refactors JWT authenticator to pick tenant-specific key store

4.x.x
ayyoob 9 years ago
parent ace6c2dbfc
commit 2ceff61811

@ -78,7 +78,10 @@ public class APIPublisherServiceImpl implements APIPublisherService {
+ api.getId().getVersion() + "'"); + api.getId().getVersion() + "'");
} }
} else { } else {
api.setStatus(provider.getAPI(api.getId()).getStatus()); if (provider.getAPI(api.getId()).getStatus() == APIStatus.CREATED) {
provider.changeLifeCycleStatus(api.getId(), PUBLISH_ACTION);
}
api.setStatus(APIStatus.PUBLISHED);
provider.updateAPI(api); provider.updateAPI(api);
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("An API already exists with the name '" + api.getId().getApiName() + log.debug("An API already exists with the name '" + api.getId().getApiName() +
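Review bot: `api.setStatus(APIStatus.PUBLISHED)` on the line after the CREATED check runs for every pre-existing API, so an API whose lifecycle state is something other than CREATED or PUBLISHED (blocked, deprecated, retired) is pushed through `provider.updateAPI(api)` carrying a status that was never reached by a lifecycle transition. If `updateAPI` persists that field, the stored status and the lifecycle disagree after the next deploy; only the CREATED case actually calls `changeLifeCycleStatus`. If the intent is to auto-publish only never-published APIs, moving the `setStatus` inside the `if` and otherwise keeping the removed `api.setStatus(provider.getAPI(api.getId()).getStatus());` keeps the two consistent. The enclosing method starts and ends outside this hunk.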

@ -18,6 +18,7 @@
package org.wso2.carbon.apimgt.webapp.publisher; package org.wso2.carbon.apimgt.webapp.publisher;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.api.APIManagementException; import org.wso2.carbon.apimgt.api.APIManagementException;
@ -111,7 +112,8 @@ public class APIPublisherUtil {
// adding scopes to the api // adding scopes to the api
Set<URITemplate> uriTemplates = config.getUriTemplates(); Set<URITemplate> uriTemplates = config.getUriTemplates();
Map<String, Scope> apiScopes = new HashMap<>(); Map<String, Scope> apiScopes = new HashMap<>();
Scope existingScope;
String existingPermissions;
if (uriTemplates != null) { if (uriTemplates != null) {
// this creates distinct scopes list // this creates distinct scopes list
for (URITemplate template : uriTemplates) { for (URITemplate template : uriTemplates) {
@ -119,6 +121,12 @@ public class APIPublisherUtil {
if (scope != null) { if (scope != null) {
if (apiScopes.get(scope.getKey()) == null) { if (apiScopes.get(scope.getKey()) == null) {
apiScopes.put(scope.getKey(), scope); apiScopes.put(scope.getKey(), scope);
} else {
existingScope = apiScopes.get(scope.getKey());
existingPermissions = existingScope.getRoles();
existingPermissions = getDistinctPermissions(existingPermissions + "," + scope.getRoles());
existingScope.setRoles(existingPermissions);
apiScopes.put(scope.getKey(), existingScope);
} }
} }
} }
@ -300,4 +308,9 @@ public class APIPublisherUtil {
return apiConfig; return apiConfig;
} }
private static String getDistinctPermissions(String permissions) {
String[] unique = new HashSet<String>(Arrays.asList(permissions.split(","))).toArray(new String[0]);
return StringUtils.join(unique, ",");
}
} }
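Review bot: `getDistinctPermissions` at the end of the class dedups by exact string, so the merge branch added earlier (`existingPermissions + "," + scope.getRoles()`) yields a literal `"null"` role when a scope has no roles, keeps whitespace variants (`"admin"` vs `" admin"`) as separate entries, and because it goes through a plain `HashSet` the order of the joined role list is not deterministic between runs. Since this string decides which roles are granted a scope, I would normalize before merging: skip null or blank roles, trim each token, and keep first-seen order, e.g. `String[] unique = Arrays.stream(permissions.split(",")).map(String::trim).filter(s -> !s.isEmpty()).distinct().toArray(String[]::new);` if the module targets Java 8, or a `LinkedHashSet` with the same trim/filter otherwise. The explicit `new HashSet<String>(...)` could also use the diamond form already used for `apiScopes` above. A one-line Javadoc stating that the result is a comma-separated, de-duplicated role list would help the next reader of the merge branch.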

@ -117,7 +117,10 @@
org.apache.axiom.soap.impl.builder, org.apache.axiom.soap.impl.builder,
org.apache.axiom.om, org.apache.axiom.om,
org.apache.axiom.om.impl.builder, org.apache.axiom.om.impl.builder,
org.apache.axiom.om.util org.apache.axiom.om.util,
org.wso2.carbon.registry.core.*,
org.wso2.carbon.registry.common.*;version="${carbon.registry.imp.pkg.version.range}",
org.wso2.carbon.registry.indexing.*; version="${carbon.registry.imp.pkg.version.range}",
</Import-Package> </Import-Package>
</instructions> </instructions>
</configuration> </configuration>
@ -214,6 +217,14 @@
<groupId>commons-pool.wso2</groupId> <groupId>commons-pool.wso2</groupId>
<artifactId>commons-pool</artifactId> <artifactId>commons-pool</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.wso2.carbon.registry</groupId>
<artifactId>org.wso2.carbon.registry.indexing</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.registry.core</artifactId>
</dependency>
</dependencies> </dependencies>
</project> </project>
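Review bot: `org.wso2.carbon.registry.core.*` in the new Import-Package entries carries no version range while the two registry packages right after it pin `${carbon.registry.imp.pkg.version.range}`, so the bundle resolves against whichever registry.core export happens to be present at runtime. For consistency with its siblings, and to avoid a silent core/indexing version mismatch, the entry should probably read `org.wso2.carbon.registry.core.*;version="${carbon.registry.imp.pkg.version.range}",`. The two new `<dependency>` elements omit `<version>`, which is fine only if the parent POM's dependencyManagement declares them; that is not visible here.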

@ -21,6 +21,8 @@ package org.wso2.carbon.webapp.authenticator.framework;
import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
import org.wso2.carbon.device.mgt.core.scep.SCEPManager; import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService; import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
import org.wso2.carbon.registry.indexing.service.TenantIndexingLoader;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
public class AuthenticatorFrameworkDataHolder { public class AuthenticatorFrameworkDataHolder {
@ -30,6 +32,8 @@ public class AuthenticatorFrameworkDataHolder {
private CertificateManagementService certificateManagementService; private CertificateManagementService certificateManagementService;
private SCEPManager scepManager; private SCEPManager scepManager;
private OAuth2TokenValidationService oAuth2TokenValidationService; private OAuth2TokenValidationService oAuth2TokenValidationService;
private TenantIndexingLoader tenantIndexingLoader;
private TenantRegistryLoader tenantRegistryLoader;
private static AuthenticatorFrameworkDataHolder private static AuthenticatorFrameworkDataHolder
thisInstance = new AuthenticatorFrameworkDataHolder(); thisInstance = new AuthenticatorFrameworkDataHolder();
@ -92,4 +96,21 @@ public class AuthenticatorFrameworkDataHolder {
OAuth2TokenValidationService oAuth2TokenValidationService) { OAuth2TokenValidationService oAuth2TokenValidationService) {
this.oAuth2TokenValidationService = oAuth2TokenValidationService; this.oAuth2TokenValidationService = oAuth2TokenValidationService;
} }
public TenantIndexingLoader getTenantIndexingLoader() {
return tenantIndexingLoader;
}
public void setTenantIndexingLoader(
TenantIndexingLoader tenantIndexingLoader) {
this.tenantIndexingLoader = tenantIndexingLoader;
}
public void setTenantRegistryLoader(TenantRegistryLoader tenantRegistryLoader) {
this.tenantRegistryLoader = tenantRegistryLoader;
}
public TenantRegistryLoader getTenantRegistryLoader() {
return tenantRegistryLoader;
}
} }
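Review bot: The new accessors in `AuthenticatorFrameworkDataHolder` are laid out inconsistently: `setTenantIndexingLoader` wraps its single parameter onto the next line while `setTenantRegistryLoader` keeps it on one line, and one pair is ordered getter-then-setter and the other setter-then-getter. Putting the signature on one line, `public void setTenantIndexingLoader(TenantIndexingLoader tenantIndexingLoader) {`, and ordering both pairs the same way as the existing `oAuth2TokenValidationService` accessors above keeps the holder uniform. These fields, like the existing ones, are written by OSGi bind callbacks and read from request threads; they follow the file's current non-volatile convention, which is worth a short class-level comment if that is intentional.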

@ -22,23 +22,24 @@ import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier; import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier; import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT; import com.nimbusds.jwt.SignedJWT;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.user.api.TenantManager; import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
import org.wso2.carbon.user.api.UserStoreException; import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager; import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils; import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo; import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticatorFrameworkDataHolder; import org.wso2.carbon.webapp.authenticator.framework.AuthenticatorFrameworkDataHolder;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey; import java.security.interfaces.RSAPublicKey;
import java.text.ParseException; import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties; import java.util.Properties;
import java.util.StringTokenizer; import java.util.StringTokenizer;
@ -48,10 +49,11 @@ import java.util.StringTokenizer;
public class JWTAuthenticator implements WebappAuthenticator { public class JWTAuthenticator implements WebappAuthenticator {
private static final Log log = LogFactory.getLog(JWTAuthenticator.class); private static final Log log = LogFactory.getLog(JWTAuthenticator.class);
public static final String SIGNED_JWT_AUTH_USERNAME = "http://wso2.org/claims/enduser"; private static final String SIGNED_JWT_AUTH_USERNAME = "http://wso2.org/claims/enduser";
private static final String SIGNED_JWT_AUTH_TENANT_ID = "http://wso2.org/claims/enduserTenantId";
private static final String JWT_AUTHENTICATOR = "JWT"; private static final String JWT_AUTHENTICATOR = "JWT";
private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion"; private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion";
private static final Map<String, PublicKey> publicKeyHolder = new HashMap<>();
@Override @Override
public void init() { public void init() {
@ -79,21 +81,24 @@ public class JWTAuthenticator implements WebappAuthenticator {
authenticationInfo.setStatus(Status.CONTINUE); authenticationInfo.setStatus(Status.CONTINUE);
} }
//Get the filesystem keystore default primary certificate
KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
try { try {
keyStoreManager.getDefaultPrimaryCertificate();
String authorizationHeader = request.getHeader(JWT_ASSERTION_HEADER); String authorizationHeader = request.getHeader(JWT_ASSERTION_HEADER);
JWSVerifier verifier =
new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey());
SignedJWT jwsObject = SignedJWT.parse(authorizationHeader); SignedJWT jwsObject = SignedJWT.parse(authorizationHeader);
if (jwsObject.verify(verifier)) {
String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME); String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME);
String tenantDomain = MultitenantUtils.getTenantDomain(username); String tenantDomain = MultitenantUtils.getTenantDomain(username);
int tenantId = jwsObject.getJWTClaimsSet().getIntegerClaim(SIGNED_JWT_AUTH_TENANT_ID);
PublicKey publicKey = publicKeyHolder.get(tenantDomain);
if (publicKey == null) {
loadTenantRegistry(tenantId);
KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
publicKey = keyStoreManager.getDefaultPublicKey();
publicKeyHolder.put(tenantDomain, publicKey);
}
//Get the filesystem keystore default primary certificate
JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
if (jwsObject.verify(verifier)) {
username = MultitenantUtils.getTenantAwareUsername(username); username = MultitenantUtils.getTenantAwareUsername(username);
TenantManager tenantManager = AuthenticatorFrameworkDataHolder.getInstance().getRealmService().
getTenantManager();
int tenantId = tenantManager.getTenantId(tenantDomain);
if (tenantId == -1) { if (tenantId == -1) {
log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " + log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " +
": " + tenantDomain); ": " + tenantDomain);
@ -122,24 +127,6 @@ public class JWTAuthenticator implements WebappAuthenticator {
return authenticationInfo; return authenticationInfo;
} }
private String decodeAuthorizationHeader(String authorizationHeader) {
if (authorizationHeader == null) {
return null;
}
String[] splitValues = authorizationHeader.trim().split(" ");
byte[] decodedBytes = Base64Utils.decode(splitValues[1].trim());
if (decodedBytes != null) {
return new String(decodedBytes);
} else {
if (log.isDebugEnabled()) {
log.debug("Error decoding authorization header.");
}
return null;
}
}
@Override @Override
public String getName() { public String getName() {
return JWTAuthenticator.JWT_AUTHENTICATOR; return JWTAuthenticator.JWT_AUTHENTICATOR;
@ -159,4 +146,11 @@ public class JWTAuthenticator implements WebappAuthenticator {
public String getProperty(String name) { public String getProperty(String name) {
return null; return null;
} }
private static void loadTenantRegistry(int tenantId) throws RegistryException {
TenantRegistryLoader tenantRegistryLoader = AuthenticatorFrameworkDataHolder.getInstance().
getTenantRegistryLoader();
AuthenticatorFrameworkDataHolder.getInstance().getTenantIndexingLoader().loadTenantIndex(tenantId);
tenantRegistryLoader.loadTenantRegistry(tenantId);
}
} }

@ -25,6 +25,8 @@ import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
import org.wso2.carbon.device.mgt.core.scep.SCEPManager; import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService; import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
import org.wso2.carbon.registry.indexing.service.TenantIndexingLoader;
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve; import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer; import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
@ -67,6 +69,17 @@ import java.util.Properties;
* policy="dynamic" * policy="dynamic"
* bind="setOAuth2ValidationService" * bind="setOAuth2ValidationService"
* unbind="unsetOAuth2ValidationService" * unbind="unsetOAuth2ValidationService"
* @scr.reference name="tenant.indexloader"
* interface="org.wso2.carbon.registry.indexing.service.TenantIndexingLoader"
* cardinality="1..1"
* policy="dynamic"
* bind="setTenantIndexLoader"
* unbind="unsetTenantIndexLoader"
* @scr.reference name="tenant.registryloader"
* interface="org.wso2.carbon.registry.core.service.TenantRegistryLoader"
* cardinality="1..1" policy="dynamic"
* bind="setTenantRegistryLoader"
* unbind="unsetTenantRegistryLoader"
*/ */
public class WebappAuthenticatorFrameworkServiceComponent { public class WebappAuthenticatorFrameworkServiceComponent {
@ -183,4 +196,20 @@ public class WebappAuthenticatorFrameworkServiceComponent {
} }
AuthenticatorFrameworkDataHolder.getInstance().setOAuth2TokenValidationService(null); AuthenticatorFrameworkDataHolder.getInstance().setOAuth2TokenValidationService(null);
} }
protected void setTenantIndexLoader(TenantIndexingLoader tenantIndexLoader) {
AuthenticatorFrameworkDataHolder.getInstance().setTenantIndexingLoader(tenantIndexLoader);
}
protected void unsetTenantIndexLoader(TenantIndexingLoader tenantIndexLoader) {
AuthenticatorFrameworkDataHolder.getInstance().setTenantIndexingLoader(null);
}
protected void setTenantRegistryLoader(TenantRegistryLoader tenantRegistryLoader) {
AuthenticatorFrameworkDataHolder.getInstance().setTenantRegistryLoader(tenantRegistryLoader);
}
protected void unsetTenantRegistryLoader(TenantRegistryLoader tenantRegistryLoader) {
AuthenticatorFrameworkDataHolder.getInstance().setTenantRegistryLoader(null);
}
} }
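Review bot: The `tenant.registryloader` `@scr.reference` block squeezes `cardinality="1..1" policy="dynamic"` onto one line while every other reference in this Javadoc lists one attribute per line; splitting it as `* cardinality="1..1"` / `* policy="dynamic"` keeps the descriptor block uniform and greppable. The bind method is named `setTenantIndexLoader` while the holder method it forwards to is `setTenantIndexingLoader`; using one spelling in both places would avoid confusion when the SCR descriptor is read against the code.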
