fix(jans-auth-server): dynamic registration - assign to client only s…

…copes which are explicitly in request #4426 (#4577)

jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/RegisterService.java

@@ -41,6 +41,7 @@
 import java.util.stream.Collectors;
 
 import static io.jans.as.model.util.StringUtils.toList;
+import static org.apache.commons.lang3.BooleanUtils.isFalse;
 import static org.apache.commons.lang3.BooleanUtils.isTrue;
 
 /**
@@ -375,29 +376,7 @@ public void updateClientFromRequestObject(Client client, RegisterRequest request
             client.setAuthorizedOrigins(listAsArrayWithoutDuplicates(authorizedOrigins));
         }
 
-        List<String> scopes = requestObject.getScope();
-        if (Arrays.asList(client.getGrantTypes()).contains(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) && !appConfiguration.getDynamicRegistrationAllowedPasswordGrantScopes().isEmpty()) {
-            scopes = Lists.newArrayList(scopes);
-            scopes.retainAll(appConfiguration.getDynamicRegistrationAllowedPasswordGrantScopes());
-        }
-        List<String> scopesDn;
-        if (scopes != null && !scopes.isEmpty() && isTrue(appConfiguration.getDynamicRegistrationScopesParamEnabled())) {
-            List<String> defaultScopes = scopeService.getDefaultScopesDn();
-            List<String> requestedScopes = scopeService.getScopesDn(scopes);
-            Set<String> allowedScopes = new HashSet<>();
-
-            for (String requestedScope : requestedScopes) {
-                if (defaultScopes.contains(requestedScope)) {
-                    allowedScopes.add(requestedScope);
-                }
-            }
-
-            scopesDn = new ArrayList<>(allowedScopes);
-            client.setScopes(scopesDn.toArray(new String[scopesDn.size()]));
-        } else {
-            scopesDn = scopeService.getDefaultScopesDn();
-            client.setScopes(scopesDn.toArray(new String[scopesDn.size()]));
-        }
+        assignScopes(client, requestObject);
 
         List<String> claims = requestObject.getClaims();
         if (claims != null && !claims.isEmpty()) {
@@ -454,6 +433,38 @@ public void updateClientFromRequestObject(Client client, RegisterRequest request
                 requestObject.getBackchannelUserCodeParameter());
     }
 
+    public void assignScopes(Client client, RegisterRequest requestObject) {
+        if (isFalse(appConfiguration.getDynamicRegistrationScopesParamEnabled())) {
+            log.debug("Skip scopes update. Reason - configuration dynamicRegistrationScopesParamEnabled=false");
+            return;
+        }
+
+        List<String> requestScopes = requestObject.getScope();
+        if (requestScopes == null || requestScopes.isEmpty()) {
+            log.trace("No scopes in request");
+            return;
+        }
+
+        // apply ROPC restriction
+        if (Arrays.asList(client.getGrantTypes()).contains(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) && !appConfiguration.getDynamicRegistrationAllowedPasswordGrantScopes().isEmpty()) {
+            requestScopes = Lists.newArrayList(requestScopes);
+            requestScopes.retainAll(appConfiguration.getDynamicRegistrationAllowedPasswordGrantScopes());
+        }
+
+        List<String> defaultScopes = scopeService.getDefaultScopesDn();
+        List<String> requestedScopes = scopeService.getScopesDn(requestScopes);
+        Set<String> allowedScopes = new HashSet<>();
+
+        for (String requestedScope : requestedScopes) {
+            if (defaultScopes.contains(requestedScope)) {
+                allowedScopes.add(requestedScope);
+            }
+        }
+
+        log.trace("Allowed scopes: {}, requested scopes: {}, default scopes: {}", allowedScopes, requestedScopes, defaultScopes);
+        client.setScopes(allowedScopes.toArray(new String[0]));
+    }
+
     /**
      * Puts custom object class and custom attributes in client object for persistence.
      *

jans-auth-server/server/src/test/java/io/jans/as/server/register/ws/rs/RegisterServiceTest.java

