INDIGO IAM v1.11.0 release

.github/workflows/sonar.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - develop
+
   pull_request:
     types: [opened, edited, reopened, synchronize]
 

CHANGELOG.md

@@ -1,16 +1,52 @@
 # Changelog
 
+## 1.11.0 (2024-12-19)
+
+### What's Changed
+
+* Add confirmation before rotate client secret by @SteDev2 in https://github.com/indigo-iam/iam/pull/875
+* Fix account mapping in VOMS AA by @rmiccoli in https://github.com/indigo-iam/iam/pull/872
+* Add POST endpoint for registration requests confirmation by @enricovianello in https://github.com/indigo-iam/iam/pull/881
+* Fix CERN lifecycle handler by @enricovianello in https://github.com/indigo-iam/iam/pull/871, https://github.com/indigo-iam/iam/pull/896
+* Grant admin scopes to admin-approved clients only by @rmiccoli in https://github.com/indigo-iam/iam/commit/6bbaccd4e85cc1dc1659ea10fa31dd5307b2dc62
+* Client-credentials flow won't create a refresh token by @rmiccoli in https://github.com/indigo-iam/OpenID-Connect-Java-Spring-Server/pull/22
+* Redirect to login page when signing AUP by @federicaagostini in https://github.com/indigo-iam/iam/commit/5acde91cd333d139991e2ba1ee6d5fe062d986a0
+* Fix missing update of matchingPolicy by @garaimanoj in https://github.com/indigo-iam/iam/commit/f15ef57b1e11f3f08e1b5cb2462520efd3c1108d
+* Find account by certificate sub and iss in VOMS AA by @rmiccoli in https://github.com/indigo-iam/iam/pull/897
+* Exclude IAM optional groups from VOMS AC by @rmiccoli in https://github.com/indigo-iam/iam/pull/894
+* Find account by certificate sub and iss in VOMS AA by @rmiccoli in https://github.com/indigo-iam/iam/pull/897
+* Prevent the issue of broken SAML login flow by @DonaldChung-HK in https://github.com/indigo-iam/iam/pull/885
+
+### Added
+
+* (_Experimental_*) Implement MFA by @sam-glendenning, @rmiccoli, @garaimanoj, @Sae126V in https://github.com/indigo-iam/iam/pull/733
+
+(*) This initial release featuring Multi-Factor Authentication is experimental and will be enhanced and expanded with new features in future releases, based also on user feedback.
+
+### MFA experimental feature summary
+
+* Each authenticated user can enable/disable MFA through a button in their homepage
+  * user will use an authenticator, as it is required to generate the time-based one-time passwords (TOTPs) necessary for authentication
+* If issues arise with the authenticator, the IAM administrator can disable MFA for a user
+* Authenticator working for local authentication only
+  * integration with X.509 certificates and external providers not yet supported
+* Encryption and decryption of MFA secrets
+
+#### Configuration
+
+The `mfa` Spring profile is used to enable MFA functionality. By default, MFA is disabled for all users.
+
 ## 1.10.2 (2024-09-30)
 
-## What's Changed
+### What's Changed
 
 * Add devcontainer configuration https://github.com/indigo-iam/iam/pull/835
 * Track refresh tokens in access token AUDIT logs https://github.com/indigo-iam/iam/pull/838
 * Combine CERN HR logic with internal life-cycle https://github.com/indigo-iam/iam/pull/844
 
 ## 1.10.1 (2024-08-22)
 
-## What's Fixed
+### What's Fixed
 
 * Fix repeated suspensions https://github.com/indigo-iam/iam/pull/831
 * Fix typo in AUDIT log for suspended accounts https://github.com/indigo-iam/iam/pull/832
@@ -259,7 +295,6 @@ fixes several bugs for the IAM login service.
 ## 1.7.2 (2021-12-03)
 
 This release provides a single dependency change for the IAM login service
-application.
 
 ### Added
 
@@ -271,6 +306,10 @@ This release provides changes and bug fixes to the IAM test client application.
 
