Merge branch 'wso2:master' into master

modules/distribution/product/src/main/assembly/bin.xml

@@ -470,6 +470,7 @@
             <excludes>
                 <!--Need to remove after GA-->
                 <exclude>authenticationendpoint/basicauth.jsp</exclude>
+                <exclude>authenticationendpoint/EndpointConfig.properties</exclude>
                 <exclude>authenticationendpoint/identifierauth.jsp</exclude>
                 <exclude>authenticationendpoint/includes/cookie-policy-content.jsp</exclude>
                 <exclude>authenticationendpoint/includes/header.jsp</exclude>
@@ -526,6 +527,7 @@
             </includes>
             <!--Need to remove after GA-->
             <excludes>
+                <exclude>accountrecoveryendpoint/RecoveryEndpointConfig.properties</exclude>
                 <exclude>accountrecoveryendpoint/self-registration-complete.jsp</exclude>
                 <exclude>accountrecoveryendpoint/password-recovery.jsp</exclude>
                 <exclude>accountrecoveryendpoint/includes/header.jsp</exclude>

modules/distribution/product/src/main/extensions/basicauth.jsp

@@ -293,7 +293,7 @@
                 data-size="invisible"
                 data-callback="onCompleted"
                 data-action="login"
-                                data-sitekey="<%=Encode.forHtmlContent(request.getParameter("reCaptchaKey"))%>"
+                data-sitekey="<%=Encode.forHtmlContent(reCaptchaKey)%>">
         </div>
     <%
         }

modules/distribution/product/src/main/extensions/self-registration-username-request.jsp

@@ -18,17 +18,25 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 
 <%@ page import="org.owasp.encoder.Encode" %>
+<%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.ApiException" %>
 <%@ page import="org.wso2.carbon.identity.mgt.constants.SelfRegistrationStatusCodes" %>
+<%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.api.ReCaptchaApi" %>
+<%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.model.ReCaptchaProperties" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementEndpointConstants" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementServiceUtil" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.model.User" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementEndpointUtil" %>
+<%@ page import="org.wso2.carbon.identity.captcha.util.CaptchaUtil" %>
+<%@ page import="java.util.Arrays" %>
+<%@ page import="java.util.HashMap" %>
 <%@ page import="java.io.File" %>
+<%@ page import="java.util.List" %>
 <%@ page import="java.util.Map" %>
 <%@ page import="java.util.Enumeration" %>
 <%@ taglib prefix="layout" uri="org.wso2.identity.apps.taglibs.layout.controller" %>
 
 <jsp:directive.include file="includes/localize.jsp"/>
+<jsp:directive.include file="tenant-resolve.jsp"/>
 <jsp:directive.include file="includes/layout-resolver.jsp"/>
 
 <%
@@ -67,6 +75,23 @@
     } else if (errorMsgObj != null) {
         errorMsg = errorMsgObj.toString();
     }
+    ReCaptchaApi reCaptchaApi = new ReCaptchaApi();
+    try {
+        ReCaptchaProperties reCaptchaProperties = reCaptchaApi.getReCaptcha(tenantDomain, true, "ReCaptcha",
+                "self-registration");
+        if (reCaptchaProperties.getReCaptchaEnabled()) {
+            Map<String, List<String>> headers = new HashMap<>();
+            headers.put("reCaptcha", Arrays.asList(String.valueOf(true)));
+            headers.put("reCaptchaAPI", Arrays.asList(reCaptchaProperties.getReCaptchaAPI()));
+            headers.put("reCaptchaKey", Arrays.asList(reCaptchaProperties.getReCaptchaKey()));
+            IdentityManagementEndpointUtil.addReCaptchaHeaders(request, headers);
+        }
+    } catch (ApiException e) {
+        request.setAttribute("error", true);
+        request.setAttribute("errorMsg", e.getMessage());
+        request.getRequestDispatcher("error.jsp").forward(request, response);
+        return;
+    }
     boolean skipSignUpEnableCheck = Boolean.parseBoolean(request.getParameter("skipsignupenablecheck"));
 %>
 
