Add authorized API

wso2 · Oct 11, 2023 · 92aa4f9 · 92aa4f9
1 parent 65457d1
commit 92aa4f9
Show file tree

Hide file tree

Showing 18 changed files with 1,411 additions and 2 deletions.
diff --git a/...tion.management/org.wso2.carbon.identity.api.server.application.management.common/pom.xml b/...tion.management/org.wso2.carbon.identity.api.server.application.management.common/pom.xml
@@ -81,5 +81,10 @@
             <artifactId>org.wso2.carbon.identity.auth.attribute.handler</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.identity.api.resource.mgt</artifactId>
+            <scope>provided</scope>
+        </dependency>
     </dependencies>
 </project>
diff --git a/...bon/identity/api/server/application/management/common/ApplicationManagementConstants.java b/...bon/identity/api/server/application/management/common/ApplicationManagementConstants.java
@@ -51,6 +51,8 @@ private ApplicationManagementConstants() {
     public static final String NAME = "name";
     public static final String CLIENT_ID = "clientId";
     public static final String ISSUER = "issuer";
+    public static final String RBAC = "RBAC";
+    public static final String NO_POLICY = "NO POLICY";
 
     public static final String NON_EXISTING_USER_CODE = "30007 - ";
 
@@ -102,6 +104,21 @@ public enum ErrorMessage {
         USE_EXTERNAL_CONSENT_PAGE_NOT_SUPPORTED("60506",
                 "Unsupported application property.",
                 "'useExternalConsentPage' is not yet supported for SAML applications in this version of the API."),
+        API_RESOURCE_NOT_FOUND("60507",
+                "API resource not found.",
+                "API resource with id: %s is not found in the tenant domain: %s."),
+        SCOPES_NOT_FOUND("60508",
+                "API scopes not found.",
+                "One or more scopes in the request is not found for the API resource with Id: %s in the " +
+                        "tenant domain: %s."),
+        API_RESOURCE_ALREADY_AUTHORIZED("60509", "API resource already authorized.",
+                "API resource with id: %s is already authorized for the application with id: %s."),
+        AUTHORIZED_API_NOT_FOUND("60510", "API resource not authorized for the application.",
+                "API resource with id: %s is not authorized for the application with id: %s."),
+        INVALID_POLICY_VALUE("60511", "Invalid policy id value provided.",
+                "Invalid policy id value. It should be 'RBAC' or 'No Policy'."),
+        INVALID_POLICY_TYPE_FOR_API_RESOURCE("60512", "Invalid policy type provided for the API " +
+                "resource.", "API resource with id: %s doesn't allow the provided policy type: %s."),
 
         // Server Errors.
         ERROR_RETRIEVING_SAML_METADATA("65001",

diff --git a/...identity/api/server/application/management/common/ApplicationManagementServiceHolder.java b/...identity/api/server/application/management/common/ApplicationManagementServiceHolder.java
@@ -15,7 +15,9 @@
  */
 package org.wso2.carbon.identity.api.server.application.management.common;
 
+import org.wso2.carbon.identity.api.resource.mgt.APIResourceManager;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
+import org.wso2.carbon.identity.application.mgt.AuthorizedAPIManagementService;
 import org.wso2.carbon.identity.cors.mgt.core.CORSManagementService;
 import org.wso2.carbon.identity.oauth.OAuthAdminServiceImpl;
 import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
@@ -37,6 +39,8 @@ public class ApplicationManagementServiceHolder {
     private static TemplateManager templateManager;
     private static CORSManagementService corsManagementService;
     private static RealmService realmService;
+    private static APIResourceManager apiResourceManager;
+    private static AuthorizedAPIManagementService authorizedAPIManagementService;
 
     public static ApplicationManagementService getApplicationManagementService() {
 
@@ -127,4 +131,45 @@ public static void setRealmService(RealmService realmService) {
 
