Merge branch 'bump-75.1.0' into gds_master

dependencies.gradle

@@ -10,15 +10,15 @@ ext["flyway.version"] = "5.2.4"
 // Versions shared between multiple dependencies
 versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
-versions.bouncyCastleVersion = "1.67"
+versions.bouncyCastleVersion = "1.68"
 versions.hamcrestVersion = "2.2"
-versions.springBootVersion = "2.3.7.RELEASE"
+versions.springBootVersion = "2.4.4"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"
-versions.springSecurityOAuthVersion = "2.4.0.RELEASE"
+versions.springSecurityOAuthVersion = "2.5.0.RELEASE"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
-versions.springVersion = "5.2.12.RELEASE"
+versions.springVersion = "5.3.5"
 versions.xmlBind = "2.3.0.1"
-versions.tomcatCargoVersion = "9.0.41"
+versions.tomcatCargoVersion = "9.0.44"
 
 // Dependencies (some rely on shared versions, some are shared between projects)
 libraries.apacheCommonsRngCore = "org.apache.commons:commons-rng-core:1.3"
@@ -28,6 +28,7 @@ libraries.apacheDsProtocolLdap = "org.apache.directory.server:apacheds-protocol-
 libraries.apacheLdapApi = "org.apache.directory.api:api-ldap-model:1.0.3"
 libraries.aspectJRt = "org.aspectj:aspectjrt"
 libraries.aspectJWeaver = "org.aspectj:aspectjweaver"
+libraries.beanutils = "commons-beanutils:commons-beanutils:1.9.4"
 libraries.bouncyCastlePkix = "org.bouncycastle:bcpkix-jdk15on:${versions.bouncyCastleVersion}"
 libraries.bouncyCastleProv = "org.bouncycastle:bcprov-jdk15on:${versions.bouncyCastleVersion}"
 libraries.commonsIo = "commons-io:commons-io:2.7"
@@ -63,7 +64,6 @@ libraries.mariaJdbcDriver = "org.mariadb.jdbc:mariadb-java-client"
 libraries.mockito = "org.mockito:mockito-core"
 libraries.mockitoJunit5 = "org.mockito:mockito-junit-jupiter"
 libraries.passay = "org.passay:passay:1.6.0"
-libraries.beanutils = "commons-beanutils:commons-beanutils:1.9.4"
 libraries.postgresql = "org.postgresql:postgresql"
 libraries.selenium = "org.seleniumhq.selenium:selenium-java"
 libraries.slf4jApi = "org.slf4j:slf4j-api"
@@ -108,6 +108,7 @@ libraries.tomcatJasperEl = "org.apache.tomcat.embed:tomcat-embed-jasper"
 libraries.tomcatJdbc = "org.apache.tomcat:tomcat-jdbc"
 libraries.unboundIdLdapSdk = "com.unboundid:unboundid-ldapsdk"
 libraries.unboundIdScimSdk = "com.unboundid.product.scim:scim-sdk:1.8.24"
+libraries.velocity = "org.apache.velocity:velocity-engine-core:2.2"
 libraries.zxing = "com.google.zxing:javase:3.4.0"
 
 // gradle plugins

k8s/README.md

@@ -16,33 +16,33 @@ The UAA uses the driver provided by mariadb (`org.mariadb.jdbc:mariadb-java-clie
 
 The typical structure will look like `database.url=jdbc:mysql://<HOST>:<PORT>/<DB-NAME>?useSSL=false|true`, with whatever other params you may need to use.
 