 ### Added
 
+This release provides changes and bug fixes to the IAM test client application.
+
+### Added
+
 - The IAM test client application, in its default configuration, no longer
   exposes tokens, but only the claims contained in tokens. It's possible to
   revert to the previous behavior by setting the `IAM_CLIENT_HIDE_TOKENS=false`

Jenkinsfile

@@ -90,7 +90,7 @@ pipeline {
           post {
             always {
               script {
-                maybeArchiveJUnitReports()
+                maybeArchiveJUnitReportsWithJacoco()
               }
             }
           }

compose/custom-nginx/iam.conf

@@ -38,6 +38,8 @@ server {
     proxy_set_header        X-SSL-Client-Verify  $ssl_client_verify;
     proxy_set_header        X-SSL-Protocol $ssl_protocol;
     proxy_set_header        X-SSL-Server-Name $ssl_server_name;
+
+    proxy_cookie_flags ~ secure samesite=none;
   }
 
   location /iam-test-client {

iam-common/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>it.infn.mw.iam-parent</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.10.2</version>
+    <version>1.11.0</version>
   </parent>
 
   <groupId>it.infn.mw.iam-common</groupId>

iam-login-service/docker/Dockerfile.prod

@@ -1,4 +1,5 @@
 FROM eclipse-temurin:17 as builder
+
 RUN mkdir /indigo-iam
 WORKDIR /indigo-iam
 COPY iam-login-service.war /indigo-iam/

iam-login-service/pom.xml

@@ -22,7 +22,7 @@
   <parent>
     <groupId>it.infn.mw.iam-parent</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.10.2</version>
+    <version>1.11.0</version>
   </parent>
 
   <groupId>it.infn.mw.iam-login-service</groupId>
@@ -92,7 +92,6 @@
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-data-redis</artifactId>
     </dependency>
-
 
     <!-- Web Jars -->
     <dependency>
@@ -221,6 +220,11 @@
       <artifactId>spring-security-oauth2</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-oauth2-client</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-test</artifactId>
@@ -406,6 +410,13 @@
       <artifactId>jaxb-runtime</artifactId>
     </dependency>
 
+    <!-- Secret, TOTP, QR code generator for multi-factor authentication -->
+    <dependency>
+      <groupId>dev.samstevens.totp</groupId>
+      <artifactId>totp</artifactId>
+      <version>1.7.1</version>
+    </dependency>
+
   </dependencies>
 
   <build>

iam-login-service/src/main/java/it/infn/mw/iam/api/account/AccountUtils.java

@@ -15,18 +15,16 @@
  */
 package it.infn.mw.iam.api.account;
 
-import static java.util.Objects.isNull;
-
 import java.util.Optional;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.stereotype.Component;
 
 import it.infn.mw.iam.authn.util.Authorities;
+import it.infn.mw.iam.core.ExtendedAuthenticationToken;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.repository.IamAccountRepository;
 
@@ -35,35 +33,43 @@
 public class AccountUtils {
   IamAccountRepository accountRepo;
 
-  @Autowired
   public AccountUtils(IamAccountRepository accountRepo) {
     this.accountRepo = accountRepo;
   }
 
   public boolean isRegisteredUser(Authentication auth) {
-    if (auth == null || auth.getAuthorities() == null) {
+    if (auth == null || auth.getAuthorities().isEmpty()) {
       return false;
     }
 
     return auth.getAuthorities().contains(Authorities.ROLE_USER);
   }
 
   public boolean isAdmin(Authentication auth) {
-    if (auth == null || auth.getAuthorities() == null) {
+    if (auth == null || auth.getAuthorities().isEmpty()) {
       return false;
     }
 
     return auth.getAuthorities().contains(Authorities.ROLE_ADMIN);
   }
 
+  public boolean isPreAuthenticated(Authentication auth) {
+    if (auth == null || auth.getAuthorities().isEmpty()) {
+      return false;
+    }
+
+    return auth.getAuthorities().contains(Authorities.ROLE_PRE_AUTHENTICATED);
+  }
+
   public boolean isAuthenticated() {
     Authentication auth = SecurityContextHolder.getContext().getAuthentication();
 
     return isAuthenticated(auth);
   }
 
   public boolean isAuthenticated(Authentication auth) {
-    return !(isNull(auth) || auth instanceof AnonymousAuthenticationToken);
+    return auth != null && !(auth instanceof AnonymousAuthenticationToken)
+        && (!(auth instanceof ExtendedAuthenticationToken) || auth.isAuthenticated());
   }
 
   public Optional<IamAccount> getAuthenticatedUserAccount(Authentication authn) {
@@ -72,7 +78,7 @@ public Optional<IamAccount> getAuthenticatedUserAccount(Authentication authn) {
     }
 
