Merge branch 'wso2:master' into master

modules/api-resources/api-resources-full/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>api-resources</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
     <artifactId>api-resources-full</artifactId>
-    <version>7.0.0-beta4-SNAPSHOT</version>
+    <version>7.0.0-beta5-SNAPSHOT</version>
     <packaging>war</packaging>
 
     <name>WSO2 Identity Server - All Rest API</name>

modules/api-resources/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-server-parent</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
     <artifactId>api-resources</artifactId>
-    <version>7.0.0-beta4-SNAPSHOT</version>
+    <version>7.0.0-beta5-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <name>WSO2 Identity Server - Rest API</name>

modules/authenticators/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-server-parent</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

modules/connectors/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-server-parent</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

modules/distribution/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-server-parent</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/features/org.wso2.identity.styles.feature/pom.xml

@@ -20,7 +20,7 @@
 	<parent>
 		<groupId>org.wso2.is</groupId>
 		<artifactId>identity-features</artifactId>
-		<version>7.0.0-beta4-SNAPSHOT</version>
+		<version>7.0.0-beta5-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

modules/features/org.wso2.identity.ui.feature/pom.xml

@@ -20,7 +20,7 @@
 	<parent>
 		<groupId>org.wso2.is</groupId>
 		<artifactId>identity-features</artifactId>
-		<version>7.0.0-beta4-SNAPSHOT</version>
+		<version>7.0.0-beta5-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

modules/features/org.wso2.identity.utils.feature/pom.xml

@@ -20,7 +20,7 @@
 	<parent>
 		<groupId>org.wso2.is</groupId>
 		<artifactId>identity-features</artifactId>
-		<version>7.0.0-beta4-SNAPSHOT</version>
+		<version>7.0.0-beta5-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

modules/features/pom.xml

@@ -17,7 +17,7 @@
 	<parent>
     	<groupId>org.wso2.is</groupId>
     	<artifactId>identity-server-parent</artifactId>
-    	<version>7.0.0-beta4-SNAPSHOT</version>
+    	<version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/integration/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-server-parent</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-common/admin-clients/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-integration-tests</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-common/extensions/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-integration-tests</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-common/integration-test-utils/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-integration-tests</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-common/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-integration-tests</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-common/ui-pages/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-integration-tests</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-integration/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-integration-tests</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-integration/tests-backend/pom.xml

@@ -18,7 +18,7 @@
     <parent>
         <groupId>org.wso2.is</groupId>
         <artifactId>identity-integration-tests</artifactId>
-        <version>7.0.0-beta4-SNAPSHOT</version>
+        <version>7.0.0-beta5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/auth/SecondaryStoreUserLoginTestCase.java

@@ -175,7 +175,7 @@ private void sendAuthorizedPost() throws Exception {
         urlParameters.add(new BasicNameValuePair("callbackurl", PLAYGROUND_APP_CALLBACK_URI));
         urlParameters.add(new BasicNameValuePair("authorizeEndpoint", OAuth2Constant.APPROVAL_URL));
         urlParameters.add(new BasicNameValuePair("authorize", OAuth2Constant.AUTHORIZE_PARAM));
-        urlParameters.add(new BasicNameValuePair("scope", ""));
+        urlParameters.add(new BasicNameValuePair("scope", "device_01"));
         HttpResponse response = sendPostRequestWithParameters(client, urlParameters,
                 OAuth2Constant.AUTHORIZED_USER_URL);
         Assert.assertNotNull(response, "Authorized response is null");

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2DeviceFlowTestCase.java

@@ -134,7 +134,7 @@ public void testSendDeviceAuthorize() throws Exception {
 
         List<NameValuePair> urlParameters = new ArrayList<>();
         urlParameters.add(new BasicNameValuePair(CLIENT_ID_PARAM, consumerKey));
-        urlParameters.add(new BasicNameValuePair(SCOPE_PLAYGROUND_NAME, "device"));
+        urlParameters.add(new BasicNameValuePair(SCOPE_PLAYGROUND_NAME, "device_01"));
         AutomationContext automationContext = new AutomationContext("IDENTITY",
                 TestUserMode.SUPER_TENANT_ADMIN);
         String deviceAuthEndpoint = automationContext.getContextUrls().getBackEndUrl()

