Merge pull request #11140 from swagger-api/auth-access-control

Auth access control

Author: gracekarina

modules/swagger-codegen/pom.xml

@@ -314,6 +314,12 @@
             <version>${swagger-codegen-generators-version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.github.tomakehurst</groupId>
+            <artifactId>wiremock</artifactId>
+            <version>2.25.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     <repositories>
         <repository>

modules/swagger-codegen/src/main/java/io/swagger/codegen/v3/config/CodegenConfigurator.java

@@ -10,6 +10,7 @@
 import io.swagger.codegen.v3.CodegenConfigLoader;
 import io.swagger.codegen.v3.CodegenConstants;
 import io.swagger.codegen.v3.auth.AuthParser;
+import io.swagger.codegen.v3.service.HostAccessControl;
 import io.swagger.parser.OpenAPIParser;
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.core.util.Json;
@@ -28,6 +29,7 @@
 import java.io.IOException;
 import java.io.Serializable;
 import java.net.URI;
+import java.net.URL;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -37,6 +39,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
 
 import static org.apache.commons.lang3.StringUtils.isNotEmpty;
 
@@ -93,6 +96,25 @@ public CodegenConfigurator() {
         this.setOutputDir(".");
     }
 
+    private List<HostAccessControl> allowedAuthHosts = new ArrayList<>();
+    private List<HostAccessControl> deniedAuthHosts = new ArrayList<>();
+
+    public List<HostAccessControl> getAllowedAuthHosts() {
+        return allowedAuthHosts;
+    }
+
+    public void setAllowedAuthHosts(List<HostAccessControl> allowedAuthHosts) {
+        this.allowedAuthHosts = allowedAuthHosts;
+    }
+
+    public List<HostAccessControl> getDeniedAuthHosts() {
+        return deniedAuthHosts;
+    }
+
+    public void setDeniedAuthHosts(List<HostAccessControl> deniedAuthHosts) {
+        this.deniedAuthHosts = deniedAuthHosts;
+    }
+
     public CodegenConfigurator setLang(String lang) {
         this.lang = lang;
         return this;
@@ -470,8 +492,59 @@ public ClientOptInput toClientOptInput() {
 
         CodegenConfig config = CodegenConfigLoader.forName(lang);
         ClientOptInput input = new ClientOptInput();
+
+        Predicate<URL> urlMatcher = null;
+        if (!allowedAuthHosts.isEmpty() || !deniedAuthHosts.isEmpty()) {
+            urlMatcher = (url) -> {
+                String host = url.getHost();
+                // first check denies
+                for (HostAccessControl check: deniedAuthHosts) {
+                    if (check.isRegex()) {
+                        if (host.matches(check.getHost())) {
+                            return false;
+                        }
+                    } else if (check.isEndsWith()){
+                        if (host.toLowerCase().endsWith(check.getHost().toLowerCase())){
+                            return false;
+                        }
+                    } else {
+                        if (host.equalsIgnoreCase(check.getHost())) {
+                            return false;
+                        }
+                    }
+                }
+                // then allows
+                for (HostAccessControl check: allowedAuthHosts) {
+                    if (check.isRegex()) {
+                        if (!host.matches(check.getHost())) {
+                            return false;
+                        }
+                    } else if (check.isEndsWith()){
+                        if (!host.toLowerCase().endsWith(check.getHost().toLowerCase())){
+                            return false;
+                        }
+                    } else {
+                        if (!host.equalsIgnoreCase(check.getHost())) {
+                            return false;
+                        }
+                    }
+                }
+                return true;
+            };
+        }
+
         final List<AuthorizationValue> authorizationValues = AuthParser.parse(auth);
+        if (!authorizationValues.isEmpty() && urlMatcher != null) {
+            for (AuthorizationValue authVal: authorizationValues) {
+                if (authVal.getUrlMatcher() == null) {
+                    authVal.setUrlMatcher(urlMatcher);
+                }
+            }
+        }
         if (authorizationValue != null) {
+            if (urlMatcher != null) {
+                authorizationValue.setUrlMatcher(urlMatcher);
+            }
             authorizationValues.add(authorizationValue);
         }
 

modules/swagger-codegen/src/main/java/io/swagger/codegen/v3/service/GeneratorUtil.java

