Merge pull request #709 from madawas/master

Fixing multitenant issue in certificate verification endpoint
2025-10-06 02:01:45 +00:00 · 2017-04-26 21:25:24 +05:30 · 2017-04-26 21:25:24 +05:30 · 3526e6425f
commit 3526e6425f
parent 4429482a29 9ba509b512
4 changed files with 88 additions and 41 deletions
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/beans/ValidationResponse.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/beans/ValidationResponse.java
@ -19,7 +19,7 @@

 package org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans;

-public class ValidationResponce {
+public class ValidationResponse {

    private String JWTToken; // X-JWT-Assertion
    private String deviceId;
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2016-2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.wso2.carbon.certificate.mgt.cert.jaxrs.api.impl;

 import org.apache.commons.logging.Log;
@ -6,7 +24,7 @@ import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.CertificateManagementAdmin
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.CertificateList;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.EnrollmentCertificate;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.ErrorResponse;
-import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.ValidationResponce;
+import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.ValidationResponse;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.CertificateMgtAPIUtils;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.RequestValidationUtil;
 import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
@ -232,30 +250,41 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
                    deviceIdentifier.setId(challengeToken);
                    deviceIdentifier.setType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
                    TenantedDeviceWrapper tenantedDeviceWrapper = scepManager.getValidatedDevice(deviceIdentifier);
-//
-//                    var claims = {"http://wso2.org/claims/enduserTenantId": adminUserTenantId,
-//                            "http://wso2.org/claims/enduser": adminUsername};

                    Map<String, String> claims = new HashMap<>();

-                    claims.put("http://wso2.org/claims/enduserTenantId", String.valueOf(tenantedDeviceWrapper.getTenantId()));
-                    claims.put("http://wso2.org/claims/enduser", tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner());
-                    claims.put("http://wso2.org/claims/deviceIdentifier", tenantedDeviceWrapper.getDevice().getDeviceIdentifier());
+                    claims.put("http://wso2.org/claims/enduserTenantId",
+                            String.valueOf(tenantedDeviceWrapper.getTenantId()));
+                    claims.put("http://wso2.org/claims/enduser",
+                            tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner() + "@"
+                                    + tenantedDeviceWrapper.getTenantDomain());
+                    claims.put("http://wso2.org/claims/deviceIdentifier",
+                            tenantedDeviceWrapper.getDevice().getDeviceIdentifier());
                    claims.put("http://wso2.org/claims/deviceIdType", tenantedDeviceWrapper.getDevice().getType());

-                    JWTClientManagerService jwtClientManagerService = CertificateMgtAPIUtils.getJwtClientManagerService();
-                    String jwdToken = jwtClientManagerService.getJWTClient().getJwtToken(
-                            tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner(), claims);
-
-                    ValidationResponce validationResponce = new ValidationResponce();
-                    validationResponce.setDeviceId(challengeToken);
-                    validationResponce.setDeviceType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
-                    validationResponce.setJWTToken(jwdToken);
-                    validationResponce.setTenantId(tenantedDeviceWrapper.getTenantId());
-
-                    if (tenantedDeviceWrapper != null) {
-                        return Response.status(Response.Status.OK).entity(validationResponce).build();
+                    String jwdToken;
+                    try {
+                        PrivilegedCarbonContext.startTenantFlow();
+                        PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                                .setTenantId(tenantedDeviceWrapper.getTenantId());
+                        PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                                .setTenantDomain(tenantedDeviceWrapper.getTenantDomain());
+                        JWTClientManagerService jwtClientManagerService = CertificateMgtAPIUtils
+                                .getJwtClientManagerService();
+                        jwdToken = jwtClientManagerService.getJWTClient()
+                                .getJwtToken(tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner(), claims,
+                                        true);
+                    } finally {
+                        PrivilegedCarbonContext.endTenantFlow();
                    }
+
+                    ValidationResponse validationResponse = new ValidationResponse();
+                    validationResponse.setDeviceId(challengeToken);
+                    validationResponse.setDeviceType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
+                    validationResponse.setJWTToken(jwdToken);
+                    validationResponse.setTenantId(tenantedDeviceWrapper.getTenantId());
+
+                    return Response.status(Response.Status.OK).entity(validationResponse).build();
                }
            }

