Merge branch 'wso2:master' into master

wso2 · Oct 18, 2023 · 3a8a98c · 3a8a98c
2 parents c1231e1 + fa4423e
commit 3a8a98c
Show file tree

Hide file tree

Showing 16 changed files with 231 additions and 20 deletions.
diff --git a/modules/distribution/product/src/main/resources/conf/default.json b/modules/distribution/product/src/main/resources/conf/default.json
@@ -458,5 +458,6 @@
   "apim.analytics.properties.keystore_password": "$ref{keystore.primary.password}",
   "apim.analytics.properties.truststore_location": "${carbon.home}/repository/resources/security/$ref{truststore.file_name}",
   "apim.analytics.properties.truststore_password": "$ref{truststore.password}",
-  "tenant_mgt.disable_email_domain_validation": true
+  "tenant_mgt.disable_email_domain_validation": true,
+  "apim.jwt.use_kid_property": true
 }
diff --git a/modules/distribution/product/src/main/resources/conf/templates/repository/conf/broker.xml.j2 b/modules/distribution/product/src/main/resources/conf/templates/repository/conf/broker.xml.j2
@@ -101,6 +101,10 @@ This file is ciphertool compliant. Refer PRODUCT_HOME/repository/conf/security/c
             <allowSharedTopicSubscriptions>{{broker.transport.amqp.allow_shared_topic_subscriptions}}</allowSharedTopicSubscriptions>
             <allowStrictNameValidation>{{broker.transport.amqp.allow_strict_name_validation}}</allowStrictNameValidation>
 
+            <security>
+                <authorization>{{broker.transport.amqp.authorization}}</authorization>
+            </security>
+
             <!-- Refer repository/conf/advanced/qpid-config.xml for further AMQP-specific configurations.-->
         </amqp>
         <mqtt enabled="false">

diff --git a/...n/product/src/main/resources/conf/templates/repository/conf/tomcat/catalina-server.xml.j2 b/...n/product/src/main/resources/conf/templates/repository/conf/tomcat/catalina-server.xml.j2
@@ -94,7 +94,6 @@
                 <Valve className="org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve"/>
                 <Valve className="org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve"/>
                 <Valve className="org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve"/>
-                <Valve className="org.wso2.carbon.identity.cors.valve.CORSValve"/>
                 <!--Error pages -->
                 <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/>
                 {% for valve in catalina.valves %}

diff --git a/modules/distribution/product/src/main/startup-scripts/api-manager.bat b/modules/distribution/product/src/main/startup-scripts/api-manager.bat
@@ -203,7 +203,7 @@ set CARBON_CLASSPATH=".\lib\*";%CARBON_CLASSPATH%
 if %JAVA_VERSION% GEQ 110 set CARBON_CLASSPATH=".\lib\endorsed\*";%CARBON_CLASSPATH%
 
 if %JAVA_VERSION% LEQ 18 set JAVA_VER_BASED_OPTS=-Djava.endorsed.dirs=".\lib\endorsed";"%JAVA_HOME%\jre\lib\endorsed";"%JAVA_HOME%\lib\endorsed"
-if %JAVA_VERSION% GEQ 110 set JAVA_VER_BASED_OPTS=--add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED  --add-opens=java.base/java.io=ALL-UNNAMED
+if %JAVA_VERSION% GEQ 110 set JAVA_VER_BASED_OPTS=--add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED  --add-opens=java.base/java.io=ALL-UNNAMED
 
 set CMD_LINE_ARGS=-Xbootclasspath/a:%CARBON_XBOOTCLASSPATH% -Xms256m -Xmx1024m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath="%CARBON_HOME%\repository\logs\heap-dump.hprof"
 set CMD_LINE_ARGS=%CMD_LINE_ARGS% -Dcom.sun.management.jmxremote -classpath %CARBON_CLASSPATH% %JAVA_OPTS% %JAVA_VER_BASED_OPTS%

diff --git a/modules/distribution/product/src/main/startup-scripts/api-manager.sh b/modules/distribution/product/src/main/startup-scripts/api-manager.sh
@@ -310,7 +310,7 @@ echo "Using Java memory options: $JVM_MEM_OPTS"
 JAVA_VER_BASED_OPTS="--add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED"
 
