Merge pull request #2272 from pubudu538/cc-redis

Mandate Internal-Key validation for DP to CP mode

adapter/api/proto/wso2/discovery/config/enforcer/config.proto

@@ -50,4 +50,7 @@ message Config {
     bool mandateSubscriptionValidation = 13;
 
     HttpClient httpClient = 14;
+
+    bool mandateInternalKeyValidation = 15;
+
 }

adapter/config/default_config.go

@@ -206,6 +206,7 @@ var defaultConfig = &Config{
 			Type:    "azure",
 		},
 		MandateSubscriptionValidation: false,
+		MandateInternalKeyValidation:  false,
 	},
 	ManagementServer: managementServer{
 		Enabled:   false,

adapter/config/types.go

@@ -163,6 +163,7 @@ type enforcer struct {
 	Filters                       []filter
 	Metrics                       Metrics
 	MandateSubscriptionValidation bool
+	MandateInternalKeyValidation  bool
 	Client                        httpClient
 }
 

adapter/internal/discovery/xds/marshaller.go

@@ -80,6 +80,8 @@ func MarshalConfig(config *config.Config) *enforcer.Config {
 		Type:    config.Enforcer.Metrics.Type,
 	}
 	mandateSubscriptionValidation := config.Enforcer.MandateSubscriptionValidation
+	mandateInternalKeyValidation := config.Enforcer.MandateInternalKeyValidation
+
 	analytics := &enforcer.Analytics{
 		Enabled:            config.Analytics.Enabled,
 		Properties:         config.Analytics.Properties,
@@ -157,6 +159,7 @@ func MarshalConfig(config *config.Config) *enforcer.Config {
 		Filters:                       filters,
 		Soap:                          soap,
 		MandateSubscriptionValidation: mandateSubscriptionValidation,
+		MandateInternalKeyValidation:  mandateInternalKeyValidation,
 		HttpClient:                    httpClient,
 	}
 }

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java

@@ -32,6 +32,8 @@
 import org.wso2.apk.enforcer.commons.model.RequestContext;
 import org.wso2.apk.enforcer.commons.model.ResourceConfig;
 import org.wso2.apk.enforcer.commons.model.RetryConfig;
+import org.wso2.apk.enforcer.config.ConfigHolder;
+import org.wso2.apk.enforcer.constants.APIConstants;
 import org.wso2.apk.enforcer.constants.AdapterConstants;
 
 import java.util.ArrayList;
@@ -90,6 +92,13 @@ public static ResourceConfig buildResource(Operation operation, String resPath,
         resource.setTier(operation.getTier());
         resource.setEndpointSecurity(endpointSecurity);
         AuthenticationConfig authenticationConfig = new AuthenticationConfig();
+
+        if (ConfigHolder.getInstance().getConfig()
+                .getMandateInternalKeyValidation()) {
+            JWTAuthenticationConfig jwtAuthenticationConfig = getDefaultJwtAuthenticationConfig();
+            authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
+        }
+
         if (operation.hasApiAuthentication()) {
             authenticationConfig.setDisabled(operation.getApiAuthentication().getDisabled());
             if (operation.getApiAuthentication().hasOauth2()) {
@@ -136,6 +145,13 @@ private static JWTAuthenticationConfig getJwtAuthenticationConfig(Operation oper
         return jwtAuthenticationConfig;
     }
 
+    private static JWTAuthenticationConfig getDefaultJwtAuthenticationConfig() {
+        JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+        jwtAuthenticationConfig.setHeader(APIConstants.TEST_CONSOLE_KEY_HEADER);
+        jwtAuthenticationConfig.setSendTokenToUpstream(false);
+        return jwtAuthenticationConfig;
+    }
+
     public static PolicyConfig genPolicyConfig(OperationPolicies operationPolicies) {
         PolicyConfig policyConfig = new PolicyConfig();
         if (operationPolicies.getRequestCount() > 0) {

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/ConfigHolder.java

@@ -173,6 +173,7 @@ private void parseConfigs(Config config) {
         populateAPIKeyIssuer(config.getSecurity().getApiKey());
         populateInternalTokenIssuer(config.getSecurity().getRuntimeToken());
         populateMandateSubscriptionValidationConfig(config.getMandateSubscriptionValidation());
+        populateMandateInternalKeyValidationConfig(config.getMandateInternalKeyValidation());
         populateHttpClientConfig(config.getHttpClient());
         // resolve string variables provided as environment variables.
         resolveConfigsWithEnvs(this.config);
@@ -225,6 +226,10 @@ private void populateMandateSubscriptionValidationConfig(boolean mandateSubscrip
         config.setMandateSubscriptionValidation(mandateSubscriptionValidation);
     }
 
+    private void populateMandateInternalKeyValidationConfig(boolean mandateInternalKeyValidation) {
+        config.setMandateInternalKeyValidation(mandateInternalKeyValidation);
+    }
+
     private void populateManagementCredentials(Management management) {
 
         ManagementCredentialsDto managementCredentialsDto = new ManagementCredentialsDto();

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/EnforcerConfig.java

@@ -61,6 +61,7 @@ public class EnforcerConfig {
 
     private SoapErrorResponseConfigDto soapErrorResponseConfigDto;
     private boolean mandateSubscriptionValidation;
+    private boolean mandateInternalKeyValidation;
     private ClientConfigDto httpClientConfigDto;
 
     public ClientConfigDto getHttpClientConfigDto() {
@@ -224,5 +225,13 @@ public boolean getMandateSubscriptionValidation() {
     public void setMandateSubscriptionValidation(boolean mandateSubscriptionValidation) {
         this.mandateSubscriptionValidation = mandateSubscriptionValidation;
     }
+
+    public boolean getMandateInternalKeyValidation() {
+        return mandateInternalKeyValidation;
+    }
+
+    public void setMandateInternalKeyValidation(boolean mandateInternalKeyValidation) {
+        this.mandateInternalKeyValidation = mandateInternalKeyValidation;
+    }
 }
 

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java

@@ -57,6 +57,7 @@ public class APIConstants {
     public static final String API_SECURITY_MUTUAL_SSL_NAME = "mtls";
     public static final String CLIENT_CERTIFICATE_HEADER_DEFAULT = "X-WSO2-CLIENT-CERTIFICATE";
     public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
+    public static final String TEST_CONSOLE_KEY_HEADER = "internal-key";
 
     public static final String BEGIN_CERTIFICATE_STRING = "-----BEGIN CERTIFICATE-----";
     public static final String END_CERTIFICATE_STRING = "-----END CERTIFICATE-----";

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java

@@ -488,7 +488,8 @@ private Boolean isJWTExpired(JWTValidationInfo payload) {
      * @return true if list1 is empty else if at least one element from list1 exists in list2, otherwise false.
      */
     public static boolean checkAnyExist(List<String> list1, List<String> list2) {
-        if (list1.size() == 0) {
+
+        if (list1 == null || list1.size() == 0) {
             return true;
         }
         return list1.stream().anyMatch(list2::contains);