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2ServiceClientCredentialTestCase.java

@@ -66,6 +66,8 @@ public class OAuth2ServiceClientCredentialTestCase extends OAuth2ServiceAbstract
 
     private CloseableHttpClient client;
 
+    private static final String VALID_RANDOM_SCOPE = "device_01";
+
     @DataProvider(name = "configProvider")
     public static Object[][] configProvider() {
 
@@ -125,7 +127,7 @@ public void testGetTokenUsingClientCredentialsGrant() throws Exception {
         ClientID clientID = new ClientID(consumerKey);
         Secret clientSecret = new Secret(consumerSecret);
         ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSecret);
-        Scope scope = new Scope(OAUTH2_SCOPE_OPENID, "xyz");
+        Scope scope = new Scope(OAUTH2_SCOPE_OPENID, "xyz", VALID_RANDOM_SCOPE);
 
         URI tokenEndpoint = new URI(getTenantQualifiedURL(OAuth2Constant.ACCESS_TOKEN_ENDPOINT, tenantInfo.getDomain()));
         TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, clientCredentialsGrant, scope);
@@ -143,7 +145,10 @@ public void testGetTokenUsingClientCredentialsGrant() throws Exception {
         Assert.assertNotNull(accessToken, "Access Token is null in the token response.");
 
         Scope scopesInResponse = accessTokenResponse.getTokens().getAccessToken().getScope();
-        Assert.assertTrue(scopesInResponse.contains("xyz"), "Requested scope is missing in the token response");
+        Assert.assertFalse(scopesInResponse.contains("xyz"), "Not allowed random scope is issued for client credential " +
+                "grant type.");
+        Assert.assertTrue(scopesInResponse.contains(VALID_RANDOM_SCOPE), "Allowed random scope is not issued for " +
+                "client credential grant type.");
 
         // This ensures that openid scopes are not issued for client credential grant type.
         Assert.assertFalse(accessTokenResponse instanceof OIDCTokenResponse, "Client credential grant type cannot " +

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2ServiceImplicitGrantTestCase.java

@@ -18,6 +18,7 @@
 
 package org.wso2.identity.integration.test.oauth2;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.http.Header;
 import org.apache.http.HttpResponse;
 import org.apache.http.NameValuePair;
@@ -73,6 +74,7 @@ public class OAuth2ServiceImplicitGrantTestCase extends OAuth2ServiceAbstractInt
 	private final AutomationContext context;
 	private Tenant tenantInfo;
 	private String applicationId;
+	private static final String VALID_SCOPES = "device_01";
 
 	@DataProvider(name = "configProvider")
 	public static Object[][] configProvider() {
@@ -104,7 +106,7 @@ public void testInit() throws Exception {
 				.setDefaultRequestConfig(requestConfig)
 				.setDefaultCookieSpecRegistry(cookieSpecRegistry)
 				.build();
-		scopes = "abc";
+		scopes = "abc " + VALID_SCOPES;
 	}
 
 	@AfterClass(alwaysRun = true)
@@ -223,7 +225,7 @@ public void testSendApprovalPost() throws Exception {
 		String urlScopes = DataExtractUtil.extractParamFromURIFragment(locationHeader.getValue(),
 				OAuth2Constant.OAUTH2_SCOPE);
 		Assert.assertNotNull(accessToken, "Access token is null.");
-		Assert.assertEquals(urlScopes, scopes, "Scopes are not equal.");
+		Assert.assertEquals(urlScopes, VALID_SCOPES, "Scopes are not equal.");
 		EntityUtils.consume(response.getEntity());
 	}
 
