build(deps): bump k8s.io/client-go from 0.31.1 to 0.31.2 in /k8s #3096
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.1 to 0.31.2. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.31.1...v0.31.2) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
duanemay
pushed a commit
that referenced
this pull request
Oct 28, 2024
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.1 to 0.31.2. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.31.1...v0.31.2) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
strehle
added a commit
that referenced
this pull request
Nov 26, 2024
* remove: SAML extension library dependency
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
* Ignore non-functioning SAML tests
* Instead of calling fail(). We have a suspicion that there is a bug in
the way the tests are running (most of them are somehow not running
with "./gradlew test" and we have a theory that a combination of mixing
junit4 imports and the junit5 fail() might be contributing.
* I was careful to use @Ignore for tests importing the junit4 @Test, and
@Disabled for tests using the junit5 @Test.
* These annotations were added, with the idea that you can search for
'@Ignore("SAML' and '@Disabled("SAML' to find the tests that need
attention before we finish the SAML library conversion.
@Ignore("SAML test fails")
@Ignore("SAML test doesn't compile")
@Ignore("SAML test setup doesn't compile")
@Disabled("SAML test fails")
@Disabled("SAML test doesn't compile")
* A few tests are set to ignore because they're failing for the right
reasons, but more work is needed to finish that and get back to green.
The goal is to start tracking these annotations instead of failing
tests, so we can stay green.
* Tests now running:
server module: 3,435 (in IntelliJ) (98 total ignored)
uaa module: 67 (command line run of "./gradlew test" for all tests
- still needs troubleshooting)
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
* update @Ignore - test now compiles
Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
* feat: switch to new Spring Security SAML library
* Removed commented-out references to the outdated SAML extension library
Co-authored-by: Duane May <duane.may@broadcom.com>
* feat: Supply metadata through /saml/metadata
- Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints, Still has some wip elements WithHttpsNotRequired > samlMetadataReturnsOk still red RelyingPartyRegistration is hardcoded in xml, /saml/metadata/ with trailing slash not working missing parity with develop
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* fix: handle case when Servlet Path is null and ensures test WithHttpsNotRequired -> samlMetadataReturnsOk is green
- fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test -
HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
* remove: SAML extension library dependency
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
* Ignore non-functioning SAML tests
* Instead of calling fail(). We have a suspicion that there is a bug in
the way the tests are running (most of them are somehow not running
with "./gradlew test" and we have a theory that a combination of mixing
junit4 imports and the junit5 fail() might be contributing.
* I was careful to use @Ignore for tests importing the junit4 @Test, and
@Disabled for tests using the junit5 @Test.
* These annotations were added, with the idea that you can search for
'@Ignore("SAML' and '@Disabled("SAML' to find the tests that need
attention before we finish the SAML library conversion.
@Ignore("SAML test fails")
@Ignore("SAML test doesn't compile")
@Ignore("SAML test setup doesn't compile")
@Disabled("SAML test fails")
@Disabled("SAML test doesn't compile")
* A few tests are set to ignore because they're failing for the right
reasons, but more work is needed to finish that and get back to green.
The goal is to start tracking these annotations instead of failing
tests, so we can stay green.
* Tests now running:
server module: 3,435 (in IntelliJ) (98 total ignored)
uaa module: 67 (command line run of "./gradlew test" for all tests
- still needs troubleshooting)
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
* feat: Supply metadata through /saml/metadata
- Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints, Still has some wip elements WithHttpsNotRequired > samlMetadataReturnsOk still red RelyingPartyRegistration is hardcoded in xml, /saml/metadata/ with trailing slash not working missing parity with develop
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* fix: handle case when Servlet Path is null and ensures test WithHttpsNotRequired -> samlMetadataReturnsOk is green
- fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test -
HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* feat: reliably serve SAML SP metadata
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration,
which requires a valid SAML IDP
metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP
metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML
IDPs might require you to supply the SAML SP metadata first before you can obtain the
SAML IDP metadata. See relevant issue: https://github.com/spring-projects/spring-security/issues/11369
- Previously, to solve this problem, the SAML SP metadata generation relies
on relyingPartyRegistration values in saml-providers.xml, which
hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance);
this means that UAA's SP metadata generation relies on the
example Okta SAML instance to be running.
- This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML
SP metadata generation, at the advice of Spring Security team, so that UAA's functioning
does not rely on some external running Okta instance.
- code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* Ignore failing SAML test
- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This test is failing as early as
e7beec7a5aa53fa761ca1d752d647f930ebcc6b7 due to the removal of SAML
code, as this test is related the SAML feature
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* disable docs test that shouldn't be running
* Has to be commented out of the erb file even when the test method used @Disabled.
