Merge branch 'master' of https://github.com/Evolveum/midpoint

custom/pom.xml

@@ -1,12 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version="1.0"?>
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum and contributors
+  ~ Copyright (C) 2010-2021 Evolveum and contributors
   ~
   ~ This work is dual-licensed under the Apache License 2.0
   ~ and European Union Public License. See LICENSE file for details.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <parent>

dist/javadoc/pom.xml

@@ -7,7 +7,7 @@
   -->
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <parent>

dist/midpoint-api/pom.xml

@@ -7,7 +7,7 @@
   -->
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <parent>

dist/pom.xml

@@ -1,12 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version="1.0"?>
 <!--
-  ~ Copyright (c) 2010-2019 Evolveum and contributors
+  ~ Copyright (C) 2010-2021 Evolveum and contributors
   ~
   ~ This work is dual-licensed under the Apache License 2.0
   ~ and European Union Public License. See LICENSE file for details.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <parent>

gui/admin-gui/pom.xml

@@ -1,11 +1,13 @@
+<?xml version="1.0"?>
 <!--
   ~ Copyright (C) 2010-2021 Evolveum and contributors
   ~
   ~ This work is dual-licensed under the Apache License 2.0
   ~ and European Union Public License. See LICENSE file for details.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <parent>

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/AbstractPageLogin.java

@@ -132,7 +132,10 @@ protected void createBreadcrumb() {
     @Override
     protected void onBeforeRender() {
         super.onBeforeRender();
+        confirmUserPrincipal();
+    }
 
+    protected void confirmUserPrincipal() {
         if (SecurityUtils.getPrincipalUser() != null) {
             MidPointApplication app = getMidpointApplication();
             throw new RestartResponseException(app.getHomePage());

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageLogin.java

@@ -193,6 +193,6 @@ private String getUrlProcessingLogin() {
             }
         }
 
-        return "/midpoint/spring_security_login";
+        return "./spring_security_login";
     }
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageSamlSelect.html

@@ -12,9 +12,17 @@
 <body>
 <wicket:extend>
     <h4><wicket:message key="PageSamlSelect.select.identity.provider"/></h4>
-    <div wicket:id="providers">
+    <div wicket:id="providers" class="col-md-12">
         <a wicket:id="provider"/>
     </div>
+    <div class="pull-right">
+        <form method="post" wicket:id="logoutForm">
+
+            <div wicket:id="csrfField"/>
+
+            <input type="submit" wicket:message="value:UserMenuPanel.logout"/>
+        </form>
+    </div>
 </wicket:extend>
 
 </body>

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageSamlSelect.java

@@ -10,9 +10,17 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
+import com.evolveum.midpoint.web.component.form.MidpointForm;
+import com.evolveum.midpoint.web.component.util.VisibleBehaviour;
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+
+import org.apache.wicket.AttributeModifier;
+import org.apache.wicket.markup.html.WebMarkupContainer;
 import org.apache.wicket.markup.html.link.ExternalLink;
 import org.apache.wicket.markup.html.list.ListItem;
 import org.apache.wicket.markup.html.list.ListView;
+import org.apache.wicket.model.IModel;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 
@@ -23,6 +31,8 @@
 import com.evolveum.midpoint.web.security.module.authentication.Saml2ModuleAuthentication;
 import com.evolveum.midpoint.web.security.util.IdentityProvider;
 
+import org.springframework.security.saml.SamlAuthentication;
+
 /**
  * @author skublik
  */
@@ -32,18 +42,38 @@
 public class PageSamlSelect extends AbstractPageLogin implements Serializable {
     private static final long serialVersionUID = 1L;
 
+    private static final String ID_PROVIDERS = "providers";
+    private static final String ID_PROVIDER = "provider";
+    private static final String ID_LOGOUT_FORM = "logoutForm";
+    private static final String ID_CSRF_FIELD = "csrfField";
+
     public PageSamlSelect() {
     }
 
     @Override
     protected void initCustomLayer() {
         List<IdentityProvider> providers = getProviders();
-        add(new ListView<IdentityProvider>("providers", providers) {
+        add(new ListView<IdentityProvider>(ID_PROVIDERS, providers) {
             @Override
             protected void populateItem(ListItem<IdentityProvider> item) {
-                item.add(new ExternalLink("provider", item.getModelObject().getRedirectLink(), item.getModelObject().getLinkText()));
+                item.add(new ExternalLink(ID_PROVIDER, item.getModelObject().getRedirectLink(), item.getModelObject().getLinkText()));
             }
         });
+        MidpointForm<?> form = new MidpointForm<>(ID_LOGOUT_FORM);
+        ModuleAuthentication actualModule = SecurityUtils.getProcessingModule(false);
+        form.add(new VisibleBehaviour(() -> existSamlAuthentication(actualModule)));
+        form.add(AttributeModifier.replace("action",
+                (IModel<String>) () -> existSamlAuthentication(actualModule) ?
+                        SecurityUtils.getPathForLogoutWithContextPath(getRequest().getContextPath(), actualModule) : ""));
+        add(form);
+
+        WebMarkupContainer csrfField = SecurityUtils.createHiddenInputForCsrf(ID_CSRF_FIELD);
+        form.add(csrfField);
+    }
+
+    private boolean existSamlAuthentication(ModuleAuthentication actualModule) {
+        return actualModule instanceof Saml2ModuleAuthentication
+                && actualModule.getAuthentication() instanceof SamlAuthentication;
     }
 
