Fix review comments and did changes to admin rest apis

Author: Naduni Pamudika

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.java

@@ -180,9 +180,9 @@ public AuthenticationResponse authenticate(MessageContext synCtx) {
                         ApiKeyAuthenticatorUtils.checkTokenExpired(isGatewayTokenCacheEnabled, cacheKey, tokenIdentifier, apiKey,
                                 tenantDomain, payload);
                         ApiKeyAuthenticatorUtils.validateAPIKeyRestrictions(payload, GatewayUtils.getIp(axis2MessageContext),
-                                apiContext, apiVersion, referer, null);
-                        APIKeyValidationInfoDTO apiKeyValidationInfoDTO = GatewayUtils.validateAPISubscription(apiContext, apiVersion, payload,
-                                null, 0, splitToken[0]);
+                                apiContext, apiVersion, referer);
+                        APIKeyValidationInfoDTO apiKeyValidationInfoDTO = GatewayUtils.validateAPISubscription(apiContext,
+                                apiVersion, payload, splitToken[0]);
                         String endUserToken = ApiKeyAuthenticatorUtils.getEndUserToken(apiKeyValidationInfoDTO, jwtConfigurationDto, apiKey,
                                 signedJWT, payload, tokenIdentifier, apiContext, apiVersion, isGatewayTokenCacheEnabled);
                         AuthenticationContext authenticationContext = GatewayUtils.generateAuthenticationContext(tokenIdentifier,
@@ -271,7 +271,7 @@ public AuthenticationContext validateOpaqueApiKey(String apiKey, String apiConte
         // Validate subscription
         APIKeyValidationInfoDTO apiKeyValidationInfoDTO = null;
         try {
-            apiKeyValidationInfoDTO = GatewayUtils.validateAPISubscription(apiContext, apiVersion, null, apiKeyInfo.getKeyType(),
+            apiKeyValidationInfoDTO = GatewayUtils.validateAPISubscription(apiContext, apiVersion, apiKeyInfo.getKeyType(),
                     apiKeyInfo.getAppId(), apiKey);
             if (apiKeyValidationInfoDTO != null && apiKeyValidationInfoDTO.isAuthorized()) {
                 if (log.isDebugEnabled()) {
@@ -293,7 +293,7 @@ public AuthenticationContext validateOpaqueApiKey(String apiKey, String apiConte
         }
 
         // Check for permittedIP and permittedReferrers
-        ApiKeyAuthenticatorUtils.validateAPIKeyRestrictions(null, ip,
+        ApiKeyAuthenticatorUtils.validateAPIKeyRestrictions(ip,
                 apiContext, apiVersion, referrer, apiKeyInfo.getAdditionalProperties());
 
         // TODO: Check for api key expiry and status is ACTIVE

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/inbound/websocket/Authentication/ApiKeyAuthenticator.java

@@ -110,9 +110,9 @@ public InboundProcessorResponseDTO authenticate(InboundMessageContext inboundMes
                             apiKey, tenantDomain, payload);
                     ApiKeyAuthenticatorUtils.validateAPIKeyRestrictions(payload, inboundMessageContext.getUserIP(),
                             apiContext, apiVersion, inboundMessageContext.getRequestHeaders().
-                                    get(APIMgtGatewayConstants.REFERER), null);
+                                    get(APIMgtGatewayConstants.REFERER));
                     APIKeyValidationInfoDTO apiKeyValidationInfoDTO = GatewayUtils.validateAPISubscription(apiContext, apiVersion,
-                            payload, null, 0, splitToken[0]);
+                            payload, splitToken[0]);
                     String endUserToken = ApiKeyAuthenticatorUtils.getEndUserToken(apiKeyValidationInfoDTO, jwtConfigurationDto,
                             apiKey, signedJWT, payload, tokenIdentifier, apiContext, apiVersion, isGatewayTokenCacheEnabled);
                     AuthenticationContext authenticationContext = GatewayUtils.generateAuthenticationContext(tokenIdentifier,

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/ApiKeyAuthenticatorUtils.java

@@ -277,12 +277,11 @@ public static void checkTokenExpired(boolean isGatewayTokenCacheEnabled, String
      * @param apiContext The API context.
      * @param apiVersion The API version.
      * @param referer    The http referer.
-     * @param additionalProperties Additional properties sent with an opaque API key.
      * @throws APISecurityException If the API Key is not allowed to access the API.
      * @throws APIManagementException If an error occurs while validating the restrictions.
      */
     public static void validateAPIKeyRestrictions(JWTClaimsSet payload, String clientIP, String apiContext,
-                                                  String apiVersion, String referer, Map<String, String> additionalProperties)
+                                                  String apiVersion, String referer)
             throws APISecurityException, APIManagementException {
 
