Search in sources :

Example 11 with APISecurityException

use of org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException in project carbon-apimgt by wso2.

the class OAuthAuthenticator method authenticate.

@MethodStats
public AuthenticationResponse authenticate(MessageContext synCtx) throws APIManagementException {
    boolean isJwtToken = false;
    String accessToken = null;
    String remainingAuthHeader = "";
    boolean defaultVersionInvoked = false;
    Map headers = (Map) ((Axis2MessageContext) synCtx).getAxis2MessageContext().getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
    String tenantDomain = GatewayUtils.getTenantDomain();
    keyManagerList = GatewayUtils.getKeyManagers(synCtx);
    if (keyValidator == null) {
        this.keyValidator = new APIKeyValidator();
    }
    if (jwtValidator == null) {
        this.jwtValidator = new JWTValidator(this.keyValidator, tenantDomain);
    }
    config = getApiManagerConfiguration();
    removeOAuthHeadersFromOutMessage = isRemoveOAuthHeadersFromOutMessage();
    securityContextHeader = getSecurityContextHeader();
    if (headers != null) {
        requestOrigin = (String) headers.get("Origin");
        // Extract the access token from auth header
        // From 1.0.7 version of this component onwards remove the OAuth authorization header from
        // the message is configurable. So we dont need to remove headers at this point.
        String authHeader = (String) headers.get(getSecurityHeader());
        if (authHeader == null) {
            if (log.isDebugEnabled()) {
                log.debug("OAuth2 Authentication: Expected authorization header with the name '".concat(getSecurityHeader()).concat("' was not found."));
            }
        } else {
            ArrayList<String> remainingAuthHeaders = new ArrayList<>();
            boolean consumerkeyFound = false;
            String[] splitHeaders = authHeader.split(oauthHeaderSplitter);
            if (splitHeaders != null) {
                for (int i = 0; i < splitHeaders.length; i++) {
                    String[] elements = splitHeaders[i].split(consumerKeySegmentDelimiter);
                    if (elements != null && elements.length > 1) {
                        int j = 0;
                        boolean isConsumerKeyHeaderAvailable = false;
                        for (String element : elements) {
                            if (!"".equals(element.trim())) {
                                if (consumerKeyHeaderSegment.equals(elements[j].trim())) {
                                    isConsumerKeyHeaderAvailable = true;
                                } else if (isConsumerKeyHeaderAvailable) {
                                    accessToken = removeLeadingAndTrailing(elements[j].trim());
                                    consumerkeyFound = true;
                                }
                            }
                            j++;
                        }
                    }
                    if (!consumerkeyFound) {
                        remainingAuthHeaders.add(splitHeaders[i]);
                    } else {
                        consumerkeyFound = false;
                    }
                }
            }
            remainingAuthHeader = String.join(oauthHeaderSplitter, remainingAuthHeaders);
        }
        if (log.isDebugEnabled()) {
            log.debug(accessToken != null ? "Received Token ".concat(accessToken) : "No valid Authorization header found");
        }
        // Check if client invoked the default version API (accessing API without version).
        defaultVersionInvoked = headers.containsKey(defaultAPIHeader);
    }
    if (log.isDebugEnabled()) {
        log.debug("Default Version API invoked");
    }
    if (removeOAuthHeadersFromOutMessage) {
        // Remove authorization headers sent for authentication at the gateway and pass others to the backend
        if (StringUtils.isNotBlank(remainingAuthHeader)) {
            if (log.isDebugEnabled()) {
                log.debug("Removing OAuth key from Authorization header");
            }
            headers.put(getSecurityHeader(), remainingAuthHeader);
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Removing Authorization header from headers");
            }
            headers.remove(getSecurityHeader());
        }
    }
    if (removeDefaultAPIHeaderFromOutMessage) {
        headers.remove(defaultAPIHeader);
    }
    String apiContext = (String) synCtx.getProperty(RESTConstants.REST_API_CONTEXT);
    String apiVersion = (String) synCtx.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION);
    String httpMethod = (String) ((Axis2MessageContext) synCtx).getAxis2MessageContext().getProperty(Constants.Configuration.HTTP_METHOD);
    String matchingResource = (String) synCtx.getProperty(APIConstants.API_ELECTED_RESOURCE);
    SignedJWTInfo signedJWTInfo = null;
    // If the matching resource does not require authentication
