Merged in feature/shibui-2510 (pull request #665)

Feature/shibui 2510 Approved-by: Mark McCoy
TIER · Nov 29, 2023 · fb5608a · fb5608a
2 parents 89a378c + a04a4fa
commit fb5608a
Show file tree

Hide file tree

Showing 99 changed files with 6,012 additions and 32,531 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Requirements_
 
-* Java 11 (note that ONLY Java 11 is supported at this time; other later versions might work)
+* Java 17 (note that ONLY Java 17 is supported at this time; other later versions might work)
 
 ## Running
 
@@ -114,4 +114,54 @@ springdoc.pathsToMatch=/entities, /api/**
 # This property enables the openapi and swagger-ui endpoints to be exposed beneath the actuator base path.
 management.endpoints.web.exposure.include=openapi, swagger-ui
 management.server.port=9090
+```
+
+## Random SQL
+### Get Release attributes for a given entity id
+```sql
+select xs_stringvalue
+from xsstring
+where id in (select attribute_values_id
+             from attribute_abstractxmlobject
+             where attribute_id = (select id
+                                   from attribute
+                                   where id in (select attributes_id
+                                                from entity_attributes_attribute
+                                                where entity_attributes_id = (select unknownxmlobjects_id
+                                                                              from abstract_element_extensiblexmlobject_abstractxmlobject
+                                                                              where abstract_element_extensiblexmlobject_id =
+                                                                                    (select extensions_id from entity_descriptor where entityid = 'someentityid')))
+                                     and name = 'http://shibboleth.net/ns/attributes/releaseAllValues'))
+```
+
+### Get Relying Party Overrides by entity id
+```sql
+with join_table as (select rpo.id1,
+                           rpo.id2
+                    from (select attribute_id id1, attribute_values_id id2
+                          from attribute_abstractxmlobject
+                          where attribute_id in (select id
+                                                 from attribute
+                                                 where id in (select attributes_id
+                                                              from entity_attributes_attribute
+                                                              where entity_attributes_id = (select unknownxmlobjects_id
+                                                                                            from abstract_element_extensiblexmlobject_abstractxmlobject
+                                                                                            where abstract_element_extensiblexmlobject_id =
+                                                                                                  (select extensions_id from entity_descriptor where entityid = 'someentityid'))))) as rpo)
+select attribute_1.name relying_party_override,
+       attribute_2.value
+from join_table
+         inner join
+     attribute as attribute_1
+     on join_table.id1 = attribute_1.id
+         inner join
+     (select id, stored_value value from xsboolean
+      UNION
+      select id, CAST(int_value AS varchar) value from xsinteger
+      UNION
+      select id, xs_stringvalue value from xsstring
+      UNION
+      select id, text_context value from xsany) as attribute_2
+     on join_table.id2 = attribute_2.id
+where value is not null and value != ''
 ```
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -1,3 +1,4 @@
+#FROM --platform=linux/arm64 gcr.io/distroless/java17-debian11  ## for macs
 FROM gcr.io/distroless/java17-debian11
 
 ARG JAR_FILE

diff --git a/backend/build.gradle b/backend/build.gradle
@@ -19,7 +19,6 @@ test {
 }
 
 repositories {
-    jcenter()
     maven {
         url 'https://build.shibboleth.net/nexus/content/groups/public'
         artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots']
@@ -143,10 +142,12 @@ dependencies {
     //Spring Configuration Annotation Processor - makes IntelliJ happy about @SpringBootConfigurationProperties
     compileOnly "org.springframework.boot:spring-boot-configuration-processor:${project.'springbootVersion'}"
 
-    runtimeOnly "org.bouncycastle:bcprov-jdk15on:1.70"
-    runtimeOnly "org.bouncycastle:bcprov-ext-jdk15on:1.70"
-    runtimeOnly "org.bouncycastle:bcutil-jdk15on:1.70"
-    runtimeOnly "org.bouncycastle:bcpkix-jdk15on:1.70"
+    // signature and encryption
+    runtimeOnly "org.bouncycastle:bcprov-jdk18on:1.72"
+    runtimeOnly "org.bouncycastle:bcprov-ext-jdk18on:1.72"
+    runtimeOnly "org.bouncycastle:bcutil-jdk18on:1.72"
+    runtimeOnly "org.bouncycastle:bcpkix-jdk18on:1.72"
+
     // DB drivers
     runtimeOnly "org.postgresql:postgresql:${project.'postgresVersion'}"
     runtimeOnly "org.mariadb.jdbc:mariadb-java-client:${project.'mariadbVersion'}"
@@ -165,12 +166,14 @@ dependencies {
     }
 
     // shibboleth idp deps
-    ['idp-profile-spring', 'idp-profile-api'].each {
+    ['idp-profile-impl', 'idp-profile-api'].each {
         implementation "net.shibboleth.idp:${it}:${project.'shibbolethVersion'}"
         integrationTestImplementation "net.shibboleth.idp:${it}:${project.'shibbolethVersion'}"
     }
 
