New saml 20240430 - Not to merge but just for SAML feature branch testing

build.gradle

@@ -64,6 +64,16 @@ subprojects {
         exclude(group: "org.apache.directory.server", module: "apacheds-protocol-ldap")
         exclude(group: "org.skyscreamer", module: "jsonassert")
         exclude(group: "com.vaadin.external.google", module: "android-json")
+        exclude(group: "com.unboundid.components", module: "json")
+
+        resolutionStrategy {
+            resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+                if (details.requested.group == 'org.opensaml' && details.requested.name.startsWith("opensaml-")) {
+                    details.useVersion "${versions.opensaml}"
+                    details.because 'Spring Security 5.8.x allows OpenSAML 3 or 4. OpenSAML 3 has reached its end-of-life. Spring Security 6 drops support for 3, using 4.'
+                }
+            }
+        }
     }
 
     dependencies {

dependencies.gradle

@@ -18,6 +18,7 @@ versions.seleniumVersion = "4.18.1"
 versions.braveVersion = "6.0.3"
 versions.jacksonVersion = "2.17.1"
 versions.jsonPathVersion = "2.9.0"
+versions.opensaml = "4.0.1" // Spring Security 5.8.x allows OpenSAML 3 or 4. OpenSAML 3 has reached its end-of-life. Spring Security 6 drops support for 3, using 4.
 
 // Versions we're overriding from the Spring Boot Bom (Dependabot does not issue PRs to bump these versions, so we need to manually bump them)
 ext["mariadb.version"] = "2.7.12" // Bumping to v3 breaks some pipeline jobs (and compatibility with Amazon Aurora MySQL), so pinning to v2 for now. v2 (current version) is stable and will be supported until about September 2025 (https://mariadb.com/kb/en/about-mariadb-connector-j/).
@@ -103,7 +104,7 @@ libraries.springRetry = "org.springframework.retry:spring-retry"
 libraries.springSecurityConfig = "org.springframework.security:spring-security-config:${versions.springSecurityVersion}"
 libraries.springSecurityCore = "org.springframework.security:spring-security-core:${versions.springSecurityVersion}"
 libraries.springSecurityLdap = "org.springframework.security:spring-security-ldap:${versions.springSecurityVersion}"
-libraries.springSecuritySaml = "org.springframework.security.extensions:spring-security-saml2-core:${versions.springSecuritySamlVersion}"
+libraries.springSecuritySamlServiceProvider = "org.springframework.security:spring-security-saml2-service-provider:${versions.springSecurityVersion}"
 libraries.springSecurityTaglibs = "org.springframework.security:spring-security-taglibs:${versions.springSecurityVersion}"
 libraries.springSecurityTest = "org.springframework.security:spring-security-test:${versions.springSecurityVersion}"
 libraries.springSecurityWeb = "org.springframework.security:spring-security-web:${versions.springSecurityVersion}"
@@ -125,7 +126,7 @@ libraries.unboundIdLdapSdk = "com.unboundid:unboundid-ldapsdk"
 libraries.unboundIdScimSdk = "com.unboundid.product.scim:scim-sdk:1.8.26"
 libraries.velocity = "org.apache.velocity:velocity-engine-core:2.3"
 libraries.xerces = "xerces:xercesImpl:2.12.2"
-libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt:9.39"
+libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt:9.39.1"
 libraries.xmlSecurity = "org.apache.santuario:xmlsec:4.0.2"
 libraries.orgJson = "org.json:json:20240303"
 libraries.owaspEsapi = "org.owasp.esapi:esapi:2.5.3.1"

k8s/go.mod

@@ -8,9 +8,9 @@ require (
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.33.1
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.30.0
-	k8s.io/apimachinery v0.30.0
-	k8s.io/client-go v0.30.0
+	k8s.io/api v0.30.1
+	k8s.io/apimachinery v0.30.1
+	k8s.io/client-go v0.30.1
 )
 
 require (

k8s/go.sum

@@ -137,12 +137,12 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
-k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
-k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
-k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ=
-k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY=
+k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=
+k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM=
+k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U=
+k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q=
+k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=

model/src/main/java/org/cloudfoundry/identity/uaa/provider/SamlIdentityProviderDefinition.java

