Merge branch 'releases/4.10.0'

.gitignore

@@ -30,6 +30,7 @@ build/
 bin
 phantomjsdriver.log
 
+uaa/node_modules
 # Docs
 uaa/slate/package-lock.json
 uaa/slate/node_modules

.travis.yml

@@ -22,6 +22,15 @@ matrix:
       env:
         - TESTENV=sqlserver,default
         - TEST_COMMAND=cloudfoundry-identity-server:test
+    - os: linux
+      dist: trusty
+      jdk: oraclejdk8
+      sudo: required
+      group: deprecated-2017Q4
+      language: java
+      env:
+        - TESTENV=default
+        - TEST_COMMAND=jasmineTest
     - os: linux
       dist: trusty
       jdk: oraclejdk8
@@ -167,6 +176,8 @@ install:
 - if [ "$TESTENV" = "keystone,default" ]; then ./scripts/keystone/configure-manifest.sh; fi
 - mkdir -p $HOME/build/cloudfoundry/uaa/uaa/build/reports/tests
 - sudo apt-get -qy install lsof
+- nvm install node
+- nvm use node
 script:
 - sudo lsof -i :33389 || echo "Nothing listening on port 33389"
 - sudo lsof -i :33636 || echo "Nothing listening on port 33636"
@@ -178,18 +189,6 @@ after_success:
 - for i in $(find $HOME/build/cloudfoundry/uaa/ -name reports -type d); do rm -rf $i; done
 - /bin/df -h
 - /usr/bin/du -sh *
-#- python scripts/travis/travis_after_all.py
-#- export $(cat .to_export_back)
-#- ! "if [ \"$BUILD_LEADER\" = \"YES\" ]; then\n  if [ \"$BUILD_AGGREGATE_STATUS\"
-#  = \"others_succeeded\" ]; then\n    echo \"All Succeeded!\"\n else\n    echo \"Some Failed\"\n  fi\nfi\n"
-#after_failure:
-#- python scripts/travis/travis_after_all.py
-#- export $(cat .to_export_back)
-#- ! "if [ \"$BUILD_LEADER\" = \"YES\" ]; then\n  if [ \"$BUILD_AGGREGATE_STATUS\"
-#  = \"others_failed\" ]; then\n    echo \"All Failed\"\n  else\n    echo \"Some Failed\"\n
-#  \ fi\nfi\n"
-#after_script:
-#- echo leader=$BUILD_LEADER status=$BUILD_AGGREGATE_STATUS
 
 after_failure:
 - /bin/df -h

docs/UAA-Audit.rst

@@ -74,7 +74,7 @@ Authentication and Password Events
     - Happens: When a user successfully authenticates for the password login
     - Data Recorded: User ID and Username
 
-* PasswordVerificationFailure
+* IdentityProviderAuthenticationFailure
     - Happens: When a user authentication fails for the password login, and user exists
     - Data Recorded: User ID
     - Notes: Followed by a UserAuthenticationFailureEvent and PrincipalAuthenticationFailureEvent

gradle.properties

@@ -1 +1 @@
-version=4.9.0
+version=4.10.0

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
-#Mon Dec 14 13:52:13 PST 2015
+#Mon Feb 05 09:03:30 PST 2018
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.4.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.4.1-all.zip

metrics-data/build.gradle

@@ -17,9 +17,9 @@ description = 'CloudFoundry Identity Metrics Data Jar'
 
 dependencies {
   compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: parent.jacksonVersion
+  compile group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: parent.jacksonVersion
   testCompile group: 'junit', name: 'junit', version: parent.junitVersion
   testCompile group: 'org.hamcrest', name: 'hamcrest-all', version: parent.hamcrestVersion
-
 }
 
 processResources {

server/build.gradle

@@ -34,6 +34,7 @@ dependencies {
     exclude(group: 'ca.juliusdavies', module: 'not-yet-commons-ssl')
     exclude(group: "org.apache.velocity", module: 'velocity')
   }
+  compile group: 'org.apache.santuario', name: 'xmlsec', version: parent.openSamlXmlSec
   compile group: 'org.apache.velocity', name: 'velocity-engine-core', version: '2.0'
 
   compile (group:'org.owasp.esapi', name:'esapi', version:parent.esapiVersion) {
@@ -124,4 +125,4 @@ processResources {
 
 integrationTest {}.onlyIf { //disable since we don't have any
   true == false
-}
+}

server/src/main/java/org/cloudfoundry/identity/uaa/audit/AuditEvent.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -23,14 +23,18 @@ public class AuditEvent {
     private final long time;
     private final String data;
     private final String identityZoneId;
+    private final String description;
+    private final String authenticationType;
 
-    public AuditEvent(AuditEventType type, String principalId, String origin, String data, long time, String identityZoneId) {
+    public AuditEvent(AuditEventType type, String principalId, String origin, String data, long time, String identityZoneId, String authenticationType, String description) {
         this.type = type;
         this.data = data;
         this.origin = origin;
         this.time = time;
         this.principalId = principalId;
         this.identityZoneId = identityZoneId;
+        this.description = description;
+        this.authenticationType = authenticationType;
     }
 
     public AuditEventType getType() {
@@ -57,4 +61,7 @@ public String getIdentityZoneId() {
         return identityZoneId;
     }
 