         ApplicationManagementServiceHolder.realmService = realmService;
     }
+
+    /**
+     * Get APIResourceManager.
+     *
+     * @return APIResourceManager.
+     */
+    public static APIResourceManager getApiResourceManager() {
+
+        return apiResourceManager;
+    }
+
+    /**
+     * Set APIResourceManager.
+     *
+     * @param apiResourceManager APIResourceManager.
+     */
+    public static void setApiResourceManager(APIResourceManager apiResourceManager) {
+
+        ApplicationManagementServiceHolder.apiResourceManager = apiResourceManager;
+    }
+
+    /**
+     * Get AuthorizedAPIManagementService.
+     *
+     * @return AuthorizedAPIManagementService.
+     */
+    public static AuthorizedAPIManagementService getAuthorizedAPIManagementService() {
+
+        return authorizedAPIManagementService;
+    }
+
+    /**
+     * Set AuthorizedAPIManagementService.
+     *
+     * @param authorizedAPIManagementService AuthorizedAPIManagementService.
+     */
+    public static void setAuthorizedAPIManagementService(AuthorizedAPIManagementService
+                                                                 authorizedAPIManagementService) {
+
+        ApplicationManagementServiceHolder.authorizedAPIManagementService = authorizedAPIManagementService;
+    }
 }
diff --git a/...ty/api/server/application/management/common/factory/APIResourceMgtOSGiServiceFactory.java b/...ty/api/server/application/management/common/factory/APIResourceMgtOSGiServiceFactory.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.api.server.application.management.common.factory;
+
+import org.springframework.beans.factory.config.AbstractFactoryBean;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.api.resource.mgt.APIResourceManager;
+
+/**
+ * Factory class for APIResourceManagementOSGiService.
+ */
+public class APIResourceMgtOSGiServiceFactory extends AbstractFactoryBean<APIResourceManager> {
+
+    private APIResourceManager apiResourceManager;
+
+    @Override
+    public Class<?> getObjectType() {
+
+        return Object.class;
+    }
+
+    @Override
+    protected APIResourceManager createInstance() throws Exception {
+
+        if (this.apiResourceManager == null) {
+            apiResourceManager = (APIResourceManager) PrivilegedCarbonContext.
+                    getThreadLocalCarbonContext().getOSGiService(APIResourceManager.class, null);
+            if (apiResourceManager == null) {
+                throw new Exception("Unable to retrieve APIResourceManager service.");
+            }
+        }
+        return this.apiResourceManager;
+    }
+}
diff --git a/.../api/server/application/management/common/factory/AuthorizedAPIMgtOSGiServiceFactory.java b/.../api/server/application/management/common/factory/AuthorizedAPIMgtOSGiServiceFactory.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.api.server.application.management.common.factory;
+
+import org.springframework.beans.factory.config.AbstractFactoryBean;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.application.mgt.AuthorizedAPIManagementService;
+
+/**
+ * Factory Beans serves as a factory for creating other beans within the IOC container. This factory bean is used to
+ * instantiate the AuthorizedAPIManagementService type of object inside the container.
+ */
+public class AuthorizedAPIMgtOSGiServiceFactory extends AbstractFactoryBean<AuthorizedAPIManagementService> {
+
+    private AuthorizedAPIManagementService authorizedAPIManagementService;
+
+    @Override
+    public Class<?> getObjectType() {
+
+        return Object.class;
+    }
+
+    @Override
+    protected AuthorizedAPIManagementService createInstance() throws Exception {
+
+        if (this.authorizedAPIManagementService == null) {
+            authorizedAPIManagementService = (AuthorizedAPIManagementService)
+                    PrivilegedCarbonContext.getThreadLocalCarbonContext()
+                            .getOSGiService(AuthorizedAPIManagementService.class, null);
+            if (authorizedAPIManagementService == null) {
+                throw new Exception("Unable to retrieve AuthorizedAPIManagement service.");
+            }
+        }
+        return this.authorizedAPIManagementService;
+    }
+}
diff --git a/...lication.management/org.wso2.carbon.identity.api.server.application.management.v1/pom.xml b/...lication.management/org.wso2.carbon.identity.api.server.application.management.v1/pom.xml
@@ -129,6 +129,11 @@
             <artifactId>org.wso2.carbon.identity.core</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.identity.api.resource.mgt</artifactId>
+            <scope>provided</scope>
+        </dependency>
 
         <dependency>
             <groupId>org.wso2.carbon.identity.server.api</groupId>

diff --git a/...n/java/org/wso2/carbon/identity/api/server/application/management/v1/ApplicationsApi.java b/...n/java/org/wso2/carbon/identity/api/server/application/management/v1/ApplicationsApi.java
@@ -34,6 +34,9 @@
 import org.wso2.carbon.identity.api.server.application.management.v1.ApplicationTemplateModel;
 import org.wso2.carbon.identity.api.server.application.management.v1.ApplicationTemplatesList;
 import org.wso2.carbon.identity.api.server.application.management.v1.AuthProtocolMetadata;
+import org.wso2.carbon.identity.api.server.application.management.v1.AuthorizedAPICreationModel;
+import org.wso2.carbon.identity.api.server.application.management.v1.AuthorizedAPIPatchModel;
+import org.wso2.carbon.identity.api.server.application.management.v1.AuthorizedAPIResponse;
 import org.wso2.carbon.identity.api.server.application.management.v1.ConfiguredAuthenticatorsModal;
 import org.wso2.carbon.identity.api.server.application.management.v1.CustomInboundProtocolConfiguration;
 import org.wso2.carbon.identity.api.server.application.management.v1.CustomInboundProtocolMetaData;
@@ -68,6 +71,30 @@ public class ApplicationsApi  {
     @Autowired
     private ApplicationsApiService delegate;
 