@@ -75,6 +100,15 @@
     layoutData.put("containerSize", "medium");
 %>
 
+<%
+    boolean reCaptchaEnabled = false;
+    if (request.getAttribute("reCaptcha") != null && "TRUE".equalsIgnoreCase((String) request.getAttribute("reCaptcha"))) {
+        reCaptchaEnabled = true;
+    } else if (request.getParameter("reCaptcha") != null && Boolean.parseBoolean(request.getParameter("reCaptcha"))) {
+        reCaptchaEnabled = true;
+    }
+%>
+
 <!doctype html>
 <html>
 <head>
@@ -87,6 +121,14 @@
     <% } else { %>
     <jsp:directive.include file="includes/header.jsp"/>
     <% } %>
+    <%
+        if (reCaptchaEnabled) {
+            String reCaptchaAPI = CaptchaUtil.reCaptchaAPIURL();
+    %>
+    <script src='<%=(reCaptchaAPI)%>'></script>
+    <%
+        }
+    %>
 </head>
 <body class="login-portal layout recovery-layout">
      <layout:main layoutName="<%= layout %>" layoutFileRelativePath="<%= layoutFileRelativePath %>" data="<%= layoutData %>" >
@@ -151,6 +193,23 @@
                         </div>
                         <% } %>
 
+                        <%
+                            if (reCaptchaEnabled) {
+                                String reCaptchaKey = CaptchaUtil.reCaptchaSiteKey();
+                        %>
+                        <div class="field">
+                            <div class="g-recaptcha"
+                                data-size="invisible"
+                                data-callback="onCompleted"
+                                data-action="register"
+                                data-sitekey="<%=Encode.forHtmlContent(reCaptchaKey)%>"
+                            >
+                            </div>
+                        </div>
+                        <%
+                            }
+                        %>
+
                         <div class="ui divider hidden"></div>
 
                         <div class="align-right buttons">
@@ -209,6 +268,9 @@
                 }
             }
         });
+        function onCompleted() {
+            $('#register').submit();
+         }
         function goBack() {
             window.history.back();
         }
@@ -226,6 +288,16 @@
                         console.warn("Prevented a possible double submit event");
                     } else {
                         e.preventDefault();
+                        <%
+                            if (reCaptchaEnabled) {
+                        %>
+                        if (!grecaptcha.getResponse()) {
+                            grecaptcha.execute();
+                            return;
+                        }
+                        <%
+                            }
+                        %>
                         var userName = document.getElementById("username");
                         var normalizedUsername = userName.value.trim();
                         userName.value = normalizedUsername;

modules/distribution/product/src/main/resources/conf/default.json

@@ -458,5 +458,6 @@
   "apim.analytics.properties.keystore_password": "$ref{keystore.primary.password}",
   "apim.analytics.properties.truststore_location": "${carbon.home}/repository/resources/security/$ref{truststore.file_name}",
   "apim.analytics.properties.truststore_password": "$ref{truststore.password}",
-  "tenant_mgt.disable_email_domain_validation": true
+  "tenant_mgt.disable_email_domain_validation": true,
+  "apim.jwt.use_kid_property": true
 }

modules/distribution/product/src/main/resources/conf/templates/repository/conf/broker.xml.j2

@@ -101,6 +101,10 @@ This file is ciphertool compliant. Refer PRODUCT_HOME/repository/conf/security/c
             <allowSharedTopicSubscriptions>{{broker.transport.amqp.allow_shared_topic_subscriptions}}</allowSharedTopicSubscriptions>
             <allowStrictNameValidation>{{broker.transport.amqp.allow_strict_name_validation}}</allowStrictNameValidation>
 
+            <security>
+                <authorization>{{broker.transport.amqp.authorization}}</authorization>
+            </security>
+
             <!-- Refer repository/conf/advanced/qpid-config.xml for further AMQP-specific configurations.-->
         </amqp>
         <mqtt enabled="false">

modules/distribution/product/src/main/resources/conf/templates/repository/conf/tomcat/catalina-server.xml.j2

@@ -94,7 +94,6 @@
                 <Valve className="org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve"/>
                 <Valve className="org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve"/>
                 <Valve className="org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve"/>
-                <Valve className="org.wso2.carbon.identity.cors.valve.CORSValve"/>
                 <!--Error pages -->
                 <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/>
                 {% for valve in catalina.valves %}

modules/distribution/product/src/main/resources/conf/templates/repository/conf/tomcat/context.xml.j2