@@ -10,6 +10,7 @@
 import io.swagger.codegen.v3.config.CodegenConfigurator;
 import io.swagger.codegen.v3.service.exception.BadRequestException;
 import io.swagger.models.Swagger;
+import io.swagger.models.auth.UrlMatcher;
 import io.swagger.parser.SwaggerParser;
 import io.swagger.v3.core.util.Json;
 import org.apache.commons.lang3.StringUtils;
@@ -41,12 +42,68 @@ public static io.swagger.codegen.ClientOptInput getClientOptInputV2(GenerationRe
         String lang = generationRequest.getLang();
         validateSpec(lang, inputSpec, inputSpecURL);
         LOGGER.debug("getClientOptInputV2 - spec validated");
+        io.swagger.models.auth.UrlMatcher urlMatcher = null;
+        if (!generationRequest.getOptions().getAllowedAuthHosts().isEmpty() || !generationRequest.getOptions().getDeniedAuthHosts().isEmpty()) {
+            urlMatcher = url -> {
+                String host = url.getHost();
+                // first check denies
+                for (HostAccessControl check: generationRequest.getOptions().getDeniedAuthHosts()) {
+                    if (check.isRegex()) {
+                        if (host.matches(check.getHost())) {
+                            return false;
+                        }
+                    } else if (check.isEndsWith()){
+                        if (host.toLowerCase().endsWith(check.getHost().toLowerCase())){
+                            return false;
+                        }
+                    } else {
+                        if (host.equalsIgnoreCase(check.getHost())) {
+                            return false;
+                        }
+                    }
+                }
+                // then allows
+                for (HostAccessControl check: generationRequest.getOptions().getAllowedAuthHosts()) {
+                    if (check.isRegex()) {
+                        if (!host.matches(check.getHost())) {
+                            return false;
+                        }
+                    } else if (check.isEndsWith()){
+                        if (!host.toLowerCase().endsWith(check.getHost().toLowerCase())){
+                            return false;
+                        }
+                    } else {
+                        if (!host.equalsIgnoreCase(check.getHost())) {
+                            return false;
+                        }
+                    }
+                }
+                return true;
+            };
+        }
+
         final List<io.swagger.models.auth.AuthorizationValue> authorizationValues = io.swagger.codegen.auth.AuthParser.parse(generationRequest.getOptions().getAuth());
+        if (!authorizationValues.isEmpty() && urlMatcher != null) {
+            for (io.swagger.models.auth.AuthorizationValue authVal: authorizationValues) {
+                if (authVal.getUrlMatcher() == null) {
+                    authVal.setUrlMatcher(urlMatcher);
+                }
+            }
+        }
         if (generationRequest.getOptions().getAuthorizationValue() != null) {
             io.swagger.models.auth.AuthorizationValue authorizationValue = new io.swagger.models.auth.AuthorizationValue()
                     .value(generationRequest.getOptions().getAuthorizationValue().getValue())
                     .keyName(generationRequest.getOptions().getAuthorizationValue().getKeyName())
                     .type(generationRequest.getOptions().getAuthorizationValue().getType());
+            UrlMatcher predicateUrlMatcher = null;
+            if (generationRequest.getOptions().getAuthorizationValue().getUrlMatcher() != null) {
+                predicateUrlMatcher = url -> generationRequest.getOptions().getAuthorizationValue().getUrlMatcher().test(url);
+            }
+            if (predicateUrlMatcher != null) {
+                authorizationValue.setUrlMatcher(predicateUrlMatcher);
+            } else if (urlMatcher != null) {
+                authorizationValue.setUrlMatcher(urlMatcher);
+            }
             authorizationValues.add(authorizationValue);
         }
         LOGGER.debug("getClientOptInputV2 - processed auth");
@@ -235,7 +292,7 @@ public static ClientOptInput getClientOptInput(GenerationRequest generationReque
         }
         if (options.getResolveFully() != null) {
             configurator.setResolveFully(options.getResolveFully());
-        }        
+        }
         if (isNotEmpty(options.getArtifactVersion())) {
             configurator.setArtifactVersion(options.getArtifactVersion());
         }
@@ -290,6 +347,9 @@ public static ClientOptInput getClientOptInput(GenerationRequest generationReque
                 configurator.addAdditionalReservedWordMapping(entry.getKey(), entry.getValue());
             }
         }
+
+        configurator.setAllowedAuthHosts(options.getAllowedAuthHosts());
+        configurator.setDeniedAuthHosts(options.getDeniedAuthHosts());
         LOGGER.debug("getClientOptInput - end");
         return configurator.toClientOptInput();
     }

