Fix incorrect behavior when the token is revoked by OAuth backend and add connection timeout configuration (#12583)

* Fix incorrect behavior when the token is revoked by OAuth backend and add connection timeout configurations

* Removed unnecessary lines from unit tests

Author: thisaltennakoon

components/apimgt/org.wso2.carbon.apimgt.api/src/main/java/org/wso2/carbon/apimgt/api/model/EndpointSecurity.java

@@ -48,6 +48,12 @@ public class EndpointSecurity {
 
     private Map additionalProperties = new HashMap();
 
+    private int connectionTimeoutDuration = -1;
+
+    private int connectionRequestTimeoutDuration = -1;
+
+    private int socketTimeoutDuration = -1;
+
     public EndpointSecurity(EndpointSecurity endpointSecurity) {
 
         this.uniqueIdentifier = endpointSecurity.uniqueIdentifier;
@@ -61,7 +67,9 @@ public EndpointSecurity(EndpointSecurity endpointSecurity) {
         this.clientSecret = endpointSecurity.clientSecret;
         this.customParameters = endpointSecurity.customParameters;
         this.additionalProperties = endpointSecurity.additionalProperties;
-
+        this.connectionTimeoutDuration = endpointSecurity.connectionTimeoutDuration;
+        this.connectionRequestTimeoutDuration = endpointSecurity.connectionRequestTimeoutDuration;
+        this.socketTimeoutDuration = endpointSecurity.socketTimeoutDuration;
     }
 
     public EndpointSecurity() {
@@ -197,6 +205,30 @@ public void setApiKeyValue(String apiKeyValue) {
         this.apiKeyValue = apiKeyValue;
     }
 
+    public int getConnectionTimeoutDuration() {
+        return connectionTimeoutDuration;
+    }
+
+    public void setConnectionTimeoutDuration(int connectionTimeoutDuration) {
+        this.connectionTimeoutDuration = connectionTimeoutDuration;
+    }
+
+    public int getConnectionRequestTimeoutDuration() {
+        return connectionRequestTimeoutDuration;
+    }
+
+    public void setConnectionRequestTimeoutDuration(int connectionRequestTimeoutDuration) {
+        this.connectionRequestTimeoutDuration = connectionRequestTimeoutDuration;
+    }
+
+    public int getSocketTimeoutDuration() {
+        return socketTimeoutDuration;
+    }
+
+    public void setSocketTimeoutDuration(int socketTimeoutDuration) {
+        this.socketTimeoutDuration = socketTimeoutDuration;
+    }
+
     @Override
     public String toString() {
 
@@ -214,6 +246,9 @@ public String toString() {
                 ", apiKeyValue='" + apiKeyValue + '\'' +
                 ", customParameters='" + customParameters + '\'' +
                 ", additionalProperties=" + additionalProperties +
+                ", connectionTimeoutDuration=" + connectionTimeoutDuration +
+                ", connectionRequestTimeoutDuration=" + connectionRequestTimeoutDuration +
+                ", socketTimeoutDuration=" + socketTimeoutDuration +
                 '}';
     }
 }

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/mediators/oauth/RedisTokenCache.java