     private List<IdentityProvider> getProviders() {
@@ -68,4 +98,8 @@ private List<IdentityProvider> getProviders() {
         error(getString(key));
         return providers;
     }
+
+    @Override
+    protected void confirmUserPrincipal() {
+    }
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SamlAuthenticationEntryPoint.java

@@ -13,6 +13,9 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import com.evolveum.midpoint.model.api.authentication.StateOfModule;
+import com.evolveum.midpoint.web.security.module.SamlModuleWebSecurityConfig;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -40,9 +43,13 @@ public void commence(HttpServletRequest request, HttpServletResponse response, A
             ModuleAuthentication moduleAuthentication = mpAuthentication.getProcessingModuleAuthentication();
             if (moduleAuthentication instanceof Saml2ModuleAuthentication) {
                 providers = ((Saml2ModuleAuthentication) moduleAuthentication).getProviders();
-                if (providers.size() == 1
-                        && request.getSession().getAttribute("SPRING_SECURITY_LAST_EXCEPTION") == null) {
-                    response.sendRedirect(providers.get(0).getRedirectLink());
+                if (request.getSession().getAttribute("SPRING_SECURITY_LAST_EXCEPTION") == null) {
+                    if (providers.size() == 1) {
+                        response.sendRedirect(providers.get(0).getRedirectLink());
+                        return;
+                    }
+                } else if (SamlModuleWebSecurityConfig.SAML_LOGIN_PATH.equals(request.getServletPath())
+                        && StateOfModule.LOGIN_PROCESSING.equals(moduleAuthentication.getState())) {
                     return;
                 }
             }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointAuthFilter.java

@@ -243,12 +243,12 @@ private int restartAuthFlow(HttpServletRequest httpRequest, AuthenticationSequen
     }
 
     private void createMpAuthentication(HttpServletRequest httpRequest, AuthenticationSequenceType sequence, List<AuthModule> authModules) {
-        SecurityContextHolder.getContext().setAuthentication(null);
-        SecurityContextHolder.getContext().setAuthentication(new MidpointAuthentication(sequence));
-        MidpointAuthentication mpAuthentication = (MidpointAuthentication) SecurityContextHolder.getContext().getAuthentication();
+        MidpointAuthentication mpAuthentication = new MidpointAuthentication(sequence);
         mpAuthentication.setAuthModules(authModules);
         mpAuthentication.setSessionId(httpRequest.getSession(false) != null ? httpRequest.getSession(false).getId() : RandomStringUtils.random(30, true, true).toUpperCase());
         mpAuthentication.addAuthentications(authModules.get(0).getBaseModuleAuthentication());
+        SecurityContextHolder.getContext().setAuthentication(null);
+        SecurityContextHolder.getContext().setAuthentication(mpAuthentication);
     }
 
     private void resolveErrorWithMoreModules(MidpointAuthentication mpAuthentication, HttpServletRequest httpRequest) {

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/SamlModuleWebSecurityConfig.java

@@ -59,6 +59,7 @@
 public class SamlModuleWebSecurityConfig<C extends SamlModuleWebSecurityConfiguration> extends ModuleWebSecurityConfig<C> {
 
     private static final Trace LOGGER = TraceManager.getTrace(SamlModuleWebSecurityConfig.class);
+    public static final String SAML_LOGIN_PATH = "/saml2/select";
 
     @Autowired
     private ModelAuditRecorder auditProvider;
@@ -79,7 +80,7 @@ protected void configure(HttpSecurity http) throws Exception {
         http.csrf().disable();
 
         getOrApply(http, new MidpointExceptionHandlingConfigurer())
-                .authenticationEntryPoint(new SamlAuthenticationEntryPoint("/saml2/select"));
+                .authenticationEntryPoint(new SamlAuthenticationEntryPoint(SAML_LOGIN_PATH));
 
         http.addFilterAfter(
                 getBeanConfiguration().samlConfigurationFilter(),

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/CredentialModuleAuthentication.java

