Merge branch '3.0.0' into ciba-weblink-authenticator

open-banking-accelerator/accelerators/ob-is/carbon-home/repository/resources/conf/templates/repository/conf/open-banking.xml.j2

@@ -1021,6 +1021,11 @@
     {% else %}
         <RequestUriSubString>ietf:params:oauth:request_uri</RequestUriSubString>
     {% endif %}
+    {% if open_banking.push_authorisation.mandate_openid_scope_for_regulatory_apps is defined %}
+        <MandateOpenidScopeForRegulatoryApps>{{open_banking.push_authorisation.mandate_openid_scope_for_regulatory_apps}}</MandateOpenidScopeForRegulatoryApps>
+    {% else %}
+        <MandateOpenidScopeForRegulatoryApps>true</MandateOpenidScopeForRegulatoryApps>
+    {% endif %}
     </PushAuthorisation>
     <ServiceActivator>
         <Subscribers>

open-banking-accelerator/components/account-metadata/com.wso2.openbanking.accelerator.account.metadata.service/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/pom.xml

@@ -23,7 +23,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/config/OpenBankingConfigParser.java

@@ -1489,6 +1489,16 @@ public boolean isNbfClaimMandatory() {
                 getConfigElementFromKey(OpenBankingConstants.MANDATE_NBF_CLAIM)).trim());
     }
 
+    /**
+     * Method to get mandate/optional openid scope for regulatory apps.
+     * @return isOpenIdScopeMandatoryForRegulatoryApps
+     */
+    public boolean isOpenIdScopeMandatoryForRegulatoryApps() {
+        return getConfigElementFromKey(OpenBankingConstants.PUSH_AUTH_MANDATE_OPENID_SCOPE_FOR_REGULATORY_APPS) == null
+                || Boolean.parseBoolean(((String) getConfigElementFromKey(OpenBankingConstants
+                        .PUSH_AUTH_MANDATE_OPENID_SCOPE_FOR_REGULATORY_APPS)).trim());
+    }
+
     /**
      * Method to get the CIBA authentication redirect endpoint configuration.
      *

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/constant/OpenBankingConstants.java

@@ -155,6 +155,8 @@ public class OpenBankingConstants {
     public static final String CONNECTION_POOL_MAX_CONNECTIONS_PER_ROUTE = "HTTPConnectionPool.MaxConnectionsPerRoute";
     public static final String PUSH_AUTH_EXPIRY_TIME = "PushAuthorisation.ExpiryTime";
     public static final String PUSH_AUTH_REQUEST_URI_SUBSTRING = "PushAuthorisation.RequestUriSubString";
+    public static final String PUSH_AUTH_MANDATE_OPENID_SCOPE_FOR_REGULATORY_APPS = "PushAuthorisation" +
+            ".MandateOpenidScopeForRegulatoryApps";
 
     public static final String CONSENT_PERIODICAL_EXPIRATION_CRON = "Consent.PeriodicalExpiration.CronValue";
     public static final String STATUS_FOR_EXPIRED_CONSENT = "Consent.PeriodicalExpiration.ExpiredConsentStatusValue";

open-banking-accelerator/components/com.wso2.openbanking.accelerator.data.publisher/com.wso2.openbanking.accelerator.authentication.data.publisher/pom.xml

@@ -23,7 +23,7 @@
     <parent>
         <artifactId>com.wso2.openbanking.accelerator.data.publisher</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/components/com.wso2.openbanking.accelerator.data.publisher/com.wso2.openbanking.accelerator.data.publisher.common/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/com.wso2.openbanking.accelerator.data.publisher/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/pom.xml

@@ -23,7 +23,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/push/auth/extension/request/validator/util/PushAuthRequestValidatorUtils.java

@@ -26,6 +26,7 @@
 import com.nimbusds.jwt.EncryptedJWT;
 import com.nimbusds.jwt.PlainJWT;
 import com.nimbusds.jwt.SignedJWT;
+import com.wso2.openbanking.accelerator.common.config.OpenBankingConfigParser;
 import com.wso2.openbanking.accelerator.common.constant.OpenBankingConstants;
 import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
 import com.wso2.openbanking.accelerator.common.util.Generated;
@@ -34,6 +35,7 @@
 import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.exception.PushAuthRequestValidatorException;
 import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants;
 import com.wso2.openbanking.accelerator.identity.util.IdentityCommonHelper;
+import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
 import net.minidev.json.JSONArray;
 import net.minidev.json.JSONObject;
 import org.apache.commons.lang3.StringUtils;
@@ -217,17 +219,32 @@ public static void validateScope(JSONObject requestBodyJson) throws PushAuthRequ
             List<String> requestedScopes = Arrays.asList(requestBodyJson.getAsString(PushAuthRequestConstants.SCOPE)
                     .split("\\s+"));
 