@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com/).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.gateway.mediators.oauth;
+
+import org.apache.synapse.endpoints.auth.oauth.TokenCacheProvider;
+import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
+import org.wso2.carbon.apimgt.gateway.utils.redis.RedisCacheUtils;
+
+import java.util.Set;
+
+/**
+ * Singleton class implementing TokenCacheProvider for caching OAuth tokens using Redis.
+ * This class allows storing, retrieving, and removing tokens from Redis via RedisCacheUtils
+ * and is utilized by OAuthHandler in Synapse for OAuth token caching.
+ */
+public class RedisTokenCache implements TokenCacheProvider {
+
+    // Singleton instance of RedisTokenCache
+    private static final RedisTokenCache instance = new RedisTokenCache();
+    private static final RedisCacheUtils redisCacheUtils = new RedisCacheUtils(ServiceReferenceHolder.getInstance().
+            getRedisPool());
+
+    private RedisTokenCache() {
+    }
+
+    /**
+     * Provides the singleton instance of RedisTokenCache.
+     * If no instance exists, a new one is created.
+     *
+     * @return the singleton instance of RedisTokenCache
+     */
+    public static RedisTokenCache getInstance() {
+        return instance;
+    }
+
+    /**
+     * Stores a token in the Redis cache with the given identifier as the key.
+     *
+     * @param id    the identifier (key) for the token in the cache
+     * @param token the token to be cached
+     */
+    @Override
+    public void putToken(String id, String token) {
+        redisCacheUtils.setValue(id, token);
+    }
+
+    /**
+     * Retrieves a token from the Redis cache for the given identifier.
+     *
+     * @param id the identifier (key) of the token in the cache
+     * @return the token associated with the given identifier, or null if not found
+     */
+    @Override
+    public String getToken(String id) {
+        return redisCacheUtils.getValue(id);
+    }
+
+    /**
+     * Removes the token associated with the given identifier from the Redis cache.
+     *
+     * @param id the identifier (key) of the token to be removed
+     */
+    @Override
+    public void removeToken(String id) {
+        redisCacheUtils.deleteKey(id);
+    }
+
+    /**
+     * This method is called to remove all tokens from the Redis cache when the endpoint is destroyed that are
+     * associated with a specific OAuth handler. The keys of the tokens that need to be removed should start with the
+     * provided oauthHandlerId.
+     *
+     * @param oauthHandlerId the ID of the OAuth handler whose tokens should be removed
+     */
+    @Override
+    public void removeTokens(String oauthHandlerId) {
+        if (redisCacheUtils.isRedisCacheSessionActive()) {
+            // Retrieve all keys that match the given pattern
+            Set<String> keys = redisCacheUtils.getKeys(oauthHandlerId + "*");
+
+            // Remove all tokens with keys that match the pattern
+            for (String key : keys) {
+                redisCacheUtils.deleteKey(key);
+            }
+        }
+    }
+}

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/redis/RedisCacheUtils.java

@@ -29,6 +29,7 @@
 
 import java.io.IOException;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * Utility class singleton to connect to Redis Server, and perform general operations
@@ -244,4 +245,24 @@ public Object getObject(String key, Class objectType) {
         return null;
     }
 
+    /**
+     * Retrieves a set of keys from Redis that match the specified pattern.
+     *
+     * @param pattern the pattern to match keys (e.g., "oauth_*" to match all keys starting with "oauth_")
+     * @return a set of matching keys from Redis, or an empty set if no keys match
+     */
+    public Set<String> getKeys(String pattern) {
+        try (Jedis jedis = jedisPool.getResource()) {
+            return jedis.keys(pattern);
+        }
+    }
+
+    /**
+     * Checks if the Redis cache session is active.
+     *
+     * @return true if the Redis cache session (Jedis pool) is initialized and open, false otherwise.
+     */
+    public boolean isRedisCacheSessionActive() {
+        return jedisPool != null && !jedisPool.isClosed();
+    }
 }

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java

@@ -1476,6 +1476,7 @@ public static class OAuthConstants {
         public static final String TOKEN_TYPE = "token_type";
         public static final String EXPIRES_IN = "expires_in";
         public static final String EXPIRES_IN_CONFIG = "ExpiresIn";
+        public static final String ENABLE_RETRY_CALL_WITH_NEW_TOKEN = "EnableRetryCallWithNewToken";
 
         // Properties in Endpoint Config
         public static final String ENDPOINT_SECURITY_PRODUCTION = "production";
@@ -1817,6 +1818,7 @@ private ConfigParameters() {
     public static final String ENDPOINT_SPECIFIC_CONFIG = "config";
     public static final String ENDPOINT_CONFIG_ACTION_DURATION = "actionDuration";
     public static final String ENDPOINT_TYPE_GRAPHQL = "graphql";
+    public static final String ENABLE_RETRY_CALL_WITH_NEW_OAUTH_TOKEN = "enableRetryCallWithNewOauthToken";
 
     public static final String API_ENDPOINT_CONFIG_TIMEOUT = "timeout";
     public static final String API_ENDPOINT_CONFIG_PROTOCOL_TYPE = "endpoint_type";

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/APIUtil.java

@@ -2072,6 +2072,19 @@ public static boolean isPortalConfigurationOnlyModeEnabled() {
         return false;
     }
 
