use of org.wso2.carbon.apimgt.impl.kmclient.model.TokenInfo in project carbon-apimgt by wso2.
the class APIConsumerImpl method mapExistingOAuthClient.
/**
* @param jsonString this string will contain oAuth app details
* @param userName user name of logged in user.
* @param clientId this is the consumer key of oAuthApplication
* @param applicationName this is the APIM appication name.
* @param keyType
* @param tokenType this is theApplication Token Type. This can be either default or jwt.
* @param keyManagerName key Manager name
* @return
* @throws APIManagementException
*/
@Override
public Map<String, Object> mapExistingOAuthClient(String jsonString, String userName, String clientId, String applicationName, String keyType, String tokenType, String keyManagerName, String tenantDomain) throws APIManagementException {
String callBackURL = null;
if (StringUtils.isEmpty(tenantDomain)) {
tenantDomain = MultitenantUtils.getTenantDomain(userName);
}
String keyManagerId = null;
KeyManagerConfigurationDTO keyManagerConfiguration = null;
if (keyManagerName != null) {
keyManagerConfiguration = apiMgtDAO.getKeyManagerConfigurationByName(tenantDomain, keyManagerName);
if (keyManagerConfiguration == null) {
keyManagerConfiguration = apiMgtDAO.getKeyManagerConfigurationByUUID(keyManagerName);
if (keyManagerConfiguration != null) {
keyManagerId = keyManagerName;
keyManagerName = keyManagerConfiguration.getName();
}
} else {
keyManagerId = keyManagerConfiguration.getUuid();
}
} else {
keyManagerName = APIConstants.KeyManager.DEFAULT_KEY_MANAGER;
keyManagerConfiguration = apiMgtDAO.getKeyManagerConfigurationByName(tenantDomain, keyManagerName);
keyManagerId = keyManagerConfiguration.getUuid();
}
if (keyManagerConfiguration == null || !keyManagerConfiguration.isEnabled()) {
throw new APIManagementException("Key Manager " + keyManagerName + " doesn't exist in Tenant " + tenantDomain, ExceptionCodes.KEY_MANAGER_NOT_REGISTERED);
}
if (KeyManagerConfiguration.TokenType.EXCHANGED.toString().equals(keyManagerConfiguration.getTokenType())) {
throw new APIManagementException("Key Manager " + keyManagerName + " doesn't support to generate" + " Client Application", ExceptionCodes.KEY_MANAGER_NOT_SUPPORT_OAUTH_APP_CREATION);
}
OAuthAppRequest oauthAppRequest = ApplicationUtils.createOauthAppRequest(applicationName, clientId, callBackURL, "default", jsonString, tokenType, tenantDomain, keyManagerName);
// if clientId is null in the argument `ApplicationUtils#createOauthAppRequest` will set it using
// the props in `jsonString`. Hence we are taking the updated `clientId` here
clientId = oauthAppRequest.getOAuthApplicationInfo().getClientId();
KeyManager keyManager = KeyManagerHolder.getKeyManagerInstance(tenantDomain, keyManagerName);
if (keyManager == null) {
throw new APIManagementException("Key Manager " + keyManagerName + "Couldn't initialized in tenant " + tenantDomain + ".", ExceptionCodes.KEY_MANAGER_NOT_REGISTERED);
}
// Get application ID
int applicationId = apiMgtDAO.getApplicationId(applicationName, userName);
// Checking if clientId is mapped with another application.
if (apiMgtDAO.isKeyMappingExistsForConsumerKeyOrApplication(applicationId, keyManagerName, keyManagerId, keyType, clientId)) {
throw new APIManagementException("Key Mappings already exists for application " + applicationName + " or consumer key " + clientId, ExceptionCodes.KEY_MAPPING_ALREADY_EXIST);
}
if (log.isDebugEnabled()) {
log.debug("Client ID " + clientId + " not mapped previously with another application. No existing " + "key mappings available for application " + applicationName);
}
// createApplication on oAuthorization server.
