use of org.wso2.carbon.apimgt.api.model.APIKey in project carbon-apimgt by wso2.
the class APIThrottleHandler method doRoleBasedAccessThrottling.
private boolean doRoleBasedAccessThrottling(MessageContext synCtx, ConfigurationContext cc) {
boolean canAccess = true;
ThrottleDataHolder dataHolder = (ThrottleDataHolder) cc.getPropertyNonReplicable(ThrottleConstants.THROTTLE_INFO_KEY);
if (throttle.getThrottleContext(ThrottleConstants.ROLE_BASED_THROTTLE_KEY) == null) {
// skip role base throttling
return true;
}
ConcurrentAccessController cac = null;
if (isClusteringEnable) {
// for clustered env.,gets it from axis configuration context
cac = (ConcurrentAccessController) cc.getProperty(key);
}
if (!synCtx.isResponse()) {
// gets the remote caller role name
AuthenticationContext authContext = APISecurityUtils.getAuthenticationContext(synCtx);
String accessToken;
String consumerKey;
String authorizedUser;
String roleID;
String applicationId;
String applicationTier;
if (authContext != null) {
// Although the method says getApiKey, what is actually returned is the Bearer header (accessToken)
accessToken = authContext.getApiKey();
consumerKey = authContext.getConsumerKey();
authorizedUser = authContext.getUsername();
roleID = authContext.getTier();
applicationTier = authContext.getApplicationTier();
applicationId = authContext.getApplicationId();
if (accessToken == null || roleID == null) {
log.warn("No consumer key or role information found on the request - " + "Throttling not applied");
return true;
}
} else {
log.warn("No authentication context information found on the request - " + "Throttling not applied");
return true;
}
// Domain name based throttling
// check whether a configuration has been defined for this role name or not
// loads the ThrottleContext
ThrottleContext resourceContext = throttle.getThrottleContext(RESOURCE_THROTTLE_KEY);
if (resourceContext == null) {
log.warn("Unable to load throttle context");
return true;
}
// Loads the ThrottleConfiguration
ThrottleConfiguration config = resourceContext.getThrottleConfiguration();
if (config != null) {
String applicationRoleId = null;
// If an application level tier has been specified and it is not 'Unlimited'
if (applicationTier != null && !APIConstants.UNLIMITED_TIER.equals(applicationTier)) {
// Get the configuration role of the application
// applicationRoleId = config.getConfigurationKeyOfCaller(applicationTier);
applicationRoleId = applicationTier;
}
AccessInformation info = null;
// If application level throttling is applied
if (applicationRoleId != null) {
ThrottleContext applicationThrottleContext = getApplicationThrottleContext(synCtx, dataHolder, applicationId);
if (isClusteringEnable) {
applicationThrottleContext.setConfigurationContext(cc);
applicationThrottleContext.setThrottleId(id);
}
// First throttle by application
try {
info = applicationRoleBasedAccessController.canAccess(applicationThrottleContext, applicationId, applicationRoleId);
if (log.isDebugEnabled()) {
log.debug("Throttle by Application " + applicationId);
log.debug("Allowed = " + (info != null ? info.isAccessAllowed() : "false"));
}
} catch (ThrottleException e) {
log.warn("Exception occurred while performing role " + "based throttling", e);
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.APPLICATION_LIMIT_EXCEEDED);
return false;
}
// check for the permission for access
if (info != null && !info.isAccessAllowed()) {
log.info("Exceeded the allocated quota in Application level.");
// if the access has denied by rate based throttling
if (cac != null) {
cac.incrementAndGet();
// set back if this is a clustered env
if (isClusteringEnable) {
cc.setProperty(key, cac);
resourceContext.setConfigurationContext(cc);
// replicate the current state of ConcurrentAccessController
try {
Replicator.replicate(cc, new String[] { key });
