Supporting whitelisted organizations to access any environment with P…

…roduction tokens.
wso2 · Jan 5, 2024 · 964914c · 964914c
1 parent e1a23b2
commit 964914c
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/...nforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java b/...nforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
@@ -304,9 +304,6 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws
                     if (claims.getClaim("keytype") != null) {
                         authenticationContext.setKeyType(claims.getClaim("keytype").toString());
                     }
-                    // Check if the token has access to the gateway configured environment.
-                    checkTokenEnvAgainstDeploymentType(requestContext.getAuthenticationContext().getKeyType(),
-                            requestContext.getMatchedAPI());
                     if (!"Unlimited".equals(authenticationContext.getTier())) {
                         // For subscription rate limiting, it is required to populate dynamic metadata
                         String subscriptionId = authenticationContext.getApiUUID() + ":" +
@@ -411,6 +408,19 @@ private void checkTokenEnvAgainstDeploymentType(String keyType, APIConfig matche
         if (System.getenv("DEPLOYMENT_TYPE_ENFORCED") != null
                 && System.getenv("DEPLOYMENT_TYPE_ENFORCED").equalsIgnoreCase("false")
                 && keyType.equalsIgnoreCase(APIConstants.JwtTokenConstants.PRODUCTION_KEY_TYPE)) {
+            if (System.getenv("WHITELISTED_ORGANIZATIONS") != null) {
+                String[] whitelistedOrganizationsArray =
+                        System.getenv("WHITELISTED_ORGANIZATIONS").split("\\s+");
+                for (String whitelistedOrgId : whitelistedOrganizationsArray) {
+                    if (matchedAPI.getOrganizationId().equalsIgnoreCase(whitelistedOrgId)) {
+                        return;
+                    }
+                }
+                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(),
+                        APISecurityConstants.API_AUTH_INVALID_ENVIRONMENT,
+                        APISecurityConstants.API_AUTH_INVALID_ENVIRONMENT_ERROR_MESSAGE);
+            }
+
             log.info("Deprecated: Production access token is used to access sandbox API deployment in " +
                     "organization : " +  matchedAPI.getOrganizationId());
             return;