    Timer timer = getTimer(MetricManager.name(APIConstants.METRICS_PREFIX, this.getClass().getSimpleName(), "GET_RESOURCE_AUTH"));
    Timer.Context context = timer.start();
    org.apache.axis2.context.MessageContext axis2MessageCtx = ((Axis2MessageContext) synCtx).getAxis2MessageContext();
    org.apache.axis2.context.MessageContext.setCurrentMessageContext(axis2MessageCtx);
    String authenticationScheme;
    try {
        // Initial guess of a JWT token using the presence of a DOT.
        if (StringUtils.isNotEmpty(accessToken) && accessToken.contains(APIConstants.DOT)) {
            try {
                if (StringUtils.countMatches(accessToken, APIConstants.DOT) != 2) {
                    log.debug("Invalid JWT token. The expected token format is <header.payload.signature>");
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
                }
                signedJWTInfo = getSignedJwt(accessToken);
                if (GatewayUtils.isInternalKey(signedJWTInfo.getJwtClaimsSet()) || GatewayUtils.isAPIKey(signedJWTInfo.getJwtClaimsSet())) {
                    log.debug("Invalid Token Provided");
                    return new AuthenticationResponse(false, isMandatory, true, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
                }
                String keyManager = ServiceReferenceHolder.getInstance().getJwtValidationService().getKeyManagerNameIfJwtValidatorExist(signedJWTInfo);
                if (StringUtils.isNotEmpty(keyManager)) {
                    if (log.isDebugEnabled()) {
                        log.debug("KeyManager " + keyManager + "found for authenticate token " + GatewayUtils.getMaskedToken(accessToken));
                    }
                    if (keyManagerList.contains(APIConstants.KeyManager.API_LEVEL_ALL_KEY_MANAGERS) || keyManagerList.contains(keyManager)) {
                        if (log.isDebugEnabled()) {
                            log.debug("Elected KeyManager " + keyManager + "found in API level list " + String.join(",", keyManagerList));
                        }
                        isJwtToken = true;
                    } else {
                        if (log.isDebugEnabled()) {
                            log.debug("Elected KeyManager " + keyManager + " not found in API level list " + String.join(",", keyManagerList));
                        }
                        return new AuthenticationResponse(false, isMandatory, true, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
                    }
                } else {
                    if (log.isDebugEnabled()) {
                        log.debug("KeyManager not found for accessToken " + GatewayUtils.getMaskedToken(accessToken));
                    }
                }
            } catch (ParseException | IllegalArgumentException e) {
                log.debug("Not a JWT token. Failed to decode the token header.", e);
            } catch (APIManagementException e) {
                log.error("error while check validation of JWt", e);
                return new AuthenticationResponse(false, isMandatory, true, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
            }
        }
        authenticationScheme = getAPIKeyValidator().getResourceAuthenticationScheme(synCtx);
    } catch (APISecurityException ex) {
        return new AuthenticationResponse(false, isMandatory, true, ex.getErrorCode(), ex.getMessage());
    }
    context.stop();
    APIKeyValidationInfoDTO info;
    if (APIConstants.NO_MATCHING_AUTH_SCHEME.equals(authenticationScheme)) {
        info = new APIKeyValidationInfoDTO();
        info.setAuthorized(false);
        info.setValidationStatus(900906);
    } else if (accessToken == null || apiContext == null || apiVersion == null) {
        if (log.isDebugEnabled()) {
            if (accessToken == null) {
                log.debug("OAuth headers not found");
            } else if (apiContext == null) {
                log.debug("Couldn't find API Context");
            } else {
                log.debug("Could not find api version");
            }
        }
        return new AuthenticationResponse(false, isMandatory, true, APISecurityConstants.API_AUTH_MISSING_CREDENTIALS, "Required OAuth credentials not provided");
    } else {
        // Start JWT token validation
        if (isJwtToken) {
            try {
                AuthenticationContext authenticationContext = jwtValidator.authenticate(signedJWTInfo, synCtx);
                APISecurityUtils.setAuthenticationContext(synCtx, authenticationContext, securityContextHeader);
                log.debug("User is authorized using JWT token to access the resource.");
                synCtx.setProperty(APIMgtGatewayConstants.END_USER_NAME, authenticationContext.getUsername());
                return new AuthenticationResponse(true, isMandatory, false, 0, null);
            } catch (APISecurityException ex) {
