From ef35627fecdb8dc7d188c17927018198bcaaf1df Mon Sep 17 00:00:00 2001 From: Renuka Fernando Date: Fri, 16 Feb 2024 13:29:58 +0530 Subject: [PATCH 1/3] Remove unnecessary configs passed from Adapter to Enforcer through xDS messages Signed-off-by: Renuka Fernando --- adapter/config/default_config.go | 8 +++ adapter/config/types.go | 12 ++++ adapter/internal/discovery/xds/marshaller.go | 2 + adapter/internal/discovery/xds/payloadfmt.go | 33 ++++++++++ .../internal/discovery/xds/payloadfmt_test.go | 62 +++++++++++++++++++ .../messaging/notification_listener.go | 4 +- .../enforcer/keymgt/KeyManagerHolder.java | 10 +-- resources/conf/config.toml.template | 9 ++- 8 files changed, 133 insertions(+), 7 deletions(-) create mode 100644 adapter/internal/discovery/xds/payloadfmt.go create mode 100644 adapter/internal/discovery/xds/payloadfmt_test.go diff --git a/adapter/config/default_config.go b/adapter/config/default_config.go index 5e34e1c9c5..54efe005c7 100644 --- a/adapter/config/default_config.go +++ b/adapter/config/default_config.go @@ -50,6 +50,14 @@ var defaultConfig = &Config{ CertFile: "/home/wso2/security/truststore/consul/local-dc-client-consul-0.pem", KeyFile: "/home/wso2/security/truststore/consul/local-dc-client-consul-0-key.pem", }, + XdsPayloadFormatter: xdsPayloadFormatter{ + KeyManagerConfigs: keyManagerConfigs{ + RetainKeys: []string{ + "self_validate_jwt", "issuer", "claim_mappings", "consumer_key_claim", + "scopes_claim", "jwks_endpoint", "certificate_type", "certificate_value", "environments", + }, + }, + }, Keystore: keystore{ KeyPath: "/home/wso2/security/keystore/mg.key", CertPath: "/home/wso2/security/keystore/mg.pem", diff --git a/adapter/config/types.go b/adapter/config/types.go index 71afdbb218..9c848e8109 100644 --- a/adapter/config/types.go +++ b/adapter/config/types.go 
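Review bot: The `RetainKeys` default is effectively an allow-list deciding which key-manager settings reach the enforcer over xDS, but nothing at the definition site says that an entry left out is silently withheld rather than passed through. Suggest a comment above the literal: `// Allow-list: only these key-manager configuration entries are forwarded to the enforcer over xDS; everything else (endpoints, grant types, feature flags) is dropped before marshalling.` It is also worth noting in the same place that an operator who overrides `retain_keys` in config.toml takes on keeping every key the enforcer reads (e.g. `issuer`, `jwks_endpoint`) in the list, since a missing one presumably breaks token validation for that key manager rather than failing loudly.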
@@ -89,6 +89,8 @@ type adapter struct { VhostMapping []vhostMapping // Consul represents the configuration required to connect to consul service discovery Consul consul + // XdsPayloadFormatter represents the configuration to format the xds payload + XdsPayloadFormatter xdsPayloadFormatter // Keystore contains the keyFile and Cert File of the adapter Keystore keystore // Trusted Certificates @@ -208,6 +210,16 @@ type consul struct { KeyFile string } +type xdsPayloadFormatter struct { + // KeyManagerConfigs contains format configurations related to key manager configuration + KeyManagerConfigs keyManagerConfigs +} + +type keyManagerConfigs struct { + // RetainKeys contains the keys that should be retained in the xds payload + RetainKeys []string +} + // Global CORS configurations type globalCors struct { Enabled bool diff --git a/adapter/internal/discovery/xds/marshaller.go b/adapter/internal/discovery/xds/marshaller.go index dad24ecaad..156bff7705 100644 --- a/adapter/internal/discovery/xds/marshaller.go +++ b/adapter/internal/discovery/xds/marshaller.go @@ -342,6 +342,8 @@ func marshalKeyMappingMapToList(keyMappingMap map[string]*subscription.Applicati // MarshalKeyManager converts the data into KeyManager proto type func MarshalKeyManager(keyManager *types.KeyManager) *keymgt.KeyManagerConfig { + // Filter the key manager configuration based on the configuration retention list + keyManager.Configuration = getFilteredKeyManagerConfig(keyManager.Configuration) configList, err := json.Marshal(keyManager.Configuration) configuration := string(configList) if err == nil { diff --git a/adapter/internal/discovery/xds/payloadfmt.go b/adapter/internal/discovery/xds/payloadfmt.go new file mode 100644 index 0000000000..7fd86e5744 --- /dev/null +++ b/adapter/internal/discovery/xds/payloadfmt.go 
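Review bot: The added line in `MarshalKeyManager` overwrites `keyManager.Configuration` on the caller's struct instead of filtering into a local, so a function documented as a converter now strips the argument it was handed. The only visible caller (`handleKeyManagerEvents`) passes a freshly built local, so nothing breaks today, but a hidden write-back in a marshaller is easy to trip over later; prefer `filteredConfig := getFilteredKeyManagerConfig(keyManager.Configuration)` followed by `configList, err := json.Marshal(filteredConfig)` and leave the input untouched. The function body continues past the end of the hunk, so check that nothing further down reads `keyManager.Configuration` expecting the unfiltered map.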
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package xds
+
+import "github.com/wso2/product-microgateway/adapter/config"
+
+func getFilteredKeyManagerConfig(kmConfigMap map[string]interface{}) map[string]interface{} {
+ filteredKMConfigMap := make(map[string]interface{})
+ conf, _ := config.ReadConfigs()
+
+ for _, retainKey := range conf.Adapter.XdsPayloadFormatter.KeyManagerConfigs.RetainKeys {
+ // Does not required to check for case sensitivity as the enforcer reads from a hash map
+ val, ok := kmConfigMap[retainKey]
+ if ok {
+ filteredKMConfigMap[retainKey] = val
+ }
+ }
+ return filteredKMConfigMap
+}
diff --git a/adapter/internal/discovery/xds/payloadfmt_test.go b/adapter/internal/discovery/xds/payloadfmt_test.go
new file mode 100644
index 0000000000..b725ad4f41
--- /dev/null
+++ b/adapter/internal/discovery/xds/payloadfmt_test.go
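Review bot: `conf, _ := config.ReadConfigs()` discards the error and the next line dereferences `conf` unconditionally, so if reading configuration fails and `ReadConfigs` returns a nil config this panics inside the xDS marshalling path, and if it returns a partially populated one the retain list is empty and every key manager is forwarded with an empty configuration. Because this function is the allow-list, it should fail closed and say so: `conf, err := config.ReadConfigs()` then `if err != nil { /* log with the package logger */ return filteredKMConfigMap }`, so an unreadable configuration forwards nothing rather than crashing. The in-loop comment should read `// No case-folding needed: the enforcer looks keys up verbatim from a hash map`, and since `ReadConfigs` runs on every call, confirm it is cached or hoist the retain list to the caller.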
@@ -0,0 +1,62 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package xds + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetFilteredKeyManagerConfig(t *testing.T) { + kmConfigMap := map[string]interface{}{ + "claim_mappings": []string{}, + "authorize_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/authorize", + "grant_types": []string{ + "refresh_token ", + "password", + "client_credentials", + "authorization_code", + "implicit", + }, + "enable_oauth_app_creation": true, + "certificate_value": "https://api.asgardeo.io/t/renukafernando/oauth2/jwks", + "enable_map_oauth_consumer_apps": false, + "enable_token_hash": false, + "revoke_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/revoke", + "well_known_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/token/.well-known/openid-configuration", + "self_validate_jwt": true, + "scopes_claim": "scope", + "enable_token_encryption": false, + "client_registration_endpoint": "https://api.asgardeo.io/t/renukafernando/api/server/v1", + "logout_endpoint": "https://api.asgardeo.io/t/renukafernando/oidc/logout", + "consumer_key_claim": "azp", + "certificate_type": "JWKS", + "token_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/token", + } + expectedKmConfigMap := map[string]interface{}{ + "claim_mappings": []string{}, + "certificate_value": 
"https://api.asgardeo.io/t/renukafernando/oauth2/jwks", + "self_validate_jwt": true, + "scopes_claim": "scope", + "consumer_key_claim": "azp", + "certificate_type": "JWKS", + } + + filteredConfig := getFilteredKeyManagerConfig(kmConfigMap) + assert.Equal(t, expectedKmConfigMap, filteredConfig, "Filtered Key Manager Configuration is not as expected") +} diff --git a/adapter/internal/messaging/notification_listener.go b/adapter/internal/messaging/notification_listener.go index 41250c5173..33bcb8a791 100644 --- a/adapter/internal/messaging/notification_listener.go +++ b/adapter/internal/messaging/notification_listener.go @@ -161,7 +161,7 @@ func handleKeyManagerEvents(data []byte) { delete(xds.KeyManagerMap, xds.GenerateKeyManagerMapKey(keyManagerEvent.Name, keyManagerEvent.Organization)) xds.GenerateAndUpdateKeyManagerList() } else if decodedByte != nil { - logger.LoggerInternalMsg.Infof("decoded Key Manager stream %s", string(decodedByte)) + logger.LoggerInternalMsg.Debugf("decoded Key Manager stream %s", string(decodedByte)) kmConfigMapErr := json.Unmarshal([]byte(string(decodedByte)), &kmConfigMap) if kmConfigMapErr != nil { logger.LoggerInternalMsg.Errorf("Error occurred while unmarshalling key manager config map %v", kmConfigMapErr) @@ -174,7 +174,7 @@ func handleKeyManagerEvents(data []byte) { Type: keyManagerEvent.Type, Enabled: keyManagerEvent.Enabled, TenantDomain: keyManagerEvent.TenantDomain, Organization: keyManagerEvent.Organization, Configuration: kmConfigMap} - logger.LoggerInternalMsg.Infof("Key Manager data %v", keyManager.Configuration) + logger.LoggerInternalMsg.Debugf("Key Manager data %v", keyManager.Configuration) xds.KeyManagerMap[xds.GenerateKeyManagerMapKey(keyManagerEvent.Name, keyManagerEvent.Organization)] = xds.MarshalKeyManager(&keyManager) xds.GenerateAndUpdateKeyManagerList() } 
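Review bot: The expected map in `TestGetFilteredKeyManagerConfig` is only right for whatever `config.ReadConfigs()` returns, which the function under test reads on each call, so the test passes or fails depending on the configuration the environment provides rather than on the filtering logic alone. If `ReadConfigs` can be pointed at a fixture or the retain list injected, do that; otherwise add `// Expected keys mirror defaultConfig.Adapter.XdsPayloadFormatter.KeyManagerConfigs.RetainKeys` above the expected map so the coupling is explicit, and add a case asserting that a map containing none of the retained keys yields an empty map. Consider also replacing the personal Asgardeo tenant URLs with `https://idp.example.com/...` fixtures; a real tenant name in a public test file is unnecessary.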
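Review bot: Downgrading both lines to Debugf still writes the entire decoded key-manager stream and the full configuration map to the log once debug logging is enabled, including every field the new allow-list in `MarshalKeyManager` exists to keep away from the enforcer; if that payload can carry anything sensitive, debug logs become the place it leaks. Log the shape rather than the values, e.g. `logger.LoggerInternalMsg.Debugf("decoded Key Manager stream (%d bytes)", len(decodedByte))` in the first hunk and the filtered map, or just its key names, in the second, and leave the raw dump out entirely.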
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/keymgt/KeyManagerHolder.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/keymgt/KeyManagerHolder.java index 8fc7d5294a..251f9b7fa2 100644 --- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/keymgt/KeyManagerHolder.java +++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/keymgt/KeyManagerHolder.java @@ -80,6 +80,10 @@ public void populateKMIssuerConfiguration(List kmIssuers) { private Map> getAllKmIssuers(List kmIssuers) { Map> kmIssuerMap = new ConcurrentHashMap<>(); for (KeyManagerConfig keyManagerConfig : kmIssuers) { + if (!keyManagerConfig.getEnabled()) { + continue; + } + JSONObject configObj = new JSONObject(keyManagerConfig.getConfiguration()); Map configuration = new HashMap<>(); Iterator keysItr = configObj.keys(); @@ -89,10 +93,8 @@ private Map> getAllKmIssuers(List Date: Sun, 18 Feb 2024 21:50:44 +0530 Subject: [PATCH 2/3] Add environments field for test object Signed-off-by: Renuka Fernando --- adapter/internal/discovery/xds/payloadfmt_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/adapter/internal/discovery/xds/payloadfmt_test.go b/adapter/internal/discovery/xds/payloadfmt_test.go index b725ad4f41..7bf3bef220 100644 --- a/adapter/internal/discovery/xds/payloadfmt_test.go +++ b/adapter/internal/discovery/xds/payloadfmt_test.go @@ -47,6 +47,7 @@ func TestGetFilteredKeyManagerConfig(t *testing.T) { "consumer_key_claim": "azp", "certificate_type": "JWKS", "token_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/token", + "environments": []string{"Production"}, } expectedKmConfigMap := map[string]interface{}{ "claim_mappings": []string{}, 
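Review bot: Skipping disabled key managers in `getAllKmIssuers` only revokes trust in a disabled issuer if `populateKMIssuerConfiguration` replaces the issuer map wholesale on every xDS update; if it merges into the existing map (its body is outside the hunk), an issuer that was enabled earlier stays accepted after being disabled. Worth confirming, and worth a comment on the new branch: `// Disabled key managers contribute no issuers, so their tokens are rejected.` If `KeyManagerConfig` is the generated proto type, `getEnabled()` returns false when the field was never set, so a key manager sent without the flag is dropped too — presumably intended, but it deserves a line.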
@@ -55,6 +56,7 @@ func TestGetFilteredKeyManagerConfig(t *testing.T) { "scopes_claim": "scope", "consumer_key_claim": "azp", "certificate_type": "JWKS", + "environments": []string{"Production"}, } filteredConfig := getFilteredKeyManagerConfig(kmConfigMap) From 4aad92a9d0785ebaadb29c01bd60f1bfc385ee9f Mon Sep 17 00:00:00 2001 From: Renuka Fernando Date: Mon, 19 Feb 2024 12:50:50 +0530 Subject: [PATCH 3/3] Mask Azure SharedAccessKey in connection URL Signed-off-by: Renuka Fernando --- adapter/pkg/messaging/azure_connection.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/adapter/pkg/messaging/azure_connection.go b/adapter/pkg/messaging/azure_connection.go index c4f27bebb6..05f5412896 100644 --- a/adapter/pkg/messaging/azure_connection.go +++ b/adapter/pkg/messaging/azure_connection.go @@ -22,12 +22,14 @@ import ( "context" "errors" "os" + "regexp" "strconv" "time" asb "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus" "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus/admin" "github.com/google/uuid" + "github.com/sirupsen/logrus" logger "github.com/wso2/product-microgateway/adapter/pkg/loggers" ) @@ -83,7 +85,9 @@ func InitiateBrokerConnectionAndValidate(connectionString string, componentName _, err := asb.NewClientFromConnectionString(connectionString, nil) if err == nil { - logger.LoggerMsg.Debugf("ASB client initialized for connection url: %s", connectionString) + if logger.LoggerMsg.IsLevelEnabled(logrus.DebugLevel) { + logger.LoggerMsg.Debugf("ASB client initialized for connection url: %s", maskSharedAccessKey(connectionString)) + } for j := 0; j < reconnectRetryCount || reconnectRetryCount == -1; j++ { err = nil 
@@ -169,3 +173,9 @@ func logError(reconnectRetryCount int, reconnectInterval time.Duration, errVal e
 }
 logger.LoggerMsg.Errorf("%v. %s .Retrying after %s seconds", errVal, retryAttemptMessage, reconnectInterval)
 }
+
+func maskSharedAccessKey(endpoint string) string {
+ re := regexp.MustCompile(`(SharedAccessKey=)([^;]+)`)
+ maskedEndpoint := re.ReplaceAllString(endpoint, "${1}************")
+ return maskedEndpoint
+}
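Review bot: `regexp.MustCompile` runs on every call of `maskSharedAccessKey`; hoist it to a package-level `var sharedAccessKeyRe = regexp.MustCompile(...)`. The pattern is also case-sensitive and only knows `SharedAccessKey=`, so a connection string written with different casing, or one that authenticates with `SharedAccessSignature=` instead (if that form is used in any deployment), would be logged unmasked. Suggest `var sharedAccessKeyRe = regexp.MustCompile("(?i)(SharedAccessKey|SharedAccessSignature)=([^;]+)")` with `return sharedAccessKeyRe.ReplaceAllString(endpoint, "${1}=************")`, plus a doc comment `// maskSharedAccessKey redacts the secret part of an Azure Service Bus connection string for logging.`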