@@ -236,5 +238,7 @@ public void testValidateAccessToken() throws Exception {
 				username, userPassword);
 		Assert.assertNotNull(responseObj, "Validate access token failed. response is invalid.");
 		Assert.assertEquals(responseObj.get("active"), true, "Token Validation failed");
+		// Only the allowed scopes should be returned and Random Scope should not be returned.
+		Assert.assertTrue(StringUtils.equals((String) responseObj.get("scope"), VALID_SCOPES), "Scope Validation failed");
 	}
 }

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2ServiceRegexCallbackUrlTestCase.java

@@ -119,6 +119,7 @@ public void testSendAuthorozedPost() throws Exception {
 		urlParameters.add(new BasicNameValuePair("authorizeEndpoint", OAuth2Constant.APPROVAL_URL));
 		urlParameters.add(new BasicNameValuePair("authorize", OAuth2Constant.AUTHORIZE_PARAM));
 		urlParameters.add(new BasicNameValuePair("consumerSecret", consumerSecret));
+		urlParameters.add(new BasicNameValuePair("scope", "device_01"));
 
 		HttpResponse response =
 				sendPostRequestWithParameters(client, urlParameters, OAuth2Constant.AUTHORIZED_USER_URL);

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2TokenRevocationWithMultipleSessionTerminationTestCase.java

@@ -137,7 +137,7 @@ public void testMultipleOIDCLogins() throws Exception {
 
     private void testLoginToFirstSession() throws Exception {
 
-        initiateAuthorizationRequest(httpClientForFirstSession, OAuth2Constant.OAUTH2_SCOPE_OPENID + " " + "random");
+        initiateAuthorizationRequest(httpClientForFirstSession, OAuth2Constant.OAUTH2_SCOPE_OPENID + " " + "device_01");
         authenticateUser(httpClientForFirstSession);
         String authorizationCode = performConsentApproval(httpClientForFirstSession);
         accessTokenInFirstSession = generateAuthzCodeAccessToken(authorizationCode, httpClientForFirstSession);

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2XACMLScopeValidatorTestCase.java

@@ -43,12 +43,15 @@
 import org.wso2.carbon.identity.application.common.model.xsd.ServiceProvider;
 import org.wso2.carbon.identity.entitlement.stub.dto.PolicyDTO;
 import org.wso2.carbon.identity.oauth.stub.dto.OAuthConsumerAppDTO;
+import org.wso2.carbon.integration.common.utils.mgt.ServerConfigurationManager;
 import org.wso2.identity.integration.common.clients.entitlement.EntitlementPolicyServiceClient;
 import org.wso2.identity.integration.test.rest.api.server.application.management.v1.model.ApplicationPatchModel;
 import org.wso2.identity.integration.test.rest.api.server.application.management.v1.model.AssociatedRolesConfig;
+import org.wso2.identity.integration.test.util.Utils;
 import org.wso2.identity.integration.test.utils.CarbonUtils;
 import org.wso2.identity.integration.test.utils.OAuth2Constant;
 
+import java.io.File;
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -58,6 +61,7 @@
  */
 public class OAuth2XACMLScopeValidatorTestCase extends OAuth2ServiceAbstractIntegrationTest {
 
+    private ServerConfigurationManager serverConfigurationManager;
     private static final String VALIDATE_SCOPE_BASED_POLICY_ID = "validate_scope_based_policy_template";
     private static final String VALID_SCOPE = "SCOPE1";
     private static final String INTROSPECT_SCOPE = "internal_application_mgt_view";
@@ -116,6 +120,16 @@ public class OAuth2XACMLScopeValidatorTestCase extends OAuth2ServiceAbstractInte
     @BeforeClass(alwaysRun = true)
     public void testInit() throws Exception {
 