+    /**
+     * Check if Retry Call With New OAuth Token is enabled
+     *
+     * @return True if Retry Call With New OAuth Token is enabled
+     */
+    public static boolean isRetryCallWithNewOAuthTokenEnabled() {
+        String property = ServiceReferenceHolder.getInstance().getAPIManagerConfigurationService().
+                getAPIManagerConfiguration().getFirstProperty(APIConstants.MEDIATOR_CONFIG + APIConstants.
+                        OAuthConstants.OAUTH_MEDIATION_CONFIG + APIConstants.OAuthConstants.
+                        ENABLE_RETRY_CALL_WITH_NEW_TOKEN);
+        return Boolean.parseBoolean(property);
+    }
+
     /**
      * Check if an issuer for internal keys has been defined
      *

components/apimgt/org.wso2.carbon.apimgt.rest.api.common/src/main/resources/publisher-api.yaml

@@ -13183,6 +13183,12 @@ components:
             Is Portal Configuration Only Mode enabled
           example: false
           default: false
+        retryCallWithNewOAuthTokenEnabled:
+          type: boolean
+          description: |
+            Is Retry Call With New OAuth Token Enabled
+          example: true
+          default: true
         crossTenantSubscriptionEnabled:
           type: boolean
           description: |

components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher.v1.common/pom.xml

@@ -224,6 +224,8 @@
                             ${project.artifactId}
                         </Bundle-SymbolicName>
                         <Import-Package>
+                            org.osgi.framework.*;version="${imp.package.version.osgi.framework}",
+                            org.osgi.service.*;version="${imp.package.version.osgi.service}",
                             org.apache.commons.logging.*; version="${import.package.version.commons.logging}",
                             javax.validation.*; version="1.1.0.Final",
                             *;resolution:=optional

components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher.v1.common/src/gen/java/org/wso2/carbon/apimgt/rest/api/publisher/v1/dto/SettingsDTO.java

@@ -36,6 +36,7 @@ public class SettingsDTO   {
     private Boolean externalStoresEnabled = null;
     private Boolean docVisibilityEnabled = null;
     private Boolean portalConfigurationOnlyModeEnabled = false;
+    private Boolean retryCallWithNewOAuthTokenEnabled = true;
     private Boolean crossTenantSubscriptionEnabled = false;
     private String defaultAdvancePolicy = null;
     private String defaultSubscriptionPolicy = null;
@@ -222,6 +223,24 @@ public void setPortalConfigurationOnlyModeEnabled(Boolean portalConfigurationOnl
     this.portalConfigurationOnlyModeEnabled = portalConfigurationOnlyModeEnabled;
   }
 
+  /**
+   * Is Retry Call With New OAuth Token Enabled 
+   **/
+  public SettingsDTO retryCallWithNewOAuthTokenEnabled(Boolean retryCallWithNewOAuthTokenEnabled) {
+    this.retryCallWithNewOAuthTokenEnabled = retryCallWithNewOAuthTokenEnabled;
+    return this;
+  }
+
+  
+  @ApiModelProperty(example = "true", value = "Is Retry Call With New OAuth Token Enabled ")
+  @JsonProperty("retryCallWithNewOAuthTokenEnabled")
+  public Boolean isRetryCallWithNewOAuthTokenEnabled() {
+    return retryCallWithNewOAuthTokenEnabled;
+  }
+  public void setRetryCallWithNewOAuthTokenEnabled(Boolean retryCallWithNewOAuthTokenEnabled) {
+    this.retryCallWithNewOAuthTokenEnabled = retryCallWithNewOAuthTokenEnabled;
+  }
+
   /**
    * Is Cross Tenant Subscriptions Enabled 
    **/
@@ -367,6 +386,7 @@ public boolean equals(java.lang.Object o) {
         Objects.equals(externalStoresEnabled, settings.externalStoresEnabled) &&
         Objects.equals(docVisibilityEnabled, settings.docVisibilityEnabled) &&
         Objects.equals(portalConfigurationOnlyModeEnabled, settings.portalConfigurationOnlyModeEnabled) &&
+        Objects.equals(retryCallWithNewOAuthTokenEnabled, settings.retryCallWithNewOAuthTokenEnabled) &&
         Objects.equals(crossTenantSubscriptionEnabled, settings.crossTenantSubscriptionEnabled) &&
         Objects.equals(defaultAdvancePolicy, settings.defaultAdvancePolicy) &&
         Objects.equals(defaultSubscriptionPolicy, settings.defaultSubscriptionPolicy) &&
@@ -378,7 +398,7 @@ public boolean equals(java.lang.Object o) {
 
