wso2 · Kirishikesan · Jan 9, 2024 · Aug 31, 2023 · Sep 5, 2023 · Sep 5, 2023
@@ -18,6 +18,7 @@
 package org.wso2.carbon.apimgt.api;
 
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APICategory;
 import org.wso2.carbon.apimgt.api.model.Application;
 import org.wso2.carbon.apimgt.api.model.ApplicationInfo;
@@ -332,6 +333,14 @@ KeyManagerConfigurationDTO addKeyManagerConfiguration(KeyManagerConfigurationDTO
     KeyManagerConfigurationDTO updateKeyManagerConfiguration(KeyManagerConfigurationDTO keyManagerConfigurationDTO)
             throws APIManagementException;
 
+    /**
+     * This method used to get key manager permissions with key manager id and role
+     * @param id uuid of key manager
+     * @return key manager permissions
+     * @throws APIManagementException
+     */
+    KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id) throws APIManagementException;
+
     /**
      * hTis method used to delete IDP mapped with key manager
      * @param organization organization requested

@@ -21,6 +21,7 @@
 
 import org.json.simple.JSONArray;
 import org.json.simple.JSONObject;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.API;
 import org.wso2.carbon.apimgt.api.model.APIIdentifier;
 import org.wso2.carbon.apimgt.api.model.APIKey;
@@ -797,4 +798,33 @@ Set<SubscribedAPI> getPaginatedSubscribedAPIsByApplication(Application applicati
      * @throws APIManagementException if failed to retrieve policy.
      */
     Tier getThrottlePolicyByName(String name, int policyType, String organization) throws APIManagementException;
+
+    /**
+     * This method used to retrieve key manager configurations for tenant
+     * @param organization organization of the key manager
+     * @param username username of the logged in user
+     * @return KeyManagerConfigurationDTO list
+     * @throws APIManagementException if error occurred
+     */
+    List<KeyManagerConfigurationDTO> getKeyManagerConfigurationsByOrganization(String organization, String username) throws APIManagementException;
+
+    /**
+     * This method used to check if key manager configuration is allowed for user
+     * @param keyManagerId uuid of the key manager
+     * @param username username of the logged in user
+     * @return boolean
+     * @throws APIManagementException if error occurred
+     */
+    boolean isKeyManagerAllowedForUser(String keyManagerId, String username) throws APIManagementException;
+
+    /**
+     * This method used to check if key manager configuration by name is allowed for user
+     * @param keyManagerName name of the key manager
+     * @param organization organization of the logged in user
+     * @param username username of the logged in user
+     * @return boolean
+     * @throws APIManagementException if error occurred
+     */
+    boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String organization, String username) throws APIManagementException;
+
 }
@@ -541,6 +541,7 @@ public enum ExceptionCodes implements ErrorHandler {
             "Revision deployment request conflicted with the current deployment state of the revision %s. Please try again later", false),
     INVALID_API_ID(902006, "Invalid API ID", 404, "The provided API ID is not found %s", false),
     INVALID_ENDPOINT_CONFIG(902012, "Endpoint config value(s) is(are) not valid", 400, "Endpoint config value(s) is(are) not valid"),
+    KEY_MANAGER_RESTRICTED_FOR_USER(902013, "Unauthorized Access to Key Manager", 403, "Key Manager is Restricted for this user"),
     ARTIFACT_SYNC_HTTP_REQUEST_FAILED(903009, "Error while retrieving from remote endpoint", 500, "Error while executing HTTP request to retrieve from remote endpoint");
 
     private final long errorCode;

@@ -42,9 +42,9 @@
     private String tokenType;
     private String externalReferenceId = null;
     private String alias = null;
+    private KeyManagerPermissionConfigurationDTO permissions = new KeyManagerPermissionConfigurationDTO();
 
     public KeyManagerConfigurationDTO() {
-
     }
 
     public KeyManagerConfigurationDTO(KeyManagerConfigurationDTO keyManagerConfigurationDTO) {
@@ -60,6 +60,7 @@
         this.tokenType = keyManagerConfigurationDTO.getTokenType();
         this.externalReferenceId = keyManagerConfigurationDTO.getExternalReferenceId();
         this.endpoints = keyManagerConfigurationDTO.getEndpoints();
+        this.setPermissions(keyManagerConfigurationDTO.getPermissions());
     }
     public String getName() {
 