                return new AuthenticationResponse(false, isMandatory, true, ex.getErrorCode(), ex.getMessage());
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Matching resource is: ".concat(matchingResource));
        }
        timer = getTimer(MetricManager.name(APIConstants.METRICS_PREFIX, this.getClass().getSimpleName(), "GET_KEY_VALIDATION_INFO"));
        context = timer.start();
        try {
            info = getAPIKeyValidator().getKeyValidationInfo(apiContext, accessToken, apiVersion, authenticationScheme, matchingResource, httpMethod, defaultVersionInvoked, keyManagerList);
        } catch (APISecurityException ex) {
            return new AuthenticationResponse(false, isMandatory, true, ex.getErrorCode(), ex.getMessage());
        }
        context.stop();
        synCtx.setProperty(APIMgtGatewayConstants.APPLICATION_NAME, info.getApplicationName());
        synCtx.setProperty(APIMgtGatewayConstants.END_USER_NAME, info.getEndUserName());
        synCtx.setProperty(APIMgtGatewayConstants.SCOPES, info.getScopes() == null ? null : info.getScopes().toString());
    }
    if (info.isAuthorized()) {
        AuthenticationContext authContext = new AuthenticationContext();
        authContext.setAuthenticated(true);
        authContext.setTier(info.getTier());
        authContext.setApiKey(accessToken);
        authContext.setKeyType(info.getType());
        if (info.getEndUserName() != null) {
            authContext.setUsername(info.getEndUserName());
        } else {
            authContext.setUsername(APIConstants.END_USER_ANONYMOUS);
        }
        authContext.setCallerToken(info.getEndUserToken());
        authContext.setApplicationId(info.getApplicationId());
        authContext.setApplicationUUID(info.getApplicationUUID());
        authContext.setApplicationName(info.getApplicationName());
        authContext.setApplicationTier(info.getApplicationTier());
        authContext.setSubscriber(info.getSubscriber());
        authContext.setConsumerKey(info.getConsumerKey());
        authContext.setApiTier(info.getApiTier());
        authContext.setThrottlingDataList(info.getThrottlingDataList());
        authContext.setSubscriberTenantDomain(info.getSubscriberTenantDomain());
        authContext.setSpikeArrestLimit(info.getSpikeArrestLimit());
        authContext.setSpikeArrestUnit(info.getSpikeArrestUnit());
        authContext.setStopOnQuotaReach(info.isStopOnQuotaReach());
        authContext.setIsContentAware(info.isContentAware());
        APISecurityUtils.setAuthenticationContext(synCtx, authContext, securityContextHeader);
        if (info.getProductName() != null && info.getProductProvider() != null) {
            authContext.setProductName(info.getProductName());
            authContext.setProductProvider(info.getProductProvider());
        }
        /* Synapse properties required for BAM Mediator*/
        // String tenantDomain = MultitenantUtils.getTenantDomain(info.getApiPublisher());
        synCtx.setProperty("api.ut.apiPublisher", info.getApiPublisher());
        synCtx.setProperty("API_NAME", info.getApiName());
        /* GraphQL Query Analysis Information */
        if (APIConstants.GRAPHQL_API.equals(synCtx.getProperty(APIConstants.API_TYPE))) {
            synCtx.setProperty(APIConstants.MAXIMUM_QUERY_DEPTH, info.getGraphQLMaxDepth());
            synCtx.setProperty(APIConstants.MAXIMUM_QUERY_COMPLEXITY, info.getGraphQLMaxComplexity());
        }
        if (log.isDebugEnabled()) {
            log.debug("User is authorized to access the Resource");
        }
        return new AuthenticationResponse(true, isMandatory, false, 0, null);
    } else {
        if (log.isDebugEnabled()) {
            log.debug("User is NOT authorized to access the Resource");
        }
        return new AuthenticationResponse(false, isMandatory, true, info.getValidationStatus(), "Access failure for API: " + apiContext + ", version: " + apiVersion + " status: (" + info.getValidationStatus() + ") - " + APISecurityConstants.getAuthenticationFailureMessage(info.getValidationStatus()));
    }
}
Also used : APISecurityException(org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException) AuthenticationContext(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext) APIKeyValidator(org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator) ArrayList(java.util.ArrayList) AuthenticationResponse(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse) Timer(org.wso2.carbon.metrics.manager.Timer) APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException) ParseException(java.text.ParseException) JWTValidator(org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator) SignedJWTInfo(org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo) Map(java.util.Map) TreeMap(java.util.TreeMap) APIKeyValidationInfoDTO(org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO) Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext) MethodStats(org.wso2.carbon.apimgt.gateway.MethodStats)

