Disable authentication for DCR create via tenant-wise config

components/org.wso2.carbon.identity.auth.valve/pom.xml

@@ -80,6 +80,10 @@
             <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
             <artifactId>org.wso2.carbon.identity.oauth</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
+            <artifactId>org.wso2.carbon.identity.oauth.dcr</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.json.wso2</groupId>
             <artifactId>json</artifactId>

components/org.wso2.carbon.identity.auth.valve/src/main/java/org/wso2/carbon/identity/auth/valve/AuthenticationValve.java

@@ -43,6 +43,7 @@
 import org.wso2.carbon.identity.auth.service.module.ResourceConfigKey;
 import org.wso2.carbon.identity.auth.service.util.AuthConfigurationUtil;
 import org.wso2.carbon.identity.auth.service.util.Constants;
+import org.wso2.carbon.identity.auth.valve.factory.DCRMgtOGSiServiceFactory;
 import org.wso2.carbon.identity.auth.valve.internal.AuthenticationValveDataHolder;
 import org.wso2.carbon.identity.auth.valve.internal.AuthenticationValveServiceHolder;
 import org.wso2.carbon.identity.auth.valve.util.APIErrorResponseHandler;
@@ -51,6 +52,8 @@
 import org.wso2.carbon.identity.core.util.IdentityConfigParser;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
+import org.wso2.carbon.identity.oauth.dcr.exception.DCRMException;
+import org.wso2.carbon.identity.oauth.dcr.model.DCRConfiguration;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.tenant.TenantManager;
 
@@ -66,6 +69,7 @@
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.HttpMethod;
 
 import static org.wso2.carbon.identity.auth.service.util.Constants.AUTHENTICATED_WITH_BASIC_AUTH;
 
@@ -91,6 +95,8 @@ public class AuthenticationValve extends ValveBase {
 
     private static final Log log = LogFactory.getLog(AuthenticationValve.class);
 
+    private static final String DCR_REGISTER_ENDPOINT_PATH = "/api/identity/oauth2/dcr/v1.1/register";
+
     @Override
     public void invoke(Request request, Response response) throws IOException, ServletException {
 
@@ -107,6 +113,7 @@ public void invoke(Request request, Response response) throws IOException, Servl
             ResourceConfig securedResource = authenticationManager.getSecuredResource(
                     new ResourceConfigKey(normalizedRequestURI, request.getMethod()));
 
+            overrideSecuredResource(securedResource, normalizedRequestURI, request.getMethod());
 
             setRemoteAddressAndUserAgentToMDC(request);
 
@@ -173,6 +180,10 @@ public void invoke(Request request, Response response) throws IOException, Servl
         } catch (PatternSyntaxException e) {
             log.debug("Invalid pattern syntax of the request: ", e);
             APIErrorResponseHandler.handleErrorResponse(null, response, HttpServletResponse.SC_BAD_REQUEST, null);
+        } catch (DCRMException e) {
+            log.error("Error while getting DCR Configuration: ", e);
+            APIErrorResponseHandler.handleErrorResponse(null, response,
+                    HttpServletResponse.SC_SERVICE_UNAVAILABLE, e);
         } finally {
             // Clear 'IdentityError' thread local.
             if (IdentityUtil.getIdentityErrorMsg() != null) {
@@ -200,6 +211,35 @@ public void invoke(Request request, Response response) throws IOException, Servl
 
