
build(deps): bump org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1 #3090

@dependabot dependabot bot commented on behalf of github Oct 21, 2024

Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.


Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.

---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Oct 21, 2024
@strehle strehle merged commit 9f8094e into develop Oct 22, 2024
22 checks passed
@strehle strehle deleted the dependabot/gradle/org.apache.velocity-velocity-engine-core-2.4.1 branch October 22, 2024 04:35
duanemay pushed a commit that referenced this pull request Oct 28, 2024
Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.

---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
strehle added a commit that referenced this pull request Nov 26, 2024
* remove: SAML extension library dependency

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* Ignore non-functioning SAML tests

* Instead of calling fail(). We have a suspicion that there is a bug in
  the way the tests are running (most of them are somehow not running
  with "./gradlew test" and we have a theory that a combination of mixing
  junit4 imports and the junit5 fail() might be contributing.
* I was careful to use @Ignore for tests importing the junit4 @Test, and
  @Disabled for tests using the junit5 @Test.
* These annotations were added, with the idea that you can search for
  '@Ignore("SAML' and '@Disabled("SAML' to find the tests that need
  attention before we finish the SAML library conversion.
@Ignore("SAML test fails")
@Ignore("SAML test doesn't compile")
@Ignore("SAML test setup doesn't compile")
@Disabled("SAML test fails")
@Disabled("SAML test doesn't compile")
* A few tests are set to ignore because they're failing for the right
  reasons, but more work is needed to finish that and get back to green.
  The goal is to start tracking these annotations instead of failing
  tests, so we can stay green.
* Tests now running:
    server module: 3,435 (in IntelliJ) (98 total ignored)
    uaa module: 67 (command line run of "./gradlew test" for all tests
    - still needs troubleshooting)

Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* update @Ignore - test now compiles

Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com>

* feat: switch to new Spring Security SAML library

* Removed commented-out references to the outdated SAML extension library

Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: Supply metadata through /saml/metadata

- Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints. Still has some WIP elements:
  - WithHttpsNotRequired > samlMetadataReturnsOk still red
  - RelyingPartyRegistration is hardcoded in XML
  - /saml/metadata/ with trailing slash not working
  - missing parity with develop

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: handle case when Servlet Path is null and ensure test WithHttpsNotRequired -> samlMetadataReturnsOk is green

- fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test -
HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
    java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>

[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>

* remove: SAML extension library dependency

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* Ignore non-functioning SAML tests

* Instead of calling fail(). We have a suspicion that there is a bug in
  the way the tests are running (most of them are somehow not running
  with "./gradlew test" and we have a theory that a combination of mixing
  junit4 imports and the junit5 fail() might be contributing.
* I was careful to use @Ignore for tests importing the junit4 @Test, and
  @Disabled for tests using the junit5 @Test.
* These annotations were added, with the idea that you can search for
  '@Ignore("SAML' and '@Disabled("SAML' to find the tests that need
  attention before we finish the SAML library conversion.
@Ignore("SAML test fails")
@Ignore("SAML test doesn't compile")
@Ignore("SAML test setup doesn't compile")
@Disabled("SAML test fails")
@Disabled("SAML test doesn't compile")
* A few tests are set to ignore because they're failing for the right
  reasons, but more work is needed to finish that and get back to green.
  The goal is to start tracking these annotations instead of failing
  tests, so we can stay green.
* Tests now running:
    server module: 3,435 (in IntelliJ) (98 total ignored)
    uaa module: 67 (command line run of "./gradlew test" for all tests
    - still needs troubleshooting)

Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* feat: Supply metadata through /saml/metadata

- Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints. Still has some WIP elements:
  - WithHttpsNotRequired > samlMetadataReturnsOk still red
  - RelyingPartyRegistration is hardcoded in XML
  - /saml/metadata/ with trailing slash not working
  - missing parity with develop

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: handle case when Servlet Path is null and ensure test WithHttpsNotRequired -> samlMetadataReturnsOk is green

- fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test -
HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
    java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* feat: reliably serve SAML SP metadata

- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration,
which requires a valid SAML IDP
metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP
metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML
IDPs might require you to supply the SAML SP metadata first before you can obtain the
SAML IDP metadata. See relevant issue: https://github.com/spring-projects/spring-security/issues/11369
- Previously, to solve this problem, the SAML SP metadata generation relied
on relyingPartyRegistration values in saml-providers.xml, which
hardcoded a SAML IDP metadata URL (pointing to some example Okta SAML instance);
this meant that UAA's SP metadata generation relied on the
example Okta SAML instance running.
- This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML
SP metadata generation, at the advice of Spring Security team, so that UAA's functioning
does not rely on some external running Okta instance.
- code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* Ignore failing SAML test

- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This test is failing as early as
  e7beec7a5aa53fa761ca1d752d647f930ebcc6b7 due to the removal of SAML
  code, as this test is related to the SAML feature

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* disable docs test that shouldn't be running

* Has to be commented out of the erb file even when the test method used @Disabled.

