Remove unnecessary configs passed from Adapter to Enforcer through xDS messages #3491

Merged
8 changes: 8 additions & 0 deletions adapter/config/default_config.go
@@ -50,6 +50,14 @@ var defaultConfig = &Config{
CertFile: "/home/wso2/security/truststore/consul/local-dc-client-consul-0.pem",
KeyFile: "/home/wso2/security/truststore/consul/local-dc-client-consul-0-key.pem",
},
XdsPayloadFormatter: xdsPayloadFormatter{
KeyManagerConfigs: keyManagerConfigs{
RetainKeys: []string{
"self_validate_jwt", "issuer", "claim_mappings", "consumer_key_claim",
"scopes_claim", "jwks_endpoint", "certificate_type", "certificate_value", "environments",
},
},
},
Keystore: keystore{
KeyPath: "/home/wso2/security/keystore/mg.key",
CertPath: "/home/wso2/security/keystore/mg.pem",
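Review bot: The default `RetainKeys` list inside the new `XdsPayloadFormatter` literal is the same nine-entry list that `resources/conf/config.toml.template` now carries in `retainKeys`, and nothing ties the two copies together, so the shipped default and the documented default will drift the next time someone adds or removes a key in one place only. Because this list is an allowlist (only these Key Manager configuration keys survive filtering before the payload goes to the Enforcer), silent drift here changes what the Enforcer receives. A comment above the literal would make that visible: `// RetainKeys is an allowlist of Key Manager configuration keys forwarded to the Enforcer; keep in sync with resources/conf/config.toml.template.` The enclosing `defaultConfig` declaration starts above the hunk.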
12 changes: 12 additions & 0 deletions adapter/config/types.go
@@ -89,6 +89,8 @@ type adapter struct {
VhostMapping []vhostMapping
// Consul represents the configuration required to connect to consul service discovery
Consul consul
// XdsPayloadFormatter represents the configuration to format the xds payload
XdsPayloadFormatter xdsPayloadFormatter
// Keystore contains the keyFile and Cert File of the adapter
Keystore keystore
// Trusted Certificates
@@ -208,6 +210,16 @@ type consul struct {
KeyFile string
}

type xdsPayloadFormatter struct {
// KeyManagerConfigs contains format configurations related to key manager configuration
KeyManagerConfigs keyManagerConfigs
}

type keyManagerConfigs struct {
Contributor


Do we need a new struct?

type xdsPayloadFormatter struct {
	RetainKeysForKeyManagerConfigs []string
}

Contributor Author


Yeah, looks good. But in case we need to add another config for key managers — for example, to filter out some keys — we can just add another field in the TOML for key managers.

[adapter.xdsPayloadFormatter.keyManagerConfigs]
# Retain only the following keys in the Key Manager configurations from Control Plane events and send to Enforcer
retainKeys = ["self_validate_jwt", "issuer", "claim_mappings", "consumer_key_claim", "scopes_claim", "jwks_endpoint", "certificate_type", "certificate_value", "environments"]

// RetainKeys contains the keys that should be retained in the xds payload
RetainKeys []string
}

// Global CORS configurations
type globalCors struct {
Enabled bool
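Review bot: The two new struct types `xdsPayloadFormatter` and `keyManagerConfigs` have no type comment, while each of their fields does, so a reader landing on the type has to read the field comments to learn what the group is for. Proposed: `// xdsPayloadFormatter holds the settings that shape the xDS payloads the Adapter sends to other components.` above the first and `// keyManagerConfigs groups the formatting settings applied to Key Manager configurations before they are sent to the Enforcer.` above the second. The `RetainKeys` comment would also be more precise as `// RetainKeys lists the Key Manager configuration keys kept in the xDS payload; all other keys are dropped.` since the code only ever copies listed keys.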
2 changes: 2 additions & 0 deletions adapter/internal/discovery/xds/marshaller.go
@@ -342,6 +342,8 @@ func marshalKeyMappingMapToList(keyMappingMap map[string]*subscription.Applicati

// MarshalKeyManager converts the data into KeyManager proto type
func MarshalKeyManager(keyManager *types.KeyManager) *keymgt.KeyManagerConfig {
// Filter the key manager configuration based on the configuration retention list
keyManager.Configuration = getFilteredKeyManagerConfig(keyManager.Configuration)
configList, err := json.Marshal(keyManager.Configuration)
configuration := string(configList)
if err == nil {
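Review bot: `keyManager.Configuration = getFilteredKeyManagerConfig(keyManager.Configuration)` overwrites the caller's `KeyManager` in place, so after this call the in-memory object has lost every configuration key not in the retain list, even though the doc comment still describes MarshalKeyManager as a pure conversion to the proto type. The only caller visible in this PR passes a local, so nothing breaks today, but any future reader of `KeyManagerMap` or of the event handler's `keyManager` will get the filtered view without knowing it. Filtering into a local keeps the function side-effect free: `filteredConfig := getFilteredKeyManagerConfig(keyManager.Configuration)` followed by `configList, err := json.Marshal(filteredConfig)`, with the doc comment updated to say the payload is restricted to the configured retain keys. The function body continues below the hunk.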
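--- a/adapter/internal/discovery/xds/payloadfmt.go
+++ b/adapter/internal/discovery/xds/payloadfmt.go
@@ -0,0 +1,33 @@
+/*
+* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package xds
+
+import "github.com/wso2/product-microgateway/adapter/config"
+
+func getFilteredKeyManagerConfig(kmConfigMap map[string]interface{}) map[string]interface{} {
+filteredKMConfigMap := make(map[string]interface{})
+conf, _ := config.ReadConfigs()
+
+for _, retainKey := range conf.Adapter.XdsPayloadFormatter.KeyManagerConfigs.RetainKeys {
+// Does not required to check for case sensitivity as the enforcer reads from a hash map
+val, ok := kmConfigMap[retainKey]
+if ok {
+filteredKMConfigMap[retainKey] = val
+}
+}
+return filteredKMConfigMap
+}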
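Review bot: `conf, _ := config.ReadConfigs()` discards the error and the next line dereferences `conf` unconditionally, so a failed configuration load would panic inside the xDS event path instead of surfacing as a handled error (assuming ReadConfigs returns a nil config on failure — confirm against its implementation). Since this function is the gate that decides which Key Manager fields reach the Enforcer, it should fail closed rather than open: `conf, err := config.ReadConfigs()` followed by `if err != nil || conf == nil { return filteredKMConfigMap }` returns the still-empty map instead of an unfiltered one. The function also lacks a doc comment; `// getFilteredKeyManagerConfig returns a copy of kmConfigMap restricted to the keys listed in adapter.xdsPayloadFormatter.keyManagerConfigs.retainKeys; unlisted keys are dropped.` states the contract. The inline comment reads awkwardly; `// No case-insensitive matching is needed: the Enforcer looks the keys up in a hash map.` says the same thing.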
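--- a/adapter/internal/discovery/xds/payloadfmt_test.go
+++ b/adapter/internal/discovery/xds/payloadfmt_test.go
@@ -0,0 +1,62 @@
+/*
+* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package xds
+
+import (
+"testing"
+
+"github.com/stretchr/testify/assert"
+)
+
+func TestGetFilteredKeyManagerConfig(t *testing.T) {
+kmConfigMap := map[string]interface{}{
+"claim_mappings": []string{},
+"authorize_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/authorize",
+"grant_types": []string{
+"refresh_token ",
+"password",
+"client_credentials",
+"authorization_code",
+"implicit",
+},
+"enable_oauth_app_creation": true,
+"certificate_value": "https://api.asgardeo.io/t/renukafernando/oauth2/jwks",
+"enable_map_oauth_consumer_apps": false,
+"enable_token_hash": false,
+"revoke_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/revoke",
+"well_known_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/token/.well-known/openid-configuration",
+"self_validate_jwt": true,
+"scopes_claim": "scope",
+"enable_token_encryption": false,
+"client_registration_endpoint": "https://api.asgardeo.io/t/renukafernando/api/server/v1",
+"logout_endpoint": "https://api.asgardeo.io/t/renukafernando/oidc/logout",
+"consumer_key_claim": "azp",
+"certificate_type": "JWKS",
+"token_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/token",
+}
+expectedKmConfigMap := map[string]interface{}{
+"claim_mappings": []string{},
+"certificate_value": "https://api.asgardeo.io/t/renukafernando/oauth2/jwks",
+"self_validate_jwt": true,
+"scopes_claim": "scope",
+"consumer_key_claim": "azp",
+"certificate_type": "JWKS",
+}
+
+filteredConfig := getFilteredKeyManagerConfig(kmConfigMap)
+assert.Equal(t, expectedKmConfigMap, filteredConfig, "Filtered Key Manager Configuration is not as expected")
+}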
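Review bot: The expected map hard-codes the outcome of whatever `config.ReadConfigs()` returns in the test environment (presumably the defaults in `default_config.go`), so the test will fail the next time the default retain list changes, for a reason unrelated to the filtering logic, and nothing in the test itself states which retain list it assumes. A short comment above `expectedKmConfigMap` naming that dependency, e.g. `// Expected keys follow the default retainKeys list in adapter/config/default_config.go`, would make the failure self-explanatory. The fixture also embeds a personal tenant (`https://api.asgardeo.io/t/renukafernando/...`) in every URL; neutral placeholders such as `https://idp.example.com/oauth2/token` avoid shipping an individual's tenant name in the repository. `"refresh_token "` carries a trailing space that looks accidental, even though the key is filtered out.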
4 changes: 2 additions & 2 deletions adapter/internal/messaging/notification_listener.go
@@ -161,7 +161,7 @@ func handleKeyManagerEvents(data []byte) {
delete(xds.KeyManagerMap, xds.GenerateKeyManagerMapKey(keyManagerEvent.Name, keyManagerEvent.Organization))
xds.GenerateAndUpdateKeyManagerList()
} else if decodedByte != nil {
logger.LoggerInternalMsg.Infof("decoded Key Manager stream %s", string(decodedByte))
logger.LoggerInternalMsg.Debugf("decoded Key Manager stream %s", string(decodedByte))
kmConfigMapErr := json.Unmarshal([]byte(string(decodedByte)), &kmConfigMap)
if kmConfigMapErr != nil {
logger.LoggerInternalMsg.Errorf("Error occurred while unmarshalling key manager config map %v", kmConfigMapErr)
@@ -174,7 +174,7 @@ func handleKeyManagerEvents(data []byte) {
Type: keyManagerEvent.Type, Enabled: keyManagerEvent.Enabled,
TenantDomain: keyManagerEvent.TenantDomain, Organization: keyManagerEvent.Organization,
Configuration: kmConfigMap}
logger.LoggerInternalMsg.Infof("Key Manager data %v", keyManager.Configuration)
logger.LoggerInternalMsg.Debugf("Key Manager data %v", keyManager.Configuration)
xds.KeyManagerMap[xds.GenerateKeyManagerMapKey(keyManagerEvent.Name, keyManagerEvent.Organization)] = xds.MarshalKeyManager(&keyManager)
xds.GenerateAndUpdateKeyManagerList()
}
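Review bot: `Debugf("Key Manager data %v", keyManager.Configuration)` prints the full configuration map before `xds.MarshalKeyManager` filters it on the next line, and the earlier `Debugf("decoded Key Manager stream %s", ...)` prints the raw decoded event, so lowering the level from Infof to Debugf still writes every Key Manager field the control plane sends — including any credential-like fields the retain list was introduced to keep out of the Enforcer payload, if the events carry such fields — to the Adapter log whenever debug logging is enabled. If the intent is to keep those values out of logs rather than just out of the default log level, log only the key names of the map, or log the filtered configuration after marshalling. The enclosing `handleKeyManagerEvents` starts above the first hunk and continues past the second.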
@@ -80,6 +80,10 @@ public void populateKMIssuerConfiguration(List<KeyManagerConfig> kmIssuers) {
private Map<String, Map<String, ExtendedTokenIssuerDto>> getAllKmIssuers(List<KeyManagerConfig> kmIssuers) {
Map<String, Map<String, ExtendedTokenIssuerDto>> kmIssuerMap = new ConcurrentHashMap<>();
for (KeyManagerConfig keyManagerConfig : kmIssuers) {
if (!keyManagerConfig.getEnabled()) {
continue;
}

JSONObject configObj = new JSONObject(keyManagerConfig.getConfiguration());
Map<String, Object> configuration = new HashMap<>();
Iterator<String> keysItr = configObj.keys();
@@ -89,10 +93,8 @@ private Map<String, Map<String, ExtendedTokenIssuerDto>> getAllKmIssuers(List<K
configuration.put(key, value);
}

if (keyManagerConfig.getEnabled()) {
addKMTokenIssuers(keyManagerConfig.getName(), keyManagerConfig.getOrganization(),
configuration, kmIssuerMap);
}
addKMTokenIssuers(keyManagerConfig.getName(), keyManagerConfig.getOrganization(),
configuration, kmIssuerMap);
}
return kmIssuerMap;
}
9 changes: 8 additions & 1 deletion resources/conf/config.toml.template
@@ -66,6 +66,13 @@ sandboxVhost = "sandbox.host"
# Optional path to the private key for Consul communication. If this is set, then you need to also set certFile
keyFile = "/home/wso2/security/truststore/consul/local-dc-client-consul-0-key.pem"

# Configurations for formatting xDS payloads sent to other Choreo Connect components
[adapter.xdsPayloadFormatter]
# Enforcer Key Manager formattings
[adapter.xdsPayloadFormatter.keyManagerConfigs]
# Retain only the following keys in the Key Manager configurations from Control Plane events and send to Enforcer
retainKeys = ["self_validate_jwt", "issuer", "claim_mappings", "consumer_key_claim", "scopes_claim", "jwks_endpoint", "certificate_type", "certificate_value", "environments"]

# Configurations required for router to route the traffic from different clients to services
[router] # --------------------------------------------------------
# Host for listener of Router
@@ -481,7 +488,7 @@ enabled = true
# Number of tasks can be submitted to the worker pool without being blocked.
queueSizePerPool = 1000
# HTTP client configuration.
[controlPlane.httpClient]
[controlPlane.hTTPClient]
requestTimeOut = 30

# Global Adapter related configurations
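Review bot: The comment above `retainKeys` says which keys are retained but not that the list is an allowlist — every other key in the Key Manager configuration is dropped before the payload reaches the Enforcer — so an operator adding an entry here is widening what the Enforcer receives, which is worth stating explicitly: `# Allowlist: only these Key Manager configuration keys from Control Plane events are forwarded to the Enforcer; every other key is dropped.` Separately, the rename of `[controlPlane.httpClient]` to `[controlPlane.hTTPClient]` in the second hunk is unrelated to the PR title and changes a section name operators write by hand; unless the TOML decoder matches section names to struct fields case-insensitively (confirm), existing config files keeping the old spelling would silently fall back to the default `requestTimeOut`. That rename deserves a mention in the PR description either way.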