Merge pull request #198 from Thumimku/useContextKeystore

[Cookie] Introduce of context keystore for GetCookie, SetCookie Fn for signing
wso2-extensions · Dec 13, 2024 · 9b51a9b · 9b51a9b
2 parents 7b6c407 + bd40752
commit 9b51a9b
Show file tree

Hide file tree

Showing 8 changed files with 64 additions and 13 deletions.
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml b/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml
@@ -111,6 +111,10 @@
             <groupId>org.wso2.carbon.identity.framework</groupId>
             <artifactId>org.wso2.carbon.identity.central.log.mgt</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.security.mgt</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wso2.carbon.crypto</groupId>
             <artifactId>org.wso2.carbon.crypto.impl</artifactId>
@@ -183,6 +187,8 @@
                             version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.application.authentication.framework.config.model.graph;
                             version="${carbon.identity.package.import.version.range}",
+                            org.wso2.carbon.security.keystore.service.*;
+                            version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.core.util; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.central.log.mgt.*; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.user.core; version="${carbon.kernel.package.import.version.range}",

diff --git a/...ain/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java b/...ain/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java
@@ -34,6 +34,7 @@
 import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletRequest;
 import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletResponse;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
+import org.wso2.carbon.identity.conditional.auth.functions.http.internal.HTTPFunctionsServiceHolder;
 import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 
@@ -43,6 +44,8 @@
 import java.util.Optional;
 import javax.servlet.http.Cookie;
 
+import static org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants.KEY_STORE_CONTEXT;
+
 /**
  * Implementation of the setCookie and getCookieValue functions.
  */
@@ -74,7 +77,11 @@ public void setCookie(JsServletResponse response, String name, Object... params)
             if (sign) {
                 try {
                     String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
-                    signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain));
+                    // getCookie, setCookie functionalities uses a functionality specific keystore.
+                    // The below code will create the keystore for this context on-demand if it does not exist.
+                    HTTPFunctionsServiceHolder.getInstance().getIdentityKeyStoreGenerator()
+                            .generateKeyStore(tenantDomain, KEY_STORE_CONTEXT);
+                    signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain, KEY_STORE_CONTEXT));
                 } catch (Exception e) {
                     log.error("Error occurred when signing the cookie value.", e);
                     return;
@@ -186,11 +193,7 @@ public String getCookieValue(JsServletRequest request, Object... params) {
                             String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext()
                                     .getTenantDomain();
                             boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature,
-                                    tenantDomain);
-                            // Fallback mechanism for already signed cookies.
-                            if (!isValid) {
-                                isValid = SignatureUtil.validateSignature(valueString, signature);
-                            }
+                                    tenantDomain, KEY_STORE_CONTEXT);
                             if (!isValid) {
                                 log.error("Cookie signature didn't matched with the cookie value.");
                                 return null;

diff --git a/.../java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java b/.../java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java
@@ -31,6 +31,7 @@
 import org.wso2.carbon.core.util.CryptoUtil;
 import org.wso2.carbon.core.util.SignatureUtil;
 import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletRequest;
+import org.wso2.carbon.identity.conditional.auth.functions.http.internal.HTTPFunctionsServiceHolder;
 import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 
@@ -40,6 +41,8 @@
 
 import javax.servlet.http.Cookie;
 
+import static org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants.KEY_STORE_CONTEXT;
+
 /**
  * Implementation of GetCookieFunction.
  */
@@ -103,11 +106,8 @@ public String getCookieValue(JsServletRequest request, Object... params) {
                         try {
                             String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext()
                                     .getTenantDomain();
-                            boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature, tenantDomain);
-                            // Fallback mechanism for already signed cookies.
-                            if (!isValid) {
-                                isValid = SignatureUtil.validateSignature(valueString, signature);
-                            }
+                            boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature,
+                                    tenantDomain, KEY_STORE_CONTEXT);
                             if (!isValid) {
                                 log.error("Cookie signature didn't matched with the cookie value.");
                                 return null;

diff --git a/.../java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java b/.../java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java
@@ -31,13 +31,16 @@
 import org.wso2.carbon.core.util.CryptoUtil;
 import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletResponse;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
+import org.wso2.carbon.identity.conditional.auth.functions.http.internal.HTTPFunctionsServiceHolder;
 import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.Optional;
 
