Upgrading Spring Boot, Wicket and friends, Swagger UI, MySQL JDBC dri…

…ver and PDFBox

client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/markup/html/form/preview/BinaryPDFPreviewer.java

@@ -21,14 +21,11 @@
 import java.awt.Graphics2D;
 import java.awt.RenderingHints;
 import java.awt.image.BufferedImage;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.io.Serializable;
 import java.time.Instant;
 import org.apache.pdfbox.Loader;
 import org.apache.pdfbox.cos.COSObject;
-import org.apache.pdfbox.io.MemoryUsageSetting;
 import org.apache.pdfbox.pdmodel.DefaultResourceCache;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.apache.pdfbox.pdmodel.graphics.PDXObject;
@@ -63,15 +60,13 @@ public BinaryPDFPreviewer(final String mimeType) {
     public Component preview(final byte[] uploadedBytes) {
         firstPage = null;
 
-        try (InputStream bais = new ByteArrayInputStream(uploadedBytes);
-             PDDocument document = Loader.loadPDF(bais, MemoryUsageSetting.setupTempFileOnly())) {
-
+        try (PDDocument document = Loader.loadPDF(uploadedBytes)) {
             document.setResourceCache(new DefaultResourceCache() {
 
                 @Override
-                public void put(final COSObject indirect, final PDXObject xobject) throws IOException {
+                public void put(final COSObject indirect, final PDXObject xobject) {
+                    // no cache
                 }
-
             });
             if (document.isEncrypted()) {
                 LOG.info("Document is encrypted, no preview is possible");
@@ -96,15 +91,15 @@ public void put(final COSObject indirect, final PDXObject xobject) throws IOExce
         return this.addOrReplace(previewContainer);
     }
 
-    private static class ThumbnailImageResource extends DynamicImageResource implements Serializable {
+    protected static class ThumbnailImageResource extends DynamicImageResource implements Serializable {
 
         private static final long serialVersionUID = 923201517955737928L;
 
-        private final transient BufferedImage image;
+        protected final transient BufferedImage image;
 
-        private transient byte[] thumbnail;
+        protected transient byte[] thumbnail;
 
-        ThumbnailImageResource(final BufferedImage image) {
+        protected ThumbnailImageResource(final BufferedImage image) {
             this.image = image;
         }
 
@@ -117,7 +112,7 @@ protected byte[] getImageData(final IResource.Attributes attributes) {
             return thumbnail;
         }
 
-        private BufferedImage getScaledImageInstance() {
+        protected BufferedImage getScaledImageInstance() {
             int originalWidth = image.getWidth();
             int originalHeight = image.getHeight();
 

core/self-keymaster-starter/src/main/java/org/apache/syncope/core/logic/NetworkServiceLogic.java

@@ -74,19 +74,19 @@ public NetworkService get(final NetworkService.Type serviceType) {
 
     @PreAuthorize("@environment.getProperty('keymaster.username') == authentication.name")
     public void register(final NetworkService networkService) {
-        unregister(networkService);
+        if (serviceDAO.findAll(networkService.getType()).stream().
+                noneMatch(s -> s.getAddress().equals(networkService.getAddress()))) {
 
-        NetworkServiceEntity service = entityFactory.newNetworkService();
-        service.setType(networkService.getType());
-        service.setAddress(networkService.getAddress());
-        serviceDAO.save(service);
+            NetworkServiceEntity service = entityFactory.newNetworkService();
+            service.setType(networkService.getType());
+            service.setAddress(networkService.getAddress());
+            serviceDAO.save(service);
+        }
     }
 
     @PreAuthorize("@environment.getProperty('keymaster.username') == authentication.name")
     public void unregister(final NetworkService networkService) {
-        serviceDAO.findAll(networkService.getType()).stream().
-                filter(service -> service.getAddress().equals(networkService.getAddress())).
-                forEach(service -> serviceDAO.delete(service));
+        serviceDAO.deleteAll(networkService);
     }
 
     @Override

core/self-keymaster-starter/src/main/java/org/apache/syncope/core/persistence/api/dao/NetworkServiceDAO.java

@@ -29,4 +29,6 @@ public interface NetworkServiceDAO extends DAO<NetworkServiceEntity> {
     NetworkServiceEntity save(NetworkServiceEntity service);
 
     void delete(NetworkServiceEntity service);
+
+    int deleteAll(NetworkService service);
 }

core/self-keymaster-starter/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPANetworkServiceDAO.java

@@ -18,6 +18,7 @@
  */
 package org.apache.syncope.core.persistence.jpa.dao;
 
