From 61569ac8d5a8e9bb79b114a178250d4c47f31ad8 Mon Sep 17 00:00:00 2001
From: Mevan
Date: Sun, 10 Nov 2024 20:42:08 +0530
Subject: [PATCH 1/4] Fix scope validation issue when multiple security schemes are configured
---
 .../enforcer/security/KeyValidator.java | 21 ++++++-------------
 .../security/TokenValidationContext.java | 9 ++++++++
 .../security/jwt/JWTAuthenticator.java | 2 ++
 3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
index cb8e8fe308..e677d048ba 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
@@ -86,22 +86,13 @@ public static boolean validateScopes(TokenValidationContext validationContext) t
 ResourceConfig matchedResource = validationContext.getMatchingResourceConfig();
 boolean scopesValidated = false;
- if (matchedResource.getSecuritySchemas().entrySet().size() > 0) {
- for (Map.Entry> pair : matchedResource.getSecuritySchemas().entrySet()) {
- boolean validate = false;
- if (pair.getValue() != null && pair.getValue().size() > 0) {
- scopesValidated = false;
- for (String scope : pair.getValue()) {
- if (scopesSet.contains(scope)) {
- scopesValidated = true;
- validate = true;
- break;
- }
- }
- } else {
+
+ List requiredScopes = matchedResource.getSecuritySchemas()
+ .get(validationContext.getSecurityScheme());
+ if (requiredScopes != null && !requiredScopes.isEmpty()) {
+ for (String scope : requiredScopes) {
+ if (scopesSet.contains(scope)) {
 scopesValidated = true;
- }
- if (validate) {
 break;
 }
 }
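Review bot: The scope check now depends entirely on `getSecuritySchemas().get(validationContext.getSecurityScheme())` finding an entry, and the only caller in this patch sets that key to the fixed name `"default"`; for a resource whose OAuth2 scheme is declared under any other name (the later patches rename the test swaggers from `petstore_auth` for exactly this reason), or for any caller of validateScopes that never sets the scheme, `get(...)` returns `null`, the membership loop is skipped and control falls into the `else` that continues past the end of this hunk. On the old code's shape that branch set `scopesValidated = true`, which would turn a mis-named scheme or an unset context field into a silent scope bypass rather than a denial. I would distinguish "scheme found with an empty scope list" (legitimately scope-free) from "scheme not found while another scheme on the resource requires scopes", and fail closed on the latter, logging the looked-up name so the misconfiguration is visible. validateScopes starts before this hunk and its remaining branches and return end after it, so the exact fall-through should be confirmed there.
```java
        List<String> requiredScopes = matchedResource.getSecuritySchemas()
                .get(validationContext.getSecurityScheme());
        boolean otherSchemeNeedsScopes = matchedResource.getSecuritySchemas().values().stream()
                .anyMatch(scopes -> scopes != null && !scopes.isEmpty());
        if (requiredScopes == null && otherSchemeNeedsScopes) {
            // The configured scheme name is not declared on this resource, yet another scheme
            // on it is scope-protected: fail closed instead of treating the resource as scope-free.
            scopesValidated = false;
        } else if (requiredScopes != null && !requiredScopes.isEmpty()) {
            // … unchanged: membership loop over requiredScopes …
```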
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/TokenValidationContext.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/TokenValidationContext.java
index a460c09b06..93d5ed3471 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/TokenValidationContext.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/TokenValidationContext.java
@@ -46,6 +46,7 @@ public class TokenValidationContext {
 private AccessTokenInfo tokenInfo;
 private String authorizationCode;
 private String tenantDomain;
+ private String securityScheme;
 private List keyManagers = new ArrayList<>();
 public AccessTokenInfo getTokenInfo() {
@@ -179,5 +180,13 @@ public void setKeyManagers(List keyManagers) {
 this.keyManagers = keyManagers;
 }
+
+ public String getSecurityScheme() {
+ return securityScheme;
+ }
+
+ public void setSecurityScheme(String securityScheme) {
+ this.securityScheme = securityScheme;
+ }
 }
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
index 925f3e4763..a1cd2e7239 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
@@ -83,6 +83,7 @@ public class JWTAuthenticator implements Authenticator {
 private static final Logger log = LogManager.getLogger(JWTAuthenticator.class);
+ private static final String SWAGGER_OAUTH2_SECURITY_SCHEME_NAME = "default";
 private final JWTValidator jwtValidator = new JWTValidator();
 private final boolean isGatewayTokenCacheEnabled;
 private AbstractAPIMgtGatewayJWTGenerator jwtGenerator;
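Review bot: `SWAGGER_OAUTH2_SECURITY_SCHEME_NAME = "default"` fixes at compile time the one scheme name under which scopes will be looked up, and nothing in the hunk records that this is a contract the API definition has to honour; an OpenAPI document that names its oauth2 scheme differently (as the test swaggers did before this series) would, as far as this patch shows, have its scopes ignored rather than rejected. Add a comment above the constant such as `// Name the OpenAPI definition must use for its OAuth2 security scheme; only scopes declared under this scheme are enforced by KeyValidator.validateScopes.` so the coupling is explicit, and consider sourcing the name from configuration or from the resource's declared schemes instead of hard-coding it. The TokenValidationContext accessors in the earlier hunks are plain field access and need no change.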
@@ -573,6 +574,7 @@ private void validateScopes(String apiContext, String apiVersion, ResourceConfig
 tokenValidationContext.setMatchingResourceConfig(matchingResource);
 tokenValidationContext.setContext(apiContext);
 tokenValidationContext.setVersion(apiVersion);
+ tokenValidationContext.setSecurityScheme(SWAGGER_OAUTH2_SECURITY_SCHEME_NAME);
 boolean valid = KeyValidator.validateScopes(tokenValidationContext);
 if (valid) {
From b214e4cea310d264a5b18a68e93e67f3436bd164 Mon Sep 17 00:00:00 2001
From: Mevan
Date: Sun, 10 Nov 2024 21:06:31 +0530
Subject: [PATCH 2/4] remove unused import
---
 .../org/wso2/choreo/connect/enforcer/security/KeyValidator.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
index e677d048ba..e9c8c28c1f 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
@@ -41,7 +41,6 @@ import java.util.ArrayList; import java.util.List; -import java.util.Map; import java.util.Set; /**
From 426e44e5d9ca23430ce6fa08686b89f6edc93c71 Mon Sep 17 00:00:00 2001
From: Mevan
Date: Sun, 10 Nov 2024 22:57:51 +0530
Subject: [PATCH 3/4] Change security scheme name for scopes_openAPI.yaml
---
 .../src/test/resources/openAPIs/scopes_openAPI.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/integration/test-integration/src/test/resources/openAPIs/scopes_openAPI.yaml b/integration/test-integration/src/test/resources/openAPIs/scopes_openAPI.yaml
index 68eef094c1..38052b9b15 100644
--- a/integration/test-integration/src/test/resources/openAPIs/scopes_openAPI.yaml
+++ b/integration/test-integration/src/test/resources/openAPIs/scopes_openAPI.yaml
@@ -10,7 +10,7 @@ info: name: Apache 2.0 url: 'http://www.apache.org/licenses/LICENSE-2.0.html' security: - - petstore_auth: + - default: - 'write:scopes' x-wso2-cors: accessControlAllowOrigins: @@ -102,7 +102,7 @@ paths: '404': description: Pet not found security: - - petstore_auth: [] + - default: [] '/pets/findByTags': get: tags: @@ -132,7 +132,7 @@ paths: '400': description: Invalid tag value security: - - petstore_auth: + - default: - 'write:scopes' - 'read:scopes' deprecated: true @@ -141,7 +141,7 @@ securityDefinitions: type: apiKey name: api_key in: header - petstore_auth: + default: type: oauth2 authorizationUrl: 'http://mockBackend:2380/oauth/authorize' flow: implicit From 36e36f9ef88e7eefc51afe447d66fa5d2aa4d859 Mon Sep 17 00:00:00 2001 From: Mevan Date: Sun, 10 Nov 2024 23:59:53 +0530 Subject: [PATCH 4/4] Change security scheme name for security related swaggers --- .../api_key_swagger_security_openAPI.yaml | 4 ++-- .../src/test/resources/openAPIs/openAPI.yaml | 24 +++++++++---------- .../resources/openAPIs/openAPI_startup.yaml | 4 ++-- .../resources/openAPIs/security_openAPI.yaml | 8 +++---- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/integration/test-integration/src/test/resources/openAPIs/api_key_swagger_security_openAPI.yaml b/integration/test-integration/src/test/resources/openAPIs/api_key_swagger_security_openAPI.yaml index b4cb20324b..983d2b4623 100644 --- a/integration/test-integration/src/test/resources/openAPIs/api_key_swagger_security_openAPI.yaml +++ b/integration/test-integration/src/test/resources/openAPIs/api_key_swagger_security_openAPI.yaml @@ -82,7 +82,7 @@ paths: '400': description: Invalid tag value security: - - petstore_auth: + - default: - write:pets '/jwtheader': get: @@ -116,7 +116,7 @@ securityDefinitions: type: apiKey name: x-api-key-header in: header - petstore_auth: + default: type: oauth2 authorizationUrl: 'http://mockBackend:2380/oauth/authorize' flow: implicit 
diff --git a/integration/test-integration/src/test/resources/openAPIs/openAPI.yaml b/integration/test-integration/src/test/resources/openAPIs/openAPI.yaml index 7217759038..d964f1f3fe 100644 --- a/integration/test-integration/src/test/resources/openAPIs/openAPI.yaml +++ b/integration/test-integration/src/test/resources/openAPIs/openAPI.yaml @@ -81,7 +81,7 @@ paths: schema: $ref: '#/definitions/ApiResponse' security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' /pet: @@ -108,7 +108,7 @@ paths: '405': description: Invalid input security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' put: @@ -138,7 +138,7 @@ paths: '405': description: Validation exception security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' /pet/findByStatus: @@ -175,7 +175,7 @@ paths: '400': description: Invalid status value security: - - petstore_auth: + - default: - 'write:pets' /pets/findByTags: get: @@ -206,7 +206,7 @@ paths: '400': description: Invalid tag value security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' deprecated: true @@ -268,7 +268,7 @@ paths: '405': description: Invalid input security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' delete: @@ -297,7 +297,7 @@ paths: '404': description: Pet not found security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' /store/order: @@ -601,7 +601,7 @@ paths: '400': description: Invalid status value security: - - petstore_auth: [ ] + - default: [ ] /jwttoken: get: summary: Get the backend jwt token @@ -613,7 +613,7 @@ paths: '400': description: Invalid status value security: - - petstore_auth: [ ] + - default: [ ] /headers: get: summary: getHeaders @@ -627,7 +627,7 @@ paths: '404': description: Resource not found security: - - petstore_auth: [ ] + - default: [ ] /headers/{headerId}.api: get: summary: getHeaders 
@@ -641,13 +641,13 @@ paths: '404': description: Resource not found security: - - petstore_auth: [ ] + - default: [ ] securityDefinitions: api_key: type: apiKey name: api_key in: header - petstore_auth: + default: type: oauth2 authorizationUrl: 'http://mockBackend:2380/oauth/authorize' flow: implicit diff --git a/integration/test-integration/src/test/resources/openAPIs/openAPI_startup.yaml b/integration/test-integration/src/test/resources/openAPIs/openAPI_startup.yaml index bd7b51136c..f44906a957 100644 --- a/integration/test-integration/src/test/resources/openAPIs/openAPI_startup.yaml +++ b/integration/test-integration/src/test/resources/openAPIs/openAPI_startup.yaml @@ -76,14 +76,14 @@ paths: '400': description: Invalid status value security: - - petstore_auth: + - default: - 'write:pets' securityDefinitions: api_key: type: apiKey name: api_key in: header - petstore_auth: + default: type: oauth2 authorizationUrl: 'http://mockBackend:2380/oauth/authorize' flow: implicit diff --git a/integration/test-integration/src/test/resources/openAPIs/security_openAPI.yaml b/integration/test-integration/src/test/resources/openAPIs/security_openAPI.yaml index a136ff80a7..a76294cfe6 100644 --- a/integration/test-integration/src/test/resources/openAPIs/security_openAPI.yaml +++ b/integration/test-integration/src/test/resources/openAPIs/security_openAPI.yaml @@ -101,7 +101,7 @@ paths: '405': description: Invalid input security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' delete: @@ -130,7 +130,7 @@ paths: '404': description: Pet not found security: - - petstore_auth: + - default: - 'write:pets' - 'read:pets' '/removeauthheader': @@ -144,13 +144,13 @@ paths: '400': description: Invalid status value security: - - petstore_auth: [ ] + - default: [ ] securityDefinitions: api_key: type: apiKey name: api_key in: header - petstore_auth: + default: type: oauth2 authorizationUrl: 'http://mockBackend:2380/oauth/authorize' flow: implicit