diff --git a/backend/build.gradle b/backend/build.gradle index f41778d28..3b82ec98e 100644 --- a/backend/build.gradle +++ b/backend/build.gradle @@ -1,7 +1,7 @@ plugins { id 'groovy' id 'war' - id 'org.springframework.boot' version '2.4.2' + id 'org.springframework.boot' version '2.5.12' id 'com.gorylenko.gradle-git-properties' version '1.4.21' id 'io.freefair.lombok' version '5.3.0' id 'com.palantir.docker' version '0.28.0' @@ -21,6 +21,7 @@ repositories { artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots'] } mavenLocal() + mavenCentral() } configurations.all { @@ -117,11 +118,10 @@ dependencies { compile "org.opensaml:${it}:${project.'opensaml.version'}" } -// Left here to save time later - when pac4j is/was updated, I needed all of these to get the runtime right with the SAML2 client -// runtimeOnly "org.bouncycastle:bcprov-jdk15on:1.69" -// runtimeOnly "org.bouncycastle:bcprov-ext-jdk15on:1.69" -// runtimeOnly "org.bouncycastle:bcutil-jdk15on:1.69" -// runtimeOnly "org.bouncycastle:bcpkix-jdk15on:1.69" + runtimeOnly "org.bouncycastle:bcprov-jdk15on:1.70" + runtimeOnly "org.bouncycastle:bcprov-ext-jdk15on:1.70" + runtimeOnly "org.bouncycastle:bcutil-jdk15on:1.70" + runtimeOnly "org.bouncycastle:bcpkix-jdk15on:1.70" // shibboleth idp deps 
@@ -139,14 +139,14 @@ dependencies { compile "org.springframework.boot:spring-boot-${it}" } // To override older version with security issue - https://www.lunasec.io/docs/blog/log4j-zero-day/ - implementation 'org.apache.logging.log4j:log4j-to-slf4j:2.15.0' - implementation 'org.apache.logging.log4j:log4j-api:2.15.0' + implementation 'org.apache.logging.log4j:log4j-to-slf4j:2.17.2' + implementation 'org.apache.logging.log4j:log4j-api:2.17.2' // TODO: figure out what this should really be - runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat' + runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat:2.6.7' //Spring Configuration Annotation Processor - makes IntelliJ happy about @ConfigurationProperties - compileOnly "org.springframework.boot:spring-boot-configuration-processor" + compileOnly 'org.springframework.boot:spring-boot-configuration-processor:2.6.7' // lucene deps ['core', 'analyzers-common', 'queryparser'].each { @@ -167,7 +167,7 @@ dependencies { runtimeOnly 'org.glassfish.jaxb:jaxb-runtime:2.3.0' compile "com.h2database:h2" - runtimeOnly "org.postgresql:postgresql:42.2.20" + runtimeOnly 'org.postgresql:postgresql:42.3.4' runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:2.2.0' runtimeOnly 'mysql:mysql-connector-java:5.1.48' 
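Review bot: The explicit `:2.6.7` pins on `spring-boot-starter-tomcat` and `spring-boot-configuration-processor` put Spring Boot 2.6.x artifacts next to a Boot plugin that this change bumps only to 2.5.12 (and `spring-boot.version=2.5.12` in gradle.properties), while the `spring-boot-${it}` starters a few lines above stay unversioned; unless those also resolve to 2.6.7, the runtime classpath mixes two Boot minor versions, which makes it hard to say which single Boot release an advisory applies to. The same `2.6.7` / `5.6.3` pins recur in the test and integrationTest groups below and in beacon/core and pac4j-module. Either bump the plugin to match or drop the explicit versions so the managed BOM decides, e.g. `runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat'`.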
@@ -175,14 +175,14 @@ dependencies { compile 'io.springfox:springfox-swagger2:2.9.2' compile 'io.springfox:springfox-swagger-ui:2.9.2' - testCompile "org.springframework.boot:spring-boot-starter-test" - testCompile "org.springframework.security:spring-security-test" - testCompile "org.spockframework:spock-core:1.3-groovy-2.5" - testCompile "org.spockframework:spock-spring:1.3-groovy-2.5" + testCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7' + testCompile 'org.springframework.security:spring-security-test:5.6.3' + testCompile "org.spockframework:spock-core:2.1-groovy-2.5" + testCompile "org.spockframework:spock-spring:2.1-groovy-2.5" testCompile "org.xmlunit:xmlunit-core:2.5.1" testRuntime 'cglib:cglib-nodep:3.2.5' - compile "net.shibboleth.ext:spring-extensions:5.4.0" + compile "net.shibboleth.ext:spring-extensions:6.2.0" //JSON schema generator testCompile 'com.kjetland:mbknor-jackson-jsonschema_2.12:1.0.29' @@ -196,10 +196,10 @@ dependencies { integrationTestCompile configurations.compile integrationTestCompile 'com.saucelabs:sebuilder-interpreter:1.0.6' integrationTestCompile 'jp.vmi:selenese-runner-java:3.20.0' - integrationTestCompile "org.springframework.boot:spring-boot-starter-test" - integrationTestCompile "org.springframework.security:spring-security-test" - integrationTestCompile "org.spockframework:spock-core:1.3-groovy-2.5" - integrationTestCompile "org.spockframework:spock-spring:1.3-groovy-2.5" + integrationTestCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7' + integrationTestCompile 'org.springframework.security:spring-security-test:5.6.3' + integrationTestCompile 'org.spockframework:spock-core:2.1-groovy-2.5' + integrationTestCompile 'org.spockframework:spock-spring:2.1-groovy-2.5' // CSV file support compile 'com.opencsv:opencsv:4.4' 
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java index 93fec88aa..ab06243b8 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java @@ -29,7 +29,6 @@ import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository; import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService; import groovy.util.logging.Slf4j; -import jline.internal.Log; /** * Implementation of the REST resource endpoints exposing system users. @@ -76,7 +75,7 @@ public List getAll() { return results; } catch (Exception e) { - Log.error("Unable to fetch users because: {}", e.getMessage()); + log.error("Unable to fetch users because: {}", e.getMessage()); throw e; } } @@ -149,4 +148,4 @@ ResponseEntity updateOne(@PathVariable(value = "username") String username, @ User savedUser = userService.save(persistedUser); return ResponseEntity.ok(savedUser); } - } + } \ No newline at end of file diff --git a/beacon/core/build.gradle b/beacon/core/build.gradle index c80df0931..467726066 100644 --- a/beacon/core/build.gradle +++ b/beacon/core/build.gradle @@ -1,7 +1,7 @@ import org.springframework.boot.gradle.plugin.SpringBootPlugin plugins { - id 'org.springframework.boot' version '2.4.2' apply false + id 'org.springframework.boot' version '2.5.12' apply false id 'io.spring.dependency-management' version '1.0.6.RELEASE' } 
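Review bot: The new `log.error(...)` depends on a `log` field that this hunk does not show; the only logging annotation import visible in the file is `groovy.util.logging.Slf4j` (import hunk above), which is a Groovy AST transform and generates no field in a Java source, whereas the rest of this change uses `lombok.extern.slf4j.Slf4j` (AddNewUserFilter). Unless `UsersController` declares `log` itself, this will not compile; switching the import to `lombok.extern.slf4j.Slf4j` would match the other classes. Independently, logging only `e.getMessage()` and then rethrowing loses the stack trace at the point of failure; pass the throwable as the trailing argument: `log.error("Unable to fetch users because: {}", e.getMessage(), e);`. getAll() starts outside the hunk.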
@@ -20,14 +20,14 @@ dependencyManagement { } dependencies { - testCompile "org.springframework.boot:spring-boot-starter-test" - testCompile "org.spockframework:spock-core:1.3-groovy-2.5" - testCompile "org.spockframework:spock-spring:1.3-groovy-2.5" + testCompile "org.springframework.boot:spring-boot-starter-test:2.6.7" + testCompile "org.spockframework:spock-core:2.1-groovy-2.5" + testCompile "org.spockframework:spock-spring:2.1-groovy-2.5" - testCompile 'org.junit.jupiter:junit-jupiter-api:5.5.2' - testCompile 'org.junit.jupiter:junit-jupiter-engine:5.5.2' + testCompile 'org.junit.jupiter:junit-jupiter-api:5.7.2' + testCompile 'org.junit.jupiter:junit-jupiter-engine:5.7.2' } jar { archiveName = "beacon-core-${version}.jar" -} +} \ No newline at end of file diff --git a/beacon/spring/build.gradle b/beacon/spring/build.gradle index 61ab07be5..f6ce16192 100644 --- a/beacon/spring/build.gradle +++ b/beacon/spring/build.gradle @@ -1,7 +1,7 @@ import org.springframework.boot.gradle.plugin.SpringBootPlugin plugins { - id 'org.springframework.boot' version '2.0.0.RELEASE' apply false + id 'org.springframework.boot' version '2.5.12' apply false id 'io.spring.dependency-management' version '1.0.6.RELEASE' } diff --git a/gradle.properties b/gradle.properties index 79bee945d..a1dc8806d 100644 --- a/gradle.properties +++ b/gradle.properties @@ -2,10 +2,10 @@ name=shibui group=edu.internet2.tier.shibboleth.admin.ui version=1.11.0-SNAPSHOT -shibboleth.version=3.4.4 -opensaml.version=3.4.3 +shibboleth.version=4.2.1 +opensaml.version=4.2.0 -spring-boot.version=2.4.2 +spring-boot.version=2.5.12 hibernate.version=5.5.0.Final @@ -17,5 +17,4 @@ org.gradle.jvmargs=-Xmx1g -XX:-UseGCOverheadLimit i2.github.token= i2.github.owner=TIER i2.github.repo=shib-idp-ui -i2.github.apiEndpoint=https://github.internet2.edu/api/v3 - +i2.github.apiEndpoint=https://github.internet2.edu/api/v3 \ No newline at end of file 
diff --git a/pac4j-module/build.gradle b/pac4j-module/build.gradle index 8803d22c9..41eebfdce 100644 --- a/pac4j-module/build.gradle +++ b/pac4j-module/build.gradle @@ -1,7 +1,7 @@ plugins { id 'groovy' id 'jacoco' - id 'org.springframework.boot' version '2.4.2' apply false + id 'org.springframework.boot' version '2.5.12' apply false id 'io.spring.dependency-management' version '1.0.7.RELEASE' id 'io.freefair.lombok' version '5.3.0' } @@ -10,7 +10,7 @@ sourceCompatibility = 11 targetCompatibility = 11 repositories { - jcenter() + mavenCentral() maven { url 'https://build.shibboleth.net/nexus/content/groups/public' artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots'] 
@@ -28,27 +28,19 @@ generateLombokConfig.enabled = false dependencies { compileOnly project(':backend') - compile "org.pac4j:spring-security-pac4j:4.0.0" - compile "org.pac4j:pac4j-core:3.3.0" - compile "org.pac4j:pac4j-http:3.3.0" - compile "org.pac4j:pac4j-saml:3.3.0", { + compile 'org.pac4j:spring-security-pac4j:7.0.3' + // pac4j is "off" - spring security 7.0.3 here uses the pac4j 5.4.3 core, thus differences in versions + compile 'org.pac4j:pac4j-core:5.4.3' + compile 'org.pac4j:pac4j-http:5.4.3' + compile 'org.pac4j:pac4j-saml:5.4.3', { // opensaml libraries are provided exclude group: 'org.opensaml' } -// These updated versions don't play well with the opensaml 3.4.6 version - until we can update openSAML.... -// compile "org.pac4j:spring-security-pac4j:6.0.0" // pac4j is "off" - spring 6.0.0 here uses 5.1 core, thus differences in versions -// compile "org.pac4j:pac4j-core:5.1.0" -// compile "org.pac4j:pac4j-http:5.1.0" -// compile "org.pac4j:pac4j-saml:5.1.0", { -// // opensaml libraries are provided -// exclude group: 'org.opensaml' -// } - testCompile project(':backend') - testCompile "org.springframework.boot:spring-boot-starter-test" - testCompile "org.spockframework:spock-core:1.3-groovy-2.5" - testCompile "org.spockframework:spock-spring:1.3-groovy-2.5" + testCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7' + testCompile 'org.spockframework:spock-core:2.1-groovy-2.5' + testCompile 'org.spockframework:spock-spring:2.1-groovy-2.5' - annotationProcessor "org.springframework.boot:spring-boot-configuration-processor" + annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor:2.6.7' } \ No newline at end of file diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java index c0c9048fa..a9527e0f5 100644 --- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java 
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
@@ -11,9 +11,11 @@
 import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
-import org.pac4j.core.context.J2EContext;
+import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.WebContext;
-import org.pac4j.core.matching.Matcher;
+import org.pac4j.core.context.session.JEESessionStore;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.matching.matcher.Matcher;
 import org.pac4j.core.profile.CommonProfile;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -103,8 +105,10 @@ public void destroy() {
 
 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- WebContext context = new J2EContext((HttpServletRequest)request, (HttpServletResponse)response);
- if (!matcher.matches(context)) {
+ WebContext context = new JEEContext((HttpServletRequest)request, (HttpServletResponse)response);
+ Optional optionalSession = JEESessionStore.INSTANCE.buildFromTrackableSession(context, ((HttpServletRequest) request).getSession());
+ SessionStore session = optionalSession.isPresent() ? (SessionStore) optionalSession.get() : null;
+ if (!matcher.matches(context, session)) {
 return;
 }
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/LocalUserProfileAuthorizationGenerator.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/LocalUserProfileAuthorizationGenerator.java
index 5d9642409..4ec901998 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/LocalUserProfileAuthorizationGenerator.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/LocalUserProfileAuthorizationGenerator.java
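Review bot: In doFilter, `((HttpServletRequest) request).getSession()` now runs for every request that reaches the filter, before the matcher has decided whether the filter applies at all, and the no-arg `getSession()` creates a container session when none exists, so unmatched or unauthenticated requests each leave new server-side state behind. `JEESessionStore.INSTANCE` is itself a `SessionStore`, which is what the new `matcher.matches(context, session)` signature takes, so the two added lines can collapse to `SessionStore session = JEESessionStore.INSTANCE;`; that also removes the raw `Optional`, the cast, and the `null` that is handed to the matcher whenever `buildFromTrackableSession` returns empty. If an existing-session lookup is really intended, use `getSession(false)` so the filter never creates sessions itself. The rest of doFilter is outside the hunk.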
@@ -4,7 +4,8 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import org.pac4j.core.authorization.generator.AuthorizationGenerator;
 import org.pac4j.core.context.WebContext;
-import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.profile.UserProfile;
 
 import java.util.Optional;
 
@@ -16,9 +17,9 @@ public LocalUserProfileAuthorizationGenerator(UserRepository userRepository) {
 }
 
 @Override
- public CommonProfile generate(WebContext context, CommonProfile profile) {
+ public Optional generate(WebContext context, SessionStore sessionStore, UserProfile profile) {
 Optional user = userRepository.findByUsername(profile.getUsername());
 user.ifPresent(u -> profile.addRole(u.getRole()));
- return profile;
+ return Optional.of(profile);
 }
 }
\ No newline at end of file
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
index 26d32708f..fd018d4b6 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
@@ -8,11 +8,11 @@
 import net.unicon.shibui.pac4j.authenticator.ShibuiSAML2Authenticator;
 import org.pac4j.core.client.Clients;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.matching.PathMatcher;
+import org.pac4j.core.matching.matcher.PathMatcher;
 import org.pac4j.core.profile.definition.CommonProfileDefinition;
 import org.pac4j.http.client.direct.HeaderClient;
 import org.pac4j.saml.client.SAML2Client;
-import org.pac4j.saml.client.SAML2ClientConfiguration;
+import org.pac4j.saml.config.SAML2Configuration;
 import org.pac4j.saml.credentials.authenticator.SAML2Authenticator;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
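Review bot: The new `generate` signature uses raw types — `Optional generate(...)` and `Optional user = ...` — which gives up the compile-time check that the value returned matches the `Optional<UserProfile>` the pac4j 5 `AuthorizationGenerator` contract expects, and leaves `u.getRole()` unchecked. Suggest `public Optional<UserProfile> generate(WebContext context, SessionStore sessionStore, UserProfile profile) {` and `Optional<User> user = userRepository.findByUsername(profile.getUsername());`, assuming the repository returns `Optional<User>` (its import is outside the hunk). When no local user matches, the profile is returned unchanged with no role added; a one-line comment saying that an unknown principal deliberately gets no application role here and that downstream authorization is expected to handle it would spare the next reader from guessing. The class declaration starts outside the hunk.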
@@ -69,7 +69,7 @@ public Config config(final Pac4jConfigurationProperties pac4jConfigProps,
 case "SAML2":
 default:
 log.info("**** Configuring PAC4J SAML2");
- final SAML2ClientConfiguration saml2Config = new SAML2ClientConfiguration();
+ final SAML2Configuration saml2Config = new SAML2Configuration();
 saml2Config.setKeystorePath(pac4jConfigProps.getKeystorePath());
 saml2Config.setKeystorePassword(pac4jConfigProps.getKeystorePassword());
 saml2Config.setPrivateKeyPassword(pac4jConfigProps.getPrivateKeyPassword());
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index 17bc554ff..a67bf4a96 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -7,7 +7,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
 import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.matching.Matcher;
+import org.pac4j.core.matching.matcher.Matcher;
 import org.pac4j.springframework.security.web.CallbackFilter;
 import org.pac4j.springframework.security.web.SecurityFilter;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiPac4JHeaderClientAuthenticator.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiPac4JHeaderClientAuthenticator.java
index 1109b5d72..0c1a9e084 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiPac4JHeaderClientAuthenticator.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiPac4JHeaderClientAuthenticator.java
@@ -4,6 +4,7 @@ import lombok.AllArgsConstructor; import org.apache.commons.lang3.StringUtils; import org.pac4j.core.context.WebContext; +import org.pac4j.core.context.session.SessionStore; import org.pac4j.core.credentials.Credentials; import org.pac4j.core.credentials.TokenCredentials; import org.pac4j.core.credentials.authenticator.Authenticator; @@ -18,7 +19,7 @@ public class ShibuiPac4JHeaderClientAuthenticator implements Authenticator { private UserService userService; @Override - public void validate(Credentials credentials, WebContext context) { + public void validate(Credentials credentials, WebContext context, SessionStore sessionStore) { { if (credentials instanceof TokenCredentials) { TokenCredentials creds = (TokenCredentials) credentials; diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java index c5eb8f18b..f2d2738e0 100644 --- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java +++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java @@ -1,10 +1,10 @@ package net.unicon.shibui.pac4j.authenticator; import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService; -import lombok.AllArgsConstructor; import org.pac4j.core.context.WebContext; +import org.pac4j.core.context.session.SessionStore; +import org.pac4j.core.credentials.Credentials; import org.pac4j.core.profile.CommonProfile; -import org.pac4j.saml.credentials.SAML2Credentials; import org.pac4j.saml.credentials.authenticator.SAML2Authenticator; import java.util.Map; @@ -23,9 +23,9 @@ public ShibuiSAML2Authenticator(final String attributeAsId, final Map