+    @Valid
+    @POST
+    @Path("/{applicationId}/authorized-apis")
+    @Consumes({ "application/json" })
+    @Produces({ "application/json" })
+    @ApiOperation(value = "Authorized an API to the application ", notes = "This API provides the capability to authorized an API to the application.<br>   <b>Permission required:</b> <br>       * /permission/admin/manage/identity/applicationmgt/create <br>   <b>Scope required:</b> <br>       * internal_application_mgt_create ", response = Void.class, authorizations = {
+        @Authorization(value = "BasicAuth"),
+        @Authorization(value = "OAuth2", scopes = {
+
+        })
+    }, tags={ "Authorized APIs", })
+    @ApiResponses(value = { 
+        @ApiResponse(code = 201, message = "Created", response = Void.class),
+        @ApiResponse(code = 400, message = "Bad Request", response = Error.class),
+        @ApiResponse(code = 401, message = "Unauthorized", response = Void.class),
+        @ApiResponse(code = 403, message = "Forbidden", response = Void.class),
+        @ApiResponse(code = 404, message = "Not Found", response = Void.class),
+        @ApiResponse(code = 500, message = "Server Error", response = Error.class)
+    })
+    public Response addAuthorizedAPI(@ApiParam(value = "ID of the application.",required=true) @PathParam("applicationId") String applicationId, @ApiParam(value = "" ) @Valid AuthorizedAPICreationModel authorizedAPICreationModel) {
+
+        return delegate.addAuthorizedAPI(applicationId,  authorizedAPICreationModel );
+    }
+
     @Valid
     @PUT
     @Path("/{applicationId}/owner")
@@ -190,6 +217,28 @@ public Response deleteApplicationTemplate(@ApiParam(value = "Application templat
         return delegate.deleteApplicationTemplate(templateId );
     }
 
+    @Valid
+    @DELETE
+    @Path("/{applicationId}/authorized-apis/{apiId}")
+
+    @Produces({ "application/json" })
+    @ApiOperation(value = "Remove API authorization from the application ", notes = "This API provides the capability to delete an authorized API of the application.<br>   <b>Permission required:</b> <br>       * /permission/admin/manage/identity/applicationmgt/delete <br>   <b>Scope required:</b> <br>       * internal_application_mgt_delete ", response = Void.class, authorizations = {
+        @Authorization(value = "BasicAuth"),
+        @Authorization(value = "OAuth2", scopes = {
+
+        })
+    }, tags={ "Authorized APIs", })
+    @ApiResponses(value = { 
+        @ApiResponse(code = 204, message = "No Content", response = Void.class),
+        @ApiResponse(code = 401, message = "Unauthorized", response = Void.class),
+        @ApiResponse(code = 403, message = "Forbidden", response = Void.class),
+        @ApiResponse(code = 500, message = "Server Error", response = Error.class)
+    })
+    public Response deleteAuthorizedAPI(@ApiParam(value = "ID of the application.",required=true) @PathParam("applicationId") String applicationId, @ApiParam(value = "ID of the API resource.",required=true) @PathParam("apiId") String apiId) {
+
+        return delegate.deleteAuthorizedAPI(applicationId,  apiId );
+    }
+
     @Valid
     @DELETE
     @Path("/{applicationId}/inbound-protocols/{inboundProtocolId}")
@@ -482,6 +531,29 @@ public Response getApplicationTemplate(@ApiParam(value = "Application template I
         return delegate.getApplicationTemplate(templateId );
     }
 
+    @Valid
+    @GET
+    @Path("/{applicationId}/authorized-apis")
+
+    @Produces({ "application/json" })
+    @ApiOperation(value = "Get authorized APIs of the application. ", notes = "This API provides the capability to retrieve all the authorized APIs of the application.<br>   <b>Permission required:</b> <br>       * /permission/admin/manage/identity/applicationmgt/view <br>   <b>Scope required:</b> <br>       * internal_application_mgt_view ", response = AuthorizedAPIResponse.class, responseContainer = "List", authorizations = {
+        @Authorization(value = "BasicAuth"),
+        @Authorization(value = "OAuth2", scopes = {
+
+        })
+    }, tags={ "Authorized APIs", })
+    @ApiResponses(value = { 
+        @ApiResponse(code = 200, message = "OK", response = AuthorizedAPIResponse.class, responseContainer = "List"),
+        @ApiResponse(code = 401, message = "Unauthorized", response = Void.class),
+        @ApiResponse(code = 403, message = "Forbidden", response = Void.class),
+        @ApiResponse(code = 404, message = "Not Found", response = Void.class),
+        @ApiResponse(code = 500, message = "Server Error", response = Error.class)
+    })
+    public Response getAuthorizedAPIs(@ApiParam(value = "ID of the application.",required=true) @PathParam("applicationId") String applicationId) {
+
+        return delegate.getAuthorizedAPIs(applicationId );
+    }
+
     @Valid
     @GET
     @Path("/{applicationId}/authenticators")
@@ -862,6 +934,30 @@ public Response patchApplication(@ApiParam(value = "ID of the application.",requ
         return delegate.patchApplication(applicationId,  applicationPatchModel );
     }
 
