MOSIP-31134

Signed-off-by: ase-101 <sunkadaeanusha@gmail.com>

esignet-core/src/main/java/io/mosip/esignet/core/constants/Constants.java

@@ -23,6 +23,8 @@ public class Constants {
     public static final String LINKED_SESSION_CACHE = "linked";
     public static final String LINKED_CODE_CACHE = "linkedcode";
     public static final String AUTH_CODE_GENERATED_CACHE = "authcodegenerated";
+    public static final String RATE_LIMIT_CACHE = "apiRateLimit";
+    public static final String BLOCKED_CACHE = "blocked";
 
     public static final String ROOT_KEY = "ROOT";
     public static final String OIDC_PARTNER_APP_ID = "OIDC_PARTNER";

esignet-core/src/main/java/io/mosip/esignet/core/constants/ErrorConstants.java

@@ -84,4 +84,6 @@ public class ErrorConstants {
     public static final String PROOF_HEADER_INVALID_ALG = "proof_header_invalid_alg";
     public static final String PROOF_HEADER_INVALID_KEY = "proof_header_invalid_key";
     public static final String PROOF_HEADER_AMBIGUOUS_KEY = "proof_header_ambiguous_key";
+    public static final String NO_ATTEMPTS_LEFT = "no_attempts_left";
+    public static final String INDIVIDUAL_ID_BLOCKED = "individual_id_blocked";
 }

esignet-core/src/main/java/io/mosip/esignet/core/dto/ApiRateLimit.java

@@ -0,0 +1,23 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+package io.mosip.esignet.core.dto;
+
+import lombok.Data;
+
+import java.io.Serializable;
+import java.util.concurrent.ConcurrentHashMap;
+
+@Data
+public class ApiRateLimit implements Serializable {
+
+    ConcurrentHashMap<Integer, Integer> count = new ConcurrentHashMap<>();
+    ConcurrentHashMap<Integer, Long> lastInvocation = new ConcurrentHashMap<>();
+
+    public void increment(int apiCode) {
+        count.compute(apiCode, (k, v) -> (v == null) ? 1 : v + 1);
+        lastInvocation.compute(apiCode, (k, v) -> System.currentTimeMillis());
+    }
+}

esignet-core/src/main/java/io/mosip/esignet/core/dto/OIDCTransaction.java

@@ -50,6 +50,7 @@ public class OIDCTransaction implements Serializable {
     String state;
 
     String individualId;
+    String individualIdHash;
 
     String oauthDetailsHash;
     ConsentAction consentAction;

esignet-service/src/main/java/io/mosip/esignet/advice/HeaderValidationFilter.java

@@ -2,12 +2,15 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import io.mosip.esignet.core.constants.ErrorConstants;
 import io.mosip.esignet.core.dto.Error;
 import io.mosip.esignet.core.dto.OIDCTransaction;
+import io.mosip.esignet.core.dto.ApiRateLimit;
 import io.mosip.esignet.core.dto.ResponseWrapper;
 import io.mosip.esignet.core.exception.EsignetException;
 import io.mosip.esignet.core.exception.InvalidTransactionException;
 import io.mosip.esignet.core.util.IdentityProviderUtil;
+import io.mosip.esignet.services.AuthorizationHelperService;
 import io.mosip.esignet.services.CacheUtilService;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -39,6 +42,12 @@ public class HeaderValidationFilter extends OncePerRequestFilter {
     @Value("#{${mosip.esignet.header-filter.paths-to-validate}}")
     private List<String> pathsToValidate;
 
+    @Value("${mosip.esignet.send-otp.attempts:3}")
+    private int sendOtpAttempts;
+
+    @Value("${mosip.esignet.authenticate.attempts:3}")
+    private int authenticateAttempts;
+
     @Autowired
     private CacheUtilService cacheUtilService;
 
