SHIBUI-2271

Updating the libraries used in the project. Major updates:
* pac4j security: 7.0.3
* pac4J: 5.4.3
* spring 5.3.18 and (5.5.5) [mostly as a related to updating spring boot]
* boot: 2.5.12
* shib: 4.2.1
* opensaml 4.2.0

backend/build.gradle

@@ -1,7 +1,7 @@
 plugins {
     id 'groovy'
     id 'war'
-    id 'org.springframework.boot' version '2.4.2'
+    id 'org.springframework.boot' version '2.5.12'
     id 'com.gorylenko.gradle-git-properties' version '1.4.21'
     id 'io.freefair.lombok' version '5.3.0'
     id 'com.palantir.docker' version '0.28.0'
@@ -21,6 +21,7 @@ repositories {
         artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots']
     }
     mavenLocal()
+    mavenCentral()
 }
 
 configurations.all {
@@ -117,11 +118,10 @@ dependencies {
         compile "org.opensaml:${it}:${project.'opensaml.version'}"
     }
 
-//    Left here to save time later - when pac4j is/was updated, I needed all of these to get the runtime right with the SAML2 client
-//    runtimeOnly "org.bouncycastle:bcprov-jdk15on:1.69"
-//    runtimeOnly "org.bouncycastle:bcprov-ext-jdk15on:1.69"
-//    runtimeOnly "org.bouncycastle:bcutil-jdk15on:1.69"
-//    runtimeOnly "org.bouncycastle:bcpkix-jdk15on:1.69"
+    runtimeOnly "org.bouncycastle:bcprov-jdk15on:1.70"
+    runtimeOnly "org.bouncycastle:bcprov-ext-jdk15on:1.70"
+    runtimeOnly "org.bouncycastle:bcutil-jdk15on:1.70"
+    runtimeOnly "org.bouncycastle:bcpkix-jdk15on:1.70"
 
 
     // shibboleth idp deps
@@ -139,14 +139,14 @@ dependencies {
         compile "org.springframework.boot:spring-boot-${it}"
     }
     // To override older version with security issue - https://www.lunasec.io/docs/blog/log4j-zero-day/
-    implementation 'org.apache.logging.log4j:log4j-to-slf4j:2.15.0'
-    implementation 'org.apache.logging.log4j:log4j-api:2.15.0'
+    implementation 'org.apache.logging.log4j:log4j-to-slf4j:2.17.2'
+    implementation 'org.apache.logging.log4j:log4j-api:2.17.2'
 
     // TODO: figure out what this should really be
-    runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat'
+    runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat:2.6.7'
 
     //Spring Configuration Annotation Processor - makes IntelliJ happy about @ConfigurationProperties
-    compileOnly "org.springframework.boot:spring-boot-configuration-processor"
+    compileOnly 'org.springframework.boot:spring-boot-configuration-processor:2.6.7'
 
     // lucene deps
     ['core', 'analyzers-common', 'queryparser'].each {
@@ -167,22 +167,22 @@ dependencies {
     runtimeOnly 'org.glassfish.jaxb:jaxb-runtime:2.3.0'
 
     compile "com.h2database:h2"
-    runtimeOnly "org.postgresql:postgresql:42.2.20"
+    runtimeOnly 'org.postgresql:postgresql:42.3.4'
     runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:2.2.0'
     runtimeOnly 'mysql:mysql-connector-java:5.1.48'
 
     //Swagger
     compile 'io.springfox:springfox-swagger2:2.9.2'
     compile 'io.springfox:springfox-swagger-ui:2.9.2'
 
-    testCompile "org.springframework.boot:spring-boot-starter-test"
-    testCompile "org.springframework.security:spring-security-test"
-    testCompile "org.spockframework:spock-core:1.3-groovy-2.5"
-    testCompile "org.spockframework:spock-spring:1.3-groovy-2.5"
+    testCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7'
+    testCompile 'org.springframework.security:spring-security-test:5.6.3'
+    testCompile "org.spockframework:spock-core:2.1-groovy-2.5"
+    testCompile "org.spockframework:spock-spring:2.1-groovy-2.5"
     testCompile "org.xmlunit:xmlunit-core:2.5.1"
     testRuntime 'cglib:cglib-nodep:3.2.5'
 
-    compile "net.shibboleth.ext:spring-extensions:5.4.0"
+    compile "net.shibboleth.ext:spring-extensions:6.2.0"
 