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* Ignore failing SAML test
- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This is a test recently added to develop branch, so
ignoring this here because the SAML feature is still being
built.
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* refactor: shorten the dummy IDP metadata
- to reflect the fact that this IDP metadata just needs
to exist in its bare minimal form, where the specific fields
in it do not affect the SP metadata generation
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* fix: "invalid XML" error in tests
- previously some tests error with:
```
net.shibboleth.utilities.java.support.xml.XMLParserException: Unable to parse inputstream, it contained invalid XML
```
- this issue is fixed once we switch to loading
the idp saml metadata via a file (instead of an InputStream)
[186822654]
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
* wip: configure some metadata params
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
* disable failing test
* We're reprioritizing the test to get this test to pass.
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
* WIP
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip: ensuring the endpoint for metadata works both in forward and direct request
- Tests are failing but they are behaving as expected with curl and browser for /saml/metadata /saml/metadata/example and /saml/metadata/example/
- /saml/metadata/ is not returning xml
- The dispatcher ordering along with position in the filter-mapping must be set properly.
[#186986697]
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
* add metadata redirect test
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip: ensuring the saml metadata endpoint for metadata works in Mock MVC Tests
- /saml/metadata/ is not returning xml
[#186986697]
Co-authored-by: Filip Hanik <fhanik@vmware.com>
* wip: entityID assertion works in testSamlMetadataDefault
Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
* feat: entity_id assertion passes
Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip: use working metadata path temporarily
* Must be changed back to /saml/metadata later, removing "example".
Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip: xml refactor
Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip: updating to non forwarding for /saml/metadata to the example default
- Updated to use direct GetMapping
[#186986697]
Co-authored-by: Filip Hanik <fhanik@vmware.com>
* wip: Ensuring the WantsAssertionSigned and AuthnRequestsSigned are populated in SPSSODescriptor
- Building out EntityDescriptor in the RelyingPartyRegistration which contains the SPSSODescriptor picked up by the resolve method
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip: Adding in signature elements for SAML metadata.xml endpoint payload
- Need to fix credential type being empty
Caused by: java.lang.IllegalArgumentException: credentials types cannot be empty
....(SamlRelyingPartyRegistrationRepository.java:84)
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
* wip: Adding in signature elements for SAML metadata.xml endpoint payload
- Signature is not positioned correctly. It should be a child of EntityDescriptor, but the singingX509Credential.signing call positions it in SPSODescriptor
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
* feat: populate SAMP SP metadata fields: entityID, NameIDFormat, AuthnRequestsSigned
- correctly reads off UAA configs to populate these fields, instead
of using hardcoded values
- refactor to directly reading `login.saml.NameID` config (a more modern approach) instead
of constructing a bean in xml (a more legacy approach)
- side note: update the UAA config used in mock mvc tests (/uaa/src/test/resources/integration_test_properties.yml)
to use a non-default option of `login.saml.nameID` so that we can test
that the correct value is being piped through
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* refactor: clean up commented out code
- there are many commented out codes from
prior wip commits (which at this point, I decided, are
too hard to fix or tidy up). Hence, in this commit,
clean them up
[186822654]
Co-authored-by: Duane May <duane.may@broadcom.com>
* Ignore non-functioning SAML tests
- the SAML SP metadata is still WIP, so this IT will fail. Ignoring
it for now so that "CI" is green along with all other SAML tests
currently failing / non-functional due to the WIP state of the SAML
feature.
- see defails of this approach in https://github.com/cloudfoundry/uaa/commit/73520d92499f481929e2b666bfbded83aaaa3148
[186822654]
Co-authored-by: Duane May <duane.may@broadcom.com>
* Update opensaml libraries to 4.x
https: //docs.spring.io/spring-security/reference/5.8/migration/servlet/saml2.html
Co-authored-by: Duane May <duane.may@broadcom.com>
* Refactor annotations and formatting
Use RestController, Slf4j, Getter
Use textblocks
Co-authored-by: Duane May <duane.may@broadcom.com>
* Refactor tests: formatting, andExpectAll and assertThat
Use assertThat
Use textblocks
Co-authored-by: Duane May <duane.may@broadcom.com>
* Change from SAML XML to Java Config
Co-authored-by: Duane May <duane.may@broadcom.com>
* feat: populate sp metadata field WantAssertionsSigned
[#186986697]
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* feat: saml sp metadata field - signing cert
- also: refactor the UAA config used in mock mvc tests
(/uaa/src/test/resources/integration_test_properties.yml)
from the deprecated saml key fields (eg: login.serviceProviderKey)
to the new ones (eg: login.saml.keys), so that we test for the
new fields.