     }
 
+    /**
+     * This method is used to override the secured resource based on tenant-wise DCR api security configuration.
+     *
+     * @param securedResource securedResource object
+     * @param normalizedRequestURI request URL path
+     * @param httpMethod http method
+     * @throws DCRMException DCRMException
+     */
+    private void overrideSecuredResource(ResourceConfig securedResource, String normalizedRequestURI,
+                                         String httpMethod) throws DCRMException {
+
+        if (normalizedRequestURI.contains(DCR_REGISTER_ENDPOINT_PATH) && HttpMethod.POST.equals(httpMethod)) {
+
+            if (DCRMgtOGSiServiceFactory.getInstance() != null) {
+
+                DCRConfiguration dcrConfiguration = DCRMgtOGSiServiceFactory.getInstance().getDCRConfiguration();
+                Boolean isClientAuthenticationRequired = dcrConfiguration.getAuthenticationRequired();
+                if ((Boolean.TRUE).equals(isClientAuthenticationRequired)) {
+                    securedResource.setIsSecured(true);
+                } else if ((Boolean.FALSE).equals(isClientAuthenticationRequired)) {
+                    securedResource.setIsSecured(false);
+                }
+            } else {
+//                We do not throw an exception here to avoid breaking the flow and to have similar behaviour as before.
+                log.debug("DCRMgtOGSiServiceFactory is null. Cannot get DCR Configuration.");
+            }
+        }
+    }
+
     private void setRemoteAddressAndUserAgentToMDC(Request request) {
 
         String userAgent = request.getHeader(USER_AGENT);

components/org.wso2.carbon.identity.auth.valve/src/main/java/org/wso2/carbon/identity/auth/valve/factory/DCRMgtOGSiServiceFactory.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.auth.valve.factory;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.identity.oauth.dcr.DCRConfigurationMgtService;
+
+/**
+ * Since this factory produces DCRConfigurationMgtService connector service,  there is a possibility that said
+ * connector not available in the distribution.
+ * So rather than designing as Factory Beans this class designed as Singleton.
+ */
+public class DCRMgtOGSiServiceFactory {
+
+    private static DCRConfigurationMgtService dcrConfigurationMgtService = null;
+    private static final Log log = LogFactory.getLog(DCRMgtOGSiServiceFactory.class);
+
+    /**
+     * This method return  the instance if the OSGi service exists.
+     * Else throw Null pointer Exception. We handle the exception gracefully.
+     *
+     * @return DCRConfigurationMgtService
+     */
+    public static DCRConfigurationMgtService getInstance() {
+
+        if (dcrConfigurationMgtService == null) {
+            /* Try catch statement is included due to a  NullPointerException which occurs at the server startup and
+            runtime when the DCRConfigurationMgtService is not available in the product. */
+
+            try {
+                // Call class for name to check the class is available in the run time.
+                // This method will call only once at the first api call.
+                Class.forName("org.wso2.carbon.identity.oauth.dcr.DCRConfigurationMgtService");
+                DCRConfigurationMgtService dcrConfigMgtService = (DCRConfigurationMgtService) PrivilegedCarbonContext
+                        .getThreadLocalCarbonContext().getOSGiService(DCRConfigurationMgtService.class, null);
+                if (dcrConfigMgtService != null) {
+                    dcrConfigurationMgtService = dcrConfigMgtService;
+                }
+
+            } catch (NullPointerException | ClassNotFoundException  e) {
+                /* Catch block without implementation so that the DCRConfigurationMgtService will be set to null
+                   in-turn helps in validating the rest API requests. */
+                log.error("Unable to find the DCRConfigurationMgtService. " +
+                            "DCRConfigurationMgtService is not available in the server.");
+            }
+        }
+
+        return dcrConfigurationMgtService;
+    }
+}

pom.xml

@@ -157,6 +157,11 @@
                 <artifactId>org.wso2.carbon.identity.oauth</artifactId>
                 <version>${org.wso2.carbon.identity.oauth.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
+                <artifactId>org.wso2.carbon.identity.oauth.dcr</artifactId>
+                <version>${org.wso2.carbon.identity.oauth.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.json.wso2</groupId>
                 <artifactId>json</artifactId>
@@ -353,7 +358,7 @@
         <identity.framework.version>5.25.652</identity.framework.version>
         <carbon.identity.package.import.version.range>[5.17.8, 8.0.0)</carbon.identity.package.import.version.range>
 
-        <org.wso2.carbon.identity.oauth.version>7.0.18</org.wso2.carbon.identity.oauth.version>
+        <org.wso2.carbon.identity.oauth.version>7.0.42-SNAPSHOT</org.wso2.carbon.identity.oauth.version>
         <org.wso2.carbon.identity.oauth.import.version.range>[6.2.18, 8.0.0)
         </org.wso2.carbon.identity.oauth.import.version.range>