/**
* Authenticate the request
*
* @param context
* @param version
* @param accessToken
* @param requiredAuthenticationLevel
* @param clientDomain
* @return
* @throws APIManagementException
* @throws APIFaultException
*/
public boolean doAuthenticate(
String context,
String version,
String accessToken,
String requiredAuthenticationLevel,
String clientDomain)
throws APIManagementException, APIFaultException {
if (APIConstants.AUTH_NO_AUTHENTICATION.equals(requiredAuthenticationLevel)) {
return true;
}
APITokenValidator tokenValidator = new APITokenValidator();
apiKeyValidationDTO =
tokenValidator.validateKey(
context, version, accessToken, requiredAuthenticationLevel, clientDomain);
if (apiKeyValidationDTO.isAuthorized()) {
String userName = apiKeyValidationDTO.getEndUserName();
PrivilegedCarbonContext.getThreadLocalCarbonContext()
.setUsername(apiKeyValidationDTO.getEndUserName());
try {
PrivilegedCarbonContext.getThreadLocalCarbonContext()
.setTenantId(IdentityUtil.getTenantIdOFUser(userName));
} catch (IdentityException e) {
log.error("Error while retrieving Tenant Id", e);
return false;
}
return true;
} else {
throw new APIFaultException(
apiKeyValidationDTO.getValidationStatus(),
"Access failure for API: "
+ context
+ ", version: "
+ version
+ " with key: "
+ accessToken);
}
}
/**
* Get the API key validated against the specified API
*
* @param context API context
* @param apiKey API key to be validated
* @param apiVersion API version number
* @return An APIKeyValidationInfoDTO object
* @throws APISecurityException If an error occurs while accessing backend services
*/
public APIKeyValidationInfoDTO getKeyValidationInfo(
String context,
String apiKey,
String apiVersion,
String authenticationScheme,
String clientDomain,
String matchingResource,
String httpVerb,
boolean defaultVersionInvoked)
throws APISecurityException {
String prefixedVersion = apiVersion;
// Check if client has invoked the default version API.
if (defaultVersionInvoked) {
// Prefix the version so that it looks like _default_1.0 (_default_<version>)).
// This is so that the Key Validator knows that this request is coming through a default api
// version
prefixedVersion = APIConstants.DEFAULT_VERSION_PREFIX.concat(prefixedVersion);
}
String cacheKey =
APIUtil.getAccessTokenCacheKey(
apiKey, context, prefixedVersion, matchingResource, httpVerb, authenticationScheme);
// If Gateway key caching is enabled.
if (gatewayKeyCacheEnabled) {
// Get the access token from the first level cache.
String cachedToken = (String) getGatewayTokenCache().get(apiKey);
// If the access token exists in the first level cache.
if (cachedToken != null) {
APIKeyValidationInfoDTO info = (APIKeyValidationInfoDTO) getGatewayKeyCache().get(cacheKey);
if (info != null) {
if (APIUtil.isAccessTokenExpired(info)) {
log.info("Invalid OAuth Token : Access Token " + apiKey + " expired.");
info.setAuthorized(false);
// in cache, if token is expired remove cache entry.
getGatewayKeyCache().remove(cacheKey);
// Remove from the first level token cache as well.
getGatewayTokenCache().remove(apiKey);
}
return info;
}
}
}
// synchronized (apiKey.intern()) {
// We synchronize on the API key here to allow concurrent processing
// of different API keys - However when a burst of requests with the
// same key is encountered, only one will be allowed to execute the logic,
// and the rest will pick the value from the cache.
// info = (APIKeyValidationInfoDTO) infoCache.get(cacheKey);
// if (info != null) {
// return info;
// }
APIKeyValidationInfoDTO info =
doGetKeyValidationInfo(
context,
prefixedVersion,
apiKey,
authenticationScheme,
clientDomain,
matchingResource,
httpVerb);
if (info != null) {
if (gatewayKeyCacheEnabled) {
// Get the tenant domain of the API that is being invoked.