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* Ignore failing SAML test

- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This is a test recently added to develop branch, so
ignoring this here because the SAML feature is still being
built.

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* refactor: shorten the dummy IDP metadata

- to reflect the fact that this IDP metadata just needs
to exist in its bare minimal form, where the specific fields
in it do not affect the SP metadata generation

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: "invalid XML" error in tests

- previously some tests error with:
```
net.shibboleth.utilities.java.support.xml.XMLParserException: Unable to parse inputstream, it contained invalid XML
```
- this issue is fixed once we switch to loading
the idp saml metadata via a file (instead of an InputStream)

[186822654]

Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* wip: configure some metadata params

Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* disable failing test

* We're reprioritizing the test to get this test to pass.

Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>

* WIP

Co-authored-by: Duane May <duane.may@broadcom.com>

* wip

Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: ensuring the endpoint for metadata works both in forward and direct request

- Tests are failing but they are behaving as expected with curl and browser for /saml/metadata /saml/metadata/example and /saml/metadata/example/

- /saml/metadata/ is not returning xml

- The dispatcher ordering along with position in the filter-mapping must be set properly.

[#186986697]

Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>

* add metadata redirect test

Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: ensuring the saml metadata endpoint for metadata works in Mock MVC Tests

- /saml/metadata/ is not returning xml

[#186986697]

Co-authored-by: Filip Hanik <fhanik@vmware.com>

* wip: entityID assertion works in testSamlMetadataDefault

Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: entity_id assertion passes

Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: use working metadata path temporarily

* Must be changed back to /saml/metadata later, removing "example".

Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: xml refactor

Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: updating to non forwarding for /saml/metadata to the example default

- Updated to use direct GetMapping

[#186986697]

Co-authored-by: Filip Hanik <fhanik@vmware.com>

* wip: Ensuring the WantsAssertionSigned and AuthnRequestsSigned are populated in SPSSODescriptor

- Building out EntityDescriptor in the RelyingPartyRegistration which contains the SPSSODescriptor picked up by the resolve method

[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload

- Need to fix credential type being empty

Caused by: java.lang.IllegalArgumentException: credentials types cannot be empty
....(SamlRelyingPartyRegistrationRepository.java:84)
[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload

- Signature is not positioned correctly. It should be a child of EntityDescriptor, but the signingX509Credential.signing call positions it in SPSSODescriptor

[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: populate SAML SP metadata fields: entityID, NameIDFormat, AuthnRequestsSigned

- correctly reads off UAA configs to populate these fields, instead
of using hardcoded values
- refactor to directly reading `login.saml.NameID` config (a more modern approach) instead
of constructing a bean in xml (a more legacy approach)
- side note: update the UAA config used in mock mvc tests (/uaa/src/test/resources/integration_test_properties.yml)
to use a non-default option of `login.saml.nameID` so that we can test
that the correct value is being piped through

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* refactor: clean up commented out code

- there is a lot of commented-out code from
prior wip commits (which at this point, I decided, is
too hard to fix or tidy up). Hence, in this commit,
clean it up

[186822654]

Co-authored-by: Duane May <duane.may@broadcom.com>

* Ignore non-functioning SAML tests

- the SAML SP metadata is still WIP, so this IT will fail. Ignoring
it for now so that "CI" is green along with all other SAML tests
currently failing / non-functional due to the WIP state of the SAML
feature.
- see details of this approach in https://github.com/cloudfoundry/uaa/commit/73520d92499f481929e2b666bfbded83aaaa3148

[186822654]

Co-authored-by: Duane May <duane.may@broadcom.com>

* Update opensaml libraries to 4.x

https://docs.spring.io/spring-security/reference/5.8/migration/servlet/saml2.html