+import jakarta.persistence.Query;
 import jakarta.persistence.TypedQuery;
 import java.util.List;
 import org.apache.syncope.common.keymaster.client.api.model.NetworkService;
@@ -47,4 +48,15 @@ public NetworkServiceEntity save(final NetworkServiceEntity service) {
     public void delete(final NetworkServiceEntity service) {
         entityManager().remove(service);
     }
+
+    @Override
+    public int deleteAll(final NetworkService service) {
+        Query query = entityManager().createQuery(
+                "DELETE FROM " + JPANetworkService.class.getSimpleName()
+                + " e WHERE e.type=:serviceType AND e.address=:address");
+        query.setParameter("serviceType", service.getType());
+        query.setParameter("address", service.getAddress());
+
+        return query.executeUpdate();
+    }
 }

core/self-keymaster-starter/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPANetworkService.java

@@ -22,12 +22,14 @@
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
 import jakarta.persistence.Table;
+import jakarta.persistence.UniqueConstraint;
 import jakarta.validation.constraints.NotNull;
 import org.apache.syncope.common.keymaster.client.api.model.NetworkService;
 import org.apache.syncope.core.persistence.api.entity.NetworkServiceEntity;
 
 @Entity
-@Table(name = JPANetworkService.TABLE)
+@Table(name = JPANetworkService.TABLE, uniqueConstraints =
+        @UniqueConstraint(columnNames = { "type", "address" }))
 public class JPANetworkService extends AbstractGeneratedKeyEntity implements NetworkServiceEntity {
 
     private static final long serialVersionUID = 8742750097008236475L;

core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java

@@ -49,6 +49,7 @@
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.DefaultHttpFirewall;
 import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @EnableWebSecurity
 @EnableMethodSecurity(prePostEnabled = true)
@@ -103,8 +104,9 @@ public SecurityFilterChain filterChain(
         http.addFilterBefore(mustChangePasswordFilter, AuthorizationFilter.class);
 
         http.authorizeHttpRequests(customizer -> customizer.
-                requestMatchers("/actuator/**").hasAuthority(IdRepoEntitlement.ANONYMOUS).
-                requestMatchers("/**").permitAll());
+                requestMatchers(AntPathRequestMatcher.antMatcher("/actuator/**")).
+                hasAuthority(IdRepoEntitlement.ANONYMOUS).
+                requestMatchers(AntPathRequestMatcher.antMatcher("/**")).permitAll());
         http.securityContext(AbstractHttpConfigurer::disable);
         http.sessionManagement(AbstractHttpConfigurer::disable);
         http.headers(AbstractHttpConfigurer::disable);

pom.xml

@@ -413,7 +413,7 @@ under the License.
     <bouncycastle.version>1.75</bouncycastle.version>
     <nimbus-jose-jwt.version>9.31</nimbus-jose-jwt.version>
 
-    <spring-boot.version>3.1.1</spring-boot.version>
+    <spring-boot.version>3.1.2</spring-boot.version>
     <spring-cloud-gateway.version>4.0.6</spring-cloud-gateway.version>
 
     <openjpa.version>4.0.0-SNAPSHOT</openjpa.version>
@@ -438,7 +438,7 @@ under the License.
     <h2.version>2.2.220</h2.version>
 
     <swagger-core.version>2.2.15</swagger-core.version>
-    <swagger-ui.version>5.1.0</swagger-ui.version>
+    <swagger-ui.version>5.1.3</swagger-ui.version>
 
     <jquery-slimscroll.version>1.3.8</jquery-slimscroll.version>
     <jquery-cookie.version>1.4.1-1</jquery-cookie.version>
@@ -452,10 +452,10 @@ under the License.
     <chartjs.version>4.1.2</chartjs.version>
 
     <wicket.version>10.0.0-M1</wicket.version>
-    <wicketstuff.version>10.0.0-SNAPSHOT</wicketstuff.version>
-    <wicket-jqueryui.version>10.0.0-SNAPSHOT</wicket-jqueryui.version>
-    <wicket-bootstrap.version>7.0.0-SNAPSHOT</wicket-bootstrap.version>
-    <wicket-spring-boot.version>4.0.0-SNAPSHOT</wicket-spring-boot.version>
+    <wicketstuff.version>10.0.0-M1</wicketstuff.version>
+    <wicket-jqueryui.version>10.0.0-M1</wicket-jqueryui.version>
+    <wicket-bootstrap.version>7.0.0</wicket-bootstrap.version>
+    <wicket-spring-boot.version>4.0.0-M1</wicket-spring-boot.version>
 
     <antlr4.version>4.13.0</antlr4.version>
 
@@ -496,7 +496,7 @@ under the License.
     <docker.mariadb.version>11</docker.mariadb.version>
 
