Support separate client side MTLS for product and sandbox

Open dushaniw opened this issue 2 years ago • 3 comments

Problem

API can be secured with MTLS and there can be two different certificates for production and sandbox environments. Current MTLS feature only supports having a single certificate; internally we consider it as production.

Solution

Supporting uploading and managing MTLS separately for production and sandbox.

Affected Component

APIM

Version

5.x.x

Implementation

No response

Related Issues

No response

Suggested Labels

No response

dushaniw avatar Jan 29 '24 05:01 dushaniw

Update [2024-05-16]

After analysing this issue, it was identified that this involves changes in DB schema, hence this feature can be delivered in a new release.

Created the design outline document.

RusJaI avatar May 21 '24 04:05 RusJaI

Update [2024-05-21]

Designed the UI for uploading certificates and modified the design outline doc

RusJaI avatar May 22 '24 06:05 RusJaI

Update [2024-05-22]

Analysed the expected modifications to the Publisher REST API and documented the existing and proposed structures of payloads and responses.

Initiated the email thread :

[Architecture] Support separate client side MTLS for production and sandbox endpoints in API Manager

RusJaI avatar May 22 '24 06:05 RusJaI

Update [2024-05-27]

Had the design review today. Started working on the suggested modifications.

RusJaI avatar May 27 '24 07:05 RusJaI

Update [2024-05-28 and 29]

Worked on the backend implementation. This includes database and API level changes related to client-certificates, including the key type in client certificate objects to access in MutualSSLAuthenticator. Modified the existing database scripts.

PR : https://github.com/wso2/carbon-apimgt/pull/12455

Left to do :

  • Need to verify the keyType that should be provided for handleNoAuthentication() flow
  • Need to fix the affected unit tests and add new tests where applicable
  • Need to test the backend implementation thoroughly including the behaviours with certificate chains
  • The changes affect the existing integration tests. Need to fix them
  • Check the possibilities to add new tests.
  • Make UI changes suggested in Design review (this includes react component level changes)

RusJaI avatar May 29 '24 16:05 RusJaI

Update [2024-05-30]

  • Modified existing unit tests and added new tests where applicable
  • Did the suggested UI modifications
  • Started manual testing. Identified a bug in the following flow : When separate certificates are uploaded for production and sandbox endpoints in the publisher portal and the sandbox endpoint is invoked with a production type certificate, it returns a 200 response. The reason is that previously MutualSSLAuthenticator.authenticate() had only verified whether the certificate that came in the message context is available in the truststore. Since we differentiate the certificate by the keyType in this feature, the received certificate needs to be searched in the truststore along with the invoked environment type (production or sandbox).

RusJaI avatar May 30 '24 13:05 RusJaI

Update [2024-05-31]

Implemented a fix for the previously identified situation : When both MTLS and an Application level security type like OAuth2 are selected as mandatory, and the gateway endpoint is invoked with a bearer token for Sandbox and a client certificate uploaded for production type, it returns a 200 response.

Had a discussion regarding the above fix : This was mentioned as somewhat expected, and discussed to specifically mention in the documentation about it.

In the discussion, it was identified that the proposed fix cannot be applied due to the backward incompatibility.

RusJaI avatar May 31 '24 12:05 RusJaI

Update [2024-06-3, 4]

Created a QA Doc and Performed manual testing. Shared the QA doc in the email thread to verify the test outcomes.

Putting the rest of the work on-hold due to another urgent RnD allocation from today onwards.

RusJaI avatar Jun 04 '24 08:06 RusJaI

Update [2024-06-19, 20]

Modified the integration tests, covering the new behaviour. Modified the UI tests. Fixed some issues identified in UI, while executing the tests.

RusJaI avatar Jun 22 '24 11:06 RusJaI

Update [2024-06-24]

Worked on the documentation changes.

RusJaI avatar Jun 26 '24 08:06 RusJaI

Update [2024-06-25,26]

Worked on an issue identified after the QA doc was reviewed.

RusJaI avatar Jun 26 '24 08:06 RusJaI

Please find the PRs related to the feature as follows :

| Description | PR |
| --- | --- |
| UI Implementation and UI tests | https://github.com/wso2/apim-apps/pull/706 |
| Backend Implementation and Integration tests. | https://github.com/wso2/carbon-apimgt/pull/12455, https://github.com/wso2/product-apim/pull/13503 |
| Documentation | https://github.com/wso2/docs-apim/pull/8077 |

RusJaI avatar Jun 26 '24 09:06 RusJaI

As per the decision to facilitate two production and sandbox certs with same alias, the existing REST API has to be marked as deprecated and a new REST API should be introduced. Started working on the proposed modifications.

RusJaI avatar Jun 28 '24 09:06 RusJaI

@RusJaI With this change, do we have an option to disable MTLS for sandbox endpoint while keeping it enabled for production endpoint?

mohanvive avatar Jul 03 '24 22:07 mohanvive

> @RusJaI With this change, do we have an option to disable MTLS for sandbox endpoint while keeping it enabled for production endpoint?

@mohanvive what is expected from this feature is that when MTLS is enabled, the user can upload certificates for production and sandbox key types and invoke the endpoints accordingly.

Let's consider a scenario where only transport level security is enabled and we've chosen MTLS there : When the API is invoked using a certificate, it checks the key type that certificate belongs to, based on the uploaded certificates under production and sandbox key types. For example if the key type is SANDBOX, the SANDBOX endpoint is invoked.

RusJaI avatar Jul 04 '24 08:07 RusJaI

@RusJaI Thanks for the explanation. I have some further queries.

  1. Do we have an option to upload certificate only for the production endpoint without sandbox?
  2. If (1) is possible, then what is the expected behaviour?

mohanvive avatar Jul 04 '24 13:07 mohanvive

> @RusJaI Thanks for the explanation. I have some further queries.
>
>   1. Do we have an option to upload certificate only for the production endpoint without sandbox?

Yes. We can select, for which endpoint type we are uploading the certificate. There you can upload certificate only for the production endpoint.

>   2. If (1) is possible, then what is the expected behaviour?

When invoking the API, if you are providing one of the certificates that you've uploaded under production certificates, the production endpoint should be invoked. Else (if the certificate you are providing during the invocation is not among the certificates you've uploaded for endpoint types) there will be an authentication failure.

RusJaI avatar Jul 04 '24 14:07 RusJaI

Update [2024-07-04]

Did the frontend and backend implementation to facilitate the same alias for production and sandbox certificates.

This effort involved the following :

  • Make changes in DB scripts and data layers to include the key type in composite primary key.
  • Change the directory structure of storing the client certificates
  • Modify the key format in trust store entries
  • Deprecate the existing client certificate APIs and introduce a new set of APIs (/client-cert/{keyType}/)
  • Related frontend changes (methods to invoke APIs for production and sandbox types separately in component functions and api client, maintain separate alias lists for operations related to endpoint certs and client certs, remove usage button for client certificates.)

RusJaI avatar Jul 05 '24 07:07 RusJaI
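
The key-type-scoped lookup discussed in the updates and replies above (the 2024-05-30 truststore bug, the expected behaviour when a presented certificate is not among the uploaded ones, and the composite key that allows the same alias per key type), as an added example that is not code from carbon-apimgt or from any commenter. The class and method names are hypothetical, the one-byte arrays are constructed stand-ins for DER-encoded certificates, and Java 17 is assumed.

```java
import java.security.MessageDigest;
import java.util.*;

public class KeyTypeAwareClientCerts {
    enum KeyType { PRODUCTION, SANDBOX }

    // Composite key (alias, keyType): the same alias may be used once per key type.
    record CertKey(String alias, KeyType keyType) {}
    private final Map<CertKey, String> fingerprints = new HashMap<>();

    static String fingerprint(byte[] der) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(der));
    }

    void upload(String alias, KeyType keyType, byte[] der) throws Exception {
        fingerprints.put(new CertKey(alias, keyType), fingerprint(der));
    }

    // Key-type-blind check: any uploaded certificate passes, whatever environment is invoked.
    boolean isTrusted(byte[] der) throws Exception {
        return fingerprints.containsValue(fingerprint(der));
    }

    // Environment-scoped check: the certificate must be uploaded under the invoked key type.
    boolean isTrustedFor(byte[] der, KeyType invoked) throws Exception {
        String fp = fingerprint(der);
        return fingerprints.entrySet().stream()
                .anyMatch(e -> e.getKey().keyType() == invoked && e.getValue().equals(fp));
    }

    // Key type the certificate was uploaded under; empty means authentication failure.
    Optional<KeyType> resolveKeyType(byte[] der) throws Exception {
        for (KeyType kt : KeyType.values()) {
            if (isTrustedFor(der, kt)) return Optional.of(kt);
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed one-byte stand-ins for DER-encoded client certificates.
        byte[] prod = {0x01}, sand = {0x02}, unknown = {0x03};
        KeyTypeAwareClientCerts store = new KeyTypeAwareClientCerts();
        store.upload("client1", KeyType.PRODUCTION, prod);
        store.upload("client1", KeyType.SANDBOX, sand); // same alias, other key type
        System.out.println("blind check, production cert: " + store.isTrusted(prod));
        System.out.println("SANDBOX-scoped, production cert: " + store.isTrustedFor(prod, KeyType.SANDBOX));
        System.out.println("sandbox cert resolves to: " + store.resolveKeyType(sand));
        System.out.println("unregistered cert resolves to: " + store.resolveKeyType(unknown));
    }
}
```

The production certificate passes the key-type-blind check but is rejected once the check is scoped to SANDBOX, which is the 200 response case reported in the 2024-05-30 update.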

Update [2024-07-05]

Following scenarios were tested :

  • Add / delete client certificates
  • Add / delete endpoint certificates
  • Invoke endpoints when MTLS enabled in following combinations :

  1. MTLS - mandatory with no application level security selected
  2. MTLS mandatory and basic auth optional
  3. MTLS optional and basic auth mandatory

Identified an authentication failure for optional optional scenario. Created issue : https://github.com/wso2/api-manager/issues/2988

RusJaI avatar Jul 05 '24 08:07 RusJaI

Hi all, The implementation of this task is done. PRs are under review. Following tasks which are left to do :

  • [x] Check the integration tests with newly added changes
  • [x] Update Documentation

RusJaI avatar Jul 11 '24 09:07 RusJaI