wso2 · Krishanx92 · Jan 10, 2024 · Nov 23, 2023 · Nov 23, 2023 · Nov 23, 2023
@@ -28,6 +28,5 @@ option java_multiple_files = true;
 // Certificates config model
 message Certificate {
 	string alias   = 1;
-	string tier    = 2;
-	bytes  content = 3;
+	bytes  content = 2;
 }
@@ -51,6 +51,7 @@ message Api {
 	repeated Certificate clientCertificates = 14;
 	string mutualSSL = 15;
 	bool applicationSecurity = 16;
+	bool transportSecurity = 17;
 	/// string graphQLSchema = 22;
 	repeated GraphqlComplexity graphqlComplexityInfo = 23;
 	bool systemAPI = 24;

@@ -158,7 +158,7 @@ var defaultConfig = &Config{
 			},
 			MutualSSL: mutualSSL{
 				CertificateHeader:               "X-WSO2-CLIENT-CERTIFICATE",
-				EnableClientValidation:          true,
+				EnableClientValidation:          false,
 				ClientCertificateEncode:         false,
 				EnableOutboundCertificateHeader: false,
 			},

@@ -168,7 +168,6 @@ func GetEnforcerAPI(adapterInternalAPI model.AdapterInternalAPI, vhost string) *
 	for _, cert := range adapterInternalAPI.GetClientCerts() {
 		certificate := &api.Certificate{
 			Alias:   cert.Alias,
-			Tier:    cert.Tier,
 			Content: cert.Content,
 		}
 		clientCertificates = append(clientCertificates, certificate)
@@ -215,8 +214,9 @@ func GetEnforcerAPI(adapterInternalAPI model.AdapterInternalAPI, vhost string) *
 		EndpointSecurity:       generateRPCEndpointSecurity(adapterInternalAPI.EndpointSecurity),
 		// IsMockedApi:         isMockedAPI,
 		ClientCertificates:  clientCertificates,
-		MutualSSL:           adapterInternalAPI.GetXWSO2MutualSSL(),
+		MutualSSL:           adapterInternalAPI.GetMutualSSL(),
 		ApplicationSecurity: adapterInternalAPI.GetXWSO2ApplicationSecurity(),
+		TransportSecurity:   !adapterInternalAPI.GetDisableMtls(),
 		// GraphQLSchema:         adapterInternalAPI.GraphQLSchema,
 		// GraphqlComplexityInfo: adapterInternalAPI.GraphQLComplexities.Data.List,
 		SystemAPI:              adapterInternalAPI.IsSystemAPI,

@@ -58,14 +58,15 @@ type AdapterInternalAPI struct {
 	xWso2AuthHeader          string
 	disableAuthentications   bool
 	disableScopes            bool
+	disableMtls              bool
 	OrganizationID           string
 	IsPrototyped             bool
 	EndpointType             string
 	LifecycleStatus          string
 	xWso2RequestBodyPass     bool
 	IsDefaultVersion         bool
 	clientCertificates       []Certificate
-	xWso2MutualSSL           string
+	mutualSSL                string
 	xWso2ApplicationSecurity bool
 	EnvType                  string
 	backendJWTTokenInfo      *BackendJWTTokenInfo
@@ -227,7 +228,6 @@ type InterceptEndpoint struct {
 // Certificate contains information of a client certificate
 type Certificate struct {
 	Alias   string
-	Tier    string
 	Content []byte
 }
 
@@ -312,6 +312,11 @@ func (adapterInternalAPI *AdapterInternalAPI) GetDisableScopes() bool {
 	return adapterInternalAPI.disableScopes
 }
 
+// GetDisableMtls returns whether mTLS is disabled or not
+func (adapterInternalAPI *AdapterInternalAPI) GetDisableMtls() bool {
+	return adapterInternalAPI.disableMtls
+}
+
 // GetID returns the Id of the API
 func (adapterInternalAPI *AdapterInternalAPI) GetID() string {
 	return adapterInternalAPI.id
@@ -335,8 +340,16 @@ func (adapterInternalAPI *AdapterInternalAPI) GetClientCerts() []Certificate {
 }
 
 // SetClientCerts set the client certificates of the API
-func (adapterInternalAPI *AdapterInternalAPI) SetClientCerts(certs []Certificate) {
-	adapterInternalAPI.clientCertificates = certs
+func (adapterInternalAPI *AdapterInternalAPI) SetClientCerts(apiName string, certs []string) {
+	var clientCerts []Certificate
+	for i, cert := range certs {
+		clientCert := Certificate{
+			Alias:   apiName + "-cert-" + strconv.Itoa(i),
+			Content: []byte(cert),
+		}
+		clientCerts = append(clientCerts, clientCert)
+	}
+	adapterInternalAPI.clientCertificates = clientCerts
 }
 
 // SetID set the Id of the API
@@ -386,14 +399,19 @@ func (adapterInternalAPI *AdapterInternalAPI) GetXWSO2AuthHeader() string {
 	return adapterInternalAPI.xWso2AuthHeader
 }
 
