Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix scope validation issue when multiple security schemes are configured #3618

Merged
merged 4 commits into from
Nov 11, 2024
Merged

Fix scope validation issue when multiple security schemes are configured #3618

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
61569ac
Fix scope validation issue when multiple security schemes are configured
mevan-karu Nov 10, 2024
b214e4c
remove unused import
mevan-karu Nov 10, 2024
426e44e
Change security scheme name for scopes_openAPI.yaml
mevan-karu Nov 10, 2024
36e36f9
Change security scheme name for security related swaggers
mevan-karu Nov 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 6 additions & 16 deletions ...parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,6 @@

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
Expand Down Expand Up @@ -86,22 +85,13 @@ public static boolean validateScopes(TokenValidationContext validationContext) t

ResourceConfig matchedResource = validationContext.getMatchingResourceConfig();
boolean scopesValidated = false;
if (matchedResource.getSecuritySchemas().entrySet().size() > 0) {
for (Map.Entry<String, List<String>> pair : matchedResource.getSecuritySchemas().entrySet()) {
boolean validate = false;
if (pair.getValue() != null && pair.getValue().size() > 0) {
scopesValidated = false;
for (String scope : pair.getValue()) {
if (scopesSet.contains(scope)) {
scopesValidated = true;
validate = true;
break;
}
}
} else {

List<String> requiredScopes = matchedResource.getSecuritySchemas()
.get(validationContext.getSecurityScheme());
if (requiredScopes != null && !requiredScopes.isEmpty()) {
for (String scope : requiredScopes) {
if (scopesSet.contains(scope)) {
scopesValidated = true;
}
if (validate) {
break;
}
}
Expand Down
9 changes: 9 additions & 0 deletions ...orcer/src/main/java/org/wso2/choreo/connect/enforcer/security/TokenValidationContext.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ public class TokenValidationContext {
private AccessTokenInfo tokenInfo;
private String authorizationCode;
private String tenantDomain;
private String securityScheme;
private List<String> keyManagers = new ArrayList<>();

public AccessTokenInfo getTokenInfo() {
Expand Down Expand Up @@ -179,5 +180,13 @@ public void setKeyManagers(List<String> keyManagers) {

this.keyManagers = keyManagers;
}

public String getSecurityScheme() {
return securityScheme;
}

public void setSecurityScheme(String securityScheme) {
this.securityScheme = securityScheme;
}
}

2 changes: 2 additions & 0 deletions ...nforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@
public class JWTAuthenticator implements Authenticator {

private static final Logger log = LogManager.getLogger(JWTAuthenticator.class);
private static final String SWAGGER_OAUTH2_SECURITY_SCHEME_NAME = "default";
private final JWTValidator jwtValidator = new JWTValidator();
private final boolean isGatewayTokenCacheEnabled;
private AbstractAPIMgtGatewayJWTGenerator jwtGenerator;
Expand Down Expand Up @@ -573,6 +574,7 @@ private void validateScopes(String apiContext, String apiVersion, ResourceConfig
tokenValidationContext.setMatchingResourceConfig(matchingResource);
tokenValidationContext.setContext(apiContext);
tokenValidationContext.setVersion(apiVersion);
tokenValidationContext.setSecurityScheme(SWAGGER_OAUTH2_SECURITY_SCHEME_NAME);