@@ -184,4 +185,15 @@
 
         this.endpoints = endpoints;
     }
+
+    public KeyManagerPermissionConfigurationDTO getPermissions () {
+        return permissions;
+    }
+
+    public void setPermissions (KeyManagerPermissionConfigurationDTO permissions) {
+        if (permissions == null) {
+            permissions = new KeyManagerPermissionConfigurationDTO();
+        }
+        this.permissions = permissions;
+    }
 }
@@ -0,0 +1,43 @@
+package org.wso2.carbon.apimgt.api.dto;
+
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ *KeyManagerPermissionConfiguration model
+ */
+public class KeyManagerPermissionConfigurationDTO implements Serializable {
+
+    private String permissionType = null;
+    private List<String> roles = new ArrayList<String>();
+
+    public KeyManagerPermissionConfigurationDTO () {
+        this.setPermissionType("PUBLIC");
+    }
+
+    public KeyManagerPermissionConfigurationDTO(String permissionType, List<String> roles) {
+        this.permissionType = permissionType;
+        this.roles = roles;
+    }
+
+    public String getPermissionType () {
+        return permissionType;
+    }
+
+    public void setPermissionType (String permissionType) {
+        this.permissionType = permissionType;
+    }
+
+    public List<String> getRoles() {
+        return roles;
+    }
+
+    public void setRoles(List<String> roles) {
+        if (roles == null) {
+            return;
+        }
+        this.roles = roles;
+    }
+}
@@ -39,6 +39,7 @@
 import org.wso2.carbon.apimgt.api.APIMgtResourceNotFoundException;
 import org.wso2.carbon.apimgt.api.ExceptionCodes;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.APICategory;
 import org.wso2.carbon.apimgt.api.model.Application;
 import org.wso2.carbon.apimgt.api.model.ApplicationInfo;
@@ -745,6 +746,17 @@
                 .notify(decryptedKeyManagerConfiguration, APIConstants.KeyManager.KeyManagerEvent.ACTION_UPDATE);
         return keyManagerConfigurationDTO;
     }
+    @Override
+    public KeyManagerPermissionConfigurationDTO getKeyManagerPermissions(String id) throws APIManagementException {
+
+        KeyManagerPermissionConfigurationDTO keyManagerPermissionConfigurationDTO;
+        try {
+            keyManagerPermissionConfigurationDTO = apiMgtDAO.getKeyManagerPermissions(id);
+        } catch (APIManagementException e) {
+            throw new APIManagementException("Key Manager Permissions retrieval failed for Key Manager id " + id);
+        }
+        return keyManagerPermissionConfigurationDTO;
+    }
 
     private IdentityProvider updatedIDP(IdentityProvider retrievedIDP,
                                         KeyManagerConfigurationDTO keyManagerConfigurationDTO) {

@@ -2596,6 +2596,9 @@ public static class KeyManager {
         public static final String PKCE_MANDATORY = "pkceMandatory";
         public static final String PKCE_SUPPORT_PLAIN = "pkceSupportPlain";
         public static final String BYPASS_CLIENT_CREDENTIALS = "bypassClientCredentials";
+        public static final String PERMISSIONS = "permissions";
+        public static final String ROLES = "roles";
+        public static final String PERMISSION_TYPE = "permissionType";
 