@@ -14,6 +14,7 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import lombok.Data;
 import org.cloudfoundry.identity.uaa.util.ObjectUtils;
 import org.springframework.util.StringUtils;
 import org.xml.sax.InputSource;
@@ -25,25 +26,12 @@
 import java.io.StringReader;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
+
 @JsonIgnoreProperties(ignoreUnknown = true)
+@Data
 public class SamlIdentityProviderDefinition extends ExternalIdentityProviderDefinition {
 
-    public enum MetadataLocation {
-        URL,
-        DATA,
-        UNKNOWN
-    }
-
-    public enum ExternalGroupMappingMode {
-        EXPLICITLY_MAPPED,
-        AS_SCOPES
-    }
-
     private String metaDataLocation;
     private String idpEntityAlias;
     private String zoneId;
@@ -57,7 +45,8 @@ public enum ExternalGroupMappingMode {
     private boolean skipSslValidation = false;
     private List<String> authnContext;
 
-    public SamlIdentityProviderDefinition() {}
+    public SamlIdentityProviderDefinition() {
+    }
 
     public SamlIdentityProviderDefinition clone() {
         List<String> emailDomain = getEmailDomain() != null ? new ArrayList<>(getEmailDomain()) : null;
@@ -92,9 +81,9 @@ public SamlIdentityProviderDefinition clone() {
     public MetadataLocation getType() {
         String trimmedLocation = metaDataLocation.trim();
         if (trimmedLocation.startsWith("<?xml") ||
-            trimmedLocation.startsWith("<md:EntityDescriptor") ||
-            trimmedLocation.startsWith("<EntityDescriptor")) {
-            if(validateXml(trimmedLocation)) {
+                trimmedLocation.startsWith("<md:EntityDescriptor") ||
+                trimmedLocation.startsWith("<EntityDescriptor")) {
+            if (validateXml(trimmedLocation)) {
                 return MetadataLocation.DATA;
             }
         } else if (trimmedLocation.startsWith("http")) {
@@ -109,7 +98,7 @@ public MetadataLocation getType() {
     }
 
     private boolean validateXml(String xml) {
-        if (xml==null || xml.toUpperCase().contains("<!DOCTYPE")) {
+        if (xml == null || xml.toUpperCase().contains("<!DOCTYPE")) {
             return false;
         }
         try {
@@ -122,77 +111,41 @@ private boolean validateXml(String xml) {
         return true;
     }
 
-    public String getMetaDataLocation() {
-        return metaDataLocation;
-    }
-
     public SamlIdentityProviderDefinition setMetaDataLocation(String metaDataLocation) {
         this.metaDataLocation = metaDataLocation;
         return this;
     }
 
-    public String getIdpEntityAlias() {
-        return idpEntityAlias;
-    }
-
     public SamlIdentityProviderDefinition setIdpEntityAlias(String idpEntityAlias) {
         this.idpEntityAlias = idpEntityAlias;
         return this;
     }
 
-    public String getNameID() {
-        return nameID;
-    }
-
     public SamlIdentityProviderDefinition setNameID(String nameID) {
         this.nameID = nameID;
         return this;
     }
 
-    public List<String> getAuthnContext() {
-        return authnContext;
-    }
-
     public SamlIdentityProviderDefinition setAuthnContext(List<String> authnContext) {
         this.authnContext = authnContext;
         return this;
     }
 
-    public int getAssertionConsumerIndex() {
-        return assertionConsumerIndex;
-    }
-
     public SamlIdentityProviderDefinition setAssertionConsumerIndex(int assertionConsumerIndex) {
         this.assertionConsumerIndex = assertionConsumerIndex;
         return this;
     }
 
