Merge branch 'master' into 4.3.0-kernel-upgrade

modules/distribution/product/src/main/assembly/bin.xml

@@ -1249,6 +1249,20 @@
  <fileMode>644</fileMode>
  </file>
 
+ <file>
+ <source>src/main/startup-scripts/fips.sh</source>
+ <outputDirectory>wso2am-${pom.version}/bin/</outputDirectory>
+ <filtered>true</filtered>
+ <fileMode>755</fileMode>
+ </file>
+
+ <file>
+ <source>src/main/startup-scripts/fips.bat</source>
+ <outputDirectory>wso2am-${pom.version}/bin/</outputDirectory>
+ <filtered>true</filtered>
+ <fileMode>755</fileMode>
+ </file>
+
  <file>
  <source>src/main/startup-scripts/profileSetup.sh</source>
  <outputDirectory>wso2am-${pom.version}/bin/</outputDirectory>

modules/distribution/product/src/main/conf/deployment.toml

@@ -52,6 +52,7 @@ key_password = "wso2carbon"
 [[apim.gateway.environment]]
 name = "Default"
 type = "hybrid"
+gateway_type = "Regular"
 provider = "wso2"
 display_in_api_console = true
 description = "This is a hybrid gateway that handles both production and sandbox token traffic."

modules/distribution/product/src/main/resources/conf/deployment-templates/control-plane.toml

@@ -49,6 +49,7 @@ key_password = "wso2carbon"
 [[apim.gateway.environment]]
 name = "Default"
 type = "hybrid"
+gateway_type = "Regular"
 provider = "wso2"
 display_in_api_console = true
 description = "This is a hybrid gateway that handles both production and sandbox token traffic."

modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2

@@ -0,0 +1,6 @@
+<class name="org.wso2.carbon.apimgt.gateway.mediators.ClaimBasedResourceAccessValidationMediator">
+ <property name="accessVerificationClaim" value = "{{accessVerificationClaim}}"/>
+ <property name="accessVerificationClaimValue" value="{{accessVerificationClaimValue}}"/>
+ <property name="accessVerificationClaimValueRegex" value="{{accessVerificationClaimValueRegex}}"/>
+ <property name="shouldAllowValidation" value="{{shouldAllowValidation}}"/>
+</class>

modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json

@@ -0,0 +1,51 @@
+{
+ "category": "Mediation",
+ "name": "jwtClaimBasedAccessValidator",
+ "version": "v1",
+ "displayName": "JWT claim based access validator",
+ "description": "This policy validates configured claim name and value in this policy with the claim name and value sent in the JWT access token to grant access to the API resource.",
+ "applicableFlows": [
+ "request"
+ ],
+ "supportedGateways": [
+ "Synapse"
+ ],
+ "supportedApiTypes": [
+ "HTTP"
+ ],
+ "policyAttributes": [
+ {
+ "name": "accessVerificationClaim",
+ "displayName": "Access verification claim name",
+ "description": "This should be the name the custom claim which is expected in the JWT access token.",
+ "validationRegex": "^[a-zA-Z_]+$",
+ "type": "String",
+ "defaultValue": "aut",
+ "required": true
+ },
+ {
+ "name": "accessVerificationClaimValue",
+ "displayName": "Access verification claim value",
+ "description": "This should be the value of a custom claim which is expected in the JWT access token.",
+ "type": "String",
+ "defaultValue": "APPLICATION",
+ "required": true
+ },
+ {
+ "name": "accessVerificationClaimValueRegex",
+ "displayName": "Access verification claim value regex",
+ "description": "If a regex is provided, the claim values will be matched using this regex. Otherwise they will be checked for equality.",
+ "type": "String",
+ "defaultValue": "",
+ "required": false
+ },
+ {
+ "name": "shouldAllowValidation",
+ "displayName": "Allow flow when claims are not matching",
+ "description": "Tick this to allow the flow when the claims are not matching. Keeping this un-ticked will allow the flow only when the claims are matched.",
+ "type": "Boolean",
+ "defaultValue": "false",
+ "required": false
+ }
+ ]
+ }

modules/integration/tests-common/clients/admin/.openapi-generator/admin-api.yaml.sha256

