Improve Testing of SAML Request/Response

- Improve Testing of SAML Request/Response with Saml2TestUtils
- Configure assertionConsumerServiceLocation in one location.

- Attempted move to OpenSaml4AuthenticationProvider
requires a shadow dependency on opensaml to remove the need for non-FIPS compliant security provider. Not yet in place

Signed-off-by: Duane May <duane.may@broadcom.com>
Signed-off-by: Alicia Yingling <alicia.yingling@broadcom.com>

build.gradle

@@ -21,6 +21,7 @@ buildscript {
         classpath(libraries.testRetryPlugin)
         classpath(libraries.gradleJcocoPlugin)
         classpath(libraries.sonarqubePlugin)
+        //classpath(libraries.shadowPlugin)
     }
 }
 
@@ -66,6 +67,14 @@ subprojects {
         exclude(group: "com.vaadin.external.google", module: "android-json")
         exclude(group: "com.unboundid.components", module: "json")
 
+        // Exclude opensaml-security-api and non-FIPS bouncycastle libs, and use Shadow library for FIPS compliance
+        exclude(group: "org.bouncycastle", module: "bcpkix-jdk15on")
+        exclude(group: "org.bouncycastle", module: "bcprov-jdk15on")
+        exclude(group: "org.bouncycastle", module: "bcutil-jdk15on")
+        exclude(group: "org.bouncycastle", module: "bcprov-jdk18on")
+        exclude(group: "org.bouncycastle", module: "bcpkix-jdk18on")
+        exclude(group: "org.bouncycastle", module: "bcutil-jdk18on")
+
         resolutionStrategy {
             resolutionStrategy.eachDependency { DependencyResolveDetails details ->
                 if (details.requested.group == 'org.opensaml' && details.requested.name.startsWith("opensaml-")) {

dependencies.gradle

@@ -6,7 +6,9 @@ ext {
 // Versions shared between multiple dependencies
 versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM27"
-versions.bouncyCastleVersion = "1.0.2.5"
+versions.bouncyCastleFipsVersion = "1.0.2.5"
+versions.bouncyCastlePkixFipsVersion = "1.0.7"
+versions.bouncyCastleTlsFipsVersion = "1.0.19"
 versions.hamcrestVersion = "2.2"
 versions.springBootVersion = "2.7.18"
 versions.springFrameworkVersion = "5.3.36"
@@ -43,8 +45,9 @@ libraries.apacheDsProtocolLdap = "org.apache.directory.server:apacheds-protocol-
 libraries.apacheLdapApi = "org.apache.directory.api:api-ldap-model:2.1.6"
 libraries.aspectJRt = "org.aspectj:aspectjrt"
 libraries.aspectJWeaver = "org.aspectj:aspectjweaver"
-libraries.bouncyCastlePkix = "org.bouncycastle:bcpkix-fips:1.0.7"
-libraries.bouncyCastleProv = "org.bouncycastle:bc-fips:${versions.bouncyCastleVersion}"
+libraries.bouncyCastlePkixFips = "org.bouncycastle:bcpkix-fips:${versions.bouncyCastlePkixFipsVersion}"
+libraries.bouncyCastleFipsProv = "org.bouncycastle:bc-fips:${versions.bouncyCastleFipsVersion}"
+libraries.bouncyCastleTlsFips = "org.bouncycastle:bctls-fips:${versions.bouncyCastleTlsFipsVersion}"
 libraries.braveInstrumentationSpringWebmvc = "io.zipkin.brave:brave-instrumentation-spring-webmvc:${versions.braveVersion}"
 libraries.braveContextSlf4j = "io.zipkin.brave:brave-context-slf4j:${versions.braveVersion}"
 libraries.commonsCodec = "commons-codec:commons-codec:1.17.0"
@@ -78,6 +81,7 @@ libraries.lombok = "org.projectlombok:lombok"
 libraries.mariaJdbcDriver = "org.mariadb.jdbc:mariadb-java-client"
 libraries.mockito = "org.mockito:mockito-core"
 libraries.mockitoJunit5 = "org.mockito:mockito-junit-jupiter"
+libraries.openSamlApi = "org.opensaml:opensaml-saml-api:${versions.opensaml}"
 libraries.passay = "org.passay:passay:1.6.4"
 libraries.postgresql = "org.postgresql:postgresql:42.7.3"
 libraries.selenium = "org.seleniumhq.selenium:selenium-java:${versions.seleniumVersion}"
@@ -127,6 +131,7 @@ libraries.velocity = "org.apache.velocity:velocity-engine-core:2.3"
 libraries.xerces = "xerces:xercesImpl:2.12.2"
 libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt:9.40"
 libraries.xmlSecurity = "org.apache.santuario:xmlsec:4.0.2"
+libraries.xmlUnit = "org.xmlunit:xmlunit-assertj:2.10.0"
 libraries.orgJson = "org.json:json:20240303"
 libraries.owaspEsapi = "org.owasp.esapi:esapi:2.5.4.0"
 libraries.jodaTime = "joda-time:joda-time:2.12.7"
@@ -139,3 +144,4 @@ libraries.springBootGradlePlugin = "org.springframework.boot:spring-boot-gradle-
 libraries.springDependencyMangementGradlePlugin = "io.spring.gradle:dependency-management-plugin"
 libraries.gradleJcocoPlugin = "org.barfuin.gradle.jacocolog:gradle-jacoco-log:3.1.0"
 libraries.sonarqubePlugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:5.0.0.4638"
+//libraries.shadowPlugin = "com.github.johnrengelman:shadow:8.1.1"