- also fix the api docs test so that it now correctly marks
the retrieve id zones response's `config.samlConfig.certificate`
as optional (this field is only returned if you use the
deprecated saml key config fields)
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
* feat: saml sp metadata encryption cert
- populate saml sp metadata field for use='encryption' cert
- might be counter-intuitive that the setting on rp registration
that controls this is "decryptionX509Credentials", but the resulting
sp metadata indeed includes use='encryption' which matches
develop branch
[186822654]
Co-authored-by: Duane May <duane.may@broadcom.com>
* refactor: consolidate saml sp configs
- to be processed by a single class "SamlConfiguration" where
the @ConfigurationProperties(prefix="login.saml") annotation
has the ability to process all fields under the login.saml section
of UAA.yml
- this is helpful because we can now centrally read, process,
even validate all saml config fields under "login.saml"
- pay attention to @ConfigurationProperties annotation's various
requirements though: such as the private field names need to match
the actually UAA.yml field name (e.g.: login.saml.fooBar -> private
String fooBar); and that there need to be public setters and getters
for each field
- see: https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.external-config.typesafe-configuration-properties.using-annotated-types
- the exception of the saml entity id, which in UAA.yml is somehow
outside of the login.saml context (set by login.entityID) so that
field stays under class SamlEntityIdConfiguration
Co-authored-by: Duane May <duane.may@broadcom.com>
* refactor: use lombok
- these getters and setters are required
for @ConfigurationProperties annotation to work; use
lombok so that we don't need to explicitly
define them
[186822654]
Co-authored-by: Duane May <duane.may@broadcom.com>
* refactor: simplify lombok annotation
- as @Data covers the getters and setters
Co-authored-by: Duane May <duane.may@broadcom.com>
* fix: maintain existing saml sp metadata file name
- configure the file name of the saml sp metadata (the downloaded
xml file name when accessing the metadata endpoint: http://localhost:8080/uaa/saml/metadata)
to match the status quo on develop branch: "saml-sp.xml"
- This file name likely do not matter, but out of caution, we should
maintain the same file name as before
[186822654]
Co-authored-by: Duane May <duane.may@broadcom.com>
* fix: saml sp metadata test set up
- now that the metadata is being provided at
the correct location: /saml/metadata, we can correct
the test expectation to reflect that (hence matching
the develop branch)
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
* fix: SAML SP metadata endpoint and its https redirect
- Removed forwarding of `/saml/metadata` endpoint to `/saml/metadata/example`. It is not necessary because `/saml/metadata` endpoint method already calls `/saml/metadata/{registrationId}` with `example` as the default registrationId. (See class `SamlMetadataEndpoint`.)
- Made `HttpsEnforcementFilter` to be added to the top of the `SecurityFilterChainPostProcessor`'s `SecurityFilterChain`.
- Added `secFilterOpen06SAMLMetadata` to `SecurityFilterChainPostProcessor`'s `redirectToHttps` list.
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* Clean up unnecssary codes
- Removed SamlExtensionUrlForwardingFilter. Just commented out for now in case we need it later.
- Removed unneeded comments in test code.
[#186986697]
Co-authored-by: Duane May <duane.may@broadcom.com>
* Load the Saml Provider Data
[#187084275]
Co-authored-by: Duane May <duane.may@broadcom.com>
* refactor: Spring Annotations on SamlRelyingPartyRegistrationRepository
- Change SamlRelyingPartyRegistrationRepository to Configuration
- Use constructor args instead of Autowired
Co-authored-by: Duane May <duane.may@broadcom.com>
* fix: multiple versions of the opensaml library
still had opensaml 3.4.6
Co-authored-by: Duane May <duane.may@broadcom.com>
* feat: send SAML authn request to IDP
- when SAML IDP is configured via uaa.yml, when
the user goes to "/uaa/saml2/authenticate/{saml-idp-alias}",
they will get sent to the configured SAML IDP with
a SAML authn request. Specifically, spring-security will do
the following:
- when the IDP's Binding mode is "HTTP-Redirect", the
user is redirected to the IDP
- when the IDP's Binding mode is "HTTP-POST", the user's
browser is triggered to POST to the IDP. For this to work,
the ContentSecurityPolicyFilter needs to updated to exempt
"/saml2" from policy enforcement, such that the script that
initiates the POST can be executed in the browser. Similar
to how this filter exempts /saml (the existing saml-related
path on develop branch).