@@ -5,6 +5,8 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Sets;
+import io.jans.as.client.RegisterRequest;
+import io.jans.as.common.model.registration.Client;
 import io.jans.as.common.service.AttributeService;
 import io.jans.as.model.common.GrantType;
 import io.jans.as.model.common.ResponseType;
@@ -22,10 +24,11 @@
 import org.testng.annotations.Test;
 
 import java.util.ArrayList;
+import java.util.List;
 import java.util.Set;
 
 import static org.mockito.Mockito.when;
-import static org.testng.Assert.assertTrue;
+import static org.testng.Assert.*;
 
 /**
  * @author Yuriy Z
@@ -55,6 +58,73 @@ public class RegisterServiceTest {
     @Mock
     private CIBARegisterClientMetadataService cibaRegisterClientMetadataService;
 
+    @Test
+    public void assignScopes_whenCalled_shouldAssignOnlyAllowedScopes() {
+        final List<String> requestScopes = Lists.newArrayList("s1", "s2", "s3");
+
+        when(appConfiguration.getDynamicRegistrationScopesParamEnabled()).thenReturn(true);
+        when(scopeService.getDefaultScopesDn()).thenReturn(Lists.newArrayList("s1_dn", "s2_dn"));
+        when(scopeService.getScopesDn(requestScopes)).thenReturn(Lists.newArrayList("s1_dn", "s2_dn", "s3_dn"));
+
+        Client client = new Client();
+
+        RegisterRequest registerRequest = new RegisterRequest();
+        registerRequest.setScope(requestScopes);
+
+        registerService.assignScopes(client, registerRequest);
+        assertEqualsNoOrder(client.getScopes(), new String[]{"s1_dn", "s2_dn"});
+    }
+
+    @Test
+    public void assignScopes_whenDynamicRegistrationScopesAreNotAllowed_shouldAssignNothing() {
+        final List<String> requestScopes = Lists.newArrayList("s1", "s2", "s3");
+
+        when(appConfiguration.getDynamicRegistrationScopesParamEnabled()).thenReturn(false);
+
+        Client client = new Client();
+
+        RegisterRequest registerRequest = new RegisterRequest();
+        registerRequest.setScope(requestScopes);
+
+        registerService.assignScopes(client, registerRequest);
+        assertNull(client.getScopes());
+    }
+
+    @Test
+    public void assignScopes_whenScopesAreNotRequested_shouldAssignNothing() {
+        final List<String> requestScopes = Lists.newArrayList();
+
+        when(appConfiguration.getDynamicRegistrationScopesParamEnabled()).thenReturn(true);
+
+        Client client = new Client();
+
+        RegisterRequest registerRequest = new RegisterRequest();
+        registerRequest.setScope(requestScopes);
+
+        registerService.assignScopes(client, registerRequest);
+        assertNull(client.getScopes());
+    }
+
+    @Test
+    public void assignScopes_forROPC_shouldAssignOnlyAllowedScopes() {
+        final List<String> requestScopes = Lists.newArrayList("s1", "s2", "s3");
+        final List<String> allowedForRopc = Lists.newArrayList("s2");
+
+        when(appConfiguration.getDynamicRegistrationScopesParamEnabled()).thenReturn(true);
+        when(appConfiguration.getDynamicRegistrationAllowedPasswordGrantScopes()).thenReturn(allowedForRopc);
+        when(scopeService.getDefaultScopesDn()).thenReturn(Lists.newArrayList("s1_dn", "s2_dn"));
+        when(scopeService.getScopesDn(allowedForRopc)).thenReturn(Lists.newArrayList("s2_dn"));
+
+        Client client = new Client();
+        client.setGrantTypes(new GrantType[]{GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS});
+
+        RegisterRequest registerRequest = new RegisterRequest();
+        registerRequest.setScope(requestScopes);
+
+        registerService.assignScopes(client, registerRequest);
+        assertEqualsNoOrder(client.getScopes(), new String[]{"s2_dn"});
+    }
+
     @Test
     public void identifyResponseType_whenResponseTypeIsBlank_shouldFallbackToCodeValue() {
         when(appConfiguration.getAllResponseTypesSupported()).thenReturn(Sets.newHashSet(ResponseType.values()));