Merge remote-tracking branch 'origin/develop' into klaus-rebase

.github/workflows/gradle.yml

@@ -19,7 +19,7 @@ jobs:
         java: [ '17' ]
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: 'liberica'
           java-version: ${{ matrix.java }}

.github/workflows/sonarcloud.yml

@@ -16,7 +16,7 @@ jobs:
     if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: 'liberica'
           java-version: '17'

dependencies.gradle

@@ -41,11 +41,11 @@ libraries.bouncyCastlePkix = "org.bouncycastle:bcpkix-jdk18on:${versions.bouncyC
 libraries.bouncyCastleProv = "org.bouncycastle:bcprov-jdk18on:${versions.bouncyCastleVersion}"
 libraries.braveInstrumentationSpringWebmvc = "io.zipkin.brave:brave-instrumentation-spring-webmvc:${versions.braveVersion}"
 libraries.braveContextSlf4j = "io.zipkin.brave:brave-context-slf4j:${versions.braveVersion}"
-libraries.commonsIo = "commons-io:commons-io:2.15.0"
+libraries.commonsIo = "commons-io:commons-io:2.15.1"
 libraries.dumbster = "dumbster:dumbster:1.6"
-libraries.eclipseJgit = "org.eclipse.jgit:org.eclipse.jgit:6.7.0.202309050840-r"
+libraries.eclipseJgit = "org.eclipse.jgit:org.eclipse.jgit:6.8.0.202311291450-r"
 libraries.flywayCore = "org.flywaydb:flyway-core"
-libraries.greenmail = "com.icegreen:greenmail:1.6.14"
+libraries.greenmail = "com.icegreen:greenmail:1.6.15"
 libraries.googleAuth = "com.warrenstrange:googleauth:1.5.0"
 libraries.guava = "com.google.guava:guava:${versions.guavaVersion}"
 libraries.guavaTestLib = "com.google.guava:guava-testlib:${versions.guavaVersion}"
@@ -73,7 +73,7 @@ libraries.mariaJdbcDriver = "org.mariadb.jdbc:mariadb-java-client"
 libraries.mockito = "org.mockito:mockito-core"
 libraries.mockitoJunit5 = "org.mockito:mockito-junit-jupiter"
 libraries.passay = "org.passay:passay:1.6.4"
-libraries.postgresql = "org.postgresql:postgresql:42.7.0"
+libraries.postgresql = "org.postgresql:postgresql:42.7.1"
 libraries.selenium = "org.seleniumhq.selenium:selenium-java:${versions.seleniumVersion}"
 libraries.seleniumHttp = "org.seleniumhq.selenium:selenium-http-jdk-client:${versions.seleniumVersion}"
 libraries.slf4jApi = "org.slf4j:slf4j-api"
@@ -122,13 +122,13 @@ libraries.unboundIdScimSdk = "com.unboundid.product.scim:scim-sdk:1.8.26"
 libraries.velocity = "org.apache.velocity:velocity-engine-core:2.3"
 libraries.xerces = "xerces:xercesImpl:2.12.2"
 libraries.zxing = "com.google.zxing:javase:3.5.2"
-libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt:9.37.1"
-libraries.xmlSecurity = "org.apache.santuario:xmlsec:4.0.0"
+libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt:9.37.3"
+libraries.xmlSecurity = "org.apache.santuario:xmlsec:4.0.1"
 libraries.orgJson = "org.json:json:20231013"
-libraries.spingSamlEsapiDependencyVersion = "org.owasp.esapi:esapi:2.5.2.0"
+libraries.spingSamlEsapiDependencyVersion = "org.owasp.esapi:esapi:2.5.3.1"
 
 // gradle plugins
-libraries.testRetryPlugin = "org.gradle:test-retry-gradle-plugin:1.5.6"
+libraries.testRetryPlugin = "org.gradle:test-retry-gradle-plugin:1.5.8"
 libraries.cargoGradlePlugin = "com.bmuschko:gradle-cargo-plugin:2.9.0"
 libraries.springBootGradlePlugin = "org.springframework.boot:spring-boot-gradle-plugin:${versions.springBootVersion}"
 libraries.springDependencyMangementGradlePlugin = "io.spring.gradle:dependency-management-plugin"

