Merge branch 'releases/4.0.0'

.travis.yml

@@ -4,6 +4,14 @@ env:
 
 matrix:
   include:
+    - os: linux
+      dist: trusty
+      jdk: oraclejdk8
+      sudo: required
+      language: java
+      env:
+        - TESTENV=default
+        - TEST_COMMAND=generateDocs
     - os: linux
       dist: trusty
       jdk: oraclejdk8
@@ -141,11 +149,13 @@ install:
 - ./scripts/travis/install-ldap-certs.sh
 - ./scripts/ldap/install-ldap.sh ssl
 - if [ "$TESTENV" = "keystone,default" ]; then ./scripts/keystone/install-keystone.sh; fi
-- $TRAVIS_BUILD_DIR/scripts/travis/apply_spring_profiles_to_uaa_yaml.sh $TESTENV
 - if [ "$TESTENV" = "ldap,default" ]; then ./scripts/ldap/configure-manifest.sh; fi
 - if [ "$TESTENV" = "keystone,default" ]; then ./scripts/keystone/configure-manifest.sh; fi
 - mkdir -p $HOME/build/cloudfoundry/uaa/uaa/build/reports/tests
+- sudo apt-get -qy install lsof
 script:
+- sudo lsof -i :33389 || echo "Nothing listening on port 33389"
+- sudo lsof -i :33636 || echo "Nothing listening on port 33636"
 - echo "Test env $TESTENV"
 - echo "Test cmd $TEST_COMMAND"
 - ./gradlew "-Dspring.profiles.active=$TESTENV" "$TEST_COMMAND"

NOTICE

@@ -1,10 +1,12 @@
-User Account and Authentication
+Copyright (c) 2015-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
 
-Copyright (c) 2012-2016 Pivotal Software, Inc. All Rights Reserved.
+This project contains software that is Copyright (c) 2012-2015 Pivotal Software, Inc.
 
-This product is licensed to you under the Apache License, Version 2.0 (the "License").  
-You may not use this product except in compliance with the License.  
+This project is licensed to you under the Apache License, Version 2.0 (the "License").
 
-This product may include a number of subcomponents with separate copyright notices 
+You may not use this project except in compliance with the License.
+
+This project may include a number of subcomponents with separate copyright notices
 and license terms. Your use of these subcomponents is subject to the terms and 
 conditions of the subcomponent's license, as noted in the LICENSE file.
+Contact GitHub API Training Shop Blog About

README.md

@@ -1,5 +1,4 @@
 <link href="https://raw.github.com/clownfart/Markdown-CSS/master/markdown.css" rel="stylesheet"></link>
-
 # CloudFoundry User Account and Authentication (UAA) Server
 
 [![Build Status](https://travis-ci.org/cloudfoundry/uaa.svg?branch=develop)](https://travis-ci.org/cloudfoundry/uaa)

build.gradle

@@ -1,3 +1,5 @@
+import org.apache.tools.ant.filters.ReplaceTokens
+
 import java.nio.file.Files
 import java.nio.file.Paths
 
@@ -8,7 +10,7 @@ buildscript {
     mavenCentral()
     jcenter()
     maven {
-      url 'http://repo.spring.io/plugins-release'
+      url 'https://repo.spring.io/plugins-release'
     }
     maven {
       url 'https://plugins.gradle.org/m2/'
@@ -66,6 +68,9 @@ allprojects {
 
   repositories {
     mavenCentral()
+    maven {
+        url 'https://build.shibboleth.net/nexus/content/repositories/releases/'
+    }
   }
 }
 
@@ -121,7 +126,6 @@ cargoRunLocal.dependsOn cleanCargoConfDir, assemble
 
 task run(dependsOn: cargoRunLocal)
 
-import org.apache.tools.ant.filters.ReplaceTokens
 task manifests(dependsOn: assemble, type: Copy) {
   from('uaa/src/test/resources/sample-manifests') {
     include '**/*.yml'
@@ -172,12 +176,11 @@ subprojects {
     archives javadocJar
   }
   repositories {
-    maven { url "http://maven.springframework.org/release" }
-    maven { url "http://maven.springframework.org/milestone" }
-    maven { url "http://maven.springframework.org/snapshot" }
-    maven { url "http://objectstyle.org/maven2/" }
-    maven { url "http://repo.springsource.org/ext-release-local" }
-    maven { url "http://repo.maven.apache.org/maven2" }
+    maven { url "https://repo.spring.io/release" }
+    maven { url "https://repo.spring.io/milestone" }
+    maven { url "https://repo.spring.io/snapshot" }
+    maven { url "https://repo.spring.io/ext-release-local" }
+    maven { url "https://repo.maven.apache.org/maven2" }
   }
 
   install {
@@ -271,7 +274,7 @@ cargo {
     }
 
     installer {
-      installUrl = 'http://repo2.maven.org/maven2/org/apache/tomcat/tomcat/' + tomcatVersion + '/tomcat-' + tomcatVersion + '.tar.gz'
+      installUrl = 'https://repo1.maven.org/maven2/org/apache/tomcat/tomcat/' + tomcatVersion + '/tomcat-' + tomcatVersion + '.tar.gz'
       downloadDir = file("$buildDir/download")
       extractDir = file("$buildDir/extract")
     }
@@ -286,7 +289,7 @@ project.gradle.taskGraph.whenReady { TaskExecutionGraph graph ->
     }
 
     local {
-//      jvmArgs = "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005"
+//      jvmArgs = jvmArgs + " -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005"
 
       systemProperties {
           //property 'uaa.allowUnverifiedUsers', 'false'

docs/UAA-Audit.rst

@@ -122,11 +122,11 @@ Client Administration Events
 
 * ClientCreateSuccess
     - Happens: When a client is created
-    - Data Recorded: Client ID
+    - Data Recorded: Client ID, Scopes, Authorities
 