+    implementation "net.shibboleth.ext:spring-extensions:${project.'shibExtSpringExtensionsVersion'}"
     implementation "net.shibboleth.oidc:oidc-common-saml-api:${project.'shibOIDCVersion'}"
+    implementation "net.shibboleth.utilities:java-support:${project.'shibUtilitiesJavaSupportVersion'}"
 
     // hibernate deps
     ['hibernate-core'].each {
@@ -186,9 +189,9 @@ dependencies {
     implementation "net.shibboleth.ext:spring-extensions:6.2.0"
 
     // Spring Web classes requires Apache HttpComponents 5.1 or higher, as of Spring 6.0.
-    implementation "org.apache.httpcomponents.client5:httpclient5:5.1.4"
-    implementation "org.apache.httpcomponents.core5:httpcore5:5.1.5"
-    implementation "org.apache.httpcomponents.core5:httpcore5-h2:5.1.5"
+    implementation "org.apache.httpcomponents.client5:httpclient5:5.2.1"
+    implementation "org.apache.httpcomponents.core5:httpcore5:5.2.2"
+    implementation "org.apache.httpcomponents.core5:httpcore5-h2:5.2.2"
 
     // To override older version with security issue - https://www.lunasec.io/docs/blog/log4j-zero-day/
     implementation "org.apache.logging.log4j:log4j-to-slf4j:${project.'log4JVersion'}"
@@ -277,12 +280,14 @@ dependencies {
 
     integrationTestImplementation sourceSets.main.output
     integrationTestImplementation configurations.compile
+    integrationTestImplementation "net.shibboleth.ext:spring-extensions:${project.'shibExtSpringExtensionsVersion'}"
     integrationTestImplementation "net.shibboleth.oidc:oidc-common-saml-api:${project.'shibOIDCVersion'}"
+    integrationTestImplementation "net.shibboleth.utilities:java-support:${project.'shibUtilitiesJavaSupportVersion'}"
     integrationTestImplementation "org.hibernate:hibernate-envers:${project.'hibernateVersion'}"
     integrationTestImplementation "com.opencsv:opencsv:${project.'opencsvVersion'}", {
         exclude group: 'commons-collections'
     }
-    integrationTestImplementation 'com.saucelabs:sebuilder-interpreter:1.0.6'
+    integrationTestImplementation "com.saucelabs:sebuilder-interpreter:1.0.6"
     integrationTestImplementation "jp.vmi:selenese-runner-java:${project.'seleneseRunnerVersion'}"
     integrationTestImplementation "org.seleniumhq.selenium:selenium-http-jdk-client:4.8.3"
 

diff --git a/...2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy b/...2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy
@@ -104,9 +104,9 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
         then:
         entityDescriptorHistory.size() == 1
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].givenName.name == 'name'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].givenName.value == 'name'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.ADMINISTRATIVE
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].emailAddresses[0].address == 'test@test'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].emailAddresses[0].uri == 'test@test'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).timestamp > 0L
         getModifiedEntityNames(entityDescriptorHistory, 0).sort() == expectedModifiedPersistentEntities.sort()
@@ -122,9 +122,9 @@ class EntityDescriptorEnversVersioningTests extends Specification {
                 entityManager)
         then:
         entityDescriptorHistory.size() == 2
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.name == 'nameUPDATED'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.value == 'nameUPDATED'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.ADMINISTRATIVE
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].address == 'test@test'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].uri == 'test@test'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).timestamp > 0L
         getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
@@ -142,17 +142,17 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
         then:
         entityDescriptorHistory.size() == 3
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].givenName.name == 'nameUPDATED2'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].givenName.value == 'nameUPDATED2'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.OTHER
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].emailAddresses[0].address == 'test@test.com'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].emailAddresses[0].uri == 'test@test.com'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 2).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 2).timestamp > 0L
         getModifiedEntityNames(entityDescriptorHistory, 2).sort() == expectedModifiedPersistentEntities.sort()
 
         //Also make sure we have our original revision
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.name == 'nameUPDATED'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.value == 'nameUPDATED'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.ADMINISTRATIVE
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].address == 'test@test'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].uri == 'test@test'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).timestamp > 0L
 
@@ -180,7 +180,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
         entityDescriptorHistory.size() == 1
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.organizationNames[0].value == 'org'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.displayNames[0].value == 'display org'
