Key Manager Visibility in Developer Portal

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/APIAdmin.java

@@ -18,6 +18,7 @@
 package org.wso2.carbon.apimgt.api;
 
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APICategory;
 import org.wso2.carbon.apimgt.api.model.Application;
 import org.wso2.carbon.apimgt.api.model.ApplicationInfo;
@@ -332,6 +333,14 @@ KeyManagerConfigurationDTO addKeyManagerConfiguration(KeyManagerConfigurationDTO
     KeyManagerConfigurationDTO updateKeyManagerConfiguration(KeyManagerConfigurationDTO keyManagerConfigurationDTO)
             throws APIManagementException;
 
+    /**
+     * This method used to get key manager permissions with key manager id and role
+     * @param id uuid of key manager
+     * @return key manager permissions
+     * @throws APIManagementException
+     */
+    KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id) throws APIManagementException;
+
     /**
      * hTis method used to delete IDP mapped with key manager
      * @param organization organization requested

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/APIConsumer.java

@@ -21,6 +21,7 @@
 
 import org.json.simple.JSONArray;
 import org.json.simple.JSONObject;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.API;
 import org.wso2.carbon.apimgt.api.model.APIIdentifier;
 import org.wso2.carbon.apimgt.api.model.APIKey;
@@ -797,4 +798,35 @@ Set<SubscribedAPI> getPaginatedSubscribedAPIsByApplication(Application applicati
      * @throws APIManagementException if failed to retrieve policy.
      */
     Tier getThrottlePolicyByName(String name, int policyType, String organization) throws APIManagementException;
+
+    /**
+     * This method used to retrieve key manager configurations for tenant
+     * @param organization organization of the key manager
+     * @param username username of the logged in user
+     * @return KeyManagerConfigurationDTO list
+     * @throws APIManagementException if error occurred
+     */
+    List<KeyManagerConfigurationDTO> getKeyManagerConfigurationsByOrganization(String organization, String username)
+            throws APIManagementException;
+
+    /**
+     * This method used to check if key manager configuration is allowed for user
+     * @param keyManagerId uuid of the key manager
+     * @param username username of the logged in user
+     * @return boolean
+     * @throws APIManagementException if error occurred
+     */
+    boolean isKeyManagerAllowedForUser(String keyManagerId, String username) throws APIManagementException;
+
+    /**
+     * This method used to check if key manager configuration by name is allowed for user
+     * @param keyManagerName name of the key manager
+     * @param organization organization of the logged in user
+     * @param username username of the logged in user
+     * @return boolean
+     * @throws APIManagementException if error occurred
+     */
+    boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String organization, String username)
+            throws APIManagementException;
+
 }

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/ExceptionCodes.java

@@ -541,6 +541,7 @@
             "Revision deployment request conflicted with the current deployment state of the revision %s. Please try again later", false),
     INVALID_API_ID(902006, "Invalid API ID", 404, "The provided API ID is not found %s", false),
     INVALID_ENDPOINT_CONFIG(902012, "Endpoint config value(s) is(are) not valid", 400, "Endpoint config value(s) is(are) not valid"),
+    KEY_MANAGER_RESTRICTED_FOR_USER(902013, "Unauthorized Access to Key Manager", 403, "Key Manager is Restricted for this user"),
     ARTIFACT_SYNC_HTTP_REQUEST_FAILED(903009, "Error while retrieving from remote endpoint", 500, "Error while executing HTTP request to retrieve from remote endpoint");
 
     private final long errorCode;

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/dto/KeyManagerConfigurationDTO.java

@@ -42,9 +42,9 @@
     private String tokenType;
     private String externalReferenceId = null;
     private String alias = null;
+    private KeyManagerPermissionConfigurationDTO permissions = new KeyManagerPermissionConfigurationDTO();
 
     public KeyManagerConfigurationDTO() {
-
     }
 
     public KeyManagerConfigurationDTO(KeyManagerConfigurationDTO keyManagerConfigurationDTO) {
@@ -60,6 +60,7 @@
         this.tokenType = keyManagerConfigurationDTO.getTokenType();
         this.externalReferenceId = keyManagerConfigurationDTO.getExternalReferenceId();
         this.endpoints = keyManagerConfigurationDTO.getEndpoints();
+        this.setPermissions(keyManagerConfigurationDTO.getPermissions());
     }
     public String getName() {
 