+            boolean isRegulatory;
             List<String> allowedScopes;
             try {
+                String clientId = requestBodyJson.getAsString(PushAuthRequestConstants.CLIENT_ID);
+                isRegulatory = IdentityCommonUtil.getRegulatoryFromSPMetaData(clientId);
                 allowedScopes = Arrays.asList(new IdentityCommonHelper()
-                        .getAppPropertyFromSPMetaData(requestBodyJson.getAsString(PushAuthRequestConstants.CLIENT_ID),
-                                IdentityCommonConstants.SCOPE).split("\\s+"));
+                        .getAppPropertyFromSPMetaData(clientId, IdentityCommonConstants.SCOPE).split("\\s+"));
             } catch (OpenBankingException e) {
                 log.error("Error while retrieving sp meta data", e);
                 throw new PushAuthRequestValidatorException(HttpStatus.SC_INTERNAL_SERVER_ERROR,
                         PushAuthRequestConstants.SERVER_ERROR, "Error while retrieving sp meta data", e);
             }
 
+            boolean isOpenIdScopeMandatoryForRegulatoryApps = OpenBankingConfigParser.getInstance()
+                    .isOpenIdScopeMandatoryForRegulatoryApps();
+            if (isRegulatory && isOpenIdScopeMandatoryForRegulatoryApps) {
+                if (!requestedScopes.contains(OAuthConstants.Scope.OPENID)) {
+                    log.error("Invalid scope: openid scope not present");
+                    throw new PushAuthRequestValidatorException(HttpStatus.SC_BAD_REQUEST,
+                            PushAuthRequestConstants.INVALID_REQUEST,
+                            "Invalid scope: openid scope not present");
+                }
+            }
+
+            StringBuilder stringBuilder = new StringBuilder();
+            // ignore unsupported scopes as per the OpenID standards
             for (String scope : requestedScopes) {
                 if (!allowedScopes.contains(scope)) {
                     log.error("Invalid scopes in the request");

open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/push/auth/extension/request/validator/PushAuthRequestValidatorTest.java

@@ -18,13 +18,15 @@
 
 package com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator;
 
+import com.wso2.openbanking.accelerator.common.config.OpenBankingConfigParser;
 import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
 import com.wso2.openbanking.accelerator.common.util.ServiceProviderUtils;
 import com.wso2.openbanking.accelerator.identity.internal.IdentityExtensionsDataHolder;
 import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.constants.PushAuthRequestConstants;
 import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.exception.PushAuthRequestValidatorException;
 import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.model.PushAuthErrorResponse;
 import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.util.test.jwt.builder.TestJwtBuilder;
+import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
 import net.minidev.json.JSONObject;
 import org.junit.Assert;
 import org.mockito.Mockito;
@@ -64,9 +66,9 @@
 /**
  * Test for push authorization request validator.
  */
-@PowerMockIgnore("jdk.internal.reflect.*")
 @PrepareForTest({IdentityExtensionsDataHolder.class, OAuth2Util.class, OAuthServerConfiguration.class,
-        IdentityUtil.class, ServiceProviderUtils.class})
+        IdentityUtil.class, ServiceProviderUtils.class, IdentityCommonUtil.class, OpenBankingConfigParser.class})
+@PowerMockIgnore("jdk.internal.reflect.*")
 public class PushAuthRequestValidatorTest extends PowerMockTestCase {
 
     private Map<String, List<String>> parameterMap;
@@ -102,16 +104,23 @@ public void initMethods() throws OpenBankingException, IdentityApplicationManage
 
         IdentityExtensionsDataHolder identityExtensionsDataHolderMock = mock(IdentityExtensionsDataHolder.class);
         ApplicationManagementService applicationManagementServiceMock = mock(ApplicationManagementService.class);
+        OpenBankingConfigParser openBankingConfigParserMock = mock(OpenBankingConfigParser.class);
 
         mockStatic(IdentityExtensionsDataHolder.class);
         mockStatic(ServiceProviderUtils.class);
+        mockStatic(IdentityCommonUtil.class);
+        mockStatic(OpenBankingConfigParser.class);
         when(IdentityExtensionsDataHolder.getInstance()).thenReturn(identityExtensionsDataHolderMock);
         when(identityExtensionsDataHolderMock.getConfigurationMap()).thenReturn(configMap);
         when(identityExtensionsDataHolderMock.getApplicationManagementService())
                 .thenReturn(applicationManagementServiceMock);
         when(ServiceProviderUtils.getSpTenantDomain(Mockito.anyString())).thenReturn("dummyTenantDomain");
         when(applicationManagementServiceMock.getServiceProviderByClientId(Mockito.anyString(),
                 Mockito.anyString(), Mockito.anyString())).thenReturn(serviceProviderMock);
+        when(IdentityCommonUtil.getRegulatoryFromSPMetaData(Mockito.anyString())).thenReturn(true);
+        when(OpenBankingConfigParser.getInstance()).thenReturn(openBankingConfigParserMock);
+        when(openBankingConfigParserMock.isOpenIdScopeMandatoryForRegulatoryApps())
+                .thenReturn(true);
 