OAuthApplicationInfo oAuthApplication = isOauthAppValidation() ? keyManager.mapOAuthApplication(oauthAppRequest) : oauthAppRequest.getOAuthApplicationInfo();
// Do application mapping with consumerKey.
String keyMappingId = UUID.randomUUID().toString();
apiMgtDAO.createApplicationKeyTypeMappingForManualClients(keyType, applicationId, clientId, keyManagerId, keyMappingId);
Object enableTokenGeneration = keyManager.getKeyManagerConfiguration().getParameter(APIConstants.KeyManager.ENABLE_TOKEN_GENERATION);
AccessTokenInfo tokenInfo;
if (enableTokenGeneration != null && (Boolean) enableTokenGeneration && oAuthApplication.getJsonString().contains(APIConstants.GRANT_TYPE_CLIENT_CREDENTIALS)) {
AccessTokenRequest tokenRequest = ApplicationUtils.createAccessTokenRequest(keyManager, oAuthApplication, null);
tokenInfo = keyManager.getNewApplicationAccessToken(tokenRequest);
} else {
tokenInfo = new AccessTokenInfo();
tokenInfo.setAccessToken("");
tokenInfo.setValidityPeriod(0L);
String[] noScopes = new String[] { "N/A" };
tokenInfo.setScope(noScopes);
oAuthApplication.addParameter("tokenScope", Arrays.toString(noScopes));
}
Map<String, Object> keyDetails = new HashMap<String, Object>();
if (tokenInfo != null) {
keyDetails.put("validityTime", tokenInfo.getValidityPeriod());
keyDetails.put("accessToken", tokenInfo.getAccessToken());
keyDetails.put("tokenDetails", tokenInfo.getJSONString());
}
keyDetails.put(APIConstants.FrontEndParameterNames.CONSUMER_KEY, oAuthApplication.getClientId());
keyDetails.put(APIConstants.FrontEndParameterNames.CONSUMER_SECRET, oAuthApplication.getParameter("client_secret"));
keyDetails.put(APIConstants.FrontEndParameterNames.CLIENT_DETAILS, oAuthApplication.getJsonString());
keyDetails.put(APIConstants.FrontEndParameterNames.KEY_MAPPING_ID, keyMappingId);
keyDetails.put(APIConstants.FrontEndParameterNames.MODE, APIConstants.OAuthAppMode.MAPPED.name());
return keyDetails;
}
use of org.wso2.carbon.apimgt.impl.kmclient.model.TokenInfo in project carbon-apimgt by wso2.
the class APIConsumerImpl method requestApprovalForApplicationRegistration.
/**
* This method specifically implemented for REST API by removing application and data access logic
* from host object layer. So as per new implementation we need to pass requested scopes to this method
* as tokenScope. So we will do scope related other logic here in this method.
* So host object should only pass required 9 parameters.
*/
@Override
public Map<String, Object> requestApprovalForApplicationRegistration(String userId, Application application, String tokenType, String callbackUrl, String[] allowedDomains, String validityTime, String tokenScope, String jsonString, String keyManagerName, String tenantDomain, boolean isImportMode) throws APIManagementException {
boolean isTenantFlowStarted = false;
if (StringUtils.isEmpty(tenantDomain)) {
tenantDomain = MultitenantUtils.getTenantDomain(userId);
} else {
int tenantId = APIUtil.getInternalOrganizationId(tenantDomain);
// To handle choreo scenario.