     //JSON schema generator
     testCompile 'com.kjetland:mbknor-jackson-jsonschema_2.12:1.0.29'
@@ -196,10 +196,10 @@ dependencies {
     integrationTestCompile configurations.compile
     integrationTestCompile 'com.saucelabs:sebuilder-interpreter:1.0.6'
     integrationTestCompile 'jp.vmi:selenese-runner-java:3.20.0'
-    integrationTestCompile "org.springframework.boot:spring-boot-starter-test"
-    integrationTestCompile "org.springframework.security:spring-security-test"
-    integrationTestCompile "org.spockframework:spock-core:1.3-groovy-2.5"
-    integrationTestCompile "org.spockframework:spock-spring:1.3-groovy-2.5"
+    integrationTestCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7'
+    integrationTestCompile 'org.springframework.security:spring-security-test:5.6.3'
+    integrationTestCompile 'org.spockframework:spock-core:2.1-groovy-2.5'
+    integrationTestCompile 'org.spockframework:spock-spring:2.1-groovy-2.5'
 
     // CSV file support
     compile 'com.opencsv:opencsv:4.4'

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java

@@ -29,7 +29,6 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
 import groovy.util.logging.Slf4j;
-import jline.internal.Log;
 
 /**
  * Implementation of the REST resource endpoints exposing system users.
@@ -76,7 +75,7 @@ public List<User> getAll() {
             return results;
         }
         catch (Exception e) {
-            Log.error("Unable to fetch users because: {}", e.getMessage());
+            log.error("Unable to fetch users because: {}", e.getMessage());
             throw e;
         }
     }
@@ -149,4 +148,4 @@ ResponseEntity<?> updateOne(@PathVariable(value = "username") String username, @
         User savedUser = userService.save(persistedUser);
         return ResponseEntity.ok(savedUser);
     }
- }
+ }

beacon/core/build.gradle

@@ -1,7 +1,7 @@
 import org.springframework.boot.gradle.plugin.SpringBootPlugin
 
 plugins {
-    id 'org.springframework.boot' version '2.4.2' apply false
+    id 'org.springframework.boot' version '2.5.12' apply false
     id 'io.spring.dependency-management' version '1.0.6.RELEASE'
 }
 
@@ -20,14 +20,14 @@ dependencyManagement {
 }
 
 dependencies {
-    testCompile "org.springframework.boot:spring-boot-starter-test"
-    testCompile "org.spockframework:spock-core:1.3-groovy-2.5"
-    testCompile "org.spockframework:spock-spring:1.3-groovy-2.5"
+    testCompile "org.springframework.boot:spring-boot-starter-test:2.6.7"
+    testCompile "org.spockframework:spock-core:2.1-groovy-2.5"
+    testCompile "org.spockframework:spock-spring:2.1-groovy-2.5"
 
-    testCompile 'org.junit.jupiter:junit-jupiter-api:5.5.2'
-    testCompile 'org.junit.jupiter:junit-jupiter-engine:5.5.2'
+    testCompile 'org.junit.jupiter:junit-jupiter-api:5.7.2'
+    testCompile 'org.junit.jupiter:junit-jupiter-engine:5.7.2'
 }
 
 jar {
     archiveName = "beacon-core-${version}.jar"
-}
+}

beacon/spring/build.gradle

@@ -1,7 +1,7 @@
 import org.springframework.boot.gradle.plugin.SpringBootPlugin
 
 plugins {
-    id 'org.springframework.boot' version '2.0.0.RELEASE' apply false
+    id 'org.springframework.boot' version '2.5.12' apply false
     id 'io.spring.dependency-management' version '1.0.6.RELEASE'
 }
 

gradle.properties

@@ -2,10 +2,10 @@ name=shibui
 group=edu.internet2.tier.shibboleth.admin.ui
 version=1.11.0-SNAPSHOT
 
-shibboleth.version=3.4.4
-opensaml.version=3.4.3
+shibboleth.version=4.2.1
+opensaml.version=4.2.0
 
-spring-boot.version=2.4.2
+spring-boot.version=2.5.12
 
 hibernate.version=5.5.0.Final
 
@@ -17,5 +17,4 @@ org.gradle.jvmargs=-Xmx1g -XX:-UseGCOverheadLimit
 i2.github.token=
 i2.github.owner=TIER
 i2.github.repo=shib-idp-ui
-i2.github.apiEndpoint=https://github.internet2.edu/api/v3
-
+i2.github.apiEndpoint=https://github.internet2.edu/api/v3

pac4j-module/build.gradle

@@ -1,7 +1,7 @@
 plugins {
     id 'groovy'
     id 'jacoco'
-    id 'org.springframework.boot' version '2.4.2' apply false
+    id 'org.springframework.boot' version '2.5.12' apply false
     id 'io.spring.dependency-management' version '1.0.7.RELEASE'
     id 'io.freefair.lombok' version '5.3.0'
 }
@@ -10,7 +10,7 @@ sourceCompatibility = 11
 targetCompatibility = 11
 
 repositories {
-    jcenter()
+    mavenCentral()
     maven {
         url 'https://build.shibboleth.net/nexus/content/groups/public'
         artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots']
@@ -28,27 +28,19 @@ generateLombokConfig.enabled = false
 dependencies {
     compileOnly project(':backend')
 