- refactor: update the dummy IDP metadata file
dummy-saml-idp-metadata.xml to not point
to example.com, but to https://www.cloudfoundry.org
(which is more of a known destination)
- refactor: use constant DEFAULT_REGISTRATION_ID
[#187084275]
Co-authored-by: Duane May <duane.may@broadcom.com>
* update saml link on login page
* fix: issue with 2 JsonObjects imported
* Merge SamlConfigProps to single class
prefix="login.saml" was in 2 ConfigProps classes before merged into 1
* Update SamlLoginIT
* feat: Saml Login redirects to IDP
Reads provider info from database
Passes the registrationId as relayState
Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>
* fix: click first saml link matching text
when running multiple IT tests, the simplesamlphp2 link was also listed, and causing a conflict with url matcher
Signed-off-by: Duane May <duane.may@broadcom.com>
* feat: AssertionConsumerService SAML user login
Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>
#187106956
* Clean up and reenable tests
Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>
* Improve Testing of SAML Request/Response
- Improve Testing of SAML Request/Response with Saml2TestUtils
- Configure assertionConsumerServiceLocation in one location.
- Attempted move to OpenSaml4AuthenticationProvider
requires a shadow dependency on opensaml to remove the need for non-FIPS compliant security provider. Not yet in place
Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Alicia Yingling <alicia.yingling@broadcom.com>
* Break up AuthProvider
Move user shadowing, attribute processing, and authorities processing to their own classes.
Enable Authorities
Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>
* Pull in OpenSaml4AuthenticationProvider
This provides general response validation.
Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>
* Verify user attributes, roles, user name, email extraction
Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>
#187809240
* Add editor and lombok config
Signed-off-by: Duane May <duane.may@broadcom.com>
* Run kill_uaa as part of integrationTests
Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
* Annotate Disabled tests with more information
Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
* feat: SAML Logout
- Main logout flows are working
- IDP Initiated logout is working
- Handle metadata XML passed in instead of metadata location for both bootstrap and SamlIdentityProviderConfigurator
Signed-off-by: Duane May <duane.may@broadcom.com>
* fix Selenium HomePage can be one of two urls.
- clean up the rest of the pageObjects package
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update BootstrapTests
- now attempts to retrieve the non-existent url https://simplesamlphp.uaa.com/saml2/idp/metadata.php
Signed-off-by: Duane May <duane.may@broadcom.com>
* feature: Zone-aware SAML SP metadata
- Implemented to the same level as the default IdenityZone's SP metadata generation.
- Minus `NameIDFormat` value populaition and registration-ID specific implementation.
[#187846376]
* Disable `findByRegistrationIdWhenNoneFound` test as the assertion is not valid anymore.
* Update counter script
- No longer have Ignored tests only Disabled
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update IdentityZone related classes and tests
Signed-off-by: Duane May <duane.may@broadcom.com>
* feat: basic SAML SP metadata for non-default ID zone
- correctly populates the basic fields of non-default zone SAML SP metadata (such as
WantAssertionsSigned and AuthnRequestsSigned), so that for default vs. non-default zones, the
SP metadatas have feature parity.
[#187846376]
Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
* wip: zoned metadata fixes and zoned login
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
* rebase and revert entiyID checks
* Enable some passing SamlLoginIT tests
Co-authored-by: Duane May <duane.may@broadcom.com>
* refactor entityId and entityIdAlias resolution
- created a base class BaseUaaRelyingPartyRegistrationRepository, used by ConfiguratorRelyingPartyRegistrationRepository and DefaultRelyingPartyRegistrationRepository.
- moved getZoneEntityId and getZoneEntityIdAlias to base class
Co-authored-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
* backfill some SAML tests
* Enable SAML Automatic Redirect
Requires changing from discovery URL to the authentication request URL.
Enable the following tests in SamlLoginIT:
- samlInvitationAutomaticRedirectInZone2
- samlLoginClientIDPAuthorizationAutomaticRedirect
- samlLoginClientIDPAuthorizationAutomaticRedirectInZone1
- samlLoginMapGroupsInZone1
Co-authored-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
* build(deps): bump org.gradle:test-retry-gradle-plugin
Bumps org.gradle:test-retry-gradle-plugin from 1.5.9 to 1.5.10.
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
---
updated-dependencies:
- dependency-name: org.gradle:test-retry-gradle-plugin
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* Fix regression in identity-provider endpoint (#2962)
* Fix regression in identity-provider endpoint
Issue:
If existing entries in identity-provider with new external_key the field is null, which is expected.
If external_key is null, this must not overwrite the issuer in rest endpoint, but it does
For SAML there is no issue, because here the entityId is really new in REST output and in DB.
For OIDC and OAuth2 the issuer was used in REST already and there was no check before overwrite it from external_key.