} catch (ClusteringFault clusteringFault) {
log.error("Error during replicating states", clusteringFault);
}
}
}
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.APPLICATION_LIMIT_EXCEEDED);
return false;
}
}
// ---------------End of application level throttling------------
// ==============================Start of Resource level throttling======================================
// get throttling information for given request with resource path and http verb
// VerbInfoDTO verbInfoDTO = null;
// verbInfoDTO = validator.getVerbInfoDTOFromAPIData(apiContext, apiVersion, requestPath, httpMethod);
VerbInfoDTO verbInfoDTO = (VerbInfoDTO) synCtx.getProperty(APIConstants.VERB_INFO_DTO);
String resourceLevelRoleId = null;
// no data related to verb information data
if (verbInfoDTO == null) {
log.warn("Error while getting throttling information for resource and http verb");
return false;
} else {
// Not only we can proceed
String resourceAndHTTPVerbThrottlingTier = verbInfoDTO.getThrottling();
// If there no any tier then we need to set it as unlimited
if (resourceAndHTTPVerbThrottlingTier == null) {
log.warn("Unable to find throttling information for resource and http verb. Throttling will " + "not apply");
} else {
resourceLevelRoleId = resourceAndHTTPVerbThrottlingTier;
}
// adding consumerKey and authz_user combination instead of access token to resourceAndHTTPVerbKey
// This avoids sending more than the permitted number of requests in a unit time by
// regenerating the access token
String resourceAndHTTPVerbKey = verbInfoDTO.getRequestKey() + '-' + consumerKey + ':' + authorizedUser;
// if request not null then only we proceed
if (resourceLevelRoleId != null) {
try {
// if application level throttling has passed
if (!APIConstants.UNLIMITED_TIER.equals(resourceLevelRoleId) && (info == null || info.isAccessAllowed())) {
// If this is a clustered env.
if (isClusteringEnable) {
resourceContext.setConfigurationContext(cc);
resourceContext.setThrottleId(id + "resource");
}
info = roleBasedAccessController.canAccess(resourceContext, resourceAndHTTPVerbKey, resourceAndHTTPVerbThrottlingTier);
}
} catch (ThrottleException e) {
log.warn("Exception occurred while performing resource" + "based throttling", e);
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.RESOURCE_LIMIT_EXCEEDED);
return false;
}
// check for the permission for access
if (info != null && !info.isAccessAllowed()) {
log.info("Exceeded the allocated quota in Resource level.");
// if the access has denied by rate based throttling
if (cac != null) {
cac.incrementAndGet();
// set back if this is a clustered env
if (isClusteringEnable) {
cc.setProperty(key, cac);
// replicate the current state of ConcurrentAccessController
try {
Replicator.replicate(cc, new String[] { key });
} catch (ClusteringFault clusteringFault) {
log.error("Error during replicating states", clusteringFault);
}
}
}
if (isContinueOnThrottleReached(resourceAndHTTPVerbThrottlingTier)) {
// limit has reached.
if (synCtx.getProperty(APIConstants.API_USAGE_THROTTLE_OUT_PROPERTY_KEY) == null) {
synCtx.setProperty(APIConstants.API_USAGE_THROTTLE_OUT_PROPERTY_KEY, Boolean.TRUE);
}
} else {
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.RESOURCE_LIMIT_EXCEEDED);
return false;
}
}
} else {
log.warn("Unable to find the throttle policy for role.");
}
}
// ==============================End of Resource level throttling=======================================
// ---------------Start of API level throttling------------------
// Domain name based throttling
// check whether a configuration has been defined for this role name or not
// loads the ThrottleContext
ThrottleContext context = throttle.getThrottleContext(ThrottleConstants.ROLE_BASED_THROTTLE_KEY);
String apiKey;
if (context == null) {
log.warn("Unable to load throttle context");
return true;
}
// If this is a clustered env.