-## Testing image `cfidentity/uaa` 
+## Testing image `cloudfoundry/uaa` 
 
 To switch between the minikube docker daemon and the local docker daemon, use these commands:
 
 For minikube's docker daemon: `eval "$(minikube docker-env)"`
 
 For the local docker daemon: `eval "$(minikube docker-env --unset=true)"`
 
-To test image `cfidentity/uaa`, you can make use of these sample docker commands:
+To test image `cloudfoundry/uaa`, you can make use of these sample docker commands:
 
 ### Docker Run
 
 ```shell script
-docker pull cfidentity/uaa:latest \
+docker pull cloudfoundry/uaa:latest \
 	&& docker run \
 		--detach \
 		--publish 8080:8080 \
 		--mount type=bind,source=${PWD}/../scripts/cargo/uaa.yml,target=/uaa.yml \
 		--env CLOUDFOUNDRY_CONFIG_PATH= \
 		--env spring_profiles=default,hsqldb \
-		cfidentity/uaa:latest
+		cloudfoundry/uaa:latest
 ```
 
 ### Docker Debug
 
 ```shell script
-docker pull cfidentity/uaa:latest \
+docker pull cloudfoundry/uaa:latest \
    	&& docker run \
 		--detach \
 		--publish 8080:8080 \
@@ -51,5 +51,5 @@ docker pull cfidentity/uaa:latest \
 		--env CLOUDFOUNDRY_CONFIG_PATH= \
 		--env spring_profiles=default,hsqldb \
 		--env JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -Djava.security.egd=file:/dev/./urandom" \
-		cfidentity/uaa:latest
+		cloudfoundry/uaa:latest
 ```

k8s/go.mod

@@ -3,10 +3,10 @@ module github.com/cloudfoundry/uaa
 go 1.15
 
 require (
-	github.com/onsi/ginkgo v1.14.2
-	github.com/onsi/gomega v1.10.4
+	github.com/onsi/ginkgo v1.15.2
+	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.20.1
-	k8s.io/apimachinery v0.20.1
-	k8s.io/client-go v0.20.1
+	k8s.io/api v0.20.5
+	k8s.io/apimachinery v0.20.5
+	k8s.io/client-go v0.20.5
 )

k8s/templates/log4j2.properties

@@ -2,7 +2,7 @@ status = error
 dest = err
 name = UaaLog
 
-property.log_pattern=[%d{yyyy-MM-dd HH:mm:ss.SSS}] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
+property.log_pattern=[%d{yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
 
 appender.uaaDefaultAppender.type = Console
 appender.uaaDefaultAppender.name = UaaDefaultAppender

k8s/templates/values/image.yml

@@ -1,3 +1,3 @@
 #@data/values
 ---
-image: "index.docker.io/cfidentity/uaa@sha256:7a3ded9ec4d090ae2450a4259ab402e64ef1401d711895259fea4bbf59304069"
+image: "index.docker.io/cloudfoundry/uaa@sha256:125fe387c0d722d78968707738e9daa09be04688f3cb4445f941bdfe939aabf1"

k8s/test/config_map_test.go

@@ -71,7 +71,7 @@ var _ = Describe("Uaa ConfigMap", func() {
 dest = err
 name = UaaLog
 
-property.log_pattern=[%d{yyyy-MM-dd HH:mm:ss.SSS}] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
+property.log_pattern=[%d{yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
 
 appender.uaaDefaultAppender.type = Console
 appender.uaaDefaultAppender.name = UaaDefaultAppender

k8s/test/deployment_test.go

@@ -152,7 +152,7 @@ var _ = Describe("Deployment", func() {
 					pod.WithServiceAccountMatching("uaa")
 					pod.WithContainerMatching(func(container *ContainerMatcher) {
 						container.WithName("uaa")
-						container.WithImageContaining("cfidentity/uaa@sha256:")
+						container.WithImageContaining("cloudfoundry/uaa@sha256:")
 						container.WithEnvVar("BPL_TOMCAT_ACCESS_LOGGING", "y")
 						container.WithEnvVar("JAVA_OPTS", strings.Join(expectedJavaOpts, " "))
 						container.WithVolumeMount("uaa-config", Not(BeNil()))

