diff --git a/adapter/api/proto/wso2/discovery/config/enforcer/config.proto b/adapter/api/proto/wso2/discovery/config/enforcer/config.proto
index e2b91213e..9e7404f6d 100644
--- a/adapter/api/proto/wso2/discovery/config/enforcer/config.proto
+++ b/adapter/api/proto/wso2/discovery/config/enforcer/config.proto
@@ -50,4 +50,7 @@ message Config {
 bool mandateSubscriptionValidation = 13; HttpClient httpClient = 14; + + bool mandateInternalKeyValidation = 15; + }
diff --git a/adapter/config/default_config.go b/adapter/config/default_config.go
index ce30cd1ab..bb33986b9 100644
--- a/adapter/config/default_config.go
+++ b/adapter/config/default_config.go
@@ -206,6 +206,7 @@ var defaultConfig = &Config{
 Type: "azure",
 },
 MandateSubscriptionValidation: false,
+ MandateInternalKeyValidation: false,
 },
 ManagementServer: managementServer{
 Enabled: false,
diff --git a/adapter/config/types.go b/adapter/config/types.go
index 3a6a6d679..92cb283b1 100644
--- a/adapter/config/types.go
+++ b/adapter/config/types.go
@@ -163,6 +163,7 @@ type enforcer struct {
 Filters []filter
 Metrics Metrics
 MandateSubscriptionValidation bool
+ MandateInternalKeyValidation bool
 Client httpClient
 }
 
diff --git a/adapter/internal/discovery/xds/marshaller.go b/adapter/internal/discovery/xds/marshaller.go
index 0b4fcfc94..7bfc4e805 100644
--- a/adapter/internal/discovery/xds/marshaller.go
+++ b/adapter/internal/discovery/xds/marshaller.go
@@ -80,6 +80,8 @@ func MarshalConfig(config *config.Config) *enforcer.Config {
 Type: config.Enforcer.Metrics.Type,
 }
 mandateSubscriptionValidation := config.Enforcer.MandateSubscriptionValidation
+ mandateInternalKeyValidation := config.Enforcer.MandateInternalKeyValidation
+
 analytics := &enforcer.Analytics{
 Enabled: config.Analytics.Enabled,
 Properties: config.Analytics.Properties,
@@ -157,6 +159,7 @@ func MarshalConfig(config *config.Config) *enforcer.Config {
 Filters: filters,
 Soap: soap,
 MandateSubscriptionValidation: mandateSubscriptionValidation,
+ MandateInternalKeyValidation: mandateInternalKeyValidation,
 HttpClient: httpClient,
 }
 }
diff --git a/adapter/pkg/discovery/api/wso2/discovery/config/enforcer/config.pb.go b/adapter/pkg/discovery/api/wso2/discovery/config/enforcer/config.pb.go
index 7acd2de17..0f0eca465 100644
--- a/adapter/pkg/discovery/api/wso2/discovery/config/enforcer/config.pb.go
+++ b/adapter/pkg/discovery/api/wso2/discovery/config/enforcer/config.pb.go
@@ -40,6 +40,7 @@ type Config struct {
 Soap *Soap `protobuf:"bytes,12,opt,name=soap,proto3" json:"soap,omitempty"` MandateSubscriptionValidation bool `protobuf:"varint,13,opt,name=mandateSubscriptionValidation,proto3" json:"mandateSubscriptionValidation,omitempty"` HttpClient *HttpClient `protobuf:"bytes,14,opt,name=httpClient,proto3" json:"httpClient,omitempty"` + MandateInternalKeyValidation bool `protobuf:"varint,15,opt,name=mandateInternalKeyValidation,proto3" json:"mandateInternalKeyValidation,omitempty"` } func (x *Config) Reset() {
@@ -172,6 +173,13 @@ func (x *Config) GetHttpClient() *HttpClient {
 return nil } +func (x *Config) GetMandateInternalKeyValidation() bool { + if x != nil { + return x.MandateInternalKeyValidation + } + return false +} + var File_wso2_discovery_config_enforcer_config_proto protoreflect.FileDescriptor var file_wso2_discovery_config_enforcer_config_proto_rawDesc = []byte{
@@ -214,7 +222,7 @@ var file_wso2_discovery_config_enforcer_config_proto_rawDesc = []byte{ 0x73, 0x6f, 0x61, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2b, 0x77, 0x73, 0x6f, 0x32, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, 0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, - 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe3, 0x07, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, + 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa7, 0x08, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x44, 0x0a, 0x08, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x65, 0x6e, 0x66, 
@@ -276,17 +284,21 @@ var file_wso2_discovery_config_enforcer_config_proto_rawDesc = []byte{ 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6c, 0x69, 0x65, 0x6e, - 0x74, 0x52, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x42, 0x90, 0x01, - 0x0a, 0x2f, 0x6f, 0x72, 0x67, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x61, 0x70, 0x6b, 0x2e, 0x65, - 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, - 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, - 0x72, 0x42, 0x0b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, - 0x5a, 0x4e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, - 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, - 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x77, 0x73, 0x6f, 0x32, 0x2f, 0x64, 0x69, - 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x65, - 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, 0x3b, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x52, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x12, 0x42, 0x0a, + 0x1c, 0x6d, 0x61, 0x6e, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, + 0x4b, 0x65, 0x79, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0f, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x1c, 0x6d, 0x61, 0x6e, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, + 0x72, 0x6e, 0x61, 0x6c, 0x4b, 0x65, 0x79, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x42, 0x90, 0x01, 0x0a, 0x2f, 0x6f, 0x72, 0x67, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x61, 
+ 0x70, 0x6b, 0x2e, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, 0x2e, 0x64, 0x69, 0x73, 0x63, + 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x65, 0x6e, 0x66, + 0x6f, 0x72, 0x63, 0x65, 0x72, 0x42, 0x0b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x50, 0x72, 0x6f, + 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x4e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, + 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x77, 0x73, 0x6f, + 0x32, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, + 0x69, 0x67, 0x2f, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x72, 0x3b, 0x65, 0x6e, 0x66, 0x6f, + 0x72, 0x63, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java index 6c86a593c..c2b2d46bb 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/Utils.java @@ -32,6 +32,8 @@ import org.wso2.apk.enforcer.commons.model.RequestContext; import org.wso2.apk.enforcer.commons.model.ResourceConfig; import org.wso2.apk.enforcer.commons.model.RetryConfig; +import org.wso2.apk.enforcer.config.ConfigHolder; +import org.wso2.apk.enforcer.constants.APIConstants; import org.wso2.apk.enforcer.constants.AdapterConstants; import java.util.ArrayList; 
@@ -90,6 +92,13 @@ public static ResourceConfig buildResource(Operation operation, String resPath,
 resource.setTier(operation.getTier());
 resource.setEndpointSecurity(endpointSecurity);
 AuthenticationConfig authenticationConfig = new AuthenticationConfig();
+
+ if (ConfigHolder.getInstance().getConfig()
+ .getMandateInternalKeyValidation()) {
+ JWTAuthenticationConfig jwtAuthenticationConfig = getDefaultJwtAuthenticationConfig();
+ authenticationConfig.setJwtAuthenticationConfig(jwtAuthenticationConfig);
+ }
+
 if (operation.hasApiAuthentication()) {
 authenticationConfig.setDisabled(operation.getApiAuthentication().getDisabled());
 if (operation.getApiAuthentication().hasOauth2()) {
@@ -136,6 +145,13 @@ private static JWTAuthenticationConfig getJwtAuthenticationConfig(Operation oper
 return jwtAuthenticationConfig;
 }
 
+ private static JWTAuthenticationConfig getDefaultJwtAuthenticationConfig() {
+ JWTAuthenticationConfig jwtAuthenticationConfig = new JWTAuthenticationConfig();
+ jwtAuthenticationConfig.setHeader(APIConstants.TEST_CONSOLE_KEY_HEADER);
+ jwtAuthenticationConfig.setSendTokenToUpstream(false);
+ return jwtAuthenticationConfig;
+ }
+
 public static PolicyConfig genPolicyConfig(OperationPolicies operationPolicies) {
 PolicyConfig policyConfig = new PolicyConfig();
 if (operationPolicies.getRequestCount() > 0) {
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/ConfigHolder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/ConfigHolder.java
index 8f424d888..3f9f63212 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/ConfigHolder.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/ConfigHolder.java
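Review bot: The mandated internal-key block added before `if (operation.hasApiAuthentication())` writes into the same `AuthenticationConfig` that the operation-level block then mutates, so an operation whose API authentication is disabled calls `setDisabled(true)` on a config that now also carries the mandated JWT settings, and an operation with its own JWT block may replace the default through the existing `getJwtAuthenticationConfig(Operation)` path; the remainder of `buildResource` is outside the hunk, so the override is inferred from the visible order and from how `disabled` is consumed downstream. If "mandate" is meant to hold regardless of per-API settings, the default should be applied after the operation-specific block (or the flag's precedence documented where it is read). At minimum a comment above the new block, e.g. `// Mandated internal-key validation; per-API settings below may still disable or override it.`, would make the current precedence explicit. Reading `ConfigHolder.getInstance()` inside a static builder also makes this branch hard to unit-test; passing the flag in as a parameter would be cleaner.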
@@ -173,6 +173,7 @@ private void parseConfigs(Config config) {
 populateAPIKeyIssuer(config.getSecurity().getApiKey());
 populateInternalTokenIssuer(config.getSecurity().getRuntimeToken());
 populateMandateSubscriptionValidationConfig(config.getMandateSubscriptionValidation());
+populateMandateInternalKeyValidationConfig(config.getMandateInternalKeyValidation());
 populateHttpClientConfig(config.getHttpClient());
 // resolve string variables provided as environment variables.
 resolveConfigsWithEnvs(this.config);
@@ -225,6 +226,10 @@ private void populateMandateSubscriptionValidationConfig(boolean mandateSubscrip
 config.setMandateSubscriptionValidation(mandateSubscriptionValidation); } + private void populateMandateInternalKeyValidationConfig(boolean mandateInternalKeyValidation) { + config.setMandateInternalKeyValidation(mandateInternalKeyValidation); + } + private void populateManagementCredentials(Management management) { ManagementCredentialsDto managementCredentialsDto = new ManagementCredentialsDto();
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/EnforcerConfig.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/EnforcerConfig.java
index 0eafcd05e..c8eeb7586 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/EnforcerConfig.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/config/EnforcerConfig.java
@@ -61,6 +61,7 @@ public class EnforcerConfig {
 private SoapErrorResponseConfigDto soapErrorResponseConfigDto; private boolean mandateSubscriptionValidation; + private boolean mandateInternalKeyValidation; private ClientConfigDto httpClientConfigDto; public ClientConfigDto getHttpClientConfigDto() {
@@ -224,5 +225,13 @@ public boolean getMandateSubscriptionValidation() {
 public void setMandateSubscriptionValidation(boolean mandateSubscriptionValidation) { this.mandateSubscriptionValidation = mandateSubscriptionValidation; } + + public boolean getMandateInternalKeyValidation() { + return mandateInternalKeyValidation; + } + + public void setMandateInternalKeyValidation(boolean mandateInternalKeyValidation) { + this.mandateInternalKeyValidation = mandateInternalKeyValidation; + } }
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java
index 4028f4361..348f29150 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/constants/APIConstants.java
@@ -57,6 +57,7 @@ public class APIConstants {
 public static final String API_SECURITY_MUTUAL_SSL_NAME = "mtls"; public static final String CLIENT_CERTIFICATE_HEADER_DEFAULT = "X-WSO2-CLIENT-CERTIFICATE"; public static final String WWW_AUTHENTICATE = "WWW-Authenticate"; + public static final String TEST_CONSOLE_KEY_HEADER = "internal-key"; public static final String BEGIN_CERTIFICATE_STRING = "-----BEGIN CERTIFICATE-----"; public static final String END_CERTIFICATE_STRING = "-----END CERTIFICATE-----";
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/Config.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/Config.java
index 60fd86a76..e6d37cb50 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/Config.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/Config.java
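Review bot: `TEST_CONSOLE_KEY_HEADER = "internal-key"` is introduced in APIConstants without a comment, yet `Utils.getDefaultJwtAuthenticationConfig` in this same commit uses it as the header for mandated internal-key validation on every API, not only for the test console its name suggests. A comment on the constant, e.g. `// Request header carrying the internal key; also the default header when mandateInternalKeyValidation is enabled.`, would stop readers treating it as test-only. Consider whether a name such as `INTERNAL_KEY_HEADER` reflects the new use better, keeping the old name as an alias if existing code references it.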
@@ -224,6 +224,11 @@ private Config( break; } + case 120: { + + mandateInternalKeyValidation_ = input.readBool(); + break; + } default: { if (!parseUnknownField( input, unknownFields, extensionRegistry, tag)) { @@ -622,6 +627,17 @@ public org.wso2.apk.enforcer.discovery.config.enforcer.HttpClientOrBuilder getHt return getHttpClient(); } + public static final int MANDATEINTERNALKEYVALIDATION_FIELD_NUMBER = 15; + private boolean mandateInternalKeyValidation_; + /** + * bool mandateInternalKeyValidation = 15; + * @return The mandateInternalKeyValidation. + */ + @java.lang.Override + public boolean getMandateInternalKeyValidation() { + return mandateInternalKeyValidation_; + } + private byte memoizedIsInitialized = -1; @java.lang.Override public final boolean isInitialized() { @@ -678,6 +694,9 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) if (httpClient_ != null) { output.writeMessage(14, getHttpClient()); } + if (mandateInternalKeyValidation_ != false) { + output.writeBool(15, mandateInternalKeyValidation_); + } unknownFields.writeTo(output); } @@ -743,6 +762,10 @@ public int getSerializedSize() { size += com.google.protobuf.CodedOutputStream .computeMessageSize(14, getHttpClient()); } + if (mandateInternalKeyValidation_ != false) { + size += com.google.protobuf.CodedOutputStream + .computeBoolSize(15, mandateInternalKeyValidation_); + } size += unknownFields.getSerializedSize(); memoizedSize = size; return size; @@ -822,6 +845,8 @@ public boolean equals(final java.lang.Object obj) { if (!getHttpClient() .equals(other.getHttpClient())) return false; } + if (getMandateInternalKeyValidation() + != other.getMandateInternalKeyValidation()) return false; if (!unknownFields.equals(other.unknownFields)) return false; return true; } 
@@ -888,6 +913,9 @@ public int hashCode() { hash = (37 * hash) + HTTPCLIENT_FIELD_NUMBER; hash = (53 * hash) + getHttpClient().hashCode(); } + hash = (37 * hash) + MANDATEINTERNALKEYVALIDATION_FIELD_NUMBER; + hash = (53 * hash) + com.google.protobuf.Internal.hashBoolean( + getMandateInternalKeyValidation()); hash = (29 * hash) + unknownFields.hashCode(); memoizedHashCode = hash; return hash; @@ -1106,6 +1134,8 @@ public Builder clear() { httpClient_ = null; httpClientBuilder_ = null; } + mandateInternalKeyValidation_ = false; + return this; } @@ -1203,6 +1233,7 @@ public org.wso2.apk.enforcer.discovery.config.enforcer.Config buildPartial() { } else { result.httpClient_ = httpClientBuilder_.build(); } + result.mandateInternalKeyValidation_ = mandateInternalKeyValidation_; onBuilt(); return result; } @@ -1316,6 +1347,9 @@ public Builder mergeFrom(org.wso2.apk.enforcer.discovery.config.enforcer.Config if (other.hasHttpClient()) { mergeHttpClient(other.getHttpClient()); } + if (other.getMandateInternalKeyValidation() != false) { + setMandateInternalKeyValidation(other.getMandateInternalKeyValidation()); + } this.mergeUnknownFields(other.unknownFields); onChanged(); return this; 
@@ -3044,6 +3078,37 @@ public org.wso2.apk.enforcer.discovery.config.enforcer.HttpClientOrBuilder getHt } return httpClientBuilder_; } + + private boolean mandateInternalKeyValidation_ ; + /** + * bool mandateInternalKeyValidation = 15; + * @return The mandateInternalKeyValidation. + */ + @java.lang.Override + public boolean getMandateInternalKeyValidation() { + return mandateInternalKeyValidation_; + } + /** + * bool mandateInternalKeyValidation = 15; + * @param value The mandateInternalKeyValidation to set. + * @return This builder for chaining. + */ + public Builder setMandateInternalKeyValidation(boolean value) { + + mandateInternalKeyValidation_ = value; + onChanged(); + return this; + } + /** + * bool mandateInternalKeyValidation = 15; + * @return This builder for chaining. + */ + public Builder clearMandateInternalKeyValidation() { + + mandateInternalKeyValidation_ = false; + onChanged(); + return this; + } @java.lang.Override public final Builder setUnknownFields( final com.google.protobuf.UnknownFieldSet unknownFields) { diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigOrBuilder.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigOrBuilder.java index 8ee7c234d..9bb944b65 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigOrBuilder.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigOrBuilder.java 
@@ -216,4 +216,10 @@ org.wso2.apk.enforcer.discovery.config.enforcer.FilterOrBuilder getFiltersOrBuil * .wso2.discovery.config.enforcer.HttpClient httpClient = 14; */ org.wso2.apk.enforcer.discovery.config.enforcer.HttpClientOrBuilder getHttpClientOrBuilder(); + + /** + * bool mandateInternalKeyValidation = 15; + * @return The mandateInternalKeyValidation. + */ + boolean getMandateInternalKeyValidation(); } diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigProto.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigProto.java index 1850792ed..1142d75aa 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigProto.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/discovery/config/enforcer/ConfigProto.java @@ -43,7 +43,7 @@ public static void registerAllExtensions( "cer/tracing.proto\032,wso2/discovery/config" + "/enforcer/metrics.proto\032)wso2/discovery/" + "config/enforcer/soap.proto\032+wso2/discove" + - "ry/config/enforcer/client.proto\"\276\006\n\006Conf" + + "ry/config/enforcer/client.proto\"\344\006\n\006Conf" + "ig\022:\n\010security\030\001 \001(\0132(.wso2.discovery.co" + "nfig.enforcer.Security\022;\n\010keystore\030\002 \001(\013" + "2).wso2.discovery.config.enforcer.CertSt" + 
@@ -64,11 +64,12 @@ public static void registerAllExtensions( "\001(\0132$.wso2.discovery.config.enforcer.Soa" + "p\022%\n\035mandateSubscriptionValidation\030\r \001(\010" + "\022>\n\nhttpClient\030\016 \001(\0132*.wso2.discovery.co" + - "nfig.enforcer.HttpClientB\220\001\n/org.wso2.ap" + - "k.enforcer.discovery.config.enforcerB\013Co" + - "nfigProtoP\001ZNgithub.com/envoyproxy/go-co" + - "ntrol-plane/wso2/discovery/config/enforc" + - "er;enforcerb\006proto3" + "nfig.enforcer.HttpClient\022$\n\034mandateInter" + + "nalKeyValidation\030\017 \001(\010B\220\001\n/org.wso2.apk." + + "enforcer.discovery.config.enforcerB\013Conf" + + "igProtoP\001ZNgithub.com/envoyproxy/go-cont" + + "rol-plane/wso2/discovery/config/enforcer" + + ";enforcerb\006proto3" }; descriptor = com.google.protobuf.Descriptors.FileDescriptor .internalBuildGeneratedFileFrom(descriptorData, @@ -91,7 +92,7 @@ public static void registerAllExtensions( internal_static_wso2_discovery_config_enforcer_Config_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_wso2_discovery_config_enforcer_Config_descriptor, - new java.lang.String[] { "Security", "Keystore", "Truststore", "AuthService", "JwtGenerator", "Cache", "Analytics", "Management", "Tracing", "Metrics", "Filters", "Soap", "MandateSubscriptionValidation", "HttpClient", }); + new java.lang.String[] { "Security", "Keystore", "Truststore", "AuthService", "JwtGenerator", "Cache", "Analytics", "Management", "Tracing", "Metrics", "Filters", "Soap", "MandateSubscriptionValidation", "HttpClient", "MandateInternalKeyValidation", }); org.wso2.apk.enforcer.discovery.config.enforcer.CertStoreProto.getDescriptor(); org.wso2.apk.enforcer.discovery.config.enforcer.ServiceProto.getDescriptor(); org.wso2.apk.enforcer.discovery.config.enforcer.JWTGeneratorProto.getDescriptor(); 
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
index 7ae7950dc..a500f7589 100644
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
+++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java
@@ -488,7 +488,8 @@ private Boolean isJWTExpired(JWTValidationInfo payload) {
 * @return true if list1 is empty else if at least one element from list1 exists in list2, otherwise false.
 */
 public static boolean checkAnyExist(List list1, List list2) {
- if (list1.size() == 0) {
+
+ if (list1 == null || list1.size() == 0) {
 return true;
 }
 return list1.stream().anyMatch(list2::contains);
diff --git a/helm-charts/README.md b/helm-charts/README.md
index ca9c03968..8b4e8c54b 100644
--- a/helm-charts/README.md
+++ b/helm-charts/README.md
@@ -1,6 +1,6 @@
 # apk-helm -![Version: 1.1.0-alpha](https://img.shields.io/badge/Version-1.1.0--alpha-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) +![Version: 1.1.0-beta](https://img.shields.io/badge/Version-1.1.0--beta-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) A Helm chart for APK components
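Review bot: The new guard in `checkAnyExist` only covers `list1`; `list2::contains` on the last line still dereferences `list2`, so a null second list throws a NullPointerException from what appears to be an authorization helper in JWTAuthenticator. If a null `list2` can reach this method, failing closed is the safer outcome: `return list2 != null && list1.stream().anyMatch(list2::contains);`. The Javadoc above (`@return true if list1 is empty ...`) should also state that a null `list1` now returns true, since callers may come to rely on it, and `list1.isEmpty()` reads better than `list1.size() == 0`. The added blank line directly after the method signature is a style nit; the callers of this method are outside the hunk.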
@@ -19,6 +19,7 @@ A Helm chart for APK components | wso2.subscription.imagePullSecrets | string | `""` | Optionally specify image pull secrets. | | wso2.apk.webhooks.validatingwebhookconfigurations | bool | `true` | | | wso2.apk.webhooks.mutatingwebhookconfigurations | bool | `true` | | +| wso2.apk.webhooks.conversionwebhookconfigurations | bool | `true` | | | wso2.apk.auth.enabled | bool | `true` | Enable Service Account Creation | | wso2.apk.auth.enableServiceAccountCreation | bool | `true` | Enable Service Account Creation | | wso2.apk.auth.enableClusterRoleCreation | bool | `true` | Enable Cluster Role Creation | @@ -40,7 +41,7 @@ A Helm chart for APK components | wso2.apk.idp.signing.secretName | string | `""` | IDP jwt signing certificate secret name | | wso2.apk.idp.signing.fileName | string | `""` | IDP jwt signing certificate file name | | wso2.apk.cp.enableApiPropagation | bool | `false` | Enable controlplane connection | -| wso2.apk.cp.enabledSubscription | bool | `false` | Enable controlplane connection | +| wso2.apk.cp.enabledSubscription | bool | `false` | Enable controlplane connection for subscription | | wso2.apk.cp.host | string | `"apim-apk-agent-service.apk.svc.cluster.local"` | Hostname of the APK agent service | | wso2.apk.cp.skipSSLVerification | bool | `false` | Skip SSL verification | | wso2.apk.cp.persistence | object | `{"type":"K8s"}` | Provide persistence mode DB/K8s | 
@@ -85,7 +86,7 @@ A Helm chart for APK components | wso2.apk.dp.configdeployer.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | | wso2.apk.dp.configdeployer.deployment.replicas | int | `1` | Number of replicas | | wso2.apk.dp.configdeployer.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.configdeployer.deployment.image | string | `"wso2/apk-config-deployer-service:1.1.0-alpha"` | Image | +| wso2.apk.dp.configdeployer.deployment.image | string | `"wso2/apk-config-deployer-service:1.1.0-beta"` | Image | | wso2.apk.dp.configdeployer.deployment.configs.authorization | bool | `true` | Enable authorization for runtime api. | | wso2.apk.dp.configdeployer.deployment.configs.baseUrl | string | `"https://api.am.wso2.com:9095/api/runtime"` | Baseurl for runtime api. | | wso2.apk.dp.configdeployer.deployment.configs.tls.secretName | string | `""` | TLS secret name for runtime public certificate. | @@ -105,7 +106,7 @@ A Helm chart for APK components | wso2.apk.dp.adapter.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | | wso2.apk.dp.adapter.deployment.replicas | int | `1` | Number of replicas | | wso2.apk.dp.adapter.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.adapter.deployment.image | string | `"wso2/apk-adapter:1.1.0-alpha"` | Image | +| wso2.apk.dp.adapter.deployment.image | string | `"wso2/apk-adapter:1.1.0-beta"` | Image | | wso2.apk.dp.adapter.deployment.security.sslHostname | string | `"adapter"` | Enable security for adapter. | | wso2.apk.dp.adapter.configs.apiNamespaces | string | `nil` | Optionally configure namespaces to watch for apis. | | wso2.apk.dp.adapter.configs.tls.secretName | string | `""` | TLS secret name for adapter public certificate. | 
@@ -127,7 +128,7 @@ A Helm chart for APK components | wso2.apk.dp.commonController.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | | wso2.apk.dp.commonController.deployment.replicas | int | `1` | Number of replicas | | wso2.apk.dp.commonController.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.commonController.deployment.image | string | `"wso2/apk-common-controller:1.1.0-alpha"` | Image | +| wso2.apk.dp.commonController.deployment.image | string | `"wso2/apk-common-controller:1.1.0-beta"` | Image | | wso2.apk.dp.commonController.deployment.security.sslHostname | string | `"commoncontroller"` | hostname for the common controller | | wso2.apk.dp.commonController.deployment.configs.apiNamespaces | list | `["apk-v12"]` | Optionally configure namespaces to watch for apis,ratelimitpolicies,etc. | | wso2.apk.dp.commonController.deployment.redis.host | string | `"redis-master"` | Redis host | 
@@ -139,6 +140,8 @@ A Helm chart for APK components | wso2.apk.dp.commonController.deployment.redis.userKeyPath | string | `"/home/wso2/security/keystore/commoncontroller.key"` | Redis user key to use for redis connections | | wso2.apk.dp.commonController.deployment.redis.cACertPath | string | `"/home/wso2/security/keystore/commoncontroller.crt"` | Redis CA cert to use for redis connections | | wso2.apk.dp.commonController.deployment.redis.channelName | string | `"wso2-apk-revoked-tokens-channel"` | Token revocation subscription channel name | +| wso2.apk.dp.commonController.deployment.database.enabled | bool | `false` | Enable Database mode for persistence | +| wso2.apk.dp.commonController.deployment.database.name | string | `"DATAPLANE"` | name of the database containing controlplane data for the use of dataplane | | wso2.apk.dp.commonController.deployment.database.host | string | `"wso2apk-db-service.apk"` | | | wso2.apk.dp.commonController.deployment.database.port | int | `5432` | | | wso2.apk.dp.commonController.deployment.database.username | string | `"wso2carbon"` | | 
@@ -149,6 +152,8 @@ A Helm chart for APK components | wso2.apk.dp.commonController.deployment.database.poolOptions.poolMaxConnIdleTime | string | `"1h"` | | | wso2.apk.dp.commonController.deployment.database.poolOptions.poolHealthCheckPeriod | string | `"1m"` | | | wso2.apk.dp.commonController.deployment.database.poolOptions.poolMaxConnLifetimeJitter | string | `"1s"` | | +| wso2.apk.dp.commonController.logging.level | string | `"INFO"` | Optionally configure logging for common controller. LogLevels can be "DEBG", "FATL", "ERRO", "WARN", "INFO", "PANC" | +| wso2.apk.dp.commonController.logging.logFormat | string | `"TEXT"` | Log format can be "JSON", "TEXT" | | wso2.apk.dp.ratelimiter.enabled | bool | `true` | Enable the deployment of the Rate Limiter | | wso2.apk.dp.ratelimiter.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | | wso2.apk.dp.ratelimiter.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | @@ -163,7 +168,7 @@ A Helm chart for APK components | wso2.apk.dp.ratelimiter.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | | wso2.apk.dp.ratelimiter.deployment.replicas | int | `1` | Number of replicas | | wso2.apk.dp.ratelimiter.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.ratelimiter.deployment.image | string | `"wso2/apk-ratelimiter:1.1.0-alpha"` | Image | +| wso2.apk.dp.ratelimiter.deployment.image | string | `"wso2/apk-ratelimiter:1.1.0-beta"` | Image | | wso2.apk.dp.ratelimiter.deployment.security.sslHostname | string | `"ratelimiter"` | hostname for the rate limiter | | wso2.apk.dp.ratelimiter.deployment.configs.tls.secretName | string | `"ratelimiter-cert"` | TLS secret name for rate limiter public certificate. | | wso2.apk.dp.ratelimiter.deployment.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. | 
@@ -183,7 +188,7 @@ A Helm chart for APK components | wso2.apk.dp.gatewayRuntime.deployment.router.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | | wso2.apk.dp.gatewayRuntime.deployment.router.strategy | string | `"RollingUpdate"` | Deployment strategy | | wso2.apk.dp.gatewayRuntime.deployment.router.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.gatewayRuntime.deployment.router.image | string | `"wso2/apk-router:1.1.0-alpha"` | Image | +| wso2.apk.dp.gatewayRuntime.deployment.router.image | string | `"wso2/apk-router:1.1.0-beta"` | Image | | wso2.apk.dp.gatewayRuntime.deployment.router.configs.enforcerResponseTimeoutInSeconds | int | `20` | The timeout for response coming from enforcer to route per API request | | wso2.apk.dp.gatewayRuntime.deployment.router.configs.useRemoteAddress | bool | `false` | If configured true, router appends the immediate downstream ip address to the x-forward-for header | | wso2.apk.dp.gatewayRuntime.deployment.router.configs.systemHost | string | `"localhost"` | System hostname for system API resources (eg: /testkey and /health) | 
@@ -211,13 +216,14 @@ A Helm chart for APK components | wso2.apk.dp.gatewayRuntime.deployment.enforcer.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.strategy | string | `"RollingUpdate"` | Deployment strategy | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.image | string | `"wso2/apk-enforcer:1.1.0-alpha"` | Image | +| wso2.apk.dp.gatewayRuntime.deployment.enforcer.image | string | `"wso2/apk-enforcer:1.1.0-beta"` | Image | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.security.sslHostname | string | `"enforcer"` | hostname for the enforcer | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.secretName | string | `""` | TLS secret name for enforcer public certificate. | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.certFilename | string | `""` | TLS certificate file name. | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.authService | object | `{"keepAliveTime":600,"maxHeaderLimit":8192,"maxMessageSize":1000000000,"threadPool":{"coreSize":400,"keepAliveTime":600,"maxSize":1000,"queueSize":2000}}` | The configurations of gRPC netty based server in Enforcer that handles the incoming requests from ext_authz | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateSubscriptionValidation | bool | `false` | Specifies whether subscription validation is mandated for all APIs. | +| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateInternalKeyValidation | bool | `false` | Specifies whether Internal-Key validation is mandated for all APIs. 
| | wso2.apk.dp.gatewayRuntime.deployment.enforcer.logging.level | string | `"DEBUG"` | Log level can be one of DEBUG, INFO, WARN, ERROR, OFF | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.logging.logFile | string | `"logs/enforcer.log"` | Log file name | | wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.host | string | `"redis-master"` | Redis host | @@ -294,7 +300,7 @@ A Helm chart for APK components | idp.idpds.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | | idp.idpds.deployment.replicas | int | `1` | Number of replicas | | idp.idpds.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| idp.idpds.deployment.image | string | `"wso2/apk-idp-domain-service:1.1.0-alpha"` | Image | +| idp.idpds.deployment.image | string | `"wso2/apk-idp-domain-service:1.1.0-beta"` | Image | | idp.idpui.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | | idp.idpui.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | | idp.idpui.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | @@ -308,7 +314,7 @@ A Helm chart for APK components | idp.idpui.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | | idp.idpui.deployment.replicas | int | `1` | Number of replicas | | idp.idpui.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| idp.idpui.deployment.image | string | `"wso2/apk-idp-ui:1.1.0-alpha"` | Image | +| idp.idpui.deployment.image | string | `"wso2/apk-idp-ui:1.1.0-beta"` | Image | | idp.idpui.configs.idpLoginUrl | string | `"https://idp.am.wso2.com:9095/commonauth/login"` | identity server Login URL | | idp.idpui.configs.idpAuthCallBackUrl | string | `"https://idp.am.wso2.com:9095/oauth2/auth-callback"` | identity server authCallBackUrl | | gatewaySystem.enabled | bool | `true` | Enable gateway system to install gateway system components | 
diff --git a/helm-charts/templates/data-plane/gateway-components/log-conf.yaml b/helm-charts/templates/data-plane/gateway-components/log-conf.yaml
index 6cfb49e91..f034acbe5 100644
--- a/helm-charts/templates/data-plane/gateway-components/log-conf.yaml
+++ b/helm-charts/templates/data-plane/gateway-components/log-conf.yaml
@@ -85,8 +85,9 @@ data:
   {{end}}
 
   [enforcer]
-  {{ if and .Values.wso2.apk.dp.gatewayRuntime.deployment .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateSubscriptionValidation }}
-  mandateSubscriptionValidation = {{ .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateSubscriptionValidation }}
+  {{ if and .Values.wso2.apk.dp.gatewayRuntime.deployment .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs }}
+  mandateSubscriptionValidation = {{ .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateSubscriptionValidation | default false }}
+  mandateInternalKeyValidation = {{ .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateInternalKeyValidation | default false }}
   {{ end }}
 
   {{ if and .Values.wso2.apk.dp.gatewayRuntime.deployment .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.authService }}
diff --git a/helm-charts/values.yaml.template b/helm-charts/values.yaml.template
index 1a8a61fb6..dcdf05928 100644
--- a/helm-charts/values.yaml.template
+++ b/helm-charts/values.yaml.template
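Review bot: The two `mandate*` lines in the log-conf.yaml hunk interpolate the chart values into TOML unquoted with no type check, so an override supplied as a string (`mandateInternalKeyValidation: "True"`, or any non-YAML-boolean) renders a token that is not a valid TOML boolean, and the template itself raises no error; the failure would presumably only surface when the adapter loads the rendered config. Normalising the rendered token, e.g. `mandateInternalKeyValidation = {{ .Values.wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateInternalKeyValidation | default false | toString | lower }}` (and the same for `mandateSubscriptionValidation`), or pinning both keys as `boolean` in a `values.schema.json`, catches this at install time instead. Both flags fall back to `false` via `default`, so the gateway runs in its non-mandating, opt-in mode unless an operator explicitly enables them; a one-line template comment stating that fail-open default next to the `[enforcer]` block would make the posture explicit to whoever tunes it. The `[enforcer]` section continues past the end of the hunk.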
@@ -525,6 +525,8 @@ wso2:
                 queueSize: 2000
             # -- Specifies whether subscription validation is mandated for all APIs.
             mandateSubscriptionValidation: false
+            # -- Specifies whether Internal-Key validation is mandated for all APIs.
+            mandateInternalKeyValidation: false
             logging:
             # -- Optionally configure logging for enforcer.
             # -- Log level can be one of DEBUG, INFO, WARN, ERROR, OFF
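Review bot: The new values comment on `mandateInternalKeyValidation` copies the wording of the subscription flag but does not tell an operator what the default means for the gateway's security posture or where the value ends up. Since this is a gateway-wide enforcement switch that defaults to off, I would expand it to `# -- Specifies whether Internal-Key validation is mandated for all APIs. false (the default) leaves Internal-Key validation opt-in; the value is rendered into the enforcer's config by log-conf.yaml and must be a YAML boolean.` The enclosing `configs:` mapping starts before the hunk.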