From fdcb59c504aef68a9aa9360cec8e301478d8bb71 Mon Sep 17 00:00:00 2001 From: Ashera Silva Date: Wed, 18 Oct 2023 19:29:37 +0530 Subject: [PATCH] Add subscription validation support for API invocaitons --- .../commoncontroller/common_controller.go | 3 +- .../samples/cp_v1alpha2_application.yaml | 2 +- .../controllers/cp/subscription_controller.go | 2 +- .../enforcer/analytics/AnalyticsUtils.java | 2 +- .../apk/enforcer/constants/APIConstants.java | 8 +- .../constants/APISecurityConstants.java | 3 + .../enforcer/dto/APIKeyValidationInfoDTO.java | 54 ++-- .../apk/enforcer/security/KeyValidator.java | 237 +++++++++--------- .../security/jwt/APIKeyAuthenticator.java | 5 +- .../jwt/InternalAPIKeyAuthenticator.java | 4 +- .../security/jwt/JWTAuthenticator.java | 195 ++++---------- .../jwt/UnsecuredAPIAuthenticator.java | 5 +- .../wso2/apk/enforcer/server/AuthServer.java | 3 +- .../subscription/SubscriptionDataHolder.java | 6 +- .../subscription/SubscriptionDataStore.java | 37 +-- .../SubscriptionDataStoreImpl.java | 102 ++++---- .../wso2/apk/enforcer/util/FilterUtils.java | 3 - .../org/wso2/apk/enforcer/util/JWTUtils.java | 7 +- 18 files changed, 284 insertions(+), 394 deletions(-) diff --git a/common-controller/commoncontroller/common_controller.go b/common-controller/commoncontroller/common_controller.go index 851de0481a..09cf1907e9 100644 --- a/common-controller/commoncontroller/common_controller.go +++ b/common-controller/commoncontroller/common_controller.go @@ -150,6 +150,7 @@ func runCommonEnforcerServer(server xdsv3.Server, enforcerServer wso2_server.Ser port uint) { var grpcOptions []grpc.ServerOption grpcOptions = append(grpcOptions, grpc.MaxConcurrentStreams(grpcMaxConcurrentStreams)) + // TODO(Ashera): Add TLS support for Common Controller - Enforcer connection publicKeyLocation, privateKeyLocation, truststoreLocation := utils.GetKeyLocations() cert, err := utils.GetServerCertificate(publicKeyLocation, privateKeyLocation) 
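Review bot: The TODO inserted above the key-location lookup does not say which part of TLS is still missing, while the two lines directly below it already resolve the key locations and load a server certificate for this listener, so a later reader cannot tell whether the gap is the credential not being attached to `grpcOptions`, missing client authentication, or something else. State the outstanding step explicitly, e.g. `// TODO(Ashera): <outstanding TLS step> for the Common Controller - Enforcer connection`, so the security gap on this control-plane channel can be tracked and closed rather than rediscovered. runCommonEnforcerServer starts before this hunk and continues past it, so the remaining TLS setup may be outside this view.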
@@ -192,7 +193,7 @@ func runCommonEnforcerServer(server xdsv3.Server, enforcerServer wso2_server.Ser // register health service healthservice.RegisterHealthServer(grpcServer, &health.Server{}) - loggers.LoggerAPKOperator.Info("port: ", port, " management server listening") + loggers.LoggerAPKOperator.Info("port: ", port, " common enforcer server listening") go func() { loggers.LoggerAPKOperator.Info("Starting XDS GRPC server.") if err = grpcServer.Serve(lis); err != nil { diff --git a/common-controller/internal/operator/config/samples/cp_v1alpha2_application.yaml b/common-controller/internal/operator/config/samples/cp_v1alpha2_application.yaml index 3b6a395611..c8d45fce61 100644 --- a/common-controller/internal/operator/config/samples/cp_v1alpha2_application.yaml +++ b/common-controller/internal/operator/config/samples/cp_v1alpha2_application.yaml @@ -18,5 +18,5 @@ spec: oauth2: environments: - envId: dev - appId: yef14gh8syDvTt56rdtIHYbjF_Ya # OAuth2 consumer key + appId: 45f1c5c8-a92e-11ed-afa1-0242ac120002 # OAuth2 consumer key keyType: PRODUCTION diff --git a/common-controller/internal/operator/controllers/cp/subscription_controller.go b/common-controller/internal/operator/controllers/cp/subscription_controller.go index 073117914a..5d9f92daaf 100644 --- a/common-controller/internal/operator/controllers/cp/subscription_controller.go +++ b/common-controller/internal/operator/controllers/cp/subscription_controller.go @@ -106,7 +106,7 @@ func marshalSubscriptionList(subscriptionList []cpv1alpha2.Subscription) *subscr for _, subInternal := range subscriptionList { subscribedAPI := &subscription.SubscribedAPI{} sub := &subscription.Subscription{ - Uuid: string(subInternal.UID), + Uuid: subInternal.Name, SubStatus: subInternal.Spec.SubscriptionStatus, Organization: subInternal.Spec.Organization, } 
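Review bot: `Uuid: subInternal.Name` stores a Kubernetes object name in a field named Uuid; a name is unique only within its namespace and need not be a UUID, whereas the UID it replaces is cluster-unique. If subscriptionList can contain objects from more than one namespace, two subscriptions could now carry the same Uuid, and the enforcer lookup that presumably keys on it (KeyValidator resolves the subscription from the application mapping's subscription ref) would return the wrong one. At minimum record the contract on the line, e.g. `Uuid: subInternal.Name, // CR name, not the k8s UID; must match the subscriptionRef carried in the ApplicationMapping`. marshalSubscriptionList starts before this hunk and continues past it.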
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/analytics/AnalyticsUtils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/analytics/AnalyticsUtils.java index add9a1618d..2baa6b9dab 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/analytics/AnalyticsUtils.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/analytics/AnalyticsUtils.java @@ -48,7 +48,7 @@ public static String setDefaultIfNull(String value) { } public static String getAPIProvider(String uuid) { - API api = SubscriptionDataHolder.getInstance().getTenantSubscriptionStore().getApiByContextAndVersion(uuid); + API api = SubscriptionDataHolder.getInstance().getSubscriptionDataStore().getApiByContextAndVersion(uuid); if (api == null) { return AnalyticsConstants.DEFAULT_FOR_UNASSIGNED; } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java index d2e69757bc..96192dcb03 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java @@ -47,7 +47,7 @@ public class APIConstants { public static final String API_KEY_TYPE_SANDBOX = "SANDBOX"; public static final String AUTHORIZATION_HEADER_BASIC = "Basic"; - public static final String API_SECURITY_OAUTH2 = "oauth2"; + public static final String API_SECURITY_OAUTH2 = "OAuth2"; public static final String API_SECURITY_BASIC_AUTH = "basic_auth"; public static final String SWAGGER_API_KEY_AUTH_TYPE_NAME = "apiKey"; public static final String SWAGGER_API_KEY_IN_HEADER = "Header"; 
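Review bot: Changing `API_SECURITY_OAUTH2` from `"oauth2"` to `"OAuth2"` changes a case-sensitive match key; if this constant is what ends up in the securityScheme that KeyValidator passes to the application key mapping lookup, any stored mapping or configuration still carrying the lowercase spelling stops matching. That fails closed (no mapping means the request is rejected), but it is an easy outage to miss in a rollout, so either compare with equalsIgnoreCase at the lookup or note the requirement on the constant, e.g. `// Must match the security scheme string emitted by the control plane (case-sensitive)`.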
@@ -125,6 +125,7 @@ public static class SubscriptionStatus { public static final String PROD_ONLY_BLOCKED = "PROD_ONLY_BLOCKED"; public static final String ON_HOLD = "ON_HOLD"; public static final String REJECTED = "REJECTED"; + public static final String INACTIVE = "INACTIVE"; private SubscriptionStatus() { @@ -149,9 +150,10 @@ public static class JwtTokenConstants { public static final String APPLICATION_NAME = "name"; public static final String APPLICATION_TIER = "tier"; public static final String APPLICATION_OWNER = "owner"; - public static final String KEY_TYPE = "keytype"; - public static final String CONSUMER_KEY = "consumerKey"; + public static final String KEY_TYPE = "keyType"; + public static final String CLIENT_ID = "clientId"; public static final String SUBSCRIPTION_TIER = "subscriptionTier"; + public static final String SUBSCRIPTION_ORGANIZATION = "organization"; public static final String SUBSCRIBER_TENANT_DOMAIN = "subscriberTenantDomain"; public static final String TIER_INFO = "tierInfo"; public static final String STOP_ON_QUOTA_REACH = "stopOnQuotaReach"; diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APISecurityConstants.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APISecurityConstants.java index 9e734d6ada..15d88d9964 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APISecurityConstants.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APISecurityConstants.java 
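Review bot: Renaming the claim key `KEY_TYPE` from `keytype` to `keyType` and replacing `CONSUMER_KEY` (`consumerKey`) with `CLIENT_ID` (`clientId`) in the second hunk changes which JWT claims the enforcer reads; a token still minted with the previous claim names would come back with a null key type and client id, and those values feed the application key mapping lookup in KeyValidator. If tokens in both formats must be accepted, keep a fallback read of the old claim names; otherwise document the expectation next to the constants, e.g. `// Claim names are case-sensitive and must match those emitted by the token issuer`. The `INACTIVE` status added in the first hunk sits beside BLOCKED, ON_HOLD and REJECTED, which remain declared, so the status set the validator has to handle is now five values, not one.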
@@ -70,6 +70,9 @@ public class APISecurityConstants { public static final int API_AUTH_MISSING_OPEN_API_DEF = 900911; public static final String API_AUTH_MISSING_OPEN_API_DEF_ERROR_MESSAGE = "Internal Server Error"; + public static final int SUBSCRIPTION_NOT_FOUND = 900912; + public static final String SUBSCRIPTION_NOT_FOUND_MESSAGE = "Subscription validation failed"; + // TODO: (renuka) check error codes with APIM: https://github.com/wso2/wso2-synapse/pull/1899/files#r809710868 public static final int OPA_AUTH_FORBIDDEN = 901101; public static final String OPA_AUTH_FORBIDDEN_MESSAGE = "Forbidden"; diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/dto/APIKeyValidationInfoDTO.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/dto/APIKeyValidationInfoDTO.java index eeab20c2a0..9b4498d500 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/dto/APIKeyValidationInfoDTO.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/dto/APIKeyValidationInfoDTO.java @@ -42,17 +42,12 @@ public class APIKeyValidationInfoDTO implements Serializable { private String userType; private String endUserToken; private String endUserName; - private int applicationId; private String applicationName; - private String applicationTier; //use this to pass key validation status private int validationStatus; private long validityPeriod; private long issuedTime; private List authorizedDomains; - //Following throttle data list can be use to hold throttle data and api level throttle key - //should be its first element. - private List throttlingDataList; private int spikeArrestLimit; private String subscriberTenantDomain; private String spikeArrestUnit; 
@@ -65,17 +60,11 @@ public class APIKeyValidationInfoDTO implements Serializable { private int graphQLMaxComplexity; private String apiVersion; private String apiUUID; + private String apiName; + private String apiContext; private String applicationUUID; private Map appAttributes; - public List getThrottlingDataList() { - return throttlingDataList; - } - - public void setThrottlingDataList(List throttlingDataList) { - this.throttlingDataList = throttlingDataList; - } - public boolean isContentAware() { return contentAware; } @@ -86,11 +75,10 @@ public void setContentAware(boolean contentAware) { private Set scopes; - private String apiName; - private String consumerKey; private String apiPublisher; + private String securityScheme; public boolean isAuthorized() { return authorized; @@ -140,14 +128,6 @@ public void setEndUserName(String endUserName) { this.endUserName = endUserName; } - public int getApplicationId() { - return applicationId; - } - - public void setApplicationId(int applicationId) { - this.applicationId = applicationId; - } - public String getApplicationName() { return applicationName; } @@ -156,14 +136,6 @@ public void setApplicationName(String applicationName) { this.applicationName = applicationName; } - public String getApplicationTier() { - return applicationTier; - } - - public void setApplicationTier(String applicationTier) { - this.applicationTier = applicationTier; - } - public int getValidationStatus() { return validationStatus; } @@ -212,6 +184,14 @@ public void setApiName(String apiName) { this.apiName = apiName; } + public String getApiContext() { + return apiContext; + } + + public void setApiContext(String apiContext) { + this.apiContext = apiContext; + } + public String getConsumerKey() { return consumerKey; } 
@@ -228,6 +208,14 @@ public void setApiPublisher(String apiPublisher) { this.apiPublisher = apiPublisher; } + public String getSecurityScheme() { + return securityScheme; + } + + public void setSecurityScheme(String securityScheme) { + this.securityScheme = securityScheme; + } + public Set getScopes() { return scopes; } @@ -246,13 +234,12 @@ public String toString() { append(" , userType:").append(userType). append(" , endUserToken:").append(endUserToken). append(" , endUserName:").append(endUserName). - append(" , applicationId:").append(applicationId). append(" , applicationName:").append(applicationName). - append(" , applicationTier:").append(applicationTier). append(" , validationStatus:").append(validationStatus). append(" , validityPeriod:").append(validityPeriod). append(" , issuedTime:").append(issuedTime). append(" , apiName:").append(apiName). + append(" , apiContext:").append(apiContext). append(" , consumerKey:").append(consumerKey). append(" , spikeArrestLimit:").append(spikeArrestLimit). append(" , spikeArrestUnit:").append(spikeArrestUnit). @@ -261,6 +248,7 @@ public String toString() { append(" , productName:").append(productName). append(" , productProvider:").append(productProvider). append(" , apiPublisher:").append(apiPublisher). + append(" , securityScheme:").append(securityScheme). append(" , graphQLMaxDepth:").append(graphQLMaxDepth). append(" , graphQLMaxComplexity:").append(graphQLMaxComplexity); diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/KeyValidator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/KeyValidator.java index 22afd771f2..29b743d3da 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/KeyValidator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/KeyValidator.java 
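Review bot: toString still appends `endUserToken` next to the newly added `apiContext` and `securityScheme` entries; by its name that field carries a credential, so any log statement or debug dump that stringifies this DTO would write the token to the log. While this method is being edited, mask it, e.g. `append(" , endUserToken:").append(endUserToken == null ? null : "[redacted]")`, or drop it from the output altogether. The beginning of toString is outside the hunk.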
@@ -29,18 +29,19 @@ import org.wso2.apk.enforcer.commons.model.ResourceConfig; import org.wso2.apk.enforcer.constants.APIConstants; import org.wso2.apk.enforcer.constants.APISecurityConstants; -import org.wso2.apk.enforcer.constants.GeneralErrorCodeConstants; import org.wso2.apk.enforcer.dto.APIKeyValidationInfoDTO; import org.wso2.apk.enforcer.models.API; import org.wso2.apk.enforcer.models.Application; import org.wso2.apk.enforcer.models.ApplicationKeyMapping; +import org.wso2.apk.enforcer.models.ApplicationMapping; import org.wso2.apk.enforcer.models.Subscription; import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; import org.wso2.apk.enforcer.subscription.SubscriptionDataStore; -import org.wso2.apk.enforcer.util.FilterUtils; import java.util.List; import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; /** * Does the subscription and scope validation. 
@@ -109,74 +110,89 @@ public static boolean validateScopes(TokenValidationContext validationContext) t } /** - * Validate subscriptions for access tokens. + * Validate subscriptions for access tokens by utilizing the consumer key. * - * @param uuid uuid of the API - * @param apiContext API context, used for logging purposes and to extract the tenant domain - * @param apiVersion API version, used for logging purposes - * @param consumerKey consumer key related to the token - * @param keyManager key manager related to the token - * @return validation information about the request + * @param validationInfo Token validation related details. This will be populated based on the available data during + * the subscription validation. + * @throws APISecurityException throws if subscription validation fails. */ - public static APIKeyValidationInfoDTO validateSubscription(String uuid, String apiContext, String apiVersion, - String consumerKey, String envType, String keyManager) { + public static void validateSubscriptionUsingConsumerKey(APIKeyValidationInfoDTO validationInfo) + throws APISecurityException { + API api; + Application app; + Subscription sub; + ApplicationKeyMapping keyMapping; + ApplicationMapping appMapping; + String apiName = validationInfo.getApiName(); + String apiContext = validationInfo.getApiContext(); + String apiVersion = validationInfo.getApiVersion(); + String consumerKey = validationInfo.getConsumerKey(); + String securityScheme = validationInfo.getSecurityScheme(); + String keyType = validationInfo.getType(); + log.debug("Before validating subscriptions"); - log.debug("Validation Info : { uuid : {}, context : {}, version : {}, consumerKey : {} }", - uuid, apiContext, apiVersion, consumerKey); - String apiTenantDomain = FilterUtils.getTenantDomainFromRequestURL(apiContext); - if (apiTenantDomain == null) { - apiTenantDomain = APIConstants.SUPER_TENANT_DOMAIN_NAME; - } + log.debug("Validation Info : { name : {}, context : {}, version : {}, 
consumerKey : {} }", + apiName, apiContext, apiVersion, consumerKey); - API api = null; - ApplicationKeyMapping key = null; - Application app = null; - Subscription sub = null; + SubscriptionDataStore datastore = SubscriptionDataHolder.getInstance().getSubscriptionDataStore(); - SubscriptionDataStore datastore = SubscriptionDataHolder.getInstance() - .getTenantSubscriptionStore(apiTenantDomain); - //TODO add a check to see whether datastore is initialized an load data using rest api if it is not loaded // TODO: (VirajSalaka) Handle the scenario where the event is dropped. if (datastore != null) { - api = datastore.getApiByContextAndVersion(uuid); + api = datastore.getMatchingAPI(apiContext, apiVersion); if (api != null) { - // TODO: (Sampath) Handle the scenario when App keys are generated properly and sent -// key = datastore.getKeyMappingByKeyAndKeyManager(consumerKey, keyManager); -// if (key != null) { - app = datastore.getApplicationById(key.getApplicationUUID()); - if (app != null) { - sub = datastore.getSubscriptionById(app.getUUID(), api.getApiUUID()); - if (sub != null) { - log.debug("All information is retrieved from the inmemory data store."); + // Get application key mapping using the consumer key, key type and security scheme + keyMapping = datastore.getMatchingApplicationKeyMapping(consumerKey, keyType, securityScheme); + + if (keyMapping != null) { + // Get application and application mapping using application UUID + String applicationUUID = keyMapping.getApplicationUUID(); + app = datastore.getMatchingApplication(applicationUUID); + appMapping = datastore.getMatchingApplicationMapping(applicationUUID); + + if (appMapping != null && app != null) { + // Get subscription using the subscription UUID + String subscriptionUUID = appMapping.getSubscriptionRef(); + sub = datastore.getMatchingSubscription(subscriptionUUID); + + // Validate subscription + if (sub != null) { + validate(validationInfo, api, app, sub); + if (!validationInfo.isAuthorized() && 
validationInfo.getValidationStatus() == 0) { + // Scenario where validation failed and message is not set + validationInfo.setValidationStatus( + APIConstants.KeyValidationStatus.API_AUTH_RESOURCE_FORBIDDEN); + } + log.debug("After validating subscriptions"); + return; + } else { + log.error( + "Valid subscription not found for access token. " + + "application: {}, app_UUID: {}, API name: {}, API context: {} API version : {}", + app.getName(), app.getUUID(), apiName, apiContext, apiVersion); + } } else { - log.info( - "Valid subscription not found for oauth access token. " + - "application: {} app_UUID: {} API_name: {} API_UUID : {}", - app.getName(), app.getUUID(), api.getApiName(), api.getApiUUID()); + log.error( + "Valid application and / or application mapping not found for application uuid : " + applicationUUID); } } else { - log.info("Application not found in the data store for uuid " + key.getApplicationUUID()); + log.error( + "Valid application key mapping not found in the data store for access token. 
" + + "Application identifier: {}, key type : {}, security scheme : {}", + consumerKey, keyType, securityScheme); } -// } else { -// log.info("Application key mapping not found in the data store for id consumerKey " + consumerKey); -// } } else { - log.info("API not found in the data store for API UUID :" + uuid); + log.error("API not found for API context : {} and API version : {}", apiContext, apiVersion); } } else { - log.error("Subscription data store is null for tenant domain " + apiTenantDomain); + log.error("Subscription data store is null"); } - - APIKeyValidationInfoDTO infoDTO = new APIKeyValidationInfoDTO(); - if (api != null && app != null && sub != null) { - validate(infoDTO, datastore, api, envType, app, sub); - } - if (!infoDTO.isAuthorized() && infoDTO.getValidationStatus() == 0) { - //Scenario where validation failed and message is not set - infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_AUTH_RESOURCE_FORBIDDEN); + // If the execution reaches this point, it means that the subscription validation has failed. + if (log.isDebugEnabled()) { + log.debug("User is NOT authorized to access the API. Subscription validation failed for consumer key : " + + consumerKey); } - log.debug("After validating subscriptions"); - return infoDTO; + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), + APISecurityConstants.SUBSCRIPTION_NOT_FOUND, APISecurityConstants.SUBSCRIPTION_NOT_FOUND_MESSAGE); } /** 
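Review bot: validateSubscriptionUsingConsumerKey has two different failure modes: every lookup miss falls through to the APISecurityException at the end, but when `validate(validationInfo, api, app, sub)` rejects the subscription (INACTIVE status, API name or version mismatch) the code only fills in the validation status and then hits the `return;` after the debug log, exactly as it does on success. A caller that treats a normal return as "subscription valid" would admit a rejected subscription; the JWTAuthenticator call site is cut off in this diff, so I cannot confirm it inspects isAuthorized(). Make the method fail the same way in both cases by throwing after a rejected validate, so its contract is simply "returns only when authorized", and say so in the Javadoc.
```java
validate(validationInfo, api, app, sub);
if (!validationInfo.isAuthorized()) {
    if (validationInfo.getValidationStatus() == 0) {
        // Scenario where validation failed and message is not set
        validationInfo.setValidationStatus(
                APIConstants.KeyValidationStatus.API_AUTH_RESOURCE_FORBIDDEN);
    }
    // Rejected by validate(): fail the same way a missing subscription does
    throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(),
            APISecurityConstants.SUBSCRIPTION_NOT_FOUND,
            APISecurityConstants.SUBSCRIPTION_NOT_FOUND_MESSAGE);
}
log.debug("After validating subscriptions");
return;
// … unchanged: else branches with their error logs and the final throw …
```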
@@ -188,19 +204,14 @@ public static APIKeyValidationInfoDTO validateSubscription(String uuid, String a * @return validation information about the request */ public static APIKeyValidationInfoDTO validateSubscription(String apiUuid, String apiContext, - JWTClaimsSet payload, String envType) { + JWTClaimsSet payload) { log.debug("Before validating subscriptions with API key. API_uuid: {}, context: {}", apiUuid, apiContext); - String apiTenantDomain = FilterUtils.getTenantDomainFromRequestURL(apiContext); - if (apiTenantDomain == null) { - apiTenantDomain = APIConstants.SUPER_TENANT_DOMAIN_NAME; - } API api = null; Application app = null; Subscription sub = null; - SubscriptionDataStore datastore = SubscriptionDataHolder.getInstance() - .getTenantSubscriptionStore(apiTenantDomain); + SubscriptionDataStore datastore = SubscriptionDataHolder.getInstance().getSubscriptionDataStore(); //TODO add a check to see whether datastore is initialized an load data using rest api if it is not loaded // TODO: (VirajSalaka) Handle the scenario where the event is dropped. if (datastore != null) { @@ -230,12 +241,12 @@ public static APIKeyValidationInfoDTO validateSubscription(String apiUuid, Strin log.info("API not found in the data store for API UUID :" + apiUuid); } } else { - log.error("Subscription data store is null for tenant domain " + apiTenantDomain); + log.error("Subscription data store is null"); } APIKeyValidationInfoDTO infoDTO = new APIKeyValidationInfoDTO(); if (api != null && app != null && sub != null) { - validate(infoDTO, datastore, api, envType, app, sub); + validate(infoDTO, api, app, sub); } if (!infoDTO.isAuthorized() && infoDTO.getValidationStatus() == 0) { //Scenario where validation failed and message is not set 
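Review bot: In the API-key flow `validate(infoDTO, api, app, sub)` is now called on a freshly constructed `new APIKeyValidationInfoDTO()` whose apiName and apiVersion are never set, while the rewritten validate() dereferences `infoDTO.getApiName().equals(...)` and passes `infoDTO.getApiVersion()` to `pattern.matcher(...)`; both are null on this path, so the first request with a valid subscription ends in a NullPointerException rather than a validation result. Populate the request-side API details before the call, e.g. `infoDTO.setApiName(api.getApiName()); infoDTO.setApiVersion(api.getApiVersion());` immediately ahead of `validate(infoDTO, api, app, sub);`, or have validate() take the values from the resolved api. validateSubscription starts before the first hunk here and continues after the second.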
@@ -245,77 +256,69 @@ public static APIKeyValidationInfoDTO validateSubscription(String apiUuid, Strin return infoDTO; } - private static void validate(APIKeyValidationInfoDTO infoDTO, SubscriptionDataStore datastore, - API api, String keyType, Application app, Subscription sub) { + private static void validate(APIKeyValidationInfoDTO infoDTO, API api, Application app, Subscription sub) { + + // Validate subscription status String subscriptionStatus = sub.getSubscriptionStatus(); - if (APIConstants.SubscriptionStatus.BLOCKED.equals(subscriptionStatus)) { - infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_BLOCKED); - infoDTO.setAuthorized(false); - return; - } else if (APIConstants.SubscriptionStatus.ON_HOLD.equals(subscriptionStatus) - || APIConstants.SubscriptionStatus.REJECTED.equals(subscriptionStatus)) { + if (APIConstants.SubscriptionStatus.INACTIVE.equals(subscriptionStatus)) { infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.SUBSCRIPTION_INACTIVE); infoDTO.setAuthorized(false); return; - } else if (APIConstants.SubscriptionStatus.PROD_ONLY_BLOCKED.equals(subscriptionStatus) - && !APIConstants.API_KEY_TYPE_SANDBOX.equals(keyType)) { - infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_BLOCKED); - infoDTO.setType(keyType); + } +// if (APIConstants.SubscriptionStatus.BLOCKED.equals(subscriptionStatus)) { +// infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_BLOCKED); +// infoDTO.setAuthorized(false); +// return; +// } else if (APIConstants.SubscriptionStatus.ON_HOLD.equals(subscriptionStatus) +// || APIConstants.SubscriptionStatus.REJECTED.equals(subscriptionStatus)) { +// infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.SUBSCRIPTION_INACTIVE); +// infoDTO.setAuthorized(false); +// return; +// } else if (APIConstants.SubscriptionStatus.PROD_ONLY_BLOCKED.equals(subscriptionStatus) +// && !APIConstants.API_KEY_TYPE_SANDBOX.equals(keyType)) { +// 
infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_BLOCKED); +// infoDTO.setType(keyType); +// infoDTO.setAuthorized(false); +// return; +// } else if (APIConstants.LifecycleStatus.BLOCKED.equals(api.getLcState())) { +// infoDTO.setValidationStatus(GeneralErrorCodeConstants.API_BLOCKED_CODE); +// infoDTO.setAuthorized(false); +// return; +// } + + // Validate API details embedded within the subscription + // Validate API name + if (!infoDTO.getApiName().equals(sub.getSubscribedApi().getName())) { infoDTO.setAuthorized(false); return; - } else if (APIConstants.LifecycleStatus.BLOCKED.equals(api.getLcState())) { - infoDTO.setValidationStatus(GeneralErrorCodeConstants.API_BLOCKED_CODE); + } + // Validate API version + List versions = sub.getSubscribedApi().getVersions(); + boolean isApiVersionMatching = false; + for (String versionRegex : versions) { + // Do a regex match for version + String versionToMatch = infoDTO.getApiVersion(); + Pattern pattern = Pattern.compile(versionRegex); + Matcher matcher = pattern.matcher(versionToMatch); + if (matcher.matches()) { + isApiVersionMatching = true; + break; + } + } + if (!isApiVersionMatching) { infoDTO.setAuthorized(false); return; } - // TODO(Ashera): Revisit with Application and Subscription feature - //infoDTO.setTier(sub.getPolicyId()); - //infoDTO.setSubscriber(app.getSubName()); - //infoDTO.setApplicationId(app.getId()); + + // TODO(Ashera): Check if all app sub details are populated under the infoDTO infoDTO.setApplicationUUID(app.getUUID()); + infoDTO.setSubscriber(app.getOwner()); infoDTO.setApiName(api.getApiName()); infoDTO.setApiVersion(api.getApiVersion()); infoDTO.setApiPublisher(api.getApiProvider()); infoDTO.setApplicationName(app.getName()); - //infoDTO.setApplicationTier(app.getPolicy()); infoDTO.setAppAttributes(app.getAttributes()); infoDTO.setApiUUID(api.getApiUUID()); - infoDTO.setType(keyType); - //infoDTO.setSubscriberTenantDomain(app.getTenantDomain()); - - // Todo: (Sampath) This 
must be implemented as a part rate plans implementation. -// ApplicationPolicy appPolicy = datastore.getApplicationPolicyByName(app.getPolicy()); -// SubscriptionPolicy subPolicy = datastore.getSubscriptionPolicyByName(sub.getPolicyId()); -// ApiPolicy apiPolicy = datastore.getApiPolicyByName(api.getApiTier()); -// boolean isContentAware = appPolicy.isContentAware() || subPolicy.isContentAware() || -// (apiPolicy != null && apiPolicy.isContentAware()); -// infoDTO.setContentAware(isContentAware); -// int spikeArrest = 0; -// String apiLevelThrottlingKey = "api_level_throttling_key"; -// -// if (subPolicy.getRateLimitCount() > 0) { -// spikeArrest = subPolicy.getRateLimitCount(); -// } -// -// String spikeArrestUnit = null; -// -// if (subPolicy.getRateLimitTimeUnit() != null) { -// spikeArrestUnit = subPolicy.getRateLimitTimeUnit(); -// } -// boolean stopOnQuotaReach = subPolicy.isStopOnQuotaReach(); -// int graphQLMaxDepth = Math.max(subPolicy.getGraphQLMaxDepth(), 0); -// int graphQLMaxComplexity = Math.max(subPolicy.getGraphQLMaxComplexity(), 0); -// List list = new ArrayList<>(); -// list.add(apiLevelThrottlingKey); -// infoDTO.setSpikeArrestLimit(spikeArrest); -// infoDTO.setSpikeArrestUnit(spikeArrestUnit); -// infoDTO.setStopOnQuotaReach(stopOnQuotaReach); -// infoDTO.setGraphQLMaxDepth(graphQLMaxDepth); -// infoDTO.setGraphQLMaxComplexity(graphQLMaxComplexity); -// // We also need to set throttling data list associated with given API. This need to have -// // policy id and -// // condition id list for all throttling tiers associated with this API. -// infoDTO.setThrottlingDataList(list); infoDTO.setAuthorized(true); } } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/APIKeyAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/APIKeyAuthenticator.java index 45fc78fcbc..c29fcc9f6f 100644 
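Review bot: The rewritten validate() rejects only `SubscriptionStatus.INACTIVE`; the checks for BLOCKED, ON_HOLD, REJECTED, PROD_ONLY_BLOCKED and the API lifecycle BLOCKED state are commented out rather than removed, so a subscription in any of those states passes unless the control plane folds them all into INACTIVE before the store is loaded (the constants are still declared in APIConstants). Since this is a deny decision, reject every non-active status explicitly instead of matching one inactive value; PROD_ONLY_BLOCKED can use `infoDTO.getType()` now that keyType is no longer a parameter, and the commented-out block should be deleted rather than kept. Separately, `Pattern.compile(versionRegex)` runs per subscription version on every request, and a malformed pattern in the subscription data escapes the validator as an unchecked PatternSyntaxException; compile the patterns once when the subscription is loaded, or catch the exception and treat it as a version mismatch.
```java
private static void validate(APIKeyValidationInfoDTO infoDTO, API api, Application app, Subscription sub) {

    // Validate subscription status. Every non-active state is rejected explicitly so that a
    // BLOCKED / ON_HOLD / REJECTED subscription cannot pass merely because it is not INACTIVE.
    String subscriptionStatus = sub.getSubscriptionStatus();
    if (APIConstants.SubscriptionStatus.BLOCKED.equals(subscriptionStatus)
            || (APIConstants.SubscriptionStatus.PROD_ONLY_BLOCKED.equals(subscriptionStatus)
            && !APIConstants.API_KEY_TYPE_SANDBOX.equals(infoDTO.getType()))) {
        infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.API_BLOCKED);
        infoDTO.setAuthorized(false);
        return;
    }
    if (APIConstants.SubscriptionStatus.INACTIVE.equals(subscriptionStatus)
            || APIConstants.SubscriptionStatus.ON_HOLD.equals(subscriptionStatus)
            || APIConstants.SubscriptionStatus.REJECTED.equals(subscriptionStatus)) {
        infoDTO.setValidationStatus(APIConstants.KeyValidationStatus.SUBSCRIPTION_INACTIVE);
        infoDTO.setAuthorized(false);
        return;
    }
    // … unchanged: API name check, version regex loop, infoDTO population, setAuthorized(true) …
```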
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/APIKeyAuthenticator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/APIKeyAuthenticator.java @@ -209,7 +209,7 @@ private AuthenticationContext processAPIKey(RequestContext requestContext, Strin APIKeyValidationInfoDTO validationInfoDto; log.debug("Validating subscription for API Key against subscription store." + " context: {} version: {}", apiContext, apiVersion); - validationInfoDto = KeyValidator.validateSubscription(apiUuid, apiContext, payload, envType); + validationInfoDto = KeyValidator.validateSubscription(apiUuid, apiContext, payload); if (!requestContext.getMatchedAPI().isSystemAPI()) { log.debug("Validating subscription for API Key using JWT claims against invoked API info." + " context: {} version: {}", apiContext, apiVersion); @@ -218,7 +218,7 @@ private AuthenticationContext processAPIKey(RequestContext requestContext, Strin log.debug("Creating API Key info DTO for unknown API and Application." + " context: {} version: {}", apiContext, apiVersion); validationInfoDto = new APIKeyValidationInfoDTO(); - JWTUtils.updateApplicationNameForSubscriptionDisabledKM(validationInfoDto, + JWTUtils.updateApplicationNameForSubscriptionDisabledFlow(validationInfoDto, APIConstants.KeyManager.APIM_APIKEY_ISSUER); validationInfoDto.setAuthorized(true); } @@ -312,7 +312,6 @@ private APIKeyValidationInfoDTO getAPIKeyValidationDTO(RequestContext requestCon if (app != null) { validationInfoDTO.setApplicationUUID(app.getAsString(APIConstants.JwtTokenConstants.APPLICATION_UUID)); validationInfoDTO.setApplicationName(app.getAsString(APIConstants.JwtTokenConstants.APPLICATION_NAME)); - validationInfoDTO.setApplicationTier(app.getAsString(APIConstants.JwtTokenConstants.APPLICATION_TIER)); //validationInfoDTO.setSubscriber(app.getAsString(APIConstants.JwtTokenConstants.APPLICATION_OWNER)); } 
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java index 9a7a9fda0d..78c33ae5c2 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java @@ -229,11 +229,9 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws api = validateAPISubscription(apiContext, apiVersion, payload, splitToken, false); if (api != null) { - String context = requestContext.getMatchedAPI().getBasePath(); String uuid = requestContext.getMatchedAPI().getUuid(); - String apiTenantDomain = FilterUtils.getTenantDomainFromRequestURL(context); SubscriptionDataStore datastore = SubscriptionDataHolder.getInstance() - .getTenantSubscriptionStore(apiTenantDomain); + .getSubscriptionDataStore(); API subscriptionDataStoreAPI = datastore.getApiByContextAndVersion(uuid); if (subscriptionDataStoreAPI != null && APIConstants.LifecycleStatus.BLOCKED diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java index 5411cde9c0..a22ae53999 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java 
@@ -49,6 +49,7 @@ import org.wso2.apk.enforcer.security.TokenValidationContext; import org.wso2.apk.enforcer.security.jwt.validator.JWTConstants; import org.wso2.apk.enforcer.security.jwt.validator.RevokedJWTDataHolder; +import org.wso2.apk.enforcer.subscription.SubscriptionDataStoreImpl; import org.wso2.apk.enforcer.tracing.TracingConstants; import org.wso2.apk.enforcer.tracing.TracingSpan; import org.wso2.apk.enforcer.tracing.TracingTracer; @@ -73,6 +74,7 @@ public class JWTAuthenticator implements Authenticator { private static final Logger log = LogManager.getLogger(JWTAuthenticator.class); private final boolean isGatewayTokenCacheEnabled; private AbstractAPIMgtGatewayJWTGenerator jwtGenerator; + private SubscriptionDataStoreImpl subscriptionDataStore; public JWTAuthenticator(final JWTConfigurationDto jwtConfigurationDto, final boolean isGatewayTokenCacheEnabled) { @@ -81,6 +83,7 @@ public JWTAuthenticator(final JWTConfigurationDto jwtConfigurationDto, final boo this.jwtGenerator = BackendJwtUtils.getApiMgtGatewayJWTGenerator(jwtConfigurationDto); this.jwtGenerator.setJWTConfigurationDto(jwtConfigurationDto); } + this.subscriptionDataStore = SubscriptionDataStoreImpl.getInstance(); } @Override @@ -134,7 +137,6 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws String envType = requestContext.getMatchedAPI().getEnvType(); String version = requestContext.getMatchedAPI().getVersion(); String organization = requestContext.getMatchedAPI().getOrganizationId(); - context = context + "/" + version; SignedJWTInfo signedJWTInfo; Scope decodeTokenHeaderSpanScope = null; try { 
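Review bot: The new field `private SubscriptionDataStoreImpl subscriptionDataStore` is typed as the concrete implementation and fetched with `SubscriptionDataStoreImpl.getInstance()` in the constructor, whereas every other call site in this change goes through `SubscriptionDataHolder.getInstance().getSubscriptionDataStore()` and the `SubscriptionDataStore` interface. Use the same accessor and the interface type here, e.g. `private SubscriptionDataStore subscriptionDataStore;` and `this.subscriptionDataStore = SubscriptionDataHolder.getInstance().getSubscriptionDataStore();`, so the authenticator is not coupled to the singleton class; I could not find a use of the field in the visible hunks, so if it is unused on the new side it should go. The fourth hunk drops `context = context + "/" + version;` without a comment, and since the rest of authenticate() is outside this view a one-line note on why the version suffix no longer belongs to the context would help the next reader.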
@@ -185,8 +187,7 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO(); Scope validateSubscriptionSpanScope = null; try { - // TODO(TharinduD) revisit when subscription validation is enabled - if (false) { + if (true) { // TODO(Ashera): Check if subscriptionValidation enabled if (Utils.tracingEnabled()) { validateSubscriptionSpan = Utils.startSpan(TracingConstants.SUBSCRIPTION_VALIDATION_SPAN, tracer); 
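Review bot: `if (true) { // TODO(Ashera): Check if subscriptionValidation enabled` hard-codes the decision, which makes the `else` branch that populates the anonymous application (the subscription-validation-disabled flow) unreachable and leaves no way to change behaviour without a code edit; static analysis will also flag the constant condition. Reading the flag once in the constructor and testing it here, e.g. `if (subscriptionValidationEnabled) {` where `subscriptionValidationEnabled` is a boolean taken from configuration (suggested name only; the actual configuration accessor is not visible in this diff), keeps the always-validate default while making both paths testable. The enclosing authenticate method begins and ends outside the hunk.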
@@ -194,55 +195,31 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws Utils.setTag(validateSubscriptionSpan, APIConstants.LOG_TRACE_ID, ThreadContext.get(APIConstants.LOG_TRACE_ID)); } - // if the token is self contained, validation subscription from `subscribedApis` claim - JSONObject api = validateSubscriptionFromClaim(name, version, claims, splitToken, envType - , apiKeyValidationInfoDTO, true); - if (api == null) { - if (log.isDebugEnabled()) { - log.debug("Begin subscription validation via Key Manager: " + validationInfo.getKeyManager()); - } - apiKeyValidationInfoDTO = validateSubscriptionUsingKeyManager(requestContext, - validationInfo); - if (log.isDebugEnabled()) { - log.debug("Subscription validation via Key Manager. Status: " + apiKeyValidationInfoDTO.isAuthorized()); - } - if (!apiKeyValidationInfoDTO.isAuthorized()) { - if (GeneralErrorCodeConstants.API_BLOCKED_CODE == apiKeyValidationInfoDTO.getValidationStatus()) { - FilterUtils.setErrorToContext(requestContext, - GeneralErrorCodeConstants.API_BLOCKED_CODE, - APIConstants.StatusCodes.SERVICE_UNAVAILABLE.getCode(), - GeneralErrorCodeConstants.API_BLOCKED_MESSAGE, - GeneralErrorCodeConstants.API_BLOCKED_DESCRIPTION); - throw new APISecurityException(APIConstants.StatusCodes.SERVICE_UNAVAILABLE.getCode(), apiKeyValidationInfoDTO.getValidationStatus(), GeneralErrorCodeConstants.API_BLOCKED_MESSAGE); - } else if (APISecurityConstants.API_SUBSCRIPTION_BLOCKED == apiKeyValidationInfoDTO.getValidationStatus()) { - FilterUtils.setErrorToContext(requestContext, - APISecurityConstants.API_SUBSCRIPTION_BLOCKED, - APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_SUBSCRIPTION_BLOCKED_MESSAGE, - APISecurityConstants.API_SUBSCRIPTION_BLOCKED_DESCRIPTION); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), apiKeyValidationInfoDTO.getValidationStatus(), APISecurityConstants.API_SUBSCRIPTION_BLOCKED_MESSAGE); - } - throw new 
APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), - apiKeyValidationInfoDTO.getValidationStatus(), "User is NOT authorized to" + - " access the Resource. " + "API Subscription validation failed."); + // Get consumer key from the JWT token claim set + try { + String consumerKey = claims.getStringClaim(APIConstants.JwtTokenConstants.CLIENT_ID); + + // Subscription validation using consumer key + if (consumerKey != null) { + validateSubscriptionUsingConsumerKey(apiKeyValidationInfoDTO, name, version, context, + consumerKey, envType, APIConstants.API_SECURITY_OAUTH2, organization, + splitToken); } else { - /* GraphQL Query Analysis Information */ - if (APIConstants.ApiType.GRAPHQL.equals(requestContext.getMatchedAPI().getApiType())) { - requestContext.getProperties().put(GraphQLConstants.MAXIMUM_QUERY_DEPTH, - apiKeyValidationInfoDTO.getGraphQLMaxDepth()); - requestContext.getProperties().put(GraphQLConstants.MAXIMUM_QUERY_COMPLEXITY, - apiKeyValidationInfoDTO.getGraphQLMaxComplexity()); - } + log.error("Error while extracting consumer key from JWT token claim set"); } + } catch (ParseException e) { + log.error("Error while retrieving clientId from JWT token. {}", e.getMessage()); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), + APISecurityConstants.API_AUTH_FORBIDDEN, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE); } } else { // In this case, the application related properties are populated so that analytics // could provide much better insights. // Since application notion becomes less meaningful with subscription validation disabled, // the application name would be populated under the convention "anon:" - JWTUtils.updateApplicationNameForSubscriptionDisabledKM(apiKeyValidationInfoDTO, - validationInfo.getKeyManager()); + JWTUtils.updateApplicationNameForSubscriptionDisabledFlow(apiKeyValidationInfoDTO, + APIConstants.KeyManager.DEFAULT_KEY_MANAGER); } } finally { if (Utils.tracingEnabled()) { 
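Review bot: The new `else` branch after `if (consumerKey != null)` fails open: when the token carries no client_id claim, `getStringClaim` returns null, the branch only logs `Error while extracting consumer key from JWT token claim set`, and the method continues with an unpopulated apiKeyValidationInfoDTO, so the request appears to pass subscription validation without any subscription check, whereas a malformed claim in the `catch (ParseException e)` path is rejected. The missing-claim case should be rejected the same way: after the log line add `throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), APISecurityConstants.API_AUTH_FORBIDDEN, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);`. Separately, the removed block that copied getGraphQLMaxDepth/getGraphQLMaxComplexity into the requestContext properties for GraphQL APIs has no replacement in this hunk, so the query depth/complexity limits look silently dropped unless validateSubscriptionUsingConsumerKey (outside this hunk) now sets them. The enclosing authenticate method begins and ends outside the hunk.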
@@ -380,120 +357,52 @@ private void validateScopes(String apiContext, String apiVersion, ArrayList getMatchingApplications(String name, String uuid); - + ApplicationMapping getMatchingApplicationMapping(String uuid); /** * Filter the application key mapping map based on provided parameters - * @param applicationUUID Application uuid - * @param consumerKey The application consumer key - * @return List of key mappings which match the given parameters + * + * @param applicationIdentifier Application identifier + * @param keyType Key type, i.e. PRODUCTION or SANDBOX + * @param securityScheme Security scheme + * @return ApplicationKeyMapping which match the given parameters */ - List getMatchingKeyMapping(String applicationUUID, String consumerKey); + ApplicationKeyMapping getMatchingApplicationKeyMapping(String applicationIdentifier, String keyType, + String securityScheme); + /** + * Filter the applications map based on the provided parameters. + * + * @param uuid UUID of the application + * @return Application which match the given UUID + */ + Application getMatchingApplication(String uuid); /** - * Filter the subscriptions map based on the provided parameters + * Filter the subscriptions map based on the provided parameters. + * * @param uuid UUID of the subscription - * @param apiName Name of the api - * @param apiVersion Version of the api - * @param state Subscription state - * @return A List of subscriptions which matches the given parameters + * @return Subscription which matches the given UUID */ - List getMatchingSubscriptions(String uuid, String apiName, String apiVersion, String state); + Subscription getMatchingSubscription(String uuid); void addJWTIssuers(List jwtIssuers); 
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/subscription/SubscriptionDataStoreImpl.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/subscription/SubscriptionDataStoreImpl.java index ade299fa7d..7472e5a889 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/subscription/SubscriptionDataStoreImpl.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/subscription/SubscriptionDataStoreImpl.java 
@@ -173,6 +173,7 @@ public void addApplications(List getMatchingApplications(String name, String uuid) { + public ApplicationKeyMapping getMatchingApplicationKeyMapping(String applicationIdentifier, String keyType, + String securityScheme) { - List applicationList = new ArrayList<>(); - for (Application application : applicationMap.values()) { - boolean isNameMatching = true; - boolean isUUIDMatching = true; - if (StringUtils.isNotEmpty(name)) { - isNameMatching = application.getName().contains(name); + for (ApplicationKeyMapping applicationKeyMapping : applicationKeyMappingMap.values()) { + boolean isApplicationIdentifierMatching = false; + boolean isSecuritySchemeMatching = false; + boolean isKeyTypeMatching = false; + + if (StringUtils.isNotEmpty(applicationIdentifier)) { + if (applicationKeyMapping.getApplicationIdentifier().equals(applicationIdentifier)) { + isApplicationIdentifierMatching = true; + } } - if (StringUtils.isNotEmpty(uuid)) { - isUUIDMatching = application.getUUID().equals(uuid); + if (StringUtils.isNotEmpty(securityScheme)) { + if (applicationKeyMapping.getSecurityScheme().equals(securityScheme)) { + isSecuritySchemeMatching = true; + } } - if (isNameMatching && isUUIDMatching) { - applicationList.add(application); + if (StringUtils.isNotEmpty(keyType)) { + if (applicationKeyMapping.getKeyType().equals(keyType)) { + isKeyTypeMatching = true; + } + } + + if (isApplicationIdentifierMatching && isSecuritySchemeMatching && isKeyTypeMatching) { + return applicationKeyMapping; } } - return applicationList; + return null; } @Override - public List getMatchingKeyMapping(String applicationUUID, String applicationIdentifier) { - - List applicationKeyMappingList = new ArrayList<>(); - - for (ApplicationKeyMapping applicationKeyMapping : applicationKeyMappingMap.values()) { - boolean isApplicationIdentifierMatching = true; - boolean isAppUUIDMatching = true; - - if (StringUtils.isNotEmpty(applicationUUID)) { - isAppUUIDMatching = 
applicationKeyMapping.getApplicationUUID().equals(applicationUUID); - } - if (StringUtils.isNotEmpty(applicationIdentifier)) { - isApplicationIdentifierMatching = applicationKeyMapping.getApplicationIdentifier() - .equals(applicationIdentifier); - } - if (isApplicationIdentifierMatching && isAppUUIDMatching) { - applicationKeyMappingList.add(applicationKeyMapping); + public ApplicationMapping getMatchingApplicationMapping(String uuid) { + for (ApplicationMapping applicationMapping : applicationMappingMap.values()) { + if (StringUtils.isNotEmpty(uuid)) { + if (applicationMapping.getApplicationRef().equals(uuid)) { + return applicationMapping; + } } } - return applicationKeyMappingList; + return null; } @Override - public List getMatchingSubscriptions(String uuid, String apiName, String apiVersion, String state) { - - List subscriptionList = new ArrayList<>(); + public Application getMatchingApplication(String uuid) { + for (Application application : applicationMap.values()) { + if (StringUtils.isNotEmpty(uuid)) { + if (application.getUUID().equals(uuid)) { + return application; + } + } + } + return null; + } + @Override + public Subscription getMatchingSubscription(String uuid) { for (Subscription subscription : subscriptionMap.values()) { - boolean isUUIDMatching = true; - boolean isApiNameMatching = true; - boolean isApiVersionMatching = true; - boolean isStateMatching = true; if (StringUtils.isNotEmpty(uuid)) { - isUUIDMatching = subscription.getSubscriptionId().equals(uuid); - } - if (StringUtils.isNotEmpty(apiName)) { - isApiNameMatching = subscription.getSubscribedApi().getName().equals(apiName); - } - if (StringUtils.isNotEmpty(apiVersion)) { - // Todo: Regex check - } - if (StringUtils.isNotEmpty(state)) { - isStateMatching = subscription.getSubscriptionStatus().equals(state); - } - if (isUUIDMatching && isApiNameMatching && isApiVersionMatching && isStateMatching) { - subscriptionList.add(subscription); + if (subscription.getSubscriptionId().equals(uuid)) { 
+ return subscription; + } } } - return subscriptionList; + return null; } -// @Override -// public List getMatchingApplicationMapping - @Override public void addJWTIssuers(List jwtIssuers) { diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/FilterUtils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/FilterUtils.java index 2cd818479b..73c05b568b 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/FilterUtils.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/FilterUtils.java @@ -274,10 +274,8 @@ public static AuthenticationContext generateAuthenticationContext(RequestContext authContext.setUsername(jwtValidationInfo.getUser()); if (apiKeyValidationInfoDTO != null) { - authContext.setApplicationId(apiKeyValidationInfoDTO.getApplicationId()); authContext.setApplicationUUID(apiKeyValidationInfoDTO.getApplicationUUID()); authContext.setApplicationName(apiKeyValidationInfoDTO.getApplicationName()); - authContext.setApplicationTier(apiKeyValidationInfoDTO.getApplicationTier()); authContext.setSubscriber(apiKeyValidationInfoDTO.getSubscriber()); authContext.setTier(apiKeyValidationInfoDTO.getTier()); authContext.setSubscriberTenantDomain(apiKeyValidationInfoDTO.getSubscriberTenantDomain()); @@ -413,7 +411,6 @@ private static void constructJWTContent(JSONObject subscribedAPI, if (apiKeyValidationInfoDTO != null) { jwtInfoDto.setApplicationId(apiKeyValidationInfoDTO.getApplicationUUID()); jwtInfoDto.setApplicationName(apiKeyValidationInfoDTO.getApplicationName()); - jwtInfoDto.setApplicationTier(apiKeyValidationInfoDTO.getApplicationTier()); jwtInfoDto.setKeyType(apiKeyValidationInfoDTO.getType()); jwtInfoDto.setSubscriber(apiKeyValidationInfoDTO.getSubscriber()); jwtInfoDto.setSubscriptionTier(apiKeyValidationInfoDTO.getTier()); 
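Review bot: In `getMatchingApplicationMapping`, `getMatchingApplication` and `getMatchingSubscription` the `StringUtils.isNotEmpty(uuid)` test sits inside the loop and is re-evaluated for every entry; hoisting it as a guard, `if (StringUtils.isEmpty(uuid)) { return null; }` before the loop, makes the empty-argument result obvious and leaves the loop body to the comparison. In `getMatchingApplicationKeyMapping` the three flags now start false, so a missing applicationIdentifier, keyType or securityScheme yields no match, whereas the replaced lookups treated an empty filter as a wildcard; that is the safer direction for a credential-to-application lookup but deserves a comment such as `// All three criteria are required; an empty filter never matches`. The comparisons call `.equals` on the stored entry's `getApplicationIdentifier()`, `getSecurityScheme()` and `getKeyType()`, which throws if any stored value is null — whether that can happen is not visible here, so `StringUtils.equals(...)` or comparing from the non-null parameter side would be more defensive. The hunk boundaries in this view are collapsed (the `@@ -173,6 +173,7` header does not match the body shown), so the surrounding methods may be only partially visible.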
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/JWTUtils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/JWTUtils.java index db3513bb24..37bf845d21 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/JWTUtils.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/JWTUtils.java @@ -39,7 +39,6 @@ import org.wso2.apk.enforcer.config.ConfigHolder; import org.wso2.apk.enforcer.constants.APIConstants; import org.wso2.apk.enforcer.constants.Constants; -import org.wso2.apk.enforcer.constants.JwtConstants; import org.wso2.apk.enforcer.dto.APIKeyValidationInfoDTO; import org.wso2.apk.enforcer.security.jwt.SignedJWTInfo; import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator; @@ -254,14 +253,12 @@ public static boolean isExpired(long exp) { * @param apiKeyValidationInfoDTO empty JWT info DTO to be populated with anonymous details * @param kmReference name of the token service */ - public static void updateApplicationNameForSubscriptionDisabledKM(APIKeyValidationInfoDTO apiKeyValidationInfoDTO - , String kmReference) { + public static void updateApplicationNameForSubscriptionDisabledFlow(APIKeyValidationInfoDTO apiKeyValidationInfoDTO, + String kmReference) { String applicationRef = APIConstants.ANONYMOUS_PREFIX + kmReference; apiKeyValidationInfoDTO.setApplicationName(applicationRef); - apiKeyValidationInfoDTO.setApplicationId(-1); apiKeyValidationInfoDTO.setApplicationUUID(UUID.nameUUIDFromBytes(applicationRef.getBytes(StandardCharsets.UTF_8)).toString()); - apiKeyValidationInfoDTO.setApplicationTier(APIConstants.UNLIMITED_TIER); } public static JWTValidationInfo validateJWTToken(SignedJWTInfo signedJWTInfo, String organization) throws EnforcerException {