From eddd848cbe28fcf98c2a944d2938db76fe3150d8 Mon Sep 17 00:00:00 2001 From: Tharsanan1 Date: Tue, 5 Mar 2024 17:25:55 +0530 Subject: [PATCH 1/4] Revert "Fix bug" This reverts commit fca5497f658435b2f4bfae6801dda866ae291e85.
---
 .../org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
index 4b46115c1..c6e263962 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
@@ -530,12 +530,9 @@ private Boolean isJWTExpired(JWTValidationInfo payload) {
 *
 * @param list1 The first list to check.
 * @param list2 The second list to check against.
- * @return true if list1 is empty else if at least one element from list1 exists in list2, otherwise false.
+ * @return true if at least one element from list1 exists in list2, otherwise false.
 */
 public static boolean checkAnyExist(List list1, List list2) {
- if (list1.size() == 0) {
- return true;
- }
 return list1.stream().anyMatch(list2::contains);
 }
 }
From 8f63c996ff116b6013c7fdda1b76a09eb38343e1 Mon Sep 17 00:00:00 2001 From: Tharsanan1 Date: Tue, 5 Mar 2024 17:25:55 +0530 Subject: [PATCH 2/4] Revert "Improve code" This reverts commit 0bb86db70a9545268d467928ee5550550d459034.
---
 .../model/JWTAuthenticationConfig.java | 17 ++++++-------- .../model/Oauth2AuthenticationConfig.java | 9 +++----- .../java/org/wso2/apk/enforcer/api/Utils.java | 2 +- .../security/jwt/JWTAuthenticator.java | 22 +++++++++---------- 4 files changed, 21 insertions(+), 29 deletions(-)
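Review bot: `checkAnyExist` now returns false for an empty `list1`, because `anyMatch` on an empty stream is false, so a caller that passes a resource with no configured audience will have every token rejected instead of skipping the audience check, and the restored Javadoc does not mention that case. If the empty-list result is intended, state it, e.g. `@return true if at least one element from list1 exists in list2; false otherwise, including when list1 is empty.`. The parameters are raw `List`s, so `list2::contains` is unchecked; `List<String>` for both would let the compiler verify the element type. Whether a caller can actually pass an empty list is decided outside this hunk, where the enclosing class continues.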
diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java
index bf9973f4d..ddc5db695 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java
@@ -18,21 +18,18 @@
 package org.wso2.apk.enforcer.commons.model;
-import java.util.List;
+import java.util.ArrayList;
-/**
- * Defines JWT authentication config structure.
- */
 public class JWTAuthenticationConfig {
- private String header;
+ private String Header;
 private boolean sendTokenToUpstream;
- private List audience;
+ private ArrayList audience;
 public String getHeader() {
- return header;
+ return Header;
 }
 public void setHeader(String header) {
- this.header = header;
+ Header = header;
 }
 public boolean isSendTokenToUpstream() {
@@ -43,11 +40,11 @@ public void setSendTokenToUpstream(boolean sendTokenToUpstream) {
 this.sendTokenToUpstream = sendTokenToUpstream;
 }
- public List getAudience() {
+ public ArrayList getAudience() {
 return audience;
 }
- public void setAudience(List audience) {
+ public void setAudience(ArrayList audience) {
 this.audience = audience;
 }
 }
diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java
index c58d00845..0631c5c89 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java
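Review bot: The restored field `private String Header` and the assignment `Header = header;` in `setHeader` break the lowerCamelCase convention and read as a reference to a class named `Header`; `private String header;` with `this.header = header;` is the conventional form and is what the removed lines had. `getAudience`/`setAudience` now expose `ArrayList` rather than `List`, which couples every caller to the concrete type and prevents passing an immutable or differently backed list; the same two points recur in the `Oauth2AuthenticationConfig` hunk, in `Utils.getJwtAuthenticationConfig` and in `JWTAuthenticator.getAudience` later in this patch. The class-level Javadoc (`Defines JWT authentication config structure.`) is also dropped; keeping a one-line summary costs nothing.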
+++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java
@@ -18,19 +18,16 @@
 package org.wso2.apk.enforcer.commons.model;
-/**
- * Defines OAuth2 authentication config structure.
- */
 public class Oauth2AuthenticationConfig {
- private String header;
+ private String Header;
 private boolean sendTokenToUpstream;
 public String getHeader() {
- return header;
+ return Header;
 }
 public void setHeader(String header) {
- this.header = header;
+ Header = header;
 }
 public boolean isSendTokenToUpstream() {
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java
index 6c86a593c..b8b879d1c 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java
@@ -128,7 +128,7 @@ private static JWTAuthenticationConfig getJwtAuthenticationConfig(Operation oper
 jwtAuthenticationConfig.setHeader(operation.getApiAuthentication().getJwt().getHeader());
 jwtAuthenticationConfig.setSendTokenToUpstream(operation.getApiAuthentication().getJwt()
 .getSendTokenToUpstream());
- List audience = new ArrayList<>();
+ ArrayList audience = new ArrayList<>();
 for (int i = 0; i < operation.getApiAuthentication().getJwt().getAudienceCount(); i++) {
 audience.add(operation.getApiAuthentication().getJwt().getAudience(i));
 }
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
index c6e263962..50db84dc7 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
@@ -48,7 +48,6 @@
 import org.wso2.apk.enforcer.security.jwt.validator.RevokedJWTDataHolder;
 import org.wso2.apk.enforcer.server.RevokedTokenRedisClient;
 import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder;
-import org.wso2.apk.enforcer.subscription.SubscriptionDataStore;
 import org.wso2.apk.enforcer.tracing.TracingConstants;
 import org.wso2.apk.enforcer.tracing.TracingSpan;
 import org.wso2.apk.enforcer.tracing.TracingTracer;
@@ -132,9 +131,9 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws
 if (validationInfo.isValid()) {
 List audFromAPI = getAudience(requestContext.getMatchedResourcePaths());
 List audFromToken = validationInfo.getAudience();
- if (!checkAnyExist(audFromAPI, audFromToken)) {
+ if (!checkAllExist(audFromAPI, audFromToken)) {
 throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
- APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
+ APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Required audience not available in the JWT aud.");
 }
 Map claims = validationInfo.getClaims();
 // Validate token type
@@ -268,8 +267,8 @@ private String getTokenHeader(ArrayList matchedResourceConfigs)
 return "";
 }
- private List getAudience(ArrayList matchedResourceConfigs) {
- List audience = new ArrayList<>();
+ private ArrayList getAudience(ArrayList matchedResourceConfigs) {
+ ArrayList audience = new ArrayList<>();
 for (ResourceConfig resourceConfig : matchedResourceConfigs) {
 if (resourceConfig.getAuthenticationConfig() != null &&
 resourceConfig.getAuthenticationConfig().getJwtAuthenticationConfig() != null) {
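Review bot: `checkAllExist(audFromAPI, audFromToken)` requires every audience configured on the matched resources to appear in the token's `aud` claim, which is stricter than the commonly applied audience rule (the token must carry at least one value the recipient accepts); if the configured list is meant as a set of acceptable audiences, a resource listing two of them would reject a token that carries only one. In the other direction, `allMatch` over an empty `audFromAPI` is vacuously true, so a resource with no audience configured performs no audience check at all; if that is the intended opt-out, a comment at the call site would stop the next reader from treating it as a bug. The replacement message is a string literal, `"Required audience not available in the JWT aud."`, while the line next to it still uses `APISecurityConstants`; a constant keeps error text in one place. `authenticate` starts before this hunk and continues past it.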
@@ -526,13 +525,12 @@ private Boolean isJWTExpired(JWTValidationInfo payload) {
 }
 /**
- * Checks if at least one element from list1 exists in list2.
- *
- * @param list1 The first list to check.
- * @param list2 The second list to check against.
- * @return true if at least one element from list1 exists in list2, otherwise false.
+ * Checks if all elements in the first list are present in the second list.
+ * @param list1 The list of elements to check.
+ * @param list2 The list in which to check for the elements.
+ * @return True if all elements in list1 are present in list2, false otherwise.
 */
- public static boolean checkAnyExist(List list1, List list2) {
- return list1.stream().anyMatch(list2::contains);
+ public static boolean checkAllExist(List list1, List list2) {
+ return list1.stream().allMatch(list2::contains);
 }
 }
From 36102654e9e09d17074f61d0ec8479d203a1b4f1 Mon Sep 17 00:00:00 2001 From: Tharsanan1 Date: Tue, 5 Mar 2024 17:25:55 +0530 Subject: [PATCH 3/4] Revert "Add integration test for audience validation" This reverts commit eeeb6c11d157872b76109a65a348f2dca983f618.
---
 .../ballerina/TokenUtil.bal | 3 +- .../tests/jwt-resource-level-security-test.go | 42 +----------- .../tests/jwt-resource-level-security.yaml | 66 ------------------- 3 files changed, 2 insertions(+), 109 deletions(-)
diff --git a/idp/idp-domain-service/ballerina/TokenUtil.bal b/idp/idp-domain-service/ballerina/TokenUtil.bal
index 902acd34b..38e480164 100644
--- a/idp/idp-domain-service/ballerina/TokenUtil.bal
+++ b/idp/idp-domain-service/ballerina/TokenUtil.bal
@@ -114,8 +114,7 @@ public class TokenUtil {
 keyId: issuerConfiguration.keyId,
 signatureConfig: {
 config: {keyFile: idpConfiguration.keyStores.signing.keyFile}
- },
- audience: "aud1"
+ }
 };
 if username is string {
 issuerConfig.username = username;
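Review bot: The restored Javadoc on `checkAllExist` leaves out the one case that matters to its caller: `allMatch` on an empty `list1` is vacuously true, so an empty required-audience list passes unconditionally. Suggest `@return True if every element of list1 is present in list2 (vacuously true when list1 is empty), false otherwise.`, and `List<String>` parameters instead of raw `List` so that `list2::contains` is type-checked. The method is complete within the hunk; the enclosing class continues above it.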
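Review bot: With `audience: "aud1"` removed, tokens issued from this `issuerConfig` carry no `aud` claim at all, so the token no longer names the recipient it is meant for and a gateway that checks audience has nothing to compare against. If the goal is only to drop the test-fixture value, taking the audience from `issuerConfiguration` (as `keyId` already is) rather than omitting the claim would keep the binding; I cannot see from the hunk whether `issuerConfiguration` carries such a field. The surrounding `TokenUtil` method begins before this hunk.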
diff --git a/test/integration/integration/tests/jwt-resource-level-security-test.go b/test/integration/integration/tests/jwt-resource-level-security-test.go
index 62c9eb2b0..679e6018b 100644
--- a/test/integration/integration/tests/jwt-resource-level-security-test.go
+++ b/test/integration/integration/tests/jwt-resource-level-security-test.go
@@ -92,47 +92,7 @@ var ResourceLevelJWT = suite.IntegrationTest{
 },
 Backend: "infra-backend-v1",
 Namespace: ns,
- Response: http.Response{StatusCode: 401},
- },
- // Test wrong audience
- {
- Request: http.Request{
- Host: "resource-level-jwt.test.gw.wso2.com",
- Path: "/resource-level-jwt/v1.0.0/v2/echo-1",
- Headers: map[string]string{
- "content-type": "application/json",
- "internal-key": token,
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-1",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 401},
- },
- // Test correct audience
- {
- Request: http.Request{
- Host: "resource-level-jwt.test.gw.wso2.com",
- Path: "/resource-level-jwt/v1.0.0/v2/echo-2",
- Headers: map[string]string{
- "content-type": "application/json",
- "internal-key": token,
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-2",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 200},
+ Response: http.Response{StatusCode: 401},
 },
 }
 for i := range testCases {
diff --git a/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml b/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml
index 529b48aa5..889b12c4c 100644
--- a/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml
+++ b/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml
@@ -60,34 +60,6 @@ spec:
 group: dp.wso2.com
 kind: Authentication
 name: resource-level-jwt-authentication
- - matches:
- - path:
- type: PathPrefix
- value: /v2/echo-1
- backendRefs:
- - group: dp.wso2.com
- kind: Backend
- name: infra-backend-v1
- filters:
- - type: ExtensionRef
- extensionRef:
- group: dp.wso2.com
- kind: Authentication
- name: resource-level-jwt-authentication-1
- - matches:
- - path:
- type: PathPrefix
- value: /v2/echo-2
- backendRefs:
- - group: dp.wso2.com
- kind: Backend
- name: infra-backend-v1
- filters:
- - type: ExtensionRef
- extensionRef:
- group: dp.wso2.com
- kind: Authentication
- name: resource-level-jwt-authentication-2
 ---
 apiVersion: dp.wso2.com/v1alpha2
 kind: Authentication
@@ -106,44 +78,6 @@ spec:
 group: gateway.networking.k8s.io
 namespace: gateway-integration-test-infra
 ---
-apiVersion: dp.wso2.com/v1alpha2
-kind: Authentication
-metadata:
- name: resource-level-jwt-authentication-1
- namespace: gateway-integration-test-infra
-spec:
- override:
- disabled: false
- authTypes:
- jwt:
- disabled: false
- audience:
- - "test"
- targetRef:
- kind: Resource
- name: resource-level-jwt
- group: gateway.networking.k8s.io
- namespace: gateway-integration-test-infra
----
-apiVersion: dp.wso2.com/v1alpha2
-kind: Authentication
-metadata:
- name: resource-level-jwt-authentication-2
- namespace: gateway-integration-test-infra
-spec:
- override:
- disabled: false
- authTypes:
- jwt:
- disabled: false
- audience:
- - "aud1"
- targetRef:
- kind: Resource
- name: resource-level-jwt
- group: gateway.networking.k8s.io
- namespace: gateway-integration-test-infra
----
 apiVersion: dp.wso2.com/v1alpha1
 kind: Backend
 metadata:
From 88a8bdb658f4ffcfc681a6d358ebe14dbea8d45a Mon Sep 17 00:00:00 2001
From: Tharsanan1 Date: Tue, 5 Mar 2024 17:25:55 +0530 Subject: [PATCH 4/4] Revert "Add JWT authentication" This reverts commit 43b28a6ac577b250fd5454bb2117c6254168f82f. --- .../discovery/api/api_authentication.proto | 13 +- .../internal/oasparser/config_generator.go | 16 +- .../internal/oasparser/model/api_operation.go | 7 +- .../internal/oasparser/model/http_route.go | 23 +- .../discovery/api/api_authentication.pb.go | 161 +++--- .../dp/v1alpha1/authentication_conversion.go | 28 - .../apis/dp/v1alpha2/authentication_types.go | 24 +- .../apis/dp/v1alpha2/zz_generated.deepcopy.go | 42 +- .../bases/dp.wso2.com_authentications.yaml | 78 +-- .../commons/dto/JWTValidationInfo.java | 10 - .../commons/model/AuthenticationConfig.java | 11 - .../model/JWTAuthenticationConfig.java | 12 +- .../model/Oauth2AuthenticationConfig.java | 40 -- .../java/org/wso2/apk/enforcer/api/Utils.java | 55 +- .../discovery/api/APIAuthentication.java | 188 +++---- .../api/APIAuthenticationOrBuilder.java | 16 +- .../discovery/api/APIAuthenticationProto.java | 47 +- .../wso2/apk/enforcer/discovery/api/JWT.java | 195 ------- .../enforcer/discovery/api/JWTOrBuilder.java | 25 - .../discovery/api/Oauth2OrBuilder.java | 39 -- .../api/{Oauth2.java => TestConsoleKey.java} | 132 ++--- .../apk/enforcer/security/AuthFilter.java | 19 +- .../jwt/InternalAPIKeyAuthenticator.java | 312 +++++++++++ .../security/jwt/JWTAuthenticator.java | 61 +-- .../security/jwt/Oauth2Authenticator.java | 516 ------------------ .../security/jwt/validator/JWTValidator.java | 1 - ...lidatorTest.java => JWTValidatorTest.java} | 80 +-- .../crds/dp.wso2.com_authentications.yaml | 78 +-- .../integration/tests/custom-auth-header.go | 35 +- .../tests/jwt-api-level-security-test.go | 107 ---- .../tests/jwt-resource-level-security-test.go | 106 ---- .../resources/tests/custom-auth-header.yaml | 7 +- .../tests/jwt-api-level-security.yaml | 83 --- .../tests/jwt-resource-level-security.yaml | 89 --- .../integration/utils/http/helpers.go | 9 
- test/integration/scripts/run-tests.sh | 2 - test/integration/scripts/setup-hosts.sh | 2 - 37 files changed, 788 insertions(+), 1881 deletions(-) delete mode 100644 gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java delete mode 100644 gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2OrBuilder.java rename gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/{Oauth2.java => TestConsoleKey.java} (78%) create mode 100644 gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java delete mode 100644 gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java rename gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/{Oauth2ValidatorTest.java => JWTValidatorTest.java} (92%) delete mode 100644 test/integration/integration/tests/jwt-api-level-security-test.go delete mode 100644 test/integration/integration/tests/jwt-resource-level-security-test.go delete mode 100644 test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml delete mode 100644 test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml
diff --git a/adapter/api/proto/wso2/discovery/api/api_authentication.proto b/adapter/api/proto/wso2/discovery/api/api_authentication.proto
index 32f0c894d..efbff0caf 100644
--- a/adapter/api/proto/wso2/discovery/api/api_authentication.proto
+++ b/adapter/api/proto/wso2/discovery/api/api_authentication.proto
@@ -35,17 +35,16 @@ message APIKey {
 message JWT {
 string header = 1; // name of the header containing the JWT
 bool sendTokenToUpstream = 2; // send the token to upstream
- repeated string audience = 3;
-}
-
-message Oauth2 {
- string header = 1; // name of the header containing the JWT
- bool sendTokenToUpstream = 2; // send the token to upstream
 }
 message APIAuthentication {
 bool disabled = 1; // disable authentication
 JWT jwt = 2;
 repeated APIKey apikey = 3;
- Oauth2 Oauth2 = 4;
+ TestConsoleKey testConsoleKey = 4;
+}
+
+message TestConsoleKey {
+ string header = 1; // name of the header containing the test key
+ bool sendTokenToUpstream = 2; // send the token to upstream
 }
diff --git a/adapter/internal/oasparser/config_generator.go b/adapter/internal/oasparser/config_generator.go
index 9650162f6..e5fc9314d 100644
--- a/adapter/internal/oasparser/config_generator.go
+++ b/adapter/internal/oasparser/config_generator.go
@@ -258,7 +258,6 @@ func castAPIAuthenticationsToEnforcerAPIAuthentications(authentication *model.Au
 enforcerAuthentication.Jwt = &api.JWT{
 Header: strings.ToLower(authentication.JWT.Header),
 SendTokenToUpstream: authentication.JWT.SendTokenToUpstream,
- Audience: authentication.JWT.Audience,
 }
 }
 var apiKeys []*api.APIKey
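Review bot: `repeated string audience = 3;` is removed from `JWT` without reserving the field number, and tag 4 of `APIAuthentication` changes its message type from `Oauth2` to `TestConsoleKey`; a later change that reuses tag 3 in `JWT` for a different field would decode data produced by the previous schema into the wrong place without any error. Add `reserved 3;` and `reserved "audience";` to `JWT`. The tag-4 swap is wire-compatible only because both messages carry the same two fields with the same numbers, which is worth a comment on `testConsoleKey` so nobody adds a field to one side without the other.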
@@ -274,12 +273,19 @@ func castAPIAuthenticationsToEnforcerAPIAuthentications(authentication *model.Au
 })
 }
 enforcerAuthentication.Apikey = apiKeys
- if authentication.Oauth2 != nil {
- enforcerAuthentication.Oauth2 = &api.Oauth2{
- Header: strings.ToLower(authentication.Oauth2.Header),
- SendTokenToUpstream: authentication.Oauth2.SendTokenToUpstream,
+ if authentication.TestConsoleKey != nil {
+ enforcerAuthentication.TestConsoleKey = &api.TestConsoleKey{
+ Header: strings.ToLower(authentication.TestConsoleKey.Header),
+ SendTokenToUpstream: authentication.TestConsoleKey.SendTokenToUpstream,
 }
 }
+ if authentication.TestConsoleKey != nil {
+ enforcerAuthentication.TestConsoleKey = &api.TestConsoleKey{
+ Header: strings.ToLower(authentication.TestConsoleKey.Header),
+ SendTokenToUpstream: authentication.TestConsoleKey.SendTokenToUpstream,
+ }
+ }
+
 return enforcerAuthentication
 }
diff --git a/adapter/internal/oasparser/model/api_operation.go b/adapter/internal/oasparser/model/api_operation.go
index d26dde0f2..a3d228544 100644
--- a/adapter/internal/oasparser/model/api_operation.go
+++ b/adapter/internal/oasparser/model/api_operation.go
@@ -50,18 +50,17 @@ type Authentication struct {
 Disabled bool
 JWT *JWT
 APIKey []APIKey
- Oauth2 *Oauth2
+ TestConsoleKey *TestConsoleKey
 }
 // JWT holds JWT related configurations
 type JWT struct {
 Header string
 SendTokenToUpstream bool
- Audience []string
 }
-// Oauth2 holds Oauth2 related configurations
-type Oauth2 struct {
+// TestConsoleKey holds testkey related configurations
+type TestConsoleKey struct {
 Header string
 SendTokenToUpstream bool
 }
diff --git a/adapter/internal/oasparser/model/http_route.go b/adapter/internal/oasparser/model/http_route.go
index b560aecbc..11fb078d7 100644
--- a/adapter/internal/oasparser/model/http_route.go
+++ b/adapter/internal/oasparser/model/http_route.go
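Review bot: The `if authentication.TestConsoleKey != nil { ... }` block appears twice in a row on the new side of the first hunk; the second copy re-assigns `enforcerAuthentication.TestConsoleKey` with an identical value and should be deleted, leaving the single block before `return enforcerAuthentication`. It is harmless today, but a duplicate like this is exactly where a later edit to one copy and not the other produces an inconsistent `TestConsoleKey` header. `castAPIAuthenticationsToEnforcerAPIAuthentications` starts before this hunk.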
@@ -19,6 +19,7 @@ package model
 import (
 "github.com/google/uuid"
+ "github.com/wso2/apk/adapter/internal/loggers"
 "github.com/wso2/apk/adapter/internal/oasparser/constants"
 "github.com/wso2/apk/adapter/internal/operator/utils"
 dpv1alpha1 "github.com/wso2/apk/common-go-libs/apis/dp/v1alpha1"
@@ -233,28 +234,19 @@ func getSecurity(authScheme *dpv1alpha2.Authentication) *Authentication {
 sendTokenToUpstream = authScheme.Spec.Override.AuthTypes.Oauth2.SendTokenToUpstream
 }
 auth := &Authentication{Disabled: false,
- Oauth2: &Oauth2{Header: authHeader, SendTokenToUpstream: sendTokenToUpstream},
+ TestConsoleKey: &TestConsoleKey{Header: constants.TestConsoleKeyHeader},
+ JWT: &JWT{Header: authHeader, SendTokenToUpstream: sendTokenToUpstream},
 }
 if authScheme != nil && authScheme.Spec.Override != nil {
 if authScheme.Spec.Override.Disabled != nil && *authScheme.Spec.Override.Disabled {
 return &Authentication{Disabled: true}
 }
 authFound := false
- if authScheme.Spec.Override.AuthTypes != nil && !authScheme.Spec.Override.AuthTypes.Oauth2.Disabled {
- authFound = true
- } else {
- auth = &Authentication{Disabled: false}
- }
- if authScheme.Spec.Override.AuthTypes != nil && authScheme.Spec.Override.AuthTypes.JWT.Disabled != nil && !*authScheme.Spec.Override.AuthTypes.JWT.Disabled {
- audience := make([]string, 0)
- if len(authScheme.Spec.Override.AuthTypes.JWT.Audience) > 0 {
- audience = authScheme.Spec.Override.AuthTypes.JWT.Audience
+ if authScheme.Spec.Override.AuthTypes != nil && authScheme.Spec.Override.AuthTypes.Oauth2.Disabled {
+ auth = &Authentication{Disabled: false,
+ TestConsoleKey: &TestConsoleKey{Header: constants.TestConsoleKeyHeader},
 }
- jwtHeader := constants.TestConsoleKeyHeader
- if len(authScheme.Spec.Override.AuthTypes.JWT.Header) > 0 {
- jwtHeader = authScheme.Spec.Override.AuthTypes.JWT.Header
- }
- auth.JWT = &JWT{Header: jwtHeader, SendTokenToUpstream: sendTokenToUpstream, Audience: audience}
+ } else {
 authFound = true
 }
 if authScheme.Spec.Override.AuthTypes != nil && authScheme.Spec.Override.AuthTypes.APIKey != nil {
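Review bot: In the new branch taken when `AuthTypes.Oauth2.Disabled` is true, `auth` is rebuilt with only `TestConsoleKey` but `authFound` is left false, so unless the API-key branch (whose body continues past this hunk) sets it, the function later hits `if !authFound` and returns `Authentication{Disabled: true}`, discarding the test-console-key-only config; disabling OAuth2 on a resource with no API key then turns authentication off entirely rather than leaving the test key in place. If that is intended, a comment on the branch saying so would help; if not, `authFound = true` belongs in that branch as well. Note also that the `else` branch sets `authFound = true` when `AuthTypes` is nil, keeping the default JWT plus test-console-key pair, and that `authScheme.Spec.Override.AuthTypes.Oauth2.SendTokenToUpstream` is read in the context line above the `authScheme != nil && authScheme.Spec.Override != nil` guard, which is only safe if an equivalent check precedes it outside the hunk.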
@@ -270,6 +262,7 @@ func getSecurity(authScheme *dpv1alpha2.Authentication) *Authentication {
 auth.APIKey = apiKeys
 }
 if !authFound {
+ loggers.LoggerOasparser.Debug("Disabled security.")
 return &Authentication{Disabled: true}
 }
 }
diff --git a/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go b/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go
index be0fb06e1..4f0c0bd78 100644
--- a/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go
+++ b/adapter/pkg/discovery/api/wso2/discovery/api/api_authentication.pb.go
@@ -105,9 +105,8 @@ type JWT struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the JWT - SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream - Audience []string `protobuf:"bytes,3,rep,name=audience,proto3" json:"audience,omitempty"` + Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the JWT + SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream } func (x *JWT) Reset() {
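Review bot: The new `loggers.LoggerOasparser.Debug("Disabled security.")` sits on the branch that returns `Authentication{Disabled: true}`, i.e. the point where a resource ends up with no authenticator at all, yet it is logged at debug level with a fixed message and nothing identifying which `Authentication` resource caused it. A security-relevant fallback like this deserves a level that is on in default deployments and an identifier in the message, e.g. the resource's name and namespace from `authScheme` (presumably reachable through its object metadata, which I cannot confirm from the hunk). `getSecurity` starts before this hunk.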
@@ -156,24 +155,19 @@ func (x *JWT) GetSendTokenToUpstream() bool { return false } -func (x *JWT) GetAudience() []string { - if x != nil { - return x.Audience - } - return nil -} - -type Oauth2 struct { +type APIAuthentication struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the JWT - SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream + Disabled bool `protobuf:"varint,1,opt,name=disabled,proto3" json:"disabled,omitempty"` // disable authentication + Jwt *JWT `protobuf:"bytes,2,opt,name=jwt,proto3" json:"jwt,omitempty"` + Apikey []*APIKey `protobuf:"bytes,3,rep,name=apikey,proto3" json:"apikey,omitempty"` + TestConsoleKey *TestConsoleKey `protobuf:"bytes,4,opt,name=testConsoleKey,proto3" json:"testConsoleKey,omitempty"` } -func (x *Oauth2) Reset() { - *x = Oauth2{} +func (x *APIAuthentication) Reset() { + *x = APIAuthentication{} if protoimpl.UnsafeEnabled { mi := &file_wso2_discovery_api_api_authentication_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -181,13 +175,13 @@ func (x *Oauth2) Reset() { } } -func (x *Oauth2) String() string { +func (x *APIAuthentication) String() string { return protoimpl.X.MessageStringOf(x) } -func (*Oauth2) ProtoMessage() {} +func (*APIAuthentication) ProtoMessage() {} -func (x *Oauth2) ProtoReflect() protoreflect.Message { +func (x *APIAuthentication) ProtoReflect() protoreflect.Message { mi := &file_wso2_discovery_api_api_authentication_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -199,38 +193,50 @@ func (x *Oauth2) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use Oauth2.ProtoReflect.Descriptor instead. -func (*Oauth2) Descriptor() ([]byte, []int) { +// Deprecated: Use APIAuthentication.ProtoReflect.Descriptor instead. +func (*APIAuthentication) Descriptor() ([]byte, []int) { return file_wso2_discovery_api_api_authentication_proto_rawDescGZIP(), []int{2} } -func (x *Oauth2) GetHeader() string { +func (x *APIAuthentication) GetDisabled() bool { if x != nil { - return x.Header + return x.Disabled } - return "" + return false } -func (x *Oauth2) GetSendTokenToUpstream() bool { +func (x *APIAuthentication) GetJwt() *JWT { if x != nil { - return x.SendTokenToUpstream + return x.Jwt } - return false + return nil } -type APIAuthentication struct { +func (x *APIAuthentication) GetApikey() []*APIKey { + if x != nil { + return x.Apikey + } + return nil +} + +func (x *APIAuthentication) GetTestConsoleKey() *TestConsoleKey { + if x != nil { + return x.TestConsoleKey + } + return nil +} + +type TestConsoleKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Disabled bool `protobuf:"varint,1,opt,name=disabled,proto3" json:"disabled,omitempty"` // disable authentication - Jwt *JWT `protobuf:"bytes,2,opt,name=jwt,proto3" json:"jwt,omitempty"` - Apikey []*APIKey `protobuf:"bytes,3,rep,name=apikey,proto3" json:"apikey,omitempty"` - Oauth2 *Oauth2 `protobuf:"bytes,4,opt,name=Oauth2,proto3" json:"Oauth2,omitempty"` + Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // name of the header containing the test key + SendTokenToUpstream bool `protobuf:"varint,2,opt,name=sendTokenToUpstream,proto3" json:"sendTokenToUpstream,omitempty"` // send the token to upstream } -func (x *APIAuthentication) Reset() { - *x = APIAuthentication{} +func (x *TestConsoleKey) Reset() { + *x = TestConsoleKey{} if protoimpl.UnsafeEnabled { mi := 
&file_wso2_discovery_api_api_authentication_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -238,13 +244,13 @@ func (x *APIAuthentication) Reset() { } } -func (x *APIAuthentication) String() string { +func (x *TestConsoleKey) String() string { return protoimpl.X.MessageStringOf(x) } -func (*APIAuthentication) ProtoMessage() {} +func (*TestConsoleKey) ProtoMessage() {} -func (x *APIAuthentication) ProtoReflect() protoreflect.Message { +func (x *TestConsoleKey) ProtoReflect() protoreflect.Message { mi := &file_wso2_discovery_api_api_authentication_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -256,37 +262,23 @@ func (x *APIAuthentication) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use APIAuthentication.ProtoReflect.Descriptor instead. -func (*APIAuthentication) Descriptor() ([]byte, []int) { +// Deprecated: Use TestConsoleKey.ProtoReflect.Descriptor instead. +func (*TestConsoleKey) Descriptor() ([]byte, []int) { return file_wso2_discovery_api_api_authentication_proto_rawDescGZIP(), []int{3} } -func (x *APIAuthentication) GetDisabled() bool { - if x != nil { - return x.Disabled - } - return false -} - -func (x *APIAuthentication) GetJwt() *JWT { - if x != nil { - return x.Jwt - } - return nil -} - -func (x *APIAuthentication) GetApikey() []*APIKey { +func (x *TestConsoleKey) GetHeader() string { if x != nil { - return x.Apikey + return x.Header } - return nil + return "" } -func (x *APIAuthentication) GetOauth2() *Oauth2 { +func (x *TestConsoleKey) GetSendTokenToUpstream() bool { if x != nil { - return x.Oauth2 + return x.SendTokenToUpstream } - return nil + return false } var File_wso2_discovery_api_api_authentication_proto protoreflect.FileDescriptor 
@@ -302,19 +294,12 @@ var file_wso2_discovery_api_api_authentication_proto_rawDesc = []byte{ 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, - 0x6d, 0x22, 0x6b, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, + 0x6d, 0x22, 0x4f, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, - 0x61, 0x6d, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x03, - 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x52, - 0x0a, 0x06, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, - 0x12, 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, - 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, - 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, - 0x61, 0x6d, 0x22, 0xc2, 0x01, 0x0a, 0x11, 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, + 0x61, 0x6d, 0x22, 0xda, 0x01, 0x0a, 0x11, 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 
0x52, 0x08, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x29, 0x0a, 0x03, 0x6a, 0x77, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 
@@ -323,18 +308,26 @@ var file_wso2_discovery_api_api_authentication_proto_rawDesc = []byte{ 0x32, 0x0a, 0x06, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x50, 0x49, 0x4b, 0x65, 0x79, 0x52, 0x06, 0x61, 0x70, 0x69, - 0x6b, 0x65, 0x79, 0x12, 0x32, 0x0a, 0x06, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, - 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x52, - 0x06, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x42, 0x7e, 0x0a, 0x23, 0x6f, 0x72, 0x67, 0x2e, 0x77, - 0x73, 0x6f, 0x32, 0x2e, 0x61, 0x70, 0x6b, 0x2e, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, - 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, 0x42, 0x16, - 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, - 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, - 0x2f, 0x77, 0x73, 0x6f, 0x32, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2f, - 0x61, 0x70, 0x69, 0x3b, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6b, 0x65, 0x79, 0x12, 0x4a, 0x0a, 0x0e, 0x74, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 0x6f, + 0x6c, 0x65, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x77, 0x73, + 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, 0x70, 0x69, + 0x2e, 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x4b, 0x65, 0x79, 0x52, + 0x0e, 0x74, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 
0x6f, 0x6c, 0x65, 0x4b, 0x65, 0x79, 0x22, + 0x5a, 0x0a, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x4b, 0x65, + 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x30, 0x0a, 0x13, 0x73, 0x65, 0x6e, + 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x73, 0x65, 0x6e, 0x64, 0x54, 0x6f, 0x6b, 0x65, + 0x6e, 0x54, 0x6f, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x42, 0x7e, 0x0a, 0x23, 0x6f, + 0x72, 0x67, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x61, 0x70, 0x6b, 0x2e, 0x65, 0x6e, 0x66, 0x6f, + 0x72, 0x63, 0x65, 0x72, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x61, + 0x70, 0x69, 0x42, 0x16, 0x41, 0x50, 0x49, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, + 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d, 0x70, + 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x77, 0x73, 0x6f, 0x32, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, + 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x3b, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( 
@@ -353,13 +346,13 @@ var file_wso2_discovery_api_api_authentication_proto_msgTypes = make([]protoimpl var file_wso2_discovery_api_api_authentication_proto_goTypes = []interface{}{ (*APIKey)(nil), // 0: wso2.discovery.api.APIKey (*JWT)(nil), // 1: wso2.discovery.api.JWT - (*Oauth2)(nil), // 2: wso2.discovery.api.Oauth2 - (*APIAuthentication)(nil), // 3: wso2.discovery.api.APIAuthentication + (*APIAuthentication)(nil), // 2: wso2.discovery.api.APIAuthentication + (*TestConsoleKey)(nil), // 3: wso2.discovery.api.TestConsoleKey } var file_wso2_discovery_api_api_authentication_proto_depIdxs = []int32{ 1, // 0: wso2.discovery.api.APIAuthentication.jwt:type_name -> wso2.discovery.api.JWT 0, // 1: wso2.discovery.api.APIAuthentication.apikey:type_name -> wso2.discovery.api.APIKey - 2, // 2: wso2.discovery.api.APIAuthentication.Oauth2:type_name -> wso2.discovery.api.Oauth2 + 3, // 2: wso2.discovery.api.APIAuthentication.testConsoleKey:type_name -> wso2.discovery.api.TestConsoleKey 3, // [3:3] is the sub-list for method output_type 3, // [3:3] is the sub-list for method input_type 3, // [3:3] is the sub-list for extension type_name @@ -398,7 +391,7 @@ func file_wso2_discovery_api_api_authentication_proto_init() { } } file_wso2_discovery_api_api_authentication_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Oauth2); i { + switch v := v.(*APIAuthentication); i { case 0: return &v.state case 1: @@ -410,7 +403,7 @@ func file_wso2_discovery_api_api_authentication_proto_init() { } } file_wso2_discovery_api_api_authentication_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*APIAuthentication); i { + switch v := v.(*TestConsoleKey); i { case 0: return &v.state case 1: diff --git a/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go b/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go index e9f28d11d..b60287f24 100644 --- a/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go 
+++ b/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go @@ -71,22 +71,6 @@ func (src *Authentication) ConvertTo(dstRaw conversion.Hub) error { dst.Spec.Override.AuthTypes.APIKey = append(dst.Spec.Override.AuthTypes.APIKey, convertedAPIKeyAuth) } - // Convert testConsoleKey Override to v1alpha2.JWT - if src.Spec.Override.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { - dst.Spec.Override.AuthTypes.JWT = v1alpha2.JWT{ - Header: src.Spec.Override.AuthTypes.TestConsoleKey.Header, - SendTokenToUpstream: src.Spec.Override.AuthTypes.TestConsoleKey.SendTokenToUpstream, - } - } - - // Convert testConsoleKey Default to v1alpha2.JWT - if src.Spec.Default.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { - dst.Spec.Default.AuthTypes.JWT = v1alpha2.JWT{ - Header: src.Spec.Default.AuthTypes.TestConsoleKey.Header, - SendTokenToUpstream: src.Spec.Default.AuthTypes.TestConsoleKey.SendTokenToUpstream, - } - } - // Status dst.Status = v1alpha2.AuthenticationStatus(src.Status) @@ -134,18 +118,6 @@ func (src *Authentication) ConvertFrom(srcRaw conversion.Hub) error { src.Spec.Override.AuthTypes.APIKey = append(src.Spec.Override.AuthTypes.APIKey, convertedAPIKeyAuth) } - // Convert testConsoleKey Override to v1alpha1.TestConsoleKey - src.Spec.Override.AuthTypes.TestConsoleKey = TestConsoleKeyAuth{ - Header: dst.Spec.Override.AuthTypes.JWT.Header, - SendTokenToUpstream: dst.Spec.Override.AuthTypes.JWT.SendTokenToUpstream, - } - - // Convert testConsoleKey Default to v1alpha1.TestConsoleKey - src.Spec.Default.AuthTypes.TestConsoleKey = TestConsoleKeyAuth{ - Header: dst.Spec.Default.AuthTypes.JWT.Header, - SendTokenToUpstream: dst.Spec.Default.AuthTypes.JWT.SendTokenToUpstream, - } - // Status src.Status = AuthenticationStatus(dst.Status) return nil diff --git a/common-go-libs/apis/dp/v1alpha2/authentication_types.go b/common-go-libs/apis/dp/v1alpha2/authentication_types.go index c0eb99d3e..b3000fec1 100644 --- a/common-go-libs/apis/dp/v1alpha2/authentication_types.go 
+++ b/common-go-libs/apis/dp/v1alpha2/authentication_types.go @@ -55,10 +55,10 @@ type APIAuth struct { // +nullable APIKey []APIKeyAuth `json:"apiKey,omitempty"` - // JWT is to specify the JWT authentication scheme details + // TestConsoleKey is to specify the Test Console Key authentication scheme details // // +optional - JWT JWT `json:"jwt,omitempty"` + TestConsoleKey TestConsoleKeyAuth `json:"testConsoleKey,omitempty"` // MutualSSL is to specify the features and certificates for mutual SSL // @@ -91,31 +91,19 @@ type MutualSSLConfig struct { ConfigMapRefs []*RefConfig `json:"configMapRefs,omitempty"` } -// JWT Json Web Token Authentication scheme details -type JWT struct { - - // Disabled is to disable JWT authentication - // - // +kubebuilder:default=true - // +optional - Disabled *bool `json:"disabled"` - - // Header is the header name used to pass the JWT +// TestConsoleKeyAuth Test Console Key Authentication scheme details +type TestConsoleKeyAuth struct { + // Header is the header name used to pass the Test Console Key // // +kubebuilder:default:=internal-key // +optional // +kubebuilder:validation:MinLength=1 Header string `json:"header,omitempty"` - // SendTokenToUpstream is to specify whether the JWT should be sent to the upstream + // SendTokenToUpstream is to specify whether the Test Console Key should be sent to the upstream // // +optional SendTokenToUpstream bool `json:"sendTokenToUpstream,omitempty"` - - // Audience who can invoke a corresponding API - // - // +optional - Audience []string `json:"audience,omitempty"` } // Oauth2Auth OAuth2 Authentication scheme details diff --git a/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go b/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go index 0400f7780..9f683a179 100644 --- a/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go +++ b/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go 
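Review bot: The new `TestConsoleKey TestConsoleKeyAuth` field added to `APIAuth` in the first hunk of this file has no conversion path visible in this patch: the two hunks in authentication_conversion.go delete the `TestConsoleKey` handling from both `ConvertTo` and `ConvertFrom` without adding anything in its place, so unless the parts of those functions outside the hunks already copy the field, a v1alpha1 Authentication with `testConsoleKey` set would lose its `header` and `sendTokenToUpstream` when converted to the hub version — which quietly changes which header the gateway reads the internal key from. Please confirm against the full bodies of `ConvertTo`/`ConvertFrom` (both start and end outside their hunks) and, if the field is not copied there, add an explicit field-by-field copy for the Override and Default blocks in both directions, mirroring the removed code but targeting `v1alpha2.TestConsoleKeyAuth` instead of `v1alpha2.JWT`. Separately, the `+kubebuilder:default:=internal-key` marker on `Header` uses the `:=` form while the surrounding markers use `=`; controller-gen accepts both, but one form per file reads better.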
@@ -64,7 +64,7 @@ func (in *APIAuth) DeepCopyInto(out *APIAuth) { *out = make([]APIKeyAuth, len(*in)) copy(*out, *in) } - in.JWT.DeepCopyInto(&out.JWT) + out.TestConsoleKey = in.TestConsoleKey if in.MutualSSL != nil { in, out := &in.MutualSSL, &out.MutualSSL *out = new(MutualSSLConfig) @@ -766,31 +766,6 @@ func (in *JWKS) DeepCopy() *JWKS { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *JWT) DeepCopyInto(out *JWT) { - *out = *in - if in.Disabled != nil { - in, out := &in.Disabled, &out.Disabled - *out = new(bool) - **out = **in - } - if in.Audience != nil { - in, out := &in.Audience, &out.Audience - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWT. -func (in *JWT) DeepCopy() *JWT { - if in == nil { - return nil - } - out := new(JWT) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MutualSSL) DeepCopyInto(out *MutualSSL) { *out = *in @@ -964,6 +939,21 @@ func (in *SignatureValidation) DeepCopy() *SignatureValidation { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TestConsoleKeyAuth) DeepCopyInto(out *TestConsoleKeyAuth) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestConsoleKeyAuth. +func (in *TestConsoleKeyAuth) DeepCopy() *TestConsoleKeyAuth { + if in == nil { + return nil + } + out := new(TestConsoleKeyAuth) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer) { *out = *in 
diff --git a/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml b/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml index 784a583d6..1418de8c2 100644 --- a/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml +++ b/common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml @@ -275,30 +275,6 @@ spec: type: object nullable: true type: array - jwt: - description: JWT is to specify the JWT authentication scheme - details - properties: - audience: - description: Audience who can invoke a corresponding API - items: - type: string - type: array - disabled: - default: true - description: Disabled is to disable JWT authentication - type: boolean - header: - default: internal-key - description: Header is the header name used to pass the - JWT - minLength: 1 - type: string - sendTokenToUpstream: - description: SendTokenToUpstream is to specify whether - the JWT should be sent to the upstream - type: boolean - type: object mtls: description: MutualSSL is to specify the features and certificates for mutual SSL @@ -388,6 +364,21 @@ spec: the OAuth2 token should be sent to the upstream type: boolean type: object + testConsoleKey: + description: TestConsoleKey is to specify the Test Console + Key authentication scheme details + properties: + header: + default: internal-key + description: Header is the header name used to pass the + Test Console Key + minLength: 1 + type: string + sendTokenToUpstream: + description: SendTokenToUpstream is to specify whether + the Test Console Key should be sent to the upstream + type: boolean + type: object type: object disabled: description: Disabled is to disable all authentications 
@@ -426,30 +417,6 @@ spec: type: object nullable: true type: array - jwt: - description: JWT is to specify the JWT authentication scheme - details - properties: - audience: - description: Audience who can invoke a corresponding API - items: - type: string - type: array - disabled: - default: true - description: Disabled is to disable JWT authentication - type: boolean - header: - default: internal-key - description: Header is the header name used to pass the - JWT - minLength: 1 - type: string - sendTokenToUpstream: - description: SendTokenToUpstream is to specify whether - the JWT should be sent to the upstream - type: boolean - type: object mtls: description: MutualSSL is to specify the features and certificates for mutual SSL @@ -539,6 +506,21 @@ spec: the OAuth2 token should be sent to the upstream type: boolean type: object + testConsoleKey: + description: TestConsoleKey is to specify the Test Console + Key authentication scheme details + properties: + header: + default: internal-key + description: Header is the header name used to pass the + Test Console Key + minLength: 1 + type: string + sendTokenToUpstream: + description: SendTokenToUpstream is to specify whether + the Test Console Key should be sent to the upstream + type: boolean + type: object type: object disabled: description: Disabled is to disable all authentications diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java index ed818a6f2..dc8259a97 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java +++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/dto/JWTValidationInfo.java 
@@ -42,7 +42,6 @@ public class JWTValidationInfo implements Serializable { private String identifier; private JWTClaimsSet jwtClaimsSet; private String token; - private List audience = new ArrayList<>(); public JWTValidationInfo() { @@ -58,15 +57,6 @@ public JWTValidationInfo(JWTValidationInfo jwtValidationInfo) { this.claims = jwtValidationInfo.getClaims(); this.validationCode = jwtValidationInfo.getValidationCode(); this.keyManager = jwtValidationInfo.getKeyManager(); - this.audience = jwtValidationInfo.audience; - } - - public List getAudience() { - return audience; - } - - public void setAudience(List audience) { - this.audience = audience; } public String getToken() { diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java index b0c5ff67f..ade16982d 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java +++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/AuthenticationConfig.java @@ -24,7 +24,6 @@ public class AuthenticationConfig { private JWTAuthenticationConfig jwtAuthenticationConfig; private List apiKeyAuthenticationConfigs; private InternalKeyConfig internalKeyConfig; - private Oauth2AuthenticationConfig oauth2AuthenticationConfig; private boolean Disabled; public JWTAuthenticationConfig getJwtAuthenticationConfig() { 
@@ -58,14 +57,4 @@ public InternalKeyConfig getInternalKeyConfig() { public void setInternalKeyConfig(InternalKeyConfig internalKeyConfig) { this.internalKeyConfig = internalKeyConfig; } - - public Oauth2AuthenticationConfig getOauth2AuthenticationConfig() { - - return oauth2AuthenticationConfig; - } - - public void setOauth2AuthenticationConfig(Oauth2AuthenticationConfig oauth2AuthenticationConfig) { - - this.oauth2AuthenticationConfig = oauth2AuthenticationConfig; - } } diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java index ddc5db695..b222e2f6c 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java +++ b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/JWTAuthenticationConfig.java @@ -18,12 +18,10 @@ package org.wso2.apk.enforcer.commons.model; -import java.util.ArrayList; - public class JWTAuthenticationConfig { private String Header; private boolean sendTokenToUpstream; - private ArrayList audience; + public String getHeader() { return Header; } @@ -39,12 +37,4 @@ public boolean isSendTokenToUpstream() { public void setSendTokenToUpstream(boolean sendTokenToUpstream) { this.sendTokenToUpstream = sendTokenToUpstream; } - - public ArrayList getAudience() { - return audience; - } - - public void setAudience(ArrayList audience) { - this.audience = audience; - } } diff --git a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java b/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java deleted file mode 100644 index 0631c5c89..000000000 
--- a/gateway/enforcer/org.wso2.apk.enforcer.commons/src/main/java/org/wso2/apk/enforcer/commons/model/Oauth2AuthenticationConfig.java +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 LLC. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.wso2.apk.enforcer.commons.model; - -public class Oauth2AuthenticationConfig { - private String Header; - private boolean sendTokenToUpstream; - - public String getHeader() { - return Header; - } - - public void setHeader(String header) { - Header = header; - } - - public boolean isSendTokenToUpstream() { - return sendTokenToUpstream; - } - - public void setSendTokenToUpstream(boolean sendTokenToUpstream) { - this.sendTokenToUpstream = sendTokenToUpstream; - } -} diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java index b8b879d1c..8c2ee4e76 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java 
@@ -19,8 +19,8 @@ import org.wso2.apk.enforcer.commons.model.APIKeyAuthenticationConfig; import org.wso2.apk.enforcer.commons.model.AuthenticationConfig; +import org.wso2.apk.enforcer.commons.model.InternalKeyConfig; import org.wso2.apk.enforcer.commons.model.JWTAuthenticationConfig; -import org.wso2.apk.enforcer.commons.model.Oauth2AuthenticationConfig; import org.wso2.apk.enforcer.discovery.api.APIKey; import org.wso2.apk.enforcer.discovery.api.EndpointClusterConfig; import org.wso2.apk.enforcer.discovery.api.Operation; 
@@ -92,50 +92,35 @@ public static ResourceConfig buildResource(Operation operation, String resPath, AuthenticationConfig authenticationConfig = new AuthenticationConfig(); if (operation.hasApiAuthentication()) { authenticationConfig.setDisabled(operation.getApiAuthentication().getDisabled()); - if (operation.getApiAuthentication().hasOauth2()) { - Oauth2AuthenticationConfig oAuth2AuthenticationConfig = new Oauth2AuthenticationConfig(); - oAuth2AuthenticationConfig.setHeader(operation.getApiAuthentication().getOauth2().getHeader()); - oAuth2AuthenticationConfig.setSendTokenToUpstream(operation.getApiAuthentication().getOauth2() - .getSendTokenToUpstream()); - authenticationConfig.setOauth2AuthenticationConfig(oAuth2AuthenticationConfig); - } if (operation.getApiAuthentication().hasJwt()) { - JWTAuthenticationConfig jwtAuthenticationConfig = getJwtAuthenticationConfig(operation); + JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); + jwtAuthenticationConfig.setHeader(operation.getApiAuthentication().getJwt().getHeader()); + jwtAuthenticationConfig.setSendTokenToUpstream(operation.getApiAuthentication().getJwt() + .getSendTokenToUpstream()); authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig); } - List apiKeyAuthenticationConfigs = getApiKeyAuthenticationConfigs(operation); + List apiKeyAuthenticationConfigs = new ArrayList<>(); + for (APIKey apiKey : operation.getApiAuthentication().getApikeyList()) { + APIKeyAuthenticationConfig apiKeyAuthenticationConfig = new APIKeyAuthenticationConfig(); + apiKeyAuthenticationConfig.setIn(apiKey.getIn()); + apiKeyAuthenticationConfig.setName(apiKey.getName()); + apiKeyAuthenticationConfig.setSendTokenToUpstream(apiKey.getSendTokenToUpstream()); + apiKeyAuthenticationConfigs.add(apiKeyAuthenticationConfig); + } authenticationConfig.setApiKeyAuthenticationConfigs(apiKeyAuthenticationConfigs); + if(operation.getApiAuthentication().hasTestConsoleKey()) { + InternalKeyConfig 
internalKeyConfig = new InternalKeyConfig(); + internalKeyConfig.setSendTokenToUpstream(operation.getApiAuthentication().getTestConsoleKey() + .getSendTokenToUpstream()); + internalKeyConfig.setHeader(operation.getApiAuthentication().getTestConsoleKey().getHeader()); + authenticationConfig.setInternalKeyConfig(internalKeyConfig); + } } resource.setAuthenticationConfig(authenticationConfig); resource.setScopes(operation.getScopesList().toArray(new String[0])); return resource; } - private static List getApiKeyAuthenticationConfigs(Operation operation) { - List apiKeyAuthenticationConfigs = new ArrayList<>(); - for (APIKey apiKey : operation.getApiAuthentication().getApikeyList()) { - APIKeyAuthenticationConfig apiKeyAuthenticationConfig = new APIKeyAuthenticationConfig(); - apiKeyAuthenticationConfig.setIn(apiKey.getIn()); - apiKeyAuthenticationConfig.setName(apiKey.getName()); - apiKeyAuthenticationConfig.setSendTokenToUpstream(apiKey.getSendTokenToUpstream()); - apiKeyAuthenticationConfigs.add(apiKeyAuthenticationConfig); - } - return apiKeyAuthenticationConfigs; - } - - private static JWTAuthenticationConfig getJwtAuthenticationConfig(Operation operation) { - JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig(); - jwtAuthenticationConfig.setHeader(operation.getApiAuthentication().getJwt().getHeader()); - jwtAuthenticationConfig.setSendTokenToUpstream(operation.getApiAuthentication().getJwt() - .getSendTokenToUpstream()); - ArrayList audience = new ArrayList<>(); - for (int i = 0; i < operation.getApiAuthentication().getJwt().getAudienceCount(); i++) { - audience.add(operation.getApiAuthentication().getJwt().getAudience(i)); - } - jwtAuthenticationConfig.setAudience(audience); - return jwtAuthenticationConfig; - } - public static PolicyConfig genPolicyConfig(OperationPolicies operationPolicies) { PolicyConfig policyConfig = new PolicyConfig(); if (operationPolicies.getRequestCount() > 0) { 
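Review bot: The new `hasTestConsoleKey()` branch and the re-inlined JWT and API-key blocks repeat the `operation.getApiAuthentication()` getter chain nine times; hoisting it into one local (`APIAuthentication apiAuthentication = operation.getApiAuthentication();`, which needs an import of `org.wso2.apk.enforcer.discovery.api.APIAuthentication`) makes each mapping a single readable line and removes the need for the wrapped `.getSendTokenToUpstream()` continuations. The proto field is named `testConsoleKey` but is stored into `InternalKeyConfig`, which is the enforcer's internal-key authenticator; a one-line comment on that branch, `// the discovery proto's testConsoleKey is realised by the enforcer's internal-key authenticator`, would save the next reader a grep. Also `if(operation.getApiAuthentication().hasTestConsoleKey())` is missing the space after `if` that every other condition in this method has. `buildResource` begins above the hunk (its signature is in the hunk header) and `genPolicyConfig` at the end continues past it.
```java
        if (operation.hasApiAuthentication()) {
            APIAuthentication apiAuthentication = operation.getApiAuthentication();
            authenticationConfig.setDisabled(apiAuthentication.getDisabled());
            if (apiAuthentication.hasJwt()) {
                JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
                jwtAuthenticationConfig.setHeader(apiAuthentication.getJwt().getHeader());
                jwtAuthenticationConfig.setSendTokenToUpstream(apiAuthentication.getJwt().getSendTokenToUpstream());
                authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
            }
            List<APIKeyAuthenticationConfig> apiKeyAuthenticationConfigs = new ArrayList<>();
            for (APIKey apiKey : apiAuthentication.getApikeyList()) {
                // … unchanged: APIKeyAuthenticationConfig mapping …
            }
            authenticationConfig.setApiKeyAuthenticationConfigs(apiKeyAuthenticationConfigs);
            // the discovery proto's testConsoleKey is realised by the enforcer's internal-key authenticator
            if (apiAuthentication.hasTestConsoleKey()) {
                InternalKeyConfig internalKeyConfig = new InternalKeyConfig();
                internalKeyConfig.setSendTokenToUpstream(apiAuthentication.getTestConsoleKey().getSendTokenToUpstream());
                internalKeyConfig.setHeader(apiAuthentication.getTestConsoleKey().getHeader());
                authenticationConfig.setInternalKeyConfig(internalKeyConfig);
            }
        }
```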
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java index 439f65eb7..3c7df3b21 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthentication.java @@ -78,14 +78,14 @@ private APIAuthentication( break; } case 34: { - org.wso2.apk.enforcer.discovery.api.Oauth2.Builder subBuilder = null; - if (oauth2_ != null) { - subBuilder = oauth2_.toBuilder(); + org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder subBuilder = null; + if (testConsoleKey_ != null) { + subBuilder = testConsoleKey_.toBuilder(); } - oauth2_ = input.readMessage(org.wso2.apk.enforcer.discovery.api.Oauth2.parser(), extensionRegistry); + testConsoleKey_ = input.readMessage(org.wso2.apk.enforcer.discovery.api.TestConsoleKey.parser(), extensionRegistry); if (subBuilder != null) { - subBuilder.mergeFrom(oauth2_); - oauth2_ = subBuilder.buildPartial(); + subBuilder.mergeFrom(testConsoleKey_); + testConsoleKey_ = subBuilder.buildPartial(); } break; 
@@ -206,30 +206,30 @@ public org.wso2.apk.enforcer.discovery.api.APIKeyOrBuilder getApikeyOrBuilder( return apikey_.get(index); } - public static final int OAUTH2_FIELD_NUMBER = 4; - private org.wso2.apk.enforcer.discovery.api.Oauth2 oauth2_; + public static final int TESTCONSOLEKEY_FIELD_NUMBER = 4; + private org.wso2.apk.enforcer.discovery.api.TestConsoleKey testConsoleKey_; /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; - * @return Whether the oauth2 field is set. + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * @return Whether the testConsoleKey field is set. */ @java.lang.Override - public boolean hasOauth2() { - return oauth2_ != null; + public boolean hasTestConsoleKey() { + return testConsoleKey_ != null; } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; - * @return The oauth2. + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * @return The testConsoleKey. */ @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.Oauth2 getOauth2() { - return oauth2_ == null ? org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance() : oauth2_; + public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getTestConsoleKey() { + return testConsoleKey_ == null ? org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance() : testConsoleKey_; } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder getOauth2OrBuilder() { - return getOauth2(); + public org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder getTestConsoleKeyOrBuilder() { + return getTestConsoleKey(); } private byte memoizedIsInitialized = -1; 
@@ -255,8 +255,8 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) for (int i = 0; i < apikey_.size(); i++) { output.writeMessage(3, apikey_.get(i)); } - if (oauth2_ != null) { - output.writeMessage(4, getOauth2()); + if (testConsoleKey_ != null) { + output.writeMessage(4, getTestConsoleKey()); } unknownFields.writeTo(output); } @@ -279,9 +279,9 @@ public int getSerializedSize() { size += com.google.protobuf.CodedOutputStream .computeMessageSize(3, apikey_.get(i)); } - if (oauth2_ != null) { + if (testConsoleKey_ != null) { size += com.google.protobuf.CodedOutputStream - .computeMessageSize(4, getOauth2()); + .computeMessageSize(4, getTestConsoleKey()); } size += unknownFields.getSerializedSize(); memoizedSize = size; @@ -307,10 +307,10 @@ public boolean equals(final java.lang.Object obj) { } if (!getApikeyList() .equals(other.getApikeyList())) return false; - if (hasOauth2() != other.hasOauth2()) return false; - if (hasOauth2()) { - if (!getOauth2() - .equals(other.getOauth2())) return false; + if (hasTestConsoleKey() != other.hasTestConsoleKey()) return false; + if (hasTestConsoleKey()) { + if (!getTestConsoleKey() + .equals(other.getTestConsoleKey())) return false; } if (!unknownFields.equals(other.unknownFields)) return false; return true; @@ -334,9 +334,9 @@ public int hashCode() { hash = (37 * hash) + APIKEY_FIELD_NUMBER; hash = (53 * hash) + getApikeyList().hashCode(); } - if (hasOauth2()) { - hash = (37 * hash) + OAUTH2_FIELD_NUMBER; - hash = (53 * hash) + getOauth2().hashCode(); + if (hasTestConsoleKey()) { + hash = (37 * hash) + TESTCONSOLEKEY_FIELD_NUMBER; + hash = (53 * hash) + getTestConsoleKey().hashCode(); } hash = (29 * hash) + unknownFields.hashCode(); memoizedHashCode = hash; 
@@ -486,11 +486,11 @@ public Builder clear() { } else { apikeyBuilder_.clear(); } - if (oauth2Builder_ == null) { - oauth2_ = null; + if (testConsoleKeyBuilder_ == null) { + testConsoleKey_ = null; } else { - oauth2_ = null; - oauth2Builder_ = null; + testConsoleKey_ = null; + testConsoleKeyBuilder_ = null; } return this; } @@ -534,10 +534,10 @@ public org.wso2.apk.enforcer.discovery.api.APIAuthentication buildPartial() { } else { result.apikey_ = apikeyBuilder_.build(); } - if (oauth2Builder_ == null) { - result.oauth2_ = oauth2_; + if (testConsoleKeyBuilder_ == null) { + result.testConsoleKey_ = testConsoleKey_; } else { - result.oauth2_ = oauth2Builder_.build(); + result.testConsoleKey_ = testConsoleKeyBuilder_.build(); } onBuilt(); return result; @@ -619,8 +619,8 @@ public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.APIAuthentication o } } } - if (other.hasOauth2()) { - mergeOauth2(other.getOauth2()); + if (other.hasTestConsoleKey()) { + mergeTestConsoleKey(other.getTestConsoleKey()); } this.mergeUnknownFields(other.unknownFields); onChanged(); 
@@ -1054,123 +1054,123 @@ public org.wso2.apk.enforcer.discovery.api.APIKey.Builder addApikeyBuilder( return apikeyBuilder_; } - private org.wso2.apk.enforcer.discovery.api.Oauth2 oauth2_; + private org.wso2.apk.enforcer.discovery.api.TestConsoleKey testConsoleKey_; private com.google.protobuf.SingleFieldBuilderV3< - org.wso2.apk.enforcer.discovery.api.Oauth2, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder, org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder> oauth2Builder_; + org.wso2.apk.enforcer.discovery.api.TestConsoleKey, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder, org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder> testConsoleKeyBuilder_; /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; - * @return Whether the oauth2 field is set. + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * @return Whether the testConsoleKey field is set. */ - public boolean hasOauth2() { - return oauth2Builder_ != null || oauth2_ != null; + public boolean hasTestConsoleKey() { + return testConsoleKeyBuilder_ != null || testConsoleKey_ != null; } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; - * @return The oauth2. + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * @return The testConsoleKey. */ - public org.wso2.apk.enforcer.discovery.api.Oauth2 getOauth2() { - if (oauth2Builder_ == null) { - return oauth2_ == null ? org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance() : oauth2_; + public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getTestConsoleKey() { + if (testConsoleKeyBuilder_ == null) { + return testConsoleKey_ == null ? 
org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance() : testConsoleKey_; } else { - return oauth2Builder_.getMessage(); + return testConsoleKeyBuilder_.getMessage(); } } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ - public Builder setOauth2(org.wso2.apk.enforcer.discovery.api.Oauth2 value) { - if (oauth2Builder_ == null) { + public Builder setTestConsoleKey(org.wso2.apk.enforcer.discovery.api.TestConsoleKey value) { + if (testConsoleKeyBuilder_ == null) { if (value == null) { throw new NullPointerException(); } - oauth2_ = value; + testConsoleKey_ = value; onChanged(); } else { - oauth2Builder_.setMessage(value); + testConsoleKeyBuilder_.setMessage(value); } return this; } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ - public Builder setOauth2( - org.wso2.apk.enforcer.discovery.api.Oauth2.Builder builderForValue) { - if (oauth2Builder_ == null) { - oauth2_ = builderForValue.build(); + public Builder setTestConsoleKey( + org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder builderForValue) { + if (testConsoleKeyBuilder_ == null) { + testConsoleKey_ = builderForValue.build(); onChanged(); } else { - oauth2Builder_.setMessage(builderForValue.build()); + testConsoleKeyBuilder_.setMessage(builderForValue.build()); } return this; } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ - public Builder mergeOauth2(org.wso2.apk.enforcer.discovery.api.Oauth2 value) { - if (oauth2Builder_ == null) { - if (oauth2_ != null) { - oauth2_ = - org.wso2.apk.enforcer.discovery.api.Oauth2.newBuilder(oauth2_).mergeFrom(value).buildPartial(); + public Builder mergeTestConsoleKey(org.wso2.apk.enforcer.discovery.api.TestConsoleKey value) { + if (testConsoleKeyBuilder_ == null) { + if (testConsoleKey_ != null) { + testConsoleKey_ = + 
org.wso2.apk.enforcer.discovery.api.TestConsoleKey.newBuilder(testConsoleKey_).mergeFrom(value).buildPartial(); } else { - oauth2_ = value; + testConsoleKey_ = value; } onChanged(); } else { - oauth2Builder_.mergeFrom(value); + testConsoleKeyBuilder_.mergeFrom(value); } return this; } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ - public Builder clearOauth2() { - if (oauth2Builder_ == null) { - oauth2_ = null; + public Builder clearTestConsoleKey() { + if (testConsoleKeyBuilder_ == null) { + testConsoleKey_ = null; onChanged(); } else { - oauth2_ = null; - oauth2Builder_ = null; + testConsoleKey_ = null; + testConsoleKeyBuilder_ = null; } return this; } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ - public org.wso2.apk.enforcer.discovery.api.Oauth2.Builder getOauth2Builder() { + public org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder getTestConsoleKeyBuilder() { onChanged(); - return getOauth2FieldBuilder().getBuilder(); + return getTestConsoleKeyFieldBuilder().getBuilder(); } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ - public org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder getOauth2OrBuilder() { - if (oauth2Builder_ != null) { - return oauth2Builder_.getMessageOrBuilder(); + public org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder getTestConsoleKeyOrBuilder() { + if (testConsoleKeyBuilder_ != null) { + return testConsoleKeyBuilder_.getMessageOrBuilder(); } else { - return oauth2_ == null ? - org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance() : oauth2_; + return testConsoleKey_ == null ? 
+ org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance() : testConsoleKey_; } } /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ private com.google.protobuf.SingleFieldBuilderV3< - org.wso2.apk.enforcer.discovery.api.Oauth2, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder, org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder> - getOauth2FieldBuilder() { - if (oauth2Builder_ == null) { - oauth2Builder_ = new com.google.protobuf.SingleFieldBuilderV3< - org.wso2.apk.enforcer.discovery.api.Oauth2, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder, org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder>( - getOauth2(), + org.wso2.apk.enforcer.discovery.api.TestConsoleKey, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder, org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder> + getTestConsoleKeyFieldBuilder() { + if (testConsoleKeyBuilder_ == null) { + testConsoleKeyBuilder_ = new com.google.protobuf.SingleFieldBuilderV3< + org.wso2.apk.enforcer.discovery.api.TestConsoleKey, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder, org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder>( + getTestConsoleKey(), getParentForChildren(), isClean()); - oauth2_ = null; + testConsoleKey_ = null; } - return oauth2Builder_; + return testConsoleKeyBuilder_; } @java.lang.Override public final Builder setUnknownFields( diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java index 110ea4c81..047efca17 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationOrBuilder.java 
@@ -57,17 +57,17 @@ org.wso2.apk.enforcer.discovery.api.APIKeyOrBuilder getApikeyOrBuilder( int index); /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; - * @return Whether the oauth2 field is set. + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * @return Whether the testConsoleKey field is set. */ - boolean hasOauth2(); + boolean hasTestConsoleKey(); /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; - * @return The oauth2. + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; + * @return The testConsoleKey. */ - org.wso2.apk.enforcer.discovery.api.Oauth2 getOauth2(); + org.wso2.apk.enforcer.discovery.api.TestConsoleKey getTestConsoleKey(); /** - * .wso2.discovery.api.Oauth2 Oauth2 = 4; + * .wso2.discovery.api.TestConsoleKey testConsoleKey = 4; */ - org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder getOauth2OrBuilder(); + org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder getTestConsoleKeyOrBuilder(); } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java index 9c112c460..29ece1c09 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/APIAuthenticationProto.java 
@@ -25,15 +25,15 @@ public static void registerAllExtensions( com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internal_static_wso2_discovery_api_JWT_fieldAccessorTable; static final com.google.protobuf.Descriptors.Descriptor - internal_static_wso2_discovery_api_Oauth2_descriptor; + internal_static_wso2_discovery_api_APIAuthentication_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable - internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable; + internal_static_wso2_discovery_api_APIAuthentication_fieldAccessorTable; static final com.google.protobuf.Descriptors.Descriptor - internal_static_wso2_discovery_api_APIAuthentication_descriptor; + internal_static_wso2_discovery_api_TestConsoleKey_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable - internal_static_wso2_discovery_api_APIAuthentication_fieldAccessorTable; + internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable; public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { 
@@ -46,17 +46,18 @@ public static void registerAllExtensions( "\n+wso2/discovery/api/api_authentication." + "proto\022\022wso2.discovery.api\"?\n\006APIKey\022\014\n\004n" + "ame\030\001 \001(\t\022\n\n\002in\030\002 \001(\t\022\033\n\023sendTokenToUpst" + - "ream\030\003 \001(\010\"D\n\003JWT\022\016\n\006header\030\001 \001(\t\022\033\n\023sen" + - "dTokenToUpstream\030\002 \001(\010\022\020\n\010audience\030\003 \003(\t" + - "\"5\n\006Oauth2\022\016\n\006header\030\001 \001(\t\022\033\n\023sendTokenT" + - "oUpstream\030\002 \001(\010\"\243\001\n\021APIAuthentication\022\020\n" + - "\010disabled\030\001 \001(\010\022$\n\003jwt\030\002 \001(\0132\027.wso2.disc" + - "overy.api.JWT\022*\n\006apikey\030\003 \003(\0132\032.wso2.dis" + - "covery.api.APIKey\022*\n\006Oauth2\030\004 \001(\0132\032.wso2" + - ".discovery.api.Oauth2B~\n#org.wso2.apk.en" + - "forcer.discovery.apiB\026APIAuthenticationP" + - "rotoP\001Z=github.com/envoyproxy/go-control" + - "-plane/wso2/discovery/api;apib\006proto3" + "ream\030\003 \001(\010\"2\n\003JWT\022\016\n\006header\030\001 \001(\t\022\033\n\023sen" + + "dTokenToUpstream\030\002 \001(\010\"\263\001\n\021APIAuthentica" + + "tion\022\020\n\010disabled\030\001 \001(\010\022$\n\003jwt\030\002 \001(\0132\027.ws" + + "o2.discovery.api.JWT\022*\n\006apikey\030\003 \003(\0132\032.w" + + "so2.discovery.api.APIKey\022:\n\016testConsoleK" + + "ey\030\004 \001(\0132\".wso2.discovery.api.TestConsol" + + "eKey\"=\n\016TestConsoleKey\022\016\n\006header\030\001 \001(\t\022\033" + + "\n\023sendTokenToUpstream\030\002 \001(\010B~\n#org.wso2." + + "apk.enforcer.discovery.apiB\026APIAuthentic" + + "ationProtoP\001Z=github.com/envoyproxy/go-c" + + "ontrol-plane/wso2/discovery/api;apib\006pro" + + "to3" }; descriptor = com.google.protobuf.Descriptors.FileDescriptor .internalBuildGeneratedFileFrom(descriptorData, 
@@ -73,19 +74,19 @@ public static void registerAllExtensions( internal_static_wso2_discovery_api_JWT_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_wso2_discovery_api_JWT_descriptor, - new java.lang.String[] { "Header", "SendTokenToUpstream", "Audience", }); - internal_static_wso2_discovery_api_Oauth2_descriptor = - getDescriptor().getMessageTypes().get(2); - internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable = new - com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( - internal_static_wso2_discovery_api_Oauth2_descriptor, new java.lang.String[] { "Header", "SendTokenToUpstream", }); internal_static_wso2_discovery_api_APIAuthentication_descriptor = - getDescriptor().getMessageTypes().get(3); + getDescriptor().getMessageTypes().get(2); internal_static_wso2_discovery_api_APIAuthentication_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_wso2_discovery_api_APIAuthentication_descriptor, - new java.lang.String[] { "Disabled", "Jwt", "Apikey", "Oauth2", }); + new java.lang.String[] { "Disabled", "Jwt", "Apikey", "TestConsoleKey", }); + internal_static_wso2_discovery_api_TestConsoleKey_descriptor = + getDescriptor().getMessageTypes().get(3); + internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable = new + com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( + internal_static_wso2_discovery_api_TestConsoleKey_descriptor, + new java.lang.String[] { "Header", "SendTokenToUpstream", }); } // @@protoc_insertion_point(outer_class_scope) diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java index fa94ed063..e1f5fa246 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java 
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWT.java @@ -17,7 +17,6 @@ private JWT(com.google.protobuf.GeneratedMessageV3.Builder builder) { } private JWT() { header_ = ""; - audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; } @java.lang.Override @@ -40,7 +39,6 @@ private JWT( if (extensionRegistry == null) { throw new java.lang.NullPointerException(); } - int mutable_bitField0_ = 0; com.google.protobuf.UnknownFieldSet.Builder unknownFields = com.google.protobuf.UnknownFieldSet.newBuilder(); try { @@ -62,15 +60,6 @@ private JWT( sendTokenToUpstream_ = input.readBool(); break; } - case 26: { - java.lang.String s = input.readStringRequireUtf8(); - if (!((mutable_bitField0_ & 0x00000001) != 0)) { - audience_ = new com.google.protobuf.LazyStringArrayList(); - mutable_bitField0_ |= 0x00000001; - } - audience_.add(s); - break; - } default: { if (!parseUnknownField( input, unknownFields, extensionRegistry, tag)) { @@ -86,9 +75,6 @@ private JWT( throw new com.google.protobuf.InvalidProtocolBufferException( e).setUnfinishedMessage(this); } finally { - if (((mutable_bitField0_ & 0x00000001) != 0)) { - audience_ = audience_.getUnmodifiableView(); - } this.unknownFields = unknownFields.build(); makeExtensionsImmutable(); } 
@@ -167,41 +153,6 @@ public boolean getSendTokenToUpstream() { return sendTokenToUpstream_; } - public static final int AUDIENCE_FIELD_NUMBER = 3; - private com.google.protobuf.LazyStringList audience_; - /** - * repeated string audience = 3; - * @return A list containing the audience. - */ - public com.google.protobuf.ProtocolStringList - getAudienceList() { - return audience_; - } - /** - * repeated string audience = 3; - * @return The count of audience. - */ - public int getAudienceCount() { - return audience_.size(); - } - /** - * repeated string audience = 3; - * @param index The index of the element to return. - * @return The audience at the given index. - */ - public java.lang.String getAudience(int index) { - return audience_.get(index); - } - /** - * repeated string audience = 3; - * @param index The index of the value to return. - * @return The bytes of the audience at the given index. - */ - public com.google.protobuf.ByteString - getAudienceBytes(int index) { - return audience_.getByteString(index); - } - private byte memoizedIsInitialized = -1; @java.lang.Override public final boolean isInitialized() { @@ -222,9 +173,6 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) if (sendTokenToUpstream_ != false) { output.writeBool(2, sendTokenToUpstream_); } - for (int i = 0; i < audience_.size(); i++) { - com.google.protobuf.GeneratedMessageV3.writeString(output, 3, audience_.getRaw(i)); - } unknownFields.writeTo(output); } @@ -241,14 +189,6 @@ public int getSerializedSize() { size += com.google.protobuf.CodedOutputStream .computeBoolSize(2, sendTokenToUpstream_); } - { - int dataSize = 0; - for (int i = 0; i < audience_.size(); i++) { - dataSize += computeStringSizeNoTag(audience_.getRaw(i)); - } - size += dataSize; - size += 1 * getAudienceList().size(); - } size += unknownFields.getSerializedSize(); memoizedSize = size; return size; 
@@ -268,8 +208,6 @@ public boolean equals(final java.lang.Object obj) { .equals(other.getHeader())) return false; if (getSendTokenToUpstream() != other.getSendTokenToUpstream()) return false; - if (!getAudienceList() - .equals(other.getAudienceList())) return false; if (!unknownFields.equals(other.unknownFields)) return false; return true; } @@ -286,10 +224,6 @@ public int hashCode() { hash = (37 * hash) + SENDTOKENTOUPSTREAM_FIELD_NUMBER; hash = (53 * hash) + com.google.protobuf.Internal.hashBoolean( getSendTokenToUpstream()); - if (getAudienceCount() > 0) { - hash = (37 * hash) + AUDIENCE_FIELD_NUMBER; - hash = (53 * hash) + getAudienceList().hashCode(); - } hash = (29 * hash) + unknownFields.hashCode(); memoizedHashCode = hash; return hash; @@ -427,8 +361,6 @@ public Builder clear() { sendTokenToUpstream_ = false; - audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000001); return this; } @@ -455,14 +387,8 @@ public org.wso2.apk.enforcer.discovery.api.JWT build() { @java.lang.Override public org.wso2.apk.enforcer.discovery.api.JWT buildPartial() { org.wso2.apk.enforcer.discovery.api.JWT result = new org.wso2.apk.enforcer.discovery.api.JWT(this); - int from_bitField0_ = bitField0_; result.header_ = header_; result.sendTokenToUpstream_ = sendTokenToUpstream_; - if (((bitField0_ & 0x00000001) != 0)) { - audience_ = audience_.getUnmodifiableView(); - bitField0_ = (bitField0_ & ~0x00000001); - } - result.audience_ = audience_; onBuilt(); return result; } 
@@ -518,16 +444,6 @@ public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.JWT other) { if (other.getSendTokenToUpstream() != false) { setSendTokenToUpstream(other.getSendTokenToUpstream()); } - if (!other.audience_.isEmpty()) { - if (audience_.isEmpty()) { - audience_ = other.audience_; - bitField0_ = (bitField0_ & ~0x00000001); - } else { - ensureAudienceIsMutable(); - audience_.addAll(other.audience_); - } - onChanged(); - } this.mergeUnknownFields(other.unknownFields); onChanged(); return this; @@ -556,7 +472,6 @@ public Builder mergeFrom( } return this; } - private int bitField0_; private java.lang.Object header_ = ""; /** 
@@ -696,116 +611,6 @@ public Builder clearSendTokenToUpstream() { onChanged(); return this; } - - private com.google.protobuf.LazyStringList audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; - private void ensureAudienceIsMutable() { - if (!((bitField0_ & 0x00000001) != 0)) { - audience_ = new com.google.protobuf.LazyStringArrayList(audience_); - bitField0_ |= 0x00000001; - } - } - /** - * repeated string audience = 3; - * @return A list containing the audience. - */ - public com.google.protobuf.ProtocolStringList - getAudienceList() { - return audience_.getUnmodifiableView(); - } - /** - * repeated string audience = 3; - * @return The count of audience. - */ - public int getAudienceCount() { - return audience_.size(); - } - /** - * repeated string audience = 3; - * @param index The index of the element to return. - * @return The audience at the given index. - */ - public java.lang.String getAudience(int index) { - return audience_.get(index); - } - /** - * repeated string audience = 3; - * @param index The index of the value to return. - * @return The bytes of the audience at the given index. - */ - public com.google.protobuf.ByteString - getAudienceBytes(int index) { - return audience_.getByteString(index); - } - /** - * repeated string audience = 3; - * @param index The index to set the value at. - * @param value The audience to set. - * @return This builder for chaining. - */ - public Builder setAudience( - int index, java.lang.String value) { - if (value == null) { - throw new NullPointerException(); - } - ensureAudienceIsMutable(); - audience_.set(index, value); - onChanged(); - return this; - } - /** - * repeated string audience = 3; - * @param value The audience to add. - * @return This builder for chaining. 
- */ - public Builder addAudience( - java.lang.String value) { - if (value == null) { - throw new NullPointerException(); - } - ensureAudienceIsMutable(); - audience_.add(value); - onChanged(); - return this; - } - /** - * repeated string audience = 3; - * @param values The audience to add. - * @return This builder for chaining. - */ - public Builder addAllAudience( - java.lang.Iterable values) { - ensureAudienceIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll( - values, audience_); - onChanged(); - return this; - } - /** - * repeated string audience = 3; - * @return This builder for chaining. - */ - public Builder clearAudience() { - audience_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000001); - onChanged(); - return this; - } - /** - * repeated string audience = 3; - * @param value The bytes of the audience to add. - * @return This builder for chaining. - */ - public Builder addAudienceBytes( - com.google.protobuf.ByteString value) { - if (value == null) { - throw new NullPointerException(); - } - checkByteStringIsUtf8(value); - ensureAudienceIsMutable(); - audience_.add(value); - onChanged(); - return this; - } @java.lang.Override public final Builder setUnknownFields( final com.google.protobuf.UnknownFieldSet unknownFields) { diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java index 0b1220acc..3b1eee4ba 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/JWTOrBuilder.java 
@@ -36,29 +36,4 @@ public interface JWTOrBuilder extends * @return The sendTokenToUpstream. */ boolean getSendTokenToUpstream(); - - /** - * repeated string audience = 3; - * @return A list containing the audience. - */ - java.util.List - getAudienceList(); - /** - * repeated string audience = 3; - * @return The count of audience. - */ - int getAudienceCount(); - /** - * repeated string audience = 3; - * @param index The index of the element to return. - * @return The audience at the given index. - */ - java.lang.String getAudience(int index); - /** - * repeated string audience = 3; - * @param index The index of the value to return. - * @return The bytes of the audience at the given index. - */ - com.google.protobuf.ByteString - getAudienceBytes(int index); } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2OrBuilder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2OrBuilder.java deleted file mode 100644 index 1c8bd7ce7..000000000 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2OrBuilder.java +++ /dev/null @@ -1,39 +0,0 @@ -// Generated by the protocol buffer compiler. DO NOT EDIT! -// source: wso2/discovery/api/api_authentication.proto - -package org.wso2.apk.enforcer.discovery.api; - -public interface Oauth2OrBuilder extends - // @@protoc_insertion_point(interface_extends:wso2.discovery.api.Oauth2) - com.google.protobuf.MessageOrBuilder { - - /** - *
-   * name of the header containing the JWT
-   * 
- * - * string header = 1; - * @return The header. - */ - java.lang.String getHeader(); - /** - *
-   * name of the header containing the JWT
-   * 
- * - * string header = 1; - * @return The bytes for header. - */ - com.google.protobuf.ByteString - getHeaderBytes(); - - /** - *
-   * send the token to upstream
-   * 
- * - * bool sendTokenToUpstream = 2; - * @return The sendTokenToUpstream. - */ - boolean getSendTokenToUpstream(); -} diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/TestConsoleKey.java similarity index 78% rename from gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2.java rename to gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/TestConsoleKey.java index e90bb7414..987c16fb5 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/Oauth2.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/api/TestConsoleKey.java @@ -4,18 +4,18 @@ package org.wso2.apk.enforcer.discovery.api; /** - * Protobuf type {@code wso2.discovery.api.Oauth2} + * Protobuf type {@code wso2.discovery.api.TestConsoleKey} */ -public final class Oauth2 extends +public final class TestConsoleKey extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:wso2.discovery.api.Oauth2) - Oauth2OrBuilder { + // @@protoc_insertion_point(message_implements:wso2.discovery.api.TestConsoleKey) + TestConsoleKeyOrBuilder { private static final long serialVersionUID = 0L; - // Use Oauth2.newBuilder() to construct. - private Oauth2(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use TestConsoleKey.newBuilder() to construct. + private TestConsoleKey(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private Oauth2() { + private TestConsoleKey() { header_ = ""; } @@ -23,7 +23,7 @@ private Oauth2() { @SuppressWarnings({"unused"}) protected java.lang.Object newInstance( UnusedPrivateParameter unused) { - return new Oauth2(); + return new TestConsoleKey(); } @java.lang.Override 
@@ -31,7 +31,7 @@ protected java.lang.Object newInstance( getUnknownFields() { return this.unknownFields; } - private Oauth2( + private TestConsoleKey( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { @@ -81,22 +81,22 @@ private Oauth2( } public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_descriptor; + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable .ensureFieldAccessorsInitialized( - org.wso2.apk.enforcer.discovery.api.Oauth2.class, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder.class); + org.wso2.apk.enforcer.discovery.api.TestConsoleKey.class, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder.class); } public static final int HEADER_FIELD_NUMBER = 1; private volatile java.lang.Object header_; /** *
-   * name of the header containing the JWT
+   * name of the header containing the test key
    * 
* * string header = 1; @@ -117,7 +117,7 @@ public java.lang.String getHeader() { } /** *
-   * name of the header containing the JWT
+   * name of the header containing the test key
    * 
* * string header = 1; @@ -199,10 +199,10 @@ public boolean equals(final java.lang.Object obj) { if (obj == this) { return true; } - if (!(obj instanceof org.wso2.apk.enforcer.discovery.api.Oauth2)) { + if (!(obj instanceof org.wso2.apk.enforcer.discovery.api.TestConsoleKey)) { return super.equals(obj); } - org.wso2.apk.enforcer.discovery.api.Oauth2 other = (org.wso2.apk.enforcer.discovery.api.Oauth2) obj; + org.wso2.apk.enforcer.discovery.api.TestConsoleKey other = (org.wso2.apk.enforcer.discovery.api.TestConsoleKey) obj; if (!getHeader() .equals(other.getHeader())) return false; 
@@ -229,69 +229,69 @@ public int hashCode() { return hash; } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom(byte[] data) + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom(java.io.InputStream 
input) + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseWithIOException(PARSER, input); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseWithIOException(PARSER, input, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseDelimitedFrom(java.io.InputStream input) + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseDelimitedWithIOException(PARSER, input); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseDelimitedFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseDelimitedWithIOException(PARSER, input, extensionRegistry); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3 .parseWithIOException(PARSER, input); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { 
@@ -304,7 +304,7 @@ public static org.wso2.apk.enforcer.discovery.api.Oauth2 parseFrom( public static Builder newBuilder() { return DEFAULT_INSTANCE.toBuilder(); } - public static Builder newBuilder(org.wso2.apk.enforcer.discovery.api.Oauth2 prototype) { + public static Builder newBuilder(org.wso2.apk.enforcer.discovery.api.TestConsoleKey prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @java.lang.Override 
@@ -320,26 +320,26 @@ protected Builder newBuilderForType( return builder; } /** - * Protobuf type {@code wso2.discovery.api.Oauth2} + * Protobuf type {@code wso2.discovery.api.TestConsoleKey} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:wso2.discovery.api.Oauth2) - org.wso2.apk.enforcer.discovery.api.Oauth2OrBuilder { + // @@protoc_insertion_point(builder_implements:wso2.discovery.api.TestConsoleKey) + org.wso2.apk.enforcer.discovery.api.TestConsoleKeyOrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_descriptor; + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_fieldAccessorTable + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_fieldAccessorTable .ensureFieldAccessorsInitialized( - org.wso2.apk.enforcer.discovery.api.Oauth2.class, org.wso2.apk.enforcer.discovery.api.Oauth2.Builder.class); + org.wso2.apk.enforcer.discovery.api.TestConsoleKey.class, org.wso2.apk.enforcer.discovery.api.TestConsoleKey.Builder.class); } - // Construct using org.wso2.apk.enforcer.discovery.api.Oauth2.newBuilder() + // Construct using org.wso2.apk.enforcer.discovery.api.TestConsoleKey.newBuilder() private Builder() { maybeForceBuilderInitialization(); } 
@@ -367,17 +367,17 @@ public Builder clear() { @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { - return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_Oauth2_descriptor; + return org.wso2.apk.enforcer.discovery.api.APIAuthenticationProto.internal_static_wso2_discovery_api_TestConsoleKey_descriptor; } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.Oauth2 getDefaultInstanceForType() { - return org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance(); + public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getDefaultInstanceForType() { + return org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance(); } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.Oauth2 build() { - org.wso2.apk.enforcer.discovery.api.Oauth2 result = buildPartial(); + public org.wso2.apk.enforcer.discovery.api.TestConsoleKey build() { + org.wso2.apk.enforcer.discovery.api.TestConsoleKey result = buildPartial(); if (!result.isInitialized()) { throw newUninitializedMessageException(result); } @@ -385,8 +385,8 @@ public org.wso2.apk.enforcer.discovery.api.Oauth2 build() { } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.Oauth2 buildPartial() { - org.wso2.apk.enforcer.discovery.api.Oauth2 result = new org.wso2.apk.enforcer.discovery.api.Oauth2(this); + public org.wso2.apk.enforcer.discovery.api.TestConsoleKey buildPartial() { + org.wso2.apk.enforcer.discovery.api.TestConsoleKey result = new org.wso2.apk.enforcer.discovery.api.TestConsoleKey(this); result.header_ = header_; result.sendTokenToUpstream_ = sendTokenToUpstream_; onBuilt(); 
@@ -427,16 +427,16 @@ public Builder addRepeatedField( } @java.lang.Override public Builder mergeFrom(com.google.protobuf.Message other) { - if (other instanceof org.wso2.apk.enforcer.discovery.api.Oauth2) { - return mergeFrom((org.wso2.apk.enforcer.discovery.api.Oauth2)other); + if (other instanceof org.wso2.apk.enforcer.discovery.api.TestConsoleKey) { + return mergeFrom((org.wso2.apk.enforcer.discovery.api.TestConsoleKey)other); } else { super.mergeFrom(other); return this; } } - public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.Oauth2 other) { - if (other == org.wso2.apk.enforcer.discovery.api.Oauth2.getDefaultInstance()) return this; + public Builder mergeFrom(org.wso2.apk.enforcer.discovery.api.TestConsoleKey other) { + if (other == org.wso2.apk.enforcer.discovery.api.TestConsoleKey.getDefaultInstance()) return this; if (!other.getHeader().isEmpty()) { header_ = other.header_; onChanged(); @@ -459,11 +459,11 @@ public Builder mergeFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { - org.wso2.apk.enforcer.discovery.api.Oauth2 parsedMessage = null; + org.wso2.apk.enforcer.discovery.api.TestConsoleKey parsedMessage = null; try { parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry); } catch (com.google.protobuf.InvalidProtocolBufferException e) { - parsedMessage = (org.wso2.apk.enforcer.discovery.api.Oauth2) e.getUnfinishedMessage(); + parsedMessage = (org.wso2.apk.enforcer.discovery.api.TestConsoleKey) e.getUnfinishedMessage(); throw e.unwrapIOException(); } finally { if (parsedMessage != null) { @@ -476,7 +476,7 @@ public Builder mergeFrom( private java.lang.Object header_ = ""; /** *
-     * name of the header containing the JWT
+     * name of the header containing the test key
      * 
* * string header = 1; @@ -496,7 +496,7 @@ public java.lang.String getHeader() { } /** *
-     * name of the header containing the JWT
+     * name of the header containing the test key
      * 
* * string header = 1; @@ -517,7 +517,7 @@ public java.lang.String getHeader() { } /** *
-     * name of the header containing the JWT
+     * name of the header containing the test key
      * 
* * string header = 1; @@ -536,7 +536,7 @@ public Builder setHeader( } /** *
-     * name of the header containing the JWT
+     * name of the header containing the test key
      * 
* * string header = 1; @@ -550,7 +550,7 @@ public Builder clearHeader() { } /** *
-     * name of the header containing the JWT
+     * name of the header containing the test key
      * 
* * string header = 1; @@ -624,41 +624,41 @@ public final Builder mergeUnknownFields( } - // @@protoc_insertion_point(builder_scope:wso2.discovery.api.Oauth2) + // @@protoc_insertion_point(builder_scope:wso2.discovery.api.TestConsoleKey) } - // @@protoc_insertion_point(class_scope:wso2.discovery.api.Oauth2) - private static final org.wso2.apk.enforcer.discovery.api.Oauth2 DEFAULT_INSTANCE; + // @@protoc_insertion_point(class_scope:wso2.discovery.api.TestConsoleKey) + private static final org.wso2.apk.enforcer.discovery.api.TestConsoleKey DEFAULT_INSTANCE; static { - DEFAULT_INSTANCE = new org.wso2.apk.enforcer.discovery.api.Oauth2(); + DEFAULT_INSTANCE = new org.wso2.apk.enforcer.discovery.api.TestConsoleKey(); } - public static org.wso2.apk.enforcer.discovery.api.Oauth2 getDefaultInstance() { + public static org.wso2.apk.enforcer.discovery.api.TestConsoleKey getDefaultInstance() { return DEFAULT_INSTANCE; } - private static final com.google.protobuf.Parser - PARSER = new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser + PARSER = new com.google.protobuf.AbstractParser() { @java.lang.Override - public Oauth2 parsePartialFrom( + public TestConsoleKey parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { - return new Oauth2(input, extensionRegistry); + return new TestConsoleKey(input, extensionRegistry); } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public org.wso2.apk.enforcer.discovery.api.Oauth2 getDefaultInstanceForType() { + public org.wso2.apk.enforcer.discovery.api.TestConsoleKey getDefaultInstanceForType() { return DEFAULT_INSTANCE; } 
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java index dcfa4dbf1..4771be009 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java @@ -32,8 +32,8 @@ import org.wso2.apk.enforcer.constants.APIConstants; import org.wso2.apk.enforcer.constants.InterceptorConstants; import org.wso2.apk.enforcer.security.jwt.APIKeyAuthenticator; +import org.wso2.apk.enforcer.security.jwt.InternalAPIKeyAuthenticator; import org.wso2.apk.enforcer.security.jwt.JWTAuthenticator; -import org.wso2.apk.enforcer.security.jwt.Oauth2Authenticator; import org.wso2.apk.enforcer.security.jwt.UnsecuredAPIAuthenticator; import org.wso2.apk.enforcer.security.mtls.MTLSAuthenticator; import org.wso2.apk.enforcer.util.FilterUtils; 
@@ -91,13 +91,13 @@ private void initializeAuthenticators(APIConfig apiConfig) { boolean isGatewayTokenCacheEnabled = enforcerConfig.getCacheDto().isEnabled(); JWTConfigurationDto jwtConfigurationDto = apiConfig.getJwtConfigurationDto(); - Authenticator oauthAuthenticator = new Oauth2Authenticator(jwtConfigurationDto, isGatewayTokenCacheEnabled); - authenticators.add(oauthAuthenticator); + Authenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, isGatewayTokenCacheEnabled); + authenticators.add(jwtAuthenticator); APIKeyAuthenticator apiKeyAuthenticator = new APIKeyAuthenticator(jwtConfigurationDto); authenticators.add(apiKeyAuthenticator); - Authenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, isGatewayTokenCacheEnabled); - authenticators.add(jwtAuthenticator); + Authenticator authenticator = new InternalAPIKeyAuthenticator(jwtConfigurationDto); + authenticators.add(authenticator); Authenticator unsecuredAPIAuthenticator = new UnsecuredAPIAuthenticator(); authenticators.add(unsecuredAPIAuthenticator); 
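Review bot: The local name `authenticator` in the added line `Authenticator authenticator = new InternalAPIKeyAuthenticator(jwtConfigurationDto);` says nothing about which authenticator it holds, while its neighbours are `jwtAuthenticator`, `apiKeyAuthenticator` and `unsecuredAPIAuthenticator`; `Authenticator internalAPIKeyAuthenticator = new InternalAPIKeyAuthenticator(jwtConfigurationDto);` would follow the convention already used in this method. The JWT authenticator is handed `isGatewayTokenCacheEnabled` explicitly whereas the internal-key authenticator receives only the JWT configuration and, judging by its constructor elsewhere in this patch, re-reads the cache flag from `ConfigHolder` itself; a one-line comment at the construction site noting that asymmetry would save the next reader a lookup. initializeAuthenticators continues outside the hunk.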
@@ -263,18 +263,17 @@ private void setInterceptorAPIMetadata(RequestContext requestContext) { private void populateRemoveAndProtectedAuthHeaders(RequestContext requestContext) { requestContext.getMatchedResourcePaths().forEach(resourcePath -> { - Oauth2AuthenticationConfig oauth2AuthenticationConfig = resourcePath.getAuthenticationConfig() - .getOauth2AuthenticationConfig(); JWTAuthenticationConfig jwtAuthenticationConfig = resourcePath.getAuthenticationConfig() .getJwtAuthenticationConfig(); + InternalKeyConfig internalKeyConfig = resourcePath.getAuthenticationConfig().getInternalKeyConfig(); List apiKeyAuthenticationConfig = resourcePath.getAuthenticationConfig() .getApiKeyAuthenticationConfigs(); - if (oauth2AuthenticationConfig != null && !oauth2AuthenticationConfig.isSendTokenToUpstream()) { - requestContext.getRemoveHeaders().add(oauth2AuthenticationConfig.getHeader()); - } if (jwtAuthenticationConfig != null && !jwtAuthenticationConfig.isSendTokenToUpstream()) { requestContext.getRemoveHeaders().add(jwtAuthenticationConfig.getHeader()); } + if (internalKeyConfig != null && !internalKeyConfig.isSendTokenToUpstream()) { + requestContext.getRemoveHeaders().add(internalKeyConfig.getHeader()); + } if (apiKeyAuthenticationConfig != null && !apiKeyAuthenticationConfig.isEmpty()) { requestContext.getQueryParamsToRemove().addAll(apiKeyAuthenticationConfig.stream() .filter(apiKeyAuthenticationConfig1 -> !apiKeyAuthenticationConfig1.isSendTokenToUpstream() diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java new file mode 100644 index 000000000..54fa21740 --- /dev/null +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/InternalAPIKeyAuthenticator.java 
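Review bot: The new `internalKeyConfig` guard repeats the `jwtAuthenticationConfig` guard directly above it line for line, so the method now carries two copies of the same "drop the credential header unless sendTokenToUpstream" rule; a small private helper along the lines of `addHeaderToRemoveIfNotForwarded(requestContext, config.getHeader(), config.isSendTokenToUpstream())` would keep them in step as further key types are added. Whether `getHeader()` can be blank for an enabled config is not visible here; if it can, that helper is also the natural place to skip blank names instead of adding them to `getRemoveHeaders()`. populateRemoveAndProtectedAuthHeaders ends outside the hunk.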
@@ -0,0 +1,312 @@ +/* + * Copyright (c) 2021, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.apk.enforcer.security.jwt; + +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.jwt.SignedJWT; +import io.opentelemetry.context.Scope; +import net.minidev.json.JSONObject; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.logging.log4j.ThreadContext; +import org.wso2.apk.enforcer.common.CacheProviderUtil; +import org.wso2.apk.enforcer.commons.dto.JWTConfigurationDto; +import org.wso2.apk.enforcer.commons.dto.JWTInfoDto; +import org.wso2.apk.enforcer.commons.dto.JWTValidationInfo; +import org.wso2.apk.enforcer.commons.exception.APISecurityException; +import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; +import org.wso2.apk.enforcer.commons.logging.ErrorDetails; +import org.wso2.apk.enforcer.commons.logging.LoggingConstants; +import org.wso2.apk.enforcer.commons.model.AuthenticationContext; +import org.wso2.apk.enforcer.commons.model.InternalKeyConfig; +import org.wso2.apk.enforcer.commons.model.RequestContext; +import org.wso2.apk.enforcer.config.ConfigHolder; +import org.wso2.apk.enforcer.config.EnforcerConfig; +import org.wso2.apk.enforcer.config.dto.APIKeyIssuerDto; +import org.wso2.apk.enforcer.constants.APIConstants; +import 
org.wso2.apk.enforcer.constants.APISecurityConstants; +import org.wso2.apk.enforcer.dto.APIKeyValidationInfoDTO; +import org.wso2.apk.enforcer.dto.JWTTokenPayloadInfo; +import org.wso2.apk.enforcer.tracing.TracingConstants; +import org.wso2.apk.enforcer.tracing.TracingSpan; +import org.wso2.apk.enforcer.tracing.TracingTracer; +import org.wso2.apk.enforcer.tracing.Utils; +import org.wso2.apk.enforcer.util.BackendJwtUtils; +import org.wso2.apk.enforcer.util.FilterUtils; + +import java.text.ParseException; + +/** + * Implements the authenticator interface to authenticate request using an Internal Key. + */ +public class InternalAPIKeyAuthenticator extends APIKeyHandler { + + private static final Logger log = LogManager.getLogger(InternalAPIKeyAuthenticator.class); + + private AbstractAPIMgtGatewayJWTGenerator jwtGenerator; + private final boolean isGatewayTokenCacheEnabled; + + public InternalAPIKeyAuthenticator(final JWTConfigurationDto jwtConfigurationDto) { + + EnforcerConfig enforcerConfig = ConfigHolder.getInstance().getConfig(); + this.isGatewayTokenCacheEnabled = enforcerConfig.getCacheDto().isEnabled(); + if (jwtConfigurationDto.isEnabled()) { + this.jwtGenerator = BackendJwtUtils.getApiMgtGatewayJWTGenerator(jwtConfigurationDto); + } + } + + @Override + public boolean canAuthenticate(RequestContext requestContext) { + + InternalKeyConfig internalKeyConfig = requestContext.getMatchedResourcePaths().get(0) + .getAuthenticationConfig().getInternalKeyConfig(); + if (internalKeyConfig != null) { + String internalKey = requestContext.getHeaders().get(internalKeyConfig.getHeader()); + return isAPIKey(internalKey); + } + return false; + } + + @Override + public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException { + + TracingTracer tracer = null; + TracingSpan apiKeyAuthenticatorSpan = null; + Scope apiKeyAuthenticatorSpanScope = null; + TracingSpan apiKeyValidateSubscriptionSpan = null; + TracingSpan verifyTokenInCacheSpan = 
null; + TracingSpan verifyTokenWithoutCacheSpan = null; + + if (requestContext.getMatchedAPI() != null) { + log.debug("Internal Key Authentication initialized"); + + try { + if (Utils.tracingEnabled()) { + tracer = Utils.getGlobalTracer(); + apiKeyAuthenticatorSpan = Utils.startSpan(TracingConstants.API_KEY_AUTHENTICATOR_SPAN, tracer); + apiKeyAuthenticatorSpanScope = apiKeyAuthenticatorSpan.getSpan().makeCurrent(); + Utils.setTag(apiKeyAuthenticatorSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + // Extract internal from the request while removing it from the msg context. + String internalKey = requestContext.getHeaders().get(requestContext.getMatchedResourcePaths().get(0) + .getAuthenticationConfig().getInternalKeyConfig().getHeader()); + + String[] splitToken = internalKey.split("\\."); + SignedJWT signedJWT = SignedJWT.parse(internalKey); + JWTClaimsSet payload = signedJWT.getJWTClaimsSet(); + + // Check if the decoded header contains type as 'InternalKey'. + if (!isInternalKey(payload)) { + log.error("Invalid Internal Key token type. " + FilterUtils.getMaskedToken(splitToken[0])); + // To provide support for API keys. If internal key name's header name value changed similar + // to the API key header name this will enable that support. + AuthenticationContext authenticationContext = new AuthenticationContext(); + authenticationContext.setAuthenticated(false); + + // We check the type before verifying the signature. In case the type was incorrect but also not an + // API key, this will throw a NPE at RestAPI class setStatusCode method. This prevents it. 
+ FilterUtils.setUnauthenticatedErrorToContext(requestContext); + return authenticationContext; + } + + String tokenIdentifier = payload.getJWTID(); + + checkInRevokedMap(tokenIdentifier, splitToken); + + String apiVersion = requestContext.getMatchedAPI().getVersion(); + String apiContext = requestContext.getMatchedAPI().getBasePath(); + String organization = requestContext.getMatchedAPI().getOrganizationId(); + // Verify token when it is found in cache + JWTTokenPayloadInfo jwtTokenPayloadInfo = (JWTTokenPayloadInfo) + CacheProviderUtil.getOrganizationCache(organization).getGatewayInternalKeyDataCache().getIfPresent(tokenIdentifier); + + boolean isVerified = isVerifiedApiKeyInCache(tokenIdentifier, internalKey, payload, splitToken, + "InternalKey", jwtTokenPayloadInfo, organization); + Scope verifyTokenInCacheSpanScope = null; + if (jwtTokenPayloadInfo != null) { + if (Utils.tracingEnabled()) { + verifyTokenInCacheSpan = Utils.startSpan(TracingConstants.VERIFY_TOKEN_IN_CACHE_SPAN, tracer); + verifyTokenInCacheSpanScope = verifyTokenInCacheSpan.getSpan().makeCurrent(); + Utils.setTag(verifyTokenInCacheSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + String cachedToken = jwtTokenPayloadInfo.getAccessToken(); + isVerified = cachedToken.equals(internalKey) && !isJwtTokenExpired(payload, "InternalKey", + organization); + if (Utils.tracingEnabled()) { + verifyTokenInCacheSpanScope.close(); + Utils.finishSpan(verifyTokenInCacheSpan); + } + } else if (CacheProviderUtil.getOrganizationCache(organization).getInvalidGatewayInternalKeyCache().getIfPresent(tokenIdentifier) != null + && internalKey + .equals(CacheProviderUtil.getOrganizationCache(organization).getInvalidGatewayInternalKeyCache().getIfPresent(tokenIdentifier))) { + + log.debug("Internal Key retrieved from the invalid internal Key cache. Internal Key: " + + FilterUtils.getMaskedToken(splitToken[0])); + + log.error("Invalid Internal Key. 
" + FilterUtils.getMaskedToken(splitToken[0])); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); + } + + Scope verifyTokenWithoutCacheSpanScope = null; + // Verify token when it is not found in cache + if (!isVerified) { + log.debug("Internal Key not found in the cache."); + if (Utils.tracingEnabled()) { + verifyTokenWithoutCacheSpan = Utils.startSpan(TracingConstants.VERIFY_TOKEN_SPAN, tracer); + verifyTokenWithoutCacheSpanScope = verifyTokenWithoutCacheSpan.getSpan().makeCurrent(); + Utils.setTag(verifyTokenWithoutCacheSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + try { + APIKeyIssuerDto runtimeTokenIssuerDto = + ConfigHolder.getInstance().getConfig().getRuntimeTokenIssuerDto(); + if (runtimeTokenIssuerDto != null && runtimeTokenIssuerDto.isEnabled()) { + isVerified = verifyTokenWhenNotInCache(runtimeTokenIssuerDto.getPublicCertificate(), + signedJWT, splitToken, payload, "InternalKey", organization); + } else { + // Logs an error only if Internal Keys are used. + log.error("InternalAPIKeyAuthenticator has not been properly initialized. 
{} {}", + "Empty certificate alias.", + ErrorDetails.errorLog(LoggingConstants.Severity.MAJOR, 6605)); + } + } finally { + if (Utils.tracingEnabled()) { + if (verifyTokenWithoutCacheSpanScope != null) { + verifyTokenWithoutCacheSpanScope.close(); + } + if (verifyTokenWithoutCacheSpan != null) { + Utils.finishSpan(verifyTokenWithoutCacheSpan); + } + } + } + } + + if (isVerified) { + log.debug("Internal Key signature is verified."); + + if (jwtTokenPayloadInfo == null) { + // Retrieve payload from InternalKey + log.debug("InternalKey payload not found in the cache."); + + jwtTokenPayloadInfo = new JWTTokenPayloadInfo(); + jwtTokenPayloadInfo.setPayload(payload); + jwtTokenPayloadInfo.setAccessToken(internalKey); + CacheProviderUtil.getOrganizationCache(organization).getGatewayInternalKeyDataCache().put(tokenIdentifier, jwtTokenPayloadInfo); + } + Scope apiKeyValidateSubscriptionSpanScope = null; + if (Utils.tracingEnabled()) { + apiKeyValidateSubscriptionSpan = Utils + .startSpan(TracingConstants.API_KEY_VALIDATE_SUBSCRIPTION_SPAN, tracer); + apiKeyValidateSubscriptionSpanScope = apiKeyValidateSubscriptionSpan.getSpan().makeCurrent(); + Utils.setTag(apiKeyValidateSubscriptionSpan, APIConstants.LOG_TRACE_ID, + ThreadContext.get(APIConstants.LOG_TRACE_ID)); + } + JSONObject api; // kept outside to make this reachable for methods outside the try block + try { + api = validateAPISubscription(apiContext, apiVersion, payload, splitToken, + false); + if (api != null) { + log.debug("Internal Key Authentication is successful."); + } + } finally { + log.debug("Internal Key authentication is completed."); + if (Utils.tracingEnabled()) { + apiKeyValidateSubscriptionSpanScope.close(); + Utils.finishSpan(apiKeyValidateSubscriptionSpan); + } + } + //Get APIKeyValidationInfoDTO for internal key with limited info + APIKeyValidationInfoDTO apiKeyValidationInfoDTO = getAPIKeyValidationDTO(requestContext); + + // Generate or get backend JWT + JWTConfigurationDto jwtConfigurationDto = 
ConfigHolder.getInstance(). + getConfig().getJwtConfigurationDto(); + if (jwtConfigurationDto.isEnabled()) { + JWTValidationInfo validationInfo = new JWTValidationInfo(); + validationInfo.setUser(payload.getSubject()); + JWTInfoDto jwtInfoDto = FilterUtils + .generateJWTInfoDto(null, validationInfo, apiKeyValidationInfoDTO, requestContext); + String endUserToken = BackendJwtUtils.generateAndRetrieveJWTToken(jwtGenerator, tokenIdentifier, + jwtInfoDto, isGatewayTokenCacheEnabled, organization); + // Set generated jwt token as a response header + requestContext.addOrModifyHeaders(jwtConfigurationDto.getJwtHeader(), endUserToken); + } + + return FilterUtils.generateAuthenticationContext(tokenIdentifier, payload, api, + requestContext.getMatchedAPI().getUuid(), internalKey); + } else { + log.error("Internal Key authentication failed. " + FilterUtils.getMaskedToken(splitToken[0]), + ErrorDetails.errorLog(LoggingConstants.Severity.MINOR, 6602)); + CacheProviderUtil.getOrganizationCache(organization).getGatewayInternalKeyDataCache().invalidate(payload.getJWTID()); + CacheProviderUtil.getOrganizationCache(organization).getInvalidGatewayInternalKeyCache().put(payload.getJWTID(), internalKey); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); + } + } catch (ParseException e) { + log.warn("Internal Key authentication failed. 
", e); + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + "Internal key authentication failed."); + + } finally { + if (Utils.tracingEnabled()) { + apiKeyAuthenticatorSpanScope.close(); + Utils.finishSpan(apiKeyAuthenticatorSpan); + } + } + } + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_GENERAL_ERROR, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE); + } + + private APIKeyValidationInfoDTO getAPIKeyValidationDTO(RequestContext requestContext) + throws ParseException { + + APIKeyValidationInfoDTO validationInfoDTO = new APIKeyValidationInfoDTO(); + validationInfoDTO.setType(requestContext.getMatchedAPI().getEnvType()); + + //check whether name is assigned correctly (This was not populated in JWTAuthenticator) + validationInfoDTO.setApiName(requestContext.getMatchedAPI().getName()); + validationInfoDTO.setApiVersion(requestContext.getMatchedAPI().getVersion()); + return validationInfoDTO; + } + + @Override + public String getChallengeString() { + + return ""; + } + + @Override + public String getName() { + + return "Internal Key"; + } + + @Override + public int getPriority() { + + return -10; + } +} + diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java index 50db84dc7..fc99a686c 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java 
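Review bot: In `authenticate`, `String tokenIdentifier = payload.getJWTID();` is used as the key for `checkInRevokedMap` and for the `getGatewayInternalKeyDataCache()` / `getInvalidGatewayInternalKeyCache()` lookups with no null check; a token that lacks a `jti` claim yields null here, and whether those cache implementations tolerate a null key is not visible in this file, so rejecting such a token right after that line is the safer shape: `if (tokenIdentifier == null || tokenIdentifier.isEmpty()) { throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); }`. The outer `finally` calls `apiKeyAuthenticatorSpanScope.close()` and the subscription-validation `finally` calls `apiKeyValidateSubscriptionSpanScope.close()` guarded only by `Utils.tracingEnabled()`, whereas the verify-without-cache block null-checks both the scope and the span before closing; if `Utils.startSpan` itself fails, the first two would throw a NullPointerException that masks the original exception, so the same null guards belong there. `getAPIKeyValidationDTO` declares `throws ParseException` although nothing in its body can throw it, which forces callers to handle an exception that never occurs.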
@@ -30,9 +30,9 @@ import org.wso2.apk.enforcer.commons.dto.JWTConfigurationDto; import org.wso2.apk.enforcer.commons.dto.JWTInfoDto; import org.wso2.apk.enforcer.commons.dto.JWTValidationInfo; +import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; import org.wso2.apk.enforcer.commons.exception.APISecurityException; import org.wso2.apk.enforcer.commons.exception.EnforcerException; -import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; import org.wso2.apk.enforcer.commons.model.APIConfig; import org.wso2.apk.enforcer.commons.model.AuthenticationContext; import org.wso2.apk.enforcer.commons.model.RequestContext; @@ -44,10 +44,12 @@ import org.wso2.apk.enforcer.security.Authenticator; import org.wso2.apk.enforcer.security.KeyValidator; import org.wso2.apk.enforcer.security.TokenValidationContext; +import org.wso2.apk.enforcer.security.jwt.validator.JWTConstants; import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator; import org.wso2.apk.enforcer.security.jwt.validator.RevokedJWTDataHolder; -import org.wso2.apk.enforcer.server.RevokedTokenRedisClient; import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; +import org.wso2.apk.enforcer.server.RevokedTokenRedisClient; +import org.wso2.apk.enforcer.subscription.SubscriptionDataStore; import org.wso2.apk.enforcer.tracing.TracingConstants; import org.wso2.apk.enforcer.tracing.TracingSpan; import org.wso2.apk.enforcer.tracing.TracingTracer; @@ -61,7 +63,6 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; -import java.util.List; import java.util.Map; import java.util.Set; 
@@ -89,7 +90,15 @@ public boolean canAuthenticate(RequestContext requestContext) { if (!StringUtils.equals(authHeader, "")) { String authHeaderValue = retrieveAuthHeaderValue(requestContext, authHeader); - return authHeaderValue != null && !StringUtils.containsWhitespace(authHeaderValue) && authHeaderValue.split("\\.").length == 3; + + // Check keyword bearer in header to prevent conflicts with custom authentication + // (that maybe added with custom filters / interceptors / opa) + // which also includes a jwt in the auth header yet with a scheme other than 'bearer'. + // + // StringUtils.startsWithIgnoreCase(null, "bearer") = false + // StringUtils.startsWithIgnoreCase("abc", "bearer") = false + // StringUtils.startsWithIgnoreCase("Bearer abc", "bearer") = true + return StringUtils.startsWithIgnoreCase(authHeaderValue, JWTConstants.BEARER) && authHeaderValue.trim().split("\\s+").length == 2 && authHeaderValue.split("\\.").length == 3; } return false; } @@ -113,6 +122,11 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws } String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths()); String jwtToken = retrieveAuthHeaderValue(requestContext, authHeader); + String[] splitToken = jwtToken.split("\\s"); + // Extract the token when it is sent as bearer token. i.e Authorization: Bearer + if (splitToken.length > 1) { + jwtToken = splitToken[1]; + } String context = requestContext.getMatchedAPI().getBasePath(); String name = requestContext.getMatchedAPI().getName(); String envType = requestContext.getMatchedAPI().getEnvType(); 
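Review bot: The two new split expressions disagree on whitespace: `canAuthenticate` accepts a header whose scheme and token are separated by any run of whitespace (`authHeaderValue.trim().split("\\s+").length == 2`), but `authenticate` then splits on a single whitespace character (`String[] splitToken = jwtToken.split("\\s");`), so a value of `Bearer`, two spaces and a three-part token passes the first check and hands an empty string on as `jwtToken`. Using the same pattern in both places, `String[] splitToken = jwtToken.trim().split("\\s+");`, keeps the two methods in step and also sends a cleanly split array on to `validateSubscriptionUsingConsumerKey` in the `@@ -170` hunk. `startsWithIgnoreCase` additionally accepts any scheme that merely begins with `bearer`; if that is intended, the existing comment block is the place to say so. The removed condition guarded `authHeaderValue != null` explicitly, and while the new `canAuthenticate` expression short-circuits on null, the new line in `authenticate` would throw a NullPointerException if `retrieveAuthHeaderValue` returns null and the method is reached without `canAuthenticate` having run first; a null guard before the split is cheap.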
@@ -129,12 +143,6 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws } if (validationInfo != null) { if (validationInfo.isValid()) { - List audFromAPI = getAudience(requestContext.getMatchedResourcePaths()); - List audFromToken = validationInfo.getAudience(); - if (!checkAllExist(audFromAPI, audFromToken)) { - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Required audience not available in the JWT aud."); - } Map claims = validationInfo.getClaims(); // Validate token type Object keyType = claims.get("keytype"); @@ -170,7 +178,7 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws if (consumerKey != null) { validateSubscriptionUsingConsumerKey(apiKeyValidationInfoDTO, name, version, context, consumerKey, envType, organization, - "", requestContext.getMatchedAPI()); + splitToken, requestContext.getMatchedAPI()); } else { log.error("Error while extracting consumer key from token"); throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), @@ -267,21 +275,10 @@ private String getTokenHeader(ArrayList matchedResourceConfigs) return ""; } - private ArrayList getAudience(ArrayList matchedResourceConfigs) { - ArrayList audience = new ArrayList<>(); - for (ResourceConfig resourceConfig : matchedResourceConfigs) { - if (resourceConfig.getAuthenticationConfig() != null && - resourceConfig.getAuthenticationConfig().getJwtAuthenticationConfig() != null) { - return resourceConfig.getAuthenticationConfig().getJwtAuthenticationConfig().getAudience(); - } - } - return audience; - } - @Override public String getChallengeString() { - return "JWT realm=\"APK\""; + return "Bearer realm=\"APK\""; } @Override @@ -348,13 +345,13 @@ private void validateScopes(String apiContext, String apiVersion, ArrayList list1, List list2) { - return list1.stream().allMatch(list2::contains); - } } 
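Review bot: After this hunk the `validationInfo.isValid()` branch no longer compares the token's `aud` claim with the audience configured on the matched resource, and the supporting `getAudience` helper and `checkAllExist` are removed in the `@@ -267` and `@@ -348` hunks of the same file, so a token signed by a trusted issuer but intended for another audience may be accepted here provided the remaining checks pass. If dropping the check is the intended outcome of the revert series, a short marker at the deletion point such as `// TODO(review): audience validation removed by revert; confirm where it is enforced` would stop a later reader from assuming it was lost by accident; if it is not intended, the check should return together with a clear decision on how an empty configured audience list is treated, since that was the point the reverted commits disagreed on.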
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java deleted file mode 100644 index 0c20eb00b..000000000 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java +++ /dev/null 
@@ -1,516 +0,0 @@ -/* - * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 LLC. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.wso2.apk.enforcer.security.jwt; - -import com.nimbusds.jwt.JWTClaimsSet; -import com.nimbusds.jwt.SignedJWT; -import com.nimbusds.jwt.util.DateUtils; -import io.opentelemetry.context.Scope; -import org.apache.commons.lang3.StringUtils; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.ThreadContext; -import org.wso2.apk.enforcer.common.CacheProviderUtil; -import org.wso2.apk.enforcer.commons.dto.ClaimValueDTO; -import org.wso2.apk.enforcer.commons.dto.JWTConfigurationDto; -import org.wso2.apk.enforcer.commons.dto.JWTInfoDto; -import org.wso2.apk.enforcer.commons.dto.JWTValidationInfo; -import org.wso2.apk.enforcer.commons.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator; -import org.wso2.apk.enforcer.commons.exception.APISecurityException; -import org.wso2.apk.enforcer.commons.exception.EnforcerException; -import org.wso2.apk.enforcer.commons.model.APIConfig; -import org.wso2.apk.enforcer.commons.model.AuthenticationContext; -import org.wso2.apk.enforcer.commons.model.RequestContext; -import org.wso2.apk.enforcer.commons.model.ResourceConfig; -import org.wso2.apk.enforcer.config.ConfigHolder; -import org.wso2.apk.enforcer.constants.APIConstants; -import 
org.wso2.apk.enforcer.constants.APISecurityConstants; -import org.wso2.apk.enforcer.dto.APIKeyValidationInfoDTO; -import org.wso2.apk.enforcer.security.Authenticator; -import org.wso2.apk.enforcer.security.KeyValidator; -import org.wso2.apk.enforcer.security.TokenValidationContext; -import org.wso2.apk.enforcer.security.jwt.validator.JWTConstants; -import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator; -import org.wso2.apk.enforcer.security.jwt.validator.RevokedJWTDataHolder; -import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; -import org.wso2.apk.enforcer.server.RevokedTokenRedisClient; -import org.wso2.apk.enforcer.tracing.TracingConstants; -import org.wso2.apk.enforcer.tracing.TracingSpan; -import org.wso2.apk.enforcer.tracing.TracingTracer; -import org.wso2.apk.enforcer.tracing.Utils; -import org.wso2.apk.enforcer.util.BackendJwtUtils; -import org.wso2.apk.enforcer.util.FilterUtils; -import org.wso2.apk.enforcer.util.JWTUtils; - -import java.text.ParseException; -import java.util.ArrayList; -import java.util.Date; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -/** - * Implements the authenticator interface to authenticate request using a JWT token. 
- */ -public class Oauth2Authenticator implements Authenticator { - - private static final Logger log = LogManager.getLogger(Oauth2Authenticator.class); - private final boolean isGatewayTokenCacheEnabled; - private AbstractAPIMgtGatewayJWTGenerator jwtGenerator; - - public Oauth2Authenticator(final JWTConfigurationDto jwtConfigurationDto, final boolean isGatewayTokenCacheEnabled) { - - this.isGatewayTokenCacheEnabled = isGatewayTokenCacheEnabled; - if (jwtConfigurationDto.isEnabled()) { - this.jwtGenerator = BackendJwtUtils.getApiMgtGatewayJWTGenerator(jwtConfigurationDto); - this.jwtGenerator.setJWTConfigurationDto(jwtConfigurationDto); - } - } - - @Override - public boolean canAuthenticate(RequestContext requestContext) { - String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths()); - - if (!StringUtils.equals(authHeader, "")) { - String authHeaderValue = retrieveAuthHeaderValue(requestContext, authHeader); - - // Check keyword bearer in header to prevent conflicts with custom authentication - // (that maybe added with custom filters / interceptors / opa) - // which also includes a jwt in the auth header yet with a scheme other than 'bearer'. 
- // - // StringUtils.startsWithIgnoreCase(null, "bearer") = false - // StringUtils.startsWithIgnoreCase("abc", "bearer") = false - // StringUtils.startsWithIgnoreCase("Bearer abc", "bearer") = true - return StringUtils.startsWithIgnoreCase(authHeaderValue, JWTConstants.BEARER) && authHeaderValue.trim().split("\\s+").length == 2 && authHeaderValue.split("\\.").length == 3; - } - return false; - } - - @Override - public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException { - - TracingTracer tracer = null; - TracingSpan jwtAuthenticatorInfoSpan = null; - Scope jwtAuthenticatorInfoSpanScope = null; - TracingSpan validateSubscriptionSpan = null; - TracingSpan validateScopesSpan = null; - - try { - if (Utils.tracingEnabled()) { - tracer = Utils.getGlobalTracer(); - jwtAuthenticatorInfoSpan = Utils.startSpan(TracingConstants.JWT_AUTHENTICATOR_SPAN, tracer); - jwtAuthenticatorInfoSpanScope = jwtAuthenticatorInfoSpan.getSpan().makeCurrent(); - Utils.setTag(jwtAuthenticatorInfoSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths()); - String jwtToken = retrieveAuthHeaderValue(requestContext, authHeader); - String[] splitToken = jwtToken.split("\\s"); - // Extract the token when it is sent as bearer token. 
i.e Authorization: Bearer - if (splitToken.length > 1) { - jwtToken = splitToken[1]; - } - String context = requestContext.getMatchedAPI().getBasePath(); - String name = requestContext.getMatchedAPI().getName(); - String envType = requestContext.getMatchedAPI().getEnvType(); - String version = requestContext.getMatchedAPI().getVersion(); - String organization = requestContext.getMatchedAPI().getOrganizationId(); - String environment = requestContext.getMatchedAPI().getEnvironment(); - - JWTValidationInfo validationInfo = getJwtValidationInfo(jwtToken, organization, environment); - if (RevokedTokenRedisClient.getRevokedTokens().contains(validationInfo.getIdentifier())) { - log.info("Revoked JWT token. ", validationInfo.getIdentifier()); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); - } - if (validationInfo != null) { - if (validationInfo.isValid()) { - Map claims = validationInfo.getClaims(); - // Validate token type - Object keyType = claims.get("keytype"); - if (keyType != null && !keyType.toString().equalsIgnoreCase(requestContext.getMatchedAPI().getEnvType())) { - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid key type."); - } - - // Validate subscriptions - APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO(); - Scope validateSubscriptionSpanScope = null; - boolean isSystemAPI = requestContext.getMatchedAPI().isSystemAPI(); - boolean isGatewayLevelSubscriptionValidationEnabled = ConfigHolder.getInstance().getConfig() - .getMandateSubscriptionValidation(); - try { - // If subscription validation is mandated at Gateway level, all API invocations should undergo - // subscription validation. When not mandated, we check whether the API has enabled - // subscription validation. 
- if (!isSystemAPI && (isGatewayLevelSubscriptionValidationEnabled || requestContext.getMatchedAPI() - .isSubscriptionValidation())) { - if (Utils.tracingEnabled()) { - validateSubscriptionSpan = - Utils.startSpan(TracingConstants.SUBSCRIPTION_VALIDATION_SPAN, tracer); - validateSubscriptionSpanScope = validateSubscriptionSpan.getSpan().makeCurrent(); - Utils.setTag(validateSubscriptionSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - - // Get consumer key from the JWT token claim set - String consumerKey = validationInfo.getConsumerKey(); - - // Subscription validation using consumer key - if (consumerKey != null) { - validateSubscriptionUsingConsumerKey(apiKeyValidationInfoDTO, name, version, context, - consumerKey, envType, organization, - splitToken, requestContext.getMatchedAPI()); - } else { - log.error("Error while extracting consumer key from token"); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, - "Invalid JWT token. Error while extracting consumer key from token"); - } - } else { - // In this case, the application related properties are populated so that analytics - // could provide much better insights. 
- // Since application notion becomes less meaningful with subscription validation disabled, - // the application name would be populated under the convention "anon:" - JWTUtils.updateApplicationNameForSubscriptionDisabledFlow(apiKeyValidationInfoDTO, - APIConstants.KeyManager.DEFAULT_KEY_MANAGER); - } - } finally { - if (Utils.tracingEnabled()) { - if (validateSubscriptionSpan != null) { - validateSubscriptionSpanScope.close(); - Utils.finishSpan(validateSubscriptionSpan); - } - } - } - - // Validate scopes - Scope validateScopesSpanScope = null; - try { - if (Utils.tracingEnabled()) { - validateScopesSpan = Utils.startSpan(TracingConstants.SCOPES_VALIDATION_SPAN, tracer); - validateScopesSpanScope = validateScopesSpan.getSpan().makeCurrent(); - Utils.setTag(validateScopesSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - validateScopes(context, version, requestContext.getMatchedResourcePaths(), validationInfo, - jwtToken); - } finally { - if (Utils.tracingEnabled()) { - validateScopesSpanScope.close(); - Utils.finishSpan(validateScopesSpan); - } - } - log.debug("JWT authentication successful."); - - // Generate or get backend JWT - String endUserToken = null; - - // jwt generator is only set if the backend jwt is enabled - if (this.jwtGenerator != null) { - JWTConfigurationDto configurationDto = this.jwtGenerator.getJWTConfigurationDto(); - Map claimMap = new HashMap<>(); - if (configurationDto != null) { - claimMap = configurationDto.getCustomClaims(); - } - JWTInfoDto jwtInfoDto = FilterUtils.generateJWTInfoDto(null, validationInfo, - apiKeyValidationInfoDTO, requestContext); - - // set custom claims get from the CR - jwtInfoDto.setClaims(claimMap); - endUserToken = BackendJwtUtils.generateAndRetrieveJWTToken(this.jwtGenerator, - validationInfo.getIdentifier(), jwtInfoDto, isGatewayTokenCacheEnabled, organization); - // Set generated jwt token as a response header - // Change the backendJWTConfig to API level - 
requestContext.addOrModifyHeaders(this.jwtGenerator.getJWTConfigurationDto().getJwtHeader(), - endUserToken); - } - - return FilterUtils.generateAuthenticationContext(requestContext, validationInfo.getIdentifier(), - validationInfo, apiKeyValidationInfoDTO, endUserToken, jwtToken, true); - } else { - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - validationInfo.getValidationCode(), - APISecurityConstants.getAuthenticationFailureMessage(validationInfo.getValidationCode())); - } - } else { - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_GENERAL_ERROR, - APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE); - } - } finally { - if (Utils.tracingEnabled()) { - jwtAuthenticatorInfoSpanScope.close(); - Utils.finishSpan(jwtAuthenticatorInfoSpan); - } - } - - } - - private String getTokenHeader(ArrayList matchedResourceConfigs) { - for (ResourceConfig resourceConfig : matchedResourceConfigs) { - if (resourceConfig.getAuthenticationConfig() != null && - resourceConfig.getAuthenticationConfig().getOauth2AuthenticationConfig() != null) { - return resourceConfig.getAuthenticationConfig().getOauth2AuthenticationConfig().getHeader(); - } - } - return ""; - } - - @Override - public String getChallengeString() { - - return "Bearer realm=\"APK\""; - } - - @Override - public String getName() { - - return "Oauth2"; - } - - @Override - public int getPriority() { - - return 10; - } - - private String retrieveAuthHeaderValue(RequestContext requestContext, String header) { - Map headers = requestContext.getHeaders(); - return headers.get(header); - } - - /** - * Validate scopes bound to the resource of the API being invoked against the scopes specified - * in the JWT token payload. 
- * - * @param apiContext API Context - * @param apiVersion API Version - * @param matchingResources Accessed API resources - * @param jwtValidationInfo Validated JWT Information - * @param jwtToken JWT Token - * @throws APISecurityException in case of scope validation failure - */ - private void validateScopes(String apiContext, String apiVersion, ArrayList matchingResources, - JWTValidationInfo jwtValidationInfo, String jwtToken) throws APISecurityException { - - APIKeyValidationInfoDTO apiKeyValidationInfoDTO = new APIKeyValidationInfoDTO(); - Set scopeSet = new HashSet<>(jwtValidationInfo.getScopes()); - apiKeyValidationInfoDTO.setScopes(scopeSet); - - TokenValidationContext tokenValidationContext = new TokenValidationContext(); - tokenValidationContext.setValidationInfoDTO(apiKeyValidationInfoDTO); - - tokenValidationContext.setAccessToken(jwtToken); - // since matching resources has same method for all, just get the first element's method is adequate. - // i.e. graphQL matching resources has same operation type for a request. - tokenValidationContext.setHttpVerb(matchingResources.get(0).getMethod().toString()); - tokenValidationContext.setMatchingResourceConfigs(matchingResources); - tokenValidationContext.setContext(apiContext); - tokenValidationContext.setVersion(apiVersion); - - boolean valid = KeyValidator.validateScopes(tokenValidationContext); - if (valid) { - log.debug("Scope validation was successful for the resource."); - } - } - - /** - * Validate whether the user is subscribed to the invoked API using consumer key. If subscribed, validate - * the API information embedded within the Subscription against the information from the request context. - * - * @param validationInfo Token validation related details. This will be populated based on the available data - * during the subscription validation. 
- * @param name API name - * @param version API version - * @param context API context - * @param consumerKey Consumer key extracted from the jwt token claim set - * @param envType The environment type, i.e. PRODUCTION or SANDBOX - * @param organization Organization extracted from the request context - * @param splitToken The split token - * @param matchedAPI - * @throws APISecurityException if the user is not subscribed to the API - */ - private void validateSubscriptionUsingConsumerKey(APIKeyValidationInfoDTO validationInfo, String name, - String version, String context, String consumerKey, - String envType, String organization, String[] splitToken, - APIConfig matchedAPI) throws APISecurityException { - - validationInfo.setApiName(name); - validationInfo.setApiVersion(version); - validationInfo.setApiContext(context); - validationInfo.setConsumerKey(consumerKey); - validationInfo.setType(matchedAPI.getApiType()); - validationInfo.setEnvType(envType); - validationInfo.setEnvironment(matchedAPI.getEnvironment()); - validationInfo.setSecurityScheme(APIConstants.API_SECURITY_OAUTH2); - validationInfo.setSubscriberOrganization(organization); - validationInfo.setApiContext(matchedAPI.getBasePath()); - validationInfo.setApiVersion(matchedAPI.getVersion()); - validationInfo.setApiName(matchedAPI.getName()); - KeyValidator.validateSubscriptionUsingConsumerKey(validationInfo); - - if (validationInfo.isAuthorized()) { - if (log.isDebugEnabled()) { - log.debug("User is subscribed to the API: " + name + ", " + "version: " + version + ". Token:" + " " + - FilterUtils.getMaskedToken(splitToken[0])); - } - } else { - if (log.isDebugEnabled()) { - log.debug("User is not subscribed to access the API: " + name + ", version: " + version + ". 
" + - "Token: " + FilterUtils.getMaskedToken(splitToken[0])); - } - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), - APISecurityConstants.API_AUTH_FORBIDDEN, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE); - } - } - - /** - * Validate whether the token is a valid JWT and generate the JWTValidationInfo object. - * - * @param jwtToken The full JWT token - * @param organization organization of the API - * @param environment environment of the API - * @return - * @throws APISecurityException - */ - private JWTValidationInfo getJwtValidationInfo(String jwtToken, String organization, String environment) throws APISecurityException { - - if (isGatewayTokenCacheEnabled) { - String[] jwtParts = jwtToken.split("\\."); - String signature = jwtParts[2]; - Object validCacheToken = CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache() - .getIfPresent(signature); - if (validCacheToken != null) { - JWTValidationInfo validationInfo = (JWTValidationInfo) validCacheToken; - if (!isJWTExpired(validationInfo)) { - if (!StringUtils.equals(validationInfo.getToken(), jwtToken)) { - log.warn("Suspected tampered token; a JWT token with the same signature is " + - "already available in the cache. 
Tampered token: " + FilterUtils.getMaskedToken(jwtToken)); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token"); - } - if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(validationInfo.getIdentifier())) { - log.debug("Token found in the revoked jwt token map."); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token"); - } - return validationInfo; - } else { - CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().invalidate(signature); - CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(signature, true); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED, - APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED_MESSAGE); - } - } else if (CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache() - .getIfPresent(signature) != null) { - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); - } - } - - SignedJWT signedJWT; - JWTClaimsSet jwtClaimsSet; - SignedJWTInfo signedJWTInfo; - Scope decodeTokenHeaderSpanScope = null; - TracingSpan decodeTokenHeaderSpan = null; - try { - if (Utils.tracingEnabled()) { - TracingTracer tracer = Utils.getGlobalTracer(); - decodeTokenHeaderSpan = Utils.startSpan(TracingConstants.DECODE_TOKEN_HEADER_SPAN, tracer); - decodeTokenHeaderSpanScope = decodeTokenHeaderSpan.getSpan().makeCurrent(); - Utils.setTag(decodeTokenHeaderSpan, APIConstants.LOG_TRACE_ID, - ThreadContext.get(APIConstants.LOG_TRACE_ID)); - } - signedJWT = SignedJWT.parse(jwtToken); - jwtClaimsSet = signedJWT.getJWTClaimsSet(); - signedJWTInfo = new 
SignedJWTInfo(jwtToken, signedJWT, jwtClaimsSet); - } catch (ParseException | IllegalArgumentException e) { - log.error("Failed to decode the token header. {}", e.getMessage()); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Not a JWT token. Failed to decode the " + - "token header", e); - } finally { - if (Utils.tracingEnabled()) { - decodeTokenHeaderSpanScope.close(); - Utils.finishSpan(decodeTokenHeaderSpan); - } - } - - String signature = signedJWT.getSignature().toString(); - String jwtTokenIdentifier = StringUtils.isNotEmpty(jwtClaimsSet.getJWTID()) ? jwtClaimsSet.getJWTID() : - signature; - - // check whether the token is revoked - String jwtHeader = signedJWT.getHeader().toString(); - if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(jwtTokenIdentifier)) { - log.debug("Token retrieved from the revoked jwt token map. Token: " + - FilterUtils.getMaskedToken(jwtHeader)); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token"); - } - - try { - // Get issuer - String issuer = jwtClaimsSet.getIssuer(); - JWTValidator jwtValidator = SubscriptionDataHolder.getInstance().getSubscriptionDataStore(organization) - .getJWTValidatorByIssuer(issuer, environment); - // If no validator found for the issuer, we are not caching the token. 
- if (jwtValidator == null) { - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, - APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); - } - - JWTValidationInfo jwtValidationInfo = jwtValidator.validateToken(jwtToken, signedJWTInfo); - if (isGatewayTokenCacheEnabled) { - // Add token to tenant token cache - if (jwtValidationInfo.isValid()) { - CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().put(signature, - jwtValidationInfo); - } else { - CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(signature, true); - } - } - return jwtValidationInfo; - } catch (EnforcerException e) { - log.error("JWT Validation failed", e); - throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), - APISecurityConstants.API_AUTH_GENERAL_ERROR, - APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE); - } - } - - /** - * Check whether the jwt token is expired or not. - * - * @param payload The payload of the JWT token - * @return boolean true if the token is not expired, false otherwise - */ - private Boolean isJWTExpired(JWTValidationInfo payload) { - - long timestampSkew = FilterUtils.getTimeStampSkewInSeconds(); - Date now = new Date(); - Date exp = new Date(payload.getExpiryTime()); - return !DateUtils.isAfter(exp, now, timestampSkew); - } -} diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java index 38e7c0eb7..4a12de0b4 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/validator/JWTValidator.java 
@@ -93,7 +93,6 @@ public JWTValidationInfo validateToken(String token, SignedJWTInfo signedJWTInfo
 jwtValidationInfo.setIdentifier(JWTUtils.getJWTTokenIdentifier(signedJWTInfo));
 jwtValidationInfo.setJwtClaimsSet(signedJWTInfo.getJwtClaimsSet());
 jwtValidationInfo.setToken(token);
- jwtValidationInfo.setAudience(jwtClaimsSet.getAudience());
 return jwtValidationInfo;
 }
 jwtValidationInfo.setValidationCode(APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED);
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/Oauth2ValidatorTest.java b/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/JWTValidatorTest.java
similarity index 92%
rename from gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/Oauth2ValidatorTest.java
rename to gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/JWTValidatorTest.java
index 55376740c..b4ceb92cf 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/Oauth2ValidatorTest.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/test/java/org/wso2/apk/enforcer/jwt/JWTValidatorTest.java
@@ -39,7 +39,7 @@
 import org.wso2.apk.enforcer.commons.model.APIConfig;
 import org.wso2.apk.enforcer.commons.model.AuthenticationConfig;
 import org.wso2.apk.enforcer.commons.model.AuthenticationContext;
-import org.wso2.apk.enforcer.commons.model.Oauth2AuthenticationConfig;
+import org.wso2.apk.enforcer.commons.model.JWTAuthenticationConfig;
 import org.wso2.apk.enforcer.commons.model.RequestContext;
 import org.wso2.apk.enforcer.commons.model.ResourceConfig;
 import org.wso2.apk.enforcer.config.ConfigHolder;
@@ -47,7 +47,7 @@
 import org.wso2.apk.enforcer.config.dto.ExtendedTokenIssuerDto;
 import org.wso2.apk.enforcer.constants.APISecurityConstants;
 import org.wso2.apk.enforcer.security.KeyValidator;
-import org.wso2.apk.enforcer.security.jwt.Oauth2Authenticator;
+import org.wso2.apk.enforcer.security.jwt.JWTAuthenticator;
 import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator;
 import org.wso2.apk.enforcer.server.RevokedTokenRedisClient;
 import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder;
@@ -59,7 +59,7 @@
 import java.util.Map;
 import java.util.UUID;
-public class Oauth2ValidatorTest {
+public class JWTValidatorTest {
 @Before
 public void setup() {
@@ -95,15 +95,15 @@ public void testJWTValidator() throws APISecurityException, EnforcerException {
 jwtValidationInfo.setKeyManager("Default");
 JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto();
- Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true);
+ JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true);
 RequestContext requestContext = Mockito.mock(RequestContext.class);
 ArrayList resourceConfigs = new ArrayList<>();
 ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
- Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig();
- oauth2AuthenticationConfig.setHeader("Authorization");
- authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig);
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader("Authorization");
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
 Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
 Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET);
 resourceConfigs.add(resourceConfig);
@@ -134,7 +134,7 @@ public void testJWTValidator() throws APISecurityException, EnforcerException {
 subscriptionDataHolderMockedStatic.when(SubscriptionDataHolder::getInstance).thenReturn(subscriptionDataHolder);
 Mockito.when(subscriptionDataHolder.getSubscriptionDataStore(organization)).thenReturn(subscriptionDataStore);
 Logger logger = Mockito.mock(Logger.class);
- logManagerDummy.when(() -> LogManager.getLogger(Oauth2Authenticator.class)).thenReturn(logger);
+ logManagerDummy.when(() -> LogManager.getLogger(JWTAuthenticator.class)).thenReturn(logger);
 Log logger2 = Mockito.mock(Log.class);
 logFactoryDummy.when(() -> LogFactory.getLog(AbstractAPIMgtGatewayJWTGenerator.class)).thenReturn(logger2);
 cacheProviderUtilDummy.when(() -> CacheProviderUtil.getOrganizationCache(organization))
@@ -156,7 +156,7 @@ public void testJWTValidator() throws APISecurityException, EnforcerException {
 Mockito.when(subscriptionDataStore.getJWTValidatorByIssuer(issuer, environment)).thenReturn(jwtValidator);
 Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo);
 keyValidaterDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true);
- AuthenticationContext authenticate = oauth2Authenticator.authenticate(requestContext);
+ AuthenticationContext authenticate = jwtAuthenticator.authenticate(requestContext);
 Assert.assertNotNull(authenticate);
 Mockito.verify(gatewayKeyCache, Mockito.atLeast(1)).put(signature, jwtValidationInfo);
 }
@@ -194,15 +194,15 @@ public void testRevokedToken() throws APISecurityException, EnforcerException {
 jwtValidationInfo.setIdentifier(revokedTokenJTI);
 JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto();
- Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true);
+ JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true);
 RequestContext requestContext = Mockito.mock(RequestContext.class);
 ArrayList resourceConfigs = new ArrayList<>();
 ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
- Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig();
- oauth2AuthenticationConfig.setHeader("Authorization");
- authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig);
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader("Authorization");
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
 Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
 Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET);
 resourceConfigs.add(resourceConfig);
@@ -234,7 +234,7 @@ public void testRevokedToken() throws APISecurityException, EnforcerException {
 subscriptionDataHolderMockedStatic.when(SubscriptionDataHolder::getInstance).thenReturn(subscriptionDataHolder);
 Mockito.when(subscriptionDataHolder.getSubscriptionDataStore(organization)).thenReturn(subscriptionDataStore);
 Logger logger = Mockito.mock(Logger.class);
- logManagerDummy.when(() -> LogManager.getLogger(Oauth2Authenticator.class)).thenReturn(logger);
+ logManagerDummy.when(() -> LogManager.getLogger(JWTAuthenticator.class)).thenReturn(logger);
 Log logger2 = Mockito.mock(Log.class);
 logFactoryDummy.when(() -> LogFactory.getLog(AbstractAPIMgtGatewayJWTGenerator.class)).thenReturn(logger2);
 cacheProviderUtilDummy.when(() -> CacheProviderUtil.getOrganizationCache(organization))
@@ -255,7 +255,7 @@ public void testRevokedToken() throws APISecurityException, EnforcerException {
 Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo);
 keyValidaterDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true);
 try {
- oauth2Authenticator.authenticate(requestContext);
+ jwtAuthenticator.authenticate(requestContext);
 Assert.fail("Authentication should fail for revoked tokens");
 } catch (APISecurityException e) {
 Assert.assertEquals(e.getMessage(), e.getMessage(),
@@ -299,15 +299,15 @@ public void testCachedJWTValidator() throws APISecurityException, EnforcerExcept
 jwtValidationInfo.setIdentifier(signature);
 JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto();
- Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true);
+ JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true);
 RequestContext requestContext = Mockito.mock(RequestContext.class);
 ArrayList resourceConfigs = new ArrayList<>();
 ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
- Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig();
- oauth2AuthenticationConfig.setHeader("Authorization");
- authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig);
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader("Authorization");
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
 Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
 Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET);
 resourceConfigs.add(resourceConfig);
@@ -338,7 +338,7 @@ public void testCachedJWTValidator() throws APISecurityException, EnforcerExcept
 Mockito.when(subscriptionDataStore.getJWTValidatorByIssuer(issuer, environment)).thenReturn(jwtValidator);
 Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo);
 keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true);
- AuthenticationContext authenticate = oauth2Authenticator.authenticate(requestContext);
+ AuthenticationContext authenticate = jwtAuthenticator.authenticate(requestContext);
 Assert.assertNotNull(authenticate);
 Assert.assertEquals(authenticate.getConsumerKey(), jwtValidationInfo.getConsumerKey());
 Mockito.verify(gatewayKeyCache, Mockito.atLeast(1)).getIfPresent(signature);
@@ -367,15 +367,15 @@ public void testNonJTIJWTValidator() throws APISecurityException, EnforcerExcept
 jwtValidationInfo.setIdentifier(signature);
 JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto();
- Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true);
+ JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true);
 RequestContext requestContext = Mockito.mock(RequestContext.class);
 ArrayList resourceConfigs = new ArrayList<>();
 ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
- Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig();
- oauth2AuthenticationConfig.setHeader("Authorization");
- authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig);
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader("Authorization");
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
 Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
 Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET);
 resourceConfigs.add(resourceConfig);
@@ -407,7 +407,7 @@ public void testNonJTIJWTValidator() throws APISecurityException, EnforcerExcept
 .thenReturn(jwtValidator);
 Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo);
 keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true);
- AuthenticationContext authenticate = oauth2Authenticator.authenticate(requestContext);
+ AuthenticationContext authenticate = jwtAuthenticator.authenticate(requestContext);
 Assert.assertNotNull(authenticate);
 Assert.assertEquals(authenticate.getConsumerKey(), jwtValidationInfo.getConsumerKey());
 Mockito.verify(gatewayKeyCache, Mockito.atLeast(1)).getIfPresent(signature);
@@ -442,15 +442,15 @@ public void testExpiredJWTValidator() {
 jwtValidationInfo.setIdentifier(signature);
 JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto();
- Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true);
+ JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true);
 RequestContext requestContext = Mockito.mock(RequestContext.class);
 ArrayList resourceConfigs = new ArrayList<>();
 ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
- Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig();
- oauth2AuthenticationConfig.setHeader("Authorization");
- authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig);
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader("Authorization");
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
 Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
 Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET);
 resourceConfigs.add(resourceConfig);
@@ -475,7 +475,7 @@ public void testExpiredJWTValidator() {
 cacheProviderUtilDummy.when(() -> CacheProviderUtil.getOrganizationCache(organization)).thenReturn(cacheProvider);
 keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true);
 try {
- oauth2Authenticator.authenticate(requestContext);
+ jwtAuthenticator.authenticate(requestContext);
 Assert.fail("Authentication should fail for expired tokens");
 } catch (APISecurityException e) {
 Assert.assertEquals(e.getMessage(), e.getMessage(),
@@ -517,15 +517,15 @@ public void testNoCacheExpiredJWTValidator() throws EnforcerException {
 jwtValidationInfo.setIdentifier(signature);
 JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto();
- Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true);
+ JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true);
 RequestContext requestContext = Mockito.mock(RequestContext.class);
 ArrayList resourceConfigs = new ArrayList<>();
 ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
- Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig();
- oauth2AuthenticationConfig.setHeader("Authorization");
- authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig);
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader("Authorization");
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
 Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
 Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET);
 resourceConfigs.add(resourceConfig);
@@ -563,7 +563,7 @@ public void testNoCacheExpiredJWTValidator() throws EnforcerException {
 keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true);
 try {
- oauth2Authenticator.authenticate(requestContext);
+ jwtAuthenticator.authenticate(requestContext);
 Assert.fail("Authentication should fail for expired tokens");
 } catch (APISecurityException e) {
 Assert.assertEquals(e.getMessage(), APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED_MESSAGE);
@@ -617,15 +617,15 @@ public void testTamperedPayloadJWTValidator() throws EnforcerException {
 jwtValidationInfo.setIdentifier(signature);
 JWTConfigurationDto jwtConfigurationDto = new JWTConfigurationDto();
- Oauth2Authenticator oauth2Authenticator = new Oauth2Authenticator(jwtConfigurationDto, true);
+ JWTAuthenticator jwtAuthenticator = new JWTAuthenticator(jwtConfigurationDto, true);
 RequestContext requestContext = Mockito.mock(RequestContext.class);
 ArrayList resourceConfigs = new ArrayList<>();
 ResourceConfig resourceConfig = Mockito.mock(ResourceConfig.class);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
- Oauth2AuthenticationConfig oauth2AuthenticationConfig = new Oauth2AuthenticationConfig();
- oauth2AuthenticationConfig.setHeader("Authorization");
- authenticationConfig.setOauth2AuthenticationConfig(oauth2AuthenticationConfig);
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader("Authorization");
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
 Mockito.when(resourceConfig.getAuthenticationConfig()).thenReturn(authenticationConfig);
 Mockito.when(resourceConfig.getMethod()).thenReturn(ResourceConfig.HttpMethods.GET);
 resourceConfigs.add(resourceConfig);
@@ -664,7 +664,7 @@ public void testTamperedPayloadJWTValidator() throws EnforcerException {
 Mockito.when(jwtValidator.validateToken(Mockito.eq(jwt), Mockito.any())).thenReturn(jwtValidationInfo);
 keyValidatorDummy.when(() -> KeyValidator.validateScopes(Mockito.any())).thenReturn(true);
 try {
- oauth2Authenticator.authenticate(requestContext);
+ jwtAuthenticator.authenticate(requestContext);
 Assert.fail("Authentication should fail for tampered tokens");
 } catch (APISecurityException e) {
 Assert.assertEquals(e.getMessage(), "Invalid JWT token");
diff --git a/helm-charts/crds/dp.wso2.com_authentications.yaml b/helm-charts/crds/dp.wso2.com_authentications.yaml
index 784a583d6..1418de8c2 100644
--- a/helm-charts/crds/dp.wso2.com_authentications.yaml
+++ b/helm-charts/crds/dp.wso2.com_authentications.yaml
@@ -275,30 +275,6 @@ spec:
 type: object
 nullable: true
 type: array
- jwt:
- description: JWT is to specify the JWT authentication scheme
- details
- properties:
- audience:
- description: Audience who can invoke a corresponding API
- items:
- type: string
- type: array
- disabled:
- default: true
- description: Disabled is to disable JWT authentication
- type: boolean
- header:
- default: internal-key
- description: Header is the header name used to pass the
- JWT
- minLength: 1
- type: string
- sendTokenToUpstream:
- description: SendTokenToUpstream is to specify whether
- the JWT should be sent to the upstream
- type: boolean
- type: object
 mtls:
 description: MutualSSL is to specify the features and certificates
 for mutual SSL
@@ -388,6 +364,21 @@ spec:
 the OAuth2 token should be sent to the upstream
 type: boolean
 type: object
+ testConsoleKey:
+ description: TestConsoleKey is to specify the Test Console
+ Key authentication scheme details
+ properties:
+ header:
+ default: internal-key
+ description: Header is the header name used to pass the
+ Test Console Key
+ minLength: 1
+ type: string
+ sendTokenToUpstream:
+ description: SendTokenToUpstream is to specify whether
+ the Test Console Key should be sent to the upstream
+ type: boolean
+ type: object
 type: object
 disabled:
 description: Disabled is to disable all authentications
@@ -426,30 +417,6 @@ spec:
 type: object
 nullable: true
 type: array
- jwt:
- description: JWT is to specify the JWT authentication scheme
- details
- properties:
- audience:
- description: Audience who can invoke a corresponding API
- items:
- type: string
- type: array
- disabled:
- default: true
- description: Disabled is to disable JWT authentication
- type: boolean
- header:
- default: internal-key
- description: Header is the header name used to pass the
- JWT
- minLength: 1
- type: string
- sendTokenToUpstream:
- description: SendTokenToUpstream is to specify whether
- the JWT should be sent to the upstream
- type: boolean
- type: object
 mtls:
 description: MutualSSL is to specify the features and certificates
 for mutual SSL
@@ -539,6 +506,21 @@ spec:
 the OAuth2 token should be sent to the upstream
 type: boolean
 type: object
+ testConsoleKey:
+ description: TestConsoleKey is to specify the Test Console
+ Key authentication scheme details
+ properties:
+ header:
+ default: internal-key
+ description: Header is the header name used to pass the
+ Test Console Key
+ minLength: 1
+ type: string
+ sendTokenToUpstream:
+ description: SendTokenToUpstream is to specify whether
+ the Test Console Key should be sent to the upstream
+ type: boolean
+ type: object
 type: object
 disabled:
 description: Disabled is to disable all authentications
diff --git a/test/integration/integration/tests/custom-auth-header.go b/test/integration/integration/tests/custom-auth-header.go
index 8288e65bd..a1a3fb635 100644
--- a/test/integration/integration/tests/custom-auth-header.go
+++ b/test/integration/integration/tests/custom-auth-header.go
@@ -99,45 +99,12 @@ var CustomAuthHeader = suite.IntegrationTest{
 Namespace: ns,
 Response: http.Response{StatusCode: 200},
 },
- {
- Request: http.Request{
- Host: "custom-auth-header.test.gw.wso2.com",
- Path: "/custom-auth-header/v1.0.0/v2/echo-full/",
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full/",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 200},
- },
- {
- Request: http.Request{
- Host: "custom-auth-header.test.gw.wso2.com",
- Path: "/custom-auth-header/v2/echo-full/",
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full/",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 200},
- },
 }
 for i := range testCases {
 tc := testCases[i]
+ tc.Request.Headers = http.AddBearerTokenToHeader(token, tc.Request.Headers)
 if (i == 2 || i == 3) {
 tc.Request.Headers = http.AddCustomBearerTokenHeader("testAuth", token, tc.Request.Headers)
- } else if (i == 4 || i == 5) {
- tc.Request.Headers = http.AddInternalTokenHeader("testJwt", token, tc.Request.Headers)
- } else {
- tc.Request.Headers = http.AddBearerTokenToHeader(token, tc.Request.Headers)
 }
 t.Run(tc.GetTestCaseName(i), func(t *testing.T) {
 t.Parallel()
diff --git a/test/integration/integration/tests/jwt-api-level-security-test.go b/test/integration/integration/tests/jwt-api-level-security-test.go
deleted file mode 100644
index b99c8d294..000000000
--- a/test/integration/integration/tests/jwt-api-level-security-test.go
+++ /dev/null
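Review bot: After the added line, every request carries the default bearer header and cases 2 and 3 then receive the `testAuth` header on top of it, so those cases no longer show that the configured custom header is honoured on its own; if the gateway still accepted the standard Authorization header for that API, the test would pass just the same. Keeping the two paths separate restores the distinction: `if i == 2 || i == 3 { tc.Request.Headers = http.AddCustomBearerTokenHeader("testAuth", token, tc.Request.Headers) } else { tc.Request.Headers = http.AddBearerTokenToHeader(token, tc.Request.Headers) }`. Whether the gateway falls back to the default header when a custom one is configured is not visible here, so the loss of coverage is inferred rather than demonstrated. The parentheses around the if condition are unidiomatic Go and gofmt strips them. The enclosing Test function starts before the hunk and continues after it.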
@@ -1,107 +0,0 @@
-/*
- * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-package tests
-
-import (
- "testing"
-
- "github.com/wso2/apk/test/integration/integration/utils/http"
- "github.com/wso2/apk/test/integration/integration/utils/suite"
-)
-
-func init() {
- IntegrationTests = append(IntegrationTests, APILevelJWT)
-}
-
-// APILevelJWT test
-var APILevelJWT = suite.IntegrationTest{
- ShortName: "APILevelJWT",
- Description: "Tests API level jwt security",
- Manifests: []string{"tests/jwt-api-level-security.yaml"},
- Test: func(t *testing.T, suite *suite.IntegrationTestSuite) {
- gwAddr := "api-level-jwt.test.gw.wso2.com:9095"
- token := http.GetTestToken(t)
- ns := "gateway-integration-test-infra"
-
- testCases := []http.ExpectedResponse{
- {
- Request: http.Request{
- Host: "api-level-jwt.test.gw.wso2.com",
- Path: "/api-level-jwt/v1.0.0/v2/echo-full",
- Headers: map[string]string{
- "content-type": "application/json",
- "internal-key": token,
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 200},
- },
- {
- Request: http.Request{
- Host: "api-level-jwt.test.gw.wso2.com",
- Path: "/api-level-jwt/v1.0.0/v2/echo-full",
- Headers: map[string]string{
- "content-type": "application/json",
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 401},
- },
- {
- Request: http.Request{
- Host: "api-level-jwt.test.gw.wso2.com",
- Path: "/api-level-jwt/v1.0.0/v2/echo-full",
- Headers: map[string]string{
- "content-type": "application/json",
- "internal-key": "invalid",
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 401},
- },
- }
- for i := range testCases {
- tc := testCases[i]
- t.Run(tc.GetTestCaseName(i), func(t *testing.T) {
- t.Parallel()
- http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc)
- })
- }
- },
-}
diff --git a/test/integration/integration/tests/jwt-resource-level-security-test.go b/test/integration/integration/tests/jwt-resource-level-security-test.go
deleted file mode 100644
index 679e6018b..000000000
--- a/test/integration/integration/tests/jwt-resource-level-security-test.go
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-package tests
-
-import (
- "testing"
-
- "github.com/wso2/apk/test/integration/integration/utils/http"
- "github.com/wso2/apk/test/integration/integration/utils/suite"
-)
-
-func init() {
- IntegrationTests = append(IntegrationTests, ResourceLevelJWT)
-}
-
-// ResourceLevelJWT test
-var ResourceLevelJWT = suite.IntegrationTest{
- ShortName: "ResourceLevelJWT",
- Description: "Tests resource level jwt security",
- Manifests: []string{"tests/jwt-resource-level-security.yaml"},
- Test: func(t *testing.T, suite *suite.IntegrationTestSuite) {
- gwAddr := "resource-level-jwt.test.gw.wso2.com:9095"
- token := http.GetTestToken(t)
- ns := "gateway-integration-test-infra"
- testCases := []http.ExpectedResponse{
- {
- Request: http.Request{
- Host: "resource-level-jwt.test.gw.wso2.com",
- Path: "/resource-level-jwt/v1.0.0/v2/echo-full",
- Headers: map[string]string{
- "content-type": "application/json",
- "internal-key": token,
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 200},
- },
- {
- Request: http.Request{
- Host: "resource-level-jwt.test.gw.wso2.com",
- Path: "/resource-level-jwt/v1.0.0/v2/echo-full",
- Headers: map[string]string{
- "content-type": "application/json",
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 401},
- },
- {
- Request: http.Request{
- Host: "resource-level-jwt.test.gw.wso2.com",
- Path: "/resource-level-jwt/v1.0.0/v2/echo-full",
- Headers: map[string]string{
- "content-type": "application/json",
- "internal-key": "invalid",
- },
- Method: "GET",
- },
- ExpectedRequest: &http.ExpectedRequest{
- Request: http.Request{
- Path: "/v2/echo-full",
- },
- },
- Backend: "infra-backend-v1",
- Namespace: ns,
- Response: http.Response{StatusCode: 401},
- },
- }
- for i := range testCases {
- tc := testCases[i]
- t.Run(tc.GetTestCaseName(i), func(t *testing.T) {
- t.Parallel()
- http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc)
- })
- }
- },
-}
diff --git a/test/integration/integration/tests/resources/tests/custom-auth-header.yaml b/test/integration/integration/tests/resources/tests/custom-auth-header.yaml
index 585359006..b80c3db47 100644
--- a/test/integration/integration/tests/resources/tests/custom-auth-header.yaml
+++ b/test/integration/integration/tests/resources/tests/custom-auth-header.yaml
@@ -55,7 +55,7 @@ spec:
 kind: Backend
 name: infra-backend-v1
 ---
-apiVersion: dp.wso2.com/v1alpha2
+apiVersion: dp.wso2.com/v1alpha1
 kind: Authentication
 metadata:
 name: custom-auth-header-authentication
@@ -66,10 +66,7 @@ spec:
 authTypes:
 oauth2:
 disabled: false
- header: testAuth
- jwt:
- disabled: false
- header: testJwt
+ header: testAuth
 targetRef:
 group: gateway.networking.k8s.io
 kind: API
diff --git a/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml b/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml
deleted file mode 100644
index d9a08b245..000000000
--- a/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml
+++ /dev/null
@@ -1,83 +0,0 @@ -# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. -# -# WSO2 LLC. licenses this file to you under the Apache License, -# Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -apiVersion: dp.wso2.com/v1alpha2 -kind: API -metadata: - name: api-level-jwt - namespace: gateway-integration-test-infra -spec: - apiName: API with Backend Base Path - apiType: REST - apiVersion: v1.0.0 - basePath: /api-level-jwt/v1.0.0 - isDefaultVersion: true - #definitionFileRef: definition-file - production: - - httpRouteRefs: - - api-level-jwt-httproute - organization: wso2-org ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: api-level-jwt-httproute - namespace: gateway-integration-test-infra -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: default - namespace: apk-integration-test - sectionName: httpslistener - hostnames: - - api-level-jwt.test.gw.wso2.com - rules: - - matches: - - path: - type: PathPrefix - value: /v2/echo-full - backendRefs: - - group: dp.wso2.com - kind: Backend - name: infra-backend-v1 ---- -apiVersion: dp.wso2.com/v1alpha2 -kind: Authentication -metadata: - name: api-level-jwt-authentication - namespace: gateway-integration-test-infra -spec: - override: - disabled: false - authTypes: - jwt: - disabled: false - targetRef: - group: gateway.networking.k8s.io - kind: API - namespace: gateway-integration-test-infra - name: api-level-jwt ---- -apiVersion: dp.wso2.com/v1alpha1 -kind: Backend -metadata: 
- name: infra-backend-v1 - namespace: gateway-integration-test-infra -spec: - services: - - host: infra-backend-v1.gateway-integration-test-infra - port: 8080 diff --git a/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml b/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml deleted file mode 100644 index 889b12c4c..000000000 --- a/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. -# -# WSO2 LLC. licenses this file to you under the Apache License, -# Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -apiVersion: dp.wso2.com/v1alpha2 -kind: API -metadata: - name: resource-level-jwt - namespace: gateway-integration-test-infra -spec: - apiName: API with Backend Base Path - apiType: REST - apiVersion: v1.0.0 - basePath: /resource-level-jwt/v1.0.0 - isDefaultVersion: true - #definitionFileRef: definition-file - production: - - httpRouteRefs: - - resource-level-jwt-httproute - organization: wso2-org ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: resource-level-jwt-httproute - namespace: gateway-integration-test-infra -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: default - namespace: apk-integration-test - sectionName: httpslistener - hostnames: - - resource-level-jwt.test.gw.wso2.com - rules: - - matches: - - path: - type: PathPrefix - value: /v2/echo-full - backendRefs: - - group: dp.wso2.com - kind: Backend - name: infra-backend-v1 - filters: - - type: ExtensionRef - extensionRef: - group: dp.wso2.com - kind: Authentication - name: resource-level-jwt-authentication ---- -apiVersion: dp.wso2.com/v1alpha2 -kind: Authentication -metadata: - name: resource-level-jwt-authentication - namespace: gateway-integration-test-infra -spec: - override: - disabled: false - authTypes: - jwt: - disabled: false - targetRef: - kind: 
Resource - name: resource-level-jwt - group: gateway.networking.k8s.io - namespace: gateway-integration-test-infra ---apiVersion: dp.wso2.com/v1alpha1 -kind: Backend -metadata: - name: infra-backend-v1 - namespace: gateway-integration-test-infra -spec: - services: - - host: infra-backend-v1.gateway-integration-test-infra - port: 8080
diff --git a/test/integration/integration/utils/http/helpers.go b/test/integration/integration/utils/http/helpers.go
index 54b8853d6..dc18d5264 100644
--- a/test/integration/integration/utils/http/helpers.go
+++ b/test/integration/integration/utils/http/helpers.go
@@ -34,12 +34,3 @@ func AddCustomBearerTokenHeader(headerName string, token string, headers map[str
 headers[headerName] = fmt.Sprintf("Bearer %s", token)
 return headers
 }
-
-// AddInternalTokenHeader adds a internal token to the request with specified auth header name.
-func AddInternalTokenHeader(headerName string, token string, headers map[string]string) map[string]string {
- if headers == nil {
- headers = make(map[string]string)
- }
- headers[headerName] = token
- return headers
-}
diff --git a/test/integration/scripts/run-tests.sh b/test/integration/scripts/run-tests.sh
index 7a50bd056..43d1a89ba 100644
--- a/test/integration/scripts/run-tests.sh
+++ b/test/integration/scripts/run-tests.sh
@@ -79,8 +79,6 @@ sudo echo "$IP ratelimit-priority.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "$IP different-endpoint-with-same-route.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "$IP custom-auth-header.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "$IP gql.test.gw.wso2.com" | sudo tee -a /etc/hosts
-sudo echo "$IP api-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts
-sudo echo "$IP resource-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "255.255.255.255 broadcasthost" | sudo tee -a /etc/hosts
 sudo echo "::1 localhost" | sudo tee -a /etc/hosts
diff --git a/test/integration/scripts/setup-hosts.sh b/test/integration/scripts/setup-hosts.sh
index 7ff4ff8af..c74feb92d 100644
--- a/test/integration/scripts/setup-hosts.sh
+++ b/test/integration/scripts/setup-hosts.sh
@@ -38,8 +38,6 @@ sudo echo "$IP ratelimit-priority.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "$IP different-endpoint-with-same-route.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "$IP custom-auth-header.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "$IP gql.test.gw.wso2.com" | sudo tee -a /etc/hosts
-sudo echo "$IP api-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts
-sudo echo "$IP resource-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts
 sudo echo "255.255.255.255 broadcasthost" | sudo tee -a /etc/hosts
 sudo echo "::1 localhost" | sudo tee -a /etc/hosts