backend-v1 + filters: + - type: ExtensionRef + extensionRef: + group: dp.wso2.com + kind: Authentication + name: resource-level-jwt-authentication +--- +apiVersion: dp.wso2.com/v1alpha2 +kind: Authentication +metadata: + name: resource-level-jwt-authentication + namespace: gateway-integration-test-infra +spec: + override: + disabled: false + authTypes: + jwt: + disabled: false + targetRef: + kind: Resource + name: resource-level-jwt + group: gateway.networking.k8s.io + namespace: gateway-integration-test-infra +--- +apiVersion: dp.wso2.com/v1alpha1 +kind: Backend +metadata: + name: infra-backend-v1 + namespace: gateway-integration-test-infra +spec: + services: + - host: infra-backend-v1.gateway-integration-test-infra + port: 8080 diff --git a/test/integration/integration/utils/http/helpers.go b/test/integration/integration/utils/http/helpers.go index dc18d52642..54b8853d6b 100644 --- a/test/integration/integration/utils/http/helpers.go +++ b/test/integration/integration/utils/http/helpers.go @@ -34,3 +34,12 @@ func AddCustomBearerTokenHeader(headerName string, token string, headers map[str headers[headerName] = fmt.Sprintf("Bearer %s", token) return headers } + +// AddInternalTokenHeader adds a internal token to the request with specified auth header name. +func AddInternalTokenHeader(headerName string, token string, headers map[string]string) map[string]string { + if headers == nil { + headers = make(map[string]string) + } + headers[headerName] = token + return headers +} diff --git a/test/integration/scripts/run-tests.sh b/test/integration/scripts/run-tests.sh index 43d1a89ba1..7a50bd0567 100644 --- a/test/integration/scripts/run-tests.sh +++ b/test/integration/scripts/run-tests.sh @@ -79,6 +79,8 @@ sudo echo "$IP ratelimit-priority.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP different-endpoint-with-same-route.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP custom-auth-header.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP gql.test.gw.wso2.com" | sudo tee -a /etc/hosts +sudo echo "$IP api-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts +sudo echo "$IP resource-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "255.255.255.255 broadcasthost" | sudo tee -a /etc/hosts sudo echo "::1 localhost" | sudo tee -a /etc/hosts diff --git a/test/integration/scripts/setup-hosts.sh b/test/integration/scripts/setup-hosts.sh index c74feb92d7..7ff4ff8afd 100644 --- a/test/integration/scripts/setup-hosts.sh +++ b/test/integration/scripts/setup-hosts.sh @@ -38,6 +38,8 @@ sudo echo "$IP ratelimit-priority.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP different-endpoint-with-same-route.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP custom-auth-header.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP gql.test.gw.wso2.com" | sudo tee -a /etc/hosts +sudo echo "$IP api-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts +sudo echo "$IP resource-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "255.255.255.255 broadcasthost" | sudo tee -a /etc/hosts sudo echo "::1 localhost" | sudo tee -a /etc/hosts