Merge pull request #3491 from renuka-fernando/choreo-remove-unused-ke…

…y-manager-configs

Remove unnecessary configs passed from Adapter to Enforcer through xDS messages

adapter/config/default_config.go

@@ -50,6 +50,14 @@ var defaultConfig = &Config{
 			CertFile:           "/home/wso2/security/truststore/consul/local-dc-client-consul-0.pem",
 			KeyFile:            "/home/wso2/security/truststore/consul/local-dc-client-consul-0-key.pem",
 		},
+		XdsPayloadFormatter: xdsPayloadFormatter{
+			KeyManagerConfigs: keyManagerConfigs{
+				RetainKeys: []string{
+					"self_validate_jwt", "issuer", "claim_mappings", "consumer_key_claim",
+					"scopes_claim", "jwks_endpoint", "certificate_type", "certificate_value", "environments",
+				},
+			},
+		},
 		Keystore: keystore{
 			KeyPath:  "/home/wso2/security/keystore/mg.key",
 			CertPath: "/home/wso2/security/keystore/mg.pem",

adapter/config/types.go

@@ -89,6 +89,8 @@ type adapter struct {
 	VhostMapping []vhostMapping
 	// Consul represents the configuration required to connect to consul service discovery
 	Consul consul
+	// XdsPayloadFormatter represents the configuration to format the xds payload
+	XdsPayloadFormatter xdsPayloadFormatter
 	// Keystore contains the keyFile and Cert File of the adapter
 	Keystore keystore
 	// Trusted Certificates
@@ -208,6 +210,16 @@ type consul struct {
 	KeyFile string
 }
 
+type xdsPayloadFormatter struct {
+	// KeyManagerConfigs contains format configurations related to key manager configuration
+	KeyManagerConfigs keyManagerConfigs
+}
+
+type keyManagerConfigs struct {
+	// RetainKeys contains the keys that should be retained in the xds payload
+	RetainKeys []string
+}
+
 // Global CORS configurations
 type globalCors struct {
 	Enabled          bool

adapter/internal/discovery/xds/marshaller.go

@@ -342,6 +342,8 @@ func marshalKeyMappingMapToList(keyMappingMap map[string]*subscription.Applicati
 
 // MarshalKeyManager converts the data into KeyManager proto type
 func MarshalKeyManager(keyManager *types.KeyManager) *keymgt.KeyManagerConfig {
+	// Filter the key manager configuration based on the configuration retention list
+	keyManager.Configuration = getFilteredKeyManagerConfig(keyManager.Configuration)
 	configList, err := json.Marshal(keyManager.Configuration)
 	configuration := string(configList)
 	if err == nil {

adapter/internal/discovery/xds/payloadfmt.go

@@ -0,0 +1,33 @@
+/*
+ *  Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package xds
+
+import "github.com/wso2/product-microgateway/adapter/config"
+
+func getFilteredKeyManagerConfig(kmConfigMap map[string]interface{}) map[string]interface{} {
+	filteredKMConfigMap := make(map[string]interface{})
+	conf, _ := config.ReadConfigs()
+
+	for _, retainKey := range conf.Adapter.XdsPayloadFormatter.KeyManagerConfigs.RetainKeys {
+		// Does not required to check for case sensitivity as the enforcer reads from a hash map
+		val, ok := kmConfigMap[retainKey]
+		if ok {
+			filteredKMConfigMap[retainKey] = val
+		}
+	}
+	return filteredKMConfigMap
+}