Co-authored-by: Duane May <duane.may@broadcom.com>

* Refactor annotations and formatting

Use RestController, Slf4j, Getter
Use textblocks

Co-authored-by: Duane May <duane.may@broadcom.com>

* Refactor tests: formatting, andExpectAll and assertThat

Use assertThat
Use textblocks

Co-authored-by: Duane May <duane.may@broadcom.com>

* Change from SAML XML to Java Config

Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: populate sp metadata field WantAssertionsSigned

[#186986697]

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* feat: saml sp metadata field - signing cert

- also: refactor the UAA config used in mock mvc tests
(/uaa/src/test/resources/integration_test_properties.yml)
from the deprecated saml key fields (eg: login.serviceProviderKey)
to the new ones (eg: login.saml.keys), so that we test for the
new fields.
  - also fix the api docs test so that it now correctly marks
  the retrieve id zones response's `config.samlConfig.certificate`
  as optional (this field is only returned if you use the
  deprecated saml key config fields)

[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: saml sp metadata encryption cert

- populate saml sp metadata field for use='encryption' cert
- might be counter-intuitive that the setting on rp registration
that controls this is "decryptionX509Credentials", but the resulting
sp metadata indeed includes use='encryption' which matches
develop branch

[186822654]

Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: consolidate saml sp configs

- to be processed by a single class "SamlConfiguration" where
the @ConfigurationProperties(prefix="login.saml") annotation
has the ability to process all fields under the login.saml section
of UAA.yml
  - this is helpful because we can now centrally read, process,
  even validate all saml config fields under "login.saml"
  - pay attention to @ConfigurationProperties annotation's various
  requirements though: such as the private field names need to match
  the actual UAA.yml field name (e.g.: login.saml.fooBar -> private
  String fooBar); and that there need to be public setters and getters
  for each field
  - see: https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.external-config.typesafe-configuration-properties.using-annotated-types
- with the exception of the saml entity id, which in UAA.yml is somehow
outside of the login.saml context (set by login.entityID) so that
field stays under class SamlEntityIdConfiguration

Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: use lombok

- these getters and setters are required
for @ConfigurationProperties annotation to work; use
lombok so that we don't need to explicitly
define them

[186822654]

Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: simplify lombok annotation

- as @Data covers the getters and setters

Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: maintain existing saml sp metadata file name

- configure the file name of the saml sp metadata (the downloaded
xml file name when accessing the metadata endpoint: http://localhost:8080/uaa/saml/metadata)
to match the status quo on develop branch: "saml-sp.xml"
- This file name likely does not matter, but out of caution, we should
maintain the same file name as before

[186822654]

Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: saml sp metadata test set up

- now that the metadata is being provided at
the correct location: /saml/metadata, we can correct
the test expectation to reflect that (hence matching
the develop branch)

[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: SAML SP metadata endpoint and its https redirect

- Removed forwarding of `/saml/metadata` endpoint to `/saml/metadata/example`. It is not necessary because `/saml/metadata` endpoint method already calls `/saml/metadata/{registrationId}` with `example` as the default registrationId. (See class `SamlMetadataEndpoint`.)
- Made `HttpsEnforcementFilter` to be added to the top of the `SecurityFilterChainPostProcessor`'s `SecurityFilterChain`.
- Added `secFilterOpen06SAMLMetadata` to `SecurityFilterChainPostProcessor`'s  `redirectToHttps` list.

[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* Clean up unnecessary code

- Removed SamlExtensionUrlForwardingFilter. Just commented out for now in case we need it later.
- Removed unneeded comments in test code.

[#186986697]

Co-authored-by: Duane May <duane.may@broadcom.com>

* Load the Saml Provider Data

[#187084275]

Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: Spring Annotations on SamlRelyingPartyRegistrationRepository

- Change SamlRelyingPartyRegistrationRepository to Configuration
- Use constructor args instead of Autowired

Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: multiple versions of the opensaml library

still had opensaml 3.4.6

Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: send SAML authn request to IDP

- when SAML IDP is configured via uaa.yml, when
the user goes to "/uaa/saml2/authenticate/{saml-idp-alias}",
they will get sent to the configured SAML IDP with
a SAML authn request. Specifically, spring-security will do
the following:
 - when the IDP's Binding mode is "HTTP-Redirect", the
 user is redirected to the IDP
 - when the IDP's Binding mode is "HTTP-POST", the user's
 browser is triggered to POST to the IDP. For this to work,
 the ContentSecurityPolicyFilter needs to be updated to exempt
 "/saml2" from policy enforcement, such that the script that
 initiates the POST can be executed in the browser. Similar
 to how this filter exempts /saml (the existing saml-related
 path on develop branch).