     Authentication userAuthn = authn;
-    
+
     if (authn instanceof OAuth2Authentication) {
       OAuth2Authentication oauth = (OAuth2Authentication) authn;
       if (oauth.getUserAuthentication() == null) {
@@ -86,13 +92,13 @@ public Optional<IamAccount> getAuthenticatedUserAccount(Authentication authn) {
   }
 
   public Optional<IamAccount> getAuthenticatedUserAccount() {
-    
+
     Authentication auth = SecurityContextHolder.getContext().getAuthentication();
- 
+
     return getAuthenticatedUserAccount(auth);
   }
-  
-  public Optional<IamAccount> getByAccountId(String accountId){
+
+  public Optional<IamAccount> getByAccountId(String accountId) {
     return accountRepo.findByUuid(accountId);
   }
 }

iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java

@@ -19,20 +19,19 @@
 import static java.lang.String.format;
 import static org.springframework.http.HttpStatus.NO_CONTENT;
 import static org.springframework.web.bind.annotation.RequestMethod.DELETE;
-import static org.springframework.web.bind.annotation.RequestMethod.PUT;
 
 import java.util.List;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.BindingResult;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
@@ -57,7 +56,6 @@ public class AccountAttributesController {
   final IamAccountService accountService;
   final AttributeDTOConverter converter;
 
-  @Autowired
   public AccountAttributesController(IamAccountService accountService,
       AttributeDTOConverter converter) {
     this.converter = converter;
@@ -71,7 +69,7 @@ private void handleValidationError(BindingResult result) {
     }
   }
 
-  @RequestMapping(value = "/iam/account/{id}/attributes", method = RequestMethod.GET)
+  @GetMapping(value = "/iam/account/{id}/attributes")
   @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
   public List<AttributeDTO> getAttributes(@PathVariable String id) {
 
@@ -84,7 +82,7 @@ public List<AttributeDTO> getAttributes(@PathVariable String id) {
     return results;
   }
 
-  @RequestMapping(value = "/iam/account/{id}/attributes", method = PUT)
+  @PutMapping(value = "/iam/account/{id}/attributes")
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void setAttribute(@PathVariable String id, @RequestBody @Validated AttributeDTO attribute,
       final BindingResult validationResult) {

iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java

@@ -20,13 +20,13 @@
 
 import javax.servlet.http.HttpServletRequest;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -50,7 +50,6 @@ public class AccountGroupManagerController {
   final IamGroupRepository groupRepository;
   final UserConverter userConverter;
 
-  @Autowired
   public AccountGroupManagerController(AccountGroupManagerService service,
       IamAccountRepository accountRepo, IamGroupRepository groupRepository,
       UserConverter userConverter) {
@@ -60,9 +59,7 @@ public AccountGroupManagerController(AccountGroupManagerService service,
     this.userConverter = userConverter;
   }
 
-
-
-  @RequestMapping(value = "/iam/account/{accountId}/managed-groups", method = RequestMethod.GET)
+  @GetMapping(value = "/iam/account/{accountId}/managed-groups")
   @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
   public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
       @PathVariable String accountId) {
@@ -72,8 +69,7 @@ public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
     return service.getManagedGroupInfoForAccount(account);
   }
 
-  @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}",
-      method = RequestMethod.POST)
+  @PostMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}")
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @ResponseStatus(value = HttpStatus.CREATED)
   public void addManagedGroupToAccount(@PathVariable String accountId,
@@ -88,8 +84,7 @@ public void addManagedGroupToAccount(@PathVariable String accountId,
     service.addManagedGroupForAccount(account, group);
   }
 
-  @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}",
-      method = RequestMethod.DELETE)
+  @DeleteMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}")
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @ResponseStatus(value = HttpStatus.NO_CONTENT)
   public void removeManagedGroupFromAccount(@PathVariable String accountId,
@@ -104,7 +99,7 @@ public void removeManagedGroupFromAccount(@PathVariable String accountId,
     service.removeManagedGroupForAccount(account, group);
   }
 
-  @RequestMapping(value = "/iam/group/{groupId}/group-managers", method=RequestMethod.GET)
+  @GetMapping(value = "/iam/group/{groupId}/group-managers")
   @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
   public List<ScimUser> getGroupManagersForGroup(@PathVariable String groupId) {
     IamGroup group = groupRepository.findByUuid(groupId)