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

server/src/main/java/org/cloudfoundry/identity/uaa/scim/jdbc/JdbcScimGroupProvisioning.java

@@ -166,6 +166,7 @@ void createAndIgnoreDuplicate(final String name, final String zoneId) {
         try {
             create(new ScimGroup(null, name, zoneId), zoneId);
         } catch (ScimResourceAlreadyExistsException ignore) {
+            // ignore
         }
     }
 
@@ -194,14 +195,11 @@ public ScimGroup getByName(String displayName, String zoneId) {
 
     @Override
     public void onApplicationEvent(AbstractUaaEvent event) {
-        if (event instanceof IdentityZoneModifiedEvent) {
-            IdentityZoneModifiedEvent zevent = (IdentityZoneModifiedEvent) event;
-            if (zevent.getEventType() == AuditEventType.IdentityZoneCreatedEvent) {
-                final String zoneId = ((IdentityZone) event.getSource()).getId();
-                getSystemScopes().forEach(
-                        scope -> createAndIgnoreDuplicate(scope, zoneId)
-                );
-            }
+        if (event instanceof IdentityZoneModifiedEvent zevent && zevent.getEventType() == AuditEventType.IdentityZoneCreatedEvent) {
+            final String zoneId = ((IdentityZone) event.getSource()).getId();
+            getSystemScopes().forEach(
+                    scope -> createAndIgnoreDuplicate(scope, zoneId)
+            );
         }
         SystemDeletable.super.onApplicationEvent(event);
     }
@@ -247,6 +245,7 @@ private Set<String> getAllowedUserGroups(String zoneId) {
 
     @Override
     public ScimGroup create(final ScimGroup group, final String zoneId) throws InvalidScimResourceException {
+        validateZoneId(zoneId);
         validateAllowedUserGroups(zoneId, group);
         final String id = UUID.randomUUID().toString();
         logger.debug("creating new group with id: {}", id);
@@ -274,6 +273,7 @@ public ScimGroup update(final String id, final ScimGroup group, final String zon
             ScimResourceNotFoundException {
         validateAllowedUserGroups(zoneId, group);
         try {
+            validateZoneId(zoneId);
             validateGroup(group);
 
             int updated = jdbcTemplate.update(updateGroupSql, ps -> {
@@ -298,6 +298,7 @@ public ScimGroup update(final String id, final ScimGroup group, final String zon
 
     @Override
     public ScimGroup delete(String id, int version, String zoneId) throws ScimResourceNotFoundException {
+        validateZoneId(zoneId);
         ScimGroup group = retrieve(id, zoneId);
         jdbcScimGroupMembershipManager.removeMembersByGroupId(id, zoneId);
         jdbcScimGroupExternalMembershipManager.unmapAll(id, zoneId);
@@ -313,6 +314,7 @@ public ScimGroup delete(String id, int version, String zoneId) throws ScimResour
         return group;
     }
 
+    @Override
     public int deleteByIdentityZone(String zoneId) {
         jdbcTemplate.update(deleteZoneAdminMembershipByZone, IdentityZone.getUaaZoneId(), "zones." + zoneId + ".%");
         jdbcTemplate.update(deleteZoneAdminGroupsByZone, IdentityZone.getUaaZoneId(), "zones." + zoneId + ".%");
@@ -321,6 +323,7 @@ public int deleteByIdentityZone(String zoneId) {
         return jdbcTemplate.update(deleteGroupByZone, zoneId);
     }
 