- refactor: update the dummy IDP metadata file
dummy-saml-idp-metadata.xml to not point
to example.com, but to https://www.cloudfoundry.org
(which is more of a known destination)

- refactor: use constant DEFAULT_REGISTRATION_ID

[#187084275]

Co-authored-by: Duane May <duane.may@broadcom.com>

* update saml link on login page

* fix: issue with 2 JsonObjects imported

* Merge SamlConfigProps to single class

prefix="login.saml" was in 2 ConfigProps classes before merged into 1

* Update SamlLoginIT

* feat: Saml Login redirects to IDP

Reads provider info from database
Passes the registrationId as relayState

Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>

* fix: click first saml link matching text

when running multiple IT tests, the simplesamlphp2 link was also listed, and causing a conflict with url matcher

Signed-off-by: Duane May <duane.may@broadcom.com>

* feat: AssertionConsumerService SAML user login

Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>

#187106956

* Clean up and reenable tests

Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>

* Improve Testing of SAML Request/Response

- Improve Testing of SAML Request/Response with Saml2TestUtils
- Configure assertionConsumerServiceLocation in one location.

- Attempted move to OpenSaml4AuthenticationProvider
requires a shadow dependency on opensaml to remove the need for a non-FIPS-compliant security provider. Not yet in place

Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Alicia Yingling <alicia.yingling@broadcom.com>

* Break up AuthProvider

Move user shadowing, attribute processing, and authorities processing to their own classes.

Enable Authorities

Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>

* Pull in OpenSaml4AuthenticationProvider

This provides general response validation.

Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>

* Verify user attributes, roles, user name, email extraction

Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>

#187809240

* Add editor and lombok config

Signed-off-by: Duane May <duane.may@broadcom.com>

* Run kill_uaa as part of integrationTests

Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>

* Annotate Disabled tests with more information

Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>

* feat: SAML Logout

- Main logout flows are working
- IDP Initiated logout is working
- Handle metadata XML passed in instead of metadata location for both bootstrap and SamlIdentityProviderConfigurator

Signed-off-by: Duane May <duane.may@broadcom.com>

* fix Selenium HomePage can be one of two urls.

- clean up the rest of the pageObjects package

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update BootstrapTests

- now attempts to retrieve the non-existent url https://simplesamlphp.uaa.com/saml2/idp/metadata.php

Signed-off-by: Duane May <duane.may@broadcom.com>

* feature: Zone-aware SAML SP metadata

- Implemented to the same level as the default IdentityZone's SP metadata generation.
- Minus `NameIDFormat` value population and registration-ID specific implementation.

[#187846376]

* Disable `findByRegistrationIdWhenNoneFound` test as the assertion is not valid anymore.

* Update counter script

- No longer have Ignored tests only Disabled

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update IdentityZone related classes and tests

Signed-off-by: Duane May <duane.may@broadcom.com>

* feat: basic SAML SP metadata for non-default ID zone

- correctly populates the basic fields of non-default zone SAML SP metadata (such as
WantAssertionsSigned and AuthnRequestsSigned), so that for default vs. non-default zones, the
SP metadatas have feature parity.

[#187846376]

Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* wip: zoned metadata fixes and zoned login

Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* rebase and revert entityID checks

* Enable some passing SamlLoginIT tests

Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor entityId and entityIdAlias resolution

- created a base class BaseUaaRelyingPartyRegistrationRepository, used by ConfiguratorRelyingPartyRegistrationRepository and DefaultRelyingPartyRegistrationRepository.
- moved getZoneEntityId and getZoneEntityIdAlias to base class

Co-authored-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* backfill some SAML tests

* Enable SAML Automatic Redirect

Requires changing from discovery URL to the authentication request URL.

Enable the following tests in SamlLoginIT:
- samlInvitationAutomaticRedirectInZone2
- samlLoginClientIDPAuthorizationAutomaticRedirect
- samlLoginClientIDPAuthorizationAutomaticRedirectInZone1
- samlLoginMapGroupsInZone1

Co-authored-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* build(deps): bump org.gradle:test-retry-gradle-plugin

Bumps org.gradle:test-retry-gradle-plugin from 1.5.9 to 1.5.10.

