Merge branch 'master' into fix-user-store-domain-issue

components/org.wso2.carbon.identity.api.server.dcr/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.dcr</artifactId>
-    <version>7.0.212-SNAPSHOT</version>
+    <version>7.0.215-SNAPSHOT</version>
     <name>WSO2 Carbon -  User DCR Rest API</name>
     <description>WSO2 Carbon - User DCR Rest API</description>
 

components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.oauth.scope</artifactId>
-    <version>7.0.212-SNAPSHOT</version>
+    <version>7.0.215-SNAPSHOT</version>
 
     <name>WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs</name>
     <description>Rest APIs for OAuth 2.0 Scope Handling</description>

components/org.wso2.carbon.identity.client.attestation.filter/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java

@@ -310,13 +310,24 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str
                 sp.setJwksUri(updateRequest.getJwksURI());
             }
             // Todo: validate version input. Create a function at app mgt.
-            sp.setApplicationVersion(applicationVersion);
-            // Need to create a deep clone, since modifying the fields of the original object,
-            // will modify the cached SP object.
-            ServiceProvider clonedSP = cloneServiceProvider(sp);
+            if (StringUtils.isNotBlank(applicationVersion)) {
+                sp.setApplicationVersion(applicationVersion);
+            }
+        }
+        if (StringUtils.isNotEmpty(updateRequest.getExtAllowedAudience()) &&
+                (updateRequest.getExtAllowedAudience().equalsIgnoreCase(ORG_ROLE_AUDIENCE)
+                        || updateRequest.getExtAllowedAudience().equalsIgnoreCase(APP_ROLE_AUDIENCE))) {
+            AssociatedRolesConfig associatedRolesConfig = new AssociatedRolesConfig();
+            associatedRolesConfig.setAllowedAudience(updateRequest.getExtAllowedAudience().toLowerCase());
+            sp.setAssociatedRolesConfig(associatedRolesConfig);
+        }
+        // Need to create a deep clone, since modifying the fields of the original object,
+        // will modify the cached SP object.
+        ServiceProvider clonedSP = cloneServiceProvider(sp);
+        if (StringUtils.isNotEmpty(clientName)) {
             clonedSP.setApplicationName(clientName);
-            updateServiceProvider(clonedSP, tenantDomain, applicationOwner);
         }
+        updateServiceProvider(clonedSP, tenantDomain, applicationOwner);
 
         // Update application
         try {
@@ -413,14 +424,6 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str
             appDTO.setPkceSupportPlain(updateRequest.isExtPkceSupportPlain());
             appDTO.setBypassClientCredentials(updateRequest.isExtPublicClient());
             oAuthAdminService.updateConsumerApplication(appDTO);
-
-            if (StringUtils.isNotEmpty(updateRequest.getExtAllowedAudience()) &&
-                    (updateRequest.getExtAllowedAudience().equalsIgnoreCase(ORG_ROLE_AUDIENCE)
-                            || updateRequest.getExtAllowedAudience().equalsIgnoreCase(APP_ROLE_AUDIENCE))) {
-                AssociatedRolesConfig associatedRolesConfig = new AssociatedRolesConfig();
-                associatedRolesConfig.setAllowedAudience(updateRequest.getExtAllowedAudience().toLowerCase());
-                sp.setAssociatedRolesConfig(associatedRolesConfig);
-            }
         } catch (IdentityOAuthClientException e) {
             throw new DCRMClientException(DCRMConstants.ErrorCodes.INVALID_CLIENT_METADATA, e.getMessage(), e);
         } catch (IdentityOAuthAdminException e) {

components/org.wso2.carbon.identity.oauth.dcr/src/test/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMServiceTest.java

@@ -108,6 +108,7 @@ public class DCRMServiceTest {
     private String dummyCallbackUrl = "dummyCallbackUrl";
     private final String dummyTemplateName = "dummyTemplateName";
     private final String dummyBackchannelLogoutUri = "http://backchannel.com/";
+    private static final String ORG_ROLE_AUDIENCE = "organization";
 
