diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTConsumerKeyDTO.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTConsumerKeyDTO.java
index d2966ce33f58..d69f906df4d4 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTConsumerKeyDTO.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTConsumerKeyDTO.java
@@ -28,10 +28,10 @@ public class RevokedJWTConsumerKeyDTO {
     @SerializedName("consumer_key")
     private String consumerKey;
-    @SerializedName("is_revoke_app_only")
-    private boolean isRevokedAppOnly;
     @SerializedName("revocation_time")
     private Long revocationTime;
+    @SerializedName("organization")
+    private String organization;
 
     public void setRevocationTime(Long revocationTime) {
         this.revocationTime = revocationTime;
@@ -49,11 +49,11 @@ public void setConsumerKey(String consumerKey) {
         this.consumerKey = consumerKey;
     }
 
-    public boolean isRevokedAppOnly() {
-        return isRevokedAppOnly;
+    public String getOrganization() {
+        return organization;
     }
 
-    public void setRevokedAppOnly(boolean revokedAppOnly) {
-        isRevokedAppOnly = revokedAppOnly;
+    public void setOrganization(String organization) {
+        this.organization = organization;
     }
 }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTUserDTO.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTUserDTO.java
index 730040399af8..afb647713c7f 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTUserDTO.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/RevokedJWTUserDTO.java
@@ -25,17 +25,29 @@
  */
 public class RevokedJWTUserDTO {
-    @SerializedName("user_uuid")
-    private String userUUID;
+    @SerializedName("subject_id")
+    private String subjectId;
+    @SerializedName("subject_id_type")
+    private String subjectIdType;
     @SerializedName("revocation_time")
     private Long revocationTime;
+    @SerializedName("organization")
+    private String organization;
 
-    public String getUserUUID() {
-        return userUUID;
+    public String getSubjectId() {
+        return subjectId;
     }
 
-    public void setUserUUID(String userUUID) {
-        this.userUUID = userUUID;
+    public void setSubjectId(String subjectId) {
+        this.subjectId = subjectId;
+    }
+
+    public String getSubjectIdType() {
+        return subjectIdType;
+    }
+
+    public void setSubjectIdType(String subjectIdType) {
+        this.subjectIdType = subjectIdType;
     }
 
     public Long getRevocationTime() {
@@ -45,4 +57,12 @@ public Long getRevocationTime() {
     public void setRevocationTime(Long revocationTime) {
         this.revocationTime = revocationTime;
     }
+
+    public String getOrganization() {
+        return organization;
+    }
+
+    public void setOrganization(String organization) {
+        this.organization = organization;
+    }
 }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/internal/ServiceReferenceHolder.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/internal/ServiceReferenceHolder.java
index a25214f79056..ade19418b387 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/internal/ServiceReferenceHolder.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/internal/ServiceReferenceHolder.java
@@ -35,8 +35,6 @@
 import org.wso2.carbon.apimgt.impl.jwt.JWTValidationService;
 import org.wso2.carbon.apimgt.impl.keymgt.KeyManagerDataService;
 import org.wso2.carbon.apimgt.impl.throttling.APIThrottleDataService;
-import org.wso2.carbon.apimgt.impl.token.RevokedConsumerKeyEventService;
-import org.wso2.carbon.apimgt.impl.token.RevokedUserEventService;
 import org.wso2.carbon.apimgt.impl.token.RevokedTokenService;
 import org.wso2.carbon.apimgt.impl.utils.APIUtil;
 import org.wso2.carbon.apimgt.impl.webhooks.SubscriptionsDataService;
@@ -110,8 +108,6 @@ public ThrottleDataHolder getThrottleDataHolder() {
     }
     private ArtifactRetriever artifactRetriever;
     private int gatewayCount = 1;
-    private RevokedConsumerKeyEventService revokedConsumerKeyEventService;
-    private RevokedUserEventService revokedUserEventService;
 
     private ServiceReferenceHolder() {
 
@@ -423,21 +419,6 @@ public void setRedisPool(JedisPool redisPool) {
         this.redisPool = redisPool;
     }
 
-    public RevokedConsumerKeyEventService getRevokedConsumerKeyService() {
-        return revokedConsumerKeyEventService;
-    }
-
-    public void setRevokedConsumerKeyService(RevokedConsumerKeyEventService revokedConsumerKeyEventService) {
-        this.revokedConsumerKeyEventService = revokedConsumerKeyEventService;
-    }
-
-    public RevokedUserEventService getRevokedUserEventService() {
-        return revokedUserEventService;
-    }
-
-    public void setRevokedUserEventService(RevokedUserEventService revokedUserEventService) {
-        this.revokedUserEventService = revokedUserEventService;
-    }
     public AnalyticsCustomDataProvider getAnalyticsCustomDataProvider() {
         return analyticsCustomDataProvider;
     }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternalRevokedJWTDataHolder.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternalRevokedJWTDataHolder.java
index 959d2c894885..c193cf066d0c 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternalRevokedJWTDataHolder.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternalRevokedJWTDataHolder.java
@@ -41,6 +41,7 @@ private InternalRevokedJWTDataHolder() {
 
     /**
      * This method can be used to get the singleton instance of this class.
+     *
      * @return the singleton instance.
      */
     public static InternalRevokedJWTDataHolder getInstance() {
@@ -59,13 +60,12 @@ public void addInternalRevokedJWTClientIDToMap(String consumerKey, Long revocati
 
     public boolean isJWTTokenClientIdExistsInRevokedMap(String consumerKey, Long jwtGeneratedTimestamp) {
 
-        if (internalRevokedConsumerKeyMap.containsKey(consumerKey)) {
-            Long jwtRevokedTime = internalRevokedConsumerKeyMap.get(consumerKey);
+        Long jwtRevokedTime = internalRevokedConsumerKeyMap.get(consumerKey);
 
-            if (jwtRevokedTime != null) {
-                Timestamp jwtRevokedTimestamp = new Timestamp(jwtRevokedTime);
-                return jwtRevokedTimestamp.after(new Timestamp(jwtGeneratedTimestamp));
-            }
+        if (jwtRevokedTime != null) {
+            Timestamp jwtRevokedTimestamp = new Timestamp(jwtRevokedTime);
+            jwtRevokedTimestamp.toLocalDateTime();
+            return jwtRevokedTimestamp.after(new Timestamp(jwtGeneratedTimestamp));
         }
         return false;
     }
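Review bot: The added `jwtRevokedTimestamp.toLocalDateTime();` in isJWTTokenClientIdExistsInRevokedMap discards its result, so on every JWT validation it only allocates a LocalDateTime and contributes nothing to the revocation decision; drop the line. The two sibling checks rewritten in this commit (the app-only and user-id map lookups) do not carry it, so removing it also keeps the three methods identical in shape. Separately, the decision remains a strict `after()` between the stored revocation time and the token's generated time; if callers pass a seconds-granularity `iat` scaled to millis, a token minted within the same second as the revocation is not treated as revoked, which the method's Javadoc should state together with the unit it expects for `jwtGeneratedTimestamp`.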
@@ -81,14 +81,13 @@ public void addInternalRevokedJWTClientIDToAppOnlyMap(String consumerKey, Long r
 
     public boolean isJWTTokenClientIdExistsInRevokedAppOnlyMap(String consumerKey, Long jwtGeneratedTimestamp) {
 
-        if (internalRevokedConsumerKeyAppOnlyMap.containsKey(consumerKey)) {
-            Long jwtRevokedTime = internalRevokedConsumerKeyAppOnlyMap.get(consumerKey);
+        Long jwtRevokedTime = internalRevokedConsumerKeyAppOnlyMap.get(consumerKey);
 
-            if (jwtRevokedTime != null) {
-                Timestamp jwtRevokedTimestamp = new Timestamp(jwtRevokedTime);
-                return jwtRevokedTimestamp.after(new Timestamp(jwtGeneratedTimestamp));
-            }
+        if (jwtRevokedTime != null) {
+            Timestamp jwtRevokedTimestamp = new Timestamp(jwtRevokedTime);
+            return jwtRevokedTimestamp.after(new Timestamp(jwtGeneratedTimestamp));
         }
+
         return false;
     }
 
@@ -103,13 +102,11 @@ public void addInternalRevokedJWTUserIDToMap(String userUUID, Long revocationTim
 
     public boolean isJWTTokenUserIdExistsInRevokedMap(String user, Long jwtGeneratedTimestamp) {
 
-        if (internalRevokedUserEventRuleMap.containsKey(user)) {
-            Long jwtRevokedTime = internalRevokedUserEventRuleMap.get(user);
+        Long jwtRevokedTime = internalRevokedUserEventRuleMap.get(user);
 
-            if (jwtRevokedTime != null) {
-                Timestamp jwtRevokedTimestamp = new Timestamp(jwtRevokedTime);
-                return jwtRevokedTimestamp.after(new Timestamp(jwtGeneratedTimestamp));
-            }
+        if (jwtRevokedTime != null) {
+            Timestamp jwtRevokedTimestamp = new Timestamp(jwtRevokedTime);
+            return jwtRevokedTimestamp.after(new Timestamp(jwtGeneratedTimestamp));
         }
         return false;
     }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedJWTConsumerKeyRetriever.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedJWTConsumerKeyRetriever.java
index fe868d7018b4..7f94dead9ec4 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedJWTConsumerKeyRetriever.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedJWTConsumerKeyRetriever.java
@@ -107,16 +107,9 @@ private void loadRevokedJWTConsumerKeysFromWebService() {
         RevokedJWTConsumerKeyDTO[] revokedJWTConsumerKeyDTOS = retrieveRevokedJWTConsumerKeysData();
         if (revokedJWTConsumerKeyDTOS != null) {
             for (RevokedJWTConsumerKeyDTO revokedJWTConsumerKey : revokedJWTConsumerKeyDTOS) {
-                if (revokedJWTConsumerKey.isRevokedAppOnly()) {
-                    // handle user event revocations of app tokens since the 'sub' claim is client id
-                    InternalRevokedJWTDataHolder.getInstance().
-                            addInternalRevokedJWTClientIDToAppOnlyMap(revokedJWTConsumerKey.getConsumerKey(),
-                                    revokedJWTConsumerKey.getRevocationTime());
-                } else {
-                    InternalRevokedJWTDataHolder.getInstance().
-                            addInternalRevokedJWTClientIDToMap(revokedJWTConsumerKey.getConsumerKey(),
-                                    revokedJWTConsumerKey.getRevocationTime());
-                }
+                InternalRevokedJWTDataHolder.getInstance().
+                        addInternalRevokedJWTClientIDToMap(revokedJWTConsumerKey.getConsumerKey(),
+                                revokedJWTConsumerKey.getRevocationTime());
                 if (log.isDebugEnabled()) {
                     log.debug("JWT signature : " + revokedJWTConsumerKey.getConsumerKey()
                             + " added to the revoke map.");
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedRuleByUserEventRetriever.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedRuleByUserEventRetriever.java
index e9da55445449..082d4ac920e8 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedRuleByUserEventRetriever.java
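Review bot: The retained debug line `log.debug("JWT signature : " + revokedJWTConsumerKey.getConsumerKey() + " added to the revoke map.");` labels a consumer key as a JWT signature, which misleads anyone reading gateway logs while debugging a revocation that did not apply; change the prefix to `"Consumer key : "`. Since this loop now routes every entry to the general consumer-key map, a one-line comment above the call saying that app-only revocations arrive through the user-event feed instead (the `CLIENT_ID` subject type handled in InternallyRevokedRuleByUserEventRetriever in this same commit) would explain why the app-only branch disappeared from here. loadRevokedJWTConsumerKeysFromWebService continues past the end of the hunk.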
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/jwt/InternallyRevokedRuleByUserEventRetriever.java
@@ -39,11 +39,17 @@ private void loadRevokedJWTUsersFromWebService() {
         RevokedJWTUserDTO[] revokedJWTUserDTOs = retrieveRevokedJWTUsersData();
         if (revokedJWTUserDTOs != null) {
             for (RevokedJWTUserDTO revokedJWTUserDTO : revokedJWTUserDTOs) {
-                InternalRevokedJWTDataHolder.getInstance().
-                        addInternalRevokedJWTUserIDToMap(revokedJWTUserDTO.getUserUUID(),
-                                revokedJWTUserDTO.getRevocationTime());
+                if ("USER_ID".equals(revokedJWTUserDTO.getSubjectIdType())) {
+                    InternalRevokedJWTDataHolder.getInstance().
+                            addInternalRevokedJWTUserIDToMap(revokedJWTUserDTO.getSubjectId(),
+                                    revokedJWTUserDTO.getRevocationTime());
+                } else if ("CLIENT_ID".equals(revokedJWTUserDTO.getSubjectIdType())) {
+                    InternalRevokedJWTDataHolder.getInstance().
+                            addInternalRevokedJWTClientIDToAppOnlyMap(revokedJWTUserDTO.getSubjectId(),
+                                    revokedJWTUserDTO.getRevocationTime());
+                }
                 if (log.isDebugEnabled()) {
-                    log.debug("User uuid : " + revokedJWTUserDTO.getUserUUID()
+                    log.debug("Subject Id : " + revokedJWTUserDTO.getSubjectId()
                             + " added to the user event revoke map.");
                 }
             }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/GatewayTokenRevocationMessageListener.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/GatewayTokenRevocationMessageListener.java
index edb62f5b46fb..e11d336ad4c6 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/GatewayTokenRevocationMessageListener.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/GatewayTokenRevocationMessageListener.java
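Review bot: A rule whose `subjectIdType` is neither `"USER_ID"` nor `"CLIENT_ID"` is silently skipped by the new if/else-if, yet the debug line that follows still reports the subject as added to the revoke map; a revocation that quietly fails to take effect is the fail-open case for this loader, so it should at least be visible. Add a final branch, `} else { log.warn("Ignoring revocation rule with unknown subject id type: " + revokedJWTUserDTO.getSubjectIdType()); }`, and move the two literals into named constants since the same strings are compared again in GatewayTokenRevocationMessageListener in this commit. Whether an older Key Manager can still deliver a DTO with a null `subjectIdType` is not visible here, but the `"USER_ID".equals(...)` ordering already tolerates that without an exception. loadRevokedJWTUsersFromWebService continues past the end of the hunk.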
@@ -25,6 +25,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
+import org.wso2.carbon.apimgt.gateway.jwt.InternalRevokedJWTDataHolder;
 import org.wso2.carbon.apimgt.impl.APIConstants;
 
 import javax.jms.*;
@@ -49,14 +50,14 @@ public void onMessage(Message message) {
 
                 if (payloadData.get("type") != null && payloadData.get("type").asText()
                         .equals(APIConstants.NotificationEvent.INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENT)) {
                     handleInternallyRevokedConsumerKeyMessage(payloadData.get("consumerKey").asText()
-                            , payloadData.get("isRevokeAppOnly").asBoolean()
                             , payloadData.get("revocationTime").asLong(), payloadData.get("type").asText());
                 }
                 if (payloadData.get("type") != null && payloadData.get("type").asText()
                         .equals(APIConstants.NotificationEvent.INTERNAL_TOKEN_REVOCATION_USER_EVENT)) {
-                    handleInternallyRevokedUserEventMessage(payloadData.get("userUUID").asText(),
-                            payloadData.get("revocationTime").asLong(), payloadData.get("type").asText());
+                    handleInternallyRevokedUserEventMessage(payloadData.get("subjectId").asText(),
+                            payloadData.get("subjectIdType").asText(), payloadData.get("revocationTime").asLong(),
+                            payloadData.get("type").asText());
                 }
 
                 if (APIConstants.TopicNames.TOPIC_TOKEN_REVOCATION.equalsIgnoreCase(jmsDestination.getTopicName())) {
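Review bot: `payloadData.get("subjectIdType").asText()` — and the `subjectId` lookup beside it — dereferences the result of `get()` with no null check, so an event still published in the old shape (`userUUID`, no `subjectIdType`) throws a NullPointerException out of the second `if` block before the token-revocation branch below it is reached; during a rolling upgrade with an older publisher that means such messages are lost rather than ignored. Read the fields as `payloadData.path("subjectId").asText(null)` and `payloadData.path("subjectIdType").asText(null)` and skip the call when either is null, in the same spirit as the `type` null check on the first line of each block. onMessage starts before the hunk, so whether a surrounding try/catch would contain the exception cannot be seen here.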
@@ -106,18 +107,21 @@ private void handleRevokedTokenMessage(String revokedToken, long expiryTime, Str
         }
     }
 
-    private void handleInternallyRevokedConsumerKeyMessage(String consumerKey, boolean isRevokeAppOnly,
-                                                           long revocationTime, String type) {
+    private void handleInternallyRevokedConsumerKeyMessage(String consumerKey, long revocationTime, String type) {
         if (APIConstants.NotificationEvent.INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENT.equals(type)) {
-            ServiceReferenceHolder.getInstance().getRevokedConsumerKeyService()
-                    .addConsumerKeyIntoMap(consumerKey, isRevokeAppOnly, revocationTime);
+            InternalRevokedJWTDataHolder.getInstance().addInternalRevokedJWTClientIDToMap(consumerKey, revocationTime);
         }
     }
 
-    private void handleInternallyRevokedUserEventMessage(String userUUID, long revocationTime, String type) {
+    private void handleInternallyRevokedUserEventMessage(String subjectId, String subjectIdType,
+                                                         long revocationTime, String type) {
         if (APIConstants.NotificationEvent.INTERNAL_TOKEN_REVOCATION_USER_EVENT.equals(type)) {
-            ServiceReferenceHolder.getInstance().getRevokedUserEventService()
-                    .addUserEventIntoMap(userUUID, revocationTime);
+            if ("USER_ID".equals(subjectIdType)) {
+                InternalRevokedJWTDataHolder.getInstance().addInternalRevokedJWTUserIDToMap(subjectId, revocationTime);
+            } else if ("CLIENT_ID".equals(subjectIdType)) {
+                InternalRevokedJWTDataHolder.getInstance().addInternalRevokedJWTClientIDToAppOnlyMap(subjectId,
+                        revocationTime);
+            }
         }
     }
 }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/ServerStartupListener.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/ServerStartupListener.java
index 693a8ed8f9a4..f33abca17c2a 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/ServerStartupListener.java
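Review bot: handleInternallyRevokedUserEventMessage drops an event whose `subjectIdType` is neither `"USER_ID"` nor `"CLIENT_ID"` without a trace, so a revocation the Key Manager believes it delivered never reaches the gateway maps and nothing is logged; add `} else { log.warn("Ignoring user event revocation with unknown subject id type: " + subjectIdType); }` so the fail-open case is at least visible. The same two literals are compared in InternallyRevokedRuleByUserEventRetriever in this commit; define them once (for example next to the event types in APIConstants.NotificationEvent) so the publisher and both consumers cannot drift apart. The `type` argument is now checked twice, once by the caller in onMessage and again inside each handler, which is harmless but deserves a comment if it is meant as defence in depth.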
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/listeners/ServerStartupListener.java
@@ -52,8 +52,6 @@ public void completedServerStartup() {
         ServiceReferenceHolder.getInstance().setAPIThrottleDataService(throttleDataServiceImpl);
         ServiceReferenceHolder.getInstance().setThrottleDataHolder(throttleDataHolder);
         ServiceReferenceHolder.getInstance().setRevokedTokenService(new RevokedTokenDataImpl());
-        ServiceReferenceHolder.getInstance().setRevokedConsumerKeyService(new RevokedConsumerKeyEventServiceImpl());
-        ServiceReferenceHolder.getInstance().setRevokedUserEventService(new RevokedUserEventServiceImpl());
         SubscriptionsDataService subscriptionsDataService = new SubscriptionsDataServiceImpl();
         ServiceReferenceHolder.getInstance().setSubscriptionsDataService(subscriptionsDataService);
         log.debug("APIThrottleDataService Registered...");
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/RevokedConsumerKeyEventServiceImpl.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/RevokedConsumerKeyEventServiceImpl.java
deleted file mode 100644
index 1980c06ba578..000000000000
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/RevokedConsumerKeyEventServiceImpl.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2023, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.wso2.carbon.apimgt.gateway.service;
-
-import org.wso2.carbon.apimgt.gateway.jwt.InternalRevokedJWTDataHolder;
-import org.wso2.carbon.apimgt.impl.token.RevokedConsumerKeyEventService;
-
-public class RevokedConsumerKeyEventServiceImpl implements RevokedConsumerKeyEventService {
-    @Override
-    public void addConsumerKeyIntoMap(String consumerKey, boolean isRevokeAppOnly, Long revocationTime) {
-        if (isRevokeAppOnly) {
-            // handle user event revocations of app tokens since the 'sub' claim is client id
-            InternalRevokedJWTDataHolder.getInstance().
-                    addInternalRevokedJWTClientIDToAppOnlyMap(consumerKey, revocationTime);
-        } else {
-            InternalRevokedJWTDataHolder.getInstance().
-                    addInternalRevokedJWTClientIDToMap(consumerKey, revocationTime);
-        }
-    }
-}
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/RevokedUserEventServiceImpl.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/RevokedUserEventServiceImpl.java
deleted file mode 100644
index c8d884d75bd4..000000000000
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/RevokedUserEventServiceImpl.java
+++ /dev/null
@@ -1,11 +0,0 @@
-package org.wso2.carbon.apimgt.gateway.service;
-
-import org.wso2.carbon.apimgt.gateway.jwt.InternalRevokedJWTDataHolder;
-import org.wso2.carbon.apimgt.impl.token.RevokedUserEventService;
-
-public class RevokedUserEventServiceImpl implements RevokedUserEventService {
-    @Override
-    public void addUserEventIntoMap(String userUUID, long revocationTime) {
-        InternalRevokedJWTDataHolder.getInstance().addInternalRevokedJWTUserIDToMap(userUUID, revocationTime);
-    }
-}
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/ApiMgtDAO.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/ApiMgtDAO.java
index fe88ec27e985..0150be10cc90 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/ApiMgtDAO.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/ApiMgtDAO.java
@@ -143,21 +143,7 @@
 import java.sql.SQLIntegrityConstraintViolationException;
 import java.sql.Timestamp;
 import java.sql.Types;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Calendar;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedHashMap;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeMap;
-import java.util.UUID;
+import java.util.*;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
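Review bot: The ApiMgtDAO import hunk collapses fifteen explicit `java.util` imports into `import java.util.*;`, apparently only to bring `TimeZone` into scope for the new `Calendar.getInstance(TimeZone.getTimeZone("UTC"))` calls later in this file. A wildcard import goes against the convention every other file touched by this diff follows and hides which utility types a 15,000-line DAO actually depends on; keep the explicit list and add `import java.util.TimeZone;` between `import java.util.Set;` and `import java.util.TreeMap;`.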
@@ -15266,38 +15252,56 @@ public void addRevokedJWTSignature(String eventId, String jwtSignature, String t
 
     /**
-     * Persist revoked jwt signatures to database.
+     * Persist revoked jwt consumer keys to database.
      *
-     * @param eventId
      * @param consumerKey    consumer key of the JWT.
      * @param revocationTime revocation time of the token.
-     * @param tenantId       tenant id of the jwt subject.
+     * @param organization   organization of the consumer key.
      */
-    public void addRevokedConsumerKey(String consumerKey, boolean isRevokeAppOnly,
-                                      long revocationTime, int tenantId) throws APIManagementException {
-        String addConsumerKey = SQLConstants.RevokedJWTConstants.ADD_OR_UPDATE_REVOKED_RULE_BY_CONSUMER_KEY_EVENT;
+    public void addRevokedConsumerKey(String consumerKey, long revocationTime, String organization)
+            throws APIManagementException {
+
         try (Connection conn = APIMgtDBUtil.getConnection()) {
             conn.setAutoCommit(false);
-            try (PreparedStatement ps = conn.prepareStatement(addConsumerKey)) {
-                ps.setString(1, consumerKey);
-                ps.setBoolean(2, isRevokeAppOnly);
-                ps.setTimestamp(3, new Timestamp(revocationTime));
-                ps.setInt(4, tenantId);
+            String updateQuery = SQLConstants.RevokedJWTConstants.UPDATE_CONSUMER_KEY_EVENT_RULE;
+            try (PreparedStatement ps = conn.prepareStatement(updateQuery)) {
+                ps.setTimestamp(1, new Timestamp(revocationTime),
+                        Calendar.getInstance(TimeZone.getTimeZone("UTC")));
+                ps.setString(2, consumerKey);
+                ps.setString(3, organization);
+
                 int rowsAffected = ps.executeUpdate();
-                if (log.isDebugEnabled()) {
-                    if (rowsAffected == 1) {
-                        log.debug("Consumer key event token revocation rule inserted successfully.");
+
+                if (rowsAffected == 0) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("Consumer key event token revocation rule not found. Inserting new rule.");
+                    }
+                    conn.rollback();
+                    String insertQuery = SQLConstants.RevokedJWTConstants.INSERT_CONSUMER_KEY_EVENT_RULE;
+                    try (PreparedStatement ps1 = conn.prepareStatement(insertQuery)) {
+                        ps1.setString(1, consumerKey);
+                        ps1.setTimestamp(2, new Timestamp(revocationTime),
+                                Calendar.getInstance(TimeZone.getTimeZone("UTC")));
+                        ps1.setString(3, organization);
+                        ps1.execute();
+                    } catch (SQLIntegrityConstraintViolationException e) {
+                        log.warn("Consumer key event token revocation rule already persisted");
+                        conn.rollback();
                     }
-                    if (rowsAffected == 2) {
-                        log.debug("Consumer key token revocation rule updated successfully.");
+                } else {
+                    if (log.isDebugEnabled()) {
+                        log.debug("Consumer key event token revocation rule updated.");
                     }
+                    conn.commit();
                 }
-                conn.commit();
             } catch (SQLException e) {
                 conn.rollback();
+                handleException("Error while inserting consumer key event token revocation rule to AM db."
+                        + e.getMessage(), e);
             }
         } catch (SQLException e) {
-            handleException("Error while inserting consumer key event token revocation rule to AM db." + e.getMessage(), e);
+            handleException("Error while inserting consumer key event token revocation rule to AM db."
+                    + e.getMessage(), e);
         }
     }
 
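Review bot: The insert path of addRevokedConsumerKey never commits: after `ps1.execute();` control falls out of the try with autocommit off, so a brand-new consumer-key rule is persisted only if the pooled connection happens to commit on close and is otherwise rolled back — a revocation that silently never lands is the fail-open case for this table. Add `conn.commit();` directly after `ps1.execute();`, mirroring addRevokedRuleByUserEvent below, which does commit on its insert path. The `SQLIntegrityConstraintViolationException` branch also only warns and rolls back when a concurrent writer inserted the row first, discarding this caller's possibly later `revocationTime`; re-running the UPDATE once in that branch would keep the newest time rather than the earliest.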
@@ -15317,33 +15321,59 @@ private boolean isRevokedJWTSignatureExist(Connection conn, String eventId) thro
         }
     }
 
-    public boolean addRevokedRuleByUserEvent(String userID, long revocationTime) throws APIManagementException {
+    /**
+     * Persist revoked jwt users to database.
+     * @param subjectId User id or the client id of the JWT.
+     * @param subjectIdType Subject id type. Used to identify if the user id or the client id of the JWT.
+     * @param revocationTime revocation time of the token.
+     * @param organization organization of the user
+     * @return
+     * @throws APIManagementException
+     */
+    public void addRevokedRuleByUserEvent(String subjectId, String subjectIdType,
+                                          long revocationTime, String organization) throws APIManagementException {
 
-        String sql = SQLConstants.RevokedJWTConstants.ADD_OR_UPDATE_REVOKED_RULE_BY_USER_EVENT;
         try (Connection conn = APIMgtDBUtil.getConnection()) {
             conn.setAutoCommit(false);
-            try (PreparedStatement ps = conn.prepareStatement(sql)) {
-                ps.setString(1, userID);
-                ps.setTimestamp(2, new Timestamp(revocationTime));
+            String updateQuery = SQLConstants.RevokedJWTConstants.UPDATE_USER_EVENT_RULE;
+            try (PreparedStatement ps = conn.prepareStatement(updateQuery)) {
+                ps.setTimestamp(1, new Timestamp(revocationTime),
+                        Calendar.getInstance(TimeZone.getTimeZone("UTC")));
+                ps.setString(2, subjectId);
+                ps.setString(3, subjectIdType);
+                ps.setString(4, organization);
                 int rowsAffected = ps.executeUpdate();
-                if (log.isDebugEnabled()){
+
+                if (rowsAffected == 0) {
                     if (log.isDebugEnabled()) {
-                        if (rowsAffected == 1) {
-                            log.debug("User event token revocation rule inserted successfully.");
-                        }
-                        if (rowsAffected == 2) {
-                            log.debug("User event token revocation rule updated successfully.");
-                        }
+                        log.debug("User event token revocation rule not found. Inserting new rule.");
                     }
+                    conn.rollback();
+                    String insertQuery = SQLConstants.RevokedJWTConstants.INSERT_USER_EVENT_RULE;
+                    try (PreparedStatement ps1 = conn.prepareStatement(insertQuery)) {
+                        ps1.setString(1, subjectId);
+                        ps1.setString(2, subjectIdType);
+                        ps1.setTimestamp(3, new Timestamp(revocationTime));
+                        ps1.setString(4, organization);
+                        ps1.execute();
+                        conn.commit();
+                    } catch (SQLIntegrityConstraintViolationException e) {
+                        log.warn("User event token revocation rule already persisted");
+                        conn.rollback();
+                    }
+                } else {
+                    if (log.isDebugEnabled()) {
+                        log.debug("User event token revocation rule updated.");
+                    }
+                    conn.commit();
                 }
-                conn.commit();
             } catch (SQLException e) {
                 conn.rollback();
+                handleException("Error while inserting user event token revocation rule to AM db." + e.getMessage(), e);
             }
         } catch (SQLException e) {
             handleException("Error while inserting user event token revocation rule to AM db." + e.getMessage(), e);
         }
-        return true;
     }
 
     /**
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/constants/SQLConstants.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/constants/SQLConstants.java
index 9cbe1a2bc058..5504d99feb18 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/constants/SQLConstants.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/constants/SQLConstants.java
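Review bot: The insert path writes the revocation time with `ps1.setTimestamp(3, new Timestamp(revocationTime));` while the UPDATE path in the same method and both statements in addRevokedConsumerKey pass `Calendar.getInstance(TimeZone.getTimeZone("UTC"))`; on a JVM whose default zone is not UTC, the first write of a rule and every later update of it are stored with different offsets, and since the gateway-side check in InternalRevokedJWTDataHolder decides revocation by comparing the revocation time it is handed against the token's issue time, a value shifted by the zone offset can leave tokens un-revoked for hours if this column is what feeds it. Use `ps1.setTimestamp(3, new Timestamp(revocationTime), Calendar.getInstance(TimeZone.getTimeZone("UTC")));`. The new Javadoc also carries an empty `@return` on a method that is now void — delete that tag — and the `subjectIdType` description should name the two accepted values, `USER_ID` and `CLIENT_ID`, which the gateway matches literally.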
@@ -3381,18 +3381,27 @@ public static class RevokedJWTConstants {
         public static final String ADD_JWT_SIGNATURE = "INSERT INTO AM_REVOKED_JWT (UUID, SIGNATURE," +
                 "EXPIRY_TIMESTAMP, TENANT_ID, TOKEN_TYPE) VALUES(?,?,?,?,?)";
-        public static final String ADD_OR_UPDATE_REVOKED_RULE_BY_CONSUMER_KEY_EVENT = "INSERT " +
-                "INTO AM_INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENTS\n" +
-                "(CONSUMER_KEY, IS_REVOKE_APP_ONLY, TIME_REVOKED, TENANT_ID)\n" +
-                "VALUES (?, ?, ?, ?) AS COLS\n" +
-                "ON DUPLICATE KEY UPDATE\n" +
-                "TIME_REVOKED = COLS.TIME_REVOKED";
-        public static final String ADD_OR_UPDATE_REVOKED_RULE_BY_USER_EVENT = "INSERT " +
-                "INTO AM_INTERNAL_TOKEN_REVOCATION_USER_EVENTS\n" +
-                "(USER_ID, TIME_REVOKED)\n" +
-                "VALUES (?, ?) AS COLS\n" +
-                "ON DUPLICATE KEY UPDATE\n" +
-                "TIME_REVOKED = COLS.TIME_REVOKED";
+
+        public static final String INSERT_CONSUMER_KEY_EVENT_RULE = "INSERT " +
+                "INTO AM_INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENTS " +
+                "(CONSUMER_KEY, TIME_REVOKED, ORGANIZATION) " +
+                "VALUES (?, ?, ?)";
+
+        public static final String UPDATE_CONSUMER_KEY_EVENT_RULE = "UPDATE " +
+                "AM_INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENTS " +
+                "SET TIME_REVOKED = ? " +
+                "WHERE CONSUMER_KEY = ? AND ORGANIZATION = ?";
+
+        public static final String INSERT_USER_EVENT_RULE = "INSERT " +
+                "INTO AM_INTERNAL_TOKEN_REVOCATION_USER_EVENTS " +
+                "(SUBJECT_ID, SUBJECT_ID_TYPE, TIME_REVOKED, ORGANIZATION) " +
+                "VALUES (?, ?, ?, ?)";
+
+        public static final String UPDATE_USER_EVENT_RULE = "UPDATE " +
+                "AM_INTERNAL_TOKEN_REVOCATION_USER_EVENTS " +
+                "SET TIME_REVOKED = ? " +
+                "WHERE SUBJECT_ID = ? AND SUBJECT_ID_TYPE = ? AND ORGANIZATION = ?";
+
         public static final String CHECK_REVOKED_TOKEN_EXIST = "SELECT 1 FROM AM_REVOKED_JWT WHERE UUID = ?";
         public static final String DELETE_REVOKED_JWT = "DELETE FROM AM_REVOKED_JWT WHERE EXPIRY_TIMESTAMP < ?";
     }
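Review bot: Replacing the single `INSERT ... ON DUPLICATE KEY UPDATE` with separate INSERT and UPDATE statements makes the upsert in ApiMgtDAO depend on a database UNIQUE constraint over (CONSUMER_KEY, ORGANIZATION) and (SUBJECT_ID, SUBJECT_ID_TYPE, ORGANIZATION); the DAO's `catch (SQLIntegrityConstraintViolationException e)` only ever fires if that constraint exists, and without it two nodes revoking the same subject concurrently leave duplicate rows carrying different TIME_REVOKED values. The schema change implied here (IS_REVOKE_APP_ONLY, TENANT_ID and USER_ID gone; ORGANIZATION, SUBJECT_ID and SUBJECT_ID_TYPE added) is not part of this diff, so confirm the migration scripts create those unique keys. A one-line comment above `INSERT_CONSUMER_KEY_EVENT_RULE` recording why the atomic form was given up — presumably portability away from the MySQL-only `VALUES ... AS COLS` syntax — would stop a later maintainer from folding the statements back together on one database only.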
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/token/RevokedConsumerKeyEventService.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/token/RevokedConsumerKeyEventService.java
deleted file mode 100644
index 45ae150bfbe5..000000000000
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/token/RevokedConsumerKeyEventService.java
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 LLC. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.wso2.carbon.apimgt.impl.token;
-
-public interface RevokedConsumerKeyEventService {
-    public void addConsumerKeyIntoMap(String consumerKey, boolean isRevokeAppOnly, Long expiryTime);
-}
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/token/RevokedUserEventService.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/token/RevokedUserEventService.java
deleted file mode 100644
index 2c80321512b2..000000000000
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/token/RevokedUserEventService.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 LLC. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.wso2.carbon.apimgt.impl.token;
-
-public interface RevokedUserEventService {
-    void addUserEventIntoMap(String userUUID, long timeStamp);
-}
diff --git a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTConsumerKeyDTO.java b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTConsumerKeyDTO.java
index ca1aae34bf6e..638ecdffba81 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTConsumerKeyDTO.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTConsumerKeyDTO.java
@@ -17,10 +17,9 @@ public class RevokedJWTConsumerKeyDTO {
 
     private String consumerKey = null;
-    private Boolean isRevokeAppOnly = null;
     private Long revocationTime = null;
     private String type = null;
-    private String tenantId = null;
+    private String organization = null;
 
   /**
    * consumer key of the JWT.
@@ -40,24 +39,6 @@ public void setConsumerKey(String consumerKey) { this.consumerKey = consumerKey; } - /** - * whether the consumer key is revoked only for the application type. - **/ - public RevokedJWTConsumerKeyDTO isRevokeAppOnly(Boolean isRevokeAppOnly) { - this.isRevokeAppOnly = isRevokeAppOnly; - return this; - } - - - @ApiModelProperty(value = "whether the consumer key is revoked only for the application type.") - @JsonProperty("is_revoke_app_only") - public Boolean isIsRevokeAppOnly() { - return isRevokeAppOnly; - } - public void setIsRevokeAppOnly(Boolean isRevokeAppOnly) { - this.isRevokeAppOnly = isRevokeAppOnly; - } - /** * revocation timestamp. **/ @@ -95,21 +76,21 @@ public void setType(String type) { } /** - * revoked consumer key's respective tenant Id. + * organization of the revoked consumer key **/ - public RevokedJWTConsumerKeyDTO tenantId(String tenantId) { - this.tenantId = tenantId; + public RevokedJWTConsumerKeyDTO organization(String organization) { + this.organization = organization; return this; } - @ApiModelProperty(value = "revoked consumer key's respective tenant Id.") - @JsonProperty("tenant_id") - public String getTenantId() { - return tenantId; + @ApiModelProperty(value = "organization of the revoked consumer key") + @JsonProperty("organization") + public String getOrganization() { + return organization; } - public void setTenantId(String tenantId) { - this.tenantId = tenantId; + public void setOrganization(String organization) { + this.organization = organization; } 
@@ -123,15 +104,14 @@ public boolean equals(java.lang.Object o) { } RevokedJWTConsumerKeyDTO revokedJWTConsumerKey = (RevokedJWTConsumerKeyDTO) o; return Objects.equals(consumerKey, revokedJWTConsumerKey.consumerKey) && - Objects.equals(isRevokeAppOnly, revokedJWTConsumerKey.isRevokeAppOnly) && Objects.equals(revocationTime, revokedJWTConsumerKey.revocationTime) && Objects.equals(type, revokedJWTConsumerKey.type) && - Objects.equals(tenantId, revokedJWTConsumerKey.tenantId); + Objects.equals(organization, revokedJWTConsumerKey.organization); } @Override public int hashCode() { - return Objects.hash(consumerKey, isRevokeAppOnly, revocationTime, type, tenantId); + return Objects.hash(consumerKey, revocationTime, type, organization); } @Override @@ -140,10 +120,9 @@ public String toString() { sb.append("class RevokedJWTConsumerKeyDTO {\n"); sb.append(" consumerKey: ").append(toIndentedString(consumerKey)).append("\n"); - sb.append(" isRevokeAppOnly: ").append(toIndentedString(isRevokeAppOnly)).append("\n"); sb.append(" revocationTime: ").append(toIndentedString(revocationTime)).append("\n"); sb.append(" type: ").append(toIndentedString(type)).append("\n"); - sb.append(" tenantId: ").append(toIndentedString(tenantId)).append("\n"); + sb.append(" organization: ").append(toIndentedString(organization)).append("\n"); sb.append("}"); return sb.toString(); } diff --git a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTUserDTO.java b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTUserDTO.java index 06dea6a31f4b..879e85bad65c 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTUserDTO.java +++ b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/gen/java/org/wso2/carbon/apimgt/internal/service/dto/RevokedJWTUserDTO.java 
@@ -16,25 +16,45 @@ public class RevokedJWTUserDTO { - private String userUuid = null; + private String subjectId = null; + private String subjectIdType = null; private Long revocationTime = null; + private String organization = null; /** - * User UUID of revoked JWT(s). + * Subject Id of the revoked JWT(s). Can be user id or client id. **/ - public RevokedJWTUserDTO userUuid(String userUuid) { - this.userUuid = userUuid; + public RevokedJWTUserDTO subjectId(String subjectId) { + this.subjectId = subjectId; return this; } - @ApiModelProperty(value = "User UUID of revoked JWT(s).") - @JsonProperty("user_uuid") - public String getUserUuid() { - return userUuid; + @ApiModelProperty(value = "Subject Id of the revoked JWT(s). Can be user id or client id.") + @JsonProperty("subject_id") + public String getSubjectId() { + return subjectId; } - public void setUserUuid(String userUuid) { - this.userUuid = userUuid; + public void setSubjectId(String subjectId) { + this.subjectId = subjectId; + } + + /** + * Type of the subject id. User id or client id. + **/ + public RevokedJWTUserDTO subjectIdType(String subjectIdType) { + this.subjectIdType = subjectIdType; + return this; + } + + + @ApiModelProperty(value = "Type of the subject id. User id or client id.") + @JsonProperty("subject_id_type") + public String getSubjectIdType() { + return subjectIdType; + } + public void setSubjectIdType(String subjectIdType) { + this.subjectIdType = subjectIdType; } /** 
@@ -55,6 +75,24 @@ public void setRevocationTime(Long revocationTime) { this.revocationTime = revocationTime; } + /** + * Organization of the revoked user. + **/ + public RevokedJWTUserDTO organization(String organization) { + this.organization = organization; + return this; + } + + + @ApiModelProperty(value = "Organization of the revoked user.") + @JsonProperty("organization") + public String getOrganization() { + return organization; + } + public void setOrganization(String organization) { + this.organization = organization; + } + @Override public boolean equals(java.lang.Object o) { @@ -65,13 +103,15 @@ public boolean equals(java.lang.Object o) { return false; } RevokedJWTUserDTO revokedJWTUser = (RevokedJWTUserDTO) o; - return Objects.equals(userUuid, revokedJWTUser.userUuid) && - Objects.equals(revocationTime, revokedJWTUser.revocationTime); + return Objects.equals(subjectId, revokedJWTUser.subjectId) && + Objects.equals(subjectIdType, revokedJWTUser.subjectIdType) && + Objects.equals(revocationTime, revokedJWTUser.revocationTime) && + Objects.equals(organization, revokedJWTUser.organization); } @Override public int hashCode() { - return Objects.hash(userUuid, revocationTime); + return Objects.hash(subjectId, subjectIdType, revocationTime, organization); } @Override @@ -79,8 +119,10 @@ public String toString() { StringBuilder sb = new StringBuilder(); sb.append("class RevokedJWTUserDTO {\n"); - sb.append(" userUuid: ").append(toIndentedString(userUuid)).append("\n"); + sb.append(" subjectId: ").append(toIndentedString(subjectId)).append("\n"); + sb.append(" subjectIdType: ").append(toIndentedString(subjectIdType)).append("\n"); sb.append(" revocationTime: ").append(toIndentedString(revocationTime)).append("\n"); + sb.append(" organization: ").append(toIndentedString(organization)).append("\n"); sb.append("}"); return sb.toString(); } 
diff --git a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/java/org/wso2/carbon/apimgt/internal/service/utils/BlockConditionDBUtil.java b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/java/org/wso2/carbon/apimgt/internal/service/utils/BlockConditionDBUtil.java
index a20047ec6fe3..31182d3480a2 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/java/org/wso2/carbon/apimgt/internal/service/utils/BlockConditionDBUtil.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/java/org/wso2/carbon/apimgt/internal/service/utils/BlockConditionDBUtil.java
@@ -33,10 +33,7 @@
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Timestamp;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
+import java.util.*;
 /**
 * Database utility to retrieve allow list,keyTemplates and Revoked Tokens.
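Review bot: The four explicit java.util imports are collapsed into the wildcard `import java.util.*;`, which this project's files otherwise avoid and which hides that the real need is two new names. Keeping the existing lines and adding only `import java.util.Calendar;` and `import java.util.TimeZone;` (used by the getTimestamp calls later in this file) says what changed and keeps the import list greppable.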
@@ -211,19 +208,20 @@ public static RevokedJWTListDTO getRevokedJWTs() {
 public static RevokedJWTConsumerKeyListDTO getRevokedJWTConsumerKeys() {
 RevokedJWTConsumerKeyListDTO revokedJWTConsumerKeyListDTO = new RevokedJWTConsumerKeyListDTO();
- String sqlQuery = "SELECT CONSUMER_KEY, IS_REVOKE_APP_ONLY, TIME_REVOKED " +
+ String sqlQuery = "SELECT CONSUMER_KEY, TIME_REVOKED, ORGANIZATION " +
 "FROM AM_INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENTS";
 try (Connection conn = APIMgtDBUtil.getConnection();
- PreparedStatement ps = conn.prepareStatement(sqlQuery);) {
+ PreparedStatement ps = conn.prepareStatement(sqlQuery)) {
 try (ResultSet rs = ps.executeQuery()) {
 while (rs.next()) {
 String consumerKey = rs.getString("CONSUMER_KEY");
- boolean isRevokeAppOnly = rs.getBoolean("IS_REVOKE_APP_ONLY");
- Timestamp revocationTime = rs.getTimestamp("TIME_REVOKED");
+ Timestamp revocationTime = rs.getTimestamp("TIME_REVOKED",
+ Calendar.getInstance(TimeZone.getTimeZone("UTC")));
+ String organization = rs.getString("ORGANIZATION");
 RevokedJWTConsumerKeyDTO revokedJWTConsumerKeyDTO = new RevokedJWTConsumerKeyDTO();
 revokedJWTConsumerKeyDTO.setConsumerKey(consumerKey);
- revokedJWTConsumerKeyDTO.setIsRevokeAppOnly(isRevokeAppOnly);
 revokedJWTConsumerKeyDTO.setRevocationTime(revocationTime.getTime());
+ revokedJWTConsumerKeyDTO.setOrganization(organization);
 revokedJWTConsumerKeyListDTO.add(revokedJWTConsumerKeyDTO);
 }
 }
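Review bot: The UTC Calendar passed to `rs.getTimestamp("TIME_REVOKED", ...)` only yields the intended epoch millis if the row was written with the same calendar on the insert side; ApiMgtDAO.addRevokedConsumerKey is not in this chunk, and if it calls setTimestamp without a UTC calendar every revocation time read here is shifted by the JVM's zone offset, so the gateway would compare token issue times against a skewed cutoff (tokens issued just before the revocation could stay valid, or valid ones be rejected). The same applies to getRevokedJWTUsers in the next hunk. Separately, `Calendar.getInstance(TimeZone.getTimeZone("UTC"))` is built once per result row; hoisting it above the try block, e.g. `Calendar utc = Calendar.getInstance(TimeZone.getTimeZone("UTC"));`, and passing `utc` in both methods avoids the repeated allocation and keeps the two readers obviously consistent. Both methods continue past their hunks; the catch handling is not visible here.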
@@ -241,16 +239,22 @@ public static RevokedJWTConsumerKeyListDTO getRevokedJWTConsumerKeys() {
 public static RevokedJWTUserListDTO getRevokedJWTUsers() {
 RevokedJWTUserListDTO revokedJWTUserListDTO = new RevokedJWTUserListDTO();
- String sqlQuery = "SELECT USER_ID, TIME_REVOKED FROM AM_INTERNAL_TOKEN_REVOCATION_USER_EVENTS";
+ String sqlQuery = "SELECT SUBJECT_ID, SUBJECT_ID_TYPE, TIME_REVOKED, ORGANIZATION " +
+ "FROM AM_INTERNAL_TOKEN_REVOCATION_USER_EVENTS";
 try (Connection conn = APIMgtDBUtil.getConnection();
- PreparedStatement ps = conn.prepareStatement(sqlQuery);) {
+ PreparedStatement ps = conn.prepareStatement(sqlQuery)) {
 try (ResultSet rs = ps.executeQuery()) {
 while (rs.next()) {
- String userUuid = rs.getString("USER_ID");
- Timestamp revocationTime = rs.getTimestamp("TIME_REVOKED");
+ String subjectId = rs.getString("SUBJECT_ID");
+ String subjectIdType = rs.getString("SUBJECT_ID_TYPE");
+ Timestamp revocationTime = rs.getTimestamp("TIME_REVOKED",
+ Calendar.getInstance(TimeZone.getTimeZone("UTC")));
+ String organization = rs.getString("ORGANIZATION");
 RevokedJWTUserDTO revokedJWTUserDTO = new RevokedJWTUserDTO();
- revokedJWTUserDTO.setUserUuid(userUuid);
+ revokedJWTUserDTO.setSubjectId(subjectId);
+ revokedJWTUserDTO.setSubjectIdType(subjectIdType);
 revokedJWTUserDTO.setRevocationTime(revocationTime.getTime());
+ revokedJWTUserDTO.setOrganization(organization);
 revokedJWTUserListDTO.add(revokedJWTUserDTO);
 }
 }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/resources/api.yaml b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/resources/api.yaml
index 7d97a5ba4e44..bc2d8ec96cad 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/resources/api.yaml
+++ b/components/apimgt/org.wso2.carbon.apimgt.internal.service/src/main/resources/api.yaml
@@ -761,13 +761,19 @@ definitions: $ref: '#/definitions/RevokedJWTUser' RevokedJWTUser: properties: - user_uuid: + subject_id: type: string - description: User UUID of revoked JWT(s). + description: Subject Id of the revoked JWT(s). Can be user id or client id. + subject_id_type: + type: string + description: Type of the subject id. User id or client id. revocation_time: type: integer format: int64 description: revocation timestamp. + organization: + type: string + description: Organization of the revoked user. RevokedJWTConsumerKeyList: type: array items: @@ -777,9 +783,6 @@ definitions: consumer_key: type: string description: consumer key of the JWT. - is_revoke_app_only: - type: boolean - description: whether the consumer key is revoked only for the application type. revocation_time: type: integer format: int64 @@ -787,9 +790,9 @@ definitions: type: type: string description: revoked consumer key type. - tenant_id: + organization: type: string - description: revoked consumer key's respective tenant Id. + description: organization of the revoked consumer key RevokeAPIKey: properties: apiKey: diff --git a/components/apimgt/org.wso2.carbon.apimgt.internal.service/swagger.json b/components/apimgt/org.wso2.carbon.apimgt.internal.service/swagger.json index d36d597b6860..43bdc76dc1e1 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.internal.service/swagger.json +++ b/components/apimgt/org.wso2.carbon.apimgt.internal.service/swagger.json 
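Review bot: `subject_id_type` is declared as a free-form string whose only contract is the prose "User id or client id", so the generated DTO and the SUBJECT_ID_TYPE column accept any value and a typo in a producer would persist a revocation rule that the gateway never matches. Declaring the accepted values with an `enum:` under `subject_id_type` (using the constants the DAO and gateway actually compare against, which are not visible in this chunk) lets the generated model and request validation reject anything else. The mirrored definition in swagger.json in the next section should carry the same enum.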
@@ -986,14 +986,22 @@ }, "RevokedJWTUser" : { "properties" : { - "user_uuid" : { + "subject_id" : { "type" : "string", - "description" : "User UUID of revoked JWT(s)." + "description" : "Subject Id of the revoked JWT(s). Can be user id or client id." + }, + "subject_id_type" : { + "type" : "string", + "description" : "Type of the subject id. User id or client id." }, "revocation_time" : { "type" : "integer", "format" : "int64", "description" : "revocation timestamp." + }, + "organization" : { + "type" : "string", + "description" : "Organization of the revoked user." } } }, @@ -1009,10 +1017,6 @@ "type" : "string", "description" : "consumer key of the JWT." }, - "is_revoke_app_only" : { - "type" : "boolean", - "description" : "whether the consumer key is revoked only for the application type." - }, "revocation_time" : { "type" : "integer", "format" : "int64", @@ -1022,9 +1026,9 @@ "type" : "string", "description" : "revoked consumer key type." }, - "tenant_id" : { + "organization" : { "type" : "string", - "description" : "revoked consumer key's respective tenant Id." + "description" : "organization of the revoked consumer key" } } }, diff --git a/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/AbstractKeyManagerEventHandler.java b/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/AbstractKeyManagerEventHandler.java index 30e843a53c34..a3376e3db5a0 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/AbstractKeyManagerEventHandler.java +++ b/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/AbstractKeyManagerEventHandler.java 
@@ -81,16 +81,19 @@ public boolean handleTokenRevocationEvent(TokenRevocationEvent tokenRevocationEv
 public boolean handleInternalTokenRevocationByConsumerKeyEvent(InternalTokenRevocationConKeyEvent consumerKeyEvent) throws APIManagementException {
- ApiMgtDAO.getInstance().addRevokedConsumerKey(
- consumerKeyEvent.getConsumerKey(), consumerKeyEvent.isRevokeAppOnly(),
- consumerKeyEvent.getRevocationTime(), consumerKeyEvent.getTenantId());
+ ApiMgtDAO.getInstance().addRevokedConsumerKey(consumerKeyEvent.getConsumerKey(),
+ consumerKeyEvent.getRevocationTime(), consumerKeyEvent.getOrganization());
 // TODO: check whether we need to implement RevocationRequestPublisher based mechanism to send events
 // realtime or persistent storage as done in revocationRequestPublisher.publishRevocationEvents() method
 // in handleTokenRevocationEvent()
- Object[] objects = new Object[]{consumerKeyEvent.getEventId(), consumerKeyEvent.getConsumerKey(),
- consumerKeyEvent.isRevokeAppOnly(), consumerKeyEvent.getRevocationTime(),
- consumerKeyEvent.getType(), consumerKeyEvent.getTenantId()};
+ Object[] objects = new Object[]{
+ consumerKeyEvent.getEventId(),
+ consumerKeyEvent.getConsumerKey(),
+ consumerKeyEvent.getRevocationTime(),
+ consumerKeyEvent.getOrganization(),
+ consumerKeyEvent.getType()
+ };
 EventPublisherEvent tokenRevocationEvent = new EventPublisherEvent(
 APIConstants.TOKEN_REVOCATION_CONSUMER_KEY_EVENT_STREAM_ID, System.currentTimeMillis(), objects);
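Review bot: The rebuilt `objects` array is a positional payload whose slot order (eventId, consumerKey, revocationTime, organization, type) has to match the attribute order of the consumer-key event stream definition, which this commit reorders so that `organization` now precedes `type`; nothing at the call site records that coupling, so a later reorder on either side would silently publish the organization into the type slot and revocations would stop matching on the gateway. A comment directly above the array, e.g. `// positional payload: slot order must match the consumer.key.event.stream attribute order`, makes the dependency visible at the point where it is most likely to be broken. The same holds for the user-event payload in the next hunk. handleInternalTokenRevocationByConsumerKeyEvent continues past the hunk.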
@@ -102,13 +105,15 @@ public boolean handleInternalTokenRevocationByConsumerKeyEvent(InternalTokenRevo
 public void handleInternalTokenRevocationByUserEvent(InternalTokenRevocationUserEvent internalTokenRevocationEvent) throws APIManagementException {
- //persist two revocation rules in the AM database to hande `sub` claim in both scenarios (username and uuid)
- ApiMgtDAO.getInstance().addRevokedRuleByUserEvent(internalTokenRevocationEvent.getUserUUID(),
- internalTokenRevocationEvent.getRevocationTime());
+ ApiMgtDAO.getInstance().addRevokedRuleByUserEvent(internalTokenRevocationEvent.getSubjectId(),
+ internalTokenRevocationEvent.getSubjectIdType(), internalTokenRevocationEvent.getRevocationTime(),
+ internalTokenRevocationEvent.getOrganization());
 Object[] objects = new Object[]{internalTokenRevocationEvent.getEventId(),
- internalTokenRevocationEvent.getUserUUID(),
+ internalTokenRevocationEvent.getSubjectId(),
+ internalTokenRevocationEvent.getSubjectIdType(),
 internalTokenRevocationEvent.getRevocationTime(),
+ internalTokenRevocationEvent.getOrganization(),
 internalTokenRevocationEvent.getType()
 };
 EventPublisherEvent tokenRevocationEvent = new EventPublisherEvent(
diff --git a/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationConKeyEvent.java b/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationConKeyEvent.java
index d47b3ae2451a..a760681e6f0f 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationConKeyEvent.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationConKeyEvent.java
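Review bot: The removed comment was the only statement of why user revocations covered both forms of the `sub` claim (username and UUID); the replacement passes `getSubjectIdType()` to the DAO and the event payload as an unchecked String and nothing says which values are valid or where they are validated. A Javadoc on handleInternalTokenRevocationByUserEvent should state that subjectIdType distinguishes user-id from client-id subjects (as the API spec changed in this commit describes) and name the place that validates it, presumably the event deserializer or ApiMgtDAO.addRevokedRuleByUserEvent, neither of which is visible here. If it is validated nowhere, a guard before the DAO call is warranted, since an unrecognised type persists a rule the gateway will never match and the token stays valid. The method continues past the hunk.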
@@ -25,8 +25,8 @@ public class InternalTokenRevocationConKeyEvent extends Event {
 private String consumerKey;
- private boolean isRevokeAppOnly;
 private long revocationTime;
+ private String organization;
 public String getConsumerKey() {
 return consumerKey;
@@ -44,11 +44,11 @@ public void setRevocationTime(long revocationTime) {
 this.revocationTime = revocationTime;
 }
- public boolean isRevokeAppOnly() {
- return isRevokeAppOnly;
+ public String getOrganization() {
+ return organization;
 }
- public void setRevokeAppOnly(boolean revokeAppOnly) {
- isRevokeAppOnly = revokeAppOnly;
+ public void setOrganization(String organization) {
+ this.organization = organization;
 }
 }
diff --git a/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationUserEvent.java b/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationUserEvent.java
index 78eb56e36262..27ba278aae18 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationUserEvent.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.notification/src/main/java/org/wso2/carbon/apimgt/notification/event/InternalTokenRevocationUserEvent.java
@@ -4,8 +4,26 @@
 * Event to notify token revocation of a user by user events.
 */
 public class InternalTokenRevocationUserEvent extends Event {
+ private String subjectId;
+ private String subjectIdType;
 private long revocationTime;
- private String userUUID;
+ private String organization;
+
+ public String getSubjectId() {
+ return subjectId;
+ }
+
+ public void setSubjectId(String subjectId) {
+ this.subjectId = subjectId;
+ }
+
+ public String getSubjectIdType() {
+ return subjectIdType;
+ }
+
+ public void setSubjectIdType(String subjectIdType) {
+ this.subjectIdType = subjectIdType;
+ }
 public long getRevocationTime() {
 return revocationTime;
@@ -15,11 +33,11 @@ public void setRevocationTime(long revocationTime) {
 this.revocationTime = revocationTime;
 }
- public String getUserUUID() {
- return userUUID;
+ public String getOrganization() {
+ return organization;
 }
- public void setUserUUID(String userUUID) {
- this.userUUID = userUUID;
+ public void setOrganization(String organization) {
+ this.organization = organization;
 }
 }
diff --git a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/sql/h2.sql b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/sql/h2.sql
index 322c8e2b1065..9ea2fe17bcb9 100644
--- a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/sql/h2.sql
+++ b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/sql/h2.sql
@@ -2361,22 +2361,19 @@ CREATE TABLE IF NOT EXISTS AM_CORRELATION_PROPERTIES(
 FOREIGN KEY (COMPONENT_NAME) REFERENCES AM_CORRELATION_CONFIGS(COMPONENT_NAME) ON DELETE CASCADE
 );
-CREATE TABLE IF NOT EXISTS AM_INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENTS (
- ID INTEGER NOT NULL AUTO_INCREMENT,
+ CREATE TABLE IF NOT EXISTS AM_INTERNAL_TOKEN_REVOCATION_CONSUMER_KEY_EVENTS (
 CONSUMER_KEY VARCHAR(255) NOT NULL,
- IS_REVOKE_APP_ONLY BOOLEAN NOT NULL DEFAULT FALSE,
- TIME_REVOKED VARCHAR(255) NOT NULL,
- TENANT_ID VARCHAR(255) NOT NULL,
- PRIMARY KEY (ID),
- UNIQUE (CONSUMER_KEY, IS_REVOKE_APP_ONLY)
+ TIME_REVOKED TIMESTAMP NOT NULL,
+ ORGANIZATION VARCHAR(100),
+ PRIMARY KEY (CONSUMER_KEY, ORGANIZATION)
 );
-CREATE TABLE IF NOT EXISTS AM_INTERNAL_TOKEN_REVOCATION_USER_EVENTS (
- ID INTEGER NOT NULL AUTO_INCREMENT,
- USER_ID VARCHAR(255) NOT NULL,
- TIME_REVOKED TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
- PRIMARY KEY (ID),
- UNIQUE (USER_ID),
+ CREATE TABLE IF NOT EXISTS AM_INTERNAL_TOKEN_REVOCATION_USER_EVENTS (
+ SUBJECT_ID VARCHAR(255) NOT NULL,
+ SUBJECT_ID_TYPE VARCHAR(100) NOT NULL,
+ TIME_REVOKED TIMESTAMP NOT NULL,
+ ORGANIZATION VARCHAR(100),
+ PRIMARY KEY (SUBJECT_ID, SUBJECT_ID_TYPE, ORGANIZATION)
 );
diff --git a/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.consumer.key.event.stream_1.0.0.json b/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.consumer.key.event.stream_1.0.0.json
index f1864bb29ff4..7e94c4bc2a0c 100644
--- a/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.consumer.key.event.stream_1.0.0.json
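Review bot: ORGANIZATION is declared nullable in both new tables yet is part of each PRIMARY KEY; H2 makes primary-key columns NOT NULL implicitly, so a revocation event that arrives without an organization is rejected at insert instead of stored and the affected token stays valid — write `ORGANIZATION VARCHAR(100) NOT NULL` explicitly so the constraint is visible and behaves the same on other dialects, or decide on a default. With the surrogate ID column and the old UNIQUE constraints gone, a second revocation of the same consumer key or subject collides on the primary key, so the inserts in ApiMgtDAO (not in this chunk) must update TIME_REVOKED on conflict or the later revocation time is lost. Because both statements are `CREATE TABLE IF NOT EXISTS`, an upgraded deployment keeps the old column set and the new SELECTs on ORGANIZATION and SUBJECT_ID in BlockConditionDBUtil would then fail; no migration script is visible here, and only the H2 dialect is touched in this chunk.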
+++ b/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.consumer.key.event.stream_1.0.0.json @@ -12,21 +12,17 @@ "name": "consumerKey", "type": "STRING" }, - { - "name": "isRevokeAppOnly", - "type": "BOOLEAN" - }, { "name": "revocationTime", "type": "LONG" }, { - "name": "type", + "name": "organization", "type": "STRING" }, { - "name": "tenantId", - "type": "INT" + "name": "type", + "type": "STRING" } ] } \ No newline at end of file diff --git a/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.user.event.stream_1.0.0.json b/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.user.event.stream_1.0.0.json index ee79bc582c3e..b1f2534ec8b7 100644 --- a/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.user.event.stream_1.0.0.json +++ b/features/apimgt/org.wso2.carbon.apimgt.throttling.siddhi.extension.feature/src/main/resources/conf/eventstreams/org.wso2.apimgt.token.revocation.internal.user.event.stream_1.0.0.json @@ -9,13 +9,21 @@ "type": "STRING" }, { - "name": "userUUID", + "name": "subjectId", + "type": "STRING" + }, + { + "name": "subjectIdType", "type": "STRING" }, { "name": "revocationTime", "type": "LONG" }, + { + "name": "organization", + "type": "STRING" + }, { "name": "type", "type": "STRING"