         public static class KeyManagerEvent {
 

@@ -32,13 +32,15 @@
 import org.json.simple.parser.ParseException;
 import org.wso2.carbon.CarbonConstants;
 import org.wso2.carbon.apimgt.api.APIConsumer;
+import org.wso2.carbon.apimgt.api.APIAdmin;
 import org.wso2.carbon.apimgt.api.APIDefinition;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.APIMgtAuthorizationFailedException;
 import org.wso2.carbon.apimgt.api.APIMgtResourceNotFoundException;
 import org.wso2.carbon.apimgt.api.ExceptionCodes;
 import org.wso2.carbon.apimgt.api.WorkflowResponse;
 import org.wso2.carbon.apimgt.api.dto.KeyManagerConfigurationDTO;
+import org.wso2.carbon.apimgt.api.dto.KeyManagerPermissionConfigurationDTO;
 import org.wso2.carbon.apimgt.api.model.API;
 import org.wso2.carbon.apimgt.api.model.APIIdentifier;
 import org.wso2.carbon.apimgt.api.model.APIKey;
@@ -4234,4 +4236,94 @@
                     apiTypeWrapper.getTier(), username));
         }
     }
+
+    /**
+     * This method is used to retrieve key manager configurations for tenant
+     * @param organization organization of the key manager
+     * @param username username of the logged-in user
+     * @return KeyManagerConfigurationDTO list
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public List<KeyManagerConfigurationDTO> getKeyManagerConfigurationsByOrganization(
+            String organization, String username) throws APIManagementException {
+
+        APIAdmin apiAdmin = new APIAdminImpl();
+        List<KeyManagerConfigurationDTO> keyManagerConfigurations =
+                apiAdmin.getKeyManagerConfigurationsByOrganization(organization);
+        List<KeyManagerConfigurationDTO> permittedKeyManagerConfigurations = new ArrayList<>();
+        if (keyManagerConfigurations.size() > 0) {
+            for (KeyManagerConfigurationDTO keyManagerConfiguration : keyManagerConfigurations) {
+                if (isKeyManagerAllowedForUser(keyManagerConfiguration.getUuid(), username)) {
+                    permittedKeyManagerConfigurations.add(keyManagerConfiguration);
+                }
+            }
+        }
+        return permittedKeyManagerConfigurations;
+    }
+
+    /**
+     * This method is used to check if key manager configuration is allowed for user
+     * @param keyManagerId uuid of the key manager
+     * @param username username of the logged in user
+     * @return boolean
+     * @throws APIManagementException if error occurred
+     */
+    @Override
+    public boolean isKeyManagerAllowedForUser(String keyManagerId, String username) throws APIManagementException {
+
+        APIAdmin apiAdmin = new APIAdminImpl();
+        KeyManagerPermissionConfigurationDTO permissions = apiAdmin.getKeyManagerPermissions(keyManagerId);
+        String permissionType = permissions.getPermissionType();
+        if (permissions != null && !permissionType.equals("PUBLIC")) {
+            String[] permissionRoles = permissions.getRoles()
+                    .stream()
+                    .toArray(String[]::new);
+            String[] userRoles = APIUtil.getListOfRoles(username);
+            boolean roleIsRestricted = hasIntersection(userRoles, permissionRoles);
+            if (("ALLOW".equals(permissionType) && !roleIsRestricted)
+                    || ("DENY".equals(permissionType) && roleIsRestricted)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    @Override
+    public boolean isKeyManagerByNameAllowedForUser(String keyManagerName, String organization, String username)
+            throws APIManagementException {
+        APIAdmin apiAdmin = new APIAdminImpl();
+        KeyManagerConfigurationDTO keyManagerConfiguration = apiAdmin
+                .getKeyManagerConfigurationByName(organization, keyManagerName);
+        KeyManagerPermissionConfigurationDTO permissions = keyManagerConfiguration.getPermissions();
+        String permissionType = permissions.getPermissionType();
+        if (permissions != null && !permissionType.equals("PUBLIC")) {
+            String[] permissionRoles = permissions.getRoles()
+                    .stream()
+                    .toArray(String[]::new);
+            String[] userRoles = APIUtil.getListOfRoles(username);
+            boolean roleIsRestricted = hasIntersection(userRoles, permissionRoles);
+            if (("ALLOW".equals(permissionType) && !roleIsRestricted)
+                    || ("DENY".equals(permissionType) && roleIsRestricted)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    public static boolean hasIntersection(String[] arr1, String[] arr2) {
+        Set<String> set = new HashSet<>();
+
+        for (String element : arr1) {
+            set.add(element);
+        }
+
+        for (String element : arr2) {
+            if (set.contains(element)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }