Search in sources :

Example 6 with MethodStats

use of org.wso2.carbon.apimgt.gateway.MethodStats in project carbon-apimgt by wso2.

the class PreAuthenticationInterceptor method handleMessage.

@Override
@MethodStats
public void handleMessage(Message message) throws Fault {
    String path = (String) message.get(Message.PATH_INFO);
    if (path.contains(APIConstants.RestApiConstants.REST_API_OLD_VERSION)) {
        path = path.replace("/" + APIConstants.RestApiConstants.REST_API_OLD_VERSION, "");
    }
    String httpMethod = (String) message.get(Message.HTTP_REQUEST_METHOD);
    Dictionary<URITemplate, List<String>> allowedResourcePathsMap;
    // If Authorization headers are present anonymous URI check will be skipped
    ArrayList authHeaders = (ArrayList) ((TreeMap) (message.get(Message.PROTOCOL_HEADERS))).get(RestApiConstants.AUTH_HEADER_NAME);
    if (authHeaders != null)
        return;
    // Check if the accessing URI is allowed and then authorization is skipped
    try {
        allowedResourcePathsMap = RestApiUtil.getAllowedURIsToMethodsMap();
        Enumeration<URITemplate> uriTemplateSet = allowedResourcePathsMap.keys();
        ArrayList requestedTenantDomain = (ArrayList) ((TreeMap) (message.get(Message.PROTOCOL_HEADERS))).get(RestApiConstants.HEADER_X_WSO2_TENANT);
        String tenantDomain = null;
        if (requestedTenantDomain != null) {
            tenantDomain = RestApiUtil.getRequestedTenantDomain(requestedTenantDomain.get(0).toString());
        }
        if (StringUtils.isEmpty(tenantDomain)) {
            tenantDomain = RestApiCommonUtil.getLoggedInUserTenantDomain();
        }
        while (uriTemplateSet.hasMoreElements()) {
            URITemplate uriTemplate = uriTemplateSet.nextElement();
            if (uriTemplate.matches(path, new HashMap<String, String>())) {
                List<String> allowedVerbs = allowedResourcePathsMap.get(uriTemplate);
                if (allowedVerbs.contains(httpMethod)) {
                    if (StringUtils.startsWith((String) message.get(Message.BASE_PATH), "/" + RestApiConstants.REST_API_DEVELOPER_PORTAL_CONTEXT)) {
                        // Authentication will be skipped for /swagger.yaml, /settings, /tenants resources of
                        // the devportal REST API
                        boolean doSkipAuthentication = StringUtils.equals(path, "/" + RestApiConstants.REST_API_DEVELOPER_PORTAL_CONTEXT + RestApiConstants.RESOURCE_PATH_SWAGGER) || StringUtils.equals(path, "/" + RestApiConstants.REST_API_DEVELOPER_PORTAL_CONTEXT + RestApiConstants.REST_API_DEVELOPER_PORTAL_RESOURCE_PATH_SETTINGS) || StringUtils.equals(path, "/" + RestApiConstants.REST_API_DEVELOPER_PORTAL_CONTEXT + RestApiConstants.REST_API_DEVELOPER_PORTAL_RESOURCE_PATH_TENANTS);
                        if (!doSkipAuthentication) {
                            message.put(RestApiConstants.AUTHENTICATION_REQUIRED, !RestApiUtil.isDevPortalAnonymousEnabled(tenantDomain));
                        } else {
                            message.put(RestApiConstants.AUTHENTICATION_REQUIRED, false);
                        }
                    } else {
                        message.put(RestApiConstants.AUTHENTICATION_REQUIRED, false);
                    }
                    PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
                    carbonContext.setUsername(CarbonConstants.REGISTRY_ANONNYMOUS_USERNAME);
                    carbonContext.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
                    carbonContext.setTenantId(MultitenantConstants.SUPER_TENANT_ID);
                    return;
                }
            }
        }
    } catch (APIManagementException e) {
        RestApiUtil.handleInternalServerError("Unable to retrieve/process allowed URIs for REST API", e, logger);
    }
}
Also used : APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException) URITemplate(org.wso2.uri.template.URITemplate) ArrayList(java.util.ArrayList) ArrayList(java.util.ArrayList) List(java.util.List) PrivilegedCarbonContext(org.wso2.carbon.context.PrivilegedCarbonContext) MethodStats(org.wso2.carbon.apimgt.rest.api.util.MethodStats)

Example 7 with MethodStats

use of org.wso2.carbon.apimgt.gateway.MethodStats in project carbon-apimgt by wso2.

the class SubscriberRegistrationInterceptor method loadTenantRegistry.