@@ -44,6 +44,7 @@ public void setCredentialType(Class<? extends CredentialPolicyType> credentialTy
 
     public ModuleAuthentication clone() {
         CredentialModuleAuthentication module = new CredentialModuleAuthentication(this.getNameOfModuleType());
+        module.setAuthentication(this.getAuthentication());
         clone(module);
         return module;
     }
@@ -54,6 +55,7 @@ protected void clone(ModuleAuthentication module) {
             ((CredentialModuleAuthentication)module).setCredentialName(getCredentialName());
             ((CredentialModuleAuthentication)module).setCredentialType(getCredentialType());
         }
+        module.setAuthentication(this.getAuthentication());
         super.clone(module);
     }
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/HttpHeaderModuleAuthentication.java

@@ -25,6 +25,7 @@ public HttpHeaderModuleAuthentication() {
 
     public ModuleAuthentication clone() {
         HttpHeaderModuleAuthentication module = new HttpHeaderModuleAuthentication();
+        module.setAuthentication(this.getAuthentication());
         clone(module);
         return module;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/HttpModuleAuthentication.java

@@ -49,6 +49,7 @@ protected void clone(ModuleAuthentication module) {
             ((HttpModuleAuthentication)module).setProxyUserOid(this.getProxyUserOid());
             ((HttpModuleAuthentication)module).setRealm(this.getRealm());
         }
+        module.setAuthentication(this.getAuthentication());
         super.clone(module);
     }
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/LdapModuleAuthentication.java

@@ -28,6 +28,7 @@ public LdapModuleAuthentication() {
     public ModuleAuthentication clone() {
         LdapModuleAuthentication module = new LdapModuleAuthentication();
         module.setNamingAttribute(this.namingAttribute);
+        module.setAuthentication(this.getAuthentication());
         clone(module);
         return module;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/LoginFormModuleAuthentication.java

@@ -21,6 +21,7 @@ public LoginFormModuleAuthentication() {
 
     public ModuleAuthentication clone() {
         LoginFormModuleAuthentication module = new LoginFormModuleAuthentication();
+        module.setAuthentication(this.getAuthentication());
         super.clone(module);
         return module;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/MailNonceModuleAuthentication.java

@@ -21,6 +21,7 @@ public MailNonceModuleAuthentication() {
 
     public ModuleAuthentication clone() {
         MailNonceModuleAuthentication module = new MailNonceModuleAuthentication();
+        module.setAuthentication(this.getAuthentication());
         super.clone(module);
         return module;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/OtherModuleAuthentication.java

@@ -36,6 +36,7 @@ public OtherModuleAuthentication() {
 
     public ModuleAuthentication clone() {
         OtherModuleAuthentication module = new OtherModuleAuthentication();
+        module.setAuthentication(this.getAuthentication());
         clone(module);
         return module;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/Saml2ModuleAuthentication.java

@@ -6,12 +6,14 @@
  */
 package com.evolveum.midpoint.web.security.module.authentication;
 
-import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
-import com.evolveum.midpoint.model.api.authentication.AuthenticationModuleNameConstants;
-import com.evolveum.midpoint.model.api.authentication.ModuleType;
-import com.evolveum.midpoint.model.api.authentication.StateOfModule;
+import com.evolveum.midpoint.model.api.authentication.*;
 import com.evolveum.midpoint.web.security.util.IdentityProvider;
 import com.evolveum.midpoint.web.security.util.RequestState;
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.saml.SamlAuthentication;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -62,6 +64,18 @@ public ModuleAuthentication clone() {
         Saml2ModuleAuthentication module = new Saml2ModuleAuthentication();
         module.setNamesOfUsernameAttributes(this.getNamesOfUsernameAttributes());
         module.setProviders(this.getProviders());
+        Authentication actualAuth = SecurityContextHolder.getContext().getAuthentication();
+        Authentication newAuthentication = this.getAuthentication();
+        if (actualAuth instanceof MidpointAuthentication
+                && ((MidpointAuthentication) actualAuth).getAuthentications() != null
+                && !((MidpointAuthentication) actualAuth).getAuthentications().isEmpty()) {
+            ModuleAuthentication actualModule = ((MidpointAuthentication) actualAuth).getAuthentications().get(0);
+            if (actualModule instanceof Saml2ModuleAuthentication
+                    && actualModule.getAuthentication() instanceof SamlAuthentication) {
+                newAuthentication = actualModule.getAuthentication();
+            }
+        }
+        module.setAuthentication(newAuthentication);
         super.clone(module);
         return module;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/authentication/SecurityQuestionFormModuleAuthentication.java

@@ -21,6 +21,7 @@ public SecurityQuestionFormModuleAuthentication() {
 
     public ModuleAuthentication clone() {
         SecurityQuestionFormModuleAuthentication module = new SecurityQuestionFormModuleAuthentication();
+        module.setAuthentication(this.getAuthentication());
         super.clone(module);
         return module;
     }