Merge remote-tracking branch 'origin/develop' into release/1.14.0

TIER · Oct 31, 2022 · 739226e · 739226e
2 parents 87c5590 + 928fc27
commit 739226e
Show file tree

Hide file tree

Showing 224 changed files with 11,098 additions and 3,512 deletions.
diff --git a/backend/build.gradle b/backend/build.gradle
@@ -135,6 +135,8 @@ dependencies {
         compile "net.shibboleth.idp:${it}:${project.'shibbolethVersion'}"
     }
 
+    implementation "net.shibboleth.oidc:oidc-common-saml-api:${project.'shibOIDCVersion'}"
+
     // hibernate deps
     ['hibernate-core'].each {
         compile "org.hibernate:${it}:${project.'hibernateVersion'}"
@@ -187,7 +189,8 @@ dependencies {
     testCompile "org.springframework.boot:spring-boot-starter-test:${project.'springbootVersion'}"
     testCompile "org.springframework.security:spring-security-test:${project.'springSecurityVersion'}"
     testCompile 'org.skyscreamer:jsonassert:1.5.0'
-    testCompile "org.xmlunit:xmlunit-core:2.5.1"
+    testImplementation "org.xmlunit:xmlunit-core:2.9.0"
+    testImplementation "org.xmlunit:xmlunit-assertj:2.9.0"
     testRuntime 'cglib:cglib-nodep:3.2.5'
 
     compile "net.shibboleth.ext:spring-extensions:6.2.0"
@@ -209,6 +212,7 @@ dependencies {
     integrationTestCompile platform("org.spockframework:spock-bom:2.1-groovy-3.0")
     integrationTestCompile "org.spockframework:spock-core"
     integrationTestCompile "org.spockframework:spock-spring"
+    integrationTestRuntime "net.shibboleth.oidc:oidc-common-saml-api:${project.'shibOIDCVersion'}"
 
     // CSV file support
     compile 'com.opencsv:opencsv:4.4', {
@@ -337,6 +341,12 @@ task generateSources {
                 processLine(it['@className'].toString(), 'src/main/templates/SignatureBuilderTemplate.java')
             }
         }
+
+        new XmlSlurper().parse(file('src/main/resources/jpa-shib-oidc-config.xml')).with { builders ->
+            builders.ObjectProviders.ObjectProvider.BuilderClass.each {
+                processLine(it['@className'].toString(), 'src/main/templates/OIDCBuilderTemplate.java')
+            }
+        }
     }
 }
 