 if [ $java_version_formatted -ge 1700 ]; then
-    JAVA_VER_BASED_OPTS="$JAVA_VER_BASED_OPTS --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED"
+    JAVA_VER_BASED_OPTS="$JAVA_VER_BASED_OPTS --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED"
 fi
 
 while [ "$status" = "$START_EXIT_STATUS" ]

diff --git a/...egration-test-utils/src/main/java/org/wso2/am/integration/test/impl/RestAPIStoreImpl.java b/...egration-test-utils/src/main/java/org/wso2/am/integration/test/impl/RestAPIStoreImpl.java
@@ -1737,6 +1737,35 @@ public SubscriptionDTO subscribeToAPI(String apiID, String appID, String tier,St
         return subscriptionResponse.getData();
     }
 
+    /**
+     * Update subscription to an API of a specific tenant
+     *
+     * @param apiID        API ID
+     * @param appID        Application ID
+     * @param existingTier      Existing subscription Tier
+     * @param requestedTier     Requested subscription Tier
+     * @param subscriptionStatus subscription status
+     * @param subscriptionId Subscription ID
+     * @param xWso2Tenant Tenant Domain
+     * @return SubscriptionDTO
+     * @throws ApiException If an API exception occurs.
+     */
+    public SubscriptionDTO updateSubscriptionToAPI(String apiID, String appID, String existingTier,
+               String requestedTier, SubscriptionDTO.StatusEnum subscriptionStatus, String subscriptionId,
+               String xWso2Tenant) throws ApiException, APIManagerIntegrationTestException {
+
+        SubscriptionDTO subscription = new SubscriptionDTO();
+        subscription.setApplicationId(appID);
+        subscription.setApiId(apiID);
+        subscription.setThrottlingPolicy(existingTier);
+        subscription.setRequestedThrottlingPolicy(requestedTier);
+        subscription.setStatus(subscriptionStatus);
+        SubscriptionDTO subscriptionUpdate = subscriptionIndividualApi.subscriptionsSubscriptionIdPut(
+                subscriptionId, subscription, xWso2Tenant);
+        waitUntilSubscriptionAvailableInGateway(subscriptionUpdate);
+        return subscriptionUpdate;
+    }
+
     private void waitUntilSubscriptionAvailableInGateway(SubscriptionDTO subscribedDto)
             throws APIManagerIntegrationTestException {
         if (Boolean.parseBoolean(disableVerification)){