@@ -0,0 +1,46 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- The contents of this file will be loaded for each web application -->
+<Context useHttpOnly="true" useRelativeRedirects="false">
+
+    <!-- Default set of monitored resources -->
+
+    <Loader className="org.wso2.carbon.webapp.mgt.loader.CarbonWebappLoader"
+            loaderClass="org.wso2.carbon.webapp.mgt.loader.CarbonWebappClassLoader"/>
+
+    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+    <Manager className="org.wso2.carbon.webapp.mgt.CarbonTomcatSessionManager">
+        <SessionIdGenerator sessionIdLength="128"/>
+    </Manager>
+
+    <!-- Uncomment this to enable Comet connection tacking (provides events
+         on session expiration as well as webapp lifecycle) -->
+    <!--
+    <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+    -->
+
+    {% if web_app.control_access.enable is sameas true %}
+    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+      allow="{% for ip in web_app.control_access.allow %}{{ip}}{{ "|" if not loop.last}}{% endfor %}"/>
+    {% endif %}
+
+    {% for class_name in web_app.listener.class_name %}
+    <Listener className="{{class_name}}" />
+    {% endfor %}
+
+</Context>

modules/distribution/product/src/main/startup-scripts/api-manager.bat

@@ -203,7 +203,7 @@ set CARBON_CLASSPATH=".\lib\*";%CARBON_CLASSPATH%
 if %JAVA_VERSION% GEQ 110 set CARBON_CLASSPATH=".\lib\endorsed\*";%CARBON_CLASSPATH%
 
 if %JAVA_VERSION% LEQ 18 set JAVA_VER_BASED_OPTS=-Djava.endorsed.dirs=".\lib\endorsed";"%JAVA_HOME%\jre\lib\endorsed";"%JAVA_HOME%\lib\endorsed"
-if %JAVA_VERSION% GEQ 110 set JAVA_VER_BASED_OPTS=--add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED  --add-opens=java.base/java.io=ALL-UNNAMED
+if %JAVA_VERSION% GEQ 110 set JAVA_VER_BASED_OPTS=--add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED  --add-opens=java.base/java.io=ALL-UNNAMED
 
 set CMD_LINE_ARGS=-Xbootclasspath/a:%CARBON_XBOOTCLASSPATH% -Xms256m -Xmx1024m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath="%CARBON_HOME%\repository\logs\heap-dump.hprof"
 set CMD_LINE_ARGS=%CMD_LINE_ARGS% -Dcom.sun.management.jmxremote -classpath %CARBON_CLASSPATH% %JAVA_OPTS% %JAVA_VER_BASED_OPTS%

modules/distribution/product/src/main/startup-scripts/api-manager.sh

@@ -310,7 +310,7 @@ echo "Using Java memory options: $JVM_MEM_OPTS"
 JAVA_VER_BASED_OPTS="--add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED"
 
 if [ $java_version_formatted -ge 1700 ]; then
-    JAVA_VER_BASED_OPTS="$JAVA_VER_BASED_OPTS --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED"
+    JAVA_VER_BASED_OPTS="$JAVA_VER_BASED_OPTS --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED"
 fi
 
 while [ "$status" = "$START_EXIT_STATUS" ]

modules/distribution/resources/api_templates/operation_policy_template.j2

@@ -1,6 +1,12 @@
 <?xml version=\"1.0\" encoding=\"UTF-8\"?>
 <sequence xmlns=\"http://ws.apache.org/ns/synapse\" name=\"{{sequence_name}}\">
-<property name="switchExpression" expression="fn:concat($ctx:REST_METHOD,'_',$ctx:API_ELECTED_RESOURCE)" />
+{% if api_level_policies is defined %}
+{% for policy in api_level_policies %}
+    {{policy}}
+{% endfor %}
+{% endif %}
+{% if case_list is defined %}
+    <property name="switchExpression" expression="fn:concat($ctx:REST_METHOD,'_',$ctx:API_ELECTED_RESOURCE)" />
     <switch source=\"$ctx:switchExpression\">
     {% for case in case_list %}
         <case regex=\"{{case.case_regex}}\">
@@ -9,10 +15,9 @@
         {% endfor %}
         </case>
     {% endfor %}
-    {% if fault_sequence %}
-        <default>
-            <sequence xmlns="http://ws.apache.org/ns/synapse" name="fault"/>
-        </default>
-    {% endif %}
     </switch>
+{% endif %}
+{% if fault_sequence %}
+    <sequence xmlns="http://ws.apache.org/ns/synapse" name="fault"/>
+{% endif %}
 </sequence>