@@ -48,6 +57,7 @@ public class HeaderValidationFilter extends OncePerRequestFilter {
     @Autowired
     private MessageSource messageSource;
 
+
     @Override
     protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
         final String path = request.getRequestURI();
@@ -59,15 +69,21 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
         final String path = request.getRequestURI();
 
         try {
-            log.info("Started to validate {} for oauth-details headers", path);
+            log.debug("Started to validate {} for oauth-details headers", path);
             final String transactionId = request.getHeader(HEADER_OAUTH_DETAILS_KEY);
             final String hashValue = request.getHeader(HEADER_OAUTH_DETAILS_HASH);
             OIDCTransaction transaction = path.endsWith("auth-code") ? cacheUtilService.getAuthenticatedTransaction(transactionId) :
                     cacheUtilService.getPreAuthTransaction(transactionId);
             if(transaction == null) {
                 throw new InvalidTransactionException();
             }
+
+            //For the first attempt individualId will be null, hence blocked check is not required
+            if(transaction.getIndividualIdHash() != null && cacheUtilService.isIndividualIdBlocked(transaction.getIndividualIdHash()))
+                throw new EsignetException(ErrorConstants.INDIVIDUAL_ID_BLOCKED);
+
             if(transaction.getOauthDetailsHash().equals(hashValue)) {
+                validateApiRateLimits(path, transactionId, transaction.getIndividualIdHash());
                 filterChain.doFilter(request, response);
                 return;
             }
@@ -101,4 +117,38 @@ private String getMessage(String errorCode) {
         }
         return errorCode;
     }
+
+    private void validateApiRateLimits(String path, String transactionId, String individualIdHash) {
+        int apiCode = path.endsWith("send-otp") ? 1 : path.endsWith("authenticate")? 2 : 3;
+
+        switch (apiCode) {
+            case 1:
+                ApiRateLimit sendOtpLimit = cacheUtilService.getApiRateLimitTransaction(transactionId);
+                checkCountLimit(1, sendOtpLimit, sendOtpAttempts, individualIdHash);
+                cacheUtilService.saveApiRateLimit(transactionId, sendOtpLimit);
+                break;
+            case 2:
+                ApiRateLimit authenticateLimit = cacheUtilService.getApiRateLimitTransaction(transactionId);
+                checkCountLimit(2, authenticateLimit, authenticateAttempts, individualIdHash);
+                cacheUtilService.saveApiRateLimit(transactionId, authenticateLimit);
+                break;
+        }
+    }
+
+    private void checkCountLimit(int apiCode, ApiRateLimit apiRateLimit, int attemptsLimit, String individualId) {
+        if(apiRateLimit == null) {
+            apiRateLimit = new ApiRateLimit();
+        }
+        apiRateLimit.increment(apiCode);
+        if(apiRateLimit.getCount().get(apiCode) > attemptsLimit) {
+            blockIndividualId(individualId);
+            throw new EsignetException(ErrorConstants.NO_ATTEMPTS_LEFT);
+        }
+    }
+
+    private void blockIndividualId(String individualIdHash) {
+        if(individualIdHash != null) {
+            cacheUtilService.blockIndividualId(individualIdHash);
+        }
+    }
 }

oidc-service-impl/src/main/java/io/mosip/esignet/services/AuthorizationServiceImpl.java

@@ -145,6 +145,7 @@ public OtpResponse sendOtp(OtpRequest otpRequest) throws EsignetException {
         if(transaction == null)
             throw new InvalidTransactionException();
 
+        cacheUtilService.updateIndividualIdHashInPreAuthCache(otpRequest.getTransactionId(), otpRequest.getIndividualId());
         SendOtpResult sendOtpResult = authorizationHelperService.delegateSendOtpRequest(otpRequest, transaction);
         OtpResponse otpResponse = new OtpResponse();
         otpResponse.setTransactionId(otpRequest.getTransactionId());
@@ -226,6 +227,7 @@ private OIDCTransaction authenticate(AuthRequest authRequest, boolean checkConse
         if(transaction == null)
             throw new InvalidTransactionException();
 