+import static org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants.KEY_STORE_CONTEXT;
+
 /**
  * Implementation of SetCookieFunction.
  */
@@ -68,7 +71,11 @@ public void setCookie(JsServletResponse response, String name, Object... params)
             if (sign) {
                 try {
                     String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
-                    signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain));
+                    // getCookie, setCookie functionalities uses a functionality specific keystore.
+                    // The below code will create the keystore for this context on-demand if it does not exist.
+                    HTTPFunctionsServiceHolder.getInstance().getIdentityKeyStoreGenerator()
+                            .generateKeyStore(tenantDomain, KEY_STORE_CONTEXT);
+                    signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain, KEY_STORE_CONTEXT));
                 } catch (Exception e) {
                     log.error("Error occurred when signing the cookie value.", e);
                     return;

diff --git a/...rbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceComponent.java b/...rbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceComponent.java
@@ -35,6 +35,7 @@
 import org.wso2.carbon.identity.conditional.auth.functions.http.HTTPPostFunctionImpl;
 import org.wso2.carbon.identity.conditional.auth.functions.http.SetCookieFunctionImpl;
 import org.wso2.carbon.identity.core.util.IdentityCoreInitializedEvent;
+import org.wso2.carbon.security.keystore.service.IdentityKeyStoreGenerator;
 
 /**
  * OSGi declarative services component which handle cookie related conditional auth functions.
@@ -112,4 +113,20 @@ protected void unsetIdentityCoreInitializedEventService(IdentityCoreInitializedE
     /* reference IdentityCoreInitializedEvent service to guarantee that this component will wait until identity core
          is started */
     }
+
+    @Reference(
+            service = IdentityKeyStoreGenerator.class,
+            cardinality = ReferenceCardinality.MANDATORY,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetIdentityKeyStoreGenerator"
+    )
+    public void setIdentityKeyStoreGenerator(IdentityKeyStoreGenerator identityKeyStoreGenerator) {
+
+        HTTPFunctionsServiceHolder.getInstance().setIdentityKeyStoreGenerator(identityKeyStoreGenerator);
+    }
+
+    public void unsetIdentityKeyStoreGenerator(IdentityKeyStoreGenerator identityKeyStoreGenerator) {
+
+        HTTPFunctionsServiceHolder.getInstance().setIdentityKeyStoreGenerator(null);
+    }
 }
diff --git a/.../carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceHolder.java b/.../carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceHolder.java
@@ -19,12 +19,14 @@
 package org.wso2.carbon.identity.conditional.auth.functions.http.internal;
 
 import org.wso2.carbon.identity.application.authentication.framework.JsFunctionRegistry;
+import org.wso2.carbon.security.keystore.service.IdentityKeyStoreGenerator;
 
 public class HTTPFunctionsServiceHolder {
 
     private static HTTPFunctionsServiceHolder instance = new HTTPFunctionsServiceHolder();
 
     private JsFunctionRegistry jsFunctionRegistry;
+    private IdentityKeyStoreGenerator identityKeyStoreGenerator;
 
     public static HTTPFunctionsServiceHolder getInstance() {
 
@@ -44,4 +46,14 @@ public void setJsFunctionRegistry(JsFunctionRegistry jsFunctionRegistry) {
 
         this.jsFunctionRegistry = jsFunctionRegistry;
     }
+
+    public IdentityKeyStoreGenerator getIdentityKeyStoreGenerator() {
+
+        return identityKeyStoreGenerator;
+    }
+
+    public void setIdentityKeyStoreGenerator(IdentityKeyStoreGenerator identityKeyStoreGenerator) {
+
+        this.identityKeyStoreGenerator = identityKeyStoreGenerator;
+    }
 }
diff --git a/...ain/java/org/wso2/carbon/identity/conditional/auth/functions/http/util/HTTPConstants.java b/...ain/java/org/wso2/carbon/identity/conditional/auth/functions/http/util/HTTPConstants.java
@@ -30,4 +30,5 @@ public class HTTPConstants {
     public static final String DECRYPT = "decrypt";
     public static final String VALUE = "value";
     public static final String SIGNATURE = "signature";
+    public static final String KEY_STORE_CONTEXT = "cookie";
 }
diff --git a/pom.xml b/pom.xml
@@ -293,6 +293,11 @@
                 <artifactId>org.wso2.carbon.identity.core</artifactId>
                 <version>${carbon.identity.framework.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.identity.framework</groupId>
+                <artifactId>org.wso2.carbon.security.mgt</artifactId>
+                <version>${carbon.identity.framework.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.openjdk.nashorn</groupId>
                 <artifactId>nashorn-core</artifactId>
@@ -523,7 +528,7 @@
         <carbon.kernel.version>4.10.22</carbon.kernel.version>
         <carbon.kernel.package.import.version.range>[4.6.0, 5.0.0)</carbon.kernel.package.import.version.range>
         <carbon.user.package.import.version.range>[1.0.1, 2.0.0)</carbon.user.package.import.version.range>
-        <carbon.identity.framework.version>7.7.22</carbon.identity.framework.version>
+        <carbon.identity.framework.version>7.7.34</carbon.identity.framework.version>
         <identity.organization.management.core.version>1.0.89</identity.organization.management.core.version>
         <carbon.identity.framework.testutils.version>5.20.447</carbon.identity.framework.testutils.version>
         <carbon.identity.package.import.version.range>[5.14.0, 8.0.0)</carbon.identity.package.import.version.range>