build(deps): bump org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1 #3090
Merged: strehle merged 1 commit into develop from dependabot/gradle/org.apache.velocity-velocity-engine-core-2.4.1 on Oct 22, 2024
Conversation
Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.
---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) on Oct 21, 2024
strehle deleted the dependabot/gradle/org.apache.velocity-velocity-engine-core-2.4.1 branch on October 22, 2024 04:35
duanemay pushed a commit that referenced this pull request on Oct 28, 2024:

Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.
---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
strehle added a commit that referenced this pull request on Nov 26, 2024:
* remove: SAML extension library dependency
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
  Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
  Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* Ignore non-functioning SAML tests
  * Instead of calling fail(). We have a suspicion that there is a bug in the way the tests are running (most of them are somehow not running with "./gradlew test" and we have a theory that a combination of mixing junit4 imports and the junit5 fail() might be contributing).
  * I was careful to use @Ignore for tests importing the junit4 @Test, and @Disabled for tests using the junit5 @Test.
  * These annotations were added, with the idea that you can search for '@Ignore("SAML' and '@Disabled("SAML' to find the tests that need attention before we finish the SAML library conversion.
    @Ignore("SAML test fails")
    @Ignore("SAML test doesn't compile")
    @Ignore("SAML test setup doesn't compile")
    @Disabled("SAML test fails")
    @Disabled("SAML test doesn't compile")
  * A few tests are set to ignore because they're failing for the right reasons, but more work is needed to finish that and get back to green. The goal is to start tracking these annotations instead of failing tests, so we can stay green.
  * Tests now running:
    server module: 3,435 (in IntelliJ) (98 total ignored)
    uaa module: 67 (command line run of "./gradlew test" for all tests - still needs troubleshooting)
  Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* update @Ignore - test now compiles
  Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com>

* feat: switch to new Spring Security SAML library

* Removed commented-out references to the outdated SAML extension library
  Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: Supply metadata through /saml/metadata
  - Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints. Still has some wip elements:
    - WithHttpsNotRequired > samlMetadataReturnsOk still red
    - RelyingPartyRegistration is hardcoded in xml
    - /saml/metadata/ with trailing slash not working
    - missing parity with develop
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: handle case when Servlet Path is null and ensures test WithHttpsNotRequired -> samlMetadataReturnsOk is green
  - fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test
  - HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
    java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* remove: SAML extension library dependency
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
  Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
  Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* Ignore non-functioning SAML tests
  * Instead of calling fail(). We have a suspicion that there is a bug in the way the tests are running (most of them are somehow not running with "./gradlew test" and we have a theory that a combination of mixing junit4 imports and the junit5 fail() might be contributing).
  * I was careful to use @Ignore for tests importing the junit4 @Test, and @Disabled for tests using the junit5 @Test.
  * These annotations were added, with the idea that you can search for '@Ignore("SAML' and '@Disabled("SAML' to find the tests that need attention before we finish the SAML library conversion.
    @Ignore("SAML test fails")
    @Ignore("SAML test doesn't compile")
    @Ignore("SAML test setup doesn't compile")
    @Disabled("SAML test fails")
    @Disabled("SAML test doesn't compile")
  * A few tests are set to ignore because they're failing for the right reasons, but more work is needed to finish that and get back to green. The goal is to start tracking these annotations instead of failing tests, so we can stay green.
  * Tests now running:
    server module: 3,435 (in IntelliJ) (98 total ignored)
    uaa module: 67 (command line run of "./gradlew test" for all tests - still needs troubleshooting)
  Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* feat: Supply metadata through /saml/metadata
  - Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints. Still has some wip elements:
    - WithHttpsNotRequired > samlMetadataReturnsOk still red
    - RelyingPartyRegistration is hardcoded in xml
    - /saml/metadata/ with trailing slash not working
    - missing parity with develop
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: handle case when Servlet Path is null and ensures test WithHttpsNotRequired -> samlMetadataReturnsOk is green
  - fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test
  - HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
    java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* feat: reliably serve SAML SP metadata
  - With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: https://github.com/spring-projects/spring-security/issues/11369
  - Previously, to solve this problem, the SAML SP metadata generation relied on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (pointing to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running.
  - This commit, instead, supplies hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of the Spring Security team, so that UAA's functioning does not rely on some external running Okta instance.
  - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* Ignore failing SAML test
  - A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
  - This test is failing as early as e7beec7a5aa53fa761ca1d752d647f930ebcc6b7 due to the removal of SAML code, as this test is related to the SAML feature
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* disable docs test that shouldn't be running
  * Has to be commented out of the erb file even when the test method used @Disabled.
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* Ignore failing SAML test
  - A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
  - This is a test recently added to the develop branch, so ignoring this here because the SAML feature is still being built.
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* refactor: shorten the dummy IDP metadata
  - to reflect the fact that this IDP metadata just needs to exist in its bare minimal form, where the specific fields in it do not affect the SP metadata generation
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: "invalid XML" error in tests
  - previously some tests error with:
    ```
    net.shibboleth.utilities.java.support.xml.XMLParserException: Unable to parse inputstream, it contained invalid XML
    ```
  - this issue is fixed once we switch to loading the idp saml metadata via a file (instead of an InputStream)
  [186822654]
  Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* wip: configure some metadata params
  Co-authored-by: Danny Faught <danny.faught@broadcom.com>

* disable failing test
  * We're reprioritizing the test to get this test to pass.
  Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>

* WIP
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: ensuring the endpoint for metadata works both in forward and direct request
  - Tests are failing but they are behaving as expected with curl and browser for /saml/metadata, /saml/metadata/example and /saml/metadata/example/
  - /saml/metadata/ is not returning xml
  - The dispatcher ordering along with position in the filter-mapping must be set properly.
  [#186986697]
  Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>

* add metadata redirect test
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: ensuring the saml metadata endpoint for metadata works in Mock MVC Tests
  - /saml/metadata/ is not returning xml
  [#186986697]
  Co-authored-by: Filip Hanik <fhanik@vmware.com>

* wip: entityID assertion works in testSamlMetadataDefault
  Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
  Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: entity_id assertion passes
  Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: use working metadata path temporarily
  * Must be changed back to /saml/metadata later, removing "example".
  Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: xml refactor
  Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: updating to non forwarding for /saml/metadata to the example default
  - Updated to use direct GetMapping
  [#186986697]
  Co-authored-by: Filip Hanik <fhanik@vmware.com>

* wip: Ensuring the WantsAssertionSigned and AuthnRequestsSigned are populated in SPSSODescriptor
  - Building out EntityDescriptor in the RelyingPartyRegistration which contains the SPSSODescriptor picked up by the resolve method
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload
  - Need to fix credential type being empty
    Caused by: java.lang.IllegalArgumentException: credentials types cannot be empty ....(SamlRelyingPartyRegistrationRepository.java:84)
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload
  - Signature is not positioned correctly. It should be a child of EntityDescriptor, but the signingX509Credential.signing call positions it in SPSSODescriptor
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: populate SAML SP metadata fields: entityID, NameIDFormat, AuthnRequestsSigned
  - correctly reads off UAA configs to populate these fields, instead of using hardcoded values
  - refactor to directly reading `login.saml.NameID` config (a more modern approach) instead of constructing a bean in xml (a more legacy approach)
  - side note: update the UAA config used in mock mvc tests (/uaa/src/test/resources/integration_test_properties.yml) to use a non-default option of `login.saml.nameID` so that we can test that the correct value is being piped through
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* refactor: clean up commented out code
  - there is a lot of commented-out code from prior wip commits (which at this point, I decided, is too hard to fix or tidy up). Hence, in this commit, clean it up
  [186822654]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* Ignore non-functioning SAML tests
  - the SAML SP metadata is still WIP, so this IT will fail. Ignoring it for now so that "CI" is green along with all other SAML tests currently failing / non-functional due to the WIP state of the SAML feature.
  - see details of this approach in https://github.com/cloudfoundry/uaa/commit/73520d92499f481929e2b666bfbded83aaaa3148
  [186822654]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* Update opensaml libraries to 4.x
  https://docs.spring.io/spring-security/reference/5.8/migration/servlet/saml2.html
  Co-authored-by: Duane May <duane.may@broadcom.com>

* Refactor annotations and formatting
  Use RestController, Slf4j, Getter
  Use textblocks
  Co-authored-by: Duane May <duane.may@broadcom.com>

* Refactor tests: formatting, andExpectAll and assertThat
  Use assertThat
  Use textblocks
  Co-authored-by: Duane May <duane.may@broadcom.com>

* Change from SAML XML to Java Config
  Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: populate sp metadata field WantAssertionsSigned
  [#186986697]
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* feat: saml sp metadata field - signing cert
  - also: refactor the UAA config used in mock mvc tests (/uaa/src/test/resources/integration_test_properties.yml) from the deprecated saml key fields (eg: login.serviceProviderKey) to the new ones (eg: login.saml.keys), so that we test for the new fields.
  - also fix the api docs test so that it now correctly marks the retrieve id zones response's `config.samlConfig.certificate` as optional (this field is only returned if you use the deprecated saml key config fields)
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: saml sp metadata encryption cert
  - populate saml sp metadata field for use='encryption' cert
  - might be counter-intuitive that the setting on rp registration that controls this is "decryptionX509Credentials", but the resulting sp metadata indeed includes use='encryption' which matches the develop branch
  [186822654]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: consolidate saml sp configs
  - to be processed by a single class "SamlConfiguration" where the @ConfigurationProperties(prefix="login.saml") annotation has the ability to process all fields under the login.saml section of UAA.yml
  - this is helpful because we can now centrally read, process, even validate all saml config fields under "login.saml"
  - pay attention to @ConfigurationProperties annotation's various requirements though: such as the private field names need to match the actual UAA.yml field name (e.g.: login.saml.fooBar -> private String fooBar); and that there need to be public setters and getters for each field
  - see: https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.external-config.typesafe-configuration-properties.using-annotated-types
  - the exception is the saml entity id, which in UAA.yml is somehow outside of the login.saml context (set by login.entityID), so that field stays under class SamlEntityIdConfiguration
  Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: use lombok
  - these getters and setters are required for the @ConfigurationProperties annotation to work; use lombok so that we don't need to explicitly define them
  [186822654]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: simplify lombok annotation
  - as @Data covers the getters and setters
  Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: maintain existing saml sp metadata file name
  - configure the file name of the saml sp metadata (the downloaded xml file name when accessing the metadata endpoint: http://localhost:8080/uaa/saml/metadata) to match the status quo on the develop branch: "saml-sp.xml"
  - This file name likely does not matter, but out of caution, we should maintain the same file name as before
  [186822654]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: saml sp metadata test set up
  - now that the metadata is being provided at the correct location: /saml/metadata, we can correct the test expectation to reflect that (hence matching the develop branch)
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: SAML SP metadata endpoint and its https redirect
  - Removed forwarding of `/saml/metadata` endpoint to `/saml/metadata/example`. It is not necessary because the `/saml/metadata` endpoint method already calls `/saml/metadata/{registrationId}` with `example` as the default registrationId. (See class `SamlMetadataEndpoint`.)
  - Made `HttpsEnforcementFilter` be added to the top of the `SecurityFilterChainPostProcessor`'s `SecurityFilterChain`.
  - Added `secFilterOpen06SAMLMetadata` to `SecurityFilterChainPostProcessor`'s `redirectToHttps` list.
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* Clean up unnecessary code
  - Removed SamlExtensionUrlForwardingFilter. Just commented out for now in case we need it later.
  - Removed unneeded comments in test code.
  [#186986697]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* Load the Saml Provider Data
  [#187084275]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor: Spring Annotations on SamlRelyingPartyRegistrationRepository
  - Change SamlRelyingPartyRegistrationRepository to Configuration
  - Use constructor args instead of Autowired
  Co-authored-by: Duane May <duane.may@broadcom.com>

* fix: multiple versions of the opensaml library
  still had opensaml 3.4.6
  Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: send SAML authn request to IDP
  - when a SAML IDP is configured via uaa.yml, when the user goes to "/uaa/saml2/authenticate/{saml-idp-alias}", they will get sent to the configured SAML IDP with a SAML authn request. Specifically, spring-security will do the following:
    - when the IDP's Binding mode is "HTTP-Redirect", the user is redirected to the IDP
    - when the IDP's Binding mode is "HTTP-POST", the user's browser is triggered to POST to the IDP. For this to work, the ContentSecurityPolicyFilter needs to be updated to exempt "/saml2" from policy enforcement, such that the script that initiates the POST can be executed in the browser. Similar to how this filter exempts /saml (the existing saml-related path on the develop branch).
  - refactor: update the dummy IDP metadata file dummy-saml-idp-metadata.xml to not point to example.com, but to https://www.cloudfoundry.org (which is more of a known destination)
  - refactor: use constant DEFAULT_REGISTRATION_ID
  [#187084275]
  Co-authored-by: Duane May <duane.may@broadcom.com>

* update saml link on login page

* fix: issue with 2 JsonObjects imported

* Merge SamlConfigProps to single class
  prefix="login.saml" was in 2 ConfigProps classes before, merged into 1

* Update SamlLoginIT

* feat: Saml Login redirects to IDP
  Reads provider info from database
  Passes the registrationId as relayState
  Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>

* fix: click first saml link matching text
  when running multiple IT tests, the simplesamlphp2 link was also listed, and causing a conflict with the url matcher
  Signed-off-by: Duane May <duane.may@broadcom.com>

* feat: AssertionConsumerService SAML user login
  Signed-off-by: Duane May <duane.may@broadcom.com>
  Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>
  #187106956

* Clean up and reenable tests
  Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>

* Improve Testing of SAML Request/Response
  - Improve Testing of SAML Request/Response with Saml2TestUtils
  - Configure assertionConsumerServiceLocation in one location.
  - Attempted move to OpenSaml4AuthenticationProvider requires a shadow dependency on opensaml to remove the need for a non-FIPS compliant security provider. Not yet in place
  Signed-off-by: Duane May <duane.may@broadcom.com>
  Signed-off-by: Alicia Yingling <alicia.yingling@broadcom.com>

* Break up AuthProvider
  Move user shadowing, attribute processing, and authorities processing to their own classes.
  Enable Authorities
  Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>

* Pull in OpenSaml4AuthenticationProvider
  This provides general response validation.
  Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>

* Verify user attributes, roles, user name, email extraction
  Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>
  #187809240

* Add editor and lombok config
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Run kill_uaa as part of integrationTests
  Signed-off-by: Duane May <duane.may@broadcom.com>
  Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>

* Annotate Disabled tests with more information
  Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>

* feat: SAML Logout
  - Main logout flows are working
  - IDP Initiated logout is working
  - Handle metadata XML passed in instead of metadata location for both bootstrap and SamlIdentityProviderConfigurator
  Signed-off-by: Duane May <duane.may@broadcom.com>

* fix Selenium HomePage can be one of two urls.
  - clean up the rest of the pageObjects package
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update BootstrapTests
  - now attempts to retrieve the non-existent url https://simplesamlphp.uaa.com/saml2/idp/metadata.php
  Signed-off-by: Duane May <duane.may@broadcom.com>

* feature: Zone-aware SAML SP metadata
  - Implemented to the same level as the default IdentityZone's SP metadata generation.
  - Minus `NameIDFormat` value population and registration-ID specific implementation.
  [#187846376]

* Disable `findByRegistrationIdWhenNoneFound` test as the assertion is not valid anymore.

* Update counter script
  - No longer have Ignored tests, only Disabled
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update IdentityZone related classes and tests
  Signed-off-by: Duane May <duane.may@broadcom.com>

* feat: basic SAML SP metadata for non-default ID zone
  - correctly populates the basic fields of non-default zone SAML SP metadata (such as WantAssertionsSigned and AuthnRequestsSigned), so that for default vs. non-default zones, the SP metadata has feature parity.
  [#187846376]
  Signed-off-by: Duane May <duane.may@broadcom.com>
  Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* wip: zoned metadata fixes and zoned login
  Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* rebase and revert entityID checks

* Enable some passing SamlLoginIT tests
  Co-authored-by: Duane May <duane.may@broadcom.com>

* refactor entityId and entityIdAlias resolution
  - created a base class BaseUaaRelyingPartyRegistrationRepository, used by ConfiguratorRelyingPartyRegistrationRepository and DefaultRelyingPartyRegistrationRepository.
  - moved getZoneEntityId and getZoneEntityIdAlias to the base class
  Co-authored-by: Duane May <duane.may@broadcom.com>
  Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* backfill some SAML tests

* Enable SAML Automatic Redirect
  Requires changing from the discovery URL to the authentication request URL.
  Enable the following tests in SamlLoginIT:
  - samlInvitationAutomaticRedirectInZone2
  - samlLoginClientIDPAuthorizationAutomaticRedirect
  - samlLoginClientIDPAuthorizationAutomaticRedirectInZone1
  - samlLoginMapGroupsInZone1
  Co-authored-by: Duane May <duane.may@broadcom.com>
  Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* build(deps): bump org.gradle:test-retry-gradle-plugin
  Bumps org.gradle:test-retry-gradle-plugin from 1.5.9 to 1.5.10.
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
  ---
  updated-dependencies:
  - dependency-name: org.gradle:test-retry-gradle-plugin
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Fix regression in identity-provider endpoint (#2962)
  * Fix regression in identity-provider endpoint
    Issue: If existing entries in identity-provider with new external_key the field is null, which is expected. If external_key is null, this must not overwrite the issuer in the rest endpoint, but it does.
    For SAML there is no issue, because here the entityId is really new in REST output and in DB.
    For OIDC and OAuth2 the issuer was used in REST already and there was no check before overwriting it from external_key.
  * review
  * add case if issuer is null from config, allowed for oauth2 IdP
  * spelling
  * revert the logic of external key, stay with issuer
  * set entityId on update
  * test coverage
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

* build(deps): bump k8s.io/client-go from 0.30.2 to 0.30.3 in /k8s (#2964)
  Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.2 to 0.30.3.
  - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/kubernetes/client-go/compare/v0.30.2...v0.30.3)
  ---
  updated-dependencies:
  - dependency-name: k8s.io/client-go
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Replace SamlLegacyAliasResponseForwardingFilter
  - Added a RelayStateRelyingPartyRegistrationResolver which looks for the Registration Id from the RelayState, instead of the last part of the URL.
  - The url contains the entity id, for backward compatibility, instead of the registration Id.
  - The filter required redirect filter processing, which broke the CSRF Filter (noticed on LoginServerSecurityIntegrationTests)
  Co-authored-by: Duane May <duane.may@broadcom.com>
  Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>

* fix: correct test expectation
  - the saml assertion consumer endpoint should end with the configured login.entityID in UAA.yml (when login.saml.entityIDAlias is not set)

* Update test classes
  - DefaultIntegrationTestConfig: use Durations
  - IdentityZoneEndpointsMockMvcTests: sonar, asserts
  - LdapIntegrationTests: junit5, sonar, asserts
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update scripts for testing
  - kill_uaa: make port aware
  - debug_uaa: for running uaa in debug or suspended debug mode
  - create_test_providers: adds providers to running UAA via API
  - create_test_zones: adds zones and providers to running UAA via API
  Signed-off-by: Duane May <duane.may@broadcom.com>

* check entityId in validate SAML (#2970)
  * WIP: replace SamlLegacyAliasResponseForwardingFilter
    - the receiveAuthnResponseFromIdpToLegacyAliasUrl test is still failing, see comments within this test
    Co-authored-by: Duane May <duane.may@broadcom.com>
  * WIP: check entityId in validate SAML
  * WIP: re-establish validation of metadata in /identity-providers endpoint
  * WIP: test fix
  ---------
  Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
  Co-authored-by: Duane May <duane.may@broadcom.com>

* feat: Handle Multiple SAML keys
  - Rotation Tests working
  - Uses keys from SamlConfig for each zone
  - Fall back to default keys if none set
  [#187994938]
  Signed-off-by: Duane May <duane.may@broadcom.com>

* fix: Couple of failing test cases due to `500 INTERNAL_SERVER_ERROR` from `/oauth/token` endpoint
  - Stepping through the server code revealed that an exception was thrown as follows:
    ```
    org.cloudfoundry.identity.uaa.util.JsonUtils$JsonUtilException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "relyingPartyRegistrationId" (class org.cloudfoundry.identity.uaa.authentication.UaaPrincipal), not marked as ignorable (6 known properties: "origin", "zoneId", "id", "email", "externalId", "name"]) at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 205] (through reference chain: org.cloudfoundry.identity.uaa.authentication.UaaPrincipal["relyingPartyRegistrationId"])
    ```
  - Added a `jackson` annotation to ignore the 3 properties in UaaSamlPrincipal that were causing the `UnrecognizedPropertyException`.
  - Added back a line that sets zoneId in a test case, which apparently had been removed by mistake.
  [#187986233] [#187986220]

* Clean up and reimplement SamlKeyManager and SamlKeyManagerFactory
  - added these methods back to IdentityZoneHolder, even though that has been Deprecated
  - Migrate BouncyCastle Setup and IdentityZoneHolderInitializer from XML to Java
  - Removed some of the old classes that were in this area
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Migrate tests from ZoneAwareMetadataGeneratorTests
  - Moved tests for rotation to SamlMetadataEndpointKeyRotationTests
  - Moved tests related to SamlRedirectUtils to SamlRedirectUtilsTest
  Signed-off-by: Duane May <duane.may@broadcom.com>

* feature: Handle incorrect SAML response
  - Set the `Saml2WebSsoAuthenticationFilter`'s `AuthenticationFailureHandler` to the custom failure handler.
  - Updated the test case's page source validation condition to check for the string that is based on the new exception message.
  [#187986112]

* Remove duplicate tests
  Various calls to the metadata endpoint with and without trailing / and /example in HealthzShouldNotBeProtectedMockMvcTests were duplicated in SamlMetadataMockMvcTests
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Add signatures to Metadata and AuthnRequest
  Includes:
  - getting configured SignatureAlgorithm
  - getting configured signMetadata
  - Add Signature Algorithm and Digest Algorithm to Metadata
  - Generate Signature Value and Digest Value for Metadata
  - Add SignatureAlgorithm and keys to the RelyingPartyRegistration
  - Sign the AuthnRequest
  TPCF-6869
  TPCF-6938
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Add tests for alternate config of signRequest and signMetaData
  TPCF-6869
  TPCF-6938
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable tests in BootstrapSamlIdentityProviderDataTests
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable test in HomeControllerViewTests
  - Removed commented out Disabled annotation in SamlIdentityProviderConfiguratorTests
  - TestClassNullifier moved to junit5
  Signed-off-by: Duane May <duane.may@broadcom.com>

* feat: Allow InResponseTo checking to be configured
  TPCF-6873

* feat: Add NameIdFormat to AuthnRequest
  This comes from the property login.saml.nameID
  Also refactored the RelyingPartyRegistrationBuilder to use a Params object with builder since the param list was 8 items
  TPCF-6874
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Support for login.saml.socket.* settings
  TPCF-6882
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Only show failed tests
  make it easier to find the failed tests in output
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Caffeine Caching
  Guava Cache recommends moving to Caffeine
  Mostly a drop-in replacement
  Although the refreshAfterWrite works a little differently
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Log Malformed Saml Responses
  The mechanism to achieve this in the old SAML library is no longer there.
  Added this in to the SamlLoginAuthenticationFailureHandler.
  Left the logger name as SamlResponseLoggerBinding for backward compatibility, for jobs looking for the messages.
  [TPCF-25429]
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Clean up and Sonar
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update to LoginInfoEndpoint
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Add Oauth Token endpoint to metadata
  maintains existing functionality
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update tests
  SamlLoginIT.springSamlEndpointsWithEmptyContext
  - functionality changed, redirects
  ZoneAwareKeyManagerTest
  - was 0 coverage, all calls are proxied to SamlKeyManager in the ThreadLocal managed by IdentityZoneHolder.
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Resolve Sonar security hotspots
  Replace the //NOSONAR comment with an error-specific SuppressWarnings annotation

* Correct malformed property placeholder.

* Update JavaPluginExtension settings
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Implement Saml2 Bearer Grants
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Unjava-doc-ify the copyright notices
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Fix tests for Invitations and Passcodes
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Sonar fixes
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update tests with awaitility
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update discovery urls to authenticate
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable tests and update disabled reasons for remaining
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Enable RelayState as a redirect target
  - Remove the existing code to store registrationId on request in the relaystate; it is stored with the request.
  - Also enable IDP initiated login; we don't get the registrationId in this case
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Update selenium page objects to use assert notation
  - Uses assertj and awaitility
  - Rename methods to include assert where applicable
  - Tests should include assertions java:S2699
  Signed-off-by: Duane May <duane.may@broadcom.com>

* Fix Sonar Issues
  Signed-off-by: Duane May <duane.may@broadcom.com>

* doc: Update the comment for `login.entityBaseURL` property.

* build(deps): bump versions.springSecurityVersion from 5.8.14 to 5.8.15 (#3089)
  Bumps `versions.springSecurityVersion` from 5.8.14 to 5.8.15.
  Updates `org.springframework.security:spring-security-config` from 5.8.14 to 5.8.15
  - [Release notes](https://github.com/spring-projects/spring-security/releases)
  - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
  - [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
  Updates `org.springframework.security:spring-security-core` from 5.8.14 to 5.8.15
  - [Release notes](https://github.com/spring-projects/spring-security/releases)
  - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
  - [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
  Updates `org.springframework.security:spring-security-ldap` from 5.8.14 to 5.8.15
  - [Release notes](https://github.com/spring-projects/spring-security/releases)
  - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
  - [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
  Updates `org.springframework.security:spring-security-taglibs` from 5.8.14 to 5.8.15
  - [Release notes](https://github.com/spring-projects/spring-security/releases)
  - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
  - [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
  Updates
`org.springframework.security:spring-security-test` from 5.8.14 to 5.8.15 - [Release notes](https://github.com/spring-projects/spring-security/releases) - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc) - [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15) Updates `org.springframework.security:spring-security-web` from 5.8.14 to 5.8.15 - [Release notes](https://github.com/spring-projects/spring-security/releases) - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc) - [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15) --- updated-dependencies: - dependency-name: org.springframework.security:spring-security-config dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework.security:spring-security-core dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework.security:spring-security-ldap dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework.security:spring-security-taglibs dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework.security:spring-security-test dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework.security:spring-security-web dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump org.apache.velocity:velocity-engine-core (#3090) Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1. 
--- updated-dependencies: - dependency-name: org.apache.velocity:velocity-engine-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * pr/upgrade docs slate gems take 2 (#3091) * In an attempt to upgrade Slate, and have successful builds on both Mac and Linux using Ruby 3.3.5 Step 1 - Upgrade dependencies * Fix jasmine-test script * build(deps): bump k8s.io/client-go from 0.31.1 to 0.31.2 in /k8s (#3096) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.1 to 0.31.2. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.31.1...v0.31.2) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix Sonar Issues Signed-off-by: Duane May <duane.may@broadcom.com> * Improve test coverage Signed-off-by: Duane May <duane.may@broadcom.com> * Cleanup and test coverage Signed-off-by: Duane May <duane.may@broadcom.com> * fix(k8s): fix `JAVA_HOME` Updates the `JAVA_HOME` env var for the `build-uaa-truststore` init contianer to match the updated path used by the Paketo buildpack. fixes: https://github.com/cloudfoundry/uaa/issues/2388 Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com> * build(deps): bump rexml from 3.3.8 to 3.3.9 in /uaa/slate (#3100) Bumps [rexml](https://github.com/ruby/rexml) from 3.3.8 to 3.3.9. 
- [Release notes](https://github.com/ruby/rexml/releases) - [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md) - [Commits](https://github.com/ruby/rexml/compare/v3.3.8...v3.3.9) --- updated-dependencies: - dependency-name: rexml dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump versions.jacksonVersion from 2.18.0 to 2.18.1 (#3101) Bumps `versions.jacksonVersion` from 2.18.0 to 2.18.1. Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.0 to 2.18.1 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.0 to 2.18.1 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.18.0 to 2.18.1 - [Commits](https://github.com/FasterXML/jackson-dataformats-text/compare/jackson-dataformats-text-2.18.0...jackson-dataformats-text-2.18.1) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-annotations dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump versions.seleniumVersion from 4.25.0 to 4.26.0 Bumps `versions.seleniumVersion` from 4.25.0 to 4.26.0. 
Updates `org.seleniumhq.selenium:selenium-java` from 4.25.0 to 4.26.0 - [Release notes](https://github.com/SeleniumHQ/selenium/releases) - [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0) Updates `org.seleniumhq.selenium:selenium-remote-driver` from 4.25.0 to 4.26.0 - [Release notes](https://github.com/SeleniumHQ/selenium/releases) - [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0) --- updated-dependencies: - dependency-name: org.seleniumhq.selenium:selenium-java dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.seleniumhq.selenium:selenium-remote-driver dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0 in /k8s Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.2 to 1.35.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.34.2...v1.35.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1 in /k8s (#3105) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.35.0 to 1.35.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.35.0...v1.35.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Cleanup not used comments and fragments * Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java * Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java * Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java * Enable simpleSamlLoginWithAddShadowUserOnLoginFalse Signed-off-by: Duane May <duane.may@broadcom.com> * Add coverage for UaaSavedRequestAwareAuthenticationSuccessHandler Signed-off-by: Duane May <duane.may@broadcom.com> * Fix Sonar issues Signed-off-by: Duane May <duane.may@broadcom.com> * sonar recommendation * sonar recommendation * sonar says not in use * Remove duplicates in New-saml-0530 (#3117) * renovate: : update dependency webrick to v1.9.0 * Refactor and fix duplicate found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent * Only show failed tests make it easier to find the failed tests in output Signed-off-by: Duane May <duane.may@broadcom.com> * reduce duplicates * rebase * reduce duplicates * Refactor and fix duplicate (#3112) found by sonar in 
https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent * cleanup * refactor saml bearer usage * Migrate to Caffeine Caching (#3114) * Migrate to Caffeine Caching Guava Cache recommends moving to Caffeine Mostly a drop-in replacement Although the refreshAfterWrite works a little different * more test coverage * again more test coverage * sonar * sonar --------- Co-authored-by: strehle <markus.strehle@sap.com> * fix rebase * fix rebase --------- Signed-off-by: Duane May <duane.may@broadcom.com> Co-authored-by: Duane May <duane.may@broadcom.com> Co-authored-by: Duane May <duanemay@users.noreply.github.com> * fix rebase * Store saml session index in UaaSamlPrincipal needed later for SLO * return plain error message (#3119) in case of decryption issue (wrong key) do not show class internals * Disable csrf check in SAML-SLO (#3123) Found in manual test with SAML SLO , POST Binding * fix integration test * fix integration test * Add acr value into User Authentication (#3127) re-establish IT see former retrieval https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L292-L298 * Cleanup shadow library (#3130) * Cleanup libraries not needed anymore (#3129) * Cleanup libraries not needed anymore bound to old opensaml * Remove ESAPI finally this dependency is only there because of old saml * fix rebase * sonar issue https://sonarcloud.io/project/issues?impactSoftwareQualities=RELIABILITY&sinceLeakPeriod=true&issueStatuses=OPEN%2CCONFIRMED&pullRequest=2908&id=cloudfoundry-identity-parent * remove not needed method * Add test to run Authn with redirect binding Will add more coverage in Saml2Utils * minor sonar issue * cleanup not used code * sonar 
issue with unspecified type * Fix Sonar issues Signed-off-by: Duane May <duane.may@broadcom.com> * Enhancements for SAML2 bearer flow (#3132) * Test saml bearer * Fixes for SAML2 bearer flow * reverted test * Enhancements for SAML2 bearer and IdP initiated SSO (#3136) * Test saml bearer * Fixes for SAML2 bearer flow * reverted test * Implement RelyingPartyRegistrationResolver * support resolution of SAMLResponse from request * remove default setting * Use standard setting of metadata the feature with classpath is new in this PR. * refactorings based on sonar * Replace dummy-saml-idp-metadata and create the data based on real key data Until now we do not deliver any keys in uaa.war. * Cleanup test failure Changed, because of hack with defaults. * Rename DefaultRelyingPartyRegistrationResolver to UaaRelyingPartyRegistrationResolver Signed-off-by: Duane May <duane.may@broadcom.com> * Refactor text blocks Signed-off-by: Duane May <duane.may@broadcom.com> --------- Signed-off-by: Duane May <duane.may@broadcom.com> Co-authored-by: Duane May <duane.may@broadcom.com> Co-authored-by: Duane May <duanemay@users.noreply.github.com> * sonar: unused imports * sonar: recommendation * sonar: recommendation * sonar changes * sonar changes * omit hard coded example name (#3140) * build(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0 (#3146) Bumps commons-io:commons-io from 2.17.0 to 2.18.0. --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feature: ingtegration test coverage - Modified `cargo.local` to run with jacoco agent if a system property is set. - Added a task to generate coverage report from the recorded jacoco data. 
* Add the kill_uaa step to ensure jacoco file is written * typo * Bump Gradle to 8.11.1 * fix: default values of custom zone's saml entityID and saml alias (when the configured entityID is a URL) - maintain the existing behavior where a custom identity zone's saml entityID is defaulted to either 1) `zoneSubdomain.uaaWideSamlEntityID` if `uaaWideSamlEntityID` is not a URL, or 2) if `uaaWideSamlEntityID` is a URL, integration the zoneSubdomain into the URL (see tests for example). - similar logic for saml entity alias (which is used in various saml sp urls, such as `AssertionConsumerService`) except that the alias should not include url scheme (aka without `https://`), so that the resulting saml sp urls are valid urls (e.g.: `https://zone1.uaa.com/saml/SSO/alias/[saml entity alias]`, see tests for examples). - reference on develop branch (old saml code): - doc: https://github.com/cloudfoundry/uaa/blob/65952b1b53b8d01cf93e68493a3f6ac85ad8a825/docs/login/Okta-README.md?plain=1#L73-L75 - code: https://github.com/cloudfoundry/uaa/blob/cc5f76fba495e5d1b3fd755ac3a6ff137fc91878/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java#L53-L54 - problem statement: without this commit, when * a custom zone is created without a `zone.config.samlConfig.entityID` specified * the default zone's `login.entityID` is configured to a URL, such as `https://uaa.com` * the default zone's `login.saml.entityIDAlias` is not set, aka default to `login.entityID` Then the resulting custom zone sp metadata has some discrepancies with the old saml code's metadata: For `AssertionConsumerService`: - old (correct) value is: https://test-zone-before.uaa.com/saml/SSO/alias/test-zone-before.uaa.com - new value is: https://test-zone.uaa.com/saml/SSO/alias/test-zone.http:/uaa.com For `entityID`: - old (correct) value is: http://test-zone-before.uaa.com - new value is: test-zone.http://uaa.com This results in the external SAML login for this zone not working. 
* clean version definition not needed anymore --------- Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com> Signed-off-by: Duane May <duane.may@broadcom.com> Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com> Signed-off-by: Alicia Yingling <alicia.yingling@broadcom.com> Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com> Signed-off-by: Peter Chen <peter-h.chen@broadcom.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com> Co-authored-by: Danny Faught <danny.faught@broadcom.com> Co-authored-by: Peter Chen <peter-h.chen@broadcom.com> Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com> Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com> Co-authored-by: Duane May <duane.may@broadcom.com> Co-authored-by: Bruce Ricard <bruce.ricard@gmail.com> Co-authored-by: Filip Hanik <fhanik@vmware.com> Co-authored-by: Duane May <duanemay@gmail.com> Co-authored-by: d036670 <markus.strehle@sap.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Markus Strehle <11627201+strehle@users.noreply.github.com> Co-authored-by: Duane May <duanemay@users.noreply.github.com> Co-authored-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
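The `fix: default values of custom zone's saml entityID and saml alias` commit in the squashed message above describes a defaulting rule and the failure it fixes: prefixing the zone subdomain onto a UAA-wide entityID that is a URL yields values such as `test-zone.http://uaa.com`, which then land in the SP's `AssertionConsumerService` path and break external SAML login. The following is an added Python illustration of that rule, written for this page; it is not UAA's code (which is Java), and the function names, the `alias_is_path_safe` check and the sample subdomain `test-zone-before` are assumptions. It contrasts the plain string prefix with a URL-aware insertion of the subdomain into the host, and strips the scheme for the alias so that the SP URLs stay well-formed.

```python
"""Illustrative model of the zone-scoped SAML entityID / alias defaulting rule.

Constructed for this page; not code from the UAA project. Function names and
the sample subdomain are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit


def is_url(value: str) -> bool:
    """True when the UAA-wide entityID is configured as an http(s) URL."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def naive_zone_entity_id(zone_subdomain: str, uaa_wide_entity_id: str) -> str:
    """Plain prefixing: right for bare names, wrong for URLs (the defect described above)."""
    return f"{zone_subdomain}.{uaa_wide_entity_id}"


def zone_entity_id(zone_subdomain: str, uaa_wide_entity_id: str) -> str:
    """Default entityID for a custom zone that configured none of its own.

    Bare name: zoneSubdomain.uaaWideSamlEntityID
    URL:       the subdomain is inserted in front of the URL's host, keeping
               scheme, port and path intact.
    """
    if not is_url(uaa_wide_entity_id):
        return naive_zone_entity_id(zone_subdomain, uaa_wide_entity_id)
    parts = urlsplit(uaa_wide_entity_id)
    return urlunsplit(parts._replace(netloc=f"{zone_subdomain}.{parts.netloc}"))


def zone_entity_alias(zone_subdomain: str, uaa_wide_alias: str) -> str:
    """Same rule as the entityID, but the alias never carries a scheme.

    The alias is embedded as a path segment of the SP endpoints, so a scheme
    inside it would corrupt those URLs.
    """
    scoped = zone_entity_id(zone_subdomain, uaa_wide_alias)
    if not is_url(scoped):
        return scoped
    parts = urlsplit(scoped)
    return (parts.netloc + parts.path).rstrip("/")


def assertion_consumer_service_url(zone_base_url: str, alias: str) -> str:
    """SP AssertionConsumerService location of the form <base>/saml/SSO/alias/<alias>."""
    return f"{zone_base_url.rstrip('/')}/saml/SSO/alias/{alias}"


def alias_is_path_safe(alias: str) -> bool:
    """Assumed sanity check before publishing metadata: one path segment, no separators."""
    return bool(alias) and "/" not in alias


if __name__ == "__main__":
    wide = "https://uaa.com"       # constructed: default zone login.entityID (a URL)
    zone = "test-zone-before"      # constructed: custom zone subdomain
    alias = zone_entity_alias(zone, wide)
    print("entityID:", zone_entity_id(zone, wide))
    print("alias   :", alias, "path safe:", alias_is_path_safe(alias))
    print("ACS     :", assertion_consumer_service_url(f"https://{zone}.uaa.com", alias))
    bad = naive_zone_entity_id(zone, wide)
    print("naive   :", bad, "path safe:", alias_is_path_safe(bad))
```

With the page's values (`login.entityID` set to `https://uaa.com`, zone subdomain `test-zone-before`) the URL-aware functions give the `https://test-zone-before.uaa.com/saml/SSO/alias/test-zone-before.uaa.com` form the commit lists as correct, while the naive prefix fails the path-safety check, which is the kind of check worth running against generated SP metadata before it is published to an IdP.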
Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)