// check for configuration role of the caller
config = context.getThrottleConfiguration();
String consumerRoleID = config.getConfigurationKeyOfCaller(roleID);
if (isClusteringEnable) {
context.setConfigurationContext(cc);
context.setThrottleId(id);
}
try {
String apiContext = (String) synCtx.getProperty(RESTConstants.REST_API_CONTEXT);
String apiVersion = (String) synCtx.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION);
apiContext = apiContext != null ? apiContext : "";
apiVersion = apiVersion != null ? apiVersion : "";
// adding consumerKey and authz_user combination instead of access token to apiKey
// This avoids sending more than the permitted number of requests in a unit time by
// regenerating the access token
apiKey = apiContext + ':' + apiVersion + ':' + consumerKey + ':' + authorizedUser;
// if application level throttling has passed
if (!APIConstants.UNLIMITED_TIER.equals(roleID) && (info == null || info.isAccessAllowed())) {
// Throttle by access token
info = roleBasedAccessController.canAccess(context, apiKey, consumerRoleID);
}
} catch (ThrottleException e) {
log.warn("Exception occurred while performing role " + "based throttling", e);
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.API_LIMIT_EXCEEDED);
return false;
}
// check for the permission for access
if (info != null && !info.isAccessAllowed()) {
log.info("Exceeded the allocated quota in API level.");
// if the access has denied by rate based throttling
if (cac != null) {
cac.incrementAndGet();
// set back if this is a clustered env
if (isClusteringEnable) {
cc.setProperty(key, cac);
// replicate the current state of ConcurrentAccessController
try {
Replicator.replicate(cc, new String[] { key });
} catch (ClusteringFault clusteringFault) {
log.error("Error during replicating states", clusteringFault);
}
}
}
if (isContinueOnThrottleReached(consumerRoleID)) {
// limit has reached.
if (synCtx.getProperty(APIConstants.API_USAGE_THROTTLE_OUT_PROPERTY_KEY) == null) {
synCtx.setProperty(APIConstants.API_USAGE_THROTTLE_OUT_PROPERTY_KEY, Boolean.TRUE);
}
if (log.isDebugEnabled()) {
log.debug("Request throttled at API level for throttle key" + apiKey + ". But role " + consumerRoleID + "allows to continue to serve requests");
}
} else {
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.API_LIMIT_EXCEEDED);
return false;
}
}
}
}
// ---------------End of API level throttling------------------
// ---------------Start of Hard throttling------------------
ThrottleContext hardThrottleContext = throttle.getThrottleContext(APIThrottleConstants.HARD_THROTTLING_CONFIGURATION);
try {
String apiContext = (String) synCtx.getProperty(RESTConstants.REST_API_CONTEXT);
String apiVersion = (String) synCtx.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION);
apiContext = apiContext != null ? apiContext : "";
apiVersion = apiVersion != null ? apiVersion : "";
AuthenticationContext authContext = APISecurityUtils.getAuthenticationContext(synCtx);
if (hardThrottleContext != null && authContext.getKeyType() != null) {
String throttleKey = apiContext + ':' + apiVersion + ':' + authContext.getKeyType();
AccessInformation info = null;
if (isClusteringEnable) {
hardThrottleContext.setConfigurationContext(cc);
}
if (APIConstants.API_KEY_TYPE_PRODUCTION.equals(authContext.getKeyType())) {
hardThrottleContext.setThrottleId(id + APIThrottleConstants.PRODUCTION_HARD_LIMIT);
info = roleBasedAccessController.canAccess(hardThrottleContext, throttleKey, APIThrottleConstants.PRODUCTION_HARD_LIMIT);
} else if (APIConstants.API_KEY_TYPE_SANDBOX.equals(authContext.getKeyType())) {
hardThrottleContext.setThrottleId(id + APIThrottleConstants.SANDBOX_HARD_LIMIT);
info = roleBasedAccessController.canAccess(hardThrottleContext, throttleKey, APIThrottleConstants.SANDBOX_HARD_LIMIT);
}
if (log.isDebugEnabled()) {
log.debug("Throttle by hard limit " + throttleKey);
log.debug("Allowed = " + (info != null ? info.isAccessAllowed() : "false"));
}
if (info != null && !info.isAccessAllowed()) {
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.HARD_LIMIT_EXCEEDED);
log.info("Hard Throttling limit exceeded.");
return false;
}
}
} catch (ThrottleException e) {
log.warn("Exception occurred while performing role based throttling", e);
synCtx.setProperty(APIThrottleConstants.THROTTLED_OUT_REASON, APIThrottleConstants.HARD_LIMIT_EXCEEDED);
return false;
}
return canAccess;
}
use of org.wso2.carbon.apimgt.api.model.APIKey in project carbon-apimgt by wso2.