@@ -1 +1 @@
-913b0f99d03f27dee037609be7975aca8be768047cea3b7c8598dd11a5a89a6a
+79b51370beba8f507666fe239fea0c86a211fc9f1f8dbf97264d13f09f0c147a

modules/integration/tests-common/clients/admin/api/openapi.yaml

@@ -7962,6 +7962,18 @@ components:
  - type
  title: Throttle Limit
  type: object
+ BurstLimit:
+ properties:
+ rateLimitCount:
+ description: Burst control request count
+ example: 10
+ type: integer
+ rateLimitTimeUnit:
+ description: Burst control time unit
+ example: min
+ type: string
+ title: Burst Limit object
+ type: object
  MonetizationInfo:
  properties:
  monetizationPlan:
@@ -8346,6 +8358,7 @@ components:
  endpointURI: default
  - protocol: default
  endpointURI: default
+ gatewayType: Regular
  isReadOnly: false
  provider: wso2
  displayName: US Region
@@ -8393,6 +8406,10 @@ components:
  provider:
  example: wso2
  type: string
+ gatewayType:
+ default: Regular
+ example: Regular
+ type: string
  isReadOnly:
  example: false
  readOnly: true
@@ -8424,6 +8441,7 @@ components:
  endpointURI: default
  - protocol: default
  endpointURI: default
+ gatewayType: Regular
  isReadOnly: false
  provider: wso2
  displayName: US Region
@@ -8453,6 +8471,7 @@ components:
  endpointURI: default
  - protocol: default
  endpointURI: default
+ gatewayType: Regular
  isReadOnly: false
  provider: wso2
  displayName: US Region
@@ -8786,6 +8805,9 @@ components:
  mask: true
  defaultScopesClaim: scope
  type: default
+ gatewayTypes:
+ - gatewayTypes
+ - gatewayTypes
  scopes:
  - scopes
  - scopes
@@ -8794,6 +8816,10 @@ components:
  items:
  type: string
  type: array
+ gatewayTypes:
+ items:
+ type: string
+ type: array
  keyManagerConfiguration:
  items:
  $ref: '#/components/schemas/Settings_keyManagerConfiguration'
@@ -8884,6 +8910,11 @@ components:
  tokenEndpoint: https://localhost:9444/oauth2/token
  consumerKeyClaim: azp
  scopesClaim: scp
+ permissions:
+ permissionType: ALLOW
+ roles:
+ - Internal/subscriber
+ - Internal/subscriber
  alias: https://localhost:9443/oauth2/token
  id: 01234567-0123-0123-0123-012345678901
  userInfoEndpoint: https://localhost:9444/oauth2/userinfo?schema=openid
@@ -8946,6 +8977,11 @@ components:
  tokenEndpoint: https://localhost:9444/oauth2/token
  consumerKeyClaim: azp
  scopesClaim: scp
+ permissions:
+ permissionType: ALLOW
+ roles:
+ - Internal/subscriber
+ - Internal/subscriber
  alias: https://localhost:9443/oauth2/token
  id: 01234567-0123-0123-0123-012345678901
  userInfoEndpoint: https://localhost:9444/oauth2/userinfo?schema=openid
@@ -9104,6 +9140,8 @@ components:
  Password: admin
  properties: {}
  type: object
+ permissions:
+ $ref: '#/components/schemas/KeyManager_permissions'
  tokenType:
  default: DIRECT
  description: The type of the tokens to be used (exchanged or without exchanged).
@@ -9628,6 +9666,8 @@ components:
  properties:
  defaultLimit:
  $ref: '#/components/schemas/ThrottleLimit'
+ burstLimit:
+ $ref: '#/components/schemas/BurstLimit'
  required:
  - defaultLimit
  SubscriptionThrottlePolicy_allOf:
@@ -9783,6 +9823,26 @@ components:
  type: string
  value:
  type: string
+ KeyManager_permissions:
+ example:
+ permissionType: ALLOW
+ roles:
+ - Internal/subscriber
+ - Internal/subscriber
+ properties:
+ permissionType:
+ default: PUBLIC
+ enum:
+ - PUBLIC
+ - ALLOW
+ - DENY
+ example: ALLOW
+ type: string
+ roles:
+ items:
+ example: Internal/subscriber
+ type: string
+ type: array
  securitySchemes:
  OAuth2Security:
  flows:

modules/integration/tests-common/clients/admin/src/gen/java/org/wso2/am/integration/clients/admin/api/dto/EnvironmentDTO.java

@@ -54,6 +54,10 @@ public class EnvironmentDTO {
  @SerializedName(SERIALIZED_NAME_PROVIDER)
  private String provider;
 
+ public static final String SERIALIZED_NAME_GATEWAY_TYPE = "gatewayType";
+ @SerializedName(SERIALIZED_NAME_GATEWAY_TYPE)
+ private String gatewayType = "Regular";
+
  public static final String SERIALIZED_NAME_IS_READ_ONLY = "isReadOnly";
  @SerializedName(SERIALIZED_NAME_IS_READ_ONLY)
  private Boolean isReadOnly;
@@ -185,6 +189,29 @@ public void setProvider(String provider) {
  }
 