+    public String getDescription() { return description; }
+
+    public String getAuthenticationType() { return authenticationType; }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/audit/AuditEventType.java

@@ -59,7 +59,7 @@ public enum AuditEventType {
     UserAccountUnlockedEvent(35),
     TokenRevocationEvent(36),
     IdentityProviderAuthenticationSuccess(37),
-    PasswordAuthenticationFailure(38),
+    IdentityProviderAuthenticationFailure(38),
     MfaAuthenticationSuccess(39),
     MfaAuthenticationFailure(40);
 

server/src/main/java/org/cloudfoundry/identity/uaa/audit/JdbcAuditService.java

@@ -63,7 +63,7 @@ public AuditEvent mapRow(ResultSet rs, int rowNum) throws SQLException {
             long time = rs.getTimestamp(5).getTime();
             String identityZoneId = nullSafeTrim(rs.getString(6));
             return new AuditEvent(eventType, principalId, origin,
-                            data, time, identityZoneId);
+                            data, time, identityZoneId, null, null);
         }
     }
 

server/src/main/java/org/cloudfoundry/identity/uaa/audit/LoggingAuditService.java

@@ -111,8 +111,8 @@ public List<AuditEvent> find(String principal, long after, String zoneId) {
     @Override
     public void log(AuditEvent auditEvent, String zoneId) {
         updateCounters(auditEvent);
-        log(String.format("%s ('%s'): principal=%s, origin=[%s], identityZoneId=[%s]", auditEvent.getType().name(), auditEvent.getData(),
-                        auditEvent.getPrincipalId(), auditEvent.getOrigin(), auditEvent.getIdentityZoneId()));
+        log(String.format("%s ('%s'): principal=%s, origin=[%s], identityZoneId=[%s], authenticationType=[%s]", auditEvent.getType().name(), auditEvent.getData(),
+                        auditEvent.getPrincipalId(), auditEvent.getOrigin(), auditEvent.getIdentityZoneId(), auditEvent.getAuthenticationType()));
     }
 
     private void updateCounters(AuditEvent auditEvent) {

server/src/main/java/org/cloudfoundry/identity/uaa/audit/event/AbstractUaaEvent.java

@@ -69,11 +69,15 @@ public void process(UaaAuditService auditor) {
     }
 
     protected AuditEvent createAuditRecord(String principalId, AuditEventType type, String origin) {
-        return new AuditEvent(type, principalId, origin, null, System.currentTimeMillis(), identityZone.getId());
+        return new AuditEvent(type, principalId, origin, null, System.currentTimeMillis(), identityZone.getId(), "unknown", null);
     }
 
     protected AuditEvent createAuditRecord(String principalId, AuditEventType type, String origin, String data) {
-        return new AuditEvent(type, principalId, origin, data, System.currentTimeMillis(), identityZone.getId());
+        return new AuditEvent(type, principalId, origin, data, System.currentTimeMillis(), identityZone.getId(), "unknown", null);
+    }
+
+    protected AuditEvent createAuditRecord(String principalId, AuditEventType type, String origin, String data, String authenticationType, String message) {
+        return new AuditEvent(type, principalId, origin, data, System.currentTimeMillis(), identityZone.getId(), authenticationType, message);
     }
 
     public Authentication getAuthentication() {

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/event/IdentityProviderAuthenticationFailureEvent.java

@@ -0,0 +1,33 @@
+package org.cloudfoundry.identity.uaa.authentication.event;
+
+import org.cloudfoundry.identity.uaa.audit.AuditEvent;
+import org.cloudfoundry.identity.uaa.audit.AuditEventType;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+
+public class IdentityProviderAuthenticationFailureEvent extends AbstractUaaAuthenticationEvent {
+
+    private String username;
+    private String authenticationType;
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getAuthenticationType() {
+        return authenticationType;
+    }
+
+    public IdentityProviderAuthenticationFailureEvent(Authentication authentication, String username, String authenticationType) {
+        super(authentication);
+        this.username = username;
+        this.authenticationType = authenticationType;
+    }
+
+    @Override
+    public AuditEvent getAuditEvent() {
+        Assert.notNull(username, "UaaUser cannot be null");
+        return createAuditRecord(null, AuditEventType.IdentityProviderAuthenticationFailure,
+                getOrigin(getAuthenticationDetails()), username, authenticationType, null);
+    }
+}

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/AuthzAuthenticationManager.java