String tenantDomain =
PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
// Add to first level Token Cache.
getGatewayTokenCache().put(apiKey, tenantDomain);
// Add to Key Cache.
getGatewayKeyCache().put(cacheKey, info);
// If this is NOT a super-tenant API that is being invoked
if (!MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
// Add the tenant domain as a reference to the super tenant cache so we know from which
// tenant cache
// to remove the entry when the need occurs to clear this particular cache entry.
try {
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext()
.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, true);
getGatewayTokenCache().put(apiKey, tenantDomain);
} finally {
PrivilegedCarbonContext.endTenantFlow();
}
}
}
return info;
} else {
String warnMsg = "API key validation service returns null object";
log.warn(warnMsg);
throw new APISecurityException(APISecurityConstants.API_AUTH_GENERAL_ERROR, warnMsg);
}
}
private APIKeyValidationInfoDTO toDTO(
org.wso2.carbon.apimgt.impl.dto.xsd.APIKeyValidationInfoDTO generatedDto) {
APIKeyValidationInfoDTO dto = new APIKeyValidationInfoDTO();
dto.setSubscriber(generatedDto.getSubscriber());
dto.setAuthorized(generatedDto.getAuthorized());
dto.setTier(generatedDto.getTier());
dto.setType(generatedDto.getType());
dto.setEndUserToken(generatedDto.getEndUserToken());
dto.setEndUserName(generatedDto.getEndUserName());
dto.setApplicationName(generatedDto.getApplicationName());
dto.setEndUserName(generatedDto.getEndUserName());
dto.setConsumerKey(generatedDto.getConsumerKey());
// dto.setAuthorizedDomains(Arrays.asList(generatedDto.getAuthorizedDomains()));
dto.setValidationStatus(generatedDto.getValidationStatus());
dto.setApplicationId(generatedDto.getApplicationId());
dto.setApplicationTier(generatedDto.getApplicationTier());
dto.setApiPublisher(generatedDto.getApiPublisher());
dto.setApiName(generatedDto.getApiName());
dto.setValidityPeriod(generatedDto.getValidityPeriod());
dto.setIssuedTime(generatedDto.getIssuedTime());
dto.setApiTier(generatedDto.getApiTier());
dto.setContentAware(generatedDto.getContentAware());
dto.setScopes(
generatedDto.getScopes() == null
? null
: new HashSet<String>(Arrays.asList(generatedDto.getScopes())));
dto.setThrottlingDataList(Arrays.asList(generatedDto.getThrottlingDataList()));
dto.setSpikeArrestLimit(generatedDto.getSpikeArrestLimit());
dto.setSpikeArrestUnit(generatedDto.getSpikeArrestUnit());
dto.setSubscriberTenantDomain(generatedDto.getSubscriberTenantDomain());
dto.setStopOnQuotaReach(generatedDto.getStopOnQuotaReach());
return dto;
}
private APIKeyValidationInfoDTO toDTO(
org.wso2.carbon.apimgt.impl.dto.xsd.APIKeyValidationInfoDTO generatedDto) {
APIKeyValidationInfoDTO dto = new APIKeyValidationInfoDTO();
dto.setSubscriber(generatedDto.getSubscriber());
dto.setAuthorized(generatedDto.getAuthorized());
dto.setTier(generatedDto.getTier());
dto.setType(generatedDto.getType());
dto.setEndUserToken(generatedDto.getEndUserToken());
dto.setEndUserName(generatedDto.getEndUserName());
dto.setApplicationName(generatedDto.getApplicationName());
dto.setEndUserName(generatedDto.getEndUserName());
dto.setApplicationName(generatedDto.getApplicationName());
dto.setValidationStatus(generatedDto.getValidationStatus());
dto.setApplicationId(generatedDto.getApplicationId());
dto.setApplicationTier(generatedDto.getApplicationTier());
return dto;
}