* review
* add case if issuer is null from config, allowed for oauth2 IdP
* spelling
* revert the logic of external key, stay with issuer
* set entityId on update
* test coverage
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
* build(deps): bump k8s.io/client-go from 0.30.2 to 0.30.3 in /k8s (#2964)
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.2 to 0.30.3.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.30.2...v0.30.3)
---
updated-dependencies:
- dependency-name: k8s.io/client-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Replace SamlLegacyAliasResponseForwardingFilter
- Added a RelayStateRelyingPartyRegistrationResolver which looks for the Registration Id from the RelayState, instead of the last part of the URL.
- The url contains entity id, for backward compatibility, instead of the registration Id.
- The filter required redirect filter processing, which broke the CSRF Filter (noticed on LoginServerSecurityIntegrationTests)
Co-authored-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
* fix: correct test expectation
- the saml assertion consumer endpoint should end with
the configured login.entityID in UAA.yml (when login.saml.entityIDAlias is not set)
* Update test classes
- DefaultIntegrationTestConfig: use Durations
- IdentityZoneEndpointsMockMvcTests sonar, asserts
- LdapIntegrationTests: junit5, sonar, asserts
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update scripts for testing
- kill_uaa: make port aware
- debug_uaa: for running uaa in debug or suspended debug mode
- create_test_providers: adds providers to running UAA via API
- create_test_zones: adds zones and providers to running UAA via API
Signed-off-by: Duane May <duane.may@broadcom.com>
* check entityId in validate SAML (#2970)
* WIP: replace SamlLegacyAliasResponseForwardingFilter
- the receiveAuthnResponseFromIdpToLegacyAliasUrl test still failing, see
comments within this test
Co-authored-by: Duane May <duane.may@broadcom.com>
* WIP: check entityId in validate SAML
* WIP: re-establish validation of metadata in /identity-providers endpoint
* WIP: test fix
---------
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
* feat: Handle Multiple SAML keys
- Rotation Tests working
- Uses keys from SamlConfig for each zone
- Fall back to default keys if none set
[#187994938]
Signed-off-by: Duane May <duane.may@broadcom.com>
* fix: Couple of failing test cases due to `500 INTERNAL_SERVER_ERROR` from `/oauth/token` endpoint
- Stepping through the server code revealed that an exception was thrown as follows:
```
org.cloudfoundry.identity.uaa.util.JsonUtils$JsonUtilException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "relyingPartyRegistrationId" (class org.cloudfoundry.identity.uaa.authentication.UaaPrincipal), not marked as ignorable (6 known properties: "origin", "zoneId", "id", "email", "externalId", "name"])
at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 205] (through reference chain: org.cloudfoundry.identity.uaa.authentication.UaaPrincipal["relyingPartyRegistrationId"])
```
- Added a `jackson` annotation to ignore the 3 properties in UaaSamlPrincipal that were causing the `UnrecognizedPropertyException`.
- Added back a line that sets zoneId in a test case, which apparently had been removed by mistake.
[#187986233]
[#187986220]
* Clean up and reimplement SamlKeyManager and SamlKeyManagerFactory
- added these methods back to IdentityZoneHolder, even though that has been Deprecated
- Migrate BouncyCastle Setup and IdentityZoneHolderInitializer from XML to Java
- Removed some of the old classes that were in this area
Signed-off-by: Duane May <duane.may@broadcom.com>
* Migrate tests from ZoneAwareMetadataGeneratorTests
- Moved tests for rotation to SamlMetadataEndpointKeyRotationTests
- Moved tests related to SamlRedirectUtils to SamlRedirectUtilsTest
Signed-off-by: Duane May <duane.may@broadcom.com>
* feature: Handle icorrect SAML response
- Set the `Saml2WebSsoAuthenticationFilter`'s `AuthenticationFailureHandler` to the custom failure handler.
- Updated the test case's page source validation condition to check for the string that is based on the new exception message.