-    compile "org.pac4j:spring-security-pac4j:4.0.0"
-    compile "org.pac4j:pac4j-core:3.3.0"
-    compile "org.pac4j:pac4j-http:3.3.0"
-    compile "org.pac4j:pac4j-saml:3.3.0", {
+    compile 'org.pac4j:spring-security-pac4j:7.0.3'
+    // pac4j is "off" - spring security 7.0.3 here uses the pac4j 5.4.3 core, thus differences in versions
+    compile 'org.pac4j:pac4j-core:5.4.3'
+    compile 'org.pac4j:pac4j-http:5.4.3'
+    compile 'org.pac4j:pac4j-saml:5.4.3', {
         // opensaml libraries are provided
         exclude group: 'org.opensaml'
     }
 
-// These updated versions don't play well with the opensaml 3.4.6 version - until we can update openSAML....
-//    compile "org.pac4j:spring-security-pac4j:6.0.0" // pac4j is "off" - spring 6.0.0 here uses 5.1 core, thus differences in versions
-//    compile "org.pac4j:pac4j-core:5.1.0"
-//    compile "org.pac4j:pac4j-http:5.1.0"
-//    compile "org.pac4j:pac4j-saml:5.1.0", {
-//        // opensaml libraries are provided
-//        exclude group: 'org.opensaml'
-//    }
-
     testCompile project(':backend')
-    testCompile "org.springframework.boot:spring-boot-starter-test"
-    testCompile "org.spockframework:spock-core:1.3-groovy-2.5"
-    testCompile "org.spockframework:spock-spring:1.3-groovy-2.5"
+    testCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7'
+    testCompile 'org.spockframework:spock-core:2.1-groovy-2.5'
+    testCompile 'org.spockframework:spock-spring:2.1-groovy-2.5'
 
-    annotationProcessor "org.springframework.boot:spring-boot-configuration-processor"
+    annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor:2.6.7'
 }

pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java

@@ -11,9 +11,11 @@
 import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
-import org.pac4j.core.context.J2EContext;
+import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.WebContext;
-import org.pac4j.core.matching.Matcher;
+import org.pac4j.core.context.session.JEESessionStore;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.matching.matcher.Matcher;
 import org.pac4j.core.profile.CommonProfile;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -103,8 +105,10 @@ public void destroy() {
 
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        WebContext context = new J2EContext((HttpServletRequest)request, (HttpServletResponse)response);
-        if (!matcher.matches(context)) {
+        WebContext context = new JEEContext((HttpServletRequest)request, (HttpServletResponse)response);
+        Optional optionalSession = JEESessionStore.INSTANCE.buildFromTrackableSession(context, ((HttpServletRequest) request).getSession());
+        SessionStore session = optionalSession.isPresent() ? (SessionStore) optionalSession.get() : null;
+        if (!matcher.matches(context, session)) {
             return;
         }
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

pac4j-module/src/main/java/net/unicon/shibui/pac4j/LocalUserProfileAuthorizationGenerator.java

@@ -4,7 +4,8 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import org.pac4j.core.authorization.generator.AuthorizationGenerator;
 import org.pac4j.core.context.WebContext;
-import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.profile.UserProfile;
 
 import java.util.Optional;
 
@@ -16,9 +17,9 @@ public LocalUserProfileAuthorizationGenerator(UserRepository userRepository) {
     }
 