Example 12 with APISecurityException

use of org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException in project carbon-apimgt by wso2.

the class ApiKeyAuthenticator method authenticate.

@Override
public AuthenticationResponse authenticate(MessageContext synCtx) {
    if (log.isDebugEnabled()) {
        log.info("ApiKey Authentication initialized");
    }
    try {
        // Extract apikey from the request while removing it from the msg context.
        String apiKey = extractApiKey(synCtx);
        JWTTokenPayloadInfo payloadInfo = null;
        if (jwtConfigurationDto == null) {
            jwtConfigurationDto = ServiceReferenceHolder.getInstance().getAPIManagerConfiguration().getJwtConfigurationDto();
        }
        if (jwtGenerationEnabled == null) {
            jwtGenerationEnabled = jwtConfigurationDto.isEnabled();
        }
        if (apiMgtGatewayJWTGenerator == null) {
            apiMgtGatewayJWTGenerator = ServiceReferenceHolder.getInstance().getApiMgtGatewayJWTGenerator().get(jwtConfigurationDto.getGatewayJWTGeneratorImpl());
        }
        String[] splitToken = apiKey.split("\\.");
        JWSHeader decodedHeader;
        JWTClaimsSet payload = null;
        SignedJWT signedJWT = null;
        String tokenIdentifier, certAlias;
        if (splitToken.length != 3) {
            log.error("Api Key does not have the format {header}.{payload}.{signature} ");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
        }
        signedJWT = SignedJWT.parse(apiKey);
        payload = signedJWT.getJWTClaimsSet();
        decodedHeader = signedJWT.getHeader();
        tokenIdentifier = payload.getJWTID();
        // Check if the decoded header contains type as 'JWT'.
        if (!JOSEObjectType.JWT.equals(decodedHeader.getType())) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid Api Key token type. Api Key: " + GatewayUtils.getMaskedToken(splitToken[0]));
            }
            log.error("Invalid Api Key token type.");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
        }
        if (!GatewayUtils.isAPIKey(payload)) {
            log.error("Invalid Api Key. Internal Key Sent");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
        }
        if (decodedHeader.getKeyID() == null) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid Api Key. Could not find alias in header. Api Key: " + GatewayUtils.getMaskedToken(splitToken[0]));
            }
            log.error("Invalid Api Key. Could not find alias in header");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
        } else {
            certAlias = decodedHeader.getKeyID();
        }
        String apiContext = (String) synCtx.getProperty(RESTConstants.REST_API_CONTEXT);
        String apiVersion = (String) synCtx.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION);
        String httpMethod = (String) ((Axis2MessageContext) synCtx).getAxis2MessageContext().getProperty(Constants.Configuration.HTTP_METHOD);
        String matchingResource = (String) synCtx.getProperty(APIConstants.API_ELECTED_RESOURCE);
        OpenAPI openAPI = (OpenAPI) synCtx.getProperty(APIMgtGatewayConstants.OPEN_API_OBJECT);
        if (openAPI == null && !APIConstants.GRAPHQL_API.equals(synCtx.getProperty(APIConstants.API_TYPE))) {
            log.error("Swagger is missing in the gateway. " + "Therefore, Api Key authentication cannot be performed.");
            return new AuthenticationResponse(false, isMandatory, true, APISecurityConstants.API_AUTH_MISSING_OPEN_API_DEF, APISecurityConstants.API_AUTH_MISSING_OPEN_API_DEF_ERROR_MESSAGE);
        }
        String resourceCacheKey = APIUtil.getResourceInfoDTOCacheKey(apiContext, apiVersion, matchingResource, httpMethod);
        VerbInfoDTO verbInfoDTO = new VerbInfoDTO();
        verbInfoDTO.setHttpVerb(httpMethod);
        // Not doing resource level authentication
        verbInfoDTO.setAuthType(APIConstants.AUTH_NO_AUTHENTICATION);
        verbInfoDTO.setRequestKey(resourceCacheKey);
        verbInfoDTO.setThrottling(OpenAPIUtils.getResourceThrottlingTier(openAPI, synCtx));
        List<VerbInfoDTO> verbInfoList = new ArrayList<>();
        verbInfoList.add(verbInfoDTO);
        synCtx.setProperty(APIConstants.VERB_INFO_DTO, verbInfoList);
        String cacheKey = GatewayUtils.getAccessTokenCacheKey(tokenIdentifier, apiContext, apiVersion, matchingResource, httpMethod);
        String tenantDomain = GatewayUtils.getTenantDomain();
        boolean isVerified = false;
        // Validate from cache
        if (isGatewayTokenCacheEnabled == null) {
            isGatewayTokenCacheEnabled = GatewayUtils.isGatewayTokenCacheEnabled();
        }
        if (isGatewayTokenCacheEnabled) {
            String cacheToken = (String) getGatewayApiKeyCache().get(tokenIdentifier);
            if (cacheToken != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Api Key retrieved from the Api Key cache.");
