[#171053583] Bump UAA to v74.13.0 #15
Commits on Nov 20, 2019
-
Excluded JSON libraries from gradle
- Because they conflict with org.json.JSONObject from SCIM libraries [#169854769] Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Test Refactor - move file from server/ to uaa/
[#169854769] Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Test Refactor - ScimUserEndpointsTests
- Use @DefaultTestContext instead of @WithSpring [#169854769] Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Test Refactor - move file from server/ to uaa/
[#169854769] Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Test Refactor - UaaTokenServicesTests
- Apply IntelliJ sanitizations [#169854769]
-
-
Replace @WithSpring with @DefaultTestContext
[finishes #169854769] Signed-off-by: Andrew Edstrom <aedstrom@pivotal.io>
Commits on Nov 21, 2019
-
Test Refactor - LimitedModeUaaFilterTests
- Apply IntelliJ suggestions and refactor [nostory]
-
Test Refactor - LimitedModeUaaFilterTests
- Use JUnit5 [nostory]
-
Refactor - LimitedModeUaaFilter
- Apply IntelliJ sanitizations [nostory]
Commits on Nov 27, 2019
-
-
Test Refactor - BootstrapTests
- Use Extensions for cleanup [#169991138]
-
Test Refactor - BootstrapTests
- Inline params with only one value [#169991138]
-
Test Refactor - BootstrapTests
- Use callbacks to reset system properties [#169991138]
-
Test Refactor - BootstrapTests
- Inline hardcoded parameters [#169991138]
-
Test Refactor - BootstrapTests
- Simplify how the context is built [#169991138]
-
Test Refactor - BootstrapTests
- Remove reference to non-existent file login.yml [#169991138]
Commits on Dec 2, 2019
-
-
Purge expired session from in memory map
Prior to this commit, configuring the UAA to manage sessions in memory resulted in the use of `MapSessionRepository` to manage sessions. `MapSessionRepository` does not automatically remove expired sessions from it's backing map. And neither did the UAA, resulting in a memory leak. Now, register a scheduled task to remove expired sessions. The tasks frequency can be configured via the `servlet.session-purge-delay` property. [#170035178]
Commits on Dec 3, 2019
-
Add DB index on revocable tokens
Signed-off-by: Florian Tack <florian.tack@sap.com>
-
Bump spring-framework-bom from 5.2.1.RELEASE to 5.2.2.RELEASE
Bumps [spring-framework-bom](https://github.com/spring-projects/spring-framework) from 5.2.1.RELEASE to 5.2.2.RELEASE. - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.2.1.RELEASE...v5.2.2.RELEASE) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
-
Merge pull request cloudfoundry#1153 from cloudfoundry/dependabot/gra…
…dle/org.springframework-spring-framework-bom-5.2.2.RELEASE
-
Test Refactor - IdentityZoneResolvingFilterTests
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - IdentityZoneResolvingFilterTests
- Use WithDatabaseContext - Use JUnit5 [#170083097]
-
Test Refactor - UserInfoTableTest
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - UserInfoTableTest
- Use WithDatabaseContext - Use JUnit5 [#170083097]
-
Test Refactor - TableAndColumnNormalizationTest
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - TableAndColumnNormalizationTest
- Can't use WithDatabaseContext - Has custom Spring context :( - Use JUnit5 [#170083097]
-
Test Refactor - IdentityProviderBootstrapTest
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - JdbcMfaProviderProvisioningTest
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - JdbcMfaProviderProvisioningTest
- Use WithDatabaseContext - Use JUnit5 [#170083097]
-
Test Refactor - LimitSqlAdapterTests
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - LimitSqlAdapterTests
- Use WithDatabaseContext - Use JUnit5 [#170083097]
-
Test Refactor - ScimExternalGroupBootstrapTests
- Apply IntelliJ sanitizations - Also remove unused import from IdentityZoneResolvingFilterTests [#170083097]
-
Test Refactor - ScimExternalGroupBootstrapTests
- Use WithDatabaseContext - Use JUnit5 [#170083097]
-
Test Refactor - UaaTokenStoreTests
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - UaaTokenStoreTests
- Use WithDatabaseContext - Use JUnit5 [#170083097]
-
Test Refactor - ClientDetailsHasRequiredUserScopes
- Turns out this class wasn't Parameterized - Hardcode all the parameterized stuff - Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - ClientDetailsHasRequiredUserScopes
