Encrypt secret fields in gateway configs

msm1992 · msm1992 · commit d6585f146e1e · 2025-02-11T10:06:01.000+05:30
diff --git a/components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/Environment.java b/components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/Environment.java
@@ -59,6 +59,28 @@ public class Environment implements Serializable {
     private String[] visibilityRoles;
     private String visibility;
 
+    public Environment(Environment environment) {
+        this.type = environment.type;
+        this.serverURL = environment.serverURL;
+        this.userName = environment.userName;
+        this.password = environment.password;
+        this.apiGatewayEndpoint = environment.apiGatewayEndpoint;
+        this.websocketGatewayEndpoint = environment.websocketGatewayEndpoint;
+        this.webSubGatewayEndpoint = environment.webSubGatewayEndpoint;
+        this.isDefault = environment.isDefault;
+        this.id = environment.id;
+        this.uuid = environment.uuid;
+        this.name = environment.name;
+        this.displayName = environment.displayName;
+        this.description = environment.description;
+        this.isReadOnly = environment.isReadOnly;
+        this.vhosts = new ArrayList<>(environment.vhosts);
+        this.provider = environment.provider;
+        this.gatewayType = environment.gatewayType;
+        this.additionalProperties = new HashMap<>(environment.additionalProperties);
+        this.visibilityRoles = environment.visibilityRoles;
+        this.visibility = environment.visibility;
+    }
     private GatewayVisibilityPermissionConfigurationDTO permissions = new GatewayVisibilityPermissionConfigurationDTO();
 
     public boolean isDefault() {
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIAdminImpl.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIAdminImpl.java
@@ -69,6 +69,7 @@
 import org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO;
 import org.wso2.carbon.apimgt.impl.dao.LabelsDAO;
 import org.wso2.carbon.apimgt.impl.dao.constants.SQLConstants;
+import org.wso2.carbon.apimgt.impl.deployer.ExternalGatewayDeployer;
 import org.wso2.carbon.apimgt.impl.dto.ThrottleProperties;
 import org.wso2.carbon.apimgt.impl.dto.WorkflowProperties;
 import org.wso2.carbon.apimgt.impl.factory.PersistenceFactory;
@@ -157,6 +158,10 @@ public List<Environment> getAllEnvironments(String tenantDomain) throws APIManag
         // add read only environments first and dynamic environments later
         APIUtil.getReadOnlyEnvironments().values().stream().filter(env -> !dynamicEnvNames.contains(env.getName())).forEach(allEnvs::add);
         allEnvs.addAll(dynamicEnvs);
+
+        for (Environment env : allEnvs) {
+            decryptGatewayConfigurationValues(env);
+        }
         return allEnvs;
     }
 
@@ -175,6 +180,7 @@ public Environment getEnvironment(String tenantDomain, String uuid) throws APIMa
                 );
             }
         }
+        maskValues(env);
         return env;
     }
 
@@ -189,6 +195,8 @@ public Environment addEnvironment(String tenantDomain, Environment environment)
                             String.format("name '%s'", environment.getName())));
         }
         validateForUniqueVhostNames(environment);
+        Environment environmentToStore =  new Environment(environment);
+        encryptGatewayConfigurationValues(null, environmentToStore);
         return apiMgtDAO.addEnvironment(tenantDomain, environment);
     }
 
@@ -792,6 +800,31 @@ private void encryptKeyManagerConfigurationValues(KeyManagerConfigurationDTO ret
         }
     }
 
+    private void encryptGatewayConfigurationValues(Environment retrievedGatewayConfigurationDTO,
+                                                   Environment updatedGatewayConfigurationDto)
+            throws APIManagementException {
+
+        ExternalGatewayDeployer gatewayDeployer = ServiceReferenceHolder.getInstance()
+                .getExternalGatewayDeployer(updatedGatewayConfigurationDto.getGatewayType());
+        if (gatewayDeployer != null) {
+            Map<String, String> additionalProperties = updatedGatewayConfigurationDto.getAdditionalProperties();
+            for (ConfigurationDto configurationDto : gatewayDeployer.getConnectionConfigurations()) {
+                if (configurationDto.isMask()) {
+                    String value = additionalProperties.get(configurationDto.getName());
+                    if (APIConstants.DEFAULT_MODIFIED_ENDPOINT_PASSWORD.equals(value)) {
+                        if (retrievedGatewayConfigurationDTO != null) {
+                            String unModifiedValue = retrievedGatewayConfigurationDTO.getAdditionalProperties()
+                                    .get(configurationDto.getName());
+                            additionalProperties.replace(configurationDto.getName(), unModifiedValue);
+                        }
+                    } else if (StringUtils.isNotEmpty(value)) {
+                        additionalProperties.replace(configurationDto.getName(), String.valueOf(encryptValues(value)));
+                    }
+                }
+            }
+        }
+    }
+
     private KeyManagerConfigurationDTO decryptKeyManagerConfigurationValues(
             KeyManagerConfigurationDTO keyManagerConfigurationDTO)
             throws APIManagementException {
@@ -807,6 +840,20 @@ private KeyManagerConfigurationDTO decryptKeyManagerConfigurationValues(
         return keyManagerConfigurationDTO;
     }
 