                }
                if (getGatewayApiKeyDataCache().get(cacheKey) != null) {
                    // Token is found in the key cache
                    payloadInfo = (JWTTokenPayloadInfo) getGatewayApiKeyDataCache().get(cacheKey);
                    String accessToken = payloadInfo.getAccessToken();
                    if (!accessToken.equals(apiKey)) {
                        isVerified = false;
                    } else {
                        isVerified = true;
                    }
                }
            } else if (getInvalidGatewayApiKeyCache().get(tokenIdentifier) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Api Key retrieved from the invalid Api Key cache. Api Key: " + GatewayUtils.getMaskedToken(splitToken[0]));
                }
                log.error("Invalid Api Key." + GatewayUtils.getMaskedToken(splitToken[0]));
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
            } else if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(tokenIdentifier)) {
                if (log.isDebugEnabled()) {
                    log.debug("Token retrieved from the revoked jwt token map. Token: " + GatewayUtils.getMaskedToken(splitToken[0]));
                }
                log.error("Invalid API Key. " + GatewayUtils.getMaskedToken(splitToken[0]));
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid API Key");
            }
        } else {
            if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(tokenIdentifier)) {
                if (log.isDebugEnabled()) {
                    log.debug("Token retrieved from the revoked jwt token map. Token: " + GatewayUtils.getMaskedToken(splitToken[0]));
                }
                log.error("Invalid JWT token. " + GatewayUtils.getMaskedToken(splitToken[0]));
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
            }
        }
        // Not found in cache or caching disabled
        if (!isVerified) {
            if (log.isDebugEnabled()) {
                log.debug("Api Key not found in the cache.");
            }
            try {
                signedJWT = (SignedJWT) JWTParser.parse(apiKey);
                payload = signedJWT.getJWTClaimsSet();
            } catch (JSONException | IllegalArgumentException | ParseException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid Api Key. Api Key: " + GatewayUtils.getMaskedToken(splitToken[0]), e);
                }
                log.error("Invalid JWT token. Failed to decode the Api Key body.");
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE, e);
            }
            try {
                isVerified = GatewayUtils.verifyTokenSignature(signedJWT, certAlias);
            } catch (APISecurityException e) {
                if (e.getErrorCode() == APISecurityConstants.API_AUTH_INVALID_CREDENTIALS) {
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
                } else {
                    throw e;
                }
            }
            if (isGatewayTokenCacheEnabled) {
                // Add token to tenant token cache
                if (isVerified) {
                    getGatewayApiKeyCache().put(tokenIdentifier, tenantDomain);
                } else {
                    getInvalidGatewayApiKeyCache().put(tokenIdentifier, tenantDomain);
                }
                if (!MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
                    try {
                        // Start super tenant flow
                        PrivilegedCarbonContext.startTenantFlow();
                        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, true);
                        // Add token to super tenant token cache
                        if (isVerified) {
                            getGatewayApiKeyCache().put(tokenIdentifier, tenantDomain);
                        } else {
                            getInvalidGatewayApiKeyCache().put(tokenIdentifier, tenantDomain);
                        }
                    } finally {
                        PrivilegedCarbonContext.endTenantFlow();
                    }
                }
            }
        }
        // If Api Key signature is verified
        if (isVerified) {
            if (log.isDebugEnabled()) {
                log.debug("Api Key signature is verified.");
            }
            if (isGatewayTokenCacheEnabled && payloadInfo != null) {
                // Api Key is found in the key cache
                payload = payloadInfo.getPayload();
                if (isJwtTokenExpired(payload)) {
                    getGatewayApiKeyCache().remove(tokenIdentifier);
                    getInvalidGatewayApiKeyCache().put(tokenIdentifier, tenantDomain);
                    log.error("Api Key is expired");
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
