├── .gitignore ├── LICENSE ├── NOTICE ├── README.md ├── apiproxy ├── edgemicro-auth.xml ├── policies │ ├── Access-App-Info-2.xml │ ├── Access-App-Info.xml │ ├── AccessTokenRequest.xml │ ├── Adjust-Quota.xml │ ├── Authenticate-Call.xml │ ├── AuthenticationError.xml │ ├── Create-OAuth-Request.xml │ ├── Create-Refresh-Request.xml │ ├── Delete-KVM-EMG-Keys.xml │ ├── Delete-KVM-Future-Keys.xml │ ├── DistributedQuota.xml │ ├── Extract-API-Key.xml │ ├── Extract-OAuth-Params.xml │ ├── Extract-Refresh-Params.xml │ ├── Extract-Rotate-Key-Params.xml │ ├── Extract-Upgrade-KVM-Params.xml │ ├── Generate-Access-Token.xml │ ├── Generate-JWK.xml │ ├── Generate-VerifyKey-Token.xml │ ├── Get-Future-Keys.xml │ ├── Get-Private-Keys.xml │ ├── Get-Public-Key.xml │ ├── Get-Public-Keys.xml │ ├── JavaCallout.xml │ ├── Lookup-Entity.xml │ ├── Lookup-Filter.xml │ ├── Populate-Entity.xml │ ├── Populate-Product-List.xml │ ├── Products-to-JSON-2.xml │ ├── Products-to-JSON.xml │ ├── Raise-Fault-Bad-Request.xml │ ├── Raise-Fault-Unknown-Request.xml │ ├── RefreshAccessToken.xml │ ├── ReturnVersion.xml │ ├── Rotate-Key.xml │ ├── Send-JWK-Message.xml │ ├── Send-Product-List.xml │ ├── Send-Public-Key.xml │ ├── Send-Rotate-Key-Response.xml │ ├── Send-Upgrade-KVM-Response.xml │ ├── Set-JWT-Variables.xml │ ├── Set-Quota-Response.xml │ ├── Set-Quota-Variables.xml │ ├── Set-Response.xml │ ├── Update-KVM-For-New-Keys.xml │ ├── Update-KVM-Future-Keys.xml │ ├── Update-KVM-Rotated-Keys.xml │ ├── Update-KVM-Upgraded-Keys.xml │ ├── Upgrade-KVM.xml │ ├── Validate-Future-Key-Nbf.xml │ ├── Validate-Params.xml │ └── Verify-API-Key.xml ├── proxies │ └── default.xml └── resources │ ├── java │ └── micro-gateway-products-javacallout-2.0.0.jar │ └── jsc │ ├── adjust-quota.js │ ├── generate-jwk.js │ ├── generate-verify-jwt.js │ ├── jsrsasign-all-min.js │ ├── jwt-initialization.js │ ├── rotate-key.js │ ├── send-jwk-response.js │ ├── send-product-list.js │ ├── send-public-key.js │ ├── send-rotate-key-response.js │ ├── 
send-upgrade-kvm-response.js │ ├── set-jwt-variables.js │ ├── set-quota-variables.js │ ├── set-response.js │ ├── upgrade-kvm.js │ ├── validate-future-key-nbf.js │ └── validate-params.js ├── npm-shrinkwrap.json └── package.json /.gitignore: -------------------------------------------------------------------------------- 1 | # Logs 2 | logs 3 | *.log 4 | npm-debug.log* 5 | 6 | # Runtime data 7 | pids 8 | *.pid 9 | *.seed 10 | 11 | # Directory for instrumented libs generated by jscoverage/JSCover 12 | lib-cov 13 | 14 | # Coverage directory used by tools like istanbul 15 | coverage 16 | 17 | # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) 18 | .grunt 19 | 20 | # node-waf configuration 21 | .lock-wscript 22 | 23 | # Compiled binary addons (http://nodejs.org/api/addons.html) 24 | build/Release 25 | 26 | # Dependency directory 27 | node_modules 28 | 29 | # Optional npm cache directory 30 | .npm 31 | 32 | # Optional REPL history 33 | .node_repl_history 34 | 35 | #Local files 36 | .DS_Store 37 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | edgemicro-auth 2 | Copyright 2016 Apigee Corporation. 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # edgemicro-auth 2 | edgemicro-auth is an open source project that implements the edgemicro-auth Apigee Edge proxy. 3 | 4 | When configuring [Apigee Edge Microgateway](http://docs.apigee.com/microgateway/content/edge-microgateway-home) (please refer to docs [here](http://docs.apigee.com/microgateway/latest/edge-microgateway-tutorial#Part1)), an 5 | Apigee Edge proxy called edgemicro-auth gets install on the org and environment. 
6 | 7 | The edgemicro-auth proxy provides four functions: 8 | * Provides a list of all products in the org (/products) 9 | * Provides a signed JWT if the API Key is valid (/verifyApiKey) 10 | * Provides the public key that can be used to validate the JWT (/publicKey) 11 | * Generates an access token, which is a signed JWT. Supports client_credentials grant type (/token) 12 | 13 | ## Purpose 14 | The original implementation is a node.js implementation which leverages volos plugins and Apigee a127. 15 | If no customizations are needed, then this implementation works just fine. Customizations that users 16 | frequently ask for include: 17 | * Include additional/custom claims in the JWT 18 | * Support for other grant types 19 | * Support for refresh tokens 20 | * Set custom expiry on tokens 21 | 22 | Although some of these customizations would have been possible by modifying the node.js implementation, 23 | this project reimplements the ENTIRE edgemicro-auth implementation using Apigee Edge policies. 24 | In addition to a 1:1 implementation, the customizations mentioned above are also implemented. 25 | 26 | ## Support 27 | This is an open-source project of the Apigee Corporation. It is not covered by Apigee support contracts. 28 | However, we will support you as best we can. For help, please open an issue in this GitHub project. 29 | You are also always welcome to submit a pull request. 30 | 31 | ### Certificate management and Setup 32 | The original implementation of edgemicro-auth uses Apigee's [secure storage](docs.apigee.com/api-services/content/using-secure-store). 33 | However, this implementation uses KVM entries to store the public key and the private key. The proxy expects a mapIdentifier called 'microgateway'. 34 | Contained within the 'microgateway' map is one entry called 'publicKey' holding the RSA public key and one entry called 'privateKey' 35 | holding the RSA private key. 36 | 37 | 38 | ### Customizations 39 | 40 | #### How do I set custom expiry?
41 | In the flow named 'Obtain Access Token' you'll find an Assign Message Policy called 'Create OAuth Request'. Change the value here: 42 | ``` 43 | 44 | token_expiry 45 | 300000 46 | 47 | ``` 48 | 49 | #### How do I add or modify claims? 50 | The "Obtain Access Token" flow has an Assign Message policy called "Add Custom Claims". This policy is disabled by default. 51 | After enabling the policy, you can add claims inside the policy. Here is a sample: 52 | ``` 53 | 54 | claims 55 | {"claim1": "abc", "claim2": "efg"} 56 | 57 | ``` 58 | The claims must be set as a JSON (stringified) in the claims variable. 59 | 60 | #### How can I get refresh tokens? 61 | The OAuth v2 policy supports the password grant. If a request is sent as below: 62 | ``` 63 | POST /token 64 | { 65 | "client_id":"foo", 66 | "client_secret":"foo", 67 | "grant_type":"password", 68 | "username":"blah", 69 | "password": "blah" 70 | } 71 | ``` 72 | If valid, the response will contain a refresh token. 73 | 74 | #### How do I refresh an access_token? 75 | Send a request as below: 76 | ``` 77 | POST /refresh 78 | { 79 | "grant_type": "refresh_token", 80 | "refresh_token": "foo", 81 | "client_id":"blah", 82 | "client_secret":"blah" 83 | } 84 | ``` 85 | If valid, the response will contain a new access_token. 86 | 87 | #### What grant types are supported? 88 | client_credentials, password and refresh_token 89 | Users can extend the Apigee OAuth v2 policy to add support for the remaining grant types. 90 | 91 | #### Support for JSON Web Keys 92 | Microgateway stores private keys and public keys in an encrypted kvm. The proxy exposes an endpoint '/jwkPublicKeys' to return public keys as JWK. 93 | * Support for "kid" - Key Identifiers.
If the KVM includes a field called 'private_key_kid' (value can be any string), the JWT header will include the "kid" 94 | ``` 95 | { 96 | "alg": "RS256", 97 | "typ": "JWT", 98 | "kid": "1" 99 | } 100 | 101 | * The "kid" can be leveraged during validation of the JWT (not yet implemented in microgateway) 102 | ``` 103 | ### Release Notes 104 | v2.4.13 - 3/1/19 105 | Bug Fix: Improve character escaping for JSON formatting 106 | -------------------------------------------------------------------------------- /apiproxy/edgemicro-auth.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | /edgemicro-auth 4 | 5 | edgemicro-auth 6 | edgemicro-auth 7 | 8 | 9 | Access-App-Info-2 10 | Access-App-Info 11 | AccessTokenRequest 12 | Adjust-Quota 13 | Authenticate-Call 14 | AuthenticationError 15 | Create-OAuth-Request 16 | Create-Refresh-Request 17 | DistributedQuota 18 | Extract-API-Key 19 | Extract-OAuth-Params 20 | Extract-Refresh-Params 21 | Generate-Access-Token 22 | Generate-JWK 23 | Generate-VerifyKey-Token 24 | Get-Private-Keys 25 | Get-Public-Key 26 | Get-Public-Keys 27 | JavaCallout 28 | Lookup-Entity 29 | Lookup-Filter 30 | Populate-Entity 31 | Populate-Product-List 32 | Products-to-JSON-2 33 | Products-to-JSON 34 | Raise-Fault-Unknown-Request 35 | RefreshAccessToken 36 | ReturnVersion 37 | Send-JWK-Message 38 | Send-Product-List 39 | Send-Public-Key 40 | Set-JWT-Variables 41 | Set-Quota-Response 42 | Set-Quota-Variables 43 | Set-Response 44 | Validate-Params 45 | Verify-API-Key 46 | Extract-Rotate-Key-Params 47 | Rotate-Key 48 | Update-KVM-Rotated-Keys 49 | Send-Rotate-Key-Response 50 | Extract-Upgrade-KVM-Params 51 | Upgrade-KVM 52 | Update-KVM-Upgraded-Keys 53 | Send-Upgrade-KVM-Response 54 | Delete-KVM-EMG-Keys 55 | Raise-Fault-Bad-Request 56 | Get-Future-Keys 57 | Update-KVM-For-New-Keys 58 | Update-KVM-Future-Keys 59 | Validate-Future-Key-Nbf 60 | Delete-KVM-Future-Keys 61 | 62 | 63 | default 64 | 65 | 66 | 
java://micro-gateway-products-javacallout-2.0.0.jar 67 | jsc://adjust-quota.js 68 | jsc://generate-jwk.js 69 | jsc://generate-verify-jwt.js 70 | jsc://jsrsasign-all-min.js 71 | jsc://jwt-initialization.js 72 | jsc://rotate-key.js 73 | jsc://send-jwk-response.js 74 | jsc://send-product-list.js 75 | jsc://send-public-key.js 76 | jsc://send-rotate-key-response.js 77 | jsc://send-upgrade-kvm-response.js 78 | jsc://set-jwt-variables.js 79 | jsc://set-quota-variables.js 80 | jsc://set-response.js 81 | jsc://upgrade-kvm.js 82 | jsc://validate-params.js 83 | 84 | 85 | 86 | 87 | 88 | 89 | -------------------------------------------------------------------------------- /apiproxy/policies/Access-App-Info-2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Access App Info 2 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /apiproxy/policies/Access-App-Info.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Access App Info 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /apiproxy/policies/AccessTokenRequest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | AccessTokenRequest 4 | 5 | 6 | 7 | 8 | FORM_PARAM 9 | 10 | 1800000 11 | false 12 | GenerateAccessToken 13 | 43200000 14 | 15 | FORM_PARAM 16 | 17 | true 18 | request.formparam.scope 19 | 20 | password 21 | client_credentials 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /apiproxy/policies/Adjust-Quota.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Adjust Quota 4 | 5 | 6 | jsc://adjust-quota.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Authenticate-Call.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | Authenticate Call 4 | 5 | 6 | 7 | 8 | 9 |
{request.header.Authorization}
10 |
11 | GET 12 | /edgemicro/authenticate/organization/{organization.name}/environment/{environment.name} 13 |
14 | false 15 |
16 | calloutResponse 17 | 18 | 19 | https://edgemicroservices.apigee.net 20 | 21 |
22 | -------------------------------------------------------------------------------- /apiproxy/policies/AuthenticationError.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | AuthenticationError 4 | 5 | 6 | 7 | 8 | 9 | 10 | { 11 | "error":"unauthorized", 12 | "error_description": "authentication failed @errText#" 13 | } 14 | 15 | 401 16 | Unauthorized 17 | 18 | 19 | true 20 | false 21 | 22 | -------------------------------------------------------------------------------- /apiproxy/policies/Create-OAuth-Request.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Create OAuth Request 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {client_id} 12 | {client_secret} 13 | {grant_type} 14 | {username} 15 | {password} 16 | {scp} 17 | 18 | /token 19 | 20 | 21 | token_expiry 22 | 1800000 23 | 24 | 25 | refresh_token_expiry 26 | 43200000 27 | 28 | true 29 | 30 | 31 | -------------------------------------------------------------------------------- /apiproxy/policies/Create-Refresh-Request.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Create Refresh Request 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {client_id} 12 | {client_secret} 13 | {refresh_token} 14 | {grant_type} 15 | 16 | /token 17 | 18 | 19 | token_expiry 20 | 1800000 21 | 22 | 23 | refresh_token_expiry 24 | 7200000 25 | 26 | true 27 | 28 | 29 | -------------------------------------------------------------------------------- /apiproxy/policies/Delete-KVM-EMG-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Delete Kvm 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | public_key2 12 | 13 | 14 | 15 | 16 | public_key2_kid 17 | 18 | 19 | environment 20 | 21 | -------------------------------------------------------------------------------- /apiproxy/policies/Delete-KVM-Future-Keys.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | Delete KVM Future Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | future_keys_nbf 12 | 13 | 14 | 15 | 16 | future_certficate 17 | 18 | 19 | 20 | 21 | future_private_key_kid 22 | 23 | 24 | 25 | 26 | future_private_key 27 | 28 | 29 | 30 | 31 | future_public_key1_kid 32 | 33 | 34 | 35 | 36 | future_public_key1 37 | 38 | 39 | 40 | 41 | future_public_key2_kid 42 | 43 | 44 | 45 | 46 | future_public_key2 47 | 48 | 49 | environment 50 | -------------------------------------------------------------------------------- /apiproxy/policies/DistributedQuota.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | DistributedQuota 4 | 5 | 6 | 7 | 8 | 9 | 10 | 5 11 | 100 12 | 13 | 14 | false 15 | true 16 | false 17 | 2019-10-10 12:00:00 18 | false 19 | 20 | 21 | -------------------------------------------------------------------------------- /apiproxy/policies/Extract-API-Key.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Extract API Key 4 | 5 | 6 |
7 | {proxyProto} 8 |
9 |
10 | {proxyHost} 11 |
12 | true 13 | 14 | 15 | $.apiKey 16 | 17 | 18 | request 19 |
20 | -------------------------------------------------------------------------------- /apiproxy/policies/Extract-OAuth-Params.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Extract OAuth Params 4 | 5 | 6 |
7 | {proxyProto} 8 |
9 |
10 | {proxyHost} 11 |
12 |
13 | Basic {clientCreds} 14 |
15 | 16 | {grant_type} 17 | 18 | 19 | {username} 20 | 21 | 22 | {password} 23 | 24 | 25 | {scp} 26 | 27 | true 28 | 29 | 30 | $.client_id 31 | 32 | 33 | $.client_id 34 | 35 | 36 | $.client_secret 37 | 38 | 39 | $.grant_type 40 | 41 | 42 | $.username 43 | 44 | 45 | $.password 46 | 47 | 48 | $.scope 49 | 50 | 51 | request 52 |
53 | -------------------------------------------------------------------------------- /apiproxy/policies/Extract-Refresh-Params.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Extract Refresh Params 4 | 5 | 6 |
7 | {proxyProto} 8 |
9 |
10 | {proxyHost} 11 |
12 | true 13 | 14 | 15 | $.client_id 16 | 17 | 18 | $.client_id 19 | 20 | 21 | $.client_secret 22 | 23 | 24 | $.refresh_token 25 | 26 | 27 | $.grant_type 28 | 29 | 30 | request 31 |
32 | -------------------------------------------------------------------------------- /apiproxy/policies/Extract-Rotate-Key-Params.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Extract Rotate Key Params 4 | 5 | 6 | true 7 | 8 | 9 | $.private_key_kid 10 | 11 | 12 | $.private_key 13 | 14 | 15 | $.public_key 16 | 17 | 18 | $.public_key1 19 | 20 | 21 | $.future_keys_nbf 22 | 23 | 24 | request 25 | 26 | -------------------------------------------------------------------------------- /apiproxy/policies/Extract-Upgrade-KVM-Params.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Extract Upgrade KVM Params 4 | 5 | 6 | true 7 | 8 | 9 | $.public_key 10 | 11 | 12 | request 13 | 14 | -------------------------------------------------------------------------------- /apiproxy/policies/Generate-Access-Token.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Generate Access Token 4 | 5 | 6 | Signed 7 | RS256 8 | true 9 | 10 | 11 | 12 | 13 | 14 | jwtmessage 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | microgateway 24 | false 25 | 1800000 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /apiproxy/policies/Generate-JWK.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Generate JWK 4 | 5 | 6 | jsc://jwt-initialization.js 7 | jsc://jsrsasign-all-min.js 8 | jsc://generate-jwk.js 9 | 10 | -------------------------------------------------------------------------------- /apiproxy/policies/Generate-VerifyKey-Token.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Generate VerifyKey Token 4 | 5 | 6 | Signed 7 | RS256 8 | false 9 | 10 | 11 | 12 | 13 | 14 | jwtmessage 15 | 16 | 17 | 18 | 19 | 20 | 21 | microgateway 22 | false 23 | 1800000 24 | 25 | 26 | 27 | 
-------------------------------------------------------------------------------- /apiproxy/policies/Get-Future-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Get Future Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | future_keys_nbf 12 | 13 | 14 | 15 | 16 | future_private_key 17 | 18 | 19 | 20 | 21 | future_private_key_kid 22 | 23 | 24 | 25 | 26 | future_certficate 27 | 28 | 29 | 30 | 31 | future_public_key1_kid 32 | 33 | 34 | 35 | 36 | future_public_key1 37 | 38 | 39 | 40 | 41 | future_public_key2_kid 42 | 43 | 44 | 45 | 46 | future_public_key2 47 | 48 | 49 | environment 50 | -------------------------------------------------------------------------------- /apiproxy/policies/Get-Private-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Get Private Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | private_key 12 | 13 | 14 | 15 | 16 | private_key_kid 17 | 18 | 19 | environment 20 | -------------------------------------------------------------------------------- /apiproxy/policies/Get-Public-Key.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Get Public Key 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | public_key 12 | 13 | 14 | environment 15 | 16 | -------------------------------------------------------------------------------- /apiproxy/policies/Get-Public-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Get Public Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | public_key1 12 | 13 | 14 | 15 | 16 | public_key2 17 | 18 | 19 | 20 | 21 | public_key1_kid 22 | 23 | 24 | 25 | 26 | public_key2_kid 27 | 28 | 29 | environment 30 | 31 | -------------------------------------------------------------------------------- /apiproxy/policies/JavaCallout.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | JavaCallout 4 | 5 | 6 | 
io.apigee.microgateway.javacallout.Callout 7 | java://micro-gateway-products-javacallout-2.0.0.jar 8 | 9 | -------------------------------------------------------------------------------- /apiproxy/policies/Lookup-Entity.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Lookup Entity 4 | 5 | 6 | 7 | 8 | 9 | Exclusive 10 | apiCredential 11 | 12 | -------------------------------------------------------------------------------- /apiproxy/policies/Lookup-Filter.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Lookup Filter 4 | 5 | 6 | 7 | 8 | 9 | Exclusive 10 | productlist 11 | 12 | -------------------------------------------------------------------------------- /apiproxy/policies/Populate-Entity.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Populate Entity 4 | 5 | 6 | 7 | 8 | 9 | Exclusive 10 | 11 | 3600 12 | 13 | apiCredential 14 | 15 | -------------------------------------------------------------------------------- /apiproxy/policies/Populate-Product-List.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Populate Product List 4 | 5 | 6 | 7 | 8 | 9 | 10 | Exclusive 11 | 12 | 3600 13 | 14 | response.content 15 | 16 | -------------------------------------------------------------------------------- /apiproxy/policies/Products-to-JSON-2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Products to JSON 2 4 | 5 | 6 | 7 | false 8 | false 9 | false 10 | false 11 | 12 | 0 13 | 14 | Credentials/Credential 15 | Credentials/Credential/ApiProducts/ApiProduct 16 | 17 | 18 | apiCredential 19 | AccessEntity.ChildNodes.Access-App-Info-2.App.Credentials 20 | 21 | -------------------------------------------------------------------------------- /apiproxy/policies/Products-to-JSON.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | Products to JSON 4 | 5 | 6 | 7 | false 8 | false 9 | false 10 | false 11 | 12 | 0 13 | 14 | Credentials/Credential 15 | Credentials/Credential/ApiProducts/ApiProduct 16 | 17 | 18 | apiCredential 19 | AccessEntity.ChildNodes.Access-App-Info.App.Credentials 20 | 21 | -------------------------------------------------------------------------------- /apiproxy/policies/Raise-Fault-Bad-Request.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Raise Fault Forbidden Request 4 | 5 | 6 | 7 | 8 | 9 | 10 | { 11 | "error":"Bad Request", 12 | "error_description": "@errText#" 13 | } 14 | 15 | 400 16 | Bad Request 17 | 18 | 19 | true 20 | false 21 | 22 | -------------------------------------------------------------------------------- /apiproxy/policies/Raise-Fault-Unknown-Request.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Raise Fault-Unknown-Request 4 | 5 | 6 | 7 | 8 | 9 | 10 | { 11 | "error":"invalid_request", 12 | "error_description": "invalid request" 13 | } 14 | 15 | 400 16 | Bad Request 17 | 18 | 19 | true 20 | false 21 | 22 | -------------------------------------------------------------------------------- /apiproxy/policies/RefreshAccessToken.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | RefreshAccessToken 4 | 5 | 6 | 7 | 8 | FORM_PARAM 9 | 10 | 1800000 11 | false 12 | RefreshAccessToken 13 | 14 | FORM_PARAM 15 | 16 | true 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /apiproxy/policies/ReturnVersion.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | ReturnVersion 4 | 5 | 6 | 7 | response.status.code 8 | 200 9 | 10 | 11 | response.content 12 | 1.1.0 13 | 14 | 15 | response.header.Content-Type 16 | text/plain 17 | 18 | true 19 | 20 | 
21 | -------------------------------------------------------------------------------- /apiproxy/policies/Rotate-Key.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Rotate Key 4 | 5 | 6 | jsc://rotate-key.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Send-JWK-Message.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Send JWK Message 4 | 5 | 6 | jsc://send-jwk-response.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Send-Product-List.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Send Product List 4 | 5 | 6 | jsc://send-product-list.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Send-Public-Key.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Send Public Key 4 | 5 | 6 | jsc://send-public-key.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Send-Rotate-Key-Response.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Send Rotate Key Response 4 | 5 | 6 | jsc://send-rotate-key-response.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Send-Upgrade-KVM-Response.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Send Upgrade KVM Response 4 | 5 | 6 | jsc://send-upgrade-kvm-response.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Set-JWT-Variables.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Set JWT Variables 4 | 5 | 10 | jsc://set-jwt-variables.js 11 | 12 | 
-------------------------------------------------------------------------------- /apiproxy/policies/Set-Quota-Response.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Set Quota Response 4 | 5 | 6 | 7 | 8 | 9 | 10 | { 11 | "allowed": @ratelimit.DistributedQuota.allowed.count#, 12 | "used": @ratelimit.DistributedQuota.used.count#, 13 | "exceeded": @ratelimit.DistributedQuota.exceed.count#, 14 | "available": @ratelimit.DistributedQuota.available.count#, 15 | "expiryTime": @ratelimit.DistributedQuota.expiry.time#, 16 | "timestamp": @system.timestamp#@debugMpId# 17 | } 18 | 19 | true 20 | 21 | 22 | -------------------------------------------------------------------------------- /apiproxy/policies/Set-Quota-Variables.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Set Quota Variables 4 | 5 | 6 | jsc://set-quota-variables.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Set-Response.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Set Response 4 | 5 | 6 | jsc://set-response.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Update-KVM-For-New-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Update KVM For New Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | private_key 12 | 13 | 14 | 15 | 16 | 17 | private_key_kid 18 | 19 | 20 | 21 | 22 | 23 | public_key 24 | 25 | 26 | 27 | 28 | 29 | public_key1 30 | 31 | 32 | 33 | 34 | 35 | public_key1_kid 36 | 37 | 38 | 39 | 40 | 41 | public_key2 42 | 43 | 44 | 45 | 46 | 47 | public_key2_kid 48 | 49 | 50 | 51 | 52 | 53 | future_keys_nbf 54 | 55 | 56 | 57 | 58 | future_certficate 59 | 60 | 61 | 62 | 63 | future_private_key_kid 64 | 65 | 66 | 67 | 68 | future_private_key 69 | 70 | 71 | 72 | 73 | future_public_key1_kid 74 
| 75 | 76 | 77 | 78 | future_public_key1 79 | 80 | 81 | 82 | 83 | future_public_key2_kid 84 | 85 | 86 | 87 | 88 | future_public_key2 89 | 90 | 91 | environment 92 | -------------------------------------------------------------------------------- /apiproxy/policies/Update-KVM-Future-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Update KVM For Future Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | future_private_key 12 | 13 | 14 | 15 | 16 | 17 | future_private_key_kid 18 | 19 | 20 | 21 | 22 | 23 | future_certficate 24 | 25 | 26 | 27 | 28 | 29 | future_keys_nbf 30 | 31 | 32 | 33 | 34 | 35 | future_public_key1_kid 36 | 37 | 38 | 39 | 40 | 41 | future_public_key1 42 | 43 | 44 | 45 | 46 | 47 | future_public_key2_kid 48 | 49 | 50 | 51 | 52 | 53 | future_public_key2 54 | 55 | 56 | 57 | 58 | 59 | public_key2_kid 60 | 61 | 62 | 63 | 64 | 65 | public_key2 66 | 67 | 68 | 69 | environment 70 | -------------------------------------------------------------------------------- /apiproxy/policies/Update-KVM-Rotated-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Update KVM For Rotated Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | private_key 12 | 13 | 14 | 15 | 16 | 17 | private_key_kid 18 | 19 | 20 | 21 | 22 | 23 | public_key 24 | 25 | 26 | 27 | 28 | 29 | public_key1_kid 30 | 31 | 32 | 33 | 34 | 35 | public_key1 36 | 37 | 38 | 39 | 40 | 41 | public_key2_kid 42 | 43 | 44 | 45 | 46 | 47 | public_key2 48 | 49 | 50 | 51 | environment 52 | 53 | -------------------------------------------------------------------------------- /apiproxy/policies/Update-KVM-Upgraded-Keys.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Update KVM For Upgraded Keys 4 | 5 | 6 | false 7 | -1 8 | 9 | 10 | 11 | private_key_kid 12 | 13 | 14 | 15 | 16 | 17 | public_key1_kid 18 | 19 | 20 | 21 | 22 | 23 | public_key1 24 | 25 | 26 | 27 | environment 28 | 29 
| -------------------------------------------------------------------------------- /apiproxy/policies/Upgrade-KVM.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Upgrade KVM 4 | 5 | 6 | jsc://upgrade-kvm.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Validate-Future-Key-Nbf.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Validate Future Key Nbf 4 | 5 | 6 | jsc://validate-future-key-nbf.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Validate-Params.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Validate Params 4 | 5 | 6 | jsc://validate-params.js 7 | 8 | -------------------------------------------------------------------------------- /apiproxy/policies/Verify-API-Key.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | Verify API Key 4 | 5 | 6 | 7 | (fault.name="InvalidApiKey") 8 | 9 | fault_invalid_key 10 | 11 | 12 | (fault.name="FailedToResolveAPIKey") 13 | 14 | fault_missing_key 15 | 16 | 17 | (fault.name="InvalidApiKeyForGivenResource") 18 | 19 | fault_insufficient_key_permissions 20 | 21 | 22 | (fault.name="ApiKeyNotApproved") 23 | 24 | fault_key_not_approved 25 | 26 | 27 | (fault.name="invalid_client-app_not_approved") 28 | 29 | fault_invalid_client_app 30 | 31 | 32 | (fault.name="DeveloperStatusNotActive") 33 | 34 | fault_developer_inactive 35 | 36 | 37 | (fault.name="CompanyStatusNotActive") 38 | 39 | fault_company_inactive 40 | 41 | 42 | 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /apiproxy/proxies/default.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | (fault.name Matches "ExecutionFailed") 7 | 8 | 
(calloutResponse.status.code = "401") 9 | AuthenticationError 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | Get-Public-Key 21 | 22 | 23 | 24 | Send-Public-Key 25 | 26 | 27 | (proxy.pathsuffix MatchesPath "/publicKey") and (request.verb = "GET") 28 | 29 | 30 | 31 | 32 | 33 | request.header.Authorization is null 34 | 35 | AuthenticationError 36 | 37 | 38 | 39 | Authenticate-Call 40 | 41 | 42 | 43 | Extract-Upgrade-KVM-Params 44 | 45 | 46 | 47 | Get-Private-Keys 48 | 49 | 50 | 51 | Get-Future-Keys 52 | 53 | 54 | 55 | Get-Public-Key 56 | 57 | 58 | 59 | Get-Public-Keys 60 | 61 | 62 | 63 | Upgrade-KVM 64 | 65 | 66 | errText isnot null 67 | 68 | Raise-Fault-Bad-Request 69 | 70 | 71 | 72 | Update-KVM-Upgraded-Keys 73 | 74 | 75 | deletePublicKey2 = true 76 | 77 | Delete-KVM-EMG-Keys 78 | 79 | 80 | deleteFutureKeys = true 81 | 82 | Delete-KVM-Future-Keys 83 | 84 | 85 | 86 | 87 | 88 | Send-Upgrade-KVM-Response 89 | 90 | 91 | (proxy.pathsuffix MatchesPath "/upgradeKvm") and (request.verb = "POST") 92 | 93 | 94 | 95 | 96 | 97 | request.header.Authorization is null 98 | 99 | AuthenticationError 100 | 101 | 102 | 103 | Authenticate-Call 104 | 105 | 106 | 107 | Extract-Rotate-Key-Params 108 | 109 | 110 | 111 | Get-Private-Keys 112 | 113 | 114 | 115 | Get-Future-Keys 116 | 117 | 118 | 119 | Get-Public-Key 120 | 121 | 122 | 123 | Get-Public-Keys 124 | 125 | 126 | 127 | Rotate-Key 128 | 129 | 130 | errText isnot null 131 | 132 | Raise-Fault-Bad-Request 133 | 134 | 135 | nbf = false 136 | 137 | Update-KVM-Rotated-Keys 138 | 139 | 140 | nbf = true 141 | 142 | Update-KVM-Future-Keys 143 | 144 | 145 | 146 | 147 | 148 | Send-Rotate-Key-Response 149 | 150 | 151 | (proxy.pathsuffix MatchesPath "/rotateKey") and (request.verb = "POST") 152 | 153 | 154 | 155 | 156 | 157 | request.header.Authorization is null 158 | 159 | AuthenticationError 160 | 161 | 162 | 163 | Authenticate-Call 164 | 165 | 166 | 167 | Extract-API-Key 168 | 169 | 170 | 171 | Verify-API-Key 172 | 173 | 174 | 175 | 
Lookup-Entity 176 | 177 | 178 | lookupcache.Lookup-Entity.cachehit = false 179 | 180 | Access-App-Info-2 181 | 182 | 183 | lookupcache.Lookup-Entity.cachehit = false 184 | 185 | Products-to-JSON-2 186 | 187 | 188 | lookupcache.Lookup-Entity.cachehit = false 189 | 190 | Populate-Entity 191 | 192 | 193 | 194 | Get-Private-Keys 195 | 196 | 197 | 198 | Get-Future-Keys 199 | 200 | 201 | 202 | Get-Public-Keys 203 | 204 | 205 | 206 | Validate-Future-Key-Nbf 207 | 208 | 209 | applyNewKey = true 210 | 211 | Update-KVM-For-New-Keys 212 | 213 | 214 | 215 | Set-JWT-Variables 216 | 217 | 218 | 219 | Generate-VerifyKey-Token 220 | 221 | 222 | 223 | 224 | 225 | Set-Response 226 | 227 | 228 | (proxy.pathsuffix MatchesPath "/verifyApiKey") and (request.verb = "POST") 229 | 230 | 231 | 232 | 233 | 234 | request.header.Authorization is null 235 | 236 | AuthenticationError 237 | 238 | 239 | 240 | Authenticate-Call 241 | 242 | 243 | 244 | Lookup-Filter 245 | 246 | 247 | 248 | 249 | lookupcache.Lookup-Filter.cachehit = false 250 | 251 | JavaCallout 252 | 253 | 254 | lookupcache.Lookup-Filter.cachehit = false 255 | 256 | Populate-Product-List 257 | 258 | 259 | lookupcache.Lookup-Filter.cachehit = true 260 | 261 | Send-Product-List 262 | 263 | 264 | (proxy.pathsuffix MatchesPath "/products") and (request.verb = "GET") 265 | 266 | 267 | 268 | 269 | 270 | 271 | Extract-OAuth-Params 272 | 273 | 274 | 275 | Validate-Params 276 | 277 | 278 | errText isnot null 279 | 280 | AuthenticationError 281 | 282 | 283 | 284 | Verify-API-Key 285 | 286 | 287 | 288 | Create-OAuth-Request 289 | 290 | 291 | 292 | Access-App-Info 293 | 294 | 295 | 296 | Products-to-JSON 297 | 298 | 299 | 300 | AccessTokenRequest 301 | 302 | 303 | oauthV2.AccessTokenRequest.failed is true 304 | 305 | Raise-Fault-Unknown-Request 306 | 307 | 308 | 309 | Get-Private-Keys 310 | 311 | 312 | 313 | Get-Future-Keys 314 | 315 | 316 | 317 | Get-Public-Keys 318 | 319 | 320 | 321 | Validate-Future-Key-Nbf 322 | 323 | 324 | applyNewKey = 
true 325 | 326 | Update-KVM-For-New-Keys 327 | 328 | 329 | 330 | Set-JWT-Variables 331 | 332 | 333 | 334 | Generate-Access-Token 335 | 336 | 337 | 338 | 339 | 340 | Set-Response 341 | 342 | 343 | (proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST") 344 | 345 | 346 | 347 | 348 | 349 | 350 | Extract-Refresh-Params 351 | 352 | 353 | 354 | Create-Refresh-Request 355 | 356 | 357 | 358 | Access-App-Info 359 | 360 | 361 | 362 | Products-to-JSON 363 | 364 | 365 | 366 | RefreshAccessToken 367 | 368 | 369 | 370 | Get-Private-Keys 371 | 372 | 373 | 374 | Get-Future-Keys 375 | 376 | 377 | 378 | Get-Public-Keys 379 | 380 | 381 | 382 | Validate-Future-Key-Nbf 383 | 384 | 385 | applyNewKey = true 386 | 387 | Update-KVM-For-New-Keys 388 | 389 | 390 | 391 | Set-JWT-Variables 392 | 393 | 394 | 395 | Generate-Access-Token 396 | 397 | 398 | 399 | 400 | 401 | Set-Response 402 | 403 | 404 | (proxy.pathsuffix MatchesPath "/refresh") and (request.verb = "POST") 405 | 406 | 407 | This flow returns public keys as JWK 408 | 409 | 410 | 411 | Get-Public-Keys 412 | 413 | 414 | 415 | Generate-JWK 416 | 417 | 418 | 419 | 420 | 421 | Send-JWK-Message 422 | 423 | 424 | (proxy.pathsuffix MatchesPath "/jwkPublicKeys") and (request.verb = "GET") 425 | 426 | 427 | 428 | 429 | 430 | 431 | ReturnVersion 432 | 433 | 434 | (proxy.pathsuffix MatchesPath "/v2/version") and (request.verb = "GET") 435 | 436 | 437 | 438 | 439 | request.header.Authorization is null 440 | 441 | AuthenticationError 442 | 443 | 444 | 445 | Authenticate-Call 446 | 447 | 448 | 449 | Set-Quota-Variables 450 | 451 | 452 | 453 | DistributedQuota 454 | 455 | 456 | 457 | Adjust-Quota 458 | 459 | 460 | 461 | 462 | 463 | Set-Quota-Response 464 | 465 | 466 | (proxy.pathsuffix MatchesPath "/v2/quotas**") and (request.verb = "POST") 467 | 468 | 469 | Unknown Request 470 | 471 | 472 | 473 | Raise-Fault-Unknown-Request 474 | 475 | 476 | 477 | 478 | 479 | 480 | 481 | 482 | 483 | 484 | 485 | 486 | 487 | 488 | /edgemicro-auth 489 | 
490 | secure 491 | 492 | 493 | -------------------------------------------------------------------------------- /apiproxy/resources/java/micro-gateway-products-javacallout-2.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apigee/microgateway-edgeauth/1ccf0646ce445d91de9f1d68278f42fb3a5ef5bb/apiproxy/resources/java/micro-gateway-products-javacallout-2.0.0.jar -------------------------------------------------------------------------------- /apiproxy/resources/jsc/adjust-quota.js: -------------------------------------------------------------------------------- 1 | var debugMpId = context.getVariable("debug.mp.id"); 2 | if(debugMpId) { 3 | context.setVariable("debugMpId", ",\n\"debugMpId\" : \""+ context.getVariable("system.uuid")+ "\""); 4 | } 5 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/generate-jwk.js: -------------------------------------------------------------------------------- 1 | // Copyright 2018 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | const alg = "RS256"; 16 | const use = "sig"; 17 | var publicKey1 = context.getVariable("private.publicKey1"); 18 | var publicKey2 = context.getVariable("private.publicKey2"); 19 | var certificatelist = {}; 20 | 21 | certificatelist.keys = []; 22 | 23 | if (!publicKey1 && !publicKey2) { 24 | throw Error("No public keys found"); 25 | } 26 | 27 | if (publicKey1) { 28 | var key1 = KEYUTIL.getKey(publicKey1); 29 | var jwk1 = KEYUTIL.getJWKFromKey(key1); 30 | var public_key1_kid = context.getVariable("private.public_key1_kid") || null; 31 | jwk1.alg = alg; 32 | jwk1.use = use; 33 | if (public_key1_kid !== null) { 34 | jwk1.kid = public_key1_kid; 35 | } 36 | certificatelist.keys.push(jwk1); 37 | } 38 | 39 | if (publicKey2) { 40 | var key2 = KEYUTIL.getKey(publicKey2); 41 | var jwk2 = KEYUTIL.getJWKFromKey(key2); 42 | var public_key2_kid = context.getVariable("private.public_key2_kid") || null; 43 | jwk2.alg = alg; 44 | jwk2.use = use; 45 | if (public_key2_kid !== null) { 46 | jwk2.kid = public_key2_kid; 47 | } 48 | certificatelist.keys.push(jwk2); 49 | } 50 | 51 | context.setVariable("jwkmessage", JSON.stringify(certificatelist)); 52 | 53 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/generate-verify-jwt.js: -------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | The MIT License (MIT) 3 | 4 | Copyright (c) 2016 Apigee Corporation 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | 
The above copyright notice and this permission notice shall be included in 14 | all copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 22 | THE SOFTWARE. 23 | ****************************************************************************/ 24 | const alg = 'RS256'; 25 | const typ = 'JWT'; 26 | 27 | //private key used for signing JWT 28 | var key = context.getVariable("private.privateKey"); 29 | 30 | //get api product list 31 | var apiProducts = JSON.parse(context.getVariable('apiProducts')).ApiProducts.ApiProduct || []; 32 | 33 | var apiProductsList = []; 34 | //get only the product name; status is not used/sent 35 | apiProducts.forEach(function(apiProduct){ 36 | apiProductsList.push(apiProduct.Name); 37 | }); 38 | 39 | //build jwt claims 40 | var token_payload = { 41 | "application_name": context.getVariable("apigee.developer.app.name"), 42 | "client_id": context.getVariable("apigee.client_id"), 43 | "scopes": [], 44 | "api_product_list": apiProductsList, 45 | "iat": (new Date()).getTime(), 46 | "aud": ["microgateway"], 47 | "iss": context.getVariable("proxyProto") + "://" + context.getVariable("proxyHost") + context.getVariable("proxy.basepath")+context.getVariable("proxy.pathsuffix"), 48 | //create a unique identifier as per https://stackoverflow.com/questions/105034/create-guid-uuid-in-javascript 49 | "jti": 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) { 50 | var r = Math.random()*16|0, v = c == 'x' ? 
r : (r&0x3|0x8); 51 | return v.toString(16); 52 | }) 53 | }; 54 | 55 | //build jwt header 56 | var token_header = { 57 | "typ": typ, 58 | "alg": alg 59 | }; 60 | 61 | //prepare response object 62 | var jws = { 63 | token: context.getVariable("jwt_jwt") 64 | }; 65 | 66 | //send response 67 | context.setVariable("response.header.Content-Type","application/json"); 68 | context.setVariable("response.header.Cache-Control","no-store"); 69 | context.setVariable("response.content", JSON.stringify(jws)); 70 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/jwt-initialization.js: -------------------------------------------------------------------------------- 1 | // Copyright 2018 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | /* 16 | * 17 | * A dummy navigator object - jsrasign expects to be running in a browser and expects 18 | * these to be in the global namespace 19 | * 20 | */ 21 | 22 | var navigator = navigator || {appName : ''}; 23 | var window = window || {}; 24 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/rotate-key.js: -------------------------------------------------------------------------------- 1 | var privateKey = context.getVariable("private.privateKey"); 2 | var cert = context.getVariable("private.publicKey"); 3 | var privateKeyKid = context.getVariable("private.private_key_kid"); 4 | var publicKey1Kid = context.getVariable("private.public_key1_kid"); 5 | var publicKey1 = context.getVariable("private.publicKey1"); 6 | 7 | validateKvm(); 8 | 9 | function validateKvm() { 10 | var newPrivateKey = context.getVariable('private_key') || ''; 11 | var newPrivateKeyKid = context.getVariable('private_key_kid') || ''; 12 | var newPublicKey = context.getVariable('public_key') || ''; 13 | var newPublicKey1 = context.getVariable('public_key1') || ''; 14 | var futureKeysNbf = context.getVariable('future_keys_nbf') || ''; 15 | 16 | if(privateKey === null || privateKey === '') { 17 | context.setVariable('errText', 'privateKey does not exist in kvm, Please run configure command'); 18 | return; 19 | } 20 | if(cert === null || cert === '') { 21 | context.setVariable('errText', 'publicKey does not exist in kvm, Please run configure command'); 22 | return; 23 | } 24 | if(privateKeyKid === null || privateKeyKid === '' ) { 25 | context.setVariable('errText', 'private_key_kid does not exist in kvm, Please run upgradekvm command'); 26 | return; 27 | } 28 | if(publicKey1Kid === null || publicKey1Kid === '') { 29 | context.setVariable('errText', 'public_key1_kid does not exist in kvm, Please run upgradekvm command'); 30 | return; 31 | }else{ 32 | context.setVariable('oldPublicKeyKid', publicKey1Kid); 33 | } 34 | if(publicKey1 
=== null || publicKey1 === '') { 35 | context.setVariable('errText', 'publicKey1 does not exist in kvm, Please run upgradekvm command'); 36 | return; 37 | }else{ 38 | context.setVariable('oldPublicKey', publicKey1); 39 | } 40 | if(newPrivateKey === null || newPrivateKey === '') { 41 | context.setVariable('errText', 'private_key is required'); 42 | return; 43 | }else{ 44 | context.setVariable('newPrivateKey', newPrivateKey); 45 | } 46 | if(newPublicKey === null || newPublicKey === '') { 47 | context.setVariable('errText', 'public_key is required'); 48 | return; 49 | }else{ 50 | context.setVariable('newPublicKey', newPublicKey); 51 | } 52 | if(newPublicKey1 === null || newPublicKey1 === '') { 53 | context.setVariable('errText', 'public_key1 is required'); 54 | return; 55 | }else{ 56 | context.setVariable('newPublicKey1', newPublicKey1); 57 | } 58 | if(futureKeysNbf) { 59 | //adding timestamp 60 | var updatedFutureKeysNbf = Date.now() + parseInt(futureKeysNbf); 61 | context.setVariable('nbf', true); 62 | context.setVariable('futureKeysNbf', updatedFutureKeysNbf.toString()); 63 | }else{ 64 | context.setVariable('nbf', false); 65 | } 66 | if(newPrivateKeyKid === null || newPrivateKeyKid === '') { 67 | //adding timestamp 68 | newPrivateKeyKid = Date.now(); 69 | context.setVariable('newPrivateKeyKid', newPrivateKeyKid.toString()); 70 | }else if(privateKeyKid == newPrivateKeyKid){ 71 | //adding timestamp 72 | newPrivateKeyKid = Date.now(); 73 | context.setVariable('newPrivateKeyKid', newPrivateKeyKid.toString()); 74 | context.setVariable('responseMessage', 'The kid : ' + privateKeyKid + ' already exists, ' + 'Key Rotation completed with kid : ' + newPrivateKeyKid); 75 | }else{ 76 | context.setVariable('newPrivateKeyKid', newPrivateKeyKid); 77 | } 78 | } -------------------------------------------------------------------------------- /apiproxy/resources/jsc/send-jwk-response.js: -------------------------------------------------------------------------------- 1 | // 
Copyright 2018 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | //send response 16 | context.setVariable("response.header.Content-Type","application/json"); 17 | context.setVariable("response.header.Cache-Control","no-store"); 18 | context.setVariable("response.content", context.getVariable("jwkmessage")); 19 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/send-product-list.js: -------------------------------------------------------------------------------- 1 | // Copyright 2018 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | //send response 16 | context.setVariable("response.header.Content-Type","application/json"); 17 | context.setVariable("response.header.Cache-Control","no-store"); 18 | context.setVariable("response.header.Pragma","no-cache"); 19 | context.setVariable("response.content", context.getVariable("productlist")); 20 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/send-public-key.js: -------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | The MIT License (MIT) 3 | 4 | Copyright (c) 2016 Apigee Corporation 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in 14 | all copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 22 | THE SOFTWARE. 
23 | ****************************************************************************/ 24 | 25 | //send response 26 | context.setVariable("response.header.Content-Type","text/plain"); 27 | context.setVariable("response.header.Cache-Control","no-store"); 28 | context.setVariable("response.content", unescape(context.getVariable("private.publicKey"))); 29 | context.setVariable("response.status.code", 200); 30 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/send-rotate-key-response.js: -------------------------------------------------------------------------------- 1 | //send response 2 | var message = context.getVariable('responseMessage') || 'Key Rotation successfully completed!'; 3 | context.setVariable("response.header.Content-Type","text/plain"); 4 | context.setVariable("response.header.Cache-Control","no-store"); 5 | context.setVariable("response.content", message); 6 | context.setVariable("response.status.code", 200); -------------------------------------------------------------------------------- /apiproxy/resources/jsc/send-upgrade-kvm-response.js: -------------------------------------------------------------------------------- 1 | //send response 2 | var message = 'KVM update complete'; 3 | context.setVariable("response.header.Content-Type","text/plain"); 4 | context.setVariable("response.header.Cache-Control","no-store"); 5 | context.setVariable("response.content", message); 6 | context.setVariable("response.status.code", 200); -------------------------------------------------------------------------------- /apiproxy/resources/jsc/set-jwt-variables.js: -------------------------------------------------------------------------------- 1 | // Copyright 2018 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | var apiCredential = JSON.parse(context.getVariable('apiCredential')); 16 | //{"Credentials":{"Credential":[{"Attributes":{},"ConsumerKey":"xxx","ConsumerSecret":"xx","ExpiresAt":"-1","IssuedAt":"1530046158362","ApiProducts":{"ApiProduct":{"Name":"details product","Status":"approved"}},"Scopes":{},"Status":"approved"}]}} 17 | var credentials = apiCredential.Credentials.Credential; 18 | 19 | var allowedStatus = properties.allowProductStatus; 20 | var productAllowedStatus=[]; 21 | 22 | try{ 23 | productAllowedStatus = allowedStatus.toLowerCase().split(','); 24 | }catch (err) { 25 | } 26 | 27 | var apiProductsList = []; 28 | try { 29 | var apiKey = context.getVariable('apikey').trim(); 30 | credentials.forEach(function(credential) { 31 | if (credential.ConsumerKey == apiKey) { 32 | credential.ApiProducts.ApiProduct.forEach(function(apiProduct){ 33 | if(productAllowedStatus && productAllowedStatus.length>0){ 34 | if(productAllowedStatus.indexOf(apiProduct.Status.toLowerCase()) != -1){ 35 | apiProductsList.push(apiProduct.Name); 36 | } 37 | }else{ 38 | apiProductsList.push(apiProduct.Name); 39 | } 40 | }); 41 | } 42 | }); 43 | } catch (err) { 44 | print(err); 45 | } 46 | 47 | var scope = context.getVariable("oauthv2accesstoken.AccessTokenRequest.scope"); 48 | if (scope) { 49 | var scopearr = scope.split(" "); 50 | context.setVariable("scp", scopearr.join()); 51 | } else { 52 | context.removeVariable('scp'); // To remove the invalid scope values if sent in /token request 53 | } 54 | 55 | 
context.setVariable("apiProductList", apiProductsList.join()); 56 | context.setVariable("nbf", new Date().toUTCString()); 57 | context.setVariable("iss", context.getVariable("proxyProto") + "://" + context.getVariable("proxyHost") + context.getVariable("proxy.basepath") + context.getVariable("proxy.pathsuffix")); 58 | context.setVariable("jti", 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) { 59 | var r = Math.random() * 16 | 0, 60 | v = c == 'x' ? r : (r & 0x3 | 0x8); 61 | return v.toString(16); 62 | })); 63 | 64 | try { 65 | var token_expiry = context.getVariable("token_expiry") || ""; 66 | if (token_expiry !== "") { 67 | //set token expiry as milliseconds 68 | context.setVariable("token_expiry", parseInt(token_expiry, 10).toString()); 69 | } else { 70 | //set default token expiry to 30 mins 71 | context.setVariable("token_expiry", "1800000"); 72 | } 73 | } catch (err) { 74 | //set default token expiry to 30 mins 75 | context.setVariable("token_expiry", "1800000"); 76 | } 77 | 78 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/set-quota-variables.js: -------------------------------------------------------------------------------- 1 | 2 | context.setVariable('quota.identifier', request.body.asJSON.identifier); 3 | context.setVariable("quota.allow",request.body.asJSON.allow); 4 | context.setVariable("quota.interval",request.body.asJSON.interval); 5 | context.setVariable("quota.unit",request.body.asJSON.timeUnit); 6 | context.setVariable("quota.weight",request.body.asJSON.weight); 7 | context.setVariable("debug.mp.id", request.body.asJSON.debugMpId); 8 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/set-response.js: -------------------------------------------------------------------------------- 1 | // Copyright 2018 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use 
this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | //prepare response object 16 | 17 | var jws = { 18 | token: context.getVariable('jwtmessage') 19 | }; 20 | 21 | if (context.getVariable('grant_type') === 'client_credentials' || context.getVariable('grant_type') === 'password') { 22 | if (context.getVariable("scp")) { 23 | jws.scope = context.getVariable("scp"); 24 | } 25 | 26 | jws.access_token = context.getVariable('jwtmessage'); 27 | jws.token_type = "Bearer"; 28 | 29 | // for /token flow 30 | jws.expires_in = context.getVariable("oauthv2accesstoken.AccessTokenRequest.expires_in"); 31 | 32 | // for any other flows if any 33 | if ( !jws.expires_in ) { 34 | jws.expires_in = parseInt( context.getVariable("token_expiry"), 10) / 1000; // convert to seconds 35 | }else { 36 | jws.expires_in = parseInt( jws.expires_in ); 37 | } 38 | 39 | //if refresh token exists, add it to response 40 | if (context.getVariable('grant_type') === "password") { 41 | jws.refresh_token = context.getVariable("oauthv2accesstoken.AccessTokenRequest.refresh_token"); 42 | jws.refresh_token_expires_in = context.getVariable("oauthv2accesstoken.AccessTokenRequest.refresh_token_expires_in"); 43 | jws.refresh_token_issued_at = context.getVariable("oauthv2accesstoken.AccessTokenRequest.refresh_token_issued_at") ; 44 | jws.refresh_token_status = context.getVariable("oauthv2accesstoken.AccessTokenRequest.refresh_token_status"); 45 | } 46 | } 47 | 48 | 49 | //send response 50 | context.setVariable("response.header.Content-Type","application/json"); 
51 | context.setVariable("response.header.Cache-Control","no-store"); 52 | context.setVariable("response.header.Pragma","no-cache"); 53 | context.setVariable("response.content", JSON.stringify(jws)); 54 | -------------------------------------------------------------------------------- /apiproxy/resources/jsc/upgrade-kvm.js: -------------------------------------------------------------------------------- 1 | var cert = context.getVariable("private.publicKey"); 2 | var privateKey = context.getVariable("private.privateKey"); 3 | var privateKeyKid = context.getVariable("private.private_key_kid"); 4 | var publicKey1Kid = context.getVariable("private.public_key1_kid"); 5 | var publicKey2Kid = context.getVariable("private.public_key2_kid"); 6 | var futureKeysNbf = context.getVariable("private.future_keys_nbf"); 7 | 8 | validateKvm(); 9 | 10 | function validateKvm() { 11 | var publicKey1 = context.getVariable('public_key') || ''; 12 | 13 | if(publicKey1 === null || publicKey1 === '') { 14 | context.setVariable('errText', 'public_key is required'); 15 | return; 16 | } 17 | if(privateKey === null || privateKey === '') { 18 | context.setVariable('errText', 'KVM does not exist, Please run configure command'); 19 | return; 20 | } 21 | if(cert === null || cert === '') { 22 | context.setVariable('errText', 'KVM does not exist, Please run configure command'); 23 | return; 24 | } 25 | if(privateKeyKid === null || privateKeyKid === ''){ 26 | context.setVariable('privateKeyKid', '1'); 27 | context.setVariable('publicKey1Kid', '1'); 28 | }else{ 29 | context.setVariable('privateKeyKid', privateKeyKid); 30 | context.setVariable('publicKey1Kid', privateKeyKid); 31 | } 32 | if(publicKey1){ 33 | context.setVariable('publicKey1', publicKey1); 34 | } 35 | if(publicKey1Kid && publicKey2Kid && publicKey1Kid === publicKey2Kid){ 36 | context.setVariable('deletePublicKey2', true); 37 | } 38 | if(futureKeysNbf && futureKeysNbf < Date.now()){ 39 | context.setVariable('deleteFutureKeys', true); 40 | 
} 41 | } -------------------------------------------------------------------------------- /apiproxy/resources/jsc/validate-future-key-nbf.js: -------------------------------------------------------------------------------- 1 | var futureKeysNbf = context.getVariable("private.future_keys_nbf"); 2 | var futurePrivateKey = context.getVariable("private.future_private_key"); 3 | var futurePrivateKeyKid = context.getVariable("private.future_private_key_kid"); 4 | var futureCertficate = context.getVariable("private.future_certficate"); 5 | 6 | var futurePublicKey1Kid = context.getVariable("private.future_public_key1_kid"); 7 | var futurePublicKey1 = context.getVariable("private.future_public_key1"); 8 | var futurePublicKey2Kid = context.getVariable("private.future_public_key2_kid"); 9 | var futurePublicKey2 = context.getVariable("private.future_public_key2"); 10 | 11 | if(futureKeysNbf && futureKeysNbf < Date.now()){ 12 | var applyNewKey = true; 13 | 14 | if(futurePrivateKey && futurePrivateKey !== 'undefined'){ 15 | context.setVariable('private.privateKey', futurePrivateKey); 16 | } 17 | if(futurePrivateKeyKid && futurePrivateKeyKid !== 'undefined'){ 18 | context.setVariable('private.private_key_kid', futurePrivateKeyKid); 19 | } 20 | if(futureCertficate && futureCertficate !== 'undefined'){ 21 | context.setVariable('private.publicKey', futureCertficate); 22 | } 23 | if(futurePublicKey1Kid && futurePublicKey1Kid !== 'undefined'){ 24 | context.setVariable('private.public_key1_kid', futurePublicKey1Kid); 25 | } 26 | if(futurePublicKey1 && futurePublicKey1 !== 'undefined'){ 27 | context.setVariable('private.public_key1', futurePublicKey1); 28 | } 29 | if(futurePublicKey2Kid && futurePublicKey2Kid !== 'undefined'){ 30 | context.setVariable('private.public_key2_kid', futurePublicKey2Kid); 31 | } 32 | if(futurePublicKey2 && futurePublicKey2 !== 'undefined'){ 33 | context.setVariable('private.public_key2', futurePublicKey2); 34 | } 35 | context.setVariable('applyNewKey', 
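// Base64 helper (standard alphabet, '=' padding) used to unpack the
// "clientCreds" value when client_id and client_secret are not supplied as
// separate variables. Runs inside the Apigee JavaScript policy; `context`
// is supplied by the runtime.
var Base64 = {
    _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",

    // Encodes a JS string: UTF-8 encode first, then emit four output
    // characters per three input bytes, padding the last group with '='.
    encode: function (input) {
        var output = "";
        var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
        var i = 0;
        input = Base64._utf8_encode(input);
        while (i < input.length) {
            chr1 = input.charCodeAt(i++);
            chr2 = input.charCodeAt(i++);
            chr3 = input.charCodeAt(i++);
            enc1 = chr1 >> 2;
            enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
            enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
            enc4 = chr3 & 63;
            if (isNaN(chr2)) {
                enc3 = enc4 = 64;
            } else if (isNaN(chr3)) {
                enc4 = 64;
            }
            output = output +
                this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
                this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
        }
        return output;
    },

    // Decodes to a JS string. Characters outside the alphabet are dropped
    // before decoding (malformed input does not throw), and the decoded
    // bytes are then interpreted as UTF-8.
    decode: function (input) {
        var output = "";
        var chr1, chr2, chr3;
        var enc1, enc2, enc3, enc4;
        var i = 0;
        input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
        while (i < input.length) {
            enc1 = this._keyStr.indexOf(input.charAt(i++));
            enc2 = this._keyStr.indexOf(input.charAt(i++));
            enc3 = this._keyStr.indexOf(input.charAt(i++));
            enc4 = this._keyStr.indexOf(input.charAt(i++));
            chr1 = (enc1 << 2) | (enc2 >> 4);
            chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
            chr3 = ((enc3 & 3) << 6) | enc4;
            output = output + String.fromCharCode(chr1);
            if (enc3 !== 64) {
                output = output + String.fromCharCode(chr2);
            }
            if (enc4 !== 64) {
                output = output + String.fromCharCode(chr3);
            }
        }
        output = Base64._utf8_decode(output);
        return output;
    },

    // UTF-8 encodes a JS (UTF-16) string into a "byte string" (one char
    // per byte). Code units above U+07FF, including each half of a
    // surrogate pair, are emitted as a 3-byte sequence — unchanged from the
    // original implementation.
    _utf8_encode: function (str) {
        str = str.replace(/\r\n/g, "\n");
        var out = "";
        for (var n = 0; n < str.length; n++) {
            var c = str.charCodeAt(n);
            if (c < 128) {
                out += String.fromCharCode(c);
            } else if (c > 127 && c < 2048) {
                out += String.fromCharCode((c >> 6) | 192);
                out += String.fromCharCode((c & 63) | 128);
            } else {
                out += String.fromCharCode((c >> 12) | 224);
                out += String.fromCharCode(((c >> 6) & 63) | 128);
                out += String.fromCharCode((c & 63) | 128);
            }
        }
        return out;
    },

    // Inverse of _utf8_encode: decodes 1-, 2- and 3-byte sequences.
    _utf8_decode: function (bytes) {
        var out = "";
        var i = 0;
        // All declared locally: the original leaked c1/c2/c3 as implicit
        // globals, which throws under strict mode.
        var c = 0, c2 = 0, c3 = 0;
        while (i < bytes.length) {
            c = bytes.charCodeAt(i);
            if (c < 128) {
                out += String.fromCharCode(c);
                i++;
            } else if (c > 191 && c < 224) {
                c2 = bytes.charCodeAt(i + 1);
                out += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
                i += 2;
            } else {
                c2 = bytes.charCodeAt(i + 1);
                c3 = bytes.charCodeAt(i + 2);
                out += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
                i += 3;
            }
        }
        return out;
    }
};

validateParams();

// Validates the token-request parameters extracted earlier in the flow and,
// when the client credentials arrived as one Base64 value ("clientCreds",
// HTTP Basic style "id:secret"), splits them into the client_id /
// client_secret / apikey flow variables.
// On any problem it sets "errText" (presumably consumed by a later
// fault-raising step) and returns without touching the credential variables.
function validateParams() {
    var client_id = context.getVariable('client_id') || '';
    var client_secret = context.getVariable('client_secret') || '';
    var clientCreds = context.getVariable('clientCreds') || '';
    var grant_type = context.getVariable('grant_type') || '';
    var username = context.getVariable('username') || '';
    var password = context.getVariable('password') || '';

    if (grant_type !== 'client_credentials' && grant_type !== 'password') {
        context.setVariable('errText', 'grant_type is missing or invalid');
        return;
    }

    if (grant_type === 'password' && (username === '' || password === '')) {
        context.setVariable('errText', 'missing username and/or password');
        return;
    }

    // Explicit client_id/client_secret win; clientCreds is only consulted
    // when at least one of them is absent.
    if (client_id !== '' && client_secret !== '') {
        return;
    }

    if (clientCreds === '') {
        context.setVariable('errText', 'missing client credentials');
        return;
    }

    try {
        var decoded = Base64.decode(clientCreds);
        // RFC 7617: the user-id (client_id) cannot contain ':' but the secret
        // can, so split on the FIRST colon only. Splitting on every colon
        // rejected otherwise valid secrets that contain ':'.
        var sep = decoded.indexOf(':');
        if (sep === -1) {
            context.setVariable('errText', 'error obtaining client credentials');
            return;
        }
        var decodedId = decoded.substring(0, sep);
        var decodedSecret = decoded.substring(sep + 1);
        context.setVariable('client_id', decodedId);
        context.setVariable('apikey', decodedId);
        context.setVariable('client_secret', decodedSecret);
    } catch (err) {
        context.setVariable('errText', 'error obtaining client credentials ' + err);
    }
}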
"https://github.com/apigee-internal/microgateway-edgeauth/issues" 20 | }, 21 | "homepage": "https://github.com/apigee-internal/microgateway-edgeauth#readme" 22 | } 23 | --------------------------------------------------------------------------------