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/ClaimConstants.java

@@ -29,7 +29,7 @@ public class ClaimConstants {
     public static final String EMAIL = "email";
     public static final String EMAIL_VERIFIED = "email_verified";
     public static final String CLIENT_ID = "client_id";
-    public static final String EXP = "exp";
+    public static final String EXPIRY_IN_SECONDS = "exp";
     public static final String AUTHORITIES = "authorities";
     public static final String SCOPE = "scope";
     public static final String GRANTED_SCOPES = "granted_scopes";

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/Claims.java

@@ -41,7 +41,7 @@ public class Claims {
     private String email;
     @JsonProperty(ClaimConstants.CLIENT_ID)
     private String clientId;
-    @JsonProperty(ClaimConstants.EXP)
+    @JsonProperty(ClaimConstants.EXPIRY_IN_SECONDS)
     private Long exp;
     @JsonProperty(ClaimConstants.AUTHORITIES)
     private List<String> authorities;

model/src/test/java/org/cloudfoundry/identity/uaa/mfa/MfaProviderTest.java

@@ -1,12 +1,12 @@
 package org.cloudfoundry.identity.uaa.mfa;
 
 import com.fasterxml.jackson.databind.JsonNode;
+import org.cloudfoundry.identity.uaa.mfa.RandomValueStringGenerator;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
-import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 
 import java.util.Date;
 

model/src/test/java/org/cloudfoundry/identity/uaa/mfa/RandomValueStringGenerator.java

@@ -0,0 +1,77 @@
+package org.cloudfoundry.identity.uaa.mfa;
+
+import java.security.SecureRandom;
+import java.util.Random;
+
+/**
+ * Utility that generates a random-value ASCII string.
+ *
+ * @author Ryan Heaton
+ * @author Dave Syer
+ */
+public class RandomValueStringGenerator {
+
+  private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+      .toCharArray();
+
+  private Random random = new SecureRandom();
+
+  private int length;
+
+  /**
+   * Create a generator with the default length (6).
+   */
+  public RandomValueStringGenerator() {
+    this(6);
+  }
+
+  /**
+   * Create a generator of random strings of the length provided
+   *
+   * @param length the length of the strings generated
+   */
+  public RandomValueStringGenerator(int length) {
+    this.length = length;
+  }
+
+  public String generate() {
+    byte[] verifierBytes = new byte[length];
+    random.nextBytes(verifierBytes);
+    return getAuthorizationCodeString(verifierBytes);
+  }
+
+  /**
+   * Convert these random bytes to a verifier string. The length of the byte array can be
+   * {@link #setLength(int) configured}. The default implementation mods the bytes to fit into the
+   * ASCII letters 1-9, A-Z, a-z .
+   *
+   * @param verifierBytes The bytes.
+   * @return The string.
+   */
+  protected String getAuthorizationCodeString(byte[] verifierBytes) {
+    char[] chars = new char[verifierBytes.length];
+    for (int i = 0; i < verifierBytes.length; i++) {
+      chars[i] = DEFAULT_CODEC[((verifierBytes[i] & 0xFF) % DEFAULT_CODEC.length)];
+    }
+    return new String(chars);
+  }
+
+  /**
+   * The random value generator used to create token secrets.
+   *
+   * @param random The random value generator used to create token secrets.
+   */
+  public void setRandom(Random random) {
+    this.random = random;
+  }
+
+  /**
+   * The length of string to generate.
+   *
+   * @param length the length to set
+   */
+  public void setLength(int length) {
+    this.length = length;
+  }
+
+}

scripts/cargo/log4j2.properties

@@ -2,7 +2,7 @@ status = error
 dest = err
 name = UaaLog
 
-property.log_pattern=[%d{yyyy-MM-dd HH:mm:ss.SSS}] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
+property.log_pattern=[%d{yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
 
 appender.uaaDefaultAppender.type = File
 appender.uaaDefaultAppender.name = UaaDefaultAppender