if (tenantId == MultitenantConstants.SUPER_TENANT_ID) {
tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
}
}
String keyManagerId = null;
if (keyManagerName != null) {
KeyManagerConfigurationDTO keyManagerConfiguration = apiMgtDAO.getKeyManagerConfigurationByName(tenantDomain, keyManagerName);
if (keyManagerConfiguration == null) {
keyManagerConfiguration = apiMgtDAO.getKeyManagerConfigurationByUUID(keyManagerName);
if (keyManagerConfiguration != null) {
keyManagerId = keyManagerName;
keyManagerName = keyManagerConfiguration.getName();
}
} else {
keyManagerId = keyManagerConfiguration.getUuid();
}
if (keyManagerConfiguration == null || !keyManagerConfiguration.isEnabled()) {
throw new APIManagementException("Key Manager " + keyManagerName + " doesn't exist in Tenant " + tenantDomain, ExceptionCodes.KEY_MANAGER_NOT_REGISTERED);
}
if (KeyManagerConfiguration.TokenType.EXCHANGED.toString().equals(keyManagerConfiguration.getTokenType())) {
throw new APIManagementException("Key Manager " + keyManagerName + " doesn't support to generate" + " Client Application", ExceptionCodes.KEY_MANAGER_NOT_SUPPORT_OAUTH_APP_CREATION);
}
Object enableOauthAppCreation = keyManagerConfiguration.getProperty(APIConstants.KeyManager.ENABLE_OAUTH_APP_CREATION);
if (enableOauthAppCreation != null && !(Boolean) enableOauthAppCreation) {
if (isImportMode) {
log.debug("Importing application when KM OAuth App creation is disabled. Trying to map keys");
// in the `jsonString` and ApplicationUtils#createOauthAppRequest logic handles it.
return mapExistingOAuthClient(jsonString, userId, null, application.getName(), tokenType, APIConstants.DEFAULT_TOKEN_TYPE, keyManagerName, tenantDomain);
} else {
throw new APIManagementException("Key Manager " + keyManagerName + " doesn't support to generate" + " Client Application", ExceptionCodes.KEY_MANAGER_NOT_SUPPORT_OAUTH_APP_CREATION);
}
}
}
try {
if (tenantDomain != null && !MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
isTenantFlowStarted = startTenantFlowForTenantDomain(tenantDomain);
}
// check if there are any existing key mappings set for the application and the key manager.
if (apiMgtDAO.isKeyMappingExistsForApplication(application.getId(), keyManagerName, keyManagerId, tokenType)) {
throw new APIManagementException("Key Mappings already exists for application " + application.getName(), ExceptionCodes.KEY_MAPPING_ALREADY_EXIST);
}
// initiate WorkflowExecutor
WorkflowExecutor appRegistrationWorkflow = null;
// initiate ApplicationRegistrationWorkflowDTO
ApplicationRegistrationWorkflowDTO appRegWFDto = null;
ApplicationKeysDTO appKeysDto = new ApplicationKeysDTO();
boolean isCaseInsensitiveComparisons = Boolean.parseBoolean(getAPIManagerConfiguration().getFirstProperty(APIConstants.API_STORE_FORCE_CI_COMPARISIONS));
boolean isUserAppOwner;
if (isCaseInsensitiveComparisons) {
isUserAppOwner = application.getSubscriber().getName().equalsIgnoreCase(userId);
} else {
isUserAppOwner = application.getSubscriber().getName().equals(userId);
}
if (!isUserAppOwner) {
throw new APIManagementException("user: " + application.getSubscriber().getName() + ", " + "attempted to generate tokens for application owned by: " + userId);
}
// if its a PRODUCTION application.
if (APIConstants.API_KEY_TYPE_PRODUCTION.equals(tokenType)) {
// initiate workflow type. By default simple work flow will be
// executed.
appRegistrationWorkflow = getWorkflowExecutor(WorkflowConstants.WF_TYPE_AM_APPLICATION_REGISTRATION_PRODUCTION);
appRegWFDto = (ApplicationRegistrationWorkflowDTO) WorkflowExecutorFactory.getInstance().createWorkflowDTO(WorkflowConstants.WF_TYPE_AM_APPLICATION_REGISTRATION_PRODUCTION);
} else // if it is a sandBox application.