-    public boolean isMetadataTrustCheck() {
-        return metadataTrustCheck;
-    }
-
     public SamlIdentityProviderDefinition setMetadataTrustCheck(boolean metadataTrustCheck) {
         this.metadataTrustCheck = metadataTrustCheck;
         return this;
     }
 
-    public boolean isShowSamlLink() {
-        return showSamlLink;
-    }
-
     public SamlIdentityProviderDefinition setShowSamlLink(boolean showSamlLink) {
         this.showSamlLink = showSamlLink;
         return this;
     }
 
-    public ExternalGroupMappingMode getGroupMappingMode() {
-        return groupMappingMode;
-    }
-
-    public void setGroupMappingMode(ExternalGroupMappingMode asScopes) {
-        this.groupMappingMode = asScopes;
-    }
-
     public String getSocketFactoryClassName() {
         return null;
     }
@@ -211,32 +164,16 @@ public SamlIdentityProviderDefinition setLinkText(String linkText) {
         return this;
     }
 
-    public String getIconUrl() {
-        return iconUrl;
-    }
-
     public SamlIdentityProviderDefinition setIconUrl(String iconUrl) {
         this.iconUrl = iconUrl;
         return this;
     }
 
-    public String getZoneId() {
-        return zoneId;
-    }
-
     public SamlIdentityProviderDefinition setZoneId(String zoneId) {
         this.zoneId = zoneId;
         return this;
     }
 
-    public boolean isSkipSslValidation() {
-        return skipSslValidation;
-    }
-
-    public void setSkipSslValidation(boolean skipSslValidation) {
-        this.skipSslValidation = skipSslValidation;
-    }
-
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
@@ -251,30 +188,41 @@ public boolean equals(Object o) {
     @Override
     public int hashCode() {
         String alias = getUniqueAlias();
-        return alias==null ? 0 : alias.hashCode();
+        return alias == null ? 0 : alias.hashCode();
     }
 
     @JsonIgnore
     public String getUniqueAlias() {
-        return getIdpEntityAlias()+"###"+getZoneId();
+        return getIdpEntityAlias() + "###" + getZoneId();
     }
 
     @Override
     public String toString() {
         return "SamlIdentityProviderDefinition{" +
-            "idpEntityAlias='" + idpEntityAlias + '\'' +
-            ", metaDataLocation='" + metaDataLocation + '\'' +
-            ", nameID='" + nameID + '\'' +
-            ", assertionConsumerIndex=" + assertionConsumerIndex +
-            ", metadataTrustCheck=" + metadataTrustCheck +
-            ", showSamlLink=" + showSamlLink +
-            ", socketFactoryClassName='deprected-not used'" +
-            ", skipSslValidation=" + skipSslValidation +
-            ", linkText='" + linkText + '\'' +
-            ", iconUrl='" + iconUrl + '\'' +
-            ", zoneId='" + zoneId + '\'' +
-            ", addShadowUserOnLogin='" + isAddShadowUserOnLogin() + '\'' +
-            '}';
+                "idpEntityAlias='" + idpEntityAlias + '\'' +
+                ", metaDataLocation='" + metaDataLocation + '\'' +
+                ", nameID='" + nameID + '\'' +
+                ", assertionConsumerIndex=" + assertionConsumerIndex +
+                ", metadataTrustCheck=" + metadataTrustCheck +
+                ", showSamlLink=" + showSamlLink +
+                ", socketFactoryClassName='deprected-not used'" +
+                ", skipSslValidation=" + skipSslValidation +
+                ", linkText='" + linkText + '\'' +
+                ", iconUrl='" + iconUrl + '\'' +
+                ", zoneId='" + zoneId + '\'' +
+                ", addShadowUserOnLogin='" + isAddShadowUserOnLogin() + '\'' +
+                '}';
+    }
+
+    public enum MetadataLocation {
+        URL,
+        DATA,
+        UNKNOWN
+    }
+
+    public enum ExternalGroupMappingMode {
+        EXPLICITLY_MAPPED,
+        AS_SCOPES
     }
 