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

---
updated-dependencies:
- dependency-name: org.gradle:test-retry-gradle-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix regression in identity-provider endpoint (#2962)

* Fix regression in identity-provider endpoint

Issue:
For existing entries in identity-provider with the new external_key, the field is null, which is expected.
If external_key is null, this must not overwrite the issuer in the REST endpoint, but it does

For SAML there is no issue, because here the entityId is really new in REST output and in DB.
For OIDC and OAuth2 the issuer was used in REST already and there was no check before overwrite it from external_key.

* review

* add case if issuer is null from config, allowed for oauth2 IdP

* spelling

* revert the logic of external key, stay with issuer

* set entityId on update

* test coverage

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* build(deps): bump k8s.io/client-go from 0.30.2 to 0.30.3 in /k8s (#2964)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.2 to 0.30.3.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.30.2...v0.30.3)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Replace SamlLegacyAliasResponseForwardingFilter

- Added a RelayStateRelyingPartyRegistrationResolver which looks for the Registration Id from the RelayState, instead of the last part of the URL.
- The url contains entity id, for backward compatibility, instead of the registration Id.
- The filter required redirect filter processing, which broke the CSRF Filter (noticed on LoginServerSecurityIntegrationTests)

Co-authored-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: correct test expectation

- the saml assertion consumer endpoint should end with
the configured login.entityID in UAA.yml (when login.saml.entityIDAlias is not set)

* Update test classes

- DefaultIntegrationTestConfig: use Durations
- IdentityZoneEndpointsMockMvcTests sonar, asserts
- LdapIntegrationTests: junit5, sonar, asserts

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update scripts for testing

- kill_uaa: make port aware
- debug_uaa: for running uaa in debug or suspended debug mode
- create_test_providers: adds providers to running UAA via API
- create_test_zones: adds zones and providers to running UAA via API

Signed-off-by: Duane May <duane.may@broadcom.com>

* check entityId in validate SAML (#2970)

* WIP: replace SamlLegacyAliasResponseForwardingFilter

- the receiveAuthnResponseFromIdpToLegacyAliasUrl test still failing, see
comments within this test

Co-authored-by: Duane May <duane.may@broadcom.com>

* WIP: check entityId in validate SAML

* WIP: re-establish validation of metadata in /identity-providers endpoint

* WIP: test fix

---------

Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: Handle Multiple SAML keys

- Rotation Tests working
- Uses keys from SamlConfig for each zone
- Fall back to default keys if none set

[#187994938]

Signed-off-by: Duane May <duane.may@broadcom.com>

* fix: Couple of failing test cases due to `500 INTERNAL_SERVER_ERROR` from `/oauth/token` endpoint

- Stepping through the server code revealed that an exception was thrown as follows:
```
org.cloudfoundry.identity.uaa.util.JsonUtils$JsonUtilException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "relyingPartyRegistrationId" (class org.cloudfoundry.identity.uaa.authentication.UaaPrincipal), not marked as ignorable (6 known properties: "origin", "zoneId", "id", "email", "externalId", "name"])
at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 205] (through reference chain: org.cloudfoundry.identity.uaa.authentication.UaaPrincipal["relyingPartyRegistrationId"])
```
- Added a `jackson` annotation to ignore the 3 properties in UaaSamlPrincipal that were causing the `UnrecognizedPropertyException`.
- Added back a line that sets zoneId in a test case, which apparently had been removed by mistake.

[#187986233]
[#187986220]

* Clean up and reimplement SamlKeyManager and SamlKeyManagerFactory

- added these methods back to IdentityZoneHolder, even though that has been Deprecated
- Migrate BouncyCastle Setup and IdentityZoneHolderInitializer from XML to Java
- Removed some of the old classes that were in this area

Signed-off-by: Duane May <duane.may@broadcom.com>

* Migrate tests from ZoneAwareMetadataGeneratorTests

- Moved tests for rotation to SamlMetadataEndpointKeyRotationTests
- Moved tests related to SamlRedirectUtils to SamlRedirectUtilsTest

Signed-off-by: Duane May <duane.may@broadcom.com>

* feature: Handle incorrect SAML response

- Set the `Saml2WebSsoAuthenticationFilter`'s `AuthenticationFailureHandler` to the custom failure handler.
- Updated the test case's page source validation condition to check for the string that is based on the new exception message.