diff --git a/...rg/wso2/am/integration/tests/crossSubscription/CrossTenantSubscriptionUpdateTestCase.java b/...rg/wso2/am/integration/tests/crossSubscription/CrossTenantSubscriptionUpdateTestCase.java
@@ -0,0 +1,157 @@
+/*
+ *Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *WSO2 LLC. licenses this file to you under the Apache License,
+ *Version 2.0 (the "License"); you may not use this file except
+ *in compliance with the License.
+ *You may obtain a copy of the License at
+ *
+ *http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *Unless required by applicable law or agreed to in writing,
+ *software distributed under the License is distributed on an
+ *"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *KIND, either express or implied.  See the License for the
+ *specific language governing permissions and limitations
+ *under the License.
+ */
+package org.wso2.am.integration.tests.crossSubscription;
+
+import org.apache.commons.lang3.StringUtils;
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
+import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+import org.wso2.am.integration.clients.admin.ApiException;
+import org.wso2.am.integration.clients.store.api.v1.dto.*;
+import org.wso2.am.integration.test.utils.base.APIMIntegrationConstants;
+import org.wso2.am.integration.test.utils.bean.APILifeCycleAction;
+import org.wso2.am.integration.test.utils.bean.APIRequest;
+import org.wso2.am.integration.tests.api.lifecycle.APIManagerLifecycleBaseTest;
+import org.wso2.carbon.automation.engine.annotations.ExecutionEnvironment;
+import org.wso2.carbon.automation.engine.annotations.SetEnvironment;
+import org.wso2.carbon.automation.engine.context.TestUserMode;
+import org.wso2.carbon.automation.test.utils.http.client.HttpResponse;
+import org.wso2.carbon.integration.common.utils.mgt.ServerConfigurationManager;
+import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
+
+import java.io.File;
+import java.net.URL;
+import java.util.ArrayList;
+
+import static org.wso2.am.integration.clients.publisher.api.v1.dto.APIDTO.SubscriptionAvailabilityEnum.ALL_TENANTS;
+
+@SetEnvironment(executionEnvironments = { ExecutionEnvironment.STANDALONE })
+public class CrossTenantSubscriptionUpdateTestCase extends APIManagerLifecycleBaseTest {
+    private ServerConfigurationManager serverConfigurationManager;
+    private String apiId1;
+    private final String apiName1 = "Test1";
+    private final String apiVersion1 = "1.0.0";
+    private final String apiContext1 = "/test1";
+    private String apiId2;
+    private final String apiName2 = "Test2";
+    private final String apiVersion2 = "1.0.0";
+    private final String apiContext2 = "/test2";
+
+    private final String apiEndpoint1 = "http://localhost:9443";
+    private final String apiEndpoint2 = "http://localhost:9444";
+    private final String tenant3ApplicationName = "TestApp";
+    private ApplicationDTO tenant3Application;
+    private ApplicationKeyDTO tenant3AppTenant3Store;
+    private String tenant1Domain;
+    private String tenant2Domain;
+    private final String errorMessageKeyGeneration = "Error occurred while generating keys";
+
+    @BeforeClass(alwaysRun = true)
+    public void setEnvironment() throws Exception {
+        super.init(TestUserMode.SUPER_TENANT_ADMIN);
+        serverConfigurationManager = new ServerConfigurationManager(gatewayContextWrk);
+        serverConfigurationManager.applyConfiguration(new File(getAMResourceLocation()
+                + File.separator + "configFiles" + File.separator + "cross-tenant" + File.separator + "deployment.toml"));
+        APIRequest apiRequest1 = new APIRequest(apiName1, apiContext1, new URL(apiEndpoint1));
+        apiRequest1.setVersion(apiVersion1);
+        apiRequest1.setTier(APIMIntegrationConstants.API_TIER.GOLD);
+        apiRequest1.setTiersCollection(APIMIntegrationConstants.API_TIER.GOLD + "," + APIMIntegrationConstants.API_TIER.BRONZE);
+        apiRequest1.setSubscriptionAvailability(ALL_TENANTS.toString());
+        HttpResponse response = restAPIPublisher.addAPI(apiRequest1);
+        apiId1 = response.getData();
+        restAPIPublisher.changeAPILifeCycleStatus(apiId1, APILifeCycleAction.PUBLISH.getAction());
+        tenant1Domain = MultitenantUtils.getTenantDomain(user.getUserName());
+
+        super.init(TestUserMode.TENANT_ADMIN);
+
+        APIRequest apiRequest2 = new APIRequest(apiName2, apiContext2, new URL(apiEndpoint2));
+        apiRequest2.setVersion(apiVersion2);
+        apiRequest2.setTier(APIMIntegrationConstants.API_TIER.GOLD);
+        apiRequest2.setTiersCollection(APIMIntegrationConstants.API_TIER.GOLD + "," + APIMIntegrationConstants.API_TIER.BRONZE);
+        apiRequest2.setSubscriptionAvailability(ALL_TENANTS.toString());
+        apiRequest2.setProvider(user.getUserName());
+        HttpResponse response2 = restAPIPublisher.addAPI(apiRequest2);
+        apiId2 = response2.getData();
+        restAPIPublisher.changeAPILifeCycleStatus(apiId2, APILifeCycleAction.PUBLISH.getAction());