@MethodStats
private void loadTenantRegistry() throws APIManagementException {
    String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
    try {
        int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
        APIUtil.loadTenantRegistry(tenantId);
        APIUtil.loadTenantExternalStoreConfig(tenantDomain);
        APIUtil.loadTenantWorkFlowExtensions(tenantDomain);
        APIUtil.loadTenantSelfSignUpConfigurations(tenantDomain);
        APIUtil.loadAndSyncTenantConf(tenantDomain);
    } catch (RegistryException e) {
        throw new APIManagementException("Error occured while loading registry for tenant '" + tenantDomain + "'");
    }
}
Also used : APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException) RegistryException(org.wso2.carbon.registry.core.exceptions.RegistryException) MethodStats(org.wso2.carbon.apimgt.rest.api.util.MethodStats)

Example 8 with MethodStats

use of org.wso2.carbon.apimgt.gateway.MethodStats in project carbon-apimgt by wso2.

the class SubscriberRegistrationInterceptor method handleMessage.

/**
 * Handles the incoming message after post authentication. Only used in Store REST API, to register a newly
 * signed up store user who hasn't logged in to Store for the first time either via REST API or Store UI.
 * This method will register the user as a subscriber
 * (register in AM_SUBSCRIBER table, add the default application for subscriber etc.).
 *
 * @param message cxf message
 */
@Override
@MethodStats
public void handleMessage(Message message) {
    String username = RestApiCommonUtil.getLoggedInUsername();
    // by-passes the interceptor if user is an annonymous user
    if (username.equalsIgnoreCase(APIConstants.WSO2_ANONYMOUS_USER)) {
        return;
    }
    // checking if the subscriber exists in the subscriber cache
    Cache<String, Subscriber> subscriberCache = Caching.getCacheManager(APIConstants.API_MANAGER_CACHE_MANAGER).getCache(APIConstants.API_SUBSCRIBER_CACHE);
    if (subscriberCache.get(username) != null) {
        return;
    }
    // check the existence in the database
    String groupId = RestApiUtil.getLoggedInUserGroupId();
    String tenantDomain = RestApiCommonUtil.getLoggedInUserTenantDomain();
    try {
        // takes a consumer object using the user set in thread local carbon context
        APIConsumer apiConsumer = RestApiCommonUtil.getLoggedInUserConsumer();
        Subscriber subscriber = apiConsumer.getSubscriber(username);
        if (subscriber == null) {
            synchronized ((username + LOCK_POSTFIX).intern()) {
                subscriber = apiConsumer.getSubscriber(username);
                if (subscriber == null) {
                    message.getExchange().get(RestApiConstants.USER_REST_API_SCOPES);
                    if (!hasSubscribeScope(message)) {
                        // permission. It should be allowed.
                        if (logger.isDebugEnabled()) {
                            logger.debug("User " + username + " does not have subscribe scope " + "(" + APIM_SUBSCRIBE_SCOPE + ")");
                        }
                        return;
                    }
                    if (!APIConstants.SUPER_TENANT_DOMAIN.equalsIgnoreCase(tenantDomain)) {
                        loadTenantRegistry();
                    }
                    apiConsumer.addSubscriber(username, groupId);
                    // The subscriber object added here is not a complete subscriber object. It will only contain
                    // username
                    subscriberCache.put(username, new Subscriber(username));
                    if (logger.isDebugEnabled()) {
                        logger.debug("Subscriber " + username + " added to AM_SUBSCRIBER database");
                    }
                }
            }
        } else {
            subscriberCache.put(username, subscriber);
        }
    } catch (APIManagementException e) {
        RestApiUtil.handleInternalServerError("Unable to add the subscriber " + username, e, logger);
    }
}
Also used : APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException) Subscriber(org.wso2.carbon.apimgt.api.model.Subscriber) APIConsumer(org.wso2.carbon.apimgt.api.APIConsumer) MethodStats(org.wso2.carbon.apimgt.rest.api.util.MethodStats)

Example 9 with MethodStats

use of org.wso2.carbon.apimgt.gateway.MethodStats in project carbon-apimgt by wso2.

the class BasicAuthenticationInterceptor method handleMessage.