- Use WithDatabaseContext - Use JUnit5 [#170083097]
-
Test Refactor - OauthCodeIndexTest
- Apply IntelliJ sanitizations [#170083097]
-
Test Refactor - OauthCodeIndexTest
- Use WithDatabaseContext - Use JUnit5 - Turns out there's only one @test method. Parameterize it instead of the class [#170083097]
-
Test Refactor - StoreSubDomainAsLowerCase_V2_7_3_Tests
- Apply IntelliJ sanitizations - Make methods static if they can be static [#170083097]
-
Test Refactor - StoreSubDomainAsLowerCase_V2_7_3_Tests
- Use @WithDatabaseContext - Use JUnit5 [#170083097]
Commits on Dec 4, 2019
Commits on Dec 5, 2019
-
use source compatibility in parent project instead
Signed-off-by: Fan Shang Xiang <fanshangxiang@gmail.com>
-
[nostory] Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Test refactor - ClientInfoEndpointTests
- Bump to Junit5 - Stop using init block for setup - Generally prettify Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Refactor - ClientInfoEndpoint uses IdentityZoneManager
Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Using
./gradlew runnow uses ROOT context path- Unit tests pass [#170107012]
Commits on Dec 6, 2019
-
Merge pull request cloudfoundry#1154 from phschon/revocaable_tokens
Add DB index on revocable tokens table
-
Revert "Run UAA at ROOT context - Fix TokenEndpointDocs"
This reverts commit e292390.
-
Revert "Using
./gradlew runnow uses ROOT context path"This reverts commit 46c4762.
Commits on Dec 9, 2019
-
Bump versions.springBootVersion from 2.2.1.RELEASE to 2.2.2.RELEASE
Bumps `versions.springBootVersion` from 2.2.1.RELEASE to 2.2.2.RELEASE. Updates `spring-boot-dependencies` from 2.2.1.RELEASE to 2.2.2.RELEASE - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v2.2.1.RELEASE...v2.2.2.RELEASE) Updates `spring-boot-gradle-plugin` from 2.2.1.RELEASE to 2.2.2.RELEASE - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v2.2.1.RELEASE...v2.2.2.RELEASE) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
-
Merge pull request cloudfoundry#1158 from cloudfoundry/dependabot/gra…
…dle/versions.springBootVersion-2.2.2.RELEASE
Commits on Dec 10, 2019
-
reintroduce set-version.sh script
[#169720342] Signed-off-by: Stephane Jolicoeur <sjolicoeur@pivotal.io> Co-authored-by: Stephane Jolicoeur <sjolicoeur@pivotal.io>
-
add more properties to dynamic configuration. Set default for new properties
-
Minimal server.xml for UAA image
This server.xml should represent the minimal configuration necessary for the UAA to successfully run. Tomcat behavior cannot be configured yet and logging will go to the console for now. Configuration of the UAA, however, is possible by providing the location of the UAA config file via one of the supported environment variables. [#169713142] Signed-off-by: Jeremy Morony <jmorony@pivotal.io>
-
Merge pull request cloudfoundry#1162 from cloudfoundry/features/uaa-i…
…mage-169713142 Minimal server.xml for UAA image
Commits on Dec 11, 2019
-
Bump org.eclipse.jgit from 5.5.1.201910021850-r to 5.6.0.201912101111-r
Bumps org.eclipse.jgit from 5.5.1.201910021850-r to 5.6.0.201912101111-r. Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
-
Merge pull request cloudfoundry#1163 from cloudfoundry/dependabot/gra…
…dle/org.eclipse.jgit-org.eclipse.jgit-5.6.0.201912101111-r
-
Add logging to YamlServletProfileInitializer
- To make it easier to know what's happening in K8s [#169718245] Signed-off-by: Joshua Casey <jcasey@pivotal.io>
-
- Deploys a pinned identity/uaa image digest - No templating / configuration options (yet) [#169718245] Signed-off-by: Joshua Casey <jcasey@pivotal.io> Co-authored-by: Joshua Casey <jcasey@pivotal.io>
-
Do not report tomcat internals in access logs
[#170193262] Signed-off-by: Andrew Wittrock <awittrock@pivotal.io>
-
Named the service port for istio compatibility
- renamed the service [#169718451] Signed-off-by: Joshua Casey <jcasey@pivotal.io> Co-authored-by: Joshua Casey <jcasey@pivotal.io>
Commits on Dec 12, 2019
-
Refactor - YamlServletProfileInitializer
- Use Java Set directly instead of parsing a hardcoded string [#170136573]
-
Refactor - YamlServletProfileInitializer
- Use Streams and Lambdas over imperative - Also - last commit did not preserve order! [#170136573]
-
Refactor - YamlServletProfileInitializer
- Use newlines to make string legible [#170136573]
Commits on Dec 13, 2019