modules/distribution/resources/api_templates/velocity_template.xml

@@ -253,6 +253,7 @@ $in_sequences.get("$resource.getUriTemplate()").get($uri)
                     #set( $roleRegion = $!{endpoint_config.get("amznRoleRegion")} )
                     #set( $resourceName = $!{resource.getAmznResourceName()} )
                     #set( $resourceTimeout = $!{resource.getAmznResourceTimeout()} )
+                    #set( $isContentEncodingEnabled = $!{resource.isAmznResourceContentEncoded()} )
 <class name="org.wso2.carbon.apimgt.gateway.mediators.AWSLambdaMediator">
                     #if( $accessKey != '' )
     <property name="accessKey" value="$accessKey"/>
@@ -282,6 +283,9 @@ $in_sequences.get("$resource.getUriTemplate()").get($uri)
                     #if( $resourceTimeout != '' )
     <property name="resourceTimeout" value="$resourceTimeout"/>
                     #end
+                    #if( $isContentEncodingEnabled != '' )
+    <property name="isContentEncodingEnabled" value="$isContentEncodingEnabled"/>
+                    #end
 </class>
 <loopback />
                 ## AWS Lambda: end

modules/integration/tests-common/clients/publisher/.openapi-generator/publisher-api.yaml.sha256

@@ -1 +1 @@
-da57e250c3772815419f3056fa0a9bf10bcb15fec37c7bed5676497509e04f78
+e8e65082ff752153ae78c9fa8bbb657df3d59b3273fb70c9dcac53fc4f8915b3

modules/integration/tests-common/clients/publisher/api/openapi.yaml

@@ -16059,6 +16059,40 @@ components:
           value: value
         lifeCycleStatus: CREATED
         accessControl: NONE
+        apiPolicies:
+          request:
+          - policyVersion: v1
+            policyId: policyId
+            policyName: policyName
+            parameters:
+              key: '{}'
+          - policyVersion: v1
+            policyId: policyId
+            policyName: policyName
+            parameters:
+              key: '{}'
+          response:
+          - policyVersion: v1
+            policyId: policyId
+            policyName: policyName
+            parameters:
+              key: '{}'
+          - policyVersion: v1
+            policyId: policyId
+            policyName: policyName
+            parameters:
+              key: '{}'
+          fault:
+          - policyVersion: v1
+            policyId: policyId
+            policyName: policyName
+            parameters:
+              key: '{}'
+          - policyVersion: v1
+            policyId: policyId
+            policyName: policyName
+            parameters:
+              key: '{}'
         monetization:
           enabled: true
           properties:
@@ -16349,6 +16383,8 @@ components:
           items:
             $ref: '#/components/schemas/MediationPolicy'
           type: array
+        apiPolicies:
+          $ref: '#/components/schemas/APIOperationPolicies'
         subscriptionAvailability:
           default: CURRENT_TENANT
           description: The subscription availability. Accepts one of the following.

modules/integration/tests-common/clients/publisher/docs/APIDTO.md

@@ -37,6 +37,7 @@ Name | Type | Description | Notes
 **visibleRoles** | **List<String>** | The user roles that are able to access the API in Developer Portal |  [optional]
 **visibleTenants** | **List<String>** |  |  [optional]
 **mediationPolicies** | [**List<MediationPolicyDTO>**](MediationPolicyDTO.md) |  |  [optional]
+**apiPolicies** | [**APIOperationPoliciesDTO**](APIOperationPoliciesDTO.md) |  |  [optional]
 **subscriptionAvailability** | [**SubscriptionAvailabilityEnum**](#SubscriptionAvailabilityEnum) | The subscription availability. Accepts one of the following. CURRENT_TENANT, ALL_TENANTS or SPECIFIC_TENANTS. |  [optional]
 **subscriptionAvailableTenants** | **List<String>** |  |  [optional]
 **additionalProperties** | [**List<APIInfoAdditionalPropertiesDTO>**](APIInfoAdditionalPropertiesDTO.md) | Map of custom properties of API |  [optional]