     @Mock
     private OAuthConsumerAppDTO dto;
@@ -1007,6 +1008,7 @@ public void updateApplicationTest(List<String> redirectUri1, String roleAudience
         assertEquals(application.getClientId(), dummyConsumerKey);
         assertEquals(application.getClientName(), dummyClientName);
         assertEquals(application.getClientSecret(), dummyConsumerSecret);
+        assertEquals(application.getExtAllowedAudience(), roleAudience);
     }
 
     @Test

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.extension/pom.xml

@@ -19,7 +19,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.par/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.stub/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ui/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java

@@ -1045,7 +1045,8 @@ public static boolean revokeTokens(String username, UserStoreManager userStoreMa
                             .getTokenManagementDAO().getAllTimeAuthorizedClientIds(authenticatedUser);
 
                 if (role != null && RoleConstants.ORGANIZATION.equals(role.getAudience())) {
-                    clientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds), tenantDomain);
+                    clientIds = filterClientIdsWithOrganizationAudience(new ArrayList<>(clientIds),
+                            authenticatedUser.getTenantDomain());
                 }
 
             } catch (IdentityOAuth2Exception e) {

components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth/OAuthUtilTest.java

@@ -44,6 +44,7 @@
 import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
 import org.wso2.carbon.identity.oauth2.dao.AccessTokenDAO;
 import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
+import org.wso2.carbon.identity.oauth2.dao.TokenManagementDAO;
 import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
@@ -323,6 +324,80 @@ public void testRevokeTokensForApplicationAudienceRoles() throws Exception {
         assertTrue(result, "Token revocation failed.");
     }
 