boolean valid = KeyValidator.validateScopes(tokenValidationContext);
if (valid) {
Expand Down
4 changes: 2 additions & 2 deletions ...ration/test-integration/src/test/resources/openAPIs/api_key_swagger_security_openAPI.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ paths:
'400':
description: Invalid tag value
security:
- petstore_auth:
- default:
- write:pets
'/jwtheader':
get:
Expand Down Expand Up @@ -116,7 +116,7 @@ securityDefinitions:
type: apiKey
name: x-api-key-header
in: header
petstore_auth:
default:
type: oauth2
authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
flow: implicit
Expand Down
24 changes: 12 additions & 12 deletions integration/test-integration/src/test/resources/openAPIs/openAPI.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ paths:
schema:
$ref: '#/definitions/ApiResponse'
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
/pet:
Expand All @@ -108,7 +108,7 @@ paths:
'405':
description: Invalid input
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
put:
Expand Down Expand Up @@ -138,7 +138,7 @@ paths:
'405':
description: Validation exception
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
/pet/findByStatus:
Expand Down Expand Up @@ -175,7 +175,7 @@ paths:
'400':
description: Invalid status value
security:
- petstore_auth:
- default:
- 'write:pets'
/pets/findByTags:
get:
Expand Down Expand Up @@ -206,7 +206,7 @@ paths:
'400':
description: Invalid tag value
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
deprecated: true
Expand Down Expand Up @@ -268,7 +268,7 @@ paths:
'405':
description: Invalid input
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
delete:
Expand Down Expand Up @@ -297,7 +297,7 @@ paths:
'404':
description: Pet not found
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
/store/order:
Expand Down Expand Up @@ -601,7 +601,7 @@ paths:
'400':
description: Invalid status value
security:
- petstore_auth: [ ]
- default: [ ]
/jwttoken:
get:
summary: Get the backend jwt token
Expand All @@ -613,7 +613,7 @@ paths:
'400':
description: Invalid status value
security:
- petstore_auth: [ ]
- default: [ ]
/headers:
get:
summary: getHeaders
Expand All @@ -627,7 +627,7 @@ paths:
'404':
description: Resource not found
security:
- petstore_auth: [ ]
- default: [ ]
/headers/{headerId}.api:
get:
summary: getHeaders
Expand All @@ -641,13 +641,13 @@ paths:
'404':
description: Resource not found
security:
- petstore_auth: [ ]
- default: [ ]
securityDefinitions:
api_key:
type: apiKey
name: api_key
in: header
petstore_auth:
default:
type: oauth2
authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
flow: implicit
Expand Down
4 changes: 2 additions & 2 deletions integration/test-integration/src/test/resources/openAPIs/openAPI_startup.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,14 +76,14 @@ paths:
'400':
description: Invalid status value
security:
- petstore_auth:
- default:
- 'write:pets'
securityDefinitions:
api_key:
type: apiKey
name: api_key
in: header
petstore_auth:
default:
type: oauth2
authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
flow: implicit
Expand Down
8 changes: 4 additions & 4 deletions integration/test-integration/src/test/resources/openAPIs/scopes_openAPI.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ info:
name: Apache 2.0
url: 'http://www.apache.org/licenses/LICENSE-2.0.html'
security:
- petstore_auth:
- default:
- 'write:scopes'
x-wso2-cors:
accessControlAllowOrigins:
Expand Down Expand Up @@ -102,7 +102,7 @@ paths:
'404':
description: Pet not found
security:
- petstore_auth: []
- default: []
'/pets/findByTags':
get:
tags:
Expand Down Expand Up @@ -132,7 +132,7 @@ paths:
'400':
description: Invalid tag value
security:
- petstore_auth:
- default:
- 'write:scopes'
- 'read:scopes'
deprecated: true
Expand All @@ -141,7 +141,7 @@ securityDefinitions:
type: apiKey
name: api_key
in: header
petstore_auth:
default:
type: oauth2
authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
flow: implicit
Expand Down
8 changes: 4 additions & 4 deletions integration/test-integration/src/test/resources/openAPIs/security_openAPI.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ paths:
'405':
description: Invalid input
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
delete:
Expand Down Expand Up @@ -130,7 +130,7 @@ paths:
'404':
description: Pet not found
security:
- petstore_auth:
- default:
- 'write:pets'
- 'read:pets'
'/removeauthheader':
Expand All @@ -144,13 +144,13 @@ paths:
'400':
description: Invalid status value
security:
- petstore_auth: [ ]
- default: [ ]
securityDefinitions:
api_key:
type: apiKey
name: api_key
in: header
petstore_auth:
default:
type: oauth2
authorizationUrl: 'http://mockBackend:2380/oauth/authorize'
flow: implicit
Expand Down
Loading