+        cacheUtilService.updateIndividualIdHashInPreAuthCache(authRequest.getTransactionId(), authRequest.getIndividualId());
         //Validate provided challenge list auth-factors with resolved auth-factors for the transaction.
         Set<List<AuthenticationFactor>> providedAuthFactors = authorizationHelperService.getProvidedAuthFactors(transaction,
                 authRequest.getChallengeList());

oidc-service-impl/src/main/java/io/mosip/esignet/services/CacheUtilService.java

@@ -7,16 +7,21 @@
 
 import io.mosip.esignet.core.dto.OIDCTransaction;
 import io.mosip.esignet.core.dto.LinkTransactionMetadata;
+import io.mosip.esignet.core.dto.ApiRateLimit;
 import io.mosip.esignet.core.exception.DuplicateLinkCodeException;
 import io.mosip.esignet.core.constants.Constants;
+import io.mosip.esignet.core.util.IdentityProviderUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.cache.CacheManager;
 import org.springframework.cache.annotation.CacheEvict;
+import org.springframework.cache.annotation.CachePut;
 import org.springframework.cache.annotation.Cacheable;
 import org.springframework.cache.annotation.Caching;
 import org.springframework.stereotype.Service;
 
+import static io.mosip.esignet.core.util.IdentityProviderUtil.ALGO_SHA3_256;
+
 
 @Slf4j
 @Service
@@ -104,6 +109,25 @@ public OIDCTransaction updateTransactionAndEvictLinkCode(String transactionId, S
         return oidcTransaction;
     }
 
+    @CachePut(value = Constants.RATE_LIMIT_CACHE, key = "#transactionId")
+    public ApiRateLimit saveApiRateLimit(String transactionId, ApiRateLimit apiRateLimit) {
+        return apiRateLimit;
+    }
+
+    @Cacheable(value = Constants.BLOCKED_CACHE, key = "#individualIdHash")
+    public String blockIndividualId(String individualIdHash) {
+        return individualIdHash;
+    }
+
+    @Cacheable(value = Constants.PRE_AUTH_SESSION_CACHE, key = "#transactionId")
+    public OIDCTransaction updateIndividualIdHashInPreAuthCache(String transactionId, String individualId) {
+        OIDCTransaction oidcTransaction = cacheManager.getCache(Constants.PRE_AUTH_SESSION_CACHE).get(transactionId, OIDCTransaction.class);//NOSONAR getCache() will not be returning null here.
+        if(oidcTransaction != null) {
+            oidcTransaction.setIndividualIdHash(IdentityProviderUtil.generateB64EncodedHash(ALGO_SHA3_256, individualId));
+        }
+        return oidcTransaction;
+    }
+
     //------------------------------------------------------------------------------------------------------------------
 
     public OIDCTransaction getPreAuthTransaction(String transactionId) {
@@ -141,4 +165,13 @@ public OIDCTransaction getLinkedSessionTransaction(String linkTransactionId) {
     public OIDCTransaction getLinkedAuthTransaction(String linkTransactionId) {
         return cacheManager.getCache(Constants.LINKED_AUTH_CACHE).get(linkTransactionId, OIDCTransaction.class);	//NOSONAR getCache() will not be returning null here.
     }
+
+    public ApiRateLimit getApiRateLimitTransaction(String transactionId) {
+        return cacheManager.getCache(Constants.RATE_LIMIT_CACHE).get(transactionId, ApiRateLimit.class); //NOSONAR getCache() will not be returning null here.
+    }
+
+    public boolean isIndividualIdBlocked(String individualIdHash) {
+        String idHash = cacheManager.getCache(Constants.BLOCKED_CACHE).get(individualIdHash, String.class); //NOSONAR getCache() will not be returning null here.
+        return idHash != null;
+    }
 }