+        super.init(TestUserMode.SUPER_TENANT_USER);
+        String carbonHome = Utils.getResidentCarbonHome();
+        // Disabling dropping unregistered scopes to avoid scope validation failure.
+        File defaultTomlFile = getDeploymentTomlFile(carbonHome);
+        File configuredTomlFile = new File(getISResourceLocation() + File.separator
+                + "xacml_scope_validator.toml");
+
+        serverConfigurationManager = new ServerConfigurationManager(isServer);
+        serverConfigurationManager.applyConfigurationWithoutRestart(configuredTomlFile, defaultTomlFile, true);
+        serverConfigurationManager.restartGracefully();
         super.init(TestUserMode.SUPER_TENANT_USER);
         isLegacyRuntimeEnabled = CarbonUtils.isLegacyAuthzRuntimeEnabled();
         entitlementPolicyClient = new EntitlementPolicyServiceClient(backendURL, sessionCookie);
@@ -126,6 +140,7 @@ public void atEnd() throws Exception {
 
         deleteApplication();
         removeOAuthApplicationData();
+        serverConfigurationManager.restoreToLastConfiguration(false);
         consumerKey = null;
         consumerSecret = null;
         entitlementPolicyClient.removePolicy(VALIDATE_SCOPE_BASED_POLICY_ID);

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/Oauth2HashAlgorithmTestCase.java

@@ -57,7 +57,6 @@
 public class Oauth2HashAlgorithmTestCase extends OAuth2ServiceAbstractIntegrationTest {
 
     private String accessToken;
-    private String sessionDataKeyConsent;
     private String sessionDataKey;
     private String consumerKey;
     private String consumerSecret;
@@ -163,32 +162,6 @@ public void testSendLoginPost() throws Exception {
         EntityUtils.consume(response.getEntity());
 
         response = sendGetRequest(client, locationHeader.getValue());
-        Map<String, Integer> keyPositionMap = new HashMap<>(1);
-        keyPositionMap.put("name=\"" + OAuth2Constant.SESSION_DATA_KEY_CONSENT + "\"", 1);
-        List<DataExtractUtil.KeyValue> keyValues =
-                DataExtractUtil.extractSessionConsentDataFromResponse(response,
-                        keyPositionMap);
-        Assert.assertNotNull(keyValues, "SessionDataKeyConsent key value is null");
-        sessionDataKeyConsent = keyValues.get(0).getValue();
-        EntityUtils.consume(response.getEntity());
-
-        Assert.assertNotNull(sessionDataKeyConsent, "Invalid session key consent.");
-    }
-
-    @Test(groups = "wso2.is", description = "Send approval post request", dependsOnMethods = "testSendLoginPost")
-    public void testSendApprovalPost() throws Exception {
-
-        HttpResponse response = sendApprovalPost(client, sessionDataKeyConsent);
-        Assert.assertNotNull(response, "Approval response is invalid.");
-
-        Header locationHeader =
-                response.getFirstHeader(OAuth2Constant.HTTP_RESPONSE_HEADER_LOCATION);
-        Assert.assertNotNull(locationHeader, "Approval Location header is null.");
-        EntityUtils.consume(response.getEntity());
-
-        response = sendPostRequest(client, locationHeader.getValue());
-        Assert.assertNotNull(response, "Get Activation response is invalid.");
-
         Map<String, Integer> keyPositionMap = new HashMap<>(1);
         keyPositionMap.put("Authorization Code", 1);
         List<DataExtractUtil.KeyValue> keyValues =
@@ -201,10 +174,9 @@ public void testSendApprovalPost() throws Exception {
         }
         Assert.assertNotNull(authorizationCode, "Authorization code is null.");
         EntityUtils.consume(response.getEntity());
-
     }
 
-    @Test(groups = "wso2.is", description = "Get access token", dependsOnMethods = "testSendApprovalPost")
+    @Test(groups = "wso2.is", description = "Get access token", dependsOnMethods = "testSendLoginPost")
     public void testGetAccessToken() throws Exception {
 
         HttpResponse response = sendGetAccessTokenPost(client, consumerSecret);