@@ -12,18 +12,13 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
-import java.util.Calendar;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Locale;
-
 import org.cloudfoundry.identity.uaa.authentication.AccountNotVerifiedException;
 import org.cloudfoundry.identity.uaa.authentication.AuthenticationPolicyRejectionException;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
 import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
+import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationFailureEvent;
 import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationSuccessEvent;
-import org.cloudfoundry.identity.uaa.authentication.event.PasswordAuthenticationFailureEvent;
 import org.cloudfoundry.identity.uaa.authentication.event.UnverifiedUserAuthenticationEvent;
 import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationFailureEvent;
 import org.cloudfoundry.identity.uaa.authentication.event.UserNotFoundEvent;
@@ -36,7 +31,6 @@
 import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
 import org.cloudfoundry.identity.uaa.util.ObjectUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
-
 import org.springframework.context.ApplicationEvent;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
@@ -49,6 +43,11 @@
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
+import java.util.Calendar;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Locale;
+
 public class AuthzAuthenticationManager implements AuthenticationManager, ApplicationEventPublisherAware {
 
     private final SanitizedLogFactory.SanitizedLog logger = SanitizedLogFactory.getLog(getClass());
@@ -95,7 +94,7 @@ public Authentication authenticate(Authentication req) throws AuthenticationExce
 
             if (!passwordMatches) {
                 logger.debug("Password did not match for user " + req.getName());
-                publish(new PasswordAuthenticationFailureEvent(user, req));
+                publish(new IdentityProviderAuthenticationFailureEvent(req, req.getName(), OriginKeys.UAA));
                 publish(new UserAuthenticationFailureEvent(user, req));
             } else {
                 logger.debug("Password successfully matched for userId["+user.getUsername()+"]:"+user.getId());

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicLdapAuthenticationManager.java

@@ -1,17 +1,22 @@
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
+import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationFailureEvent;
+import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.impl.config.EnvironmentPropertiesFactoryBean;
 import org.cloudfoundry.identity.uaa.provider.LdapIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMembershipManager;
 import org.cloudfoundry.identity.uaa.scim.ScimGroupProvisioning;
 import org.cloudfoundry.identity.uaa.util.LdapUtils;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.support.DefaultListableBeanFactory;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
 import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
 import org.springframework.core.env.ConfigurableEnvironment;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -25,6 +30,7 @@ public class DynamicLdapAuthenticationManager implements AuthenticationManager {
     private LdapLoginAuthenticationManager ldapLoginAuthenticationManager;
     private AuthenticationManager manager;
     private AuthenticationManager ldapManagerActual;
+    private ApplicationEventPublisher eventPublisher;
 
 
     public DynamicLdapAuthenticationManager(LdapIdentityProviderDefinition definition,
@@ -97,7 +103,12 @@ public LdapIdentityProviderDefinition getDefinition() {
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
         AuthenticationManager manager = getLdapAuthenticationManager();
         if (manager!=null) {
-            return manager.authenticate(authentication);
+            try {
+                return manager.authenticate(authentication);
+            } catch (BadCredentialsException e) {
+                publish(new IdentityProviderAuthenticationFailureEvent(authentication, authentication.getName(), OriginKeys.LDAP));
+                throw e;
+            }
         }
         throw new ProviderNotFoundException("LDAP provider not configured");
     }
@@ -109,4 +120,14 @@ public void destroy() {
             applicationContext.destroy();
         }
     }
+
+    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+        this.eventPublisher = applicationEventPublisher;
+    }
+
+    protected void publish(ApplicationEvent event) {
+        if (eventPublisher != null) {
+            eventPublisher.publishEvent(event);
+        }
+    }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicZoneAwareAuthenticationManager.java

@@ -25,6 +25,8 @@
 import org.cloudfoundry.identity.uaa.util.ObjectUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
@@ -36,14 +38,15 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 
-public class DynamicZoneAwareAuthenticationManager implements AuthenticationManager {
+public class DynamicZoneAwareAuthenticationManager implements AuthenticationManager, ApplicationEventPublisherAware {
 
     private final IdentityProviderProvisioning provisioning;
     private final AuthenticationManager internalUaaAuthenticationManager;
     private final ConcurrentMap<IdentityZone, DynamicLdapAuthenticationManager> ldapAuthManagers = new ConcurrentHashMap<>();
     private final ScimGroupExternalMembershipManager scimGroupExternalMembershipManager;
     private final ScimGroupProvisioning scimGroupProvisioning;
     private final LdapLoginAuthenticationManager ldapLoginAuthenticationManager;
+    private ApplicationEventPublisher eventPublisher;
 
     public DynamicZoneAwareAuthenticationManager(IdentityProviderProvisioning provisioning,
                                                  AuthenticationManager internalUaaAuthenticationManager,
@@ -126,6 +129,7 @@ public DynamicLdapAuthenticationManager getLdapAuthenticationManager(IdentityZon
             scimGroupExternalMembershipManager,
             scimGroupProvisioning,
             ldapLoginAuthenticationManager);
+        ldapMgr.setApplicationEventPublisher(eventPublisher);
         ldapAuthManagers.putIfAbsent(zone, ldapMgr);
         return ldapAuthManagers.get(zone);
     }
@@ -135,4 +139,9 @@ public void destroy() {
             entry.getValue().destroy();
         }
     }
+
+    @Override
+    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+        this.eventPublisher = applicationEventPublisher;
+    }
 }