the class SolaceSubscriptionsNotifier method crateSubscription.
/**
* Create subscriptions to Solace APIs
*
* @param event SubscriptionEvent to create Solace API subscriptions
* @throws NotifierException if error occurs when creating subscription for Solace APIs
*/
private void crateSubscription(SubscriptionEvent event) throws NotifierException {
String apiUUID = event.getApiUUID();
String applicationUUID = event.getApplicationUUID();
try {
APIProvider apiProvider = APIManagerFactory.getInstance().getAPIProvider(CarbonContext.getThreadLocalCarbonContext().getUsername());
API api = apiProvider.getAPIbyUUID(apiUUID, apiMgtDAO.getOrganizationByAPIUUID(apiUUID));
APIConsumer apiConsumer = APIManagerFactory.getInstance().getAPIConsumer(CarbonContext.getThreadLocalCarbonContext().getUsername());
Application application = apiMgtDAO.getApplicationByUUID(applicationUUID);
Set<APIKey> consumerKeys = apiConsumer.getApplicationKeysOfApplication(application.getId());
for (APIKey apiKey : consumerKeys) {
application.addKey(apiKey);
}
// Check whether the subscription is belongs to an API deployed in Solace
if (SolaceConstants.SOLACE_ENVIRONMENT.equals(api.getGatewayVendor())) {
ArrayList<String> solaceApiProducts = new ArrayList<>();
List<Environment> deployedSolaceEnvironments = SolaceNotifierUtils.getDeployedSolaceEnvironmentsFromRevisionDeployments(api);
String applicationOrganizationName = SolaceNotifierUtils.getSolaceOrganizationName(deployedSolaceEnvironments);
if (applicationOrganizationName != null) {
try {
boolean apiProductDeployedIntoSolace = SolaceNotifierUtils.checkApiProductAlreadyDeployedIntoSolaceEnvironments(api, deployedSolaceEnvironments);
if (apiProductDeployedIntoSolace) {
for (Environment environment : deployedSolaceEnvironments) {
solaceApiProducts.add(SolaceNotifierUtils.generateApiProductNameForSolaceBroker(api, environment.getName()));
}
SolaceNotifierUtils.deployApplicationToSolaceBroker(application, solaceApiProducts, applicationOrganizationName);
}
} catch (IOException e) {
log.error(e.getMessage());
}
} else {
if (log.isDebugEnabled()) {
log.error("Cannot create solace application " + application.getName() + "with API product " + "deployed in different organizations...");
}
throw new APIManagementException("Cannot create solace application " + application.getName() + "with API product deployed in different organizations...");
}
}
} catch (APIManagementException e) {
throw new NotifierException(e.getMessage());
}
}
use of org.wso2.carbon.apimgt.api.model.APIKey in project carbon-apimgt by wso2.
the class ApplicationsApiServiceImpl method applicationsApplicationIdKeysKeyTypeRegenerateSecretPost.
/**
* Re generate consumer secret.
*
* @param applicationId Application Id
* @param keyType Key Type (Production | Sandbox)
* @return A response object containing application keys.
