Merge pull request #3618 from mevan-karu/api_key_impl

Fix scope validation issue when multiple security schemes are configured
wso2 · Nov 11, 2024 · c6ae86d · c6ae86d
2 parents cdb10a3 + 36e36f9
commit c6ae86d
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 40 deletions.
diff --git a/...parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java b/...parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
@@ -41,7 +41,6 @@
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 
 /**
@@ -86,22 +85,13 @@ public static boolean validateScopes(TokenValidationContext validationContext) t
 
         ResourceConfig matchedResource = validationContext.getMatchingResourceConfig();
         boolean scopesValidated = false;
-        if (matchedResource.getSecuritySchemas().entrySet().size() > 0) {
-            for (Map.Entry<String, List<String>> pair : matchedResource.getSecuritySchemas().entrySet()) {
-                boolean validate = false;
-                if (pair.getValue() != null && pair.getValue().size() > 0) {
-                    scopesValidated = false;
-                    for (String scope : pair.getValue()) {
-                        if (scopesSet.contains(scope)) {
-                            scopesValidated = true;
-                            validate = true;
-                            break;
-                        }
-                    }
-                } else {
+
+        List<String> requiredScopes = matchedResource.getSecuritySchemas()
+                .get(validationContext.getSecurityScheme());
+        if (requiredScopes != null && !requiredScopes.isEmpty()) {
+            for (String scope : requiredScopes) {
+                if (scopesSet.contains(scope)) {
                     scopesValidated = true;
-                }
-                if (validate) {
                     break;
                 }
             }

diff --git a/...orcer/src/main/java/org/wso2/choreo/connect/enforcer/security/TokenValidationContext.java b/...orcer/src/main/java/org/wso2/choreo/connect/enforcer/security/TokenValidationContext.java
@@ -46,6 +46,7 @@ public class TokenValidationContext {
     private AccessTokenInfo tokenInfo;
     private String authorizationCode;
     private String tenantDomain;
+    private String securityScheme;
     private List<String> keyManagers = new ArrayList<>();
 
     public AccessTokenInfo getTokenInfo() {
@@ -179,5 +180,13 @@ public void setKeyManagers(List<String> keyManagers) {
 
         this.keyManagers = keyManagers;
     }
+
+    public String getSecurityScheme() {
+        return securityScheme;
+    }
+
+    public void setSecurityScheme(String securityScheme) {
+        this.securityScheme = securityScheme;
+    }
 }
 
diff --git a/...nforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java b/...nforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
@@ -83,6 +83,7 @@
 public class JWTAuthenticator implements Authenticator {
 
     private static final Logger log = LogManager.getLogger(JWTAuthenticator.class);
+    private static final String SWAGGER_OAUTH2_SECURITY_SCHEME_NAME = "default";
     private final JWTValidator jwtValidator = new JWTValidator();
     private final boolean isGatewayTokenCacheEnabled;
     private AbstractAPIMgtGatewayJWTGenerator jwtGenerator;
@@ -573,6 +574,7 @@ private void validateScopes(String apiContext, String apiVersion, ResourceConfig
             tokenValidationContext.setMatchingResourceConfig(matchingResource);
             tokenValidationContext.setContext(apiContext);
             tokenValidationContext.setVersion(apiVersion);
+            tokenValidationContext.setSecurityScheme(SWAGGER_OAUTH2_SECURITY_SCHEME_NAME);
 
             boolean valid = KeyValidator.validateScopes(tokenValidationContext);
             if (valid) {

diff --git a/...ration/test-integration/src/test/resources/openAPIs/api_key_swagger_security_openAPI.yaml b/...ration/test-integration/src/test/resources/openAPIs/api_key_swagger_security_openAPI.yaml
@@ -82,7 +82,7 @@ paths:
         '400':
           description: Invalid tag value
       security:
-        - petstore_auth:
+        - default:
             - write:pets
   '/jwtheader':
     get:
@@ -116,7 +116,7 @@ securityDefinitions:
     type: apiKey
     name: x-api-key-header
     in: header
-  petstore_auth:
+  default:
     type: oauth2
     authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
     flow: implicit