-
Refactor - YamlServletProfileInitializer
- Pull Locations into static final - Because it doesn't change [#170136573]
-
Hardcode reference to env var UAA_CONFIG_YAML
- There's no way to change or set it [#170136573]
-
Fix postgres migration test failure
Using `CREATE INDEX CONCURRENTLY` in our new migration causes flyway to automatically run the migration in `autocommit` mode. `connection.commit()` is only supposed to be called when autocommit mode is off. This change makes our migration test runner able to handle migrations that run in `autocommit` mode. [#169775896] Signed-off-by: Andrew Edstrom <aedstrom@pivotal.io> Co-authored-by: Andrew Edstrom <aedstrom@pivotal.io> Signed-off-by: Andrew Edstrom <aedstrom@pivotal.io>
-
Refactor - SamlServiceProviderEndpoints
- Use inline @qualifier instead of XML definition [nostory]
-
Refactor - @ContextConfiguration
- spring/env.xml works just fine - list can end with "," [nostory]
-
Refactor - YamlServletProfileInitializer
- Remove Dead Code - Not a behavioral change! - ${APPLICATION_CONFIG_URL} and file:${APPLICATION_CONFIG_FILE} would never be checked because the ternary would shortcircuit to true - resources.isEmpty() would always be false because classpath:uaa.yml always exists [#170136573] -
Refactor - YamlServletProfileInitializer
- Use collections and streams instead of CSV and imperative [#170136573]
-
Test Refactor - remove unnecessary @configuration
- @configuration annotation is unnecessary when the class is brought into the Spring Context using @ContextConfiguration [#170295071]
-
Refactor - EncryptionKeyService
- Inline @value for cleaner XML [nostory]
-
Refactor - Remove duplicated @bean Definition
- AccountsController will be brought into the context already via component-scan on line https://github.com/cloudfoundry/uaa/blob/c25774eac882f6c78855f9a56632b2d2bae4add2/server/src/main/resources/spring/login-ui.xml#L516 [nostory]
Commits on Dec 14, 2019
-
Test Refactor - Clean up Test Setup
- Because this will make it easier to Boot [nostory]
Commits on Dec 16, 2019
-
Bump gradle-cargo-plugin from 2.6.1 to 2.6.2
Bumps [gradle-cargo-plugin](https://github.com/bmuschko/gradle-cargo-plugin) from 2.6.1 to 2.6.2. - [Release notes](https://github.com/bmuschko/gradle-cargo-plugin/releases) - [Changelog](https://github.com/bmuschko/gradle-cargo-plugin/blob/master/RELEASE_NOTES.md) - [Commits](https://github.com/bmuschko/gradle-cargo-plugin/commits/2.6.2) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
-
Merge pull request cloudfoundry#1168 from cloudfoundry/dependabot/gra…
…dle/com.bmuschko-gradle-cargo-plugin-2.6.2
-
- Remove Copyright notices - Put in Test dir if applicable [nostory]
-
- Simplify XML files - Prep for Spring Boot [#170299042]
-
- https://hush-house.pivotal.io/teams/cf-uaa/pipelines/uaa-acceptance-gcp/jobs/integration-tests-mysql/builds/36 - One test creates a group that's deleted in the @after, meaning that the group is deleted three times - Something related to b51b55a means that no longer works, but it shouldn't have worked anyways [nostory]
Commits on Dec 17, 2019
-
- Required properties should be put in the constructor [nostory]
-
- Use TimeServiceBean - Mark internals as final and init them in c'tor [nostory]
-
Test Refactor - XFrameOptionsTheories
- Use @DefaultTestContext [nostory]
-
Test Refactor - PollutionPreventionExtensionTests
- Use @DefaultTestContext [nostory][
-
Test Refactor - DefaultTestContext
- Bring helper classes into same file - Reinforces that @DefaultTestContext is what to use [nostory]
Commits on Dec 19, 2019
-
Bump rack from 2.0.1 to 2.0.8 in /uaa/slate
Bumps [rack](https://github.com/rack/rack) from 2.0.1 to 2.0.8. - [Release notes](https://github.com/rack/rack/releases) - [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md) - [Commits](rack/rack@2.0.1...2.0.8) Signed-off-by: dependabot[bot] <support@github.com>
Commits on Dec 20, 2019
-
allow wildcard in port (cloudfoundry#1140)
* allow wildcard in port - during URI normalize the port wildcard info is lost and then laster in match it fails - check therefore only for clientRedirect if port is wildcard and store the info - in match adjust URis with port wildcard * test for default port * do not match if default port * remove space
Commits on Dec 27, 2019
-
Bump guava from 28.1-jre to 28.2-jre