         String permittedIPList = null;
@@ -294,12 +293,69 @@ public static void validateAPIKeyRestrictions(JWTClaimsSet payload, String clien
             if (payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER) != null) {
                 permittedRefererList = (String) payload.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER);
             }
-        } else {
-            if (additionalProperties != null) {
-                // Taking values from the DB for an opaque API key
-                permittedIPList = additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_IP);
-                permittedRefererList = additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_REFERER);
+        }
+        if (StringUtils.isNotEmpty(permittedIPList)) {
+            // Validate client IP against permitted IPs
+            if (StringUtils.isNotEmpty(clientIP)) {
+                for (String restrictedIP : permittedIPList.split(",")) {
+                    if (APIUtil.isIpInNetwork(clientIP, restrictedIP.trim())) {
+                        // Client IP is allowed
+                        return;
+                    }
+                }
+                if (log.isDebugEnabled()) {
+                    if (StringUtils.isNotEmpty(clientIP)) {
+                        log.debug("Invocations to API: " + apiContext + ":" + apiVersion +
+                                " is not permitted for client with IP: " + clientIP);
+                    }
+                }
+                throw new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN,
+                        "Access forbidden for the invocations");
+            }
+        }
+        if (StringUtils.isNotEmpty(permittedRefererList)) {
+            // Validate http referer against the permitted referrers
+            if (StringUtils.isNotEmpty(referer)) {
+                for (String restrictedReferer : permittedRefererList.split(",")) {
+                    String restrictedRefererRegExp = restrictedReferer.trim()
+                            .replace("*", "[^ ]*");
+                    if (referer.matches(restrictedRefererRegExp)) {
+                        // Referer is allowed
+                        return;
+                    }
+                }
+                if (log.isDebugEnabled()) {
+                    if (StringUtils.isNotEmpty(referer)) {
+                        log.debug("Invocations to API: " + apiContext + ":" + apiVersion +
+                                " is not permitted for referer: " + referer);
+                    }
+                }
             }
+            throw new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN,
+                    "Access forbidden for the invocations");
+        }
+    }
+
+    /**
+     * This method is used to validate the API Key against the given restrictions.
+     * @param clientIP   The client IP.
+     * @param apiContext The API context.
+     * @param apiVersion The API version.
+     * @param referer    The http referer.
+     * @param additionalProperties Additional properties sent with an opaque API key.
+     * @throws APISecurityException If the API Key is not allowed to access the API.
+     * @throws APIManagementException If an error occurs while validating the restrictions.
+     */
+    public static void validateAPIKeyRestrictions(String clientIP, String apiContext,
+                                                  String apiVersion, String referer, Map<String, String> additionalProperties)
+            throws APISecurityException {
+
+        String permittedIPList = null;
+        String permittedRefererList = null;
+        if (additionalProperties != null) {
+            // Taking values from the DB for an opaque API key
+            permittedIPList = additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_IP);
+            permittedRefererList = additionalProperties.get(APIConstants.JwtTokenConstants.PERMITTED_REFERER);
         }
         if (StringUtils.isNotEmpty(permittedIPList)) {
             // Validate client IP against permitted IPs

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/GatewayUtils.java

@@ -891,29 +891,20 @@ public static JSONObject validateAPISubscription(String apiContext, String apiVe
      * @param apiContext API context
      * @param apiVersion API version
      * @param payload    The payload of the JWT token
-     * @param type    The key type
-     * @param applicationId Application Id
      * @param token      The token which was used to invoke the API
      * @return an APIKeyValidationInfoDTO containing APIKey validation information.
      * If the subscription information is not found, return a null object.
      * @throws APISecurityException if the user is not subscribed to the API
      */
     public static APIKeyValidationInfoDTO validateAPISubscription(String apiContext, String apiVersion, JWTClaimsSet payload,
-                                                                  String type, int applicationId, String token)
+                                                                  String token)
             throws APISecurityException {
 
         APIKeyValidator apiKeyValidator = new APIKeyValidator();
         APIKeyValidationInfoDTO apiKeyValidationInfoDTO = null;
-        String keyType;
-        if (type != null) {
-            keyType = type;
-        } else {
-            keyType = (String) payload.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE);
-        }
+        String keyType = (String) payload.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE);
         int appId = 0;
-        if (applicationId != 0) {
-            appId = applicationId;
-        } else if (payload.getClaim(APIConstants.JwtTokenConstants.APPLICATION) != null) {
+        if (payload.getClaim(APIConstants.JwtTokenConstants.APPLICATION) != null) {
             try {
                 Map<String, Object> applicationObjMap =
                         payload.getJSONObjectClaim(APIConstants.JwtTokenConstants.APPLICATION);
@@ -949,6 +940,53 @@ public static APIKeyValidationInfoDTO validateAPISubscription(String apiContext,
         return apiKeyValidationInfoDTO;
     }
 