[#187986112]
* Remove duplicate tests
Various calls to metadata endpoint with and without trailing / and /example in HealthzShouldNotBeProtectedMockMvcTests were duplicated in SamlMetadataMockMvcTests
Signed-off-by: Duane May <duane.may@broadcom.com>
* Add signatures to Metadata and AuthnRequest
Includes:
- getting configured SignatureAlgorithm
- getting configured signMetadata
- Add Signature Algorithm and Digest Algorithm to Metadata
- Generate Signature Value and Digest Value to Metadata
- Add SignatureAlgorithm and keys to the RelyingPartyRegistration
- Sign the AuthnRequest
TPCF-6869
TPCF-6938
Signed-off-by: Duane May <duane.may@broadcom.com>
* Add tests for alternate config of signRequest and signMetaData
TPCF-6869
TPCF-6938
Signed-off-by: Duane May <duane.may@broadcom.com>
* Enable tests in BootstrapSamlIdentityProviderDataTests
Signed-off-by: Duane May <duane.may@broadcom.com>
* Enable test in HomeControllerViewTests
- Removed commented out Disabled annotation in SamlIdentityProviderConfiguratorTests
- TestClassNullifier moved to junit5
Signed-off-by: Duane May <duane.may@broadcom.com>
* feat: Allow InResponseTo checking to be configured
TPCF-6873
* feat: Add NameIdFormat to AuthnRequest
This comes from the property, login.saml.nameID
Also refactored the RelyingPartyRegistrationBuilder to use a Params object with builder since the param list was 8 items
TPCF-6874
Signed-off-by: Duane May <duane.may@broadcom.com>
* Support for login.saml.socket.* settings
TPCF-6882
Signed-off-by: Duane May <duane.may@broadcom.com>
* Only show failed tests
make it easier to find the failed tests in output
Signed-off-by: Duane May <duane.may@broadcom.com>
* Caffeine Caching
Guava Cache recommends moving to Caffeine
Mostly a drop in replacement
Although the refreshAfterWrite works a little different
Signed-off-by: Duane May <duane.may@broadcom.com>
* Log Malformed Saml Responses
The mechanism to achieve this in the old SAML library is no longer there. Added this in to the SamlLoginAuthenticationFailureHandler.
Left the logger name as SamlResponseLoggerBinding for backward compatibility, for jobs looking for the messages.
[TPCF-25429]
Signed-off-by: Duane May <duane.may@broadcom.com>
* Clean up and Sonar
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update to LoginInfoEndpoint
Signed-off-by: Duane May <duane.may@broadcom.com>
* Add Oauth Token endpoint to metadata
maintains existing functionality
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update tests
SamlLoginIT.springSamlEndpointsWithEmptyContext - functionality changed redirects
ZoneAwareKeyManagerTest - was 0 coverage, all calls are proxied to SamlKeyManager in the ThreadLocal managed by IdentityZoneHolder.
Signed-off-by: Duane May <duane.may@broadcom.com>
* Resolve Sonar security hotspots
Replace the //NOSONAR comment with a error specific SuppressWarnings annotation
* Correct malformed property placeholder.
* Update JavaPluginExtension settings
Signed-off-by: Duane May <duane.may@broadcom.com>
* Implement Saml2 Bearer Grants
Signed-off-by: Duane May <duane.may@broadcom.com>
* Unjava-doc-ify the copyright notices
Signed-off-by: Duane May <duane.may@broadcom.com>
* Fix tests for Invitations and Passcodes
Signed-off-by: Duane May <duane.may@broadcom.com>
* Sonar fixes
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update tests with awaitility
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update discovery urls to authenticate
Signed-off-by: Duane May <duane.may@broadcom.com>
* Enable tests and update disabled reasons for remaining
Signed-off-by: Duane May <duane.may@broadcom.com>
* Enable RelayState as a redirect target
- Remove the existing code to store registrationId on request in the relaystate, it is stored with the request.
- Also enable IDP initiated login, we don't get the registrationId in this case
Signed-off-by: Duane May <duane.may@broadcom.com>
* Update selenium page objects to use assert notation
- Uses assertj and awaitility
- Rename methods to include assert where applicable
- Tests should include assertions java:S2699
Signed-off-by: Duane May <duane.may@broadcom.com>
* Fix Sonar Issues
Signed-off-by: Duane May <duane.may@broadcom.com>
* doc: Update the comment for `login.entityBaseURL` property.
* build(deps): bump versions.springSecurityVersion from 5.8.14 to 5.8.15 (#3089)
Bumps `versions.springSecurityVersion` from 5.8.14 to 5.8.15.
Updates `org.springframework.security:spring-security-config` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
Updates `org.springframework.security:spring-security-core` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
Updates `org.springframework.security:spring-security-ldap` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
Updates `org.springframework.security:spring-security-taglibs` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
Updates `org.springframework.security:spring-security-test` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
Updates `org.springframework.security:spring-security-web` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)
---
updated-dependencies:
- dependency-name: org.springframework.security:spring-security-config
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-core
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-ldap
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-taglibs
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-test
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-web
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump org.apache.velocity:velocity-engine-core (#3090)
Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.