adapter/internal/discovery/xds/payloadfmt_test.go

@@ -0,0 +1,64 @@
+/*
+ *  Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package xds
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetFilteredKeyManagerConfig(t *testing.T) {
+	kmConfigMap := map[string]interface{}{
+		"claim_mappings":     []string{},
+		"authorize_endpoint": "https://api.asgardeo.io/t/renukafernando/oauth2/authorize",
+		"grant_types": []string{
+			"refresh_token ",
+			"password",
+			"client_credentials",
+			"authorization_code",
+			"implicit",
+		},
+		"enable_oauth_app_creation":      true,
+		"certificate_value":              "https://api.asgardeo.io/t/renukafernando/oauth2/jwks",
+		"enable_map_oauth_consumer_apps": false,
+		"enable_token_hash":              false,
+		"revoke_endpoint":                "https://api.asgardeo.io/t/renukafernando/oauth2/revoke",
+		"well_known_endpoint":            "https://api.asgardeo.io/t/renukafernando/oauth2/token/.well-known/openid-configuration",
+		"self_validate_jwt":              true,
+		"scopes_claim":                   "scope",
+		"enable_token_encryption":        false,
+		"client_registration_endpoint":   "https://api.asgardeo.io/t/renukafernando/api/server/v1",
+		"logout_endpoint":                "https://api.asgardeo.io/t/renukafernando/oidc/logout",
+		"consumer_key_claim":             "azp",
+		"certificate_type":               "JWKS",
+		"token_endpoint":                 "https://api.asgardeo.io/t/renukafernando/oauth2/token",
+		"environments":                   []string{"Production"},
+	}
+	expectedKmConfigMap := map[string]interface{}{
+		"claim_mappings":     []string{},
+		"certificate_value":  "https://api.asgardeo.io/t/renukafernando/oauth2/jwks",
+		"self_validate_jwt":  true,
+		"scopes_claim":       "scope",
+		"consumer_key_claim": "azp",
+		"certificate_type":   "JWKS",
+		"environments":       []string{"Production"},
+	}
+
+	filteredConfig := getFilteredKeyManagerConfig(kmConfigMap)
+	assert.Equal(t, expectedKmConfigMap, filteredConfig, "Filtered Key Manager Configuration is not as expected")
+}

adapter/internal/messaging/notification_listener.go

@@ -161,7 +161,7 @@ func handleKeyManagerEvents(data []byte) {
 		delete(xds.KeyManagerMap, xds.GenerateKeyManagerMapKey(keyManagerEvent.Name, keyManagerEvent.Organization))
 		xds.GenerateAndUpdateKeyManagerList()
 	} else if decodedByte != nil {
-		logger.LoggerInternalMsg.Infof("decoded Key Manager stream %s", string(decodedByte))
+		logger.LoggerInternalMsg.Debugf("decoded Key Manager stream %s", string(decodedByte))
 		kmConfigMapErr := json.Unmarshal([]byte(string(decodedByte)), &kmConfigMap)
 		if kmConfigMapErr != nil {
 			logger.LoggerInternalMsg.Errorf("Error occurred while unmarshalling key manager config map %v", kmConfigMapErr)
@@ -174,7 +174,7 @@ func handleKeyManagerEvents(data []byte) {
 				Type: keyManagerEvent.Type, Enabled: keyManagerEvent.Enabled,
 				TenantDomain: keyManagerEvent.TenantDomain, Organization: keyManagerEvent.Organization,
 				Configuration: kmConfigMap}
-			logger.LoggerInternalMsg.Infof("Key Manager data %v", keyManager.Configuration)
+			logger.LoggerInternalMsg.Debugf("Key Manager data %v", keyManager.Configuration)
 			xds.KeyManagerMap[xds.GenerateKeyManagerMapKey(keyManagerEvent.Name, keyManagerEvent.Organization)] = xds.MarshalKeyManager(&keyManager)
 			xds.GenerateAndUpdateKeyManagerList()
 		}

adapter/pkg/messaging/azure_connection.go

@@ -22,12 +22,14 @@ import (
 	"context"
 	"errors"
 	"os"
+	"regexp"
 	"strconv"
 	"time"
 
 	asb "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus"
 	"github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus/admin"
 	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
 	logger "github.com/wso2/product-microgateway/adapter/pkg/loggers"
 )
 