 * ClientUpdateSuccess
     - Happens: When a client is updated
-    - Data Recorded: Client ID
+    - Data Recorded: Client ID, Scopes, Authorities
 
 * SecretChangeFailure
     - Happens: When a client secret fails to change

docs/google-oidc-provider.md

@@ -16,6 +16,7 @@ Please refer to 'https://accounts.google.com/.well-known/openid-configuration' f
           type: oidc1.0
           authUrl: https://accounts.google.com/o/oauth2/v2/auth
           tokenUrl: https://www.googleapis.com/oauth2/v4/token
+          tokenKeyUrl: https://www.googleapis.com/oauth2/v3/certs
           issuer: https://accounts.google.com
           redirectUrl: http://localhost:8080/uaa
           scopes:

gradle.properties

@@ -1 +1 @@
-version=3.16.0
+version=4.0.0

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientConstants.java

@@ -19,4 +19,5 @@ public class ClientConstants {
     public static final String CLIENT_NAME = "name";
     public static final String APPROVALS_DELETED = "approvals_deleted";
     public static final String TOKEN_SALT = "token_salt";
+    public static final String REQUIRED_USER_GROUPS = "required_user_groups";
 }

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwk/JsonWebKeyDeserializer.java

@@ -23,6 +23,7 @@
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 
 import java.io.IOException;
+import java.util.Arrays;
 
 /**
  * See https://tools.ietf.org/html/rfc7517
@@ -31,6 +32,10 @@ public class JsonWebKeyDeserializer extends JsonDeserializer<JsonWebKey> {
     @Override
     public JsonWebKey deserialize(JsonParser p, DeserializationContext ctxt) throws IOException, JsonProcessingException {
         JsonNode node = JsonUtils.readTree(p);
+        String kty = node.get("kty").asText("Unknown");
+        if(Arrays.stream(JsonWebKey.KeyType.values()).noneMatch(knownKeyType -> knownKeyType.name().equals(kty))) {
+            return null;
+        }
         return new JsonWebKey(JsonUtils.getNodeAsMap(node));
     }
 }

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwk/JsonWebKeySet.java

@@ -16,10 +16,7 @@
 package org.cloudfoundry.identity.uaa.oauth.jwk;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.core.type.TypeReference;
-import org.cloudfoundry.identity.uaa.util.JsonUtils;
 
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.LinkedList;
@@ -36,9 +33,10 @@ public class JsonWebKeySet<T extends JsonWebKey> {
     public JsonWebKeySet(@JsonProperty("keys") List<T> keys) {
         Set<T> set = new LinkedHashSet<>();
         //rules for how to override duplicates
-        for (T t : keys) {
-            set.remove(t);
-            set.add(t);
+        for (T key : keys) {
+            if(key == null) continue;
+            set.remove(key);
+            set.add(key);
         }
         this.keys = new LinkedList(set);
     }

model/src/main/java/org/cloudfoundry/identity/uaa/provider/AbstractXOAuthIdentityProviderDefinition.java

@@ -15,6 +15,7 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
 
 import java.lang.reflect.ParameterizedType;
 import java.net.URL;
@@ -98,6 +99,7 @@ public T setRelyingPartyId(String relyingPartyId) {
         return (T) this;
     }
 
+    @JsonInclude(JsonInclude.Include.NON_NULL)
     public String getRelyingPartySecret() {
         return relyingPartySecret;
     }

model/src/main/java/org/cloudfoundry/identity/uaa/provider/ExternalIdentityProviderDefinition.java

@@ -1,6 +1,19 @@
+/*******************************************************************************
+ * Cloud Foundry
+ * Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ * <p>
+ * This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ * You may not use this product except in compliance with the License.
+ * <p>
+ * This product includes a number of subcomponents with
+ * separate copyright notices and license terms. Your use of these
+ * subcomponents is subject to the terms and conditions of the
+ * subcomponent's license, as noted in the LICENSE file.
+ *******************************************************************************/
 package org.cloudfoundry.identity.uaa.provider;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 
 import java.util.Collections;
 import java.util.HashMap;
@@ -11,18 +24,7 @@
 import static java.util.Collections.emptyList;
 import static java.util.Collections.emptyMap;
 
-/*******************************************************************************
- * Cloud Foundry
- * Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
- * <p>
- * This product is licensed to you under the Apache License, Version 2.0 (the "License").
- * You may not use this product except in compliance with the License.
- * <p>
- * This product includes a number of subcomponents with
- * separate copyright notices and license terms. Your use of these
- * subcomponents is subject to the terms and conditions of the
- * subcomponent's license, as noted in the LICENSE file.
- *******************************************************************************/
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class ExternalIdentityProviderDefinition extends AbstractIdentityProviderDefinition {
     public static final String GROUP_ATTRIBUTE_NAME = "external_groups"; //can be a string or a list of strings
     public static final String EMAIL_ATTRIBUTE_NAME = "email"; //can be a string
@@ -32,6 +34,8 @@ public class ExternalIdentityProviderDefinition extends AbstractIdentityProvider
     public static final String USER_ATTRIBUTE_PREFIX = "user.attribute.";
     public static final String USER_NAME_ATTRIBUTE_NAME = "user_name";
 
+    public static final String STORE_CUSTOM_ATTRIBUTES_NAME = "storeCustomAttributes";
+
     public static final String EXTERNAL_GROUPS_WHITELIST = "externalGroupsWhitelist";
     public static final String ATTRIBUTE_MAPPINGS = "attributeMappings";