*/
@Override
public Response applicationsApplicationIdKeysKeyTypeRegenerateSecretPost(String applicationId, String keyType, MessageContext messageContext) {
String username = RestApiCommonUtil.getLoggedInUsername();
try {
Set<APIKey> applicationKeys = getApplicationKeys(applicationId);
if (applicationKeys == null) {
return null;
}
for (APIKey apiKey : applicationKeys) {
if (keyType != null && keyType.equals(apiKey.getType()) && APIConstants.KeyManager.DEFAULT_KEY_MANAGER.equals(apiKey.getKeyManager())) {
APIConsumer apiConsumer = APIManagerFactory.getInstance().getAPIConsumer(username);
String clientId = apiKey.getConsumerKey();
String clientSecret = apiConsumer.renewConsumerSecret(clientId, APIConstants.KeyManager.DEFAULT_KEY_MANAGER);
ApplicationKeyDTO applicationKeyDTO = new ApplicationKeyDTO();
applicationKeyDTO.setConsumerKey(clientId);
applicationKeyDTO.setConsumerSecret(clientSecret);
return Response.ok().entity(applicationKeyDTO).build();
}
}
} catch (APIManagementException e) {
RestApiUtil.handleInternalServerError("Error while re generating the consumer secret ", e, log);
}
return null;
}
use of org.wso2.carbon.apimgt.api.model.APIKey in project carbon-apimgt by wso2.
the class ApplicationsApiServiceImpl method applicationsApplicationIdApiKeysKeyTypeRevokePost.
@Override
public Response applicationsApplicationIdApiKeysKeyTypeRevokePost(String applicationId, String keyType, String ifMatch, APIKeyRevokeRequestDTO body, MessageContext messageContext) {
String username = RestApiCommonUtil.getLoggedInUsername();
String apiKey = body.getApikey();
if (!StringUtils.isEmpty(apiKey) && APIUtil.isValidJWT(apiKey)) {
try {
String[] splitToken = apiKey.split("\\.");
String signatureAlgorithm = APIUtil.getSignatureAlgorithm(splitToken);
String certAlias = APIUtil.getSigningAlias(splitToken);
Certificate certificate = APIUtil.getCertificateFromParentTrustStore(certAlias);
if (APIUtil.verifyTokenSignature(splitToken, certificate, signatureAlgorithm)) {
APIConsumer apiConsumer = APIManagerFactory.getInstance().getAPIConsumer(username);
Application application = apiConsumer.getApplicationByUUID(applicationId);
org.json.JSONObject decodedBody = new org.json.JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1])));
org.json.JSONObject appInfo = decodedBody.getJSONObject(APIConstants.JwtTokenConstants.APPLICATION);
if (appInfo != null && application != null) {
if (RestAPIStoreUtils.isUserOwnerOfApplication(application)) {
String appUuid = appInfo.getString(APIConstants.JwtTokenConstants.APPLICATION_UUID);
if (applicationId.equals(appUuid)) {
long expiryTime = Long.MAX_VALUE;
org.json.JSONObject payload = new org.json.JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1])));
if (payload.has(APIConstants.JwtTokenConstants.EXPIRY_TIME)) {
expiryTime = APIUtil.getExpiryifJWT(apiKey);
}
String tokenIdentifier = payload.getString(APIConstants.JwtTokenConstants.JWT_ID);
String tenantDomain = RestApiCommonUtil.getLoggedInUserTenantDomain();
apiConsumer.revokeAPIKey(tokenIdentifier, expiryTime, tenantDomain);
return Response.ok().build();
} else {
if (log.isDebugEnabled()) {
log.debug("Application uuid " + applicationId + " isn't matched with the " + "application in the token " + appUuid + " of API Key " + APIUtil.getMaskedToken(apiKey));
}
RestApiUtil.handleBadRequest("Validation failed for the given token ", log);
}
} else {
if (log.isDebugEnabled()) {
log.debug("Logged in user " + username + " isn't the owner of the application " + applicationId);
}
RestApiUtil.handleAuthorizationFailure(RestApiConstants.RESOURCE_APPLICATION, applicationId, log);
