Merge pull request #3608 from mevan-karu/choreo

Remove existing API key impl and replace it with new Choreo API key impl

enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/api/Utils.java

@@ -25,10 +25,8 @@
 import org.wso2.choreo.connect.enforcer.commons.model.RequestContext;
 import org.wso2.choreo.connect.enforcer.commons.model.ResourceConfig;
 import org.wso2.choreo.connect.enforcer.commons.model.RetryConfig;
-import org.wso2.choreo.connect.enforcer.commons.model.SecuritySchemaConfig;
 import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
 import org.wso2.choreo.connect.enforcer.config.dto.AuthHeaderDto;
-import org.wso2.choreo.connect.enforcer.constants.APIConstants;
 import org.wso2.choreo.connect.enforcer.constants.Constants;
 import org.wso2.choreo.connect.enforcer.util.FilterUtils;
 
@@ -94,28 +92,6 @@ static void populateRemoveAndProtectedHeaders(RequestContext requestContext) {
             return;
         }
 
-        Map<String, SecuritySchemaConfig> securitySchemeDefinitions = requestContext.getMatchedAPI()
-                .getSecuritySchemeDefinitions();
-        // API key headers are considered to be protected headers, such that the header
-        // would not be sent
-        // to backend and traffic manager.
-        // This would prevent leaking credentials, even if user is invoking unsecured
-        // resource with some
-        // credentials.
-        for (Map.Entry<String, SecuritySchemaConfig> entry : securitySchemeDefinitions.entrySet()) {
-            SecuritySchemaConfig schema = entry.getValue();
-            if (APIConstants.SWAGGER_API_KEY_AUTH_TYPE_NAME.equalsIgnoreCase(schema.getType())) {
-                if (APIConstants.SWAGGER_API_KEY_IN_HEADER.equals(schema.getIn())) {
-                    requestContext.getProtectedHeaders().add(schema.getName());
-                    requestContext.getRemoveHeaders().add(schema.getName());
-                    continue;
-                }
-                if (APIConstants.SWAGGER_API_KEY_IN_QUERY.equals(schema.getIn())) {
-                    requestContext.getQueryParamsToRemove().add(schema.getName());
-                }
-            }
-        }
-
         // Internal-Key credential is considered to be protected headers, such that the
         // header would not be sent
         // to backend and traffic manager.

enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/AuthFilter.java

@@ -34,7 +34,6 @@
 import org.wso2.choreo.connect.enforcer.constants.InterceptorConstants;
 import org.wso2.choreo.connect.enforcer.exception.APISecurityException;
 import org.wso2.choreo.connect.enforcer.security.jwt.APIKeyAuthenticator;
-import org.wso2.choreo.connect.enforcer.security.jwt.ChoreoAPIKeyAuthenticator;
 import org.wso2.choreo.connect.enforcer.security.jwt.InternalAPIKeyAuthenticator;
 import org.wso2.choreo.connect.enforcer.security.jwt.JWTAuthenticator;
 import org.wso2.choreo.connect.enforcer.security.jwt.UnsecuredAPIAuthenticator;
@@ -67,7 +66,6 @@ private void initializeAuthenticators(APIConfig apiConfig) {
         boolean isApiKeyProtected = false;
         boolean isMutualSSLMandatory = false;
         boolean isOAuthBasicAuthMandatory = false;
-        boolean isChoreoApiKeyProtected = false;
 
         // Set security conditions
         if (apiConfig.getSecuritySchemeDefinitions() == null) {
@@ -88,7 +86,6 @@ private void initializeAuthenticators(APIConfig apiConfig) {
                         equalsIgnoreCase(APIConstants.API_SECURITY_OAUTH_BASIC_AUTH_API_KEY_MANDATORY)) {
                     isOAuthBasicAuthMandatory = true;
                 } else if (apiSecurityLevel.trim().equalsIgnoreCase(APIConstants.SWAGGER_API_KEY_AUTH_TYPE_NAME)) {
-                    isChoreoApiKeyProtected = true;
                     isApiKeyProtected = true;
                 }
             }
@@ -105,11 +102,6 @@ private void initializeAuthenticators(APIConfig apiConfig) {
             authenticators.add(apiKeyAuthenticator);
         }
 
-        if (isChoreoApiKeyProtected) {
-            ChoreoAPIKeyAuthenticator choreoAPIKeyAuthenticator = new ChoreoAPIKeyAuthenticator();
-            authenticators.add(choreoAPIKeyAuthenticator);
-        }
-
         Authenticator authenticator = new InternalAPIKeyAuthenticator(
                 ConfigHolder.getInstance().getConfig().getAuthHeader().getTestConsoleHeaderName().toLowerCase());
         authenticators.add(authenticator);

enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java

@@ -526,8 +526,8 @@ protected String retrieveTokenFromRequestCtx(RequestContext requestContext) thro
             throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
                     APISecurityConstants.API_AUTH_MISSING_CREDENTIALS, "Missing Credentials");
         }
-        String[] splitToken = authHeaderVal.split("\\s");
-        String token = authHeaderVal;
+        String token = authHeaderVal.trim();
+        String[] splitToken = token.split("\\s");
         // Extract the token when it is sent as bearer token. i.e Authorization: Bearer <token>
         if (splitToken.length > 1) {
             token = splitToken[1];