     @Override
-    public CommonProfile generate(WebContext context, CommonProfile profile) {
+    public Optional<UserProfile> generate(WebContext context, SessionStore sessionStore, UserProfile profile) {
         Optional<User> user = userRepository.findByUsername(profile.getUsername());
         user.ifPresent(u -> profile.addRole(u.getRole()));
-        return profile;
+        return Optional.of(profile);
     }
 }

pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java

@@ -8,11 +8,11 @@
 import net.unicon.shibui.pac4j.authenticator.ShibuiSAML2Authenticator;
 import org.pac4j.core.client.Clients;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.matching.PathMatcher;
+import org.pac4j.core.matching.matcher.PathMatcher;
 import org.pac4j.core.profile.definition.CommonProfileDefinition;
 import org.pac4j.http.client.direct.HeaderClient;
 import org.pac4j.saml.client.SAML2Client;
-import org.pac4j.saml.client.SAML2ClientConfiguration;
+import org.pac4j.saml.config.SAML2Configuration;
 import org.pac4j.saml.credentials.authenticator.SAML2Authenticator;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -69,7 +69,7 @@ public Config config(final Pac4jConfigurationProperties pac4jConfigProps,
         case "SAML2":
         default:
             log.info("**** Configuring PAC4J SAML2");
-            final SAML2ClientConfiguration saml2Config = new SAML2ClientConfiguration();
+            final SAML2Configuration saml2Config = new SAML2Configuration();
             saml2Config.setKeystorePath(pac4jConfigProps.getKeystorePath());
             saml2Config.setKeystorePassword(pac4jConfigProps.getKeystorePassword());
             saml2Config.setPrivateKeyPassword(pac4jConfigProps.getPrivateKeyPassword());

pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java

@@ -7,7 +7,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
 import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.matching.Matcher;
+import org.pac4j.core.matching.matcher.Matcher;
 import org.pac4j.springframework.security.web.CallbackFilter;
 import org.pac4j.springframework.security.web.SecurityFilter;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;

pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiPac4JHeaderClientAuthenticator.java

@@ -4,6 +4,7 @@
 import lombok.AllArgsConstructor;
 import org.apache.commons.lang3.StringUtils;
 import org.pac4j.core.context.WebContext;
+import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.credentials.Credentials;
 import org.pac4j.core.credentials.TokenCredentials;
 import org.pac4j.core.credentials.authenticator.Authenticator;
@@ -18,7 +19,7 @@ public class ShibuiPac4JHeaderClientAuthenticator implements Authenticator {
     private UserService userService;
 
     @Override
-    public void validate(Credentials credentials, WebContext context) {
+    public void validate(Credentials credentials, WebContext context, SessionStore sessionStore) {
         {
             if (credentials instanceof TokenCredentials) {
                 TokenCredentials creds = (TokenCredentials) credentials;

pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java

@@ -1,10 +1,10 @@
 package net.unicon.shibui.pac4j.authenticator;
 
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
-import lombok.AllArgsConstructor;
 import org.pac4j.core.context.WebContext;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.credentials.Credentials;
 import org.pac4j.core.profile.CommonProfile;
-import org.pac4j.saml.credentials.SAML2Credentials;
 import org.pac4j.saml.credentials.authenticator.SAML2Authenticator;
 
 import java.util.Map;
@@ -23,9 +23,9 @@ public ShibuiSAML2Authenticator(final String attributeAsId, final Map<String, St
      * @param context
      */
     @Override
-    public void validate(final SAML2Credentials credentials, final WebContext context) {
-        super.validate(credentials, context);
-        CommonProfile profile = credentials.getUserProfile();
+    public void validate(final Credentials credentials, final WebContext context, final SessionStore sessionStore) {
+        super.validate(credentials, context, sessionStore);
+        CommonProfile profile = (CommonProfile) credentials.getUserProfile();
         profile.setRoles(userService.getUserRoles(profile.getUsername()));
         credentials.setUserProfile(profile);
     }

pac4j-module/src/test/groovy/net/unicon/shibui/pac4j/AddNewUserFilterMockTests.groovy

@@ -7,7 +7,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.service.IGroupService
 import edu.internet2.tier.shibboleth.admin.ui.security.service.RolesServiceImpl
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService
 import edu.internet2.tier.shibboleth.admin.ui.service.EmailService
-import org.pac4j.core.matching.PathMatcher
+import org.pac4j.core.matching.matcher.PathMatcher
 import org.pac4j.saml.profile.SAML2Profile
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.context.properties.EnableConfigurationProperties

pac4j-module/src/test/groovy/net/unicon/shibui/pac4j/AddNewUserFilterTests.groovy

@@ -9,7 +9,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.service.GroupServiceForTe
 import edu.internet2.tier.shibboleth.admin.ui.security.service.IRolesService
 import edu.internet2.tier.shibboleth.admin.ui.security.service.RolesServiceImpl
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService
-import org.pac4j.core.matching.PathMatcher
+import org.pac4j.core.matching.matcher.PathMatcher
 import org.pac4j.saml.profile.SAML2Profile
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.autoconfigure.domain.EntityScan