Modify the tests to work with drop_unregistered_scopes config

With #17551, we will enable the drop_unregistered_scopes by default [1]. If we did that, the above tests will get failed and we need to modify them accordingly to work with the newest changes

[1] - wso2/carbon-identity-framework#5284

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/auth/SecondaryStoreUserLoginTestCase.java

@@ -175,7 +175,7 @@ private void sendAuthorizedPost() throws Exception {
         urlParameters.add(new BasicNameValuePair("callbackurl", PLAYGROUND_APP_CALLBACK_URI));
         urlParameters.add(new BasicNameValuePair("authorizeEndpoint", OAuth2Constant.APPROVAL_URL));
         urlParameters.add(new BasicNameValuePair("authorize", OAuth2Constant.AUTHORIZE_PARAM));
-        urlParameters.add(new BasicNameValuePair("scope", ""));
+        urlParameters.add(new BasicNameValuePair("scope", "device_01"));
         HttpResponse response = sendPostRequestWithParameters(client, urlParameters,
                 OAuth2Constant.AUTHORIZED_USER_URL);
         Assert.assertNotNull(response, "Authorized response is null");

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2DeviceFlowTestCase.java

@@ -134,7 +134,7 @@ public void testSendDeviceAuthorize() throws Exception {
 
         List<NameValuePair> urlParameters = new ArrayList<>();
         urlParameters.add(new BasicNameValuePair(CLIENT_ID_PARAM, consumerKey));
-        urlParameters.add(new BasicNameValuePair(SCOPE_PLAYGROUND_NAME, "device"));
+        urlParameters.add(new BasicNameValuePair(SCOPE_PLAYGROUND_NAME, "device_01"));
         AutomationContext automationContext = new AutomationContext("IDENTITY",
                 TestUserMode.SUPER_TENANT_ADMIN);
         String deviceAuthEndpoint = automationContext.getContextUrls().getBackEndUrl()

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2ServiceClientCredentialTestCase.java

@@ -66,6 +66,8 @@ public class OAuth2ServiceClientCredentialTestCase extends OAuth2ServiceAbstract
 
     private CloseableHttpClient client;
 
+    private static final String VALID_RANDOM_SCOPE = "device_01";
+
     @DataProvider(name = "configProvider")
     public static Object[][] configProvider() {
 
@@ -125,7 +127,7 @@ public void testGetTokenUsingClientCredentialsGrant() throws Exception {
         ClientID clientID = new ClientID(consumerKey);
         Secret clientSecret = new Secret(consumerSecret);
         ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSecret);
-        Scope scope = new Scope(OAUTH2_SCOPE_OPENID, "xyz");
+        Scope scope = new Scope(OAUTH2_SCOPE_OPENID, "xyz", VALID_RANDOM_SCOPE);
 
         URI tokenEndpoint = new URI(getTenantQualifiedURL(OAuth2Constant.ACCESS_TOKEN_ENDPOINT, tenantInfo.getDomain()));
         TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, clientCredentialsGrant, scope);
@@ -143,7 +145,10 @@ public void testGetTokenUsingClientCredentialsGrant() throws Exception {
         Assert.assertNotNull(accessToken, "Access Token is null in the token response.");
 
         Scope scopesInResponse = accessTokenResponse.getTokens().getAccessToken().getScope();
-        Assert.assertTrue(scopesInResponse.contains("xyz"), "Requested scope is missing in the token response");
+        Assert.assertFalse(scopesInResponse.contains("xyz"), "Not allowed random scope is issued for client credential " +
+                "grant type.");
+        Assert.assertTrue(scopesInResponse.contains(VALID_RANDOM_SCOPE), "Allowed random scope is not issued for " +
+                "client credential grant type.");
 
         // This ensures that openid scopes are not issued for client credential grant type.
         Assert.assertFalse(accessTokenResponse instanceof OIDCTokenResponse, "Client credential grant type cannot " +

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2ServiceImplicitGrantTestCase.java

@@ -18,6 +18,7 @@
 
 package org.wso2.identity.integration.test.oauth2;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.http.Header;
 import org.apache.http.HttpResponse;
 import org.apache.http.NameValuePair;
@@ -73,6 +74,7 @@ public class OAuth2ServiceImplicitGrantTestCase extends OAuth2ServiceAbstractInt
 	private final AutomationContext context;
 	private Tenant tenantInfo;
 	private String applicationId;
+	private static final String VALID_SCOPES = "device_01";
 
 	@DataProvider(name = "configProvider")
 	public static Object[][] configProvider() {
@@ -104,7 +106,7 @@ public void testInit() throws Exception {
 				.setDefaultRequestConfig(requestConfig)
 				.setDefaultCookieSpecRegistry(cookieSpecRegistry)
 				.build();
-		scopes = "abc";
+		scopes = "abc " + VALID_SCOPES;
 	}
 
