Merge pull request #709 from madawas/master

Fixing multitenant issue in certificate verification endpoint
2025-10-06 02:01:45 +00:00 · 2017-04-26 21:25:24 +05:30 · 2017-04-26 21:25:24 +05:30 · 3526e6425f
commit 3526e6425f
parent 4429482a29 9ba509b512
4 changed files with 88 additions and 41 deletions
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/beans/ValidationResponse.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/beans/ValidationResponse.java
@ -19,7 +19,7 @@
 package org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans;
-public class ValidationResponce {
+public class ValidationResponse {
    private String JWTToken; // X-JWT-Assertion
    private String deviceId;
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
@ -1,3 +1,21 @@
 /*
 * Copyright (c) 2016-2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * WSO2 Inc. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
 package org.wso2.carbon.certificate.mgt.cert.jaxrs.api.impl;
 import org.apache.commons.logging.Log;
@ -6,7 +24,7 @@ import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.CertificateManagementAdmin
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.CertificateList;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.EnrollmentCertificate;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.ErrorResponse;
-import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.ValidationResponce;
+import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.ValidationResponse;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.CertificateMgtAPIUtils;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.RequestValidationUtil;
 import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
@ -232,30 +250,41 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
                    deviceIdentifier.setId(challengeToken);
                    deviceIdentifier.setType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
                    TenantedDeviceWrapper tenantedDeviceWrapper = scepManager.getValidatedDevice(deviceIdentifier);
 //
 //                    var claims = {"http://wso2.org/claims/enduserTenantId": adminUserTenantId,
 //                            "http://wso2.org/claims/enduser": adminUsername};
                    Map<String, String> claims = new HashMap<>();
-                    claims.put("http://wso2.org/claims/enduserTenantId", String.valueOf(tenantedDeviceWrapper.getTenantId()));
+                    claims.put("http://wso2.org/claims/enduserTenantId",
-                    claims.put("http://wso2.org/claims/enduser", tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner());
+                            String.valueOf(tenantedDeviceWrapper.getTenantId()));
-                    claims.put("http://wso2.org/claims/deviceIdentifier", tenantedDeviceWrapper.getDevice().getDeviceIdentifier());
+                    claims.put("http://wso2.org/claims/enduser",
                            tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner() + "@"
                                    + tenantedDeviceWrapper.getTenantDomain());
                    claims.put("http://wso2.org/claims/deviceIdentifier",
                            tenantedDeviceWrapper.getDevice().getDeviceIdentifier());
                    claims.put("http://wso2.org/claims/deviceIdType", tenantedDeviceWrapper.getDevice().getType());
-                    JWTClientManagerService jwtClientManagerService = CertificateMgtAPIUtils.getJwtClientManagerService();
+                    String jwdToken;
-                    String jwdToken = jwtClientManagerService.getJWTClient().getJwtToken(
+                    try {
-                            tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner(), claims);
+                        PrivilegedCarbonContext.startTenantFlow();
-
+                        PrivilegedCarbonContext.getThreadLocalCarbonContext()
-                    ValidationResponce validationResponce = new ValidationResponce();
+                                .setTenantId(tenantedDeviceWrapper.getTenantId());
-                    validationResponce.setDeviceId(challengeToken);
+                        PrivilegedCarbonContext.getThreadLocalCarbonContext()
-                    validationResponce.setDeviceType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
+                                .setTenantDomain(tenantedDeviceWrapper.getTenantDomain());
-                    validationResponce.setJWTToken(jwdToken);
+                        JWTClientManagerService jwtClientManagerService = CertificateMgtAPIUtils
-                    validationResponce.setTenantId(tenantedDeviceWrapper.getTenantId());
+                                .getJwtClientManagerService();
-
+                        jwdToken = jwtClientManagerService.getJWTClient()
-                    if (tenantedDeviceWrapper != null) {
+                                .getJwtToken(tenantedDeviceWrapper.getDevice().getEnrolmentInfo().getOwner(), claims,