diff --git a/integration/test-integration/src/test/resources/openAPIs/openAPI.yaml b/integration/test-integration/src/test/resources/openAPIs/openAPI.yaml
@@ -81,7 +81,7 @@ paths:
           schema:
             $ref: '#/definitions/ApiResponse'
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
   /pet:
@@ -108,7 +108,7 @@ paths:
         '405':
           description: Invalid input
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
     put:
@@ -138,7 +138,7 @@ paths:
         '405':
           description: Validation exception
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
   /pet/findByStatus:
@@ -175,7 +175,7 @@ paths:
         '400':
           description: Invalid status value
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
   /pets/findByTags:
     get:
@@ -206,7 +206,7 @@ paths:
         '400':
           description: Invalid tag value
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
       deprecated: true
@@ -268,7 +268,7 @@ paths:
         '405':
           description: Invalid input
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
     delete:
@@ -297,7 +297,7 @@ paths:
         '404':
           description: Pet not found
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
   /store/order:
@@ -601,7 +601,7 @@ paths:
         '400':
           description: Invalid status value
       security:
-        - petstore_auth: [ ]
+        - default: [ ]
   /jwttoken:
     get:
       summary: Get the backend jwt token
@@ -613,7 +613,7 @@ paths:
         '400':
           description: Invalid status value
       security:
-        - petstore_auth: [ ]
+        - default: [ ]
   /headers:
     get:
       summary: getHeaders
@@ -627,7 +627,7 @@ paths:
         '404':
           description: Resource not found
       security:
-        - petstore_auth: [ ]
+        - default: [ ]
   /headers/{headerId}.api:
     get:
       summary: getHeaders
@@ -641,13 +641,13 @@ paths:
         '404':
           description: Resource not found
       security:
-        - petstore_auth: [ ]
+        - default: [ ]
 securityDefinitions:
   api_key:
     type: apiKey
     name: api_key
     in: header
-  petstore_auth:
+  default:
     type: oauth2
     authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
     flow: implicit

diff --git a/integration/test-integration/src/test/resources/openAPIs/openAPI_startup.yaml b/integration/test-integration/src/test/resources/openAPIs/openAPI_startup.yaml
@@ -76,14 +76,14 @@ paths:
         '400':
           description: Invalid status value
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
 securityDefinitions:
   api_key:
     type: apiKey
     name: api_key
     in: header
-  petstore_auth:
+  default:
     type: oauth2
     authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
     flow: implicit

diff --git a/integration/test-integration/src/test/resources/openAPIs/scopes_openAPI.yaml b/integration/test-integration/src/test/resources/openAPIs/scopes_openAPI.yaml
@@ -10,7 +10,7 @@ info:
     name: Apache 2.0
     url: 'http://www.apache.org/licenses/LICENSE-2.0.html'
 security:
-  - petstore_auth:
+  - default:
       - 'write:scopes'
 x-wso2-cors:
   accessControlAllowOrigins:
@@ -102,7 +102,7 @@ paths:
         '404':
           description: Pet not found
       security:
-        - petstore_auth: []
+        - default: []
   '/pets/findByTags':
     get:
       tags:
@@ -132,7 +132,7 @@ paths:
         '400':
           description: Invalid tag value
       security:
-        - petstore_auth:
+        - default:
             - 'write:scopes'
             - 'read:scopes'
       deprecated: true
@@ -141,7 +141,7 @@ securityDefinitions:
     type: apiKey
     name: api_key
     in: header
-  petstore_auth:
+  default:
     type: oauth2
     authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
     flow: implicit

diff --git a/integration/test-integration/src/test/resources/openAPIs/security_openAPI.yaml b/integration/test-integration/src/test/resources/openAPIs/security_openAPI.yaml
@@ -101,7 +101,7 @@ paths:
         '405':
           description: Invalid input
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
     delete:
@@ -130,7 +130,7 @@ paths:
         '404':
           description: Pet not found
       security:
-        - petstore_auth:
+        - default:
             - 'write:pets'
             - 'read:pets'
   '/removeauthheader':
@@ -144,13 +144,13 @@ paths:
         '400':
           description: Invalid status value
       security:
-        - petstore_auth: [ ]
+        - default: [ ]
 securityDefinitions:
   api_key:
     type: apiKey
     name: api_key
     in: header
-  petstore_auth:
+  default:
     type: oauth2
     authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
     flow: implicit