+    @Test
+    public void testRevokeTokensForOrganizationAudienceRoles() throws Exception {
+
+        String username = "testUser";
+        String roleId = "testRoleId";
+        String roleName = "testRole";
+        String appId = "testAppId";
+        String clientId = "testClientId";
+        String accessToken = "testAccessToken";
+
+        UserStoreManager userStoreManager = mock(UserStoreManager.class);
+        when(userStoreManager.getTenantId()).thenReturn(-1234);
+        when(userStoreManager.getRealmConfiguration()).thenReturn(mock(RealmConfiguration.class));
+        when(userStoreManager.getRealmConfiguration().getUserStoreProperty(anyString())).thenReturn("PRIMARY");
+
+        when(OrganizationManagementUtil.isOrganization(anyString())).thenReturn(false);
+        when(OAuth2Util.getTenantId(anyString())).thenReturn(-1234);
+
+        OAuthComponentServiceHolder mockOAuthComponentServiceHolder = mock(OAuthComponentServiceHolder.class);
+        when(OAuthComponentServiceHolder.getInstance()).thenReturn(mockOAuthComponentServiceHolder);
+
+        when(mockOAuthComponentServiceHolder.getRoleV2ManagementService()).thenReturn(roleManagementService);
+        RoleBasicInfo roleBasicInfo = new RoleBasicInfo();
+        roleBasicInfo.setId(roleId);
+        roleBasicInfo.setAudience(RoleConstants.ORGANIZATION);
+        roleBasicInfo.setAudienceId(appId);
+        roleBasicInfo.setName(roleName);
+        when(roleManagementService.getRoleBasicInfoById(roleId, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME))
+                .thenReturn(roleBasicInfo);
+
+        when(mockOAuthComponentServiceHolder.getApplicationManagementService())
+                .thenReturn(applicationManagementService);
+        ServiceProvider serviceProvider = new ServiceProvider();
+        InboundAuthenticationConfig inboundAuthenticationConfig = new InboundAuthenticationConfig();
+        InboundAuthenticationRequestConfig[] inboundAuthenticationRequestConfigs =
+                new InboundAuthenticationRequestConfig[1];
+        InboundAuthenticationRequestConfig inboundAuthenticationRequestConfig =
+                new InboundAuthenticationRequestConfig();
+        inboundAuthenticationRequestConfig.setInboundAuthKey(clientId);
+        inboundAuthenticationRequestConfig.setInboundAuthType(ApplicationConstants.StandardInboundProtocols.OAUTH2);
+        inboundAuthenticationRequestConfigs[0] = inboundAuthenticationRequestConfig;
+        inboundAuthenticationConfig.setInboundAuthenticationRequestConfigs(inboundAuthenticationRequestConfigs);
+        serviceProvider.setInboundAuthenticationConfig(inboundAuthenticationConfig);
+        when(applicationManagementService.getApplicationByResourceId(
+                appId, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)).thenReturn(serviceProvider);
+        when(applicationManagementService.getApplicationResourceIDByInboundKey(anyString(), anyString(), anyString())).
+                thenReturn(appId);
+        when(applicationManagementService.getAllowedAudienceForRoleAssociation(anyString(), anyString())).
+                thenReturn(RoleConstants.ORGANIZATION);
+        OAuthTokenPersistenceFactory mockOAuthTokenPersistenceFactory = mock(OAuthTokenPersistenceFactory.class);
+        when(OAuthTokenPersistenceFactory.getInstance()).thenReturn(mockOAuthTokenPersistenceFactory);
+        AccessTokenDAO mockAccessTokenDAO = mock(AccessTokenDAO.class);
+        when(mockOAuthTokenPersistenceFactory.getAccessTokenDAO()).thenReturn(mockAccessTokenDAO);
+        Set<AccessTokenDO> accessTokens = new HashSet<>();
+        AccessTokenDO accessTokenDO = new AccessTokenDO();
+        accessTokenDO.setAccessToken(accessToken);
+        accessTokenDO.setConsumerKey(clientId);
+        accessTokenDO.setScope(new String[]{"default"});
+        accessTokenDO.setAuthzUser(new AuthenticatedUser());
+        accessTokens.add(accessTokenDO);
+        when(mockAccessTokenDAO.getAccessTokens(anyString(),
+                any(AuthenticatedUser.class), nullable(String.class), anyBoolean())).thenReturn(accessTokens);
+
+        TokenManagementDAO mockTokenManagementDao = mock(TokenManagementDAO.class);
+        when(mockOAuthTokenPersistenceFactory.getTokenManagementDAO()).thenReturn(mockTokenManagementDao);
+        Set<String> clientIds = new HashSet<>();
+        clientIds.add(clientId);
+        when(mockTokenManagementDao.getAllTimeAuthorizedClientIds(any())).thenReturn(clientIds);
+
+        boolean result = OAuthUtil.revokeTokens(username, userStoreManager, roleId);
+        verify(mockAccessTokenDAO, times(1)).revokeAccessTokens(any(), anyBoolean());
+        assertTrue(result, "Token revocation failed.");
+    }
+
     @Test
     public void testRevokeTokensInSharedUserFlow() throws Exception {
 

components/org.wso2.carbon.identity.oidc.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oidc.session/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.webfinger/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

features/org.wso2.carbon.identity.oauth.common.feature/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

features/org.wso2.carbon.identity.oauth.dcr.server.feature/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

features/org.wso2.carbon.identity.oauth.feature/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

features/org.wso2.carbon.identity.oauth.server.feature/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

features/org.wso2.carbon.identity.oauth.ui.feature/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.212-SNAPSHOT</version>
+        <version>7.0.215-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

pom.xml

@@ -28,7 +28,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
     <artifactId>identity-inbound-auth-oauth</artifactId>
-    <version>7.0.212-SNAPSHOT</version>
+    <version>7.0.215-SNAPSHOT</version>
     <packaging>pom</packaging>
     <name>WSO2 Carbon OAuth module</name>
     <url>http://wso2.org</url>