/**
 * This method handles the incoming message by checking if an anonymous api is being called or invalid
 * authorization headers are present in the request. If not, authenticate the request.
 *
 * @param inMessage cxf Message
 */
@Override
@MethodStats
public void handleMessage(Message inMessage) {
    // by-passes the interceptor if user calls an anonymous api
    if (RestApiUtil.checkIfAnonymousAPI(inMessage)) {
        return;
    }
    String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
    inMessage.put(RestApiConstants.TENANT_DOMAIN, tenantDomain);
    // Extract and check if "Authorization: Basic" is present in the request. If not, by-passes the interceptor.
    // If yes, set the request_authentication_scheme property in the message as basic_auth and execute the basic
    // authentication flow.
    AuthorizationPolicy policy = inMessage.get(AuthorizationPolicy.class);
    if (policy != null) {
        inMessage.put(RestApiConstants.REQUEST_AUTHENTICATION_SCHEME, RestApiConstants.BASIC_AUTHENTICATION);
        // Extract user credentials from the auth header and validate.
        String username = StringUtils.trim(policy.getUserName());
        String password = StringUtils.trim(policy.getPassword());
        if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {
            String errorMessage = StringUtils.isEmpty(username) ? "username cannot be null/empty." : "password cannot be null/empty.";
            log.error("Basic Authentication failed: " + errorMessage);
            throw new AuthenticationException("Unauthenticated request");
        } else if (!authenticate(inMessage, username, password)) {
            throw new AuthenticationException("Unauthenticated request");
        }
        log.debug("User logged into web app using Basic Authentication");
    }
}
Also used : AuthorizationPolicy(org.apache.cxf.configuration.security.AuthorizationPolicy) AuthenticationException(org.apache.cxf.interceptor.security.AuthenticationException) MethodStats(org.wso2.carbon.apimgt.rest.api.util.MethodStats)

Example 10 with MethodStats

use of org.wso2.carbon.apimgt.gateway.MethodStats in project carbon-apimgt by wso2.

the class TokenMergeInterceptor method handleMessage.

@MethodStats
public void handleMessage(Message message) throws Fault {
    // If Authorization headers are present anonymous URI check will be skipped
    String accessToken = RestApiUtil.extractOAuthAccessTokenFromMessage(message, RestApiConstants.REGEX_BEARER_PATTERN, RestApiConstants.AUTH_HEADER_NAME);
    if (accessToken == null) {
        return;
    }
    ArrayList tokenCookie = (ArrayList) ((TreeMap) (message.get(Message.PROTOCOL_HEADERS))).get(RestApiConstants.COOKIE_HEADER_NAME);
    if (tokenCookie == null) {
        return;
    }
    String cookie = tokenCookie.get(0).toString();
    if (cookie == null) {
        return;
    }
    cookie = cookie.trim();
    String[] cookies = cookie.split(";");
    String tokenFromCookie = Arrays.stream(cookies).filter(name -> name.contains(RestApiConstants.AUTH_COOKIE_NAME)).findFirst().orElse("");
    String[] tokenParts = tokenFromCookie.split("=");
    if (tokenParts.length == 2) {
        // Append the token section from cookie to token part from Auth header
        accessToken += tokenParts[1];
    }
    TreeMap headers = (TreeMap) message.get(Message.PROTOCOL_HEADERS);
    ArrayList authorizationHeader = new ArrayList<>();
    authorizationHeader.add(0, String.format("Bearer %s", accessToken));
    headers.put(RestApiConstants.AUTH_HEADER_NAME, authorizationHeader);
    message.put(Message.PROTOCOL_HEADERS, headers);
}
Also used : ArrayList(java.util.ArrayList) TreeMap(java.util.TreeMap) MethodStats(org.wso2.carbon.apimgt.rest.api.util.MethodStats)

Aggregations

MethodStats (org.wso2.carbon.apimgt.gateway.MethodStats)15 MethodStats (org.wso2.carbon.apimgt.rest.api.util.MethodStats)11 Axis2MessageContext (org.apache.synapse.core.axis2.Axis2MessageContext)8 APIManagementException (org.wso2.carbon.apimgt.api.APIManagementException)8 APISecurityException (org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException)6 Timer (org.wso2.carbon.metrics.manager.Timer)6 TracingSpan (org.wso2.carbon.apimgt.tracing.TracingSpan)5 TracingTracer (org.wso2.carbon.apimgt.tracing.TracingTracer)5 HashMap (java.util.HashMap)4 Map (java.util.Map)4 ArrayList (java.util.ArrayList)3 List (java.util.List)3 JWTValidationInfo (org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo)3 AuthenticationContext (org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext)3 APIKeyValidationInfoDTO (org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO)3 JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet)2 TreeMap (java.util.TreeMap)2 AuthenticationException (org.apache.cxf.interceptor.security.AuthenticationException)2 Mediator (org.apache.synapse.Mediator)2 AuthenticationResponse (org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse)2