                }
                validateAPIKeyRestrictions(payload, synCtx);
            } else {
                // Retrieve payload from ApiKey
                if (log.isDebugEnabled()) {
                    log.debug("ApiKey payload not found in the cache.");
                }
                if (payload == null) {
                    try {
                        signedJWT = (SignedJWT) JWTParser.parse(apiKey);
                        payload = signedJWT.getJWTClaimsSet();
                    } catch (JSONException | IllegalArgumentException | ParseException e) {
                        if (log.isDebugEnabled()) {
                            log.debug("Invalid ApiKey. ApiKey: " + GatewayUtils.getMaskedToken(splitToken[0]));
                        }
                        log.error("Invalid Api Key. Failed to decode the Api Key body.");
                        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE, e);
                    }
                }
                if (isJwtTokenExpired(payload)) {
                    if (isGatewayTokenCacheEnabled) {
                        getGatewayApiKeyCache().remove(tokenIdentifier);
                        getInvalidGatewayApiKeyCache().put(tokenIdentifier, tenantDomain);
                    }
                    log.error("Api Key is expired");
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
                }
                validateAPIKeyRestrictions(payload, synCtx);
                if (isGatewayTokenCacheEnabled) {
                    JWTTokenPayloadInfo jwtTokenPayloadInfo = new JWTTokenPayloadInfo();
                    jwtTokenPayloadInfo.setPayload(payload);
                    jwtTokenPayloadInfo.setAccessToken(apiKey);
                    getGatewayApiKeyDataCache().put(cacheKey, jwtTokenPayloadInfo);
                }
            }
            net.minidev.json.JSONObject api = GatewayUtils.validateAPISubscription(apiContext, apiVersion, payload, splitToken, false);
            if (log.isDebugEnabled()) {
                log.debug("Api Key authentication successful.");
            }
            String endUserToken = null;
            String contextHeader = null;
            if (jwtGenerationEnabled) {
                SignedJWTInfo signedJWTInfo = new SignedJWTInfo(apiKey, signedJWT, payload);
                JWTValidationInfo jwtValidationInfo = getJwtValidationInfo(signedJWTInfo);
                JWTInfoDto jwtInfoDto = GatewayUtils.generateJWTInfoDto(api, jwtValidationInfo, null, synCtx);
                endUserToken = generateAndRetrieveBackendJWTToken(tokenIdentifier, jwtInfoDto);
                contextHeader = getContextHeader();
            }
            AuthenticationContext authenticationContext;
            authenticationContext = GatewayUtils.generateAuthenticationContext(tokenIdentifier, payload, api, getApiLevelPolicy(), endUserToken, synCtx);
            APISecurityUtils.setAuthenticationContext(synCtx, authenticationContext, contextHeader);
            if (log.isDebugEnabled()) {
                log.debug("User is authorized to access the resource using Api Key.");
            }
            return new AuthenticationResponse(true, isMandatory, false, 0, null);
        }
        if (log.isDebugEnabled()) {
            log.debug("Api Key signature verification failure. Api Key: " + GatewayUtils.getMaskedToken(splitToken[0]));
        }
        log.error("Invalid Api Key. Signature verification failed.");
        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
    } catch (APISecurityException e) {
        return new AuthenticationResponse(false, isMandatory, true, e.getErrorCode(), e.getMessage());
    } catch (ParseException e) {
        log.error("Error while parsing API Key", e);
        return new AuthenticationResponse(false, isMandatory, true, APISecurityConstants.API_AUTH_GENERAL_ERROR, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
    }
}
Also used : APISecurityException(org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException) JWTTokenPayloadInfo(org.wso2.carbon.apimgt.gateway.dto.JWTTokenPayloadInfo) AuthenticationContext(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext) ArrayList(java.util.ArrayList) SignedJWT(com.nimbusds.jwt.SignedJWT) JWTValidationInfo(org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo) SignedJWTInfo(org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo) JWSHeader(com.nimbusds.jose.JWSHeader) Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext) JWTInfoDto(org.wso2.carbon.apimgt.common.gateway.dto.JWTInfoDto) JSONException(org.json.JSONException) AuthenticationResponse(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse) VerbInfoDTO(org.wso2.carbon.apimgt.impl.dto.VerbInfoDTO) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) ParseException(java.text.ParseException) OpenAPI(io.swagger.v3.oas.models.OpenAPI)