+    private Environment decryptGatewayConfigurationValues(Environment environment)
+            throws APIManagementException {
+
+        Map<String, String> additionalProperties = environment.getAdditionalProperties();
+        for (Map.Entry<String, String> entry : additionalProperties.entrySet()) {
+            String key = entry.getKey();
+            Object value = entry.getValue();
+            if (value != null) {
+                additionalProperties.replace(key, String.valueOf(decryptValue(value)));
+            }
+        }
+        return environment;
+    }
+
     private Object decryptValue(Object value) throws APIManagementException {
 
         if (value instanceof String) {
@@ -1464,6 +1511,20 @@ private void maskValues(KeyManagerConfigurationDTO keyManagerConfigurationDTO) {
         }
     }
 
+    private void maskValues(Environment environment) {
+        ExternalGatewayDeployer gatewayDeployer = ServiceReferenceHolder.getInstance()
+                .getExternalGatewayDeployer(environment.getGatewayType());
+
+        Map<String, String> additionalProperties = environment.getAdditionalProperties();
+        List<ConfigurationDto> connectionConfigurations = gatewayDeployer.getConnectionConfigurations();
+        for (ConfigurationDto connectionConfiguration : connectionConfigurations) {
+            if (connectionConfiguration.isMask()) {
+                additionalProperties.replace(connectionConfiguration.getName(),
+                        APIConstants.DEFAULT_MODIFIED_ENDPOINT_PASSWORD);
+            }
+        }
+    }
+
     /**
      * The method converts the date into timestamp
      *
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/ApiMgtDAO.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/dao/ApiMgtDAO.java
@@ -15340,6 +15340,7 @@ public Environment getEnvironment(String tenantDomain, String uuid) throws APIMa
                     String displayName = rs.getString("DISPLAY_NAME");
                     String description = rs.getString("DESCRIPTION");
                     String provider = rs.getString("PROVIDER");
+                    String gatewayType = rs.getString("GATEWAY_TYPE");
                     Map<String, String> additionalProperties = new HashMap();
                     try (InputStream configuration = rs.getBinaryStream("CONFIGURATION")) {
                         if (configuration != null) {
@@ -15357,6 +15358,7 @@ public Environment getEnvironment(String tenantDomain, String uuid) throws APIMa
                     env.setDisplayName(displayName);
                     env.setDescription(description);
                     env.setProvider(provider);
+                    env.setGatewayType(gatewayType);
                     env.setVhosts(getVhostGatewayEnvironments(connection, id));
                     env.setPermissions(getGatewayVisibilityPermissions(uuid));
                     env.setAdditionalProperties(additionalProperties);
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/gen/java/org/wso2/carbon/apimgt/rest/api/admin/v1/EnvironmentsApi.java b/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/gen/java/org/wso2/carbon/apimgt/rest/api/admin/v1/EnvironmentsApi.java
@@ -54,6 +54,24 @@ public Response environmentsEnvironmentIdDelete(@ApiParam(value = "Environment U
         return delegate.environmentsEnvironmentIdDelete(environmentId, securityContext);
     }
 
+    @GET
+    @Path("/{environmentId}")
+    
+    @Produces({ "application/json" })
+    @ApiOperation(value = "Get a Gateway Environment Configuration", notes = "Retrieve a single Gateway Environment Configuration. We should provide the Id of the Environment as a path parameter. ", response = EnvironmentDTO.class, authorizations = {
+        @Authorization(value = "OAuth2Security", scopes = {
+            @AuthorizationScope(scope = "apim:admin", description = "Manage all admin operations"),
+            @AuthorizationScope(scope = "apim:environment_manage", description = "Manage gateway environments")
+        })
+    }, tags={ "Environments",  })
+    @ApiResponses(value = { 
+        @ApiResponse(code = 200, message = "OK. Gateway Environment Configuration returned ", response = EnvironmentDTO.class),
+        @ApiResponse(code = 404, message = "Not Found. The specified resource does not exist.", response = ErrorDTO.class),
+        @ApiResponse(code = 406, message = "Not Acceptable. The requested media type is not supported.", response = ErrorDTO.class) })
+    public Response environmentsEnvironmentIdGet(@ApiParam(value = "Environment UUID (or Environment name defined in config) ",required=true) @PathParam("environmentId") String environmentId) throws APIManagementException{
+        return delegate.environmentsEnvironmentIdGet(environmentId, securityContext);
+    }
+
     @PUT
     @Path("/{environmentId}")
     @Consumes({ "application/json" })
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/gen/java/org/wso2/carbon/apimgt/rest/api/admin/v1/EnvironmentsApiService.java b/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/gen/java/org/wso2/carbon/apimgt/rest/api/admin/v1/EnvironmentsApiService.java
@@ -23,6 +23,7 @@
 