[#187986112]

* Remove duplicate tests

Various calls to metadata endpoint with and without trailing / and /example in HealthzShouldNotBeProtectedMockMvcTests were duplicated in SamlMetadataMockMvcTests

Signed-off-by: Duane May <duane.may@broadcom.com>

* Add signatures to Metadata and AuthnRequest

Includes:
- getting configured SignatureAlgorithm
- getting configured signMetadata
- Add Signature Algorithm and Digest Algorithm to Metadata
- Generate Signature Value and Digest Value to Metadata
- Add SignatureAlgorithm and keys to the RelyingPartyRegistration
- Sign the AuthnRequest

TPCF-6869
TPCF-6938

Signed-off-by: Duane May <duane.may@broadcom.com>

* Add tests for alternate config of signRequest and signMetaData

TPCF-6869
TPCF-6938

Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable tests in BootstrapSamlIdentityProviderDataTests

Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable test in HomeControllerViewTests

- Removed commented out Disabled annotation in SamlIdentityProviderConfiguratorTests
- TestClassNullifier moved to junit5

Signed-off-by: Duane May <duane.may@broadcom.com>

* feat: Allow InResponseTo checking to be configured

TPCF-6873

* feat: Add NameIdFormat to AuthnRequest

This comes from the property, login.saml.nameID

Also refactored the RelyingPartyRegistrationBuilder to use a Params object with builder since the param list was 8 items

TPCF-6874

Signed-off-by: Duane May <duane.may@broadcom.com>

* Support for login.saml.socket.* settings

TPCF-6882

Signed-off-by: Duane May <duane.may@broadcom.com>

* Only show failed tests

make it easier to find the failed tests in output

Signed-off-by: Duane May <duane.may@broadcom.com>

* Caffeine Caching

Guava Cache recommends moving to Caffeine
Mostly a drop-in replacement
Although the refreshAfterWrite works a little differently

Signed-off-by: Duane May <duane.may@broadcom.com>

* Log Malformed Saml Responses

The mechanism to achieve this in the old SAML library is no longer there. Added this in to the SamlLoginAuthenticationFailureHandler.

Left the logger name as SamlResponseLoggerBinding for backward compatibility, for jobs looking for the messages.

[TPCF-25429]

Signed-off-by: Duane May <duane.may@broadcom.com>

* Clean up and Sonar

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update to LoginInfoEndpoint

Signed-off-by: Duane May <duane.may@broadcom.com>

* Add Oauth Token endpoint to metadata

maintains existing functionality

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update tests

SamlLoginIT.springSamlEndpointsWithEmptyContext - functionality changed redirects
ZoneAwareKeyManagerTest - was 0 coverage, all calls are proxied to SamlKeyManager in the ThreadLocal managed by IdentityZoneHolder.

Signed-off-by: Duane May <duane.may@broadcom.com>

* Resolve Sonar security hotspots

Replace the //NOSONAR comment with an error-specific SuppressWarnings annotation

* Correct malformed property placeholder.

* Update JavaPluginExtension settings

Signed-off-by: Duane May <duane.may@broadcom.com>

* Implement Saml2 Bearer Grants

Signed-off-by: Duane May <duane.may@broadcom.com>

* Unjava-doc-ify the copyright notices

Signed-off-by: Duane May <duane.may@broadcom.com>

* Fix tests for Invitations and Passcodes

Signed-off-by: Duane May <duane.may@broadcom.com>

* Sonar fixes

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update tests with awaitility

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update discovery urls to authenticate

Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable tests and update disabled reasons for remaining

Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable RelayState as a redirect target

- Remove the existing code to store registrationId on request in the relaystate; it is stored with the request.
- Also enable IDP initiated login, we don't get the registrationId in this case

Signed-off-by: Duane May <duane.may@broadcom.com>

* Update selenium page objects to use assert notation

- Uses assertj and awaitility
- Rename methods to include assert where applicable
- Tests should include assertions java:S2699

Signed-off-by: Duane May <duane.may@broadcom.com>

* Fix Sonar Issues

Signed-off-by: Duane May <duane.may@broadcom.com>

* doc: Update the comment for `login.entityBaseURL` property.

* build(deps): bump versions.springSecurityVersion from 5.8.14 to 5.8.15 (#3089)

Bumps `versions.springSecurityVersion` from 5.8.14 to 5.8.15.

Updates `org.springframework.security:spring-security-config` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-core` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-ldap` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-taglibs` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-test` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-web` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

---
updated-dependencies:
- dependency-name: org.springframework.security:spring-security-config
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-ldap
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-taglibs
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-test
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-web
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump org.apache.velocity:velocity-engine-core (#3090)

Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.