if (APIConstants.API_KEY_TYPE_SANDBOX.equals(tokenType)) {
// if its a SANDBOX application.
appRegistrationWorkflow = getWorkflowExecutor(WorkflowConstants.WF_TYPE_AM_APPLICATION_REGISTRATION_SANDBOX);
appRegWFDto = (ApplicationRegistrationWorkflowDTO) WorkflowExecutorFactory.getInstance().createWorkflowDTO(WorkflowConstants.WF_TYPE_AM_APPLICATION_REGISTRATION_SANDBOX);
} else {
throw new APIManagementException("Invalid Token Type '" + tokenType + "' requested.");
}
// check whether callback url is empty and set null
if (StringUtils.isBlank(callbackUrl)) {
callbackUrl = null;
}
String applicationTokenType = application.getTokenType();
if (StringUtils.isEmpty(application.getTokenType())) {
applicationTokenType = APIConstants.DEFAULT_TOKEN_TYPE;
}
// Build key manager instance and create oAuthAppRequest by jsonString.
OAuthAppRequest request = ApplicationUtils.createOauthAppRequest(application.getName(), null, callbackUrl, tokenScope, jsonString, applicationTokenType, tenantDomain, keyManagerName);
request.getOAuthApplicationInfo().addParameter(ApplicationConstants.VALIDITY_PERIOD, validityTime);
request.getOAuthApplicationInfo().addParameter(ApplicationConstants.APP_KEY_TYPE, tokenType);
request.getOAuthApplicationInfo().addParameter(ApplicationConstants.APP_CALLBACK_URL, callbackUrl);
request.getOAuthApplicationInfo().setApplicationUUID(application.getUUID());
// Setting request values in WorkflowDTO - In future we should keep
// Application/OAuthApplication related
// information in the respective entities not in the workflowDTO.
appRegWFDto.setStatus(WorkflowStatus.CREATED);
appRegWFDto.setCreatedTime(System.currentTimeMillis());
appRegWFDto.setTenantDomain(tenantDomain);
appRegWFDto.setTenantId(tenantId);
appRegWFDto.setExternalWorkflowReference(appRegistrationWorkflow.generateUUID());
appRegWFDto.setWorkflowReference(appRegWFDto.getExternalWorkflowReference());
appRegWFDto.setApplication(application);
appRegWFDto.setKeyManager(keyManagerId);
request.setMappingId(appRegWFDto.getWorkflowReference());
if (!application.getSubscriber().getName().equals(userId)) {
appRegWFDto.setUserName(application.getSubscriber().getName());
} else {
appRegWFDto.setUserName(userId);
}
appRegWFDto.setCallbackUrl(appRegistrationWorkflow.getCallbackURL());
appRegWFDto.setAppInfoDTO(request);
appRegWFDto.setDomainList(allowedDomains);
appRegWFDto.setKeyDetails(appKeysDto);
appRegistrationWorkflow.execute(appRegWFDto);
Map<String, Object> keyDetails = new HashMap<String, Object>();
keyDetails.put(APIConstants.FrontEndParameterNames.KEY_STATE, appRegWFDto.getStatus().toString());
OAuthApplicationInfo applicationInfo = appRegWFDto.getApplicationInfo();
String keyMappingId = apiMgtDAO.getKeyMappingIdFromApplicationIdKeyTypeAndKeyManager(application.getId(), tokenType, keyManagerId);
keyDetails.put(APIConstants.FrontEndParameterNames.KEY_MAPPING_ID, keyMappingId);
if (applicationInfo != null) {
keyDetails.put(APIConstants.FrontEndParameterNames.CONSUMER_KEY, applicationInfo.getClientId());
keyDetails.put(APIConstants.FrontEndParameterNames.CONSUMER_SECRET, applicationInfo.getClientSecret());
keyDetails.put(ApplicationConstants.OAUTH_APP_DETAILS, applicationInfo.getJsonString());
keyDetails.put(APIConstants.FrontEndParameterNames.MODE, APIConstants.OAuthAppMode.CREATED.name());
}
// There can be instances where generating the Application Token is
// not required. In those cases,
// token info will have nothing.
