Add scopes to the config ds

helm-charts/templates/data-plane/config-deployer/config-deploy-api-create-scope.yaml

@@ -0,0 +1,28 @@
+
+# Copyright (c) 2023, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+{{- if and .Values.wso2.apk.dp.enabled .Values.wso2.apk.dp.configdeployer.enabled }}
+apiVersion: dp.wso2.com/v1alpha1
+kind: Scope
+metadata:
+  labels:
+    managed-by: "apk"
+  name: {{ template "apk-helm.resource.prefix" . }}-api-create-scope
+  namespace: {{ .Release.Namespace }}
+spec:
+  names:
+  - apk:api_create
+{{- end -}}

helm-charts/templates/data-plane/config-deployer/config-deploy-api-route.yaml

@@ -34,6 +34,12 @@ spec:
     - group: "dp.wso2.com"
       kind: "Backend"
       name: "{{ template "apk-helm.resource.prefix" . }}-config-deployer-ds-backend"
+    filters:
+    - extensionRef:
+        group: dp.wso2.com
+        kind: Scope
+        name: {{ template "apk-helm.resource.prefix" . }}-api-create-scope
+      type: ExtensionRef
   - matches:
     - path:
         type: "RegularExpression"
@@ -43,6 +49,12 @@ spec:
     - group: "dp.wso2.com"
       kind: "Backend"
       name: "{{ template "apk-helm.resource.prefix" . }}-config-deployer-ds-backend"
+    filters:
+    - extensionRef:
+        group: dp.wso2.com
+        kind: Scope
+        name: {{ template "apk-helm.resource.prefix" . }}-api-create-scope
+      type: ExtensionRef
   parentRefs:
   - group: "gateway.networking.k8s.io"
     kind: "Gateway"

runtime/config-deployer-service/ballerina/resources/artifact-deployer-api.yaml

@@ -13,6 +13,9 @@ paths:
       tags:
         - APIs
       summary: Deploy API
+      security:
+        - OAuth2Security:
+            - apk:api_create
       description: | 
       operationId: deployAPI
       requestBody:
@@ -54,6 +57,9 @@ paths:
       tags:
         - APIs
       summary: Undeploy API
+      security:
+        - OAuth2Security:
+            - apk:api_create
       description: | 
       operationId: undeployAPI
       parameters:
@@ -132,3 +138,12 @@ components:
       schema:
         type: string
         default: application/json
+  securitySchemes:
+    OAuth2Security:
+      type: oauth2
+      flows:
+        password:
+          tokenUrl: https://localhost:9095/oauth2/token
+          scopes:
+            openid: Authorize access to user details
+            apk:api_create: Deploy and Undeploy APIs

test/cucumber-tests/src/test/java/org/wso2/apk/integration/api/BaseSteps.java

@@ -321,6 +321,19 @@ public void iHaveValidSubscription() throws Exception {
         headers.put(Constants.REQUEST_HEADERS.HOST, Constants.DEFAULT_IDP_HOST);
         headers.put(Constants.REQUEST_HEADERS.AUTHORIZATION, "Basic NDVmMWM1YzgtYTkyZS0xMWVkLWFmYTEtMDI0MmFjMTIwMDAyOjRmYmQ2MmVjLWE5MmUtMTFlZC1hZmExLTAyNDJhYzEyMDAwMg==");
 