@@ -184,4 +185,15 @@
 
         this.endpoints = endpoints;
     }
+
+    public KeyManagerPermissionConfigurationDTO getPermissions () {
+        return permissions;
+    }
+
+    public void setPermissions (KeyManagerPermissionConfigurationDTO permissions) {
+        if (permissions == null) {
+            permissions = new KeyManagerPermissionConfigurationDTO();
+        }
+        this.permissions = permissions;
+    }
 }

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/dto/KeyManagerPermissionConfigurationDTO.java

@@ -0,0 +1,61 @@
+/*
+ *  Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  WSO2 LLC. licenses this file to you under the Apache License,
+ *  Version 2.0 (the "License"); you may not use this file except
+ *  in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.api.dto;
+
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ *KeyManagerPermissionConfiguration model
+ */
+public class KeyManagerPermissionConfigurationDTO implements Serializable {
+
+    private String permissionType = null;
+    private List<String> roles = new ArrayList<String>();
+
+    public KeyManagerPermissionConfigurationDTO () {
+        this.setPermissionType("PUBLIC");
+    }
+
+    public KeyManagerPermissionConfigurationDTO(String permissionType, List<String> roles) {
+        this.permissionType = permissionType;
+        this.roles = roles;
+    }
+
+    public String getPermissionType () {
+        return permissionType;
+    }
+
+    public void setPermissionType (String permissionType) {
+        this.permissionType = permissionType;
+    }
+
+    public List<String> getRoles() {
+        return roles;
+    }
+
+    public void setRoles(List<String> roles) {
+        if (roles == null) {
+            return;
+        }
+        this.roles = roles;
+    }
+}

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIAdminImpl.java

@@ -39,6 +39,7 @@
 import org.wso2.carbon.apimgt.api.APIMgtResourceNotFoundException;
 import org.wso2.carbon.apimgt.api.ExceptionCodes;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APICategory;
 import org.wso2.carbon.apimgt.api.model.Application;
 import org.wso2.carbon.apimgt.api.model.ApplicationInfo;
@@ -745,6 +746,17 @@
                 .notify(decryptedKeyManagerConfiguration, APIConstants.KeyManager.KeyManagerEvent.ACTION_UPDATE);
         return keyManagerConfigurationDTO;
     }
+    @Override
+    public KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id) throws APIManagementException {
+
+        KeyManagerPermissionConfigurationDTO keyManagerPermissionConfigurationDTO;
+        try {
+            keyManagerPermissionConfigurationDTO = apiMgtDAO.getKeyManagerPermissions(id);
+        } catch (APIManagementException e) {
+            throw new APIManagementException("Key Manager Permissions retrieval failed for Key Manager id " + id, e);
+        }
+        return keyManagerPermissionConfigurationDTO;
+    }
 
     private IdentityProvider updatedIDP(IdentityProvider retrievedIDP,
                                         KeyManagerConfigurationDTO keyManagerConfigurationDTO) {

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java

@@ -2596,6 +2596,9 @@ public static class KeyManager {
         public static final String PKCE_MANDATORY = "pkceMandatory";
         public static final String PKCE_SUPPORT_PLAIN = "pkceSupportPlain";
         public static final String BYPASS_CLIENT_CREDENTIALS = "bypassClientCredentials";
+        public static final String PERMISSIONS = "permissions";
+        public static final String ROLES = "roles";
+        public static final String PERMISSION_TYPE = "permissionType";
 
         public static class KeyManagerEvent {
 

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConsumerImpl.java

@@ -32,13 +32,15 @@
 import org.json.simple.parser.ParseException;
 import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.apimgt.api.APIConsumer;
+import org.wso2.carbon.apimgt.api.APIAdmin;
 import org.wso2.carbon.apimgt.api.APIDefinition;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.APIMgtAuthorizationFailedException;
 import org.wso2.carbon.apimgt.api.APIMgtResourceNotFoundException;
 import org.wso2.carbon.apimgt.api.ExceptionCodes;
 import org.wso2.carbon.apimgt.api.WorkflowResponse;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.API;
 import org.wso2.carbon.apimgt.api.model.APIIdentifier;
 import org.wso2.carbon.apimgt.api.model.APIKey;
@@ -188,6 +190,9 @@
     public static final String API_NAME = "apiName";
     public static final String API_VERSION = "apiVersion";
     public static final String API_PROVIDER = "apiProvider";
+    private static final String PERMISSION_ALLOW = "ALLOW";
+    private static final String PERMISSION_DENY = "DENY";
+    private static final String PERMISSION_NOT_RESTRICTED = "PUBLIC";
     private static final String PRESERVED_CASE_SENSITIVE_VARIABLE = "preservedCaseSensitive";
 