---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* pr/upgrade docs slate gems take 2 (#3091)
* In an attempt to upgrade Slate, and have successful builds
on both Mac and Linux using Ruby 3.3.5
Step 1 - Upgrade dependencies
* Fix jasmine-test script
* build(deps): bump k8s.io/client-go from 0.31.1 to 0.31.2 in /k8s (#3096)
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.1 to 0.31.2.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.31.1...v0.31.2)
---
updated-dependencies:
- dependency-name: k8s.io/client-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix Sonar Issues
Signed-off-by: Duane May <duane.may@broadcom.com>
* Improve test coverage
Signed-off-by: Duane May <duane.may@broadcom.com>
* Cleanup and test coverage
Signed-off-by: Duane May <duane.may@broadcom.com>
* fix(k8s): fix `JAVA_HOME`
Updates the `JAVA_HOME` env var for the `build-uaa-truststore` init contianer to match the updated path used by the Paketo buildpack.
fixes: https://github.com/cloudfoundry/uaa/issues/2388
Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
* build(deps): bump rexml from 3.3.8 to 3.3.9 in /uaa/slate (#3100)
Bumps [rexml](https://github.com/ruby/rexml) from 3.3.8 to 3.3.9.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.3.8...v3.3.9)
---
updated-dependencies:
- dependency-name: rexml
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump versions.jacksonVersion from 2.18.0 to 2.18.1 (#3101)
Bumps `versions.jacksonVersion` from 2.18.0 to 2.18.1.
Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)
Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)
Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson-dataformats-text/compare/jackson-dataformats-text-2.18.0...jackson-dataformats-text-2.18.1)
---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-annotations
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.core:jackson-databind
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump versions.seleniumVersion from 4.25.0 to 4.26.0
Bumps `versions.seleniumVersion` from 4.25.0 to 4.26.0.
Updates `org.seleniumhq.selenium:selenium-java` from 4.25.0 to 4.26.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0)
Updates `org.seleniumhq.selenium:selenium-remote-driver` from 4.25.0 to 4.26.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0)
---
updated-dependencies:
- dependency-name: org.seleniumhq.selenium:selenium-java
dependency-type: direct:production
update-type: version-update:semver-minor
- dependency-name: org.seleniumhq.selenium:selenium-remote-driver
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0 in /k8s
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.2 to 1.35.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.34.2...v1.35.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1 in /k8s (#3105)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.35.0 to 1.35.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.35.0...v1.35.1)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Cleanup not used comments and fragments
* Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java
* Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java
* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java
* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java
* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java
* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java
* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java
* Enable simpleSamlLoginWithAddShadowUserOnLoginFalse
Signed-off-by: Duane May <duane.may@broadcom.com>
* Add coverage for UaaSavedRequestAwareAuthenticationSuccessHandler
Signed-off-by: Duane May <duane.may@broadcom.com>
* Fix Sonar issues
Signed-off-by: Duane May <duane.may@broadcom.com>
* sonar recommendation
* sonar recommendation
* sonar says not in use
* Remove duplicates in New-saml-0530 (#3117)
* renovate: : update dependency webrick to v1.9.0
* Refactor and fix duplicate
found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent
* Only show failed tests
make it easier to find the failed tests in output
Signed-off-by: Duane May <duane.may@broadcom.com>
* reduce duplicates
* rebase
* reduce duplicates
* Refactor and fix duplicate (#3112)
found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent
* cleanup
* refactor saml bearer usage
* Migrate to Caffeine Caching (#3114)
* Migrate to Caffeine Caching
Guava Cache recommends moving to Caffeine
Mostly a drop-in replacement
Although the refreshAfterWrite works a little different
* more test coverage
* again more test coverage
* sonar
* sonar
---------
Co-authored-by: strehle <markus.strehle@sap.com>
* fix rebase
* fix rebase
---------
Signed-off-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duanemay@users.noreply.github.com>
* fix rebase
* Store saml session index in UaaSamlPrincipal
needed later for SLO
* return plain error message (#3119)
in case of decryption issue (wrong key) do not show
class internals
* Disable csrf check in SAML-SLO (#3123)
Found in manual test with SAML SLO , POST Binding
* fix integration test
* fix integration test
* Add acr value into User Authentication (#3127)
re-establish IT
see former retrieval
https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L292-L298
* Cleanup shadow library (#3130)
* Cleanup libraries not needed anymore (#3129)
* Cleanup libraries not needed anymore
bound to old opensaml
* Remove ESAPI finally
this dependency is only there because of old saml
* fix rebase
* sonar issue
https://sonarcloud.io/project/issues?impactSoftwareQualities=RELIABILITY&sinceLeakPeriod=true&issueStatuses=OPEN%2CCONFIRMED&pullRequest=2908&id=cloudfoundry-identity-parent
* remove not needed method
* Add test to run Authn with redirect binding
Will add more coverage in Saml2Utils
* minor sonar issue
* cleanup not used code
* sonar issue with unspecified type
* Fix Sonar issues
Signed-off-by: Duane May <duane.may@broadcom.com>
* Enhancements for SAML2 bearer flow (#3132)
* Test saml bearer
* Fixes for SAML2 bearer flow
* reverted test
* Enhancements for SAML2 bearer and IdP initiated SSO (#3136)
* Test saml bearer
* Fixes for SAML2 bearer flow
* reverted test
* Implement RelyingPartyRegistrationResolver
* support resolution of SAMLResponse from request
* remove default setting
* Use standard setting of metadata
the feature with classpath is new in this PR.