diff --git a/...2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy b/...2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy
@@ -34,6 +34,7 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.XSString
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.AssertionConsumerServiceRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.ContactRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.EntityDescriptorRepresentation
+import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.KeyDescriptorRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.LogoutEndpointRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.MduiRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.OrganizationRepresentation
@@ -380,8 +381,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
         def representation = new EntityDescriptorRepresentation().with {
             it.securityInfo = new SecurityInfoRepresentation().with {
                 it.authenticationRequestsSigned = true
-                it.x509CertificateAvailable = true
-                it.x509Certificates = [new SecurityInfoRepresentation.X509CertificateRepresentation(name: 'sign', type: 'signing', value: 'signingValue')]
+                it.keyDescriptors = [new KeyDescriptorRepresentation(name: 'sign', type: 'signing', value: 'signingValue', elementType: 'X509Data')]
                 it
             }
             it
@@ -411,9 +411,8 @@ class EntityDescriptorEnversVersioningTests extends Specification {
         representation = new EntityDescriptorRepresentation().with {
             it.securityInfo = new SecurityInfoRepresentation().with {
                 it.authenticationRequestsSigned = false
-                it.x509CertificateAvailable = true
-                it.x509Certificates = [new SecurityInfoRepresentation.X509CertificateRepresentation(name: 'sign', type: 'signing', value: 'signingValue'),
-                                       new SecurityInfoRepresentation.X509CertificateRepresentation(name: 'encrypt', type: 'encryption', value: 'encryptionValue')]
+                it.keyDescriptors = [new KeyDescriptorRepresentation(name: 'sign', type: 'signing', value: 'signingValue', elementType: 'X509Data'),
+                                     new KeyDescriptorRepresentation(name: 'encrypt', type: 'encryption', value: 'encryptionValue', elementType: 'X509Data')]
                 it
             }
             it
@@ -655,4 +654,4 @@ class EntityDescriptorEnversVersioningTests extends Specification {
         attrs.attributes[1].attributeValues[0].xsStringvalue == 'attr1'
         attrs.attributes[1].attributeValues[1] == null
     }
-}
+}
diff --git a/backend/src/enversTest/resources/application.yml b/backend/src/enversTest/resources/application.yml
@@ -0,0 +1,166 @@
+#spring:
+#  jpa:
+#    show-sql: false
+#    properties:
+#      hibernate:
+#        format_sql: true
+#        dialect: org.hibernate.dialect.PostgreSQL95Dialect
+# OR SEE: https://access.redhat.com/webassets/avalon/d/red-hat-jboss-enterprise-application-platform/7.2/javadocs/org/hibernate/dialect/package-summary.html
+
+#shibui:
+## Default password must be set for the default user to be configured and setup
+#  default-rootuser:root
+## need to include the encoding for the password - be sure to quote the entire value as shown
+#  default-password: "{noop}foopassword"
+#  pac4j-enabled: true
+#  pac4j:
+#    keystorePath: "/etc/shibui/samlKeystore.jks"
+#    keystorePassword: "changeit"
+#    privateKeyPassword: "changeit"
+#    serviceProviderEntityId: "https://idp.example.com/shibui"
+#    serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml"
+#    identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
+#    forceServiceProviderMetadataGeneration: false
+#    callbackUrl: "https://localhost:8443/callback"
+#    postLogoutURL: "https://idp.example.com/idp/profile/Logout"  # Must set this to get IDP logout
+#    maximumAuthenticationLifetime: 3600000
+#    requireAssertedRoleForNewUsers: false
+#    saml2ProfileMapping:
+#      username: urn:oid:0.9.2342.19200300.100.1.1
+#      firstname: urn:oid:2.5.4.42
+#      lastname: urn:oid:2.5.4.4
+#      email: urn:oid:0.9.2342.19200300.100.1.3
+#      groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1 # attributeId - isMemberOf
+#      roles: --define name of the attribute containing the incoming user roles--
+
+custom:
+  attributes:
+    # Default attributes
+    - name: eduPersonPrincipalName
+      displayName: label.attribute-eduPersonPrincipalName
+    - name: uid
+      displayName: label.attribute-uid
+    - name: mail
+      displayName: label.attribute-mail
+    - name: surname
+      displayName: label.attribute-surname
+    - name: givenName
+      displayName: label.attribute-givenName
+    - name: eduPersonAffiliation
+      displayName: label.attribute-eduPersonAffiliation
+    - name: eduPersonScopedAffiliation
+      displayName: label.attribute-eduPersonScopedAffiliation
+    - name: eduPersonPrimaryAffiliation
+      displayName: label.attribute-eduPersonPrimaryAffiliation
+    - name: eduPersonEntitlement
+      displayName: label.attribute-eduPersonEntitlement
+    - name: eduPersonAssurance
+      displayName: label.attribute-eduPersonAssurance
+    - name: eduPersonUniqueId
+      displayName: label.attribute-eduPersonUniqueId
+    - name: employeeNumber
+      displayName: label.attribute-employeeNumber
+  # Custom attributes
+
+  # The following contains a map of "relying party overrides".
+  # The structure of an entry is as follows:
+  # - name: The name of the entry. used to uniquely identify this entry.
+  #   displayName: This will normally be the label used when displaying this override in the UI
+  #   displayType: The type to use when displaying this option
+  #   helpText: This is the help-icon hover-over text
+  #   defaultValues: One or more values to be displayed as default options in the UI
+  #   persistType: Optional. If it is necessary to persist something different than the override's display type,
+  #                set that type here. For example, display a boolean, but persist a string.
+  #   persistValue: Required only when persistType is used. Defines the value to be persisted.
+  #   attributeName: This is the name of the attribute to be used in the xml. This is assumed to be a URI.
+  #   attributeFriendlyName: This is the friendly name associated with the above attributeName.
+  #
+  # It is imperative when defining these that the "displayType" and "persistType" are known types.
+  # Typos or unsupported values here will result in that override being skipped!
+  # Supported types are as follows: boolean, integer, string, set, list
+  # Note that "persistType" doesn't have to match "displayType". However, the only unmatching combination currently
+  # supported is a "displayType" of "boolean" and "persistType" of "string".
+  overrides:
+    # Default overrides
+    - name: signAssertion
+      displayName: label.sign-the-assertion
+      displayType: boolean
+      helpText: tooltip.sign-assertion
+      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+      attributeFriendlyName: signAssertions
+    - name: dontSignResponse
+      displayName: label.dont-sign-the-response
+      displayType: boolean
+      helpText: tooltip.dont-sign-response
+      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+      attributeFriendlyName: signResponses
+      invert: true
+    - name: turnOffEncryption
+      displayName: label.turn-off-encryption-of-response
+      displayType: boolean
+      helpText: tooltip.turn-off-encryption
+      attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+      attributeFriendlyName: encryptAssertions
+      invert: true
+    - name: useSha
+      displayName: label.use-sha1-signing-algorithm
+      displayType: boolean
+      helpText: tooltip.usa-sha-algorithm
+      persistType: string
+      persistValue: shibboleth.SecurityConfiguration.SHA1
+      attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+      attributeFriendlyName: securityConfiguration
+    - name: ignoreAuthenticationMethod
+      displayName: label.ignore-any-sp-requested-authentication-method
+      displayType: boolean
+      helpText: tooltip.ignore-auth-method
+      persistType: string
+      persistValue: 0x1
+      attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+      attributeFriendlyName: disallowedFeatures
+    - name: omitNotBefore
+      displayName: label.omit-not-before-condition
+      displayType: boolean
+      helpText: tooltip.omit-not-before-condition
+      attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+      attributeFriendlyName: includeConditionsNotBefore
+      invert: true
+    - name: responderId
+      displayName: label.responder-id
+      displayType: string
+      helpText: tooltip.responder-id
+      attributeName: http://shibboleth.net/ns/profiles/responderId
+      attributeFriendlyName: responderId
+    - name: nameIdFormats
+      displayName: label.nameid-format-to-send
+      displayType: set
+      helpText: tooltip.nameid-format
+      defaultValues:
+        - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+        - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+      attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+      attributeFriendlyName: nameIDFormatPrecedence
+    - name: authenticationMethods
+      displayName: label.authentication-methods-to-use
+      displayType: set
+      helpText: tooltip.authentication-methods-to-use
+      defaultValues:
+        - https://refeds.org/profile/mfa
+        - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+        - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+      attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+      attributeFriendlyName: defaultAuthenticationMethods
+    - name: forceAuthn
+      displayName: label.force-authn
+      displayType: boolean
+      helpText: tooltip.force-authn
+      attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+      attributeFriendlyName: forceAuthn
+    - name: ignoreRequestSignatures
+      displayName: label.ignore-request-signatures
+      displayType: boolean
+      helpText: tooltip.ignore-request-signatures
+      attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
+      attributeFriendlyName: ignoreRequestSignatures
diff --git a/...end/src/integration/groovy/edu/internet2/tier/shibboleth/admin/ui/SeleniumSIDETest.groovy b/...end/src/integration/groovy/edu/internet2/tier/shibboleth/admin/ui/SeleniumSIDETest.groovy
@@ -154,6 +154,7 @@ class SeleniumSIDETest extends Specification {
         'SHIBUI-2052: Logged in user & role appear on dashboard'            | '/SHIBUI-2052.side'
         'SHIBUI-2116: Verify entity attribute bundle highlights'            | '/SHIBUI-2116.side' // Note that this script WILL NOT PASS in the Selenium IDE due to ${driver} not being set (it is provided by this groovy script).
         'SHIBUI-2267: Verify new RPO CRUD'                                  | '/SHIBUI-2267.side'
+        'SHIBUI-2380: OIDC metadata source CRUD'                            | '/SHIBUI-2380.side'
         'SHIBUI-1674: Verify metadata source tooltips'                      | '/SHIBUI-1674-1.side'
         'SHIBUI-1674: Verify metadata provider tooltips'                    | '/SHIBUI-1674-2.side'
         'SHIBUI-1674: Verify advanced menu tooltips'                        | '/SHIBUI-1674-3.side'