}
} else {
if (log.isDebugEnabled()) {
if (application == null) {
log.debug("Application with given id " + applicationId + " doesn't not exist ");
}
if (appInfo == null) {
log.debug("Application information doesn't exist in the token " + APIUtil.getMaskedToken(apiKey));
}
}
RestApiUtil.handleBadRequest("Validation failed for the given token ", log);
}
} else {
if (log.isDebugEnabled()) {
log.debug("Signature verification of given token " + APIUtil.getMaskedToken(apiKey) + " is failed");
}
RestApiUtil.handleInternalServerError("Validation failed for the given token", log);
}
} catch (APIManagementException e) {
String msg = "Error while revoking API Key of application " + applicationId;
if (log.isDebugEnabled()) {
log.debug("Error while revoking API Key of application " + applicationId + " and token " + APIUtil.getMaskedToken(apiKey));
}
log.error(msg, e);
RestApiUtil.handleInternalServerError(msg, e, log);
}
} else {
log.debug("Provided API Key " + APIUtil.getMaskedToken(apiKey) + " is not valid");
RestApiUtil.handleBadRequest("Provided API Key isn't valid ", log);
}
return null;
}
use of org.wso2.carbon.apimgt.api.model.APIKey in project carbon-apimgt by wso2.
the class ApplicationsApiServiceImpl method applicationsApplicationIdApiKeysKeyTypeGeneratePost.
@Override
public Response applicationsApplicationIdApiKeysKeyTypeGeneratePost(String applicationId, String keyType, String ifMatch, APIKeyGenerateRequestDTO body, MessageContext messageContext) {
String userName = RestApiCommonUtil.getLoggedInUsername();
Application application;
int validityPeriod;
try {
APIConsumer apiConsumer = APIManagerFactory.getInstance().getAPIConsumer(userName);
if ((application = apiConsumer.getApplicationByUUID(applicationId)) == null) {
RestApiUtil.handleResourceNotFoundError(RestApiConstants.RESOURCE_APPLICATION, applicationId, log);
} else {
if (!RestAPIStoreUtils.isUserAccessAllowedForApplication(application)) {
RestApiUtil.handleAuthorizationFailure(RestApiConstants.RESOURCE_APPLICATION, applicationId, log);
} else {
if (APIConstants.API_KEY_TYPE_PRODUCTION.equalsIgnoreCase(keyType)) {
application.setKeyType(APIConstants.API_KEY_TYPE_PRODUCTION);
} else if (APIConstants.API_KEY_TYPE_SANDBOX.equalsIgnoreCase(keyType)) {
application.setKeyType(APIConstants.API_KEY_TYPE_SANDBOX);
} else {
RestApiUtil.handleBadRequest("Invalid keyType. KeyType should be either PRODUCTION or SANDBOX", log);
}
if (body != null && body.getValidityPeriod() != null && body.getValidityPeriod() > 0) {
validityPeriod = body.getValidityPeriod();
} else {
validityPeriod = -1;
}
String restrictedIP = null;
String restrictedReferer = null;
if (body.getAdditionalProperties() != null) {
Map additionalProperties = (HashMap) body.getAdditionalProperties();
if (additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_IP) != null) {
restrictedIP = (String) additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_IP);
}
if (additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_REFERER) != null) {
restrictedReferer = (String) additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_REFERER);
}
}
String apiKey = apiConsumer.generateApiKey(application, userName, validityPeriod, restrictedIP, restrictedReferer);
APIKeyDTO apiKeyDto = ApplicationKeyMappingUtil.formApiKeyToDTO(apiKey, validityPeriod);
return Response.ok().entity(apiKeyDto).build();
}
}
} catch (APIManagementException e) {
RestApiUtil.handleInternalServerError("Error while generatig API Keys for application " + applicationId, e, log);
}
return null;
}
Aggregations