modules/swagger-codegen/src/main/java/io/swagger/codegen/v3/service/HostAccessControl.java

@@ -0,0 +1,31 @@
+package io.swagger.codegen.v3.service;
+
+public class HostAccessControl {
+    public String getHost() {
+        return host;
+    }
+
+    public void setHost(String host) {
+        this.host = host;
+    }
+
+    public boolean isRegex() {
+        return regex;
+    }
+
+    public void setRegex(boolean regex) {
+        this.regex = regex;
+    }
+
+    public boolean isEndsWith() {
+        return endsWith;
+    }
+
+    public void setEndsWith(boolean endsWith) {
+        this.endsWith = endsWith;
+    }
+
+    private String host;
+    private boolean regex;
+    private boolean endsWith;
+}

modules/swagger-codegen/src/main/java/io/swagger/codegen/v3/service/Options.java

@@ -42,11 +42,41 @@ public class Options {
 
     private boolean flattenInlineComposedSchemas = false;
 
+    private List<HostAccessControl> allowedAuthHosts = new ArrayList<>();
+    private List<HostAccessControl> deniedAuthHosts = new ArrayList<>();
+
+    public List<HostAccessControl> getAllowedAuthHosts() {
+        return allowedAuthHosts;
+    }
+
+    public void setAllowedAuthHosts(List<HostAccessControl> allowedAuthHosts) {
+        this.allowedAuthHosts = allowedAuthHosts;
+    }
+
+    public List<HostAccessControl> getDeniedAuthHosts() {
+        return deniedAuthHosts;
+    }
+
+    public void setDeniedAuthHosts(List<HostAccessControl> deniedAuthHosts) {
+        this.deniedAuthHosts = deniedAuthHosts;
+    }
+
+    public Options allowedAuthHosts(List<HostAccessControl> allowedAuthHosts) {
+        this.allowedAuthHosts = allowedAuthHosts;
+        return this;
+    }
+
+    public Options deniedAuthHosts(List<HostAccessControl> deniedAuthHosts) {
+        this.deniedAuthHosts = deniedAuthHosts;
+        return this;
+    }
+
     public Options authorizationValue(AuthorizationValue authorizationValue) {
         this.authorizationValue = authorizationValue;
         return this;
     }
 
+
     public AuthorizationValue getAuthorizationValue() {
         return authorizationValue;
     }
@@ -455,4 +485,10 @@ public Options flattenInlineComposedSchema(boolean flattenInlineComposedSchemas)
         this.flattenInlineComposedSchemas = flattenInlineComposedSchemas;
         return this;
     }
+
+    public Options flattenInlineComposedSchemas(boolean flattenInlineComposedSchemas) {
+        this.flattenInlineComposedSchemas = flattenInlineComposedSchemas;
+        return this;
+    }
+
 }

modules/swagger-codegen/src/test/java/io/swagger/codegen/v3/service/GeneratorServiceTest.java

@@ -19,6 +19,7 @@
 
 public class GeneratorServiceTest {
 
+
     @Test(description = "test generator service with html2")
     public void testGeneratorService_HTML2_Bearer() throws IOException {