Merge pull request #3597 from mevan-karu/pat_impl_choreo

VirajSalaka · web-flow · commit 94d91492fbc5 · 2024-10-04T08:16:47.000+05:30
Add support to send PAT JWT to backend
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/APIKeyUtils.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/APIKeyUtils.java
@@ -97,10 +97,10 @@ public static String generateAPIKeyHash(String apiKey) {
     /**
      * This function exchanges a given API key to an JWT token.
      *
-     * @param pat    PAT
+     * @param keyHash    Key Hash
      * @return JWT corresponding to given PAT.
      */
-    public static Optional<String> exchangePATToJWT(String pat) {
+    public static Optional<String> exchangePATToJWT(String keyHash) {
 
         URL url = null;
         try {
@@ -115,7 +115,6 @@ public static Optional<String> exchangePATToJWT(String pat) {
             // Create a request to exchange API key to JWT.
             HttpPost exchangeRequest = new HttpPost(url.toURI());
             exchangeRequest.addHeader("Content-Type", ContentType.APPLICATION_JSON.toString());
-            String keyHash = generateAPIKeyHash(pat);
             exchangeRequest.setEntity(new StringEntity(createPATExchangeRequest(keyHash)));
             try (CloseableHttpResponse response = httpClient.execute(exchangeRequest)) {
                 if (response.getStatusLine().getStatusCode() == 200) {
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
@@ -193,7 +193,7 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws
             }
             // Handle PAT logic
             if (isPATEnabled && token.startsWith(APIKeyConstants.PAT_PREFIX)) {
-                token = exchangeJWTForPAT(token);
+                token = exchangeJWTForPAT(requestContext, token);
             }
             String context = requestContext.getMatchedAPI().getBasePath();
             String name = requestContext.getMatchedAPI().getName();
@@ -806,7 +806,7 @@ private String getJWTTokenIdentifier(SignedJWTInfo signedJWTInfo) {
         return signedJWTInfo.getSignedJWT().getSignature().toString();
     }
 
-    private String exchangeJWTForPAT(String pat) throws APISecurityException {
+    private String exchangeJWTForPAT(RequestContext requestContext, String pat) throws APISecurityException {
         if (!APIKeyUtils.isValidAPIKey(pat)) {
             throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
                     APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
@@ -820,13 +820,15 @@ private String exchangeJWTForPAT(String pat) throws APISecurityException {
             }
             return (String) cachedJWT;
         }
-        Optional<String> jwt = APIKeyUtils.exchangePATToJWT(pat);
+        Optional<String> jwt = APIKeyUtils.exchangePATToJWT(keyHash);
         if (jwt.isEmpty()) {
             throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
                     APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
                     APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
         }
         CacheProvider.getGatewayAPIKeyJWTCache().put(keyHash, jwt.get());
+        // Add jwt to x-forwarded-authorization header.
+        requestContext.addOrModifyHeaders("x-forwarded-authorization", jwt.get());
         return jwt.get();
     }
 

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws`
`193`	`193`	`}`
`194`	`194`	`// Handle PAT logic`
`195`	`195`	`if (isPATEnabled && token.startsWith(APIKeyConstants.PAT_PREFIX)) {`
`196`		`- token = exchangeJWTForPAT(token);`
	`196`	`+ token = exchangeJWTForPAT(requestContext, token);`
`197`	`197`	`}`
`198`	`198`	`String context = requestContext.getMatchedAPI().getBasePath();`
`199`	`199`	`String name = requestContext.getMatchedAPI().getName();`
`@@ -806,7 +806,7 @@ private String getJWTTokenIdentifier(SignedJWTInfo signedJWTInfo) {`
`806`	`806`	`return signedJWTInfo.getSignedJWT().getSignature().toString();`
`807`	`807`	`}`
`808`	`808`
`809`		`- private String exchangeJWTForPAT(String pat) throws APISecurityException {`
	`809`	`+ private String exchangeJWTForPAT(RequestContext requestContext, String pat) throws APISecurityException {`
`810`	`810`	`if (!APIKeyUtils.isValidAPIKey(pat)) {`
`811`	`811`	`throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),`
`812`	`812`	`APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,`
`@@ -820,13 +820,15 @@ private String exchangeJWTForPAT(String pat) throws APISecurityException {`
`820`	`820`	`}`
`821`	`821`	`return (String) cachedJWT;`
`822`	`822`	`}`
`823`		`- Optional<String> jwt = APIKeyUtils.exchangePATToJWT(pat);`
	`823`	`+ Optional<String> jwt = APIKeyUtils.exchangePATToJWT(keyHash);`
`824`	`824`	`if (jwt.isEmpty()) {`
`825`	`825`	`throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),`
`826`	`826`	`APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,`
`827`	`827`	`APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);`
`828`	`828`	`}`
`829`	`829`	`CacheProvider.getGatewayAPIKeyJWTCache().put(keyHash, jwt.get());`
	`830`	`+ // Add jwt to x-forwarded-authorization header.`
	`831`	`+ requestContext.addOrModifyHeaders("x-forwarded-authorization", jwt.get());`
`830`	`832`	`return jwt.get();`
`831`	`833`	`}`
`832`	`834`