Example 13 with APISecurityException

use of org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException in project carbon-apimgt by wso2.

the class MutualSSLAuthenticator method authenticate.

@Override
public AuthenticationResponse authenticate(MessageContext messageContext) {
    org.apache.axis2.context.MessageContext axis2MessageContext = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
    // try to retrieve the certificate
    X509Certificate sslCertObject;
    try {
        sslCertObject = Utils.getClientCertificate(axis2MessageContext);
        if (!APIUtil.isCertificateExistsInListenerTrustStore(sslCertObject)) {
            log.debug("Certificate in Header didn't exist in truststore");
            sslCertObject = null;
        }
    } catch (APIManagementException e) {
        return new AuthenticationResponse(false, isMandatory, !isMandatory, APISecurityConstants.API_AUTH_GENERAL_ERROR, e.getMessage());
    }
    /* If the certificate cannot be retrieved from the axis2Message context, then mutual SSL authentication has
         not happened in transport level.*/
    if (sslCertObject == null) {
        if (log.isDebugEnabled()) {
            log.debug("Mutual SSL authentication has not happened in the transport level for the API " + getAPIIdentifier(messageContext).toString() + ", hence API invocation is not allowed");
        }
        if (isMandatory) {
            log.error("Mutual SSL authentication failure");
        }
        return new AuthenticationResponse(false, isMandatory, !isMandatory, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
    } else {
        try {
            setAuthContext(messageContext, sslCertObject);
        } catch (APISecurityException ex) {
            return new AuthenticationResponse(false, isMandatory, !isMandatory, ex.getErrorCode(), ex.getMessage());
        }
    }
    return new AuthenticationResponse(true, isMandatory, true, 0, null);
}
Also used : APISecurityException(org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException) APIManagementException(org.wso2.carbon.apimgt.api.APIManagementException) AuthenticationResponse(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse) X509Certificate(javax.security.cert.X509Certificate) Axis2MessageContext(org.apache.synapse.core.axis2.Axis2MessageContext)

Example 14 with APISecurityException

use of org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException in project carbon-apimgt by wso2.

the class MutualSSLAuthenticator method setAuthContext.

/**
 * To set the authentication context in current message context.
 *
 * @param messageContext Relevant message context.
 * @param x509Certificate  SSL certificate.
 * @throws APISecurityException API Security Exception.
 */
private void setAuthContext(MessageContext messageContext, X509Certificate x509Certificate) throws APISecurityException {
    String subjectDN = x509Certificate.getSubjectDN().getName();
    String uniqueIdentifier = (x509Certificate.getSerialNumber() + "_" + x509Certificate.getIssuerDN()).replaceAll(",", "#").replaceAll("\"", "'").trim();
    String tier = certificates.get(uniqueIdentifier);
    if (StringUtils.isEmpty(tier)) {
        if (log.isDebugEnabled()) {
            log.debug("The client certificate presented is available in gateway, however it was not added against " + "the API " + getAPIIdentifier(messageContext));
        }
        if (isMandatory) {
            log.error("Mutual SSL authentication failure. API is not associated with the certificate");
        }
        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
    }
    AuthenticationContext authContext = new AuthenticationContext();
    authContext.setAuthenticated(true);
    authContext.setUsername(subjectDN);
    try {
        LdapName ldapDN = new LdapName(subjectDN);
        for (Rdn rdn : ldapDN.getRdns()) {
            if (APIConstants.CERTIFICATE_COMMON_NAME.equalsIgnoreCase(rdn.getType())) {
                authContext.setUsername((String) rdn.getValue());
            }
        }
    } catch (InvalidNameException e) {
        log.warn("Cannot get the CN name from certificate:" + e.getMessage() + ". Please make sure the " + "certificate to include a proper common name that follows naming convention.");
        authContext.setUsername(subjectDN);
    }
    authContext.setApiTier(apiLevelPolicy);
    APIIdentifier apiIdentifier = getAPIIdentifier(messageContext);
    authContext.setKeyType(APIConstants.API_KEY_TYPE_PRODUCTION);
    authContext.setStopOnQuotaReach(true);
    authContext.setApiKey(uniqueIdentifier + "_" + apiIdentifier.toString());
    authContext.setTier(tier);
    /* For the mutual SSL based authenticated request, the resource level throttling is not considered, hence
        assigning the unlimited tier for that. */
    List<VerbInfoDTO> verbInfoList = new ArrayList<>(1);
    VerbInfoDTO verbInfoDTO = new VerbInfoDTO();
    verbInfoDTO.setThrottling(APIConstants.UNLIMITED_TIER);
    verbInfoList.add(verbInfoDTO);
    messageContext.setProperty(APIConstants.VERB_INFO_DTO, verbInfoList);
    if (log.isDebugEnabled()) {
        log.debug("Auth context for the API " + getAPIIdentifier(messageContext) + ": Username[" + authContext.getUsername() + "APIKey[(" + authContext.getApiKey() + "] Tier[" + authContext.getTier() + "]");
    }
    APISecurityUtils.setAuthenticationContext(messageContext, authContext, null);
}
Also used : APISecurityException(org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException) AuthenticationContext(org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext) InvalidNameException(javax.naming.InvalidNameException) VerbInfoDTO(org.wso2.carbon.apimgt.impl.dto.VerbInfoDTO) ArrayList(java.util.ArrayList) APIIdentifier(org.wso2.carbon.apimgt.api.model.APIIdentifier) Rdn(javax.naming.ldap.Rdn) LdapName(javax.naming.ldap.LdapName)