- }
+}

server/build.gradle

@@ -26,10 +26,7 @@ dependencies {
     implementation(libraries.owaspEsapi) {
         transitive = false
     }
-    implementation(libraries.springSecuritySaml) {
-        exclude(module: "bcprov-ext-jdk15on")
-        exclude(module: "xalan")
-    }
+    implementation(libraries.springSecuritySamlServiceProvider)
     implementation(libraries.jodaTime)
     implementation(libraries.xmlSecurity)
     implementation(libraries.springSessionJdbc)

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilter.java

@@ -36,7 +36,7 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.cloudfoundry.identity.uaa.oauth.common.exceptions.OAuth2Exception;
-import org.springframework.security.saml.SAMLProcessingFilter;
+//import org.springframework.security.saml.SAMLProcessingFilter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 
@@ -75,25 +75,25 @@ public class BackwardsCompatibleTokenEndpointAuthenticationFilter implements Fil
 
     private final OAuth2RequestFactory oAuth2RequestFactory;
 
-    private final SAMLProcessingFilter samlAuthenticationFilter;
+//    private final SAMLProcessingFilter samlAuthenticationFilter;
 
     private final ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager;
 
     public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager,
                                                                 OAuth2RequestFactory oAuth2RequestFactory) {
-        this(authenticationManager, oAuth2RequestFactory, null, null);
+        this(authenticationManager, oAuth2RequestFactory, null);
     }
     /**
      * @param authenticationManager an AuthenticationManager for the incoming request
      */
     public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager,
                                                                 OAuth2RequestFactory oAuth2RequestFactory,
-                                                                SAMLProcessingFilter samlAuthenticationFilter,
+//                                                                SAMLProcessingFilter samlAuthenticationFilter,
                                                                 ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager) {
         super();
         this.authenticationManager = authenticationManager;
         this.oAuth2RequestFactory = oAuth2RequestFactory;
-        this.samlAuthenticationFilter = samlAuthenticationFilter;
+//        this.samlAuthenticationFilter = samlAuthenticationFilter;
         this.externalOAuthAuthenticationManager = externalOAuthAuthenticationManager;
     }
 
@@ -226,15 +226,15 @@ protected Authentication attemptTokenAuthentication(HttpServletRequest request,
 
             return authResult;
         } else if (GRANT_TYPE_SAML2_BEARER.equals(grantType)) {
-            logger.debug(GRANT_TYPE_SAML2_BEARER +" found. Attempting authentication with assertion");
-            String assertion = request.getParameter("assertion");
-            if (assertion != null && samlAuthenticationFilter != null) {
-                logger.debug("Attempting SAML authentication for token endpoint.");
-                authResult = samlAuthenticationFilter.attemptAuthentication(request, response);
-            } else {
-                logger.debug("No assertion or filter, not attempting SAML authentication for token endpoint.");
-                throw new InsufficientAuthenticationException("SAML Assertion is missing");
-            }
+//            logger.debug(GRANT_TYPE_SAML2_BEARER +" found. Attempting authentication with assertion");
+//            String assertion = request.getParameter("assertion");
+//            if (assertion != null && samlAuthenticationFilter != null) {
+//                logger.debug("Attempting SAML authentication for token endpoint.");
+//                authResult = samlAuthenticationFilter.attemptAuthentication(request, response);
+//            } else {
+//                logger.debug("No assertion or filter, not attempting SAML authentication for token endpoint.");
+//                throw new InsufficientAuthenticationException("SAML Assertion is missing");
+//            }
         } else if (GRANT_TYPE_JWT_BEARER.equals(grantType)) {
             logger.debug(GRANT_TYPE_JWT_BEARER +" found. Attempting authentication with assertion");
             String assertion = request.getParameter("assertion");