---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* pr/upgrade docs slate gems take 2 (#3091)

* In an attempt to upgrade Slate, and have successful builds

on both Mac and Linux using Ruby 3.3.5

Step 1 - Upgrade dependencies

* Fix jasmine-test script

* build(deps): bump k8s.io/client-go from 0.31.1 to 0.31.2 in /k8s (#3096)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.1 to 0.31.2.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.31.1...v0.31.2)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix Sonar Issues

Signed-off-by: Duane May <duane.may@broadcom.com>

* Improve test coverage

Signed-off-by: Duane May <duane.may@broadcom.com>

* Cleanup and test coverage

Signed-off-by: Duane May <duane.may@broadcom.com>

* fix(k8s): fix `JAVA_HOME`

Updates the `JAVA_HOME` env var for the `build-uaa-truststore` init container to match the updated path used by the Paketo buildpack.

fixes: https://github.com/cloudfoundry/uaa/issues/2388
Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>

* build(deps): bump rexml from 3.3.8 to 3.3.9 in /uaa/slate (#3100)

Bumps [rexml](https://github.com/ruby/rexml) from 3.3.8 to 3.3.9.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.3.8...v3.3.9)

---
updated-dependencies:
- dependency-name: rexml
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump versions.jacksonVersion from 2.18.0 to 2.18.1 (#3101)

Bumps `versions.jacksonVersion` from 2.18.0 to 2.18.1.

Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson-dataformats-text/compare/jackson-dataformats-text-2.18.0...jackson-dataformats-text-2.18.1)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-annotations
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump versions.seleniumVersion from 4.25.0 to 4.26.0

Bumps `versions.seleniumVersion` from 4.25.0 to 4.26.0.

Updates `org.seleniumhq.selenium:selenium-java` from 4.25.0 to 4.26.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0)

Updates `org.seleniumhq.selenium:selenium-remote-driver` from 4.25.0 to 4.26.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0)

---
updated-dependencies:
- dependency-name: org.seleniumhq.selenium:selenium-java
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.seleniumhq.selenium:selenium-remote-driver
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0 in /k8s

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.2 to 1.35.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.34.2...v1.35.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1 in /k8s (#3105)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.35.0 to 1.35.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.35.0...v1.35.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Cleanup not used comments and fragments

* Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java

* Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java

* Enable simpleSamlLoginWithAddShadowUserOnLoginFalse

Signed-off-by: Duane May <duane.may@broadcom.com>

* Add coverage for UaaSavedRequestAwareAuthenticationSuccessHandler

Signed-off-by: Duane May <duane.may@broadcom.com>

* Fix Sonar issues

Signed-off-by: Duane May <duane.may@broadcom.com>

* sonar recommendation

* sonar recommendation

* sonar says not in use

* Remove duplicates in New-saml-0530 (#3117)

* renovate: update dependency webrick to v1.9.0

* Refactor and fix duplicate

found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent

* Only show failed tests

make it easier to find the failed tests in output

Signed-off-by: Duane May <duane.may@broadcom.com>

* reduce duplicates

* rebase

* reduce duplicates

* Refactor and fix duplicate (#3112)

found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent

* cleanup

* refactor saml bearer usage

* Migrate to Caffeine Caching (#3114)

* Migrate to Caffeine Caching

Guava Cache recommends moving to Caffeine
Mostly a drop-in replacement
Although the refreshAfterWrite works a little differently

* more test coverage

* again more test coverage

* sonar

* sonar

---------

Co-authored-by: strehle <markus.strehle@sap.com>

* fix rebase

* fix rebase

---------

Signed-off-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duanemay@users.noreply.github.com>

* fix rebase

* Store saml session index in UaaSamlPrincipal

needed later for SLO

* return plain error message (#3119)

in case of decryption issue (wrong key) do not show
class internals

* Disable csrf check in SAML-SLO (#3123)

Found in manual test with SAML SLO, POST Binding

* fix integration test

* fix integration test

* Add acr value into User Authentication (#3127)

re-establish IT

see former retrieval
https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L292-L298

* Cleanup shadow library (#3130)

* Cleanup libraries not needed anymore (#3129)

* Cleanup libraries not needed anymore

bound to old opensaml

* Remove ESAPI finally

this dependency is only there because of old saml

* fix rebase

* sonar issue

https://sonarcloud.io/project/issues?impactSoftwareQualities=RELIABILITY&sinceLeakPeriod=true&issueStatuses=OPEN%2CCONFIRMED&pullRequest=2908&id=cloudfoundry-identity-parent