 	@AfterClass(alwaysRun = true)
@@ -223,7 +225,7 @@ public void testSendApprovalPost() throws Exception {
 		String urlScopes = DataExtractUtil.extractParamFromURIFragment(locationHeader.getValue(),
 				OAuth2Constant.OAUTH2_SCOPE);
 		Assert.assertNotNull(accessToken, "Access token is null.");
-		Assert.assertEquals(urlScopes, scopes, "Scopes are not equal.");
+		Assert.assertEquals(urlScopes, VALID_SCOPES, "Scopes are not equal.");
 		EntityUtils.consume(response.getEntity());
 	}
 
@@ -236,5 +238,7 @@ public void testValidateAccessToken() throws Exception {
 				username, userPassword);
 		Assert.assertNotNull(responseObj, "Validate access token failed. response is invalid.");
 		Assert.assertEquals(responseObj.get("active"), true, "Token Validation failed");
+		// Only the allowed scopes should be returned and Random Scope should not be returned.
+		Assert.assertTrue(StringUtils.equals((String) responseObj.get("scope"), VALID_SCOPES), "Token Validation failed");
 	}
 }

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2ServiceRegexCallbackUrlTestCase.java

@@ -119,6 +119,7 @@ public void testSendAuthorozedPost() throws Exception {
 		urlParameters.add(new BasicNameValuePair("authorizeEndpoint", OAuth2Constant.APPROVAL_URL));
 		urlParameters.add(new BasicNameValuePair("authorize", OAuth2Constant.AUTHORIZE_PARAM));
 		urlParameters.add(new BasicNameValuePair("consumerSecret", consumerSecret));
+		urlParameters.add(new BasicNameValuePair("scope", "device_01"));
 
 		HttpResponse response =
 				sendPostRequestWithParameters(client, urlParameters, OAuth2Constant.AUTHORIZED_USER_URL);

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2TokenRevocationWithMultipleSessionTerminationTestCase.java

@@ -137,7 +137,7 @@ public void testMultipleOIDCLogins() throws Exception {
 
     private void testLoginToFirstSession() throws Exception {
 
-        initiateAuthorizationRequest(httpClientForFirstSession, OAuth2Constant.OAUTH2_SCOPE_OPENID + " " + "random");
+        initiateAuthorizationRequest(httpClientForFirstSession, OAuth2Constant.OAUTH2_SCOPE_OPENID + " " + "device_01");
         authenticateUser(httpClientForFirstSession);
         String authorizationCode = performConsentApproval(httpClientForFirstSession);
         accessTokenInFirstSession = generateAuthzCodeAccessToken(authorizationCode, httpClientForFirstSession);

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OAuth2XACMLScopeValidatorTestCase.java

@@ -43,12 +43,15 @@
 import org.wso2.carbon.identity.application.common.model.xsd.ServiceProvider;
 import org.wso2.carbon.identity.entitlement.stub.dto.PolicyDTO;
 import org.wso2.carbon.identity.oauth.stub.dto.OAuthConsumerAppDTO;
+import org.wso2.carbon.integration.common.utils.mgt.ServerConfigurationManager;
 import org.wso2.identity.integration.common.clients.entitlement.EntitlementPolicyServiceClient;
 import org.wso2.identity.integration.test.rest.api.server.application.management.v1.model.ApplicationPatchModel;
 import org.wso2.identity.integration.test.rest.api.server.application.management.v1.model.AssociatedRolesConfig;
+import org.wso2.identity.integration.test.util.Utils;
 import org.wso2.identity.integration.test.utils.CarbonUtils;
 import org.wso2.identity.integration.test.utils.OAuth2Constant;
 
+import java.io.File;
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -58,6 +61,7 @@
  */
 public class OAuth2XACMLScopeValidatorTestCase extends OAuth2ServiceAbstractIntegrationTest {
 
+    private ServerConfigurationManager serverConfigurationManager;
     private static final String VALIDATE_SCOPE_BASED_POLICY_ID = "validate_scope_based_policy_template";
     private static final String VALID_SCOPE = "SCOPE1";
     private static final String INTROSPECT_SCOPE = "internal_application_mgt_view";
@@ -116,6 +120,16 @@ public class OAuth2XACMLScopeValidatorTestCase extends OAuth2ServiceAbstractInte
     @BeforeClass(alwaysRun = true)
     public void testInit() throws Exception {
 