AccessTokenInfo tokenInfo = appRegWFDto.getAccessTokenInfo();
if (tokenInfo != null) {
keyDetails.put("accessToken", tokenInfo.getAccessToken());
keyDetails.put("validityTime", tokenInfo.getValidityPeriod());
keyDetails.put("tokenDetails", tokenInfo.getJSONString());
keyDetails.put("tokenScope", tokenInfo.getScopes());
}
JSONObject appLogObject = new JSONObject();
appLogObject.put("Generated keys for application", application.getName());
APIUtil.logAuditMessage(APIConstants.AuditLogConstants.APPLICATION, appLogObject.toString(), APIConstants.AuditLogConstants.UPDATED, this.username);
// if its a PRODUCTION application.
if (APIConstants.API_KEY_TYPE_PRODUCTION.equals(tokenType)) {
// get the workflow state once the executor is executed.
WorkflowDTO wfDTO = apiMgtDAO.retrieveWorkflowFromInternalReference(appRegWFDto.getExternalWorkflowReference(), WorkflowConstants.WF_TYPE_AM_APPLICATION_REGISTRATION_PRODUCTION);
// wfDTO is null when simple wf executor is used because wf state is not stored in the db and is always approved.
if (wfDTO != null) {
if (WorkflowStatus.APPROVED.equals(wfDTO.getStatus())) {
ApplicationRegistrationEvent applicationRegistrationEvent = new ApplicationRegistrationEvent(UUID.randomUUID().toString(), System.currentTimeMillis(), APIConstants.EventType.APPLICATION_REGISTRATION_CREATE.name(), tenantId, tenantDomain, application.getId(), application.getUUID(), applicationInfo.getClientId(), tokenType, keyManagerName);
APIUtil.sendNotification(applicationRegistrationEvent, APIConstants.NotifierType.APPLICATION_REGISTRATION.name());
}
} else {
ApplicationRegistrationEvent applicationRegistrationEvent = new ApplicationRegistrationEvent(UUID.randomUUID().toString(), System.currentTimeMillis(), APIConstants.EventType.APPLICATION_REGISTRATION_CREATE.name(), tenantId, tenantDomain, application.getId(), application.getUUID(), applicationInfo.getClientId(), tokenType, keyManagerName);
APIUtil.sendNotification(applicationRegistrationEvent, APIConstants.NotifierType.APPLICATION_REGISTRATION.name());
}
} else if (APIConstants.API_KEY_TYPE_SANDBOX.equals(tokenType)) {
// get the workflow state once the executor is executed.
WorkflowDTO wfDTO = apiMgtDAO.retrieveWorkflowFromInternalReference(appRegWFDto.getExternalWorkflowReference(), WorkflowConstants.WF_TYPE_AM_APPLICATION_REGISTRATION_SANDBOX);
// wfDTO is null when simple wf executor is used because wf state is not stored in the db and is always approved.
if (wfDTO != null) {
if (WorkflowStatus.APPROVED.equals(wfDTO.getStatus())) {
ApplicationRegistrationEvent applicationRegistrationEvent = new ApplicationRegistrationEvent(UUID.randomUUID().toString(), System.currentTimeMillis(), APIConstants.EventType.APPLICATION_REGISTRATION_CREATE.name(), tenantId, tenantDomain, application.getId(), application.getUUID(), applicationInfo.getClientId(), tokenType, keyManagerName);
APIUtil.sendNotification(applicationRegistrationEvent, APIConstants.NotifierType.APPLICATION_REGISTRATION.name());
}
} else {
ApplicationRegistrationEvent applicationRegistrationEvent = new ApplicationRegistrationEvent(UUID.randomUUID().toString(), System.currentTimeMillis(), APIConstants.EventType.APPLICATION_REGISTRATION_CREATE.name(), tenantId, tenantDomain, application.getId(), application.getUUID(), applicationInfo.getClientId(), tokenType, keyManagerName);
APIUtil.sendNotification(applicationRegistrationEvent, APIConstants.NotifierType.APPLICATION_REGISTRATION.name());
}
}
return keyDetails;
} catch (WorkflowException e) {
log.error("Could not execute Workflow", e);
throw new APIManagementException(e);
} finally {
if (isTenantFlowStarted) {
endTenantFlow();
}
}
}
use of org.wso2.carbon.apimgt.impl.kmclient.model.TokenInfo in project carbon-apimgt by wso2.