 
+ public EnvironmentDTO gatewayType(String gatewayType) {
+
+ this.gatewayType = gatewayType;
+ return this;
+ }
+
+ /**
+ * Get gatewayType
+ * @return gatewayType
+ **/
+ @javax.annotation.Nullable
+ @ApiModelProperty(example = "Regular", value = "")
+
+ public String getGatewayType() {
+ return gatewayType;
+ }
+
+
+ public void setGatewayType(String gatewayType) {
+ this.gatewayType = gatewayType;
+ }
+
+
  public EnvironmentDTO isReadOnly(Boolean isReadOnly) {
 
  this.isReadOnly = isReadOnly;
@@ -290,6 +317,7 @@ public boolean equals(Object o) {
  Objects.equals(this.displayName, environment.displayName) &&
  Objects.equals(this.description, environment.description) &&
  Objects.equals(this.provider, environment.provider) &&
+ Objects.equals(this.gatewayType, environment.gatewayType) &&
  Objects.equals(this.isReadOnly, environment.isReadOnly) &&
  Objects.equals(this.vhosts, environment.vhosts) &&
  Objects.equals(this.endpointURIs, environment.endpointURIs) &&
@@ -298,7 +326,7 @@ public boolean equals(Object o) {
 
  @Override
  public int hashCode() {
- return Objects.hash(id, name, displayName, description, provider, isReadOnly, vhosts, endpointURIs, additionalProperties);
+ return Objects.hash(id, name, displayName, description, provider, gatewayType, isReadOnly, vhosts, endpointURIs, additionalProperties);
  }
 
 
@@ -311,6 +339,7 @@ public String toString() {
  sb.append(" displayName: ").append(toIndentedString(displayName)).append("\n");
  sb.append(" description: ").append(toIndentedString(description)).append("\n");
  sb.append(" provider: ").append(toIndentedString(provider)).append("\n");
+ sb.append(" gatewayType: ").append(toIndentedString(gatewayType)).append("\n");
  sb.append(" isReadOnly: ").append(toIndentedString(isReadOnly)).append("\n");
  sb.append(" vhosts: ").append(toIndentedString(vhosts)).append("\n");
  sb.append(" endpointURIs: ").append(toIndentedString(endpointURIs)).append("\n");

modules/integration/tests-common/clients/admin/src/gen/java/org/wso2/am/integration/clients/admin/api/dto/SettingsDTO.java

@@ -36,6 +36,10 @@ public class SettingsDTO {
  @SerializedName(SERIALIZED_NAME_SCOPES)
  private List<String> scopes = null;
 
+ public static final String SERIALIZED_NAME_GATEWAY_TYPES = "gatewayTypes";
+ @SerializedName(SERIALIZED_NAME_GATEWAY_TYPES)
+ private List<String> gatewayTypes = null;
+
  public static final String SERIALIZED_NAME_KEY_MANAGER_CONFIGURATION = "keyManagerConfiguration";
  @SerializedName(SERIALIZED_NAME_KEY_MANAGER_CONFIGURATION)
  private List<SettingsKeyManagerConfigurationDTO> keyManagerConfiguration = null;
@@ -68,6 +72,29 @@ public void setScopes(List<String> scopes) {
  }
 
 
+ public SettingsDTO gatewayTypes(List<String> gatewayTypes) {
+
+ this.gatewayTypes = gatewayTypes;
+ return this;
+ }
+
+ /**
+ * Get gatewayTypes
+ * @return gatewayTypes
+ **/
+ @javax.annotation.Nullable
+ @ApiModelProperty(value = "")
+
+ public List<String> getGatewayTypes() {
+ return gatewayTypes;
+ }
+
+
+ public void setGatewayTypes(List<String> gatewayTypes) {
+ this.gatewayTypes = gatewayTypes;
+ }
+
+
  public SettingsDTO keyManagerConfiguration(List<SettingsKeyManagerConfigurationDTO> keyManagerConfiguration) {
 
  this.keyManagerConfiguration = keyManagerConfiguration;
@@ -124,13 +151,14 @@ public boolean equals(Object o) {
  }
  SettingsDTO settings = (SettingsDTO) o;
  return Objects.equals(this.scopes, settings.scopes) &&
+ Objects.equals(this.gatewayTypes, settings.gatewayTypes) &&
  Objects.equals(this.keyManagerConfiguration, settings.keyManagerConfiguration) &&
  Objects.equals(this.analyticsEnabled, settings.analyticsEnabled);
  }
 
  @Override
  public int hashCode() {
- return Objects.hash(scopes, keyManagerConfiguration, analyticsEnabled);
+ return Objects.hash(scopes, gatewayTypes, keyManagerConfiguration, analyticsEnabled);
  }
 
 
@@ -139,6 +167,7 @@ public String toString() {
 StringBuilder sb = new StringBuilder();
 sb.append("class SettingsDTO {\n");
  sb.append(" scopes: ").append(toIndentedString(scopes)).append("\n");
+ sb.append(" gatewayTypes: ").append(toIndentedString(gatewayTypes)).append("\n");
  sb.append(" keyManagerConfiguration: ").append(toIndentedString(keyManagerConfiguration)).append("\n");
  sb.append(" analyticsEnabled: ").append(toIndentedString(analyticsEnabled)).append("\n");
 sb.append("}");