+        tenant2Domain = MultitenantUtils.getTenantDomain(user.getUserName());
+        // tenant1 :carbon.super, tenant2 :wso2.com
+        Assert.assertNotEquals(tenant1Domain, tenant2Domain);
+    }
+
+    @Test(description = "Create new application and generate access token using an already subscribed application")
+    public void testCreateNewApplicationAndGenerateTokenSubscribedApplication() throws Exception {
+
+        super.init(TestUserMode.TENANT_EMAIL_USER);
+
+        tenant3Application = restAPIStore.addApplication(tenant3ApplicationName,
+                APIMIntegrationConstants.APPLICATION_TIER.UNLIMITED,
+                StringUtils.EMPTY, StringUtils.EMPTY);
+        SubscriptionDTO subscriptionDTO1 = restAPIStore.subscribeToAPI(apiId1, tenant3Application.getApplicationId(),
+                APIMIntegrationConstants.API_TIER.GOLD, tenant1Domain);
+        ArrayList<String> grantTypes = new ArrayList<>();
+        grantTypes.add(APIMIntegrationConstants.GRANT_TYPE.PASSWORD);
+        grantTypes.add(APIMIntegrationConstants.GRANT_TYPE.CLIENT_CREDENTIAL);
+        restAPIAdmin.getKeyManagers();  // Due to the issue: https://github.com/wso2/product-apim/issues/12634
+        tenant3AppTenant3Store = restAPIStore.generateKeys(tenant3Application.getApplicationId(),
+                APIMIntegrationConstants.DEFAULT_TOKEN_VALIDITY_TIME,
+                StringUtils.EMPTY,
+                ApplicationKeyGenerateRequestDTO.KeyTypeEnum.PRODUCTION,
+                null, grantTypes);
+        Assert.assertNotNull(tenant3AppTenant3Store, errorMessageKeyGeneration);
+
+        // subscribe to the other API
+        SubscriptionDTO subscriptionDTO2 = restAPIStore.subscribeToAPI(apiId2, tenant3Application.getApplicationId(),
+                APIMIntegrationConstants.API_TIER.GOLD, tenant2Domain);
+
+        restAPIStore.updateSubscriptionToAPI(apiId2, tenant3Application.getApplicationId(), APIMIntegrationConstants.API_TIER.GOLD,
+                APIMIntegrationConstants.API_TIER.BRONZE, SubscriptionDTO.StatusEnum.UNBLOCKED, subscriptionDTO2.getSubscriptionId(), tenant2Domain);
+
+        verifyTenantDomainInWorkflowsTable(apiName2, tenant2Domain);
+
+        restAPIStore.updateSubscriptionToAPI(apiId1, tenant3Application.getApplicationId(), APIMIntegrationConstants.API_TIER.GOLD,
+                APIMIntegrationConstants.API_TIER.BRONZE, SubscriptionDTO.StatusEnum.UNBLOCKED, subscriptionDTO1.getSubscriptionId(), tenant1Domain);
+
+        verifyTenantDomainInWorkflowsTable(apiName1, tenant1Domain);
+    }
+
+    private void verifyTenantDomainInWorkflowsTable (String apiName, String tenantDomain) throws JSONException, ApiException {
+        org.wso2.am.integration.test.HttpResponse workflowsResponse = restAPIAdmin.getWorkflows(null);
+        Assert.assertNotNull(workflowsResponse);
+        JSONObject workflowRespObj = new JSONObject(workflowsResponse.getData());
+        JSONArray arr = (JSONArray) workflowRespObj.get("list");
+
+        for (int i = 0; i < arr.length(); i++) {
+            JSONObject listItem = (JSONObject) arr.get(i);
+            JSONObject properties = (JSONObject) listItem.get("properties");
+            if (properties.has("apiName") && apiName.equals(properties.get("apiName"))) {
+                Assert.assertEquals(listItem.get("tenantDomain"), tenantDomain);
+            }
+        }
+    }
+
+    @AfterClass(alwaysRun = true)
+    public void destroy() throws Exception {
+        restAPIStore.deleteApplication(tenant3Application.getApplicationId());
+        serverConfigurationManager.restoreToLastConfiguration();
+    }
+}
+
diff --git a/...gration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/BackendJWTUtil.java b/...gration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/BackendJWTUtil.java
@@ -49,13 +49,20 @@ public static void verifySignature(Header jwtheader) throws UnsupportedEncodingE
      * verify JWT Header
      *
      * @param decodedJWTHeaderString decoded JWT Header value
+     * @param jwksKidClaim           kid claim in JWKS endpoint
      * @throws JSONException if JSON payload is malformed
      */
-    public static void verifyJWTHeader(String decodedJWTHeaderString) throws JSONException {
+    public static void verifyJWTHeader(String decodedJWTHeaderString, String jwksKidClaim) throws JSONException {
         JSONObject jsonHeaderObject = new JSONObject(decodedJWTHeaderString);
         Assert.assertEquals(jsonHeaderObject.getString("typ"), "JWT");
         Assert.assertEquals(jsonHeaderObject.getString("alg"), "RS256");
-        Assert.assertFalse(jsonHeaderObject.has("kid"));
+
+        // Verify kid claim: check if kid claim in JWT header match with that of JWKS endpoint
+        Assert.assertTrue(jsonHeaderObject.has("kid"));
+        if (jwksKidClaim != null) {
+            Assert.assertEquals(jsonHeaderObject.getString("kid"), jwksKidClaim, "kid claim in JWT header " +
+                    "does not match with that of JWKS endpoint");
+        }
     }
 