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].value == 'http://org.edu'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].uri == 'http://org.edu'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).timestamp > 0L
         getModifiedEntityNames(entityDescriptorHistory, 0).sort() == expectedModifiedPersistentEntities.sort()
@@ -202,15 +202,15 @@ class EntityDescriptorEnversVersioningTests extends Specification {
         entityDescriptorHistory.size() == 2
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.organizationNames[0].value == 'orgUpdated'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.displayNames[0].value == 'display org Updated'
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.URLs[0].value == 'http://org2.edu'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.URLs[0].uri == 'http://org2.edu'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).timestamp > 0L
         getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
 
         //Check the original revision is intact
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.organizationNames[0].value == 'org'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.displayNames[0].value == 'display org'
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].value == 'http://org.edu'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].uri == 'http://org.edu'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).timestamp > 0L
     }
@@ -237,7 +237,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
         then:
         entityDescriptorHistory.size() == 1
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].format == 'format'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].uri == 'format'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[0] == 'urn:oasis:names:tc:SAML:1.1:protocol'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[1] == null
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
@@ -261,15 +261,15 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
         then:
         entityDescriptorHistory.size() == 2
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].nameIDFormats[0].format == 'formatUPDATED'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].nameIDFormats[0].uri == 'formatUPDATED'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].supportedProtocols[0] == 'urn:oasis:names:tc:SAML:1.1:protocol'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].supportedProtocols[1] == 'urn:oasis:names:tc:SAML:2.0:protocol'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).timestamp > 0L
         getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
 
         //Check the original revision is intact
-        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].format == 'format'
+        getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].uri == 'format'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[0] == 'urn:oasis:names:tc:SAML:1.1:protocol'
         getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[1] == null
         getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
@@ -314,10 +314,10 @@ class EntityDescriptorEnversVersioningTests extends Specification {
         then:
         entityDescriptorHistory.size() == 1
         uiinfo.displayNames[0].value == 'Initial display name'
-        uiinfo.informationURLs[0].value == 'http://info'
-        uiinfo.privacyStatementURLs[0].value == 'http://privacy'
+        uiinfo.informationURLs[0].URI == 'http://info'
+        uiinfo.privacyStatementURLs[0].URI == 'http://privacy'
         uiinfo.descriptions[0].value == 'Initial desc'
-        uiinfo.logos[0].URL == 'http://logo'
+        uiinfo.logos[0].URI == 'http://logo'
         uiinfo.logos[0].height == 20
         uiinfo.logos[0].width == 30
         getModifiedEntityNames(entityDescriptorHistory, 0).sort() == expectedModifiedPersistentEntities.sort()
@@ -349,20 +349,20 @@ class EntityDescriptorEnversVersioningTests extends Specification {
         then:
         entityDescriptorHistory.size() == 2
         uiinfo.displayNames[0].value == 'Display name UPDATED'
-        uiinfo.informationURLs[0].value == 'http://info.updated'
-        uiinfo.privacyStatementURLs[0].value == 'http://privacy.updated'
+        uiinfo.informationURLs[0].URI == 'http://info.updated'
+        uiinfo.privacyStatementURLs[0].URI == 'http://privacy.updated'
         uiinfo.descriptions[0].value == 'Desc UPDATED'
-        uiinfo.logos[0].URL == 'http://logo.updated'
+        uiinfo.logos[0].URI == 'http://logo.updated'
         uiinfo.logos[0].height == 30
         uiinfo.logos[0].width == 40
         getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
 
         //Check the initial revision is still intact
         uiinfoInitialRevision.displayNames[0].value == 'Initial display name'
-        uiinfoInitialRevision.informationURLs[0].value == 'http://info'
-        uiinfoInitialRevision.privacyStatementURLs[0].value == 'http://privacy'
+        uiinfoInitialRevision.informationURLs[0].URI == 'http://info'
+        uiinfoInitialRevision.privacyStatementURLs[0].URI == 'http://privacy'
         uiinfoInitialRevision.descriptions[0].value == 'Initial desc'
-        uiinfoInitialRevision.logos[0].URL == 'http://logo'
+        uiinfoInitialRevision.logos[0].URI == 'http://logo'
         uiinfoInitialRevision.logos[0].height == 20
         uiinfoInitialRevision.logos[0].width == 30
     }