[APIM-IS-KM] Add system property to avoid allowlisting apim rest api scopes #2328

Expand Up @@ -219,6 +219,8 @@ public static SubjectType fromValue(String text) {

public static final String RESTRICT_UNASSIGNED_SCOPES = "restrict.unassigned.scopes";

public static final String RESTRICT_APIM_REST_API_SCOPES = "restrict.apim.restapi.scopes";

public static final String TENANT_NAME_FROM_CONTEXT = "TenantNameFromContext";

//Oauth2 sp expire time configuration.
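Review bot: `RESTRICT_APIM_REST_API_SCOPES` is added without Javadoc, so nothing at the constant explains that the property is opt-in and only meaningful in combination with `RESTRICT_UNASSIGNED_SCOPES` (the two are ANDed where they are consumed in RoleBasedScopeIssuer). I would add `/** System property (default false) that, together with {@link #RESTRICT_UNASSIGNED_SCOPES}, stops RoleBasedScopeIssuer from passing Product REST API scopes through without validation. */` above it, so the coupling is visible at the definition rather than only at the call sites. The enclosing constants class continues outside the hunk.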
Expand Up @@ -442,6 +442,9 @@ protected void activate(ComponentContext context) {
boolean restrictUnassignedScopes = Boolean.parseBoolean(System.getProperty(
OAuthConstants.RESTRICT_UNASSIGNED_SCOPES));
OAuth2ServiceComponentHolder.setRestrictUnassignedScopes(restrictUnassignedScopes);
boolean restrictApimRestApiScopes = Boolean.parseBoolean(System.getProperty(
OAuthConstants.RESTRICT_APIM_REST_API_SCOPES));
OAuth2ServiceComponentHolder.setRestrictApimRestApiScopes(restrictApimRestApiScopes);
if (OAuthServerConfiguration.getInstance().isUseLegacyScopesAsAliasForNewScopesEnabled()
|| OAuthServerConfiguration.getInstance().isUseLegacyPermissionAccessForUserBasedAuth()) {
initializeLegacyScopeToNewScopeMappings();
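Review bot: The new property is read with `Boolean.parseBoolean(System.getProperty(...))`, so an absent or mistyped value silently yields false and the restriction stays off; because this is the knob that closes the scope pass-through, an operator who sets only `restrict.apim.restapi.scopes=true` without `restrict.unassigned.scopes` gets no change in behavior (the two flags are ANDed in RoleBasedScopeIssuer) and nothing here tells them so. I would log the effective combination right after the setter call, e.g. `if (restrictApimRestApiScopes && !restrictUnassignedScopes) {` / `log.warn("restrict.apim.restapi.scopes has no effect unless restrict.unassigned.scopes is also true");` / `}`, using whatever logger this component already declares (not visible in the hunk). activate() starts and ends outside the hunk.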
Expand Up @@ -101,6 +101,7 @@ public class OAuth2ServiceComponentHolder {
private static List<String> jwtRenewWithoutRevokeAllowedGrantTypes = new ArrayList<>();
private static ConsentServerConfigsManagementService consentServerConfigsManagementService;
private static boolean restrictUnassignedScopes;
private static boolean restrictApimRestApiScopes;
private static ConfigurationContextService configurationContextService;
private List<JWTAccessTokenClaimProvider> jwtAccessTokenClaimProviders = new ArrayList<>();
private final List<OAuthAuthorizationRequestBuilder> oAuthAuthorizationRequestBuilders = new ArrayList<>();
Expand Down Expand Up @@ -551,6 +552,14 @@ public static void setRestrictUnassignedScopes(boolean restrictUnassignedScopes)
OAuth2ServiceComponentHolder.restrictUnassignedScopes = restrictUnassignedScopes;
}

public static boolean isRestrictApimRestApiScopes() {
return restrictApimRestApiScopes;
}

public static void setRestrictApimRestApiScopes(boolean restrictApimRestApiScopes) {
OAuth2ServiceComponentHolder.restrictApimRestApiScopes = restrictApimRestApiScopes;
}

public static ConfigurationContextService getConfigurationContextService() {

return configurationContextService;
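Review bot: `restrictApimRestApiScopes` at the top of the class is a plain (non-volatile) static boolean that is written through a public static setter and read by the getter from the scope-issuer code paths; whether request threads are guaranteed to observe the value written in activate() depends on happens-before edges outside this PR, which I cannot confirm from here. The existing `restrictUnassignedScopes` field directly above it uses the identical pattern, so this is a pre-existing design choice rather than a regression; if it is tightened, both fields should be made `volatile` together. Separately, the new public accessors carry no Javadoc, and the holder gives no hint that the flag is only meaningful alongside the other one; I would add `/** True when the restrict.apim.restapi.scopes system property was set at activation; only takes effect together with {@link #isRestrictUnassignedScopes()}. */` on the getter.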
Expand Up @@ -283,14 +283,21 @@ public List<String> getScopes(OAuthAuthzReqMessageContext oAuthAuthzReqMessageCo
List<String> authorizedScopes;
List<String> requestedScopes = null;
List<String> scopes = new ArrayList<>();
boolean isRestrictApimRestApiScopes = OAuth2ServiceComponentHolder.isRestrictApimRestApiScopes();
boolean isRestrictUnassignedScopes = OAuth2ServiceComponentHolder.isRestrictUnassignedScopes();
if (oAuthAuthzReqMessageContext.getApprovedScope() != null) {
requestedScopes = new ArrayList<>(Arrays.asList(oAuthAuthzReqMessageContext.getApprovedScope()));
for (String scope : requestedScopes) {
// If requestedScopes contains Product REST APIs (Publisher/DevPortal/Admin) scopes, just let them pass
// to the final scope list returned from RoleBasedScopeIssuer. This is because RoleBasedScopeIssuer is
// not responsible for validating Product REST API scopes. Those will be handled by SystemScopeIssuer.
if (checkForProductRestAPIScopes(scope)) {
scopes.add(scope);
// If both system properties are true, it does not allowlist the APIM REST API scopes. This is to solve
// the security concern introduced by allow listing product REST APIs scopes.
if (!(isRestrictUnassignedScopes && isRestrictApimRestApiScopes)) {
for (String scope : requestedScopes) {
// If requestedScopes contains Product REST APIs (Publisher/DevPortal/Admin) scopes, just let
// them pass to the final scope list returned from RoleBasedScopeIssuer. This is because
// RoleBasedScopeIssuer is not responsible for validating Product REST API scopes. Those will be
// handled by SystemScopeIssuer.
if (checkForProductRestAPIScopes(scope)) {
scopes.add(scope);
}
}
}
requestedScopes.removeAll(scopes);
Expand Down Expand Up @@ -352,12 +359,19 @@ public List<String> getScopes(OAuthTokenReqMessageContext tokReqMsgCtx) {
List<String> authorizedScopes;
List<String> scopes = new ArrayList<>();
List<String> requestedScopes = new ArrayList<>(Arrays.asList(tokReqMsgCtx.getScope()));
for (String scope : requestedScopes) {
// If requestedScopes contains Product REST APIs (Publisher/DevPortal/Admin) scopes, just let them pass to
// the final scope list returned from RoleBasedScopeIssuer. This is because RoleBasedScopeIssuer is not
// responsible for validating Product REST API scopes. Those will be handled by the SystemScopeIssuer.
if (checkForProductRestAPIScopes(scope)) {
scopes.add(scope);
boolean isRestrictApimRestApiScopes = OAuth2ServiceComponentHolder.isRestrictApimRestApiScopes();
boolean isRestrictUnassignedScopes = OAuth2ServiceComponentHolder.isRestrictUnassignedScopes();
// If both system properties are true, it does not allowlist the APIM REST API scopes. This is to solve
// the security concern introduced by allow listing product REST APIs scopes.
if (!(isRestrictUnassignedScopes && isRestrictApimRestApiScopes)) {
for (String scope : requestedScopes) {
// If requestedScopes contains Product REST APIs (Publisher/DevPortal/Admin) scopes, just let
// them pass to the final scope list returned from RoleBasedScopeIssuer. This is because
// RoleBasedScopeIssuer is not responsible for validating Product REST API scopes. Those will be
// handled by the SystemScopeIssuer.
if (checkForProductRestAPIScopes(scope)) {
scopes.add(scope);
}
}
}
requestedScopes.removeAll(scopes);
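Review bot: The combined guard `!(isRestrictUnassignedScopes && isRestrictApimRestApiScopes)` and its explanatory comment are copied verbatim into both getScopes overloads, and the comment says why the bypass exists ("the security concern") without saying what the bypass is or what happens when it is switched off. What the hunks show is that with both flags set the Product REST API scopes are no longer copied into `scopes`, so `requestedScopes.removeAll(scopes)` leaves them in `requestedScopes` for whatever role-based handling follows (outside the hunk); that is the intended effect and should be stated. I would fold the condition and the reasoning into one private helper so the two sites cannot drift, drop the now-unused local booleans, and say explicitly that the pass-through is skipped only when both properties are true. Both getScopes bodies begin at their hunk's @@ line and continue past its end.
```java
// … unchanged: getScopes(OAuthAuthzReqMessageContext) up to the approved-scope check …
        if (isProductRestApiScopePassThroughEnabled()) {
            for (String scope : requestedScopes) {
// … unchanged: pass-through loop and removeAll …

// … unchanged: getScopes(OAuthTokenReqMessageContext) up to requestedScopes …
        if (isProductRestApiScopePassThroughEnabled()) {
// … unchanged: pass-through loop and removeAll …

    /**
     * Whether Product REST API (Publisher/DevPortal/Admin) scopes bypass this issuer and are left to
     * SystemScopeIssuer. The bypass is disabled only when BOTH restrict.unassigned.scopes and
     * restrict.apim.restapi.scopes are true; with only one of them set, the legacy pass-through stays.
     */
    private static boolean isProductRestApiScopePassThroughEnabled() {
        return !(OAuth2ServiceComponentHolder.isRestrictUnassignedScopes()
                && OAuth2ServiceComponentHolder.isRestrictApimRestApiScopes());
    }
```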