 public interface EnvironmentsApiService {
       public Response environmentsEnvironmentIdDelete(String environmentId, MessageContext messageContext) throws APIManagementException;
+      public Response environmentsEnvironmentIdGet(String environmentId, MessageContext messageContext) throws APIManagementException;
       public Response environmentsEnvironmentIdPut(String environmentId, EnvironmentDTO environmentDTO, MessageContext messageContext) throws APIManagementException;
       public Response environmentsGet(MessageContext messageContext) throws APIManagementException;
       public Response environmentsPost(EnvironmentDTO environmentDTO, MessageContext messageContext) throws APIManagementException;
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/admin/v1/impl/EnvironmentsApiServiceImpl.java b/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/admin/v1/impl/EnvironmentsApiServiceImpl.java
@@ -59,6 +59,19 @@ public Response environmentsEnvironmentIdDelete(String environmentId, MessageCon
         return Response.ok().build();
     }
 
+    @Override
+    public Response environmentsEnvironmentIdGet(String environmentId, MessageContext messageContext) throws APIManagementException {
+        APIAdmin apiAdmin = new APIAdminImpl();
+        String organization = RestApiUtil.getValidatedOrganization(messageContext);
+        Environment environment = apiAdmin.getEnvironment(organization, environmentId);
+        if (environment != null) {
+            EnvironmentDTO environmentDTO = EnvironmentMappingUtil.fromEnvToEnvDTO(environment);
+            return Response.ok().entity(environmentDTO).build();
+        }
+        throw new APIManagementException("Requested Gateway Environment not found",
+                ExceptionCodes.GATEWAY_ENVIRONMENT_NOT_FOUND);
+    }
+
     /**
      * Update gateway environment
      *
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/main/resources/admin-api.yaml b/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/main/resources/admin-api.yaml
@@ -1943,6 +1943,41 @@ paths:
   # The "Individual Environment" resource APIs
   ######################################################
   /environments/{environmentId}:
+    get:
+      tags:
+        - Environments
+      summary: Get a Gateway Environment Configuration
+      description: |
+        Retrieve a single Gateway Environment Configuration. We should provide the Id of the Environment as a path parameter.
+      parameters:
+        - $ref: '#/components/parameters/environmentId'
+      responses:
+        200:
+          description: |
+            OK.
+            Gateway Environment Configuration returned
+          headers:
+            Content-Type:
+              description: |
+                The content type of the body.
+              schema:
+                type: string
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Environment'
+        404:
+          $ref: '#/components/responses/NotFound'
+        406:
+          $ref: '#/components/responses/NotAcceptable'
+      security:
+        - OAuth2Security:
+            - apim:admin
+            - apim:environment_manage
+      x-code-samples:
+        - lang: Curl
+          source: 'curl -k -H "Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8"
+          "https://127.0.0.1:9443/api/am/admin/v4/environments/8d263942-a6df-4cc2-a804-7a2525501450"'
     put:
       tags:
         - Environments
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.common/src/main/resources/admin-api.yaml b/components/apimgt/org.wso2.carbon.apimgt.rest.api.common/src/main/resources/admin-api.yaml
@@ -1943,6 +1943,41 @@ paths:
   # The "Individual Environment" resource APIs
   ######################################################
   /environments/{environmentId}:
+    get:
+      tags:
+        - Environments
+      summary: Get a Gateway Environment Configuration
+      description: |
+        Retrieve a single Gateway Environment Configuration. We should provide the Id of the Environment as a path parameter.
+      parameters:
+        - $ref: '#/components/parameters/environmentId'
+      responses:
+        200:
+          description: |
+            OK.
+            Gateway Environment Configuration returned
+          headers:
+            Content-Type:
+              description: |
+                The content type of the body.
+              schema:
+                type: string
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Environment'
+        404:
+          $ref: '#/components/responses/NotFound'
+        406:
+          $ref: '#/components/responses/NotAcceptable'
+      security:
+        - OAuth2Security:
+            - apim:admin
+            - apim:environment_manage
+      x-code-samples:
+        - lang: Curl
+          source: 'curl -k -H "Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8"
+          "https://127.0.0.1:9443/api/am/admin/v4/environments/8d263942-a6df-4cc2-a804-7a2525501450"'
     put:
       tags:
         - Environments