+        super.init(TestUserMode.SUPER_TENANT_USER);
+        String carbonHome = Utils.getResidentCarbonHome();
+        // Disabling dropping unregistered scopes to avoid scope validation failure.
+        File defaultTomlFile = getDeploymentTomlFile(carbonHome);
+        File configuredTomlFile = new File(getISResourceLocation() + File.separator
+                + "xacml_scope_validator.toml");
+
+        serverConfigurationManager = new ServerConfigurationManager(isServer);
+        serverConfigurationManager.applyConfigurationWithoutRestart(configuredTomlFile, defaultTomlFile, true);
+        serverConfigurationManager.restartGracefully();
         super.init(TestUserMode.SUPER_TENANT_USER);
         isLegacyRuntimeEnabled = CarbonUtils.isLegacyAuthzRuntimeEnabled();
         entitlementPolicyClient = new EntitlementPolicyServiceClient(backendURL, sessionCookie);
@@ -126,6 +140,7 @@ public void atEnd() throws Exception {
 
         deleteApplication();
         removeOAuthApplicationData();
+        serverConfigurationManager.restoreToLastConfiguration(false);
         consumerKey = null;
         consumerSecret = null;
         entitlementPolicyClient.removePolicy(VALIDATE_SCOPE_BASED_POLICY_ID);

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/Oauth2HashAlgorithmTestCase.java

@@ -57,7 +57,6 @@
 public class Oauth2HashAlgorithmTestCase extends OAuth2ServiceAbstractIntegrationTest {
 
     private String accessToken;
-    private String sessionDataKeyConsent;
     private String sessionDataKey;
     private String consumerKey;
     private String consumerSecret;
@@ -163,32 +162,6 @@ public void testSendLoginPost() throws Exception {
         EntityUtils.consume(response.getEntity());
 
         response = sendGetRequest(client, locationHeader.getValue());
-        Map<String, Integer> keyPositionMap = new HashMap<>(1);
-        keyPositionMap.put("name=\"" + OAuth2Constant.SESSION_DATA_KEY_CONSENT + "\"", 1);
-        List<DataExtractUtil.KeyValue> keyValues =
-                DataExtractUtil.extractSessionConsentDataFromResponse(response,
-                        keyPositionMap);
-        Assert.assertNotNull(keyValues, "SessionDataKeyConsent key value is null");
-        sessionDataKeyConsent = keyValues.get(0).getValue();
-        EntityUtils.consume(response.getEntity());
-
-        Assert.assertNotNull(sessionDataKeyConsent, "Invalid session key consent.");
-    }
-
-    @Test(groups = "wso2.is", description = "Send approval post request", dependsOnMethods = "testSendLoginPost")
-    public void testSendApprovalPost() throws Exception {
-
-        HttpResponse response = sendApprovalPost(client, sessionDataKeyConsent);
-        Assert.assertNotNull(response, "Approval response is invalid.");
-
-        Header locationHeader =
-                response.getFirstHeader(OAuth2Constant.HTTP_RESPONSE_HEADER_LOCATION);
-        Assert.assertNotNull(locationHeader, "Approval Location header is null.");
-        EntityUtils.consume(response.getEntity());
-
-        response = sendPostRequest(client, locationHeader.getValue());
-        Assert.assertNotNull(response, "Get Activation response is invalid.");
-
         Map<String, Integer> keyPositionMap = new HashMap<>(1);
         keyPositionMap.put("Authorization Code", 1);
         List<DataExtractUtil.KeyValue> keyValues =
@@ -201,10 +174,9 @@ public void testSendApprovalPost() throws Exception {
         }
         Assert.assertNotNull(authorizationCode, "Authorization code is null.");
         EntityUtils.consume(response.getEntity());
-
     }
 
-    @Test(groups = "wso2.is", description = "Get access token", dependsOnMethods = "testSendApprovalPost")
+    @Test(groups = "wso2.is", description = "Get access token", dependsOnMethods = "testSendLoginPost")
     public void testGetAccessToken() throws Exception {
 
         HttpResponse response = sendGetAccessTokenPost(client, consumerSecret);

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/Oauth2PersistenceProcessorInsertTokenTestCase.java

@@ -56,7 +56,6 @@
 public class Oauth2PersistenceProcessorInsertTokenTestCase extends OAuth2ServiceAbstractIntegrationTest {
 
     private String accessToken;
-    private String sessionDataKeyConsent;
     private String sessionDataKey;
     private String consumerKey;
     private String consumerSecret;
@@ -163,32 +162,6 @@ public void testSendLoginPost() throws Exception {
         EntityUtils.consume(response.getEntity());
 