model/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProvider.java

@@ -23,7 +23,7 @@
 import com.fasterxml.jackson.databind.SerializerProvider;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
-
+import lombok.Getter;
 import org.cloudfoundry.identity.uaa.EntityWithAlias;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.springframework.util.StringUtils;
@@ -44,6 +44,7 @@
 import static org.cloudfoundry.identity.uaa.util.JsonUtils.getNodeAsInt;
 import static org.cloudfoundry.identity.uaa.util.JsonUtils.getNodeAsString;
 
+@Getter
 @JsonSerialize(using = IdentityProvider.IdentityProviderSerializer.class)
 @JsonDeserialize(using = IdentityProvider.IdentityProviderDeserializer.class)
 public class IdentityProvider<T extends AbstractIdentityProviderDefinition> implements EntityWithAlias {
@@ -78,62 +79,40 @@ public class IdentityProvider<T extends AbstractIdentityProviderDefinition> impl
     private String identityZoneId;
     private String aliasId;
     private String aliasZid;
-    public Date getCreated() {
-        return created;
-    }
+    @JsonIgnore
+    private boolean serializeConfigRaw;
 
-    public IdentityProvider setCreated(Date created) {
+    public IdentityProvider<T> setCreated(Date created) {
         this.created = created;
         return this;
     }
 
-    public Date getLastModified() {
-        return lastModified;
-    }
-
-    public IdentityProvider setLastModified(Date lastModified) {
+    public IdentityProvider<T> setLastModified(Date lastModified) {
         this.lastModified = lastModified;
         return this;
     }
 
-    public IdentityProvider setVersion(int version) {
+    public IdentityProvider<T> setVersion(int version) {
         this.version = version;
         return this;
     }
 
-    public int getVersion() {
-        return version;
-    }
-
-    public String getName() {
-        return name;
-    }
-
-    public IdentityProvider setName(String name) {
+    public IdentityProvider<T> setName(String name) {
         this.name = name;
         return this;
     }
 
-    @Override
-    public String getId() {
-        return id;
+    public IdentityProvider<T> setId(String id) {
+        this.id = id;
+        return this;
     }
 
     @Override
     public String getZoneId() {
         return getIdentityZoneId();
     }
 