   @Override
   public int hashCode() {
-    return Objects.hash(devportalUrl, environment, gatewayTypes, scopes, monetizationAttributes, subscriberContactAttributes, securityAuditProperties, externalStoresEnabled, docVisibilityEnabled, portalConfigurationOnlyModeEnabled, crossTenantSubscriptionEnabled, defaultAdvancePolicy, defaultSubscriptionPolicy, authorizationHeader, isJWTEnabledForLoginTokens, allowSubscriptionValidationDisabling, customProperties);
+    return Objects.hash(devportalUrl, environment, gatewayTypes, scopes, monetizationAttributes, subscriberContactAttributes, securityAuditProperties, externalStoresEnabled, docVisibilityEnabled, portalConfigurationOnlyModeEnabled, retryCallWithNewOAuthTokenEnabled, crossTenantSubscriptionEnabled, defaultAdvancePolicy, defaultSubscriptionPolicy, authorizationHeader, isJWTEnabledForLoginTokens, allowSubscriptionValidationDisabling, customProperties);
   }
 
   @Override
@@ -396,6 +416,7 @@ public String toString() {
     sb.append("    externalStoresEnabled: ").append(toIndentedString(externalStoresEnabled)).append("\n");
     sb.append("    docVisibilityEnabled: ").append(toIndentedString(docVisibilityEnabled)).append("\n");
     sb.append("    portalConfigurationOnlyModeEnabled: ").append(toIndentedString(portalConfigurationOnlyModeEnabled)).append("\n");
+    sb.append("    retryCallWithNewOAuthTokenEnabled: ").append(toIndentedString(retryCallWithNewOAuthTokenEnabled)).append("\n");
     sb.append("    crossTenantSubscriptionEnabled: ").append(toIndentedString(crossTenantSubscriptionEnabled)).append("\n");
     sb.append("    defaultAdvancePolicy: ").append(toIndentedString(defaultAdvancePolicy)).append("\n");
     sb.append("    defaultSubscriptionPolicy: ").append(toIndentedString(defaultSubscriptionPolicy)).append("\n");

components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher.v1.common/src/main/java/org/wso2/carbon/apimgt/rest/api/publisher/v1/common/TemplateBuilderUtil.java

@@ -56,12 +56,12 @@
 import org.wso2.carbon.apimgt.impl.definitions.GraphQLSchemaDefinition;
 import org.wso2.carbon.apimgt.impl.dto.SoapToRestMediationDto;
 import org.wso2.carbon.apimgt.impl.importexport.ImportExportConstants;
-import org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder;
 import org.wso2.carbon.apimgt.impl.template.APITemplateBuilder;
 import org.wso2.carbon.apimgt.impl.template.APITemplateException;
 import org.wso2.carbon.apimgt.impl.utils.APIUtil;
 import org.wso2.carbon.apimgt.impl.utils.CertificateMgtUtils;
 import org.wso2.carbon.apimgt.impl.utils.GatewayUtils;
+import org.wso2.carbon.apimgt.rest.api.publisher.v1.common.internal.ServiceReferenceHolder;
 import org.wso2.carbon.apimgt.rest.api.publisher.v1.common.mappings.APIMappingUtil;
 import org.wso2.carbon.apimgt.rest.api.publisher.v1.common.mappings.ImportUtils;
 import org.wso2.carbon.apimgt.rest.api.publisher.v1.common.template.APITemplateBuilderImpl;
@@ -1270,9 +1270,8 @@ private static String getEndpointName(String endpointConfig) throws XMLStreamExc
 
     private static void setSecureVaultPropertyToBeAdded(String prefix, API api, GatewayAPIDTO gatewayAPIDTO) {
 
-        boolean isSecureVaultEnabled =
-                Boolean.parseBoolean(ServiceReferenceHolder.getInstance().getAPIManagerConfigurationService().
-                        getAPIManagerConfiguration().getFirstProperty(APIConstants.API_SECUREVAULT_ENABLE));
+        boolean isSecureVaultEnabled = Boolean.parseBoolean(ServiceReferenceHolder.getInstance().
+                getAPIManagerConfiguration().getFirstProperty(APIConstants.API_SECUREVAULT_ENABLE));
 
         if (isSecureVaultEnabled) {
             org.json.JSONObject endpointConfig = new org.json.JSONObject(api.getEndpointConfig());