build(deps): Replace SAML Library (#2908)
* remove: SAML extension library dependency

Co-authored-by: Peter Chen <[email protected]>
Co-authored-by: Bruce Ricard <[email protected]>
Co-authored-by: Danny Faught <[email protected]>

* Ignore non-functioning SAML tests

* Instead of calling fail(). We have a suspicion that there is a bug in the way the tests are running (most of them are somehow not running with "./gradlew test", and we have a theory that a combination of mixing junit4 imports and the junit5 fail() might be contributing).

* I was careful to use @Ignore for tests importing the junit4 @Test, and @Disabled for tests using the junit5 @Test.

* These annotations were added, with the idea that you can search for '@Ignore("SAML' and '@Disabled("SAML' to find the tests that need attention before we finish the SAML library conversion.

    @Ignore("SAML test fails")
    @Ignore("SAML test doesn't compile")
    @Ignore("SAML test setup doesn't compile")
    @Disabled("SAML test fails")
    @Disabled("SAML test doesn't compile")

* A few tests are set to ignore because they're failing for the right reasons, but more work is needed to finish that and get back to green. The goal is to start tracking these annotations instead of failing tests, so we can stay green.

* Tests now running:

    server module: 3,435 (in IntelliJ) (98 total ignored)
    uaa module: 67 (command line run of "./gradlew test" for all tests - still needs troubleshooting)

Co-authored-by: Danny Faught <[email protected]>

* update @Ignore - test now compiles

Co-authored-by: Hongchol Sinn <[email protected]>

* feat: switch to new Spring Security SAML library

* Removed commented-out references to the outdated SAML extension library

Co-authored-by: Duane May <[email protected]>

* feat: Supply metadata through /saml/metadata

- Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints. Still has some wip elements:
    WithHttpsNotRequired > samlMetadataReturnsOk still red
    RelyingPartyRegistration is hardcoded in xml
    /saml/metadata/ with trailing slash not working
    missing parity with develop

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* fix: handle case when Servlet Path is null and ensures test WithHttpsNotRequired -> samlMetadataReturnsOk is green

- fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test
- HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
    java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>

[#186986697]

Co-authored-by: Duane May <[email protected]>

* remove: SAML extension library dependency

Co-authored-by: Peter Chen <[email protected]>
Co-authored-by: Bruce Ricard <[email protected]>
Co-authored-by: Danny Faught <[email protected]>

* Ignore non-functioning SAML tests

* Instead of calling fail(). We have a suspicion that there is a bug in the way the tests are running (most of them are somehow not running with "./gradlew test", and we have a theory that a combination of mixing junit4 imports and the junit5 fail() might be contributing).

* I was careful to use @Ignore for tests importing the junit4 @Test, and @Disabled for tests using the junit5 @Test.

* These annotations were added, with the idea that you can search for '@Ignore("SAML' and '@Disabled("SAML' to find the tests that need attention before we finish the SAML library conversion.

    @Ignore("SAML test fails")
    @Ignore("SAML test doesn't compile")
    @Ignore("SAML test setup doesn't compile")
    @Disabled("SAML test fails")
    @Disabled("SAML test doesn't compile")

* A few tests are set to ignore because they're failing for the right reasons, but more work is needed to finish that and get back to green. The goal is to start tracking these annotations instead of failing tests, so we can stay green.

* Tests now running:

    server module: 3,435 (in IntelliJ) (98 total ignored)
    uaa module: 67 (command line run of "./gradlew test" for all tests - still needs troubleshooting)

Co-authored-by: Danny Faught <[email protected]>

* feat: Supply metadata through /saml/metadata

- Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints. Still has some wip elements:
    WithHttpsNotRequired > samlMetadataReturnsOk still red
    RelyingPartyRegistration is hardcoded in xml
    /saml/metadata/ with trailing slash not working
    missing parity with develop

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* fix: handle case when Servlet Path is null and ensures test WithHttpsNotRequired -> samlMetadataReturnsOk is green

- fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test
- HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
    java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* feat: reliably serve SAML SP metadata

- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: https://github.com/spring-projects/spring-security/issues/11369
- Previously, to solve this problem, the SAML SP metadata generation relied on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (pointing to some example Okta SAML instance); this means that UAA's SP metadata generation relied on the example Okta SAML instance to be running.
- This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of the Spring Security team, so that UAA's functioning does not rely on some external running Okta instance.
- code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* Ignore failing SAML test

- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This test is failing as early as e7beec7a5aa53fa761ca1d752d647f930ebcc6b7 due to the removal of SAML code, as this test is related to the SAML feature

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* disable docs test that shouldn't be running

* Has to be commented out of the erb file even when the test method used @Disabled.

Co-authored-by: Peter Chen <[email protected]>

* Ignore failing SAML test

- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This is a test recently added to the develop branch, so ignoring this here because the SAML feature is still being built.

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* refactor: shorten the dummy IDP metadata

- to reflect the fact that this IDP metadata just needs to exist in its bare minimal form, where the specific fields in it do not affect the SP metadata generation

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* fix: "invalid XML" error in tests

- previously some tests error with:
```
net.shibboleth.utilities.java.support.xml.XMLParserException: Unable to parse inputstream, it contained invalid XML
```
- this issue is fixed once we switch to loading the idp saml metadata via a file (instead of an InputStream)

[186822654]

Co-authored-by: Danny Faught <[email protected]>

* wip: configure some metadata params

Co-authored-by: Danny Faught <[email protected]>

* disable failing test

* We're reprioritizing the test to get this test to pass.

Co-authored-by: Bruce Ricard <[email protected]>

* WIP

Co-authored-by: Duane May <[email protected]>

* wip

Co-authored-by: Duane May <[email protected]>

* wip: ensuring the endpoint for metadata works both in forward and direct request

- Tests are failing but they are behaving as expected with curl and browser for /saml/metadata, /saml/metadata/example and /saml/metadata/example/
- /saml/metadata/ is not returning xml
- The dispatcher ordering along with position in the filter-mapping must be set properly.

[#186986697]

Co-authored-by: Bruce Ricard <[email protected]>

* add metadata redirect test

Co-authored-by: Duane May <[email protected]>

* wip: ensuring the saml metadata endpoint for metadata works in Mock MVC Tests

- /saml/metadata/ is not returning xml

[#186986697]

Co-authored-by: Filip Hanik <[email protected]>

* wip: entityID assertion works in testSamlMetadataDefault

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* feat: entity_id assertion passes

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* wip: use working metadata path temporarily

* Must be changed back to /saml/metadata later, removing "example".

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* wip: xml refactor

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* wip: updating to non forwarding for /saml/metadata to the example default

- Updated to use direct GetMapping

[#186986697]

Co-authored-by: Filip Hanik <[email protected]>

* wip: Ensuring the WantsAssertionSigned and AuthnRequestsSigned are populated in SPSSODescriptor

- Building out EntityDescriptor in the RelyingPartyRegistration which contains the SPSSODescriptor picked up by the resolve method

[#186986697]

Co-authored-by: Duane May <[email protected]>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload

- Need to fix credential type being empty
    Caused by: java.lang.IllegalArgumentException: credentials types cannot be empty
    ....(SamlRelyingPartyRegistrationRepository.java:84)

[#186986697]

Co-authored-by: Duane May <[email protected]>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload

- Signature is not positioned correctly. It should be a child of EntityDescriptor, but the signingX509Credential.signing call positions it in SPSSODescriptor

[#186986697]

Co-authored-by: Duane May <[email protected]>

* feat: populate SAML SP metadata fields: entityID, NameIDFormat, AuthnRequestsSigned

- correctly reads off UAA configs to populate these fields, instead of using hardcoded values
- refactor to directly reading `login.saml.NameID` config (a more modern approach) instead of constructing a bean in xml (a more legacy approach)
- side note: update the UAA config used in mock mvc tests (/uaa/src/test/resources/integration_test_properties.yml) to use a non-default option of `login.saml.nameID` so that we can test that the correct value is being piped through

Co-authored-by: Peter Chen <[email protected]>

* refactor: clean up commented out code

- there is a lot of commented-out code from prior wip commits (which at this point, I decided, is too hard to fix or tidy up). Hence, in this commit, clean it up

[186822654]

Co-authored-by: Duane May <[email protected]>

* Ignore non-functioning SAML tests

- the SAML SP metadata is still WIP, so this IT will fail. Ignoring it for now so that "CI" is green along with all other SAML tests currently failing / non-functional due to the WIP state of the SAML feature.
- see details of this approach in https://github.com/cloudfoundry/uaa/commit/73520d92499f481929e2b666bfbded83aaaa3148

[186822654]

Co-authored-by: Duane May <[email protected]>

* Update opensaml libraries to 4.x

https://docs.spring.io/spring-security/reference/5.8/migration/servlet/saml2.html

Co-authored-by: Duane May <[email protected]>

* Refactor annotations and formatting

Use RestController, Slf4j, Getter
Use textblocks

Co-authored-by: Duane May <[email protected]>

* Refactor tests: formatting, andExpectAll and assertThat

Use assertThat
Use textblocks

Co-authored-by: Duane May <[email protected]>

* Change from SAML XML to Java Config

Co-authored-by: Duane May <[email protected]>

* feat: populate sp metadata field WantAssertionsSigned

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* feat: saml sp metadata field - signing cert

- also: refactor the UAA config used in mock mvc tests (/uaa/src/test/resources/integration_test_properties.yml) from the deprecated saml key fields (eg: login.serviceProviderKey) to the new ones (eg: login.saml.keys), so that we test for the new fields.
- also fix the api docs test so that it now correctly marks the retrieve id zones response's `config.samlConfig.certificate` as optional (this field is only returned if you use the deprecated saml key config fields)

[#186986697]

Co-authored-by: Duane May <[email protected]>

* feat: saml sp metadata encryption cert

- populate saml sp metadata field for use='encryption' cert
- might be counter-intuitive that the setting on rp registration that controls this is "decryptionX509Credentials", but the resulting sp metadata indeed includes use='encryption', which matches the develop branch

[186822654]

Co-authored-by: Duane May <[email protected]>

* refactor: consolidate saml sp configs

- to be processed by a single class "SamlConfiguration" where the @ConfigurationProperties(prefix="login.saml") annotation has the ability to process all fields under the login.saml section of UAA.yml
- this is helpful because we can now centrally read, process, even validate all saml config fields under "login.saml"
- pay attention to the @ConfigurationProperties annotation's various requirements though: such as the private field names need to match the actual UAA.yml field name (e.g.: login.saml.fooBar -> private String fooBar); and that there need to be public setters and getters for each field
- see: https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.external-config.typesafe-configuration-properties.using-annotated-types
- the exception is the saml entity id, which in UAA.yml is somehow outside of the login.saml context (set by login.entityID), so that field stays under class SamlEntityIdConfiguration

Co-authored-by: Duane May <[email protected]>

* refactor: use lombok

- these getters and setters are required for the @ConfigurationProperties annotation to work; use lombok so that we don't need to explicitly define them

[186822654]

Co-authored-by: Duane May <[email protected]>

* refactor: simplify lombok annotation

- as @Data covers the getters and setters

Co-authored-by: Duane May <[email protected]>

* fix: maintain existing saml sp metadata file name

- configure the file name of the saml sp metadata (the downloaded xml file name when accessing the metadata endpoint: http://localhost:8080/uaa/saml/metadata) to match the status quo on the develop branch: "saml-sp.xml"
- This file name likely does not matter, but out of caution, we should maintain the same file name as before

[186822654]

Co-authored-by: Duane May <[email protected]>

* fix: saml sp metadata test set up

- now that the metadata is being provided at the correct location, /saml/metadata, we can correct the test expectation to reflect that (hence matching the develop branch)

[#186986697]

Co-authored-by: Duane May <[email protected]>

* fix: SAML SP metadata endpoint and its https redirect

- Removed forwarding of `/saml/metadata` endpoint to `/saml/metadata/example`. It is not necessary because the `/saml/metadata` endpoint method already calls `/saml/metadata/{registrationId}` with `example` as the default registrationId. (See class `SamlMetadataEndpoint`.)
- Made `HttpsEnforcementFilter` be added to the top of the `SecurityFilterChainPostProcessor`'s `SecurityFilterChain`.
- Added `secFilterOpen06SAMLMetadata` to `SecurityFilterChainPostProcessor`'s `redirectToHttps` list.

[#186986697]

Co-authored-by: Duane May <[email protected]>
Co-authored-by: Peter Chen <[email protected]>

* Clean up unnecessary code

- Removed SamlExtensionUrlForwardingFilter. Just commented out for now in case we need it later.
- Removed unneeded comments in test code.

[#186986697]

Co-authored-by: Duane May <[email protected]>

* Load the Saml Provider Data

[#187084275]

Co-authored-by: Duane May <[email protected]>

* refactor: Spring Annotations on SamlRelyingPartyRegistrationRepository

- Change SamlRelyingPartyRegistrationRepository to Configuration
- Use constructor args instead of Autowired

Co-authored-by: Duane May <[email protected]>

* fix: multiple versions of the opensaml library

still had opensaml 3.4.6

Co-authored-by: Duane May <[email protected]>

* feat: send SAML authn request to IDP

- when a SAML IDP is configured via uaa.yml and the user goes to "/uaa/saml2/authenticate/{saml-idp-alias}", they will get sent to the configured SAML IDP with a SAML authn request. Specifically, spring-security will do the following:
  - when the IDP's Binding mode is "HTTP-Redirect", the user is redirected to the IDP
  - when the IDP's Binding mode is "HTTP-POST", the user's browser is triggered to POST to the IDP. For this to work, the ContentSecurityPolicyFilter needs to be updated to exempt "/saml2" from policy enforcement, such that the script that initiates the POST can be executed in the browser. Similar to how this filter exempts /saml (the existing saml-related path on the develop branch).
- refactor: update the dummy IDP metadata file dummy-saml-idp-metadata.xml to not point to example.com, but to https://www.cloudfoundry.org (which is more of a known destination)
- refactor: use constant DEFAULT_REGISTRATION_ID

[#187084275]

Co-authored-by: Duane May <[email protected]>

* update saml link on login page

* fix: issue with 2 JsonObjects imported

* Merge SamlConfigProps to single class

prefix="login.saml" was in 2 ConfigProps classes before; merged into 1

* Update SamlLoginIT

* feat: Saml Login redirects to IDP

Reads provider info from database
Passes the registrationId as relayState

Signed-off-by: Prateek Gangwal <[email protected]>

* fix: click first saml link matching text

when running multiple IT tests, the simplesamlphp2 link was also listed, causing a conflict with the url matcher

Signed-off-by: Duane May <[email protected]>

* feat: AssertionConsumerService SAML user login

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Ivan Protsiuk <[email protected]>

#187106956

* Clean up and reenable tests

Signed-off-by: Ivan Protsiuk <[email protected]>

* Improve Testing of SAML Request/Response

- Improve Testing of SAML Request/Response with Saml2TestUtils
- Configure assertionConsumerServiceLocation in one location.
- Attempted move to OpenSaml4AuthenticationProvider requires a shadow dependency on opensaml to remove the need for a non-FIPS compliant security provider. Not yet in place

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Alicia Yingling <[email protected]>

* Break up AuthProvider

Move user shadowing, attribute processing, and authorities processing to their own classes.
Enable Authorities

Signed-off-by: Ivan Protsiuk <[email protected]>

* Pull in OpenSaml4AuthenticationProvider

This provides general response validation.

Signed-off-by: Prateek Gangwal <[email protected]>

* Verify user attributes, roles, user name, email extraction

Signed-off-by: Prateek Gangwal <[email protected]>

#187809240

* Add editor and lombok config

Signed-off-by: Duane May <[email protected]>

* Run kill_uaa as part of integrationTests

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Hongchol Sinn <[email protected]>

* Annotate Disabled tests with more information

Signed-off-by: Hongchol Sinn <[email protected]>

* feat: SAML Logout

- Main logout flows are working
- IDP Initiated logout is working
- Handle metadata XML passed in instead of metadata location for both bootstrap and SamlIdentityProviderConfigurator

Signed-off-by: Duane May <[email protected]>

* fix Selenium

HomePage can be one of two urls.
- clean up the rest of the pageObjects package

Signed-off-by: Duane May <[email protected]>

* Update BootstrapTests

- now attempts to retrieve the non-existent url https://simplesamlphp.uaa.com/saml2/idp/metadata.php

Signed-off-by: Duane May <[email protected]>

* feature: Zone-aware SAML SP metadata

- Implemented to the same level as the default IdentityZone's SP metadata generation.
- Minus `NameIDFormat` value population and registration-ID specific implementation.

[#187846376]

* Disable `findByRegistrationIdWhenNoneFound` test as the assertion is not valid anymore.

* Update counter script

- No longer have Ignored tests, only Disabled

Signed-off-by: Duane May <[email protected]>

* Update IdentityZone related classes and tests

Signed-off-by: Duane May <[email protected]>

* feat: basic SAML SP metadata for non-default ID zone

- correctly populates the basic fields of non-default zone SAML SP metadata (such as WantAssertionsSigned and AuthnRequestsSigned), so that for default vs. non-default zones, the SP metadatas have feature parity.

[#187846376]

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* wip: zoned metadata fixes and zoned login

Signed-off-by: Peter Chen <[email protected]>

* rebase and revert entityID checks

* Enable some passing SamlLoginIT tests

Co-authored-by: Duane May <[email protected]>

* refactor entityId and entityIdAlias resolution

- created a base class BaseUaaRelyingPartyRegistrationRepository, used by ConfiguratorRelyingPartyRegistrationRepository and DefaultRelyingPartyRegistrationRepository.
- moved getZoneEntityId and getZoneEntityIdAlias to base class

Co-authored-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* backfill some SAML tests

* Enable SAML Automatic Redirect

Requires changing from discovery URL to the authentication request URL.

Enable the following tests in SamlLoginIT:
- samlInvitationAutomaticRedirectInZone2
- samlLoginClientIDPAuthorizationAutomaticRedirect
- samlLoginClientIDPAuthorizationAutomaticRedirectInZone1
- samlLoginMapGroupsInZone1

Co-authored-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* build(deps): bump org.gradle:test-retry-gradle-plugin

Bumps org.gradle:test-retry-gradle-plugin from 1.5.9 to 1.5.10.

Co-authored-by: Peter Chen <[email protected]>

---
updated-dependencies:
- dependency-name: org.gradle:test-retry-gradle-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Fix regression in identity-provider endpoint (#2962)

* Fix regression in identity-provider endpoint

Issue: If existing entries in identity-provider with new external_key the field is null, which is expected. If external_key is null, this must not overwrite the issuer in the rest endpoint, but it does.
For SAML there is no issue, because here the entityId is really new in REST output and in DB. For OIDC and OAuth2 the issuer was used in REST already and there was no check before overwriting it from external_key.

* review

* add case if issuer is null from config, allowed for oauth2 IdP

* spelling

* revert the logic of external key, stay with issuer

* set entityId on update

* test coverage

Co-authored-by: Peter Chen <[email protected]>

* build(deps): bump k8s.io/client-go from 0.30.2 to 0.30.3 in /k8s (#2964)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.2 to 0.30.3.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.30.2...v0.30.3)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Replace SamlLegacyAliasResponseForwardingFilter

- Added a RelayStateRelyingPartyRegistrationResolver which looks for the Registration Id in the RelayState, instead of the last part of the URL.
- The url contains the entity id, for backward compatibility, instead of the registration Id.
- The filter required redirect filter processing, which broke the CSRF Filter (noticed on LoginServerSecurityIntegrationTests)

Co-authored-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* fix: correct test expectation

- the saml assertion consumer endpoint should end with the configured login.entityID in UAA.yml (when login.saml.entityIDAlias is not set)

* Update test classes

- DefaultIntegrationTestConfig: use Durations
- IdentityZoneEndpointsMockMvcTests: sonar, asserts
- LdapIntegrationTests: junit5, sonar, asserts

Signed-off-by: Duane May <[email protected]>

* Update scripts for testing

- kill_uaa: make port aware
- debug_uaa: for running uaa in debug or suspended debug mode
- create_test_providers: adds providers to running UAA via API
- create_test_zones: adds zones and providers to running UAA via API

Signed-off-by: Duane May <[email protected]>

* check entityId in validate SAML (#2970)

* WIP: replace SamlLegacyAliasResponseForwardingFilter

- the receiveAuthnResponseFromIdpToLegacyAliasUrl test still failing, see comments within this test

Co-authored-by: Duane May <[email protected]>

* WIP: check entityId in validate SAML

* WIP: re-establish validation of metadata in /identity-providers endpoint

* WIP: test fix

---------

Co-authored-by: Peter Chen <[email protected]>
Co-authored-by: Duane May <[email protected]>

* feat: Handle Multiple SAML keys

- Rotation Tests working
- Uses keys from SamlConfig for each zone
- Fall back to default keys if none set

[#187994938]

Signed-off-by: Duane May <[email protected]>

* fix: Couple of failing test cases due to `500 INTERNAL_SERVER_ERROR` from `/oauth/token` endpoint

- Stepping through the server code revealed that an exception was thrown as follows:
```
org.cloudfoundry.identity.uaa.util.JsonUtils$JsonUtilException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "relyingPartyRegistrationId" (class org.cloudfoundry.identity.uaa.authentication.UaaPrincipal), not marked as ignorable (6 known properties: "origin", "zoneId", "id", "email", "externalId", "name"])
 at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 205] (through reference chain: org.cloudfoundry.identity.uaa.authentication.UaaPrincipal["relyingPartyRegistrationId"])
```
- Added a `jackson` annotation to ignore the 3 properties in UaaSamlPrincipal that were causing the `UnrecognizedPropertyException`.
- Added back a line that sets zoneId in a test case, which apparently had been removed by mistake.

[#187986233]
[#187986220]

* Clean up and reimplement SamlKeyManager and SamlKeyManagerFactory

- added these methods back to IdentityZoneHolder, even though that has been Deprecated
- Migrate BouncyCastle Setup and IdentityZoneHolderInitializer from XML to Java
- Removed some of the old classes that were in this area

Signed-off-by: Duane May <[email protected]>

* Migrate tests from ZoneAwareMetadataGeneratorTests

- Moved tests for rotation to SamlMetadataEndpointKeyRotationTests
- Moved tests related to SamlRedirectUtils to SamlRedirectUtilsTest

Signed-off-by: Duane May <[email protected]>

* feature: Handle incorrect SAML response

- Set the `Saml2WebSsoAuthenticationFilter`'s `AuthenticationFailureHandler` to the custom failure handler.
- Updated the test case's page source validation condition to check for the string that is based on the new exception message.

[#187986112]

* Remove duplicate tests

Various calls to the metadata endpoint with and without trailing / and /example in HealthzShouldNotBeProtectedMockMvcTests were duplicated in SamlMetadataMockMvcTests

Signed-off-by: Duane May <[email protected]>

* Add signatures to Metadata and AuthnRequest

Includes:
- getting configured SignatureAlgorithm
- getting configured signMetadata
- Add Signature Algorithm and Digest Algorithm to Metadata
- Generate Signature Value and Digest Value to Metadata
- Add SignatureAlgorithm and keys to the RelyingPartyRegistration
- Sign the AuthnRequest

TPCF-6869
TPCF-6938

Signed-off-by: Duane May <[email protected]>

* Add tests for alternate config of signRequest and signMetaData

TPCF-6869
TPCF-6938

Signed-off-by: Duane May <[email protected]>

* Enable tests in BootstrapSamlIdentityProviderDataTests

Signed-off-by: Duane May <[email protected]>

* Enable test in HomeControllerViewTests

- Removed commented out Disabled annotation in SamlIdentityProviderConfiguratorTests
- TestClassNullifier moved to junit5

Signed-off-by: Duane May <[email protected]>

* feat: Allow InResponseTo checking to be configured

TPCF-6873

* feat: Add NameIdFormat to AuthnRequest

This comes from the property login.saml.nameID
Also refactored the RelyingPartyRegistrationBuilder to use a Params object with builder since the param list was 8 items

TPCF-6874

Signed-off-by: Duane May <[email protected]>

* Support for login.saml.socket.* settings

TPCF-6882

Signed-off-by: Duane May <[email protected]>

* Only show failed tests

make it easier to find the failed tests in output

Signed-off-by: Duane May <[email protected]>

* Caffeine Caching

Guava Cache recommends moving to Caffeine
Mostly a drop-in replacement
Although the refreshAfterWrite works a little differently

Signed-off-by: Duane May <[email protected]>

* Log Malformed Saml Responses

The mechanism to achieve this in the old SAML library is no longer there. Added this in to the SamlLoginAuthenticationFailureHandler.
Left the logger name as SamlResponseLoggerBinding for backward compatibility, for jobs looking for the messages.

[TPCF-25429]

Signed-off-by: Duane May <[email protected]>

* Clean up and Sonar

Signed-off-by: Duane May <[email protected]>

* Update to LoginInfoEndpoint

Signed-off-by: Duane May <[email protected]>

* Add Oauth Token endpoint to metadata

maintains existing functionality

Signed-off-by: Duane May <[email protected]>

* Update tests

SamlLoginIT.springSamlEndpointsWithEmptyContext - functionality changed, redirects
ZoneAwareKeyManagerTest - was 0 coverage, all calls are proxied to SamlKeyManager in the ThreadLocal managed by IdentityZoneHolder.

Signed-off-by: Duane May <[email protected]>

* Resolve Sonar security hotspots

Replace the //NOSONAR comment with an error-specific SuppressWarnings annotation

* Correct malformed property placeholder.

* Update JavaPluginExtension settings

Signed-off-by: Duane May <[email protected]>

* Implement Saml2 Bearer Grants

Signed-off-by: Duane May <[email protected]>

* Unjava-doc-ify the copyright notices

Signed-off-by: Duane May <[email protected]>

* Fix tests for Invitations and Passcodes

Signed-off-by: Duane May <[email protected]>

* Sonar fixes

Signed-off-by: Duane May <[email protected]>

* Update tests with awaitility

Signed-off-by: Duane May <[email protected]>

* Update discovery urls to authenticate

Signed-off-by: Duane May <[email protected]>

* Enable tests and update disabled reasons for remaining

Signed-off-by: Duane May <[email protected]>

* Enable RelayState as a redirect target

- Remove the existing code to store registrationId on request in the relaystate; it is stored with the request.
- Also enable IDP initiated login; we don't get the registrationId in this case

Signed-off-by: Duane May <[email protected]>

* Update selenium page objects to use assert notation

- Uses assertj and awaitility
- Rename methods to include assert where applicable
- Tests should include assertions java:S2699

Signed-off-by: Duane May <[email protected]>

* Fix Sonar Issues

Signed-off-by: Duane May <[email protected]>

* doc: Update the comment for `login.entityBaseURL` property.

* build(deps): bump versions.springSecurityVersion from 5.8.14 to 5.8.15 (#3089)

Bumps `versions.springSecurityVersion` from 5.8.14 to 5.8.15.

Updates `org.springframework.security:spring-security-config` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-core` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-ldap` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-taglibs` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-test` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-web` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

---
updated-dependencies:
- dependency-name: org.springframework.security:spring-security-config
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-ldap
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-taglibs
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-test
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-web
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump org.apache.velocity:velocity-engine-core (#3090)

Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.

---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* pr/upgrade docs slate gems take 2 (#3091)

* In an attempt to upgrade Slate, and have successful builds on both Mac and Linux using Ruby 3.3.5

Step 1 - Upgrade dependencies

* Fix jasmine-test script

* build(deps): bump k8s.io/client-go from 0.31.1 to 0.31.2 in /k8s (#3096)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.1 to 0.31.2.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.31.1...v0.31.2)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix Sonar Issues

Signed-off-by: Duane May <[email protected]>

* Improve test coverage

Signed-off-by: Duane May <[email protected]>

* Cleanup and test coverage

Signed-off-by: Duane May <[email protected]>

* fix(k8s): fix `JAVA_HOME`

Updates the `JAVA_HOME` env var for the `build-uaa-truststore` init container to match the updated path used by the Paketo buildpack.

fixes: https://github.com/cloudfoundry/uaa/issues/2388

Signed-off-by: Rifa Achrinza <[email protected]>

* build(deps): bump rexml from 3.3.8 to 3.3.9 in /uaa/slate (#3100)

Bumps [rexml](https://github.com/ruby/rexml) from 3.3.8 to 3.3.9.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.3.8...v3.3.9)

---
updated-dependencies:
- dependency-name: rexml
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump versions.jacksonVersion from 2.18.0 to 2.18.1 (#3101) Bumps `versions.jacksonVersion` from 2.18.0 to 2.18.1. Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.0 to 2.18.1 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.0 to 2.18.1 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.18.0 to 2.18.1 - [Commits](https://github.com/FasterXML/jackson-dataformats-text/compare/jackson-dataformats-text-2.18.0...jackson-dataformats-text-2.18.1) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-annotations dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump versions.seleniumVersion from 4.25.0 to 4.26.0 Bumps `versions.seleniumVersion` from 4.25.0 to 4.26.0. 
Updates `org.seleniumhq.selenium:selenium-java` from 4.25.0 to 4.26.0 - [Release notes](https://github.com/SeleniumHQ/selenium/releases) - [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0) Updates `org.seleniumhq.selenium:selenium-remote-driver` from 4.25.0 to 4.26.0 - [Release notes](https://github.com/SeleniumHQ/selenium/releases) - [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0) --- updated-dependencies: - dependency-name: org.seleniumhq.selenium:selenium-java dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.seleniumhq.selenium:selenium-remote-driver dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0 in /k8s Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.2 to 1.35.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.34.2...v1.35.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1 in /k8s (#3105) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.35.0 to 1.35.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.35.0...v1.35.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Cleanup not used comments and fragments * Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java * Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java * Enable simpleSamlLoginWithAddShadowUserOnLoginFalse Signed-off-by: Duane May <[email protected]> * Add coverage for UaaSavedRequestAwareAuthenticationSuccessHandler Signed-off-by: Duane May <[email protected]> * Fix Sonar issues Signed-off-by: Duane May <[email protected]> * sonar recommendation * sonar recommendation * sonar says not in use * Remove duplicates in New-saml-0530 (#3117) * renovate: : update dependency webrick to v1.9.0 * Refactor and fix duplicate found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent * Only show failed tests make it easier to find the failed tests in output Signed-off-by: Duane May <[email protected]> * reduce duplicates * rebase * reduce duplicates * Refactor and fix duplicate (#3112) found by sonar in 
https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent * cleanup * refactor saml bearer usage * Migrate to Caffeine Caching (#3114) * Migrate to Caffeine Caching Guava Cache recommends moving to Caffeine Mostly a drop-in replacement Although the refreshAfterWrite works a little different * more test coverage * again more test coverage * sonar * sonar --------- Co-authored-by: strehle <[email protected]> * fix rebase * fix rebase --------- Signed-off-by: Duane May <[email protected]> Co-authored-by: Duane May <[email protected]> Co-authored-by: Duane May <[email protected]> * fix rebase * Store saml session index in UaaSamlPrincipal needed later for SLO * return plain error message (#3119) in case of decryption issue (wrong key) do not show class internals * Disable csrf check in SAML-SLO (#3123) Found in manual test with SAML SLO , POST Binding * fix integration test * fix integration test * Add acr value into User Authentication (#3127) re-establish IT see former retrieval https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L292-L298 * Cleanup shadow library (#3130) * Cleanup libraries not needed anymore (#3129) * Cleanup libraries not needed anymore bound to old opensaml * Remove ESAPI finally this dependency is only there because of old saml * fix rebase * sonar issue https://sonarcloud.io/project/issues?impactSoftwareQualities=RELIABILITY&sinceLeakPeriod=true&issueStatuses=OPEN%2CCONFIRMED&pullRequest=2908&id=cloudfoundry-identity-parent * remove not needed method * Add test to run Authn with redirect binding Will add more coverage in Saml2Utils * minor sonar issue * cleanup not used code * sonar issue with unspecified type * Fix 
Sonar issues Signed-off-by: Duane May <[email protected]> * Enhancements for SAML2 bearer flow (#3132) * Test saml bearer * Fixes for SAML2 bearer flow * reverted test * Enhancements for SAML2 bearer and IdP initiated SSO (#3136) * Test saml bearer * Fixes for SAML2 bearer flow * reverted test * Implement RelyingPartyRegistrationResolver * support resolution of SAMLResponse from request * remove default setting * Use standard setting of metadata the feature with classpath is new in this PR. * refactorings based on sonar * Replace dummy-saml-idp-metadata and create the data based on real key data Until now we do not deliver any keys in uaa.war. * Cleanup test failure Changed, because of hack with defaults. * Rename DefaultRelyingPartyRegistrationResolver to UaaRelyingPartyRegistrationResolver Signed-off-by: Duane May <[email protected]> * Refactor text blocks Signed-off-by: Duane May <[email protected]> --------- Signed-off-by: Duane May <[email protected]> Co-authored-by: Duane May <[email protected]> Co-authored-by: Duane May <[email protected]> * sonar: unused imports * sonar: recommendation * sonar: recommendation * sonar changes * sonar changes * omit hard coded example name (#3140) * build(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0 (#3146) Bumps commons-io:commons-io from 2.17.0 to 2.18.0. --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feature: ingtegration test coverage - Modified `cargo.local` to run with jacoco agent if a system property is set. - Added a task to generate coverage report from the recorded jacoco data. 
* Add the kill_uaa step to ensure jacoco file is written * typo * Bump Gradle to 8.11.1 * fix: default values of custom zone's saml entityID and saml alias (when the configured entityID is a URL) - maintain the existing behavior where a custom identity zone's saml entityID is defaulted to either 1) `zoneSubdomain.uaaWideSamlEntityID` if `uaaWideSamlEntityID` is not a URL, or 2) if `uaaWideSamlEntityID` is a URL, integration the zoneSubdomain into the URL (see tests for example). - similar logic for saml entity alias (which is used in various saml sp urls, such as `AssertionConsumerService`) except that the alias should not include url scheme (aka without `https://`), so that the resulting saml sp urls are valid urls (e.g.: `https://zone1.uaa.com/saml/SSO/alias/[saml entity alias]`, see tests for examples). - reference on develop branch (old saml code): - doc: https://github.com/cloudfoundry/uaa/blob/65952b1b53b8d01cf93e68493a3f6ac85ad8a825/docs/login/Okta-README.md?plain=1#L73-L75 - code: https://github.com/cloudfoundry/uaa/blob/cc5f76fba495e5d1b3fd755ac3a6ff137fc91878/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java#L53-L54 - problem statement: without this commit, when * a custom zone is created without a `zone.config.samlConfig.entityID` specified * the default zone's `login.entityID` is configured to a URL, such as `https://uaa.com` * the default zone's `login.saml.entityIDAlias` is not set, aka default to `login.entityID` Then the resulting custom zone sp metadata has some discrepancies with the old saml code's metadata: For `AssertionConsumerService`: - old (correct) value is: https://test-zone-before.uaa.com/saml/SSO/alias/test-zone-before.uaa.com - new value is: https://test-zone.uaa.com/saml/SSO/alias/test-zone.http:/uaa.com For `entityID`: - old (correct) value is: http://test-zone-before.uaa.com - new value is: test-zone.http://uaa.com This results in the external SAML login for this zone not working. 
* clean version definition not needed anymore --------- Signed-off-by: Prateek Gangwal <[email protected]> Signed-off-by: Duane May <[email protected]> Signed-off-by: Ivan Protsiuk <[email protected]> Signed-off-by: Alicia Yingling <[email protected]> Signed-off-by: Hongchol Sinn <[email protected]> Signed-off-by: Peter Chen <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Rifa Achrinza <[email protected]> Co-authored-by: Danny Faught <[email protected]> Co-authored-by: Peter Chen <[email protected]> Co-authored-by: Bruce Ricard <[email protected]> Co-authored-by: Hongchol Sinn <[email protected]> Co-authored-by: Duane May <[email protected]> Co-authored-by: Bruce Ricard <[email protected]> Co-authored-by: Filip Hanik <[email protected]> Co-authored-by: Duane May <[email protected]> Co-authored-by: d036670 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Markus Strehle <[email protected]> Co-authored-by: Duane May <[email protected]> Co-authored-by: Rifa Achrinza <[email protected]>
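The entityID/alias defaulting described in the "fix: default values of custom zone's saml entityID and saml alias" commit above, as an added example that is not UAA's own code: the naive dot-prefix derivation is shown beside the URL-aware one, using the zone subdomain and base entityID values from the commit's problem statement (constructed here). The helper names, the `urlsplit`-based URL check and the "strip the scheme" alias rule are this example's assumptions, not UAA's implementation.

```python
from urllib.parse import urlsplit, urlunsplit

# SP AssertionConsumerService path pattern as quoted in the commit message.
# All function names below are hypothetical helpers for this example, not UAA's.
ACS_PATH = "/saml/SSO/alias/{alias}"


def is_url(value: str) -> bool:
    """True when the value has a scheme and a host, e.g. https://uaa.com (assumed check)."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def naive_zone_entity_id(zone_subdomain: str, uaa_wide_entity_id: str) -> str:
    """The broken derivation: always put 'subdomain.' in front of the base.

    Correct for a bare host name, but for a URL base it yields
    'test-zone.https://uaa.com', the discrepancy the commit describes.
    """
    return f"{zone_subdomain}.{uaa_wide_entity_id}"


def zone_entity_id(zone_subdomain: str, uaa_wide_entity_id: str) -> str:
    """Default entityID for a custom zone with no entityID configured.

    1) non-URL base: 'zoneSubdomain.base'
    2) URL base:     the subdomain is inserted into the URL's host part
    """
    if not is_url(uaa_wide_entity_id):
        return naive_zone_entity_id(zone_subdomain, uaa_wide_entity_id)
    parts = urlsplit(uaa_wide_entity_id)
    return urlunsplit(parts._replace(netloc=f"{zone_subdomain}.{parts.netloc}"))


def zone_entity_alias(zone_subdomain: str, uaa_wide_entity_id: str) -> str:
    """Default entity alias: the zone entityID without its URL scheme."""
    entity_id = zone_entity_id(zone_subdomain, uaa_wide_entity_id)
    return entity_id.split("://", 1)[1] if is_url(entity_id) else entity_id


def assertion_consumer_service_url(zone_base_url: str, alias: str) -> str:
    """Builds the SP ACS URL; only a scheme-free alias gives a valid URL."""
    return zone_base_url.rstrip("/") + ACS_PATH.format(alias=alias)


if __name__ == "__main__":
    # Constructed values mirroring the commit's problem statement.
    base, zone = "https://uaa.com", "test-zone"
    print("buggy entityID:", naive_zone_entity_id(zone, base))
    print("fixed entityID:", zone_entity_id(zone, base))
    print("fixed alias   :", zone_entity_alias(zone, base))
    print("ACS URL       :", assertion_consumer_service_url(
        "https://test-zone.uaa.com", zone_entity_alias(zone, base)))
```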