Example 15 with APISecurityException

use of org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException in project carbon-apimgt by wso2.

the class APIAuthenticationHandler method isAuthenticate.

/**
 * Authenticates the given request using the authenticators which have been initialized.
 *
 * @param messageContext The message to be authenticated
 * @return true if the authentication is successful (never returns false)
 * @throws APISecurityException If an authentication failure or some other error occurs
 */
protected boolean isAuthenticate(MessageContext messageContext) throws APISecurityException, APIManagementException {
    boolean authenticated = false;
    AuthenticationResponse authenticationResponse;
    List<AuthenticationResponse> authResponses = new ArrayList<>();
    for (Authenticator authenticator : authenticators) {
        authenticationResponse = authenticator.authenticate(messageContext);
        if (authenticationResponse.isMandatoryAuthentication()) {
            // Update authentication status only if the authentication is a mandatory one
            authenticated = authenticationResponse.isAuthenticated();
        }
        if (!authenticationResponse.isAuthenticated()) {
            authResponses.add(authenticationResponse);
        }
        if (!authenticationResponse.isContinueToNextAuthenticator()) {
            break;
        }
    }
    if (!authenticated) {
        Pair<Integer, String> error = getError(authResponses);
        throw new APISecurityException(error.getKey(), error.getValue());
    }
    return true;
}
Also used : ArrayList(java.util.ArrayList) OAuthAuthenticator(org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator) BasicAuthAuthenticator(org.wso2.carbon.apimgt.gateway.handlers.security.basicauth.BasicAuthAuthenticator) InternalAPIKeyAuthenticator(org.wso2.carbon.apimgt.gateway.handlers.security.authenticator.InternalAPIKeyAuthenticator) MutualSSLAuthenticator(org.wso2.carbon.apimgt.gateway.handlers.security.authenticator.MutualSSLAuthenticator) ApiKeyAuthenticator(org.wso2.carbon.apimgt.gateway.handlers.security.apikey.ApiKeyAuthenticator)

Aggregations

APISecurityException (org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException)34 Test (org.junit.Test)28 PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)28 APIKeyValidationInfoDTO (org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO)28 Axis2MessageContext (org.apache.synapse.core.axis2.Axis2MessageContext)26 Cache (javax.cache.Cache)22 AuthenticationContext (org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext)16 JWTValidationInfo (org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo)15 APIKeyValidator (org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator)15 MessageContext (org.apache.synapse.MessageContext)14 APIManagerConfiguration (org.wso2.carbon.apimgt.impl.APIManagerConfiguration)14 SignedJWTInfo (org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo)12 SignedJWT (com.nimbusds.jwt.SignedJWT)11 HashMap (java.util.HashMap)11 VerbInfoDTO (org.wso2.carbon.apimgt.impl.dto.VerbInfoDTO)11 ArrayList (java.util.ArrayList)10 APIManagementException (org.wso2.carbon.apimgt.api.APIManagementException)10 ExtendedJWTConfigurationDto (org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto)10 JWTValidationService (org.wso2.carbon.apimgt.impl.jwt.JWTValidationService)10 TokenValidationContext (org.wso2.carbon.apimgt.keymgt.service.TokenValidationContext)10