-// SetXWSO2MutualSSL sets the optional or mandatory mTLS
-func (adapterInternalAPI *AdapterInternalAPI) SetXWSO2MutualSSL(mutualSSl string) {
-	adapterInternalAPI.xWso2MutualSSL = mutualSSl
+// SetMutualSSL sets the optional or mandatory mTLS
+func (adapterInternalAPI *AdapterInternalAPI) SetMutualSSL(mutualSSL string) {
+	adapterInternalAPI.mutualSSL = mutualSSL
+}
+
+// GetMutualSSL returns the optional or mandatory mTLS
+func (adapterInternalAPI *AdapterInternalAPI) GetMutualSSL() string {
+	return adapterInternalAPI.mutualSSL
 }
 
-// GetXWSO2MutualSSL returns the optional or mandatory mTLS
-func (adapterInternalAPI *AdapterInternalAPI) GetXWSO2MutualSSL() string {
-	return adapterInternalAPI.xWso2MutualSSL
+// SetDisableMtls returns whether mTLS is disabled or not
+func (adapterInternalAPI *AdapterInternalAPI) SetDisableMtls(disableMtls bool) {
+	adapterInternalAPI.disableMtls = disableMtls
 }
 
 // SetXWSO2ApplicationSecurity sets the optional or mandatory application security
@@ -451,7 +469,7 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwap
 	disableScopes := true
 	config := config.ReadConfigs()
 
-	var authScheme *dpv1alpha1.Authentication
+	var authScheme *dpv1alpha2.Authentication
 	if outputAuthScheme != nil {
 		authScheme = *outputAuthScheme
 	}
@@ -782,7 +800,7 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoGQLRouteCR(gqlRoute *dpv1al
 	disableScopes := true
 	config := config.ReadConfigs()
 
-	var authScheme *dpv1alpha1.Authentication
+	var authScheme *dpv1alpha2.Authentication
 	if outputAuthScheme != nil {
 		authScheme = *outputAuthScheme
 	}

@@ -30,8 +30,8 @@ import (
 
 // ResourceParams contains httproute related parameters
 type ResourceParams struct {
-	AuthSchemes               map[string]dpv1alpha1.Authentication
-	ResourceAuthSchemes       map[string]dpv1alpha1.Authentication
+	AuthSchemes               map[string]dpv1alpha2.Authentication
+	ResourceAuthSchemes       map[string]dpv1alpha2.Authentication
 	APIPolicies               map[string]dpv1alpha2.APIPolicy
 	ResourceAPIPolicies       map[string]dpv1alpha2.APIPolicy
 	InterceptorServiceMapping map[string]dpv1alpha1.InterceptorService
@@ -207,9 +207,9 @@ func concatAPIPolicies(schemeUp *dpv1alpha2.APIPolicy, schemeDown *dpv1alpha2.AP
 	return &apiPolicy
 }
 
-func concatAuthSchemes(schemeUp *dpv1alpha1.Authentication, schemeDown *dpv1alpha1.Authentication) *dpv1alpha1.Authentication {
-	finalAuth := dpv1alpha1.Authentication{
-		Spec: dpv1alpha1.AuthenticationSpec{},
+func concatAuthSchemes(schemeUp *dpv1alpha2.Authentication, schemeDown *dpv1alpha2.Authentication) *dpv1alpha2.Authentication {
+	finalAuth := dpv1alpha2.Authentication{
+		Spec: dpv1alpha2.AuthenticationSpec{},
 	}
 	if schemeUp != nil && schemeDown != nil {
 		finalAuth.Spec.Override = utils.SelectPolicy(&schemeUp.Spec.Override, &schemeUp.Spec.Default, &schemeDown.Spec.Override, &schemeDown.Spec.Default)
@@ -224,7 +224,7 @@ func concatAuthSchemes(schemeUp *dpv1alpha1.Authentication, schemeDown *dpv1alph
 // getSecurity returns security schemes and it's definitions with flag to indicate if security is disabled
 // make sure authscheme only has external service override values. (i.e. empty default values)
 // tip: use concatScheme method
-func getSecurity(authScheme *dpv1alpha1.Authentication) *Authentication {
+func getSecurity(authScheme *dpv1alpha2.Authentication) *Authentication {
 	authHeader := constants.AuthorizationHeader
 	if authScheme != nil && authScheme.Spec.Override != nil && authScheme.Spec.Override.AuthTypes != nil && len(authScheme.Spec.Override.AuthTypes.Oauth2.Header) > 0 {
 		authHeader = authScheme.Spec.Override.AuthTypes.Oauth2.Header
@@ -249,7 +249,7 @@ func getSecurity(authScheme *dpv1alpha1.Authentication) *Authentication {
 		} else {
 			authFound = true
 		}
-		if authScheme.Spec.Override.AuthTypes.APIKey != nil {
+		if authScheme.Spec.Override.AuthTypes != nil && authScheme.Spec.Override.AuthTypes.APIKey != nil {
 			authFound = authFound || len(authScheme.Spec.Override.AuthTypes.APIKey) > 0
 			var apiKeys []APIKey
 			for _, apiKey := range authScheme.Spec.Override.AuthTypes.APIKey {

@@ -129,6 +129,15 @@ resources:
   kind: API
   path: github.com/wso2/apk/adapter/internal/operator/apis/dp/v1alpha2
   version: v1alpha2
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: wso2.com
+  group: dp
+  kind: Authentication
+  path: github.com/wso2/apk/adapter/internal/operator/apis/dp/v1alpha2
+  version: v1alpha2
 - api:
     crdVersion: v1
     namespaced: true