fix(config-api): scope validation issue #9426 (#9428)

* fix(config-api): asset mgt endpoint fixes

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt ehancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt ehancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt ehancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): asset upload

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): lock review comments

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock code review comments

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): fido2 delete functionality

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): acr validation

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): doc(config-api): IDP schema attribute descriptions #9187

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): sync with main

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): uploading assets via API generates 2 entries #9178

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset mgt, fido and IDP changes

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): fido2 device endpoint

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): fido2 endpoint

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): fido2 endpoint

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): sync with main

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): sync with main

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): sync with main

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): resolved sonar review issues

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): sonar review comment fix

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): swagger spec

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): saml config attribute description

Signed-off-by: pujavs <pujas.works@gmail.com>

* doc(config-api): added SAML attribute description

Signed-off-by: pujavs <pujas.works@gmail.com>

* doc(config-api): added SAML attribute description

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): sync with main

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(jans-lock): code review comment fix isssue#9305

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(jans-lock): code review comment fix isssue#9305

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock review point

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(lock): code review comment

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(lock): code review comment

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): sync with main

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock endpoint fixes and SAML IDP NPE

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset enhancement

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): implement timer for asset mgt to fetch and deploy assets forconfig-api #9403

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): scope validation issue #9426

Signed-off-by: pujavs <pujas.works@gmail.com>

---------

Signed-off-by: pujavs <pujas.works@gmail.com>
Former-commit-id: 386b72c

jans-config-api/docs/jans-config-api-swagger.yaml

@@ -8372,17 +8372,17 @@ components:
           type: boolean
         whitePagesCanView:
           type: boolean
-        adminCanEdit:
+        userCanAccess:
+          type: boolean
+        adminCanAccess:
           type: boolean
         userCanEdit:
           type: boolean
-        adminCanView:
+        adminCanEdit:
           type: boolean
         userCanView:
           type: boolean
-        userCanAccess:
-          type: boolean
-        adminCanAccess:
+        adminCanView:
           type: boolean
         baseDn:
           type: string
@@ -9228,8 +9228,6 @@ components:
           type: boolean
         lockMessageConfig:
           $ref: '#/components/schemas/LockMessageConfig'
-        fapi:
-          type: boolean
         allResponseTypesSupported:
           uniqueItems: true
           type: array
@@ -9239,6 +9237,8 @@ components:
             - code
             - token
             - id_token
+        fapi:
+          type: boolean
     AuthenticationFilter:
       required:
       - baseDn

jans-config-api/server/src/main/java/io/jans/configapi/security/service/OpenIdAuthorizationService.java

@@ -207,37 +207,49 @@ private boolean externalAuthorization(String token, String issuer, String method
 
     private List<String> findMissingScopes(Map<ProtectionScopeType, List<String>> scopeMap, List<String> tokenScopes) {
         logger.info("Check scopeMap:{}, tokenScopes:{}", scopeMap, tokenScopes);
-
         List<String> scopeList = new ArrayList<>();
-        List<String> missingScopes = null;
         if (scopeMap == null || scopeMap.isEmpty()) {
             return scopeList;
         }
 
         // Super scope
-        scopeList.addAll(scopeMap.get(ProtectionScopeType.SUPER));
+        scopeList = scopeMap.get(ProtectionScopeType.SUPER);
         logger.debug("SUPER Scopes:{}", scopeList);
+        List<String> missingScopes = null;
+        boolean containsScope = false;
+        if (scopeList != null && !scopeList.isEmpty()) {
+            // check if token contains any of the super scopes
+            containsScope = containsAnyElement(scopeList, tokenScopes);
+            logger.debug("Token contains SUPER scopes?:{}", containsScope);
+
+            // Super scope present so no need to check other types of scope
+            if (containsScope) {
+                return missingScopes;
+            }
+        }
 
         // Group scope present so no need to check normal scope presence
-        scopeList.addAll(scopeMap.get(ProtectionScopeType.GROUP));
+        scopeList = scopeMap.get(ProtectionScopeType.GROUP);
         logger.debug("GROUP Scopes:{}", scopeList);
+        if (scopeList != null && !scopeList.isEmpty()) {
+            // check if token contains any of the group scopes
+            containsScope = containsAnyElement(scopeList, tokenScopes);
+            logger.debug("Token contains GROUP scopes?:{}", containsScope);
+
+            // Group scope present so no need to check normal scope
+            if (containsScope) {
+                return missingScopes;
+            }
+        }
 
         // Normal scope
-        scopeList.addAll(scopeMap.get(ProtectionScopeType.SCOPE));
+        scopeList = scopeMap.get(ProtectionScopeType.SCOPE);
         logger.debug("SCOPE Scopes:{}", scopeList);
-        if (scopeList.isEmpty()) {
-            return missingScopes;
-        }
-
-        // scopeList not empty but token scope is null
-        if (tokenScopes == null || tokenScopes.isEmpty()) {
-            return scopeMap.get(ProtectionScopeType.SCOPE);
+        if (scopeList != null && !scopeList.isEmpty()) {
+            // check if token contains all the required scopes
+            missingScopes = findMissingElements(scopeList, tokenScopes);
+            logger.debug("SCOPE Missing Scopes:{}", missingScopes);
         }
-
-        // check if token contains all the required scopes
-        missingScopes = findMissingElements(scopeList, tokenScopes);
-        logger.debug("SCOPE Missing Scopes:{}", missingScopes);
-
         return missingScopes;
     }