Throttling is not working when invoking the API with MTLS authentication - CC 1.0.0 #3385

Open
Sumudu-Sahan opened this issue Jun 23, 2023 · 0 comments

Sumudu-Sahan commented Jun 23, 2023

Description

The request does not get throttled out based on the policy that was selected when configuring the MTLS authentication through the publisher portal.

Steps to Reproduce

  • Configure an APIM with the Choreo Connect.
  • Configure the MTLS by referring to the documentation [1].
  • Start the APIM node and go to the admin portal.
  • Create a new subscription throttling policy (1 request per minute) to assign when uploading the certificate.
  • Then go to the publisher portal and create an API (TEST_API).
  • Configure the MTLS authentication for the API as a mandatory one and upload the CRT certificate. When configuring the MTLS, select the created subscription throttling policy (1 request per minute).

  • Deploy the API to the Choreo Connect.
  • Invoke the API in the Choreo Connect multiple times, and you are able to see the backend response without the request being throttled out.
  • Furthermore, you are able to see that the enforcer is taking the Unlimited tier (which is used to subscribe the API with the application), and the MTLS throttling tier does not get applied in this case.
enforcer_1  | [2023-06-21 07:55:18,569][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.api.APIFactory} - Looking for matching API with basepath: /test/1.0.0 and version: 1.0.0
enforcer_1  | [2023-06-21 07:55:18,570][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.server.RequestHandler} - API /test/1.0.0/1.0.0 found in the cache
enforcer_1  | [2023-06-21 07:55:18,570][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.cors.CorsFilter} - Cors Filter (enforcer) is applied.
enforcer_1  | [2023-06-21 07:55:18,570][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.AuthFilter} - mTLS authentication was passed for the request: /* , API: TEST_API:1.0.0 
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.jwt.JWTAuthenticator} - No subscription information found in the token.
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.jwt.JWTAuthenticator} - Begin subscription validation via Key Manager: Resident Key Manager
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.KeyValidator} - Before validating subscriptions
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.KeyValidator} - Validation Info : { uuid : e4e8bb1d-03d1-45cb-b78c-b113c0e091d7, context : /test/1.0.0, version : 1.0.0, consumerKey : hXfz08tSX0hv5ZxLRMlxqbbPHTIa }
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.KeyValidator} - All information is retrieved from the inmemory data store.
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.KeyValidator} - After validating subscriptions
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.jwt.JWTAuthenticator} - Subscription validation via Key Manager. Status: true
enforcer_1  | [2023-06-21 07:55:18,571][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.KeyValidator} - Scopes allowed for token : eyJ4NXQiOiJOVGRtWmpNNFpEazNOalkwWXpjNU1tWm1PRGd3TVRFM01XWXdOREU1TVdSbFpEZzROemM0WkEiLCJraWQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBelpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZ19SUzI1NiIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImF1dCI6IkFQUExJQ0FUSU9OIiwiYXVkIjoiaFhmejA4dFNYMGh2NVp4TFJNbHhxYmJQSFRJYSIsIm5iZiI6MTY4NzMzNDA2MywiYXpwIjoiaFhmejA4dFNYMGh2NVp4TFJNbHhxYmJQSFRJYSIsInNjb3BlIjoiZGVmYXVsdCIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTY4NzMzNzY2MywiaWF0IjoxNjg3MzM0MDYzLCJqdGkiOiJiYTIzODZmOC1iOTI3LTQ2M2YtOWE5Yy1hNWI5ZmZjZTg1ZTAifQ.xXTRqEbVA12eMuCyR2SJ9h-4RChmDmJgJifUs8FTDu4PSbOb7LLWUtExNn4LgeLgqbu-7Dtzpu5JVT_S3bcz5f6tMp_pyrYPu-_WTS4270hx9Xp3Iqo2cKxryspWohkHF6GCmPrhhCLtu9IO82MD6CTISJ5Uofw6mRxd7d_wwShsRRsNYSP4fwgkSCYjdZOZmMNLb3C2apcnj4dYJbmV4JIXYfTNBmNIh1bBwVZRRZPTqaZE_7Z4489y_kmkM0CCRzcsw1m3b2ovgOMsPy6V6vpX3xGssCb1ET33lxHm-U1Vkkq8MrLBWm17vgtykio6BIp-o94gfQ0Bm3lK2ktnrQ : default
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.jwt.JWTAuthenticator} - Scope validation successful for the resource: /*
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.jwt.JWTAuthenticator} - JWT authentication successful.
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Throttle filter received the request
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Found AuthenticationContext for the request
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Checking if request is throttled at API/Resource level for tier: Unlimited, key: /test/1.0.0/1.0.0/*:GET
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Subscription Level throttle decision is false for key:tier 1:/test/1.0.0:1.0.0:Unlimited
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Application Level throttle decision is false for key:tier 1:[email protected]:Unlimited
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Custom policy throttle decision is false
enforcer_1  | [2023-06-21 07:55:18,573][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.databridge.publisher.ThrottleDataPublisher} - Publishing throttle data from gateway to traffic-manager for: /test/1.0.0 with ID: 15164779232742333913 started at [2023.06.21 07:55:18,573 GMT]
enforcer_1  | [2023-06-21 07:55:18,573][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.databridge.publisher.ThrottleDataPublisher} - Publishing throttle data from gateway to traffic-manager for: /test/1.0.0 with ID: 15164779232742333913 ended at [2023.06.21 07:55:18,573 GMT]
enforcer_1  | [2023-06-21 07:55:18,574][] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.databridge.agent.endpoint.DataEndpoint} - Current threads count is : 1, maxPoolSize is : 1, therefore state is now : ACTIVE at time : 19178749182683

[1] https://apim.docs.wso2.com/en/4.0.0/deploy-and-publish/deploy-on-gateway/choreo-connect/security/api-authentication/mutual-ssl-authentication/

Version

Choreo Connect - 1.0.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response
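
The log check described in the steps above, as an added example (not part of the original issue and not Choreo Connect code): it groups enforcer DEBUG lines by request ID and reports requests where mTLS passed but the subscription-level tier differs from the policy attached to the certificate. The first two sample lines are copied from the issue's log; the other two lines, the policy name `OnePerMin`, and the reading of the last `:`-separated field of the key as the tier are assumptions.

```python
import re
from collections import defaultdict

# Lines 1-2 are copied from the issue's log; lines 3-4 are constructed.
SAMPLE_LOG = """\
enforcer_1  | [2023-06-21 07:55:18,570][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.security.AuthFilter} - mTLS authentication was passed for the request: /* , API: TEST_API:1.0.0 
enforcer_1  | [2023-06-21 07:55:18,572][5337e64c-9c65-43ab-b720-ef2074970c6d] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Subscription Level throttle decision is false for key:tier 1:/test/1.0.0:1.0.0:Unlimited
enforcer_1  | [2023-06-21 07:56:40,101][00000000-0000-0000-0000-000000000002] DEBUG - {org.wso2.choreo.connect.enforcer.security.AuthFilter} - mTLS authentication was passed for the request: /* , API: TEST_API:1.0.0
enforcer_1  | [2023-06-21 07:56:40,103][00000000-0000-0000-0000-000000000002] DEBUG - {org.wso2.choreo.connect.enforcer.throttle.ThrottleFilter} - Subscription Level throttle decision is true for key:tier 2:/test/1.0.0:1.0.0:OnePerMin
"""

# [timestamp][request id] LEVEL - {logger class} - message
LINE = re.compile(r"\[(?P<ts>[^\]]+)\]\[(?P<rid>[^\]]*)\] \w+ - \{(?P<cls>[^}]+)\} - (?P<msg>.*)")
MTLS_OK = re.compile(r"mTLS authentication was passed for the request: .*API: (\S+)")
# Assumption: the last ':'-separated field of the key is the tier name.
SUB_TIER = re.compile(
    r"Subscription Level throttle decision is (true|false) for key:tier (.*):([^:\s]+)\s*$")


def mtls_requests_with_tier(log_text):
    """Map request ID -> {api, tier, throttled} for requests where mTLS passed."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or not m["rid"]:
            continue  # not an enforcer line, or not tied to a request
        cls, msg, rid = m["cls"], m["msg"], m["rid"]
        if cls.endswith(".AuthFilter") and (a := MTLS_OK.search(msg)):
            seen[rid]["api"] = a[1]
        elif cls.endswith(".ThrottleFilter") and (s := SUB_TIER.search(msg)):
            seen[rid].update(tier=s[3], throttled=(s[1] == "true"))
    # Keep only requests that have both the mTLS line and a tier decision.
    return {rid: r for rid, r in seen.items() if "api" in r and "tier" in r}


def flag_wrong_tier(log_text, expected_tier):
    """List (request_id, api, tier) where the applied tier is not the expected one."""
    return [(rid, r["api"], r["tier"])
            for rid, r in mtls_requests_with_tier(log_text).items()
            if r["tier"] != expected_tier]


if __name__ == "__main__":
    for rid, api, tier in flag_wrong_tier(SAMPLE_LOG, "OnePerMin"):
        print(f"{rid} {api}: mTLS passed but tier applied was {tier}")
```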