-                        return Response.status(Response.Status.OK).entity(validationResponce).build();
+                                        true);
                    } finally {
                        PrivilegedCarbonContext.endTenantFlow();
                    }
                    ValidationResponse validationResponse = new ValidationResponse();
                    validationResponse.setDeviceId(challengeToken);
                    validationResponse.setDeviceType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
                    validationResponse.setJWTToken(jwdToken);
                    validationResponse.setTenantId(tenantedDeviceWrapper.getTenantId());
                    return Response.status(Response.Status.OK).entity(validationResponse).build();
                }
            }
--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * WSO2 Inc. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
@ -29,7 +29,7 @@ import org.apache.http.client.methods.HttpPost;
 import org.apache.http.message.BasicNameValuePair;
 import org.json.simple.JSONObject;
 import org.json.simple.parser.JSONParser;
-import org.json.simple.parser.ParseException;;
+import org.json.simple.parser.ParseException;
 import org.wso2.carbon.identity.jwt.client.extension.constant.JWTConstants;
 import org.wso2.carbon.identity.jwt.client.extension.dto.AccessTokenInfo;
 import org.wso2.carbon.identity.jwt.client.extension.dto.JWTConfig;
@ -43,7 +43,6 @@ import java.security.KeyManagementException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -195,6 +194,14 @@ public class JWTClient {
        return JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig, isDefaultJWTClient, claims);
    }
    public String getJwtToken(String username, Map<String, String> claims, boolean enableTenantSigning)
            throws JWTClientException {
        if (enableTenantSigning) {
            return JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig, false, claims);
        } else {
            return getJwtToken(username, claims);
        }
    }
 }
--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016-2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * WSO2 Inc. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
@ -33,7 +33,6 @@ import org.apache.http.conn.ssl.SSLContextBuilder;
 import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.util.EntityUtils;
 import org.apache.solr.common.util.Hash;
 import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.core.util.KeyStoreManager;
@ -49,14 +48,22 @@ import org.wso2.carbon.registry.core.service.RegistryService;
 import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
 import org.wso2.carbon.utils.CarbonUtils;
-import java.io.*;
+import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.URI;
 import java.net.URL;
-import java.security.*;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@ -208,7 +215,6 @@ public class JWTClientUtil {
 	public static String generateSignedJWTAssertion(String username, JWTConfig jwtConfig, boolean isDefaultJWTClient,
 			Map<String, String> customClaims) throws JWTClientException {
 		try {
 			String subject = username;
 			long currentTimeMillis = System.currentTimeMillis();
 			// add the skew between servers
 			String iss = jwtConfig.getIssuer();
@ -246,8 +252,8 @@ public class JWTClientUtil {
 			String privateKeyAlias = jwtConfig.getPrivateKeyAlias();
 			String privateKeyPassword = jwtConfig.getPrivateKeyPassword();
 			KeyStore keyStore;
-			RSAPrivateKey rsaPrivateKey = null;
+			RSAPrivateKey rsaPrivateKey;
-			if (keyStorePath != null && !keyStorePath.isEmpty()) {
+			if (!isDefaultJWTClient && (keyStorePath != null && !keyStorePath.isEmpty())) {
 				String keyStorePassword = jwtConfig.getKeyStorePassword();
 				keyStore = loadKeyStore(new File(keyStorePath), keyStorePassword, "JKS");
 				rsaPrivateKey = (RSAPrivateKey) keyStore.getKey(privateKeyAlias, privateKeyPassword.toCharArray());
@ -261,13 +267,18 @@ public class JWTClientUtil {
 					String jksName = ksName + ".jks";
 					rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getPrivateKey(jksName, tenantDomain);
 				} else {
 					try {
 						PrivilegedCarbonContext.startTenantFlow();
-					PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(MultitenantConstants.SUPER_TENANT_ID);
+						PrivilegedCarbonContext.getThreadLocalCarbonContext()
-					KeyStoreManager tenantKeyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
+								.setTenantId(MultitenantConstants.SUPER_TENANT_ID);
 						KeyStoreManager tenantKeyStoreManager = KeyStoreManager
 								.getInstance(MultitenantConstants.SUPER_TENANT_ID);
 						rsaPrivateKey = (RSAPrivateKey) tenantKeyStoreManager.getDefaultPrivateKey();
 					} finally {
 						PrivilegedCarbonContext.endTenantFlow();
 					}
 				}
 			}
 			JWSSigner signer = new RSASSASigner(rsaPrivateKey);
 			SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
 			signedJWT.sign(signer);