--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * WSO2 Inc. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
@ -29,7 +29,7 @@ import org.apache.http.client.methods.HttpPost;
 import org.apache.http.message.BasicNameValuePair;
 import org.json.simple.JSONObject;
 import org.json.simple.parser.JSONParser;
-import org.json.simple.parser.ParseException;;
+import org.json.simple.parser.ParseException;
 import org.wso2.carbon.identity.jwt.client.extension.constant.JWTConstants;
 import org.wso2.carbon.identity.jwt.client.extension.dto.AccessTokenInfo;
 import org.wso2.carbon.identity.jwt.client.extension.dto.JWTConfig;
@ -43,7 +43,6 @@ import java.security.KeyManagementException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

@ -195,6 +194,14 @@ public class JWTClient {
        return JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig, isDefaultJWTClient, claims);
    }

+    public String getJwtToken(String username, Map<String, String> claims, boolean enableTenantSigning)
+            throws JWTClientException {
+        if (enableTenantSigning) {
+            return JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig, false, claims);
+        } else {
+            return getJwtToken(username, claims);
+        }
+    }
 }


--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * WSO2 Inc. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
@ -33,7 +33,6 @@ import org.apache.http.conn.ssl.SSLContextBuilder;
 import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.util.EntityUtils;
-import org.apache.solr.common.util.Hash;
 import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.core.util.KeyStoreManager;
@ -49,14 +48,22 @@ import org.wso2.carbon.registry.core.service.RegistryService;
 import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
 import org.wso2.carbon.utils.CarbonUtils;

-import java.io.*;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.net.URI;
 import java.net.URL;
-import java.security.*;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.Date;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@ -200,15 +207,14 @@ public class JWTClientUtil {
 		tenantRegistryLoader.loadTenantRegistry(tenantId);
 	}

-    public static String generateSignedJWTAssertion(String username, JWTConfig jwtConfig, boolean isDefaultJWTClient)
-            throws JWTClientException {
-        return generateSignedJWTAssertion(username, jwtConfig, isDefaultJWTClient, null);
-    }
+	public static String generateSignedJWTAssertion(String username, JWTConfig jwtConfig, boolean isDefaultJWTClient)
+			throws JWTClientException {
+		return generateSignedJWTAssertion(username, jwtConfig, isDefaultJWTClient, null);
+	}

 	public static String generateSignedJWTAssertion(String username, JWTConfig jwtConfig, boolean isDefaultJWTClient,
-                                                    Map<String, String> customClaims) throws JWTClientException {
+			Map<String, String> customClaims) throws JWTClientException {
 		try {
-			String subject = username;
 			long currentTimeMillis = System.currentTimeMillis();
 			// add the skew between servers
 			String iss = jwtConfig.getIssuer();
@ -246,8 +252,8 @@ public class JWTClientUtil {
 			String privateKeyAlias = jwtConfig.getPrivateKeyAlias();
 			String privateKeyPassword = jwtConfig.getPrivateKeyPassword();
 			KeyStore keyStore;
-			RSAPrivateKey rsaPrivateKey = null;
-			if (keyStorePath != null && !keyStorePath.isEmpty()) {
+			RSAPrivateKey rsaPrivateKey;
+			if (!isDefaultJWTClient && (keyStorePath != null && !keyStorePath.isEmpty())) {
 				String keyStorePassword = jwtConfig.getKeyStorePassword();
 				keyStore = loadKeyStore(new File(keyStorePath), keyStorePassword, "JKS");
 				rsaPrivateKey = (RSAPrivateKey) keyStore.getKey(privateKeyAlias, privateKeyPassword.toCharArray());
@ -261,11 +267,16 @@ public class JWTClientUtil {
 					String jksName = ksName + ".jks";
 					rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getPrivateKey(jksName, tenantDomain);
 				} else {
-					PrivilegedCarbonContext.startTenantFlow();
-					PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID);
-					KeyStoreManager tenantKeyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
-					rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getDefaultPrivateKey();
-					PrivilegedCarbonContext.endTenantFlow();
+					try {
+						PrivilegedCarbonContext.startTenantFlow();
+						PrivilegedCarbonContext.getThreadLocalCarbonContext()
+								.setTenantId(MultitenantConstants.SUPER_TENANT_ID);
+						KeyStoreManager tenantKeyStoreManager = KeyStoreManager
+								.getInstance(MultitenantConstants.SUPER_TENANT_ID);
+						rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getDefaultPrivateKey();
+					} finally {
+						PrivilegedCarbonContext.endTenantFlow();
+					}
 				}
 			}
 			JWSSigner signer = new RSASSASigner(rsaPrivateKey);