         response = sendGetRequest(client, locationHeader.getValue());
-        Map<String, Integer> keyPositionMap = new HashMap<>(1);
-        keyPositionMap.put("name=\"" + OAuth2Constant.SESSION_DATA_KEY_CONSENT + "\"", 1);
-        List<DataExtractUtil.KeyValue> keyValues =
-                DataExtractUtil.extractSessionConsentDataFromResponse(response,
-                        keyPositionMap);
-        Assert.assertNotNull(keyValues, "SessionDataKeyConsent key value is null");
-        sessionDataKeyConsent = keyValues.get(0).getValue();
-        EntityUtils.consume(response.getEntity());
-
-        Assert.assertNotNull(sessionDataKeyConsent, "Invalid session key consent.");
-    }
-
-    @Test(groups = "wso2.is", description = "Send approval post request", dependsOnMethods = "testSendLoginPost")
-    public void testSendApprovalPost() throws Exception {
-
-        HttpResponse response = sendApprovalPost(client, sessionDataKeyConsent);
-        Assert.assertNotNull(response, "Approval response is invalid.");
-
-        Header locationHeader =
-                response.getFirstHeader(OAuth2Constant.HTTP_RESPONSE_HEADER_LOCATION);
-        Assert.assertNotNull(locationHeader, "Approval Location header is null.");
-        EntityUtils.consume(response.getEntity());
-
-        response = sendPostRequest(client, locationHeader.getValue());
-        Assert.assertNotNull(response, "Get Activation response is invalid.");
-
         Map<String, Integer> keyPositionMap = new HashMap<>(1);
         keyPositionMap.put("Authorization Code", 1);
         List<DataExtractUtil.KeyValue> keyValues =
@@ -201,10 +174,9 @@ public void testSendApprovalPost() throws Exception {
         }
         Assert.assertNotNull(authorizationCode, "Authorization code is null.");
         EntityUtils.consume(response.getEntity());
-
     }
 
-    @Test(groups = "wso2.is", description = "Get access token", dependsOnMethods = "testSendApprovalPost")
+    @Test(groups = "wso2.is", description = "Get access token", dependsOnMethods = "testSendLoginPost")
     public void testGetAccessToken() throws Exception {
 
         HttpResponse response = sendGetAccessTokenPost(client, consumerSecret);

modules/integration/tests-integration/tests-backend/src/test/resources/artifacts/IS/oauth/add_scope_deployment.toml

@@ -39,4 +39,5 @@ hash = "66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262"
 app_password = "dashboard"
 
 [oauth]
+drop_unregistered_scopes = false
 allowed_scopes = ["internal_test", "test"]

modules/integration/tests-integration/tests-backend/src/test/resources/artifacts/IS/xacml_scope_validator.toml

@@ -0,0 +1,32 @@
+[server]
+hostname = "localhost"
+node_ip = "127.0.0.1"
+base_path = "https://$ref{server.hostname}:${carbon.management.port}"
+
+[super_admin]
+username = "admin"
+password = "admin"
+create_admin_account = true
+
+[user_store]
+type = "database_unique_id"
+
+[database.identity_db]
+driver = "$env{IDENTITY_DATABASE_DRIVER}"
+url = "$env{IDENTITY_DATABASE_URL}"
+username = "$env{IDENTITY_DATABASE_USERNAME}"
+password = "$env{IDENTITY_DATABASE_PASSWORD}"
+
+[database.shared_db]
+driver = "$env{SHARED_DATABASE_DRIVER}"
+url = "$env{SHARED_DATABASE_URL}"
+username = "$env{SHARED_DATABASE_USERNAME}"
+password = "$env{SHARED_DATABASE_PASSWORD}"
+
+[keystore.primary]
+file_name = "wso2carbon.jks"
+password = "wso2carbon"
+
+[oauth]
+drop_unregistered_scopes= false
+allowed_scopes= []

modules/integration/tests-integration/tests-backend/src/test/resources/testng.xml

@@ -68,7 +68,6 @@
             <class name="org.wso2.identity.integration.test.oauth2.OAuth2ServiceRefreshTokenGrantTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.OAuth2RoleClaimTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.OAuth2ScopesTestCase"/>
-            <class name="org.wso2.identity.integration.test.oauth2.OAuth2XACMLScopeValidatorTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.PermissionBasedScopeValidatorTestCase"/>
             <class name="org.wso2.identity.integration.test.oidc.OIDCAuthzCodeIdTokenValidationTestCase"/>
             <class name="org.wso2.identity.integration.test.oidc.OIDCSPWiseSkipLoginConsentTestCase"/>
@@ -343,6 +342,7 @@
             <class name="org.wso2.identity.integration.test.identity.mgt.UserInformationRecoveryServiceTenantEmailUserTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.Oauth2HashAlgorithmTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.Oauth2PersistenceProcessorInsertTokenTestCase"/>
+            <class name="org.wso2.identity.integration.test.oauth2.OAuth2XACMLScopeValidatorTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.Oauth2PersistenceProcessorTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.OAuth2ServiceJWTGrantTestCase"/>
             <class name="org.wso2.identity.integration.test.oauth2.Oauth2TokenRenewalPerRequestTestCase"/>