the class JWTUtil method validateScopes.
/**
* @param message CXF message to be validate
* @param tokenInfo Token information associated with incoming request
* @return return true if we found matching scope in resource and token information
* else false(means scope validation failed).
*/
public static boolean validateScopes(HashMap<String, Object> message, OAuthTokenInfo tokenInfo) {
String basePath = (String) message.get(RestApiConstants.BASE_PATH);
// path is obtained from Message.REQUEST_URI instead of Message.PATH_INFO, as Message.PATH_INFO contains
// decoded values of request parameters
String path = (String) message.get(RestApiConstants.REQUEST_URL);
String verb = (String) message.get(RestApiConstants.REQUEST_METHOD);
String resource = path.substring(basePath.length() - 1);
String[] scopes = tokenInfo.getScopes();
String version = (String) message.get(RestApiConstants.API_VERSION);
// get all the URI templates of the REST API from the base path
Set<URITemplate> uriTemplates = (Set<URITemplate>) message.get(RestApiConstants.URI_TEMPLATES);
if (uriTemplates.isEmpty()) {
if (log.isDebugEnabled()) {
log.debug("No matching scopes found for request with path: " + basePath + ". Skipping scope validation.");
}
return true;
}
for (Object template : uriTemplates.toArray()) {
org.wso2.uri.template.URITemplate templateToValidate = null;
Map<String, String> var = new HashMap<String, String>();
// check scopes with what we have
String templateString = ((URITemplate) template).getUriTemplate();
try {
templateToValidate = new org.wso2.uri.template.URITemplate(templateString);
} catch (URITemplateException e) {
log.error("Error while creating URI Template object to validate request. Template pattern: " + templateString, e);
}
if (templateToValidate != null && templateToValidate.matches(resource, var) && scopes != null && verb != null && verb.equalsIgnoreCase(((URITemplate) template).getHTTPVerb())) {
for (String scope : scopes) {
Scope scp = ((URITemplate) template).getScope();
if (scp != null) {
if (scope.equalsIgnoreCase(scp.getKey())) {
// we found scopes matches
if (log.isDebugEnabled()) {
log.debug("Scope validation successful for access token: " + message.get(RestApiConstants.MASKED_TOKEN) + " with scope: " + scp.getKey() + " for resource path: " + path + " and verb " + verb);
}
return true;
}
} else if (!((URITemplate) template).retrieveAllScopes().isEmpty()) {
List<Scope> scopesList = ((URITemplate) template).retrieveAllScopes();
for (Scope scpObj : scopesList) {
if (scope.equalsIgnoreCase(scpObj.getKey())) {
// we found scopes matches
if (log.isDebugEnabled()) {
log.debug("Scope validation successful for access token: " + message.get(RestApiConstants.MASKED_TOKEN) + " with scope: " + scpObj.getKey() + " for resource path: " + path + " and verb " + verb);
}
return true;
}
}
} else {
if (log.isDebugEnabled()) {
log.debug("Scope not defined in swagger for matching resource " + resource + " and verb " + verb + " . So consider as anonymous permission and let request to continue.");
}
return true;
}
}
}
}
return false;
}
Aggregations