-    public IdentityProvider setId(String id) {
-        this.id = id;
-        return this;
-    }
-
-    public T getConfig() {
-        return config;
-    }
-
-    public IdentityProvider setConfig(T config) {
+    public IdentityProvider<T> setConfig(T config) {
         if (config == null) {
             this.type = UNKNOWN;
         } else {
@@ -166,11 +145,7 @@ public IdentityProvider setConfig(T config) {
         return this;
     }
 
-    public String getOriginKey() {
-        return originKey;
-    }
-
-    public IdentityProvider setOriginKey(String originKey) {
+    public IdentityProvider<T> setOriginKey(String originKey) {
         this.originKey = originKey;
         if (config != null && config instanceof SamlIdentityProviderDefinition) {
             ((SamlIdentityProviderDefinition) config).setIdpEntityAlias(originKey);
@@ -179,51 +154,29 @@ public IdentityProvider setOriginKey(String originKey) {
         return this;
     }
 
-    public String getType() {
-        return type;
-    }
-
-    public IdentityProvider setType(String type) {
+    public IdentityProvider<T> setType(String type) {
         this.type = type;
         return this;
     }
 
-    public boolean isActive() {
-        return active;
-    }
-
-    public IdentityProvider setActive(boolean active) {
+    public IdentityProvider<T> setActive(boolean active) {
         this.active = active;
         return this;
     }
 
-    public String getIdentityZoneId() {
-        return identityZoneId;
-    }
-
-    public IdentityProvider setIdentityZoneId(String identityZoneId) {
+    public IdentityProvider<T> setIdentityZoneId(String identityZoneId) {
         this.identityZoneId = identityZoneId;
         if (config != null && config instanceof SamlIdentityProviderDefinition) {
             ((SamlIdentityProviderDefinition) config).setZoneId(identityZoneId);
         }
         return this;
     }
 
-    @Override
-    public String getAliasId() {
-        return aliasId;
-    }
-
     @Override
     public void setAliasId(String aliasId) {
         this.aliasId = aliasId;
     }
 
-    @Override
-    public String getAliasZid() {
-        return aliasZid;
-    }
-
     @Override
     public void setAliasZid(String aliasZid) {
         this.aliasZid = aliasZid;
@@ -304,9 +257,7 @@ public boolean equals(Object obj) {
         } else if (!aliasZid.equals(other.aliasZid)) {
             return false;
         }
-        if (version != other.version)
-            return false;
-        return true;
+        return version == other.version;
     }
 
     @Override
@@ -344,13 +295,6 @@ public String toString() {
         return sb.toString();
     }
 
-    private boolean serializeConfigRaw;
-
-    @JsonIgnore
-    public boolean isSerializeConfigRaw() {
-        return serializeConfigRaw;
-    }
-
     @JsonIgnore
     public void setSerializeConfigRaw(boolean serializeConfigRaw) {
         this.serializeConfigRaw = serializeConfigRaw;
@@ -446,8 +390,5 @@ public IdentityProvider deserialize(JsonParser jp, DeserializationContext ctxt)
             result.setAliasZid(getNodeAsString(node, FIELD_ALIAS_ZID, null));
             return result;
         }
-
-
     }
-
 }