+    @Valid
+    @PATCH
+    @Path("/{applicationId}/authorized-apis/{apiId}")
+    @Consumes({ "application/json" })
+    @Produces({ "application/json" })
+    @ApiOperation(value = "Update authorized API scopes ", notes = "This API provides the capability to update an authorized API of the application.<br>   <b>Permission required:</b> <br>       * /permission/admin/manage/identity/applicationmgt/update <br>   <b>Scope required:</b> <br>       * internal_application_mgt_update ", response = Void.class, authorizations = {
+        @Authorization(value = "BasicAuth"),
+        @Authorization(value = "OAuth2", scopes = {
+
+        })
+    }, tags={ "Authorized APIs", })
+    @ApiResponses(value = { 
+        @ApiResponse(code = 200, message = "OK", response = Void.class),
+        @ApiResponse(code = 400, message = "Bad Request", response = Error.class),
+        @ApiResponse(code = 401, message = "Unauthorized", response = Void.class),
+        @ApiResponse(code = 403, message = "Forbidden", response = Void.class),
+        @ApiResponse(code = 404, message = "Not Found", response = Void.class),
+        @ApiResponse(code = 500, message = "Server Error", response = Error.class)
+    })
+    public Response patchAuthorizedAPI(@ApiParam(value = "ID of the application.",required=true) @PathParam("applicationId") String applicationId, @ApiParam(value = "ID of the API resource.",required=true) @PathParam("apiId") String apiId, @ApiParam(value = "" ) @Valid AuthorizedAPIPatchModel authorizedAPIPatchModel) {
+
+        return delegate.patchAuthorizedAPI(applicationId,  apiId,  authorizedAPIPatchModel );
+    }
+
     @Valid
     @POST
     @Path("/{applicationId}/inbound-protocols/oidc/regenerate-secret")

diff --git a/...org/wso2/carbon/identity/api/server/application/management/v1/ApplicationsApiService.java b/...org/wso2/carbon/identity/api/server/application/management/v1/ApplicationsApiService.java
@@ -23,6 +23,7 @@
 import org.wso2.carbon.identity.api.server.application.management.v1.*;
 import org.apache.cxf.jaxrs.ext.multipart.Attachment;
 import org.apache.cxf.jaxrs.ext.multipart.Multipart;
+
 import java.io.InputStream;
 import java.util.List;
 import org.wso2.carbon.identity.api.server.application.management.v1.AdaptiveAuthTemplates;
@@ -55,6 +56,8 @@
 
 public interface ApplicationsApiService {
 
+      public Response addAuthorizedAPI(String applicationId, AuthorizedAPICreationModel authorizedAPICreationModel);
+
       public Response changeApplicationOwner(String applicationId, ApplicationOwner applicationOwner);
 
       public Response createApplication(ApplicationModel applicationModel, String template);
@@ -65,6 +68,8 @@ public interface ApplicationsApiService {
 
       public Response deleteApplicationTemplate(String templateId);
 
+      public Response deleteAuthorizedAPI(String applicationId, String apiId);
+
       public Response deleteCustomInboundConfiguration(String applicationId, String inboundProtocolId);
 
       public Response deleteInboundOAuthConfiguration(String applicationId);
@@ -89,6 +94,8 @@ public interface ApplicationsApiService {
 
       public Response getApplicationTemplate(String templateId);
 
+      public Response getAuthorizedAPIs(String applicationId);
+
       public Response getConfiguredAuthenticators(String applicationId);
 
       public Response getCustomInboundConfiguration(String applicationId, String inboundProtocolId);
@@ -121,6 +128,8 @@ public interface ApplicationsApiService {
 
       public Response patchApplication(String applicationId, ApplicationPatchModel applicationPatchModel);
 
+      public Response patchAuthorizedAPI(String applicationId, String apiId, AuthorizedAPIPatchModel authorizedAPIPatchModel);
+
       public Response regenerateOAuthClientSecret(String applicationId);
 
       public Response revokeOAuthClient(String applicationId);