@@ -83,7 +85,9 @@ func InitiateBrokerConnectionAndValidate(connectionString string, componentName
 	_, err := asb.NewClientFromConnectionString(connectionString, nil)
 
 	if err == nil {
-		logger.LoggerMsg.Debugf("ASB client initialized for connection url: %s", connectionString)
+		if logger.LoggerMsg.IsLevelEnabled(logrus.DebugLevel) {
+			logger.LoggerMsg.Debugf("ASB client initialized for connection url: %s", maskSharedAccessKey(connectionString))
+		}
 
 		for j := 0; j < reconnectRetryCount || reconnectRetryCount == -1; j++ {
 			err = nil
@@ -169,3 +173,9 @@ func logError(reconnectRetryCount int, reconnectInterval time.Duration, errVal e
 	}
 	logger.LoggerMsg.Errorf("%v. %s .Retrying after %s seconds", errVal, retryAttemptMessage, reconnectInterval)
 }
+
+func maskSharedAccessKey(endpoint string) string {
+	re := regexp.MustCompile(`(SharedAccessKey=)([^;]+)`)
+	maskedEndpoint := re.ReplaceAllString(endpoint, "${1}************")
+	return maskedEndpoint
+}

enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/keymgt/KeyManagerHolder.java

@@ -80,6 +80,10 @@ public void populateKMIssuerConfiguration(List<KeyManagerConfig> kmIssuers) {
     private Map<String,  Map<String, ExtendedTokenIssuerDto>> getAllKmIssuers(List<KeyManagerConfig> kmIssuers) {
         Map<String,  Map<String, ExtendedTokenIssuerDto>> kmIssuerMap = new ConcurrentHashMap<>();
         for (KeyManagerConfig keyManagerConfig : kmIssuers) {
+            if (!keyManagerConfig.getEnabled()) {
+                continue;
+            }
+
             JSONObject configObj = new JSONObject(keyManagerConfig.getConfiguration());
             Map<String, Object> configuration = new HashMap<>();
             Iterator<String> keysItr = configObj.keys();
@@ -89,10 +93,8 @@ private Map<String,  Map<String, ExtendedTokenIssuerDto>> getAllKmIssuers(List<K
                 configuration.put(key, value);
             }
 
-            if (keyManagerConfig.getEnabled()) {
-                addKMTokenIssuers(keyManagerConfig.getName(), keyManagerConfig.getOrganization(),
-                        configuration, kmIssuerMap);
-            }
+            addKMTokenIssuers(keyManagerConfig.getName(), keyManagerConfig.getOrganization(),
+                configuration, kmIssuerMap);
         }
         return kmIssuerMap;
     }

resources/conf/config.toml.template

@@ -66,6 +66,13 @@ sandboxVhost = "sandbox.host"
   # Optional path to the private key for Consul communication. If this is set, then you need to also set certFile
   keyFile = "/home/wso2/security/truststore/consul/local-dc-client-consul-0-key.pem"
 
+# Configurations for formatting xDS payloads sent to other Choreo Connect components
+[adapter.xdsPayloadFormatter]
+# Enforcer Key Manager formattings
+[adapter.xdsPayloadFormatter.keyManagerConfigs]
+# Retain only the following keys in the Key Manager configurations from Control Plane events and send to Enforcer
+retainKeys = ["self_validate_jwt", "issuer", "claim_mappings", "consumer_key_claim", "scopes_claim", "jwks_endpoint", "certificate_type", "certificate_value", "environments"]
+
 # Configurations required for router to route the traffic from different clients to services
 [router] # --------------------------------------------------------
   # Host for listener of Router
@@ -481,7 +488,7 @@ enabled = true
     # Number of tasks can be submitted to the worker pool without being blocked.
     queueSizePerPool = 1000
   # HTTP client configuration.
-  [controlPlane.httpClient] 
+  [controlPlane.hTTPClient]
     requestTimeOut = 30
 
 # Global Adapter related configurations