     /**

diff --git a/...ntegration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/JWTTestCase.java b/...ntegration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/JWTTestCase.java
@@ -28,6 +28,7 @@
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.util.EntityUtils;
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.testng.Assert;
@@ -76,6 +77,7 @@
 
 import javax.ws.rs.core.Response;
 
+import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertNotNull;
 import static org.testng.AssertJUnit.assertTrue;
 
@@ -107,6 +109,7 @@ public class JWTTestCase extends APIManagerLifecycleBaseTest {
     URL tokenEndpointURL;
     private String tokenURL;
     private String identityLoginURL;
+    private String jwksKidClaim;
     private final String CALLBACK_URL = "https://localhost:9443/store/";
 
     @BeforeClass(alwaysRun = true)
@@ -191,6 +194,16 @@ public void setEnvironment() throws Exception {
                 APIMIntegrationConstants.IS_API_EXISTS);
         waitForAPIDeploymentSync(user.getUserName(), api2Request.getName(), api2Request.getVersion(),
                 APIMIntegrationConstants.IS_API_EXISTS);
+
+        // Invoke JWKS endpoint and retrieve kid claim to validate backend JWT
+        HttpClient httpclient = HttpClientBuilder.create().build();
+        HttpGet jwksGet = new HttpGet(getAPIInvocationURLHttp("jwks"));
+        HttpResponse jwksResponse = httpclient.execute(jwksGet);
+        assertEquals(jwksResponse.getStatusLine().getStatusCode(), HTTP_RESPONSE_CODE_OK,
+                "Invocation fails for JWKS GET request");
+        String jwksResponseString = EntityUtils.toString(jwksResponse.getEntity(), "UTF-8");
+        JSONObject jwksResponseObject = new JSONObject(jwksResponseString);
+        jwksKidClaim = jwksResponseObject.getJSONArray("keys").getJSONObject(0).getString("kid");
     }
 
     @Test(groups = {"wso2.am"}, description = "Backend JWT Token Generation for Oauth Based App")
@@ -225,7 +238,7 @@ public void testEnableJWTAndClaimsForOauthApp() throws Exception {
             //Do the signature verification for super tenant as tenant key store not there accessible
             BackendJWTUtil.verifySignature(jwtheader);
             log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-            BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+            BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
             JSONObject jsonObject = new JSONObject(decodedJWTString);
             log.info("JWT Received ==" + jsonObject.toString());
             //Validate expiry time
@@ -273,7 +286,7 @@ public void testEnableJWTAndClaimsForJWTApp() throws Exception {
             //Do the signature verification
             BackendJWTUtil.verifySignature(jwtheader);
             log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-            BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+            BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
             JSONObject jsonObject = new JSONObject(decodedJWTString);
 
             // check default claims
@@ -341,7 +354,7 @@ public void testEnableJWTAndClaimsForAPIKeyApp() throws Exception {
         //Do the signature verification
         BackendJWTUtil.verifySignature(jwtheader);
         log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-        BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+        BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
         JSONObject jsonObject = new JSONObject(decodedJWTString);
 
         // check default claims
@@ -386,7 +399,7 @@ public void testBackendJWTWithClientCredentialsGrant() throws Exception {
         //Do the signature verification
         BackendJWTUtil.verifySignature(jwtheader);
         log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-        BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+        BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
         JSONObject jsonObject = new JSONObject(decodedJWTString);
 
         // check default claims
@@ -434,7 +447,7 @@ public void testBackendJWTWithAuthCodeGrant() throws Exception {
             //Do the signature verification
             BackendJWTUtil.verifySignature(jwtheader);
             log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-            BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+            BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
             JSONObject jsonObject = new JSONObject(decodedJWTString);
 
             // check default claims