scripts/start_db_helper.sh

@@ -16,7 +16,8 @@ function bootDB {
   db=$1
 
   if [[ "${db}" = "postgresql" ]]; then
-    launchDB="(/docker-entrypoint.sh postgres -c 'max_connections=250' &> /var/log/postgres-boot.log) &"
+    bootLogLocation="/var/log/postgres-boot.log"
+    launchDB="(/docker-entrypoint.sh postgres -c 'max_connections=250' &> ${bootLogLocation}) &"
     testConnection="(! ps aux | grep docker-entrypoint | grep -v 'grep') && psql -h localhost -U postgres -c '\conninfo' &>/dev/null"
     initDB="psql -c 'drop database if exists uaa;' -U postgres; psql -c 'create database uaa;' -U postgres; psql -c 'drop user if exists root;' --dbname=uaa -U postgres; psql -c \"create user root with superuser password 'changeme';\" --dbname=uaa -U postgres; psql -c 'show max_connections;' --dbname=uaa -U postgres;"
 
@@ -27,7 +28,8 @@ function bootDB {
 
 
   elif [[ "${db}" = "mysql" ]]  || [[ "${db}" = "mysql-5.6" ]]; then
-    launchDB="(MYSQL_DATABASE=uaa MYSQL_ROOT_HOST=127.0.0.1 MYSQL_ROOT_PASSWORD='changeme' bash /entrypoint.sh mysqld &> /var/log/mysql-boot.log) &"
+    bootLogLocation="/var/log/mysql-boot.log"
+    launchDB="(MYSQL_DATABASE=uaa MYSQL_ROOT_HOST=127.0.0.1 MYSQL_ROOT_PASSWORD='changeme' bash /entrypoint.sh mysqld &> ${bootLogLocation}) &"
     testConnection="echo '\s;' | mysql -uroot -pchangeme &>/dev/null"
     initDB="mysql -uroot -pchangeme -e 'SET GLOBAL max_connections = 250; ALTER DATABASE uaa DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;';"
 
@@ -37,7 +39,8 @@ function bootDB {
     }
 
   elif [[ "${db}" = "percona" ]]; then
-    launchDB="bash /entrypoint.sh &> /var/log/mysql-boot.log"
+    bootLogLocation="/var/log/mysql-boot.log"
+    launchDB="bash /entrypoint.sh &> ${bootLogLocation}"
     testConnection="echo '\s;' | mysql &>/dev/null"
     initDB="mysql -e \"CREATE USER 'root'@'127.0.0.1' IDENTIFIED BY 'changeme' ;\";
          mysql -e \"GRANT ALL ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION ;\";
@@ -60,7 +63,9 @@ function bootDB {
   echo -n "Booting $db"
   set -x
   eval "$launchDB"
-  while true; do
+
+  for i in {0..600} # wait at most 10 mins to the database to start
+  do
     set +ex
     eval "$testConnection"
     exitcode=$?
@@ -80,4 +85,8 @@ function bootDB {
     echo -n "."
     sleep 1
   done
+
+  echo "Printing database boot logs:"
+  cat "$bootLogLocation"
+  exit 1
 }

server/build.gradle

@@ -68,6 +68,7 @@ dependencies {
 
     implementation(libraries.passay)
     implementation(libraries.beanutils)
+    implementation(libraries.velocity)
 
     implementation(libraries.googleAuth)
 

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ChainedAuthenticationManager.java

@@ -46,15 +46,15 @@ public void setDelegates(AuthenticationManagerConfiguration[] delegates) {
 
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
-        if (authentication == null) {
-            return authentication;
+        if (!(authentication instanceof Authentication)) {
+            return null;
         }
         UsernamePasswordAuthenticationToken output = null;
         if (authentication instanceof UsernamePasswordAuthenticationToken) {
             output = (UsernamePasswordAuthenticationToken) authentication;
         } else {
             output = new UsernamePasswordAuthenticationToken(authentication.getPrincipal(),
-                                                             authentication.getCredentials(),
+                                                             (authentication.getCredentials() != null ? authentication.getCredentials().toString() : null),
                                                              authentication.getAuthorities());
             output.setDetails(authentication.getDetails());
         }