+    /**
+     * Validate whether the user is subscribed to the invoked API. If subscribed, return a APIKeyValidationInfoDTO
+     * object containing the API information to authenticate API Keys.
+     *
+     * @param apiContext API context
+     * @param apiVersion API version
+     * @param keyType    The key type
+     * @param applicationId Application Id
+     * @param apiKey      The api key which was used to invoke the API
+     * @return an APIKeyValidationInfoDTO containing APIKey validation information.
+     * If the subscription information is not found, return a null object.
+     * @throws APISecurityException if the user is not subscribed to the API
+     */
+    public static APIKeyValidationInfoDTO validateAPISubscription(String apiContext, String apiVersion, String keyType,
+                                                                  int applicationId, String apiKey)
+            throws APISecurityException {
+
+        APIKeyValidator apiKeyValidator = new APIKeyValidator();
+        APIKeyValidationInfoDTO apiKeyValidationInfoDTO = null;
+        int appId = 0;
+        if (applicationId != 0) {
+            appId = applicationId;
+        }
+        // Validate subscription
+        // If the appId is equal to 0 then it's an internal key
+        if (appId != 0) {
+            apiKeyValidationInfoDTO =
+                    apiKeyValidator.validateSubscription(apiContext, apiVersion, appId, getTenantDomain(), keyType);
+            if (apiKeyValidationInfoDTO.isAuthorized()) {
+                if (log.isDebugEnabled()) {
+                    log.debug("User is subscribed to the API: " + apiContext + ", " +
+                            "version: " + apiVersion + ". Token: " + getMaskedToken(apiKey));
+                }
+                apiKeyValidationInfoDTO.setType(keyType);
+            } else {
+                if (log.isDebugEnabled()) {
+                    log.debug("User is not subscribed to access the API: " + apiContext +
+                            ", version: " + apiVersion + ". Token: " + getMaskedToken(apiKey));
+                }
+                log.error("User is not subscribed to access the API.");
+                throw new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN,
+                        APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
+            }
+        }
+        return apiKeyValidationInfoDTO;
+    }
+
     /**
      * Verify the JWT token signature.
      *

components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/gen/java/org/wso2/carbon/apimgt/rest/api/admin/v1/ApiKeysApi.java

@@ -37,10 +37,10 @@ public class ApiKeysApi  {
 
 
     @DELETE
-    @Path("/{applicationId}/{keyType}/{keyDisplayName}")
+    @Path("/{apiId}/{applicationId}/{keyType}/{keyDisplayName}")
 
     @Produces({ "application/json" })
-    @ApiOperation(value = "Revoke API Key", notes = "Revoke an API Key for the application ", response = Void.class, authorizations = {
+    @ApiOperation(value = "Revoke an API Key", notes = "Revoke an API Key for the API ", response = Void.class, authorizations = {
         @Authorization(value = "OAuth2Security", scopes = {
             @AuthorizationScope(scope = "apim:admin", description = "Manage all admin operations")
         })
@@ -49,8 +49,8 @@ public class ApiKeysApi  {
         @ApiResponse(code = 200, message = "OK. Api key revoked successfully. ", response = Void.class),
         @ApiResponse(code = 400, message = "Bad Request. Invalid request or validation error.", response = ErrorDTO.class),
         @ApiResponse(code = 412, message = "Precondition Failed. The request has not been performed because one of the preconditions is not met.", response = ErrorDTO.class) })
-    public Response apiKeysApplicationIdKeyTypeKeyDisplayNameDelete(@ApiParam(value = "Application UUID ",required=true) @PathParam("applicationId") String applicationId, @ApiParam(value = "**Application Key Type** standing for the type of the keys (i.e. Production or Sandbox). ",required=true, allowableValues="PRODUCTION, SANDBOX") @PathParam("keyType") String keyType, @ApiParam(value = "Name of the API key. ",required=true) @PathParam("keyDisplayName") String keyDisplayName) throws APIManagementException{
-        return delegate.apiKeysApplicationIdKeyTypeKeyDisplayNameDelete(applicationId, keyType, keyDisplayName, securityContext);
+    public Response apiKeysApiIdApplicationIdKeyTypeKeyDisplayNameDelete(@ApiParam(value = "**API ID** consisting of the **UUID** of the API. ",required=true) @PathParam("apiId") String apiId, @ApiParam(value = "Application UUID ",required=true) @PathParam("applicationId") String applicationId, @ApiParam(value = "**Application Key Type** standing for the type of the keys (i.e. Production or Sandbox). ",required=true, allowableValues="PRODUCTION, SANDBOX") @PathParam("keyType") String keyType, @ApiParam(value = "Name of the API key. URL-encode this value if it contains reserved path characters. ",required=true) @PathParam("keyDisplayName") String keyDisplayName) throws APIManagementException{
+        return delegate.apiKeysApiIdApplicationIdKeyTypeKeyDisplayNameDelete(apiId, applicationId, keyType, keyDisplayName, securityContext);
     }
 
     @GET

components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/gen/java/org/wso2/carbon/apimgt/rest/api/admin/v1/ApiKeysApiService.java

@@ -21,6 +21,6 @@
 
 
 public interface ApiKeysApiService {
-      public Response apiKeysApplicationIdKeyTypeKeyDisplayNameDelete(String applicationId, String keyType, String keyDisplayName, MessageContext messageContext) throws APIManagementException;
+      public Response apiKeysApiIdApplicationIdKeyTypeKeyDisplayNameDelete(String apiId, String applicationId, String keyType, String keyDisplayName, MessageContext messageContext) throws APIManagementException;
       public Response apiKeysGet(MessageContext messageContext) throws APIManagementException;
 }