     private static final String GET_SUB_WORKFLOW_REF_FAILED = "Failed to get external workflow reference for subscription ";
@@ -4234,4 +4239,106 @@
                     apiTypeWrapper.getTier(), username));
         }
     }
+
+    /**
+     * This method is used to retrieve key manager configurations for tenant
+     * @param organization organization of the key manager
+     * @param username username of the logged-in user
+     * @return KeyManagerConfigurationDTO list
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public List<KeyManagerConfigurationDTO> getKeyManagerConfigurationsByOrganization(
+            String organization, String username) throws APIManagementException {
+
+        APIAdmin apiAdmin = new APIAdminImpl();
+        List<KeyManagerConfigurationDTO> keyManagerConfigurations =
+                apiAdmin.getKeyManagerConfigurationsByOrganization(organization);
+        List<KeyManagerConfigurationDTO> permittedKeyManagerConfigurations = new ArrayList<>();
+        if (keyManagerConfigurations.size() > 0) {
+            for (KeyManagerConfigurationDTO keyManagerConfiguration : keyManagerConfigurations) {
+                if (isKeyManagerAllowedForUser(keyManagerConfiguration.getUuid(), username)) {
+                    permittedKeyManagerConfigurations.add(keyManagerConfiguration);
+                }
+            }
+        }
+        return permittedKeyManagerConfigurations;
+    }
+
+    /**
+     * This method is used to check if key manager configuration is allowed for user
+     * @param keyManagerId uuid of the key manager
+     * @param username username of the logged in user
+     * @return boolean returns if the key manager is allowed for the logged in user
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public boolean isKeyManagerAllowedForUser(String keyManagerId, String username) throws APIManagementException {
+
+        APIAdmin apiAdmin = new APIAdminImpl();
+        KeyManagerPermissionConfigurationDTO permissions = apiAdmin.getKeyManagerPermissions(keyManagerId);
+        String permissionType = permissions.getPermissionType();
+        if (permissions != null && !permissionType.equals(PERMISSION_NOT_RESTRICTED)) {
+            String[] permissionRoles = permissions.getRoles()
+                    .stream()
+                    .toArray(String[]::new);
+            String[] userRoles = APIUtil.getListOfRoles(username);
+            boolean roleIsRestricted = hasIntersection(userRoles, permissionRoles);
+            if ((PERMISSION_ALLOW.equals(permissionType) && !roleIsRestricted)
+                    || (PERMISSION_DENY.equals(permissionType) && roleIsRestricted)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+
+    /**
+     * This method is used to check if key manager configuration is allowed for user
+     * @param keyManagerName name of the key manager
+     * @param organization organization of the logged in user
+     * @param username username of the logged in user
+     * @return boolean returns if the key manager is allowed for the logged in user
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String organization, String username)
+            throws APIManagementException {
+        APIAdmin apiAdmin = new APIAdminImpl();
+        KeyManagerConfigurationDTO keyManagerConfiguration = apiAdmin
+                .getKeyManagerConfigurationByName(organization, keyManagerName);
+        KeyManagerPermissionConfigurationDTO permissions = keyManagerConfiguration.getPermissions();
+        String permissionType = permissions.getPermissionType();
+        //Checks if the keymanager is permission restricted and if the user is in the restricted list
+        if (permissions != null && !permissionType.equals(PERMISSION_NOT_RESTRICTED)) {
+            String[] permissionRoles = permissions.getRoles()
+                    .stream()
+                    .toArray(String[]::new);
+            String[] userRoles = APIUtil.getListOfRoles(username);
+            //list of common roles the user has and the restricted list
+            boolean roleIsRestricted = hasIntersection(userRoles, permissionRoles);
+            //Checks if the user is allowed to access the key manager
+            if ((PERMISSION_ALLOW.equals(permissionType) && !roleIsRestricted)
+                    || (PERMISSION_DENY.equals(permissionType) && roleIsRestricted)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    public static boolean hasIntersection(String[] arr1, String[] arr2) {
+        Set<String> set = new HashSet<>();
+
+        for (String element : arr1) {
+            set.add(element);
+        }
+
+        for (String element : arr2) {
+            if (set.contains(element)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }