Merged in SHIBUI-808 (pull request #207)

SHIBUI-808

Approved-by: Bill Smith <wsmith@unicon.net>
Approved-by: Dmitriy Kopylenko <dkopylenko@unicon.net>

Jenkinsfile

@@ -36,7 +36,7 @@ pipeline {
       steps {
         sh '''
         docker stop shibui || true && docker rm shibui || true
-        docker run -d --restart always --name shibui -p 8080:8080 -v /etc/shibui/application.properties:/application.properties -m 3GB --memory-swap=3GB unicon/shibui:latest
+        docker run -d --restart always --name shibui -p 8080:8080 -v /etc/shibui:/conf -v /etc/shibui/application.yml:/application.yml -m 3GB --memory-swap=3GB unicon/shibui-pac4j:latest
         '''
       }
     }

backend/Dockerfile

@@ -3,7 +3,8 @@ FROM gcr.io/distroless/java
 ARG JAR_FILE
 
 COPY ${JAR_FILE} app.jar
+COPY loader.properties loader.properties
 
 EXPOSE 8080
 
-CMD ["app.jar"]
+ENTRYPOINT ["/usr/bin/java", "-jar", "app.jar"]

backend/build.gradle

@@ -34,16 +34,36 @@ processResources.dependsOn(':ui:npm_run_buildProd')
 bootWar.dependsOn(':ui:npm_run_buildProd')
 bootWar.baseName = 'shibui'
 bootWar {
-  manifest {
-       attributes("Manifest-Version" : "1.0", "Implementation-Version" : "${project.version}")
-   }
-   from(tasks.findByPath(':ui:npm_run_buildProd').outputs) {
+    manifest {
+        attributes(
+                "Manifest-Version" : "1.0",
+                "Implementation-Version" : "${project.version}"
+        )
+    }
+    from(tasks.findByPath(':ui:npm_run_buildProd').outputs) {
         // into '/'
         into '/public'
     }
     archiveName = "${baseName}.war"
 }
 
+bootJar.dependsOn ':ui:npm_run_buildProd'
+bootJar.baseName = 'shibui'
+bootJar {
+    manifest {
+        attributes(
+                "Manifest-Version" : "1.0",
+                "Implementation-Version" : "${project.version}",
+                'Main-Class': 'org.springframework.boot.loader.PropertiesLauncher'
+        )
+    }
+    from(tasks.findByPath(':ui:npm_run_buildProd').outputs) {
+        // into '/'
+        into '/public'
+    }
+    archiveName = "${baseName}.jar"
+}
+
 springBoot {
     mainClassName = 'edu.internet2.tier.shibboleth.admin.ui.ShibbolethUiApplication'
     buildInfo()
@@ -213,12 +233,13 @@ jacocoTestReport {
     }
 }
 
-tasks.docker.dependsOn tasks.build
+tasks.docker.dependsOn tasks.bootJar
 docker {
     name 'unicon/shibui'
     tags 'latest'
     pull true
     noCache true
-    files tasks.bootWar.outputs
-    buildArgs(['JAR_FILE': 'shibui.war'])
-}
+    files tasks.bootJar.outputs
+    files 'src/main/docker-files/loader.properties'
+    buildArgs(['JAR_FILE': 'shibui.jar'])
+}

backend/src/main/docker-files/loader.properties

@@ -0,0 +1 @@
+loader.path=libs/

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/ShibbolethUiApplication.java

@@ -3,21 +3,28 @@
 import edu.internet2.tier.shibboleth.admin.ui.repository.MetadataResolverRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.domain.EntityScan;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.context.event.ApplicationStartedEvent;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.FilterType;
 import org.springframework.context.annotation.Profile;
 import org.springframework.context.event.EventListener;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.stereotype.Component;
 
 @SpringBootApplication
+@ComponentScan(excludeFilters = @ComponentScan.Filter(type = FilterType.REGEX, pattern = "edu.internet2.tier.shibboleth.admin.ui.configuration.auto.*"))
 @EntityScan(basePackages = "edu.internet2.tier.shibboleth.admin.ui.domain")
 @EnableJpaAuditing
 @EnableScheduling
+@EnableWebSecurity
 public class ShibbolethUiApplication extends SpringBootServletInitializer {
 
     @Override

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/WebSecurityConfig.java → backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java

@@ -1,12 +1,15 @@
-package edu.internet2.tier.shibboleth.admin.ui.configuration;
+package edu.internet2.tier.shibboleth.admin.ui.configuration.auto;
 
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.AutoConfigureBefore;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.firewall.HttpFirewall;
@@ -18,7 +21,9 @@
  *
  * Workaround for slashes in URL from [https://stackoverflow.com/questions/48453980/spring-5-0-3-requestrejectedexception-the-request-was-rejected-because-the-url]
  */
-@EnableWebSecurity
+@Configuration
+@AutoConfigureBefore(SpringBootWebSecurityConfiguration.class)
+@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
 public class WebSecurityConfig {
 
     @Value("${shibui.logout-url:/dashboard}")
@@ -35,7 +40,7 @@ public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
     }
 
     @Bean
-    @Profile("default")
+    @Profile("!no-auth")
     public WebSecurityConfigurerAdapter defaultAuth() {
         return new WebSecurityConfigurerAdapter() {
 

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RequestInitiator.java

@@ -0,0 +1,50 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain;
+
+import org.opensaml.core.xml.util.AttributeMap;
+
+import javax.annotation.Nonnull;
+
+public class RequestInitiator extends AbstractElementExtensibleXMLObject implements org.opensaml.saml.ext.saml2mdreqinit.RequestInitiator {
+    private String binding;
+    @Override
+    public String getBinding() {
+        return this.binding;
+    }
+
+    @Override
+    public void setBinding(String binding) {
+        this.binding = binding;
+    }
+
+    private String location;
+
+    @Override
+    public String getLocation() {
+        return location;
+    }
+
+    @Override
+    public void setLocation(String location) {
+        this.location = location;
+    }
+
+    private String responseLocation;
+
+    @Override
+    public String getResponseLocation() {
+        return this.responseLocation;
+    }
+
+    @Override
+    public void setResponseLocation(String location) {
+        this.responseLocation = location;
+    }
+
+    private AttributeMap attributeMap = new AttributeMap(this);
+
+    @Nonnull
+    @Override
+    public AttributeMap getUnknownAttributes() {
+        return this.attributeMap;
+    }
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RequestInitiatorBuilder.java

@@ -0,0 +1,43 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain;
+
+import org.opensaml.saml.common.AbstractSAMLObjectBuilder;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.w3c.dom.Element;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.xml.namespace.QName;
+
+public class RequestInitiatorBuilder extends AbstractSAMLObjectBuilder<RequestInitiator> {
+
+    /**
+     * Constructor.
+     */
+    public RequestInitiatorBuilder() {
+
+    }
+
+    /** {@inheritDoc} */
+    public RequestInitiator buildObject() {
+        return buildObject(SAMLConstants.SAML20MDRI_NS, org.opensaml.saml.ext.saml2mdreqinit.RequestInitiator.DEFAULT_ELEMENT_LOCAL_NAME,
+                SAMLConstants.SAML20MDRI_PREFIX);
+    }
+
+    /** {@inheritDoc} */
+    public RequestInitiator buildObject(final String namespaceURI, final String localName,
+                                        final String namespacePrefix) {
+        RequestInitiator o = new RequestInitiator();
+        o.setNamespaceURI(namespaceURI);
+        o.setElementLocalName(localName);
+        o.setNamespacePrefix(namespacePrefix);
+        return o;
+    }
+
+    @Nonnull
+    @Override
+    public RequestInitiator buildObject(@Nullable String namespaceURI, @Nonnull String localName, @Nullable String namespacePrefix, @Nullable QName schemaType) {
+        RequestInitiator requestInitiator = buildObject(namespaceURI, localName, namespacePrefix);
+        requestInitiator.setSchemaType(schemaType);
+        return requestInitiator;
+    }
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RoleDescriptor.java

@@ -83,11 +83,7 @@ public void setSupportedProtocols(List<String> supportedProtocols) {
 
     @Override
     public boolean isSupportedProtocol(String s) {
-        return isSupportedProtocol;
-    }
-
-    public void setIsSupportedProtocol(boolean isSupportedProtocol) {
-        this.isSupportedProtocol = isSupportedProtocol;
+        return this.supportedProtocols.contains(s);
     }
 
     @Override

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/SPSSODescriptor.java

@@ -32,7 +32,7 @@ public class SPSSODescriptor extends SSODescriptor implements org.opensaml.saml.
 
     @Override
     public Boolean isAuthnRequestsSigned() {
-        return isAuthnRequestsSigned;
+        return this.isAuthnRequestsSigned == null ? false : this.isAuthnRequestsSigned;
     }
 
     @Override
@@ -55,7 +55,7 @@ public void setAuthnRequestsSigned(XSBooleanValue xsBooleanValue) {
 
     @Override
     public Boolean getWantAssertionsSigned() {
-        return wantAssertionsSigned;
+        return wantAssertionsSigned == null ? false : wantAssertionsSigned;
     }
 
     @Override

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Data.java

@@ -65,7 +65,7 @@ public List<X509SubjectName> getX509SubjectNames() {
     @Nonnull
     @Override
     public List<X509Certificate> getX509Certificates() {
-        return Arrays.asList(this.xmlObjects.stream().filter(i -> i instanceof org.opensaml.xmlsec.signature.X509Certificate).toArray(org.opensaml.xmlsec.signature.X509Certificate[]::new));
+        return new ArrayList<>(Arrays.asList(this.xmlObjects.stream().filter(i -> i instanceof org.opensaml.xmlsec.signature.X509Certificate).toArray(org.opensaml.xmlsec.signature.X509Certificate[]::new)));
     }
 
     public void addX509Certificate(edu.internet2.tier.shibboleth.admin.ui.domain.X509Certificate x509Certificate) {

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/InitializationService.java

@@ -2,7 +2,6 @@
 
 import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.config.Initializer;
-import org.opensaml.core.xml.config.XMLObjectProviderInitializer;
 
 import java.util.ServiceLoader;
 
@@ -15,7 +14,11 @@ protected InitializationService() {
     public static synchronized void initialize() throws InitializationException {
         final ServiceLoader<Initializer> serviceLoader = ServiceLoader.load(Initializer.class);
         for (Initializer initializer : serviceLoader) {
-            if (initializer.getClass().equals(org.opensaml.saml.config.impl.XMLObjectProviderInitializer.class) || initializer.getClass().equals(XMLObjectProviderInitializer.class) || initializer.getClass().equals(org.opensaml.xmlsec.config.impl.XMLObjectProviderInitializer.class)) {
+            if (
+                    initializer.getClass().equals(org.opensaml.saml.config.impl.XMLObjectProviderInitializer.class)
+                            || initializer.getClass().equals(org.opensaml.core.xml.config.XMLObjectProviderInitializer.class)
+                            || initializer.getClass().equals(org.opensaml.xmlsec.config.impl.XMLObjectProviderInitializer.class)
+            ) {
                 continue;
             }
             initializer.init();

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java

@@ -13,7 +13,12 @@ protected String[] getConfigResources() {
                 "/jpa-saml2-assertion-config.xml",
                 "/jpa-schema-config.xml",
                 "/jpa-saml2-metadata-ui-config.xml",
-                "/jpa-signature-config.xml"
+                "/jpa-signature-config.xml",
+                "/encryption-config.xml",
+                "/saml2-metadata-algorithm-config.xml",
+                "/jpa-saml2-metadata-reqinit-config.xml",
+                "/saml2-protocol-config.xml",
+                "/modified-saml2-assertion-config.xml"
         };
     }
 }

backend/src/main/resources/META-INF/spring.factories

@@ -1,2 +1,4 @@
 org.springframework.boot.env.EnvironmentPostProcessor=\
-  edu.internet2.tier.shibboleth.admin.ui.configuration.postprocessors.IdpHomeValueSettingEnvironmentPostProcessor
+  edu.internet2.tier.shibboleth.admin.ui.configuration.postprocessors.IdpHomeValueSettingEnvironmentPostProcessor
+org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
+    edu.internet2.tier.shibboleth.admin.ui.configuration.auto.WebSecurityConfig

backend/src/main/resources/application.properties

@@ -45,7 +45,7 @@ spring.jpa.hibernate.use-new-id-generator-mappings=true
 # shibui.metadata-dir=/opt/shibboleth-idp/metadata/generated
 shibui.logout-url=/dashboard
 
-spring.profiles.active=default
+# spring.profiles.active=default
 
 #shibui.default-password=
 

backend/src/main/resources/jpa-saml2-metadata-reqinit-config.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<XMLTooling xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns="http://www.opensaml.org/xmltooling-config" xsi:schemaLocation="http://www.opensaml.org/xmltooling-config ../../src/schema/xmltooling-config.xsd">
+
+	<!-- SAML 2.0 Metadata SSO Service Provider Request Initiation Extension. -->
+	<ObjectProviders>
+
+		<!-- RequestInitiator provider -->
+		<ObjectProvider qualifiedName="init:RequestInitiator">
+			<BuilderClass className="edu.internet2.tier.shibboleth.admin.ui.domain.RequestInitiatorBuilder"/>
+			<MarshallingClass className="org.opensaml.saml.ext.saml2mdreqinit.impl.RequestInitiatorMarshaller"/>
+			<UnmarshallingClass className="org.opensaml.saml.ext.saml2mdreqinit.impl.RequestInitiatorUnmarshaller"/>
+		</ObjectProvider>
+
+	</ObjectProviders>
+</XMLTooling>