         OAuthServerConfiguration oAuthServerConfigurationMock = mock(OAuthServerConfiguration.class);
         mockStatic(OAuthServerConfiguration.class);
@@ -204,6 +213,34 @@ public void validateScopeParameter() throws Exception {
         pushAuthRequestValidatorMockClass.validateParams(httpServletRequestMock, parameterMap);
     }
 
+    @Test(expectedExceptions = PushAuthRequestValidatorException.class)
+    public void validateScopeParameterWithoutOpenIdScopeForRegulatoryApps() throws Exception {
+
+        parameterMap.put("request",
+                Arrays.asList(TestJwtBuilder.getValidSignedJWTWithoutOpenIdScope()));
+        PushAuthRequestValidatorMockClass pushAuthRequestValidatorMockClass = new PushAuthRequestValidatorMockClass();
+
+        pushAuthRequestValidatorMockClass.validateParams(httpServletRequestMock, parameterMap);
+    }
+
+    @Test
+    public void validateScopeParameterWithoutOpenIdScopeForNonRegulatoryApps() throws Exception {
+
+        // remove previous invalid parameters
+        parameterMap.remove("request_uri");
+
+        when(IdentityCommonUtil.getRegulatoryFromSPMetaData(Mockito.anyString())).thenReturn(false);
+
+        parameterMap.put("request",
+                Arrays.asList(TestJwtBuilder.getValidSignedJWTWithoutOpenIdScope()));
+        PushAuthRequestValidatorMockClass pushAuthRequestValidatorMockClass = new PushAuthRequestValidatorMockClass();
+
+        ServiceProviderProperty[] serviceProviderProperties = serviceProviderMock.getSpProperties();
+        serviceProviderProperties[0].setValue("accounts payments openid");
+
+        pushAuthRequestValidatorMockClass.validateParams(httpServletRequestMock, parameterMap);
+    }
+
     @Test(expectedExceptions = PushAuthRequestValidatorException.class,
             dependsOnMethods = "validateNonceInRequestObject")
     public void validateUnsupportedClaimsInSignedJWT() throws Exception {

open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/push/auth/extension/request/validator/util/test/jwt/builder/TestJwtBuilder.java

@@ -60,6 +60,7 @@ public class TestJwtBuilder {
     private static String audience = "https://localhost:9443/oauth2/token";
     private static String scope = "bank:accounts.basic:read bank:transactions:read " +
             "common:customer.detail:read openid";
+    private static String scopeWithoutOpenId = "accounts payments";
     private static String redirectUri = "https://www.google.com/redirects/redirect1";
     private static String state = "0pN0NBTHcv";
     private static String codeChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
@@ -89,6 +90,19 @@ public static String getValidSignedJWT() throws Exception {
         return signedJWT.serialize();
     }
 
+    /**
+     * This method is used to get a valid signed JWT without the openid scope.
+     *
+     * @return String
+     * @throws Exception if an error occurs
+     */
+    public static String getValidSignedJWTWithoutOpenIdScope() throws Exception {
+        JWTClaimsSet.Builder builder = getValidJWTClaimsSetBuilder();
+        JWTClaimsSet claimSet = builder.claim(TestJwtBuilderConstants.SCOPE, scopeWithoutOpenId).build();
+        SignedJWT signedJWT = getSignedJWT(JWSAlgorithm.PS256, claimSet);
+        return signedJWT.serialize();
+    }
+
     /**
      * This method is used to get a valid encrypted JWT with signature algorithm PS256,
      * encryption algorithm RSA-OAEP-256 and encryption method A256GCM.

open-banking-accelerator/components/com.wso2.openbanking.accelerator.keymanager/pom.xml

@@ -18,7 +18,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/com.wso2.openbanking.accelerator.runtime/com.wso2.openbanking.accelerator.runtime.identity.authn.filter/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>com.wso2.openbanking.accelerator.runtime</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/components/com.wso2.openbanking.accelerator.runtime/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/components/com.wso2.openbanking.accelerator.service.activator/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.service/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/event-notifications/com.wso2.openbanking.accelerator.event.notifications.service/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/ob-throttler/com.wso2.openbanking.accelerator.throttler.dao/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/components/ob-throttler/com.wso2.openbanking.accelerator.throttler.service/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/internal-apis/internal-webapps/com.wso2.openbanking.accelerator.application.info.endpoint/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/internal-apis/internal-webapps/com.wso2.openbanking.accelerator.ciba.authentication.endpoint/pom.xml

@@ -18,7 +18,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

open-banking-accelerator/internal-apis/internal-webapps/com.wso2.openbanking.accelerator.consent.endpoint/pom.xml

@@ -23,7 +23,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 

open-banking-accelerator/internal-apis/internal-webapps/com.wso2.openbanking.accelerator.dcr.endpoint/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>open-banking-accelerator</artifactId>
         <groupId>com.wso2.openbanking.accelerator</groupId>
-        <version>3.2.25-SNAPSHOT</version>
+        <version>3.2.26-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>