     <jdbc.postgresql.version>42.6.0</jdbc.postgresql.version>
-    <jdbc.mysql.version>8.0.33</jdbc.mysql.version>
+    <jdbc.mysql.version>8.1.0</jdbc.mysql.version>
     <jdbc.mariadb.version>3.1.4</jdbc.mariadb.version>
     <jdbc.mssql.version>12.2.0.jre</jdbc.mssql.version>
     <jdbc.oracle.version>23.2.0.0</jdbc.oracle.version>
@@ -1077,7 +1077,7 @@ under the License.
       <dependency>
         <groupId>org.apache.pdfbox</groupId>
         <artifactId>pdfbox</artifactId>
-        <version>3.0.0-alpha3</version>
+        <version>3.0.0-beta1</version>
       </dependency>
 
       <dependency>

wa/starter/pom.xml

@@ -123,6 +123,10 @@ under the License.
       <groupId>org.apereo.cas</groupId>
       <artifactId>cas-server-core-web</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apereo.cas</groupId>
+      <artifactId>cas-server-core-web-api</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apereo.cas</groupId>
       <artifactId>cas-server-core-webflow</artifactId>

wa/starter/src/main/java/org/apache/syncope/wa/starter/config/WAContext.java

@@ -21,6 +21,7 @@
 import com.github.benmanes.caffeine.cache.Cache;
 import com.github.benmanes.caffeine.cache.Caffeine;
 import com.github.benmanes.caffeine.cache.LoadingCache;
+import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import com.warrenstrange.googleauth.IGoogleAuthenticator;
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.info.Contact;
@@ -100,8 +101,11 @@
 import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner;
 import org.apereo.cas.util.DateTimeUtils;
 import org.apereo.cas.util.LdapUtils;
+import org.apereo.cas.util.RandomUtils;
 import org.apereo.cas.util.crypto.CipherExecutor;
+import org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer;
 import org.apereo.cas.webauthn.storage.WebAuthnCredentialRepository;
+import org.apereo.cas.webauthn.web.WebAuthnController;
 import org.ldaptive.ConnectionFactory;
 import org.opensaml.saml.metadata.resolver.MetadataResolver;
 import org.pac4j.core.client.Client;
@@ -117,6 +121,11 @@
 import org.springframework.context.annotation.Lazy;
 import org.springframework.context.annotation.ScopedProxyMode;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @Configuration(proxyBeanMethods = false)
 public class WAContext {
@@ -422,6 +431,42 @@ public U2FDeviceRepository u2fDeviceRepository(
         return new WAU2FDeviceRepository(casProperties, requestStorage, waRestClient, expirationDate);
     }
 
+    @Bean
+    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
+    public ProtocolEndpointWebSecurityConfigurer<HttpSecurity> webAuthnProtocolEndpointConfigurer(
+            @Qualifier("webAuthnCsrfTokenRepository")
+            final ObjectProvider<CsrfTokenRepository> webAuthnCsrfTokenRepository) {
+
+        return new ProtocolEndpointWebSecurityConfigurer<>() {
+
+            @Override
+            @CanIgnoreReturnValue
+            @SuppressWarnings("UnnecessaryMethodReference")
+            public ProtocolEndpointWebSecurityConfigurer<HttpSecurity> configure(final HttpSecurity http)
+                    throws Exception {
+
+                http.csrf(customizer -> webAuthnCsrfTokenRepository.ifAvailable(repository -> {
+                    var pattern = new AntPathRequestMatcher(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + "/**");
+                    var delegate = new XorCsrfTokenRequestAttributeHandler();
+                    delegate.setSecureRandom(RandomUtils.getNativeInstance());
+                    customizer.requireCsrfProtectionMatcher(pattern)
+                            .csrfTokenRequestHandler(delegate::handle)
+                            .csrfTokenRepository(repository);
+
+                }));
+                http.authorizeHttpRequests(customizer -> {
+                    customizer.requestMatchers(new AntPathRequestMatcher(WebAuthnController.BASE_ENDPOINT_WEBAUTHN
+                            + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER + "/**"))
+                            .access(new WebExpressionAuthorizationManager("hasRole('USER') and isAuthenticated()"));
+                    customizer.requestMatchers(new AntPathRequestMatcher(WebAuthnController.BASE_ENDPOINT_WEBAUTHN
+                            + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE + "/**"))
+                            .permitAll();
+                });
+                return this;
+            }
+        };
+    }
+
     @Bean
     public SurrogateAuthenticationService surrogateAuthenticationService(final WARestClient waRestClient) {
         return new WASurrogateAuthenticationService(waRestClient);