scripts/count-disabled-tests.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# Gives counts of Disabled/Ignored Unit/Integration tests in the project
+# Usage: count-disabled-tests.sh [-l]
+# -l: List the disabled/ignored tests
+
+function main() {
+  local tempFile
+  local searchFor
+  local disableCount
+  local ignoreCount
+  local total
+  local unitTestsCount
+  local integrationTestsCount
+
+  tempFile=$(mktemp)
+  searchFor='Disabled'
+  find . -type f \( ! -wholename '*/target/*' ! -wholename './node_modules/*' ! -wholename '*/tmp/*' ! -wholename './out/*' ! -wholename '*/.gradle/*' ! -wholename '*/build/*' ! -wholename './.idea/*' ! -wholename './.git/*' \) -exec grep -H -A 1 "@$searchFor" {} \; | sed -e "s/^\.\///" | sed "/^--$/d; /\@${searchFor}/d" >"$tempFile"
+  disableCount=$(wc -l <"$tempFile")
+
+  searchFor='Ignore'
+  find . -type f \( ! -wholename '*/target/*' ! -wholename './node_modules/*' ! -wholename '*/tmp/*' ! -wholename './out/*' ! -wholename '*/.gradle/*' ! -wholename '*/build/*' ! -wholename './.idea/*' ! -wholename './.git/*' \) -exec grep -H -A 1 "@$searchFor" {} \; | sed -e "s/^\.\///" | sed "/^--$/d; /\@${searchFor}/d" >>"$tempFile"
+  total=$(wc -l <"$tempFile")
+  ignoreCount=$(($total - $disableCount))
+
+  echo "Disabled: $disableCount"
+  echo "Ignored:  $ignoreCount"
+  echo "Total:    $total"
+  echo
+
+  unitTestsCount=$(cat "$tempFile" | grep -v "IT.java" | wc -l)
+  integrationTestsCount=$(cat "$tempFile" | grep "IT.java" | wc -l)
+  echo "Unit Tests:        $unitTestsCount"
+  echo "Integration Tests: $integrationTestsCount"
+  echo "Total:             $total"
+
+  if [[ "$1" -eq "-l" ]]; then
+    echo
+    echo Unit Tests:
+    echo
+    cat "$tempFile" | grep -v "IT.java" | sort
+
+    echo
+    echo Integration Tests:
+    echo
+    cat "$tempFile" | grep "IT.java" | sort
+
+  fi
+
+  rm "$tempFile"
+}
+
+main "$@"

server/build.gradle

@@ -5,6 +5,8 @@ description = "CloudFoundry Identity Server JAR"
 dependencies {
     implementation(project(":cloudfoundry-identity-metrics-data"))
     implementation(project(":cloudfoundry-identity-model"))
+    // Shadow library is needed for FIPS compliance, as opensaml-security-api relies on non-FIPS compliant libraries
+    //implementation(project(path: ':cloudfoundry-identity-shadow-opensaml-security-api', configuration: 'shadow'))
 
     implementation(libraries.tomcatJdbc)
     providedCompile(libraries.tomcatEmbed)
@@ -31,8 +33,9 @@ dependencies {
     implementation(libraries.xmlSecurity)
     implementation(libraries.springSessionJdbc)
 
-    implementation(libraries.bouncyCastleProv)
-    implementation(libraries.bouncyCastlePkix)
+    implementation(libraries.bouncyCastleFipsProv)
+    implementation(libraries.bouncyCastleTlsFips)
+    implementation(libraries.bouncyCastlePkixFips)
 
     implementation(libraries.guava)
 
@@ -116,11 +119,18 @@ dependencies {
 configurations.all {
     exclude(group: "org.beanshell", module: "bsh-core")
     exclude(group: "org.apache-extras.beanshell", module: "bsh")
-    exclude(group: "org.bouncycastle", module: "bcpkix-jdk15on")
-    exclude(group: "org.bouncycastle", module: "bcprov-jdk15on")
     exclude(group: "com.fasterxml.woodstox", module: "woodstox-core")
     exclude(group: "commons-beanutils", module: "commons-beanutils")
     exclude(group: "commons-collections", module: "commons-collections")
+
+    // Exclude opensaml-security-api and non-FIPS bouncycastle libs, and use Shadow library for FIPS compliance
+    //exclude(group: "org.opensaml", module: "opensaml-security-api")
+    exclude(group: "org.bouncycastle", module: "bcpkix-jdk15on")
+    exclude(group: "org.bouncycastle", module: "bcprov-jdk15on")
+    exclude(group: "org.bouncycastle", module: "bcutil-jdk15on")
+    exclude(group: "org.bouncycastle", module: "bcprov-jdk18on")
+    exclude(group: "org.bouncycastle", module: "bcpkix-jdk18on")
+    exclude(group: "org.bouncycastle", module: "bcutil-jdk18on")
 }
 
 jar {