* refactorings based on sonar
* Replace dummy-saml-idp-metadata
and create the data based on real key data
Until now we do not deliver any keys in uaa.war.
* Cleanup test failure
Changed, because of hack with defaults.
* Rename DefaultRelyingPartyRegistrationResolver to UaaRelyingPartyRegistrationResolver
Signed-off-by: Duane May <duane.may@broadcom.com>
* Refactor text blocks
Signed-off-by: Duane May <duane.may@broadcom.com>
---------
Signed-off-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Duane May <duanemay@users.noreply.github.com>
* sonar: unused imports
* sonar: recommendation
* sonar: recommendation
* sonar changes
* sonar changes
* omit hard coded example name (#3140)
* build(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0 (#3146)
Bumps commons-io:commons-io from 2.17.0 to 2.18.0.
---
updated-dependencies:
- dependency-name: commons-io:commons-io
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feature: ingtegration test coverage
- Modified `cargo.local` to run with jacoco agent if a system property is set.
- Added a task to generate coverage report from the recorded jacoco data.
* Add the kill_uaa step to ensure jacoco file is written
* typo
* Bump Gradle to 8.11.1
* fix: default values of custom zone's saml entityID and saml alias (when the configured entityID is a URL)
- maintain the existing behavior where a custom identity zone's saml entityID is defaulted
to either 1) `zoneSubdomain.uaaWideSamlEntityID` if `uaaWideSamlEntityID` is not a URL, or
2) if `uaaWideSamlEntityID` is a URL, integration the zoneSubdomain into the URL
(see tests for example).
- similar logic for saml entity alias (which is used in various saml sp urls, such as `AssertionConsumerService`)
except that the alias should not include url scheme (aka without `https://`), so that
the resulting saml sp urls are valid urls (e.g.: `https://zone1.uaa.com/saml/SSO/alias/[saml entity alias]`,
see tests for examples).
- reference on develop branch (old saml code):
- doc: https://github.com/cloudfoundry/uaa/blob/65952b1b53b8d01cf93e68493a3f6ac85ad8a825/docs/login/Okta-README.md?plain=1#L73-L75
- code: https://github.com/cloudfoundry/uaa/blob/cc5f76fba495e5d1b3fd755ac3a6ff137fc91878/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java#L53-L54
- problem statement:
without this commit, when
* a custom zone is created without a `zone.config.samlConfig.entityID` specified
* the default zone's `login.entityID` is configured to a URL, such as `https://uaa.com`
* the default zone's `login.saml.entityIDAlias` is not set, aka default to `login.entityID`
Then the resulting custom zone sp metadata has some discrepancies with the old saml
code's metadata:
For `AssertionConsumerService`:
- old (correct) value is: https://test-zone-before.uaa.com/saml/SSO/alias/test-zone-before.uaa.com
- new value is: https://test-zone.uaa.com/saml/SSO/alias/test-zone.http:/uaa.com
For `entityID`:
- old (correct) value is: http://test-zone-before.uaa.com
- new value is: test-zone.http://uaa.com
This results in the external SAML login for this zone not working.
* clean version definition
not needed anymore
---------
Signed-off-by: Prateek Gangwal <prateek.gangwal@broadcom.com>
Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Ivan Protsiuk <ivan.protsiuk@broadcom.com>
Signed-off-by: Alicia Yingling <alicia.yingling@broadcom.com>
Signed-off-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
Co-authored-by: Danny Faught <danny.faught@broadcom.com>
Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@broadcom.com>
Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
Co-authored-by: Duane May <duane.may@broadcom.com>
Co-authored-by: Bruce Ricard <bruce.ricard@gmail.com>
Co-authored-by: Filip Hanik <fhanik@vmware.com>
Co-authored-by: Duane May <duanemay@gmail.com>
Co-authored-by: d036670 <markus.strehle@sap.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <11627201+strehle@users.noreply.github.com>
Co-authored-by: Duane May <duanemay@users.noreply.github.com>
Co-authored-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bumps k8s.io/client-go from 0.31.1 to 0.31.2.
Commits
270e5abUpdate dependencies to v0.31.2 tagDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)