+        HttpResponse httpResponse = httpClient.doPost(Utils.getTokenEndpointURL(), headers, "grant_type=client_credentials&scope=" + Constants.API_CREATE_SCOPE,
+                Constants.CONTENT_TYPES.APPLICATION_X_WWW_FORM_URLENCODED);
+        sharedContext.setAccessToken(Utils.extractToken(httpResponse));
+        sharedContext.addStoreValue("accessToken", sharedContext.getAccessToken());
+    }
+
+    @Given("I have a valid subscription without api deploy permission")
+    public void iHaveValidSubscriptionWithAPICreateScope() throws Exception {
+
+        Map<String, String> headers = new HashMap<>();
+        headers.put(Constants.REQUEST_HEADERS.HOST, Constants.DEFAULT_IDP_HOST);
+        headers.put(Constants.REQUEST_HEADERS.AUTHORIZATION, "Basic NDVmMWM1YzgtYTkyZS0xMWVkLWFmYTEtMDI0MmFjMTIwMDAyOjRmYmQ2MmVjLWE5MmUtMTFlZC1hZmExLTAyNDJhYzEyMDAwMg==");
+
         HttpResponse httpResponse = httpClient.doPost(Utils.getTokenEndpointURL(), headers, "grant_type=client_credentials",
                 Constants.CONTENT_TYPES.APPLICATION_X_WWW_FORM_URLENCODED);
         sharedContext.setAccessToken(Utils.extractToken(httpResponse));

test/cucumber-tests/src/test/java/org/wso2/apk/integration/api/JWTGeneratorSteps.java

@@ -23,6 +23,8 @@
 import java.util.Date;
 import java.util.UUID;
 
+import org.wso2.apk.integration.utils.Constants;
+
 public class JWTGeneratorSteps {
 
     private final SharedContext sharedContext;
@@ -47,7 +49,7 @@ public void generateTokenFromIdp1(String kid) throws IOException, CertificateExc
                 .expirationTime(new Date(new Date().getTime() + 60 * 1000))
                 .jwtID(UUID.randomUUID().toString())
                 .claim("azp", UUID.randomUUID().toString())
-                .claim("scope", "default")
+                .claim("scope", Constants.API_CREATE_SCOPE)
                 .build();
         SignedJWT signedJWT = new SignedJWT(
                 new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kid).build(),
@@ -74,7 +76,7 @@ public void generateTokenFromIdp1WithOrganization(String organization) throws IO
                 .expirationTime(new Date(new Date().getTime() + 60 * 1000))
                 .jwtID(UUID.randomUUID().toString())
                 .claim("azp", UUID.randomUUID().toString())
-                .claim("scope", "default")
+                .claim("scope", Constants.API_CREATE_SCOPE)
                 .claim("organization", organization)
                 .build();
         SignedJWT signedJWT = new SignedJWT(

test/cucumber-tests/src/test/java/org/wso2/apk/integration/utils/Constants.java

@@ -27,6 +27,7 @@ public class Constants {
     public static final String DEFAULT_API_DEPLOYER = "api/deployer/1.0.0/";
     public static final String ACCESS_TOKEN = "accessToken";
     public static final String EMPTY_STRING = "";
+    public static final String API_CREATE_SCOPE = "apk:api_create";
     public static final String SPACE_STRING = " ";
     public static final String SUBSCRIPTION_BASIC_AUTH_TOKEN =
             "Basic NDVmMWM1YzgtYTkyZS0xMWVkLWFmYTEtMDI0MmFjMTIwMDAyOjRmYmQ2MmVjLWE5MmUtMTFlZC1hZmExLTAyNDJhYzEyMDAwMg==";

test/cucumber-tests/src/test/resources/tests/api/deployment.feature

@@ -1,4 +1,12 @@
 Feature: API Deployment
+  Scenario: Deploying an API without api create scope
+    Given The system is ready
+    And I have a valid subscription without api deploy permission
+    When I use the APK Conf file "artifacts/apk-confs/cors_API.apk-conf"
+    And the definition file "artifacts/definitions/cors_api.yaml"
+    And make the API deployment request
+    Then the response status code should be 403
+
   Scenario: Deploying an API
     Given The system is ready
     And I have a valid subscription
@@ -17,6 +25,12 @@ Feature: API Deployment
     Then the response status code should be 400
     And the response body should contain
       |"#/corsConfiguration/corsConfigurationEnabled: expected type: Boolean, found: String"|
+
+  Scenario Outline: Undeploy an API without api create scope
+    Given The system is ready
+    And I have a valid subscription without api deploy permission
+    When I undeploy the API whose ID is "<apiID>"
+    Then the response status code should be 403
 
   Scenario Outline: Undeploy an API
     Given The system is ready