* remove not needed method

* Add test to run Authn with redirect binding

Will add more coverage in Saml2Utils

* minor sonar issue

* cleanup not used code

* sonar issue with unspecified type

* Fix Sonar issues

Signed-off-by: Duane May <duane.may@broadcom.com>

* Enhancements for SAML2 bearer flow (#3132)

* Test saml bearer

* Fixes for SAML2 bearer flow

* reverted test

* Enhancements for SAML2 bearer and IdP initiated SSO (#3136)

* Test saml bearer

* Fixes for SAML2 bearer flow

* reverted test

* Implement RelyingPartyRegistrationResolver

* support resolution of SAMLResponse from request
* remove default setting

* Use standard setting of metadata

the feature with classpath is new in this PR.

* refactorings based on sonar

* Replace dummy-saml-idp-metadata

and create the data based on real key data

Until now we do not deliver any keys in uaa.war.

* Cleanup test failure

Changed, because of hack with defaults.

* Rename DefaultRelyingPartyRegistrationResolver to UaaRelyingPartyRegistrationResolver

Signed-off-by: Duane May <duane.may@broadcom.com>

* Refactor text blocks

Signed-off-by: Duane May <duane.may@broadcom.com>

---------

Signed-off-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duanemay@users.noreply.github.com>

* sonar: unused imports

* sonar: recommendation

* sonar: recommendation

* sonar changes

* sonar changes

* omit hard coded example name (#3140)

* build(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0 (#3146)

Bumps commons-io:commons-io from 2.17.0 to 2.18.0.

---
updated-dependencies:
- dependency-name: commons-io:commons-io
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feature: integration test coverage

- Modified `cargo.local` to run with jacoco agent if a system property is set.
- Added a task to generate coverage report from the recorded jacoco data.

* Add the kill_uaa step to ensure jacoco file is written

* typo

* Bump Gradle to 8.11.1

* fix: default values of custom zone's saml entityID and saml alias (when the configured entityID is a URL)

- maintain the existing behavior where a custom identity zone's saml entityID is defaulted
to either 1) `zoneSubdomain.uaaWideSamlEntityID` if `uaaWideSamlEntityID` is not a URL, or
2) if `uaaWideSamlEntityID` is a URL, integrate the zoneSubdomain into the URL
(see tests for example).

- similar logic for saml entity alias (which is used in various saml sp urls, such as `AssertionConsumerService`)
except that the alias should not include url scheme (aka without `https://`), so that
the resulting saml sp urls are valid urls (e.g.: `https://zone1.uaa.com/saml/SSO/alias/[saml entity alias]`,
see tests for examples).

- reference on develop branch (old saml code):
  - doc: https://github.com/cloudfoundry/uaa/blob/65952b1b53b8d01cf93e68493a3f6ac85ad8a825/docs/login/Okta-README.md?plain=1#L73-L75
  - code: https://github.com/cloudfoundry/uaa/blob/cc5f76fba495e5d1b3fd755ac3a6ff137fc91878/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java#L53-L54

- problem statement:
without this commit, when
* a custom zone is created without a `zone.config.samlConfig.entityID` specified
* the default zone's `login.entityID` is configured to a URL, such as `https://uaa.com`
* the default zone's `login.saml.entityIDAlias` is not set, aka default to `login.entityID`
Then the resulting custom zone sp metadata has some discrepancies with the old saml
code's metadata:

For `AssertionConsumerService`:
- old (correct) value is: https://test-zone-before.uaa.com/saml/SSO/alias/test-zone-before.uaa.com
- new value is: https://test-zone.uaa.com/saml/SSO/alias/test-zone.http:/uaa.com
For `entityID`:
- old (correct) value is: http://test-zone-before.uaa.com
- new value is: test-zone.http://uaa.com

This results in the external SAML login for this zone not working.

* clean version definition

not needed anymore

---------

Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>
Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>
Signed-off-by: Alicia Yingling <alicia.yingling@broadcom.com>
Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@gmail.com>
Co-authored-by: Filip Hanik <fhanik@vmware.com>
Co-authored-by: Duane May <duanemay@gmail.com>
Co-authored-by: d036670 <markus.strehle@sap.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <11627201+strehle@users.noreply.github.com>
Co-authored-by: Duane May <duanemay@users.noreply.github.com>
Co-authored-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
Labels: dependencies (Pull requests that update a dependency file), java (Pull requests that update Java code)