Bumps [guava](https://github.com/google/guava) from 28.1-jre to 28.2-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
-
Merge pull request cloudfoundry#1176 from cloudfoundry/dependabot/gra…
…dle/com.google.guava-guava-28.2-jre
-
Commits on Jan 3, 2020
-
Do not report tomcat internals in error messages
We put the Valve in the wrong spot in our first attempt. Coincidentally, since then the same change was made in the tomcat-cnb's server.xml: https://github.com/cloudfoundry/tomcat-cnb/blob/8ef1890ae95ad5a84adb288bd7cb739001bdcb96/server.xml#L31 [#170193262] Signed-off-by: Andrew Edstrom <aedstrom@pivotal.io> Co-authored-by: Andrew Edstrom <aedstrom@pivotal.io>
-
Format server.xml to match tomcat-cnb's server.xml
We want to keep these two as in-sync as possible: https://github.com/cloudfoundry/tomcat-cnb/blob/master/server.xml [#170193262] Signed-off-by: Andrew Edstrom <aedstrom@pivotal.io> Co-authored-by: Andrew Edstrom <aedstrom@pivotal.io>
Commits on Jan 10, 2020
-
This commit provides a set of matchers to facilitate - shelling out to YTT to generate k8s templates as - parsing the resulting yaml into k8s API structs - matchers for interacting with those structs. [#169718758] Signed-off-by: Joshua Casey <jcasey@pivotal.io>
Commits on Jan 11, 2020
Commits on Jan 12, 2020
-
Touch templates/values/values.yml
This file is required for the tests to pass.
Commits on Jan 13, 2020
-
Bringing the matchers closer to the underlying structure of the parsed YAML. This should ease both the extension of the matchers and their expressiveness.
-
Merge pull request cloudfoundry#1181 from cloudfoundry/chores/matcher…
…-cleanup Chores/matcher cleanup
Commits on Feb 10, 2020
-
Implement multiple modes of issuer claim validation
Some IDPs (e.g. Microsoft) create tokens whose `iss` claim can vary from user to user. Under the current version, UAA was unable to integrate with these providers because it requires a single, specific issuer value to be present. To enable UAA to integrate with providers who do this, we implement different modes for validating the `iss` claim, under the `issuerValidationMode` configuration property for OIDC providers The modes are STRICT The default behaviour. The string in the `iss` claim and the configured issuer URL must match exactly. DOMAIN_ONLY The value of the `iss` claim and the configured issuer URL must be URLs. They are considered to match if their domains match. Subdomains are not considered to match a parent domain.
-
Do not expire invitations on GET requests
At the moment, when the user visits: ``` /invitations/accept?code=some-code ``` the invitation code from their email is immediately expired and replaced with a newly generated code which is put in a hidden input in the HTML form. Each time the user submits the form, the code is expired and (if necessary - e.g. if there's a validation issue) replaced with a new one. This is fine so long as the user fills the form in immediately, but there are a number of edge cases where this approach causes usability problems: 1) If the user refreshes the page it will tell them their invitation has expired. 2) If the user closes the tab without submitting the form, and then follows the invitation link from their email later it will show as expired. 3) If the user's email client or web browser pre-fetches the link for any reason (e.g. virus scanning / spam detection / performance optimisation) then the link will not work when they follow it for real. The third issue is the most serious. We (GOV.UK PaaS) have had some very users working in places that pre-fetch links in emails (for some reason or other), and this means they're completely unable to accept invitations. Judging from the irate support tickets we've had from these users the experience is pretty frustrating. This commit changes the GET request to /invitations/accept so that it does not expire the token (unless the invitation is being auto-accepted). The POST handler is unchanged, so if the user actually submits the form then the token will change (as it did before), even if there's a validation issue that prevents the invitation being accepted. This change fixes the usability issues, and makes the behaviour more consistent with HTTP's semantics (in the sense that GET requests should be "safe" - should not modify the state of the server).