+    @Override
     public int deleteByOrigin(String origin, String zoneId) {
         jdbcTemplate.update(deleteExternalGroupByProvider, zoneId, origin);
         return jdbcTemplate.update(deleteGroupMembershipByProvider, zoneId, origin);
@@ -332,7 +335,11 @@ public int deleteByUser(String userId, String zoneId) {
     }
 
     private void validateGroup(ScimGroup group) throws ScimResourceConstraintFailedException {
-        if (!hasText(group.getZoneId())) {
+        validateZoneId(group.getZoneId());
+    }
+
+    private void validateZoneId(String zoneId) throws ScimResourceConstraintFailedException {
+        if (!hasText(zoneId)) {
             throw new ScimResourceConstraintFailedException("zoneId is a required field");
         }
     }

server/src/main/java/org/cloudfoundry/identity/uaa/zone/JdbcIdentityZoneProvisioning.java

@@ -50,6 +50,9 @@ public JdbcIdentityZoneProvisioning(final JdbcTemplate jdbcTemplate) {
 
     @Override
     public IdentityZone retrieve(String id) {
+        if (id == null) {
+            throw new ZoneDoesNotExistsException("Zone id cannot be null");
+        }
         try {
             return jdbcTemplate.queryForObject(IDENTITY_ZONE_BY_ID_QUERY_ACTIVE, mapper, id, true);
         } catch (EmptyResultDataAccessException x) {
@@ -59,6 +62,9 @@ public IdentityZone retrieve(String id) {
 
     @Override
     public IdentityZone retrieveIgnoreActiveFlag(String id) {
+        if (id == null) {
+            throw new ZoneDoesNotExistsException("Zone id cannot be null");
+        }
         try {
             return jdbcTemplate.queryForObject(IDENTITY_ZONE_BY_ID_QUERY, mapper, id);
         } catch (EmptyResultDataAccessException x) {
@@ -91,11 +97,7 @@ public IdentityZone create(final IdentityZone identityZone) {
                 ps.setString(5, identityZone.getName());
                 ps.setString(6, identityZone.getSubdomain().toLowerCase());
                 ps.setString(7, identityZone.getDescription());
-                ps.setString(8,
-                        identityZone.getConfig() != null ?
-                                JsonUtils.writeValueAsString(identityZone.getConfig()) :
-                                null
-                );
+                ps.setString(8,identityZone.getConfig() != null ? JsonUtils.writeValueAsString(identityZone.getConfig()) : null);
                 ps.setBoolean(9, identityZone.isActive());
             });
         } catch (DuplicateKeyException e) {
@@ -115,11 +117,7 @@ public IdentityZone update(final IdentityZone identityZone) {
                 ps.setString(3, identityZone.getName());
                 ps.setString(4, identityZone.getSubdomain().toLowerCase());
                 ps.setString(5, identityZone.getDescription());
-                ps.setString(6,
-                        identityZone.getConfig() != null ?
-                                JsonUtils.writeValueAsString(identityZone.getConfig()) :
-                                null
-                );
+                ps.setString(6, identityZone.getConfig() != null ? JsonUtils.writeValueAsString(identityZone.getConfig()) : null);
                 ps.setBoolean(7, identityZone.isActive());
                 ps.setString(8, identityZone.getId().trim());
             });
@@ -163,8 +161,6 @@ public IdentityZone mapRow(ResultSet rs, int rowNum) throws SQLException {
                 }
             }
             identityZone.setActive(rs.getBoolean(9));
-
-
             return identityZone;
         }
     }

server/src/main/resources/templates/web/nav.html

@@ -10,11 +10,11 @@
 </head>
 <th:block layout:fragment="nav">
     <div class="nav">
-        <div class="dropdown-trigger">
+        <button type="button" class="dropdown-trigger" aria-expanded="false" aria-controls="nav-dropdown-content">
             <span sec:authentication="name">user@example.com</span>
             <i class="fa fa-chevron-down"></i>
-        </div>
-        <ul class="dropdown-content">
+        </button>
+        <ul class="dropdown-content" id="nav-dropdown-content">
             <li><a href="/profile" th:href="@{/profile}">Account Settings</a></li>
             <li><a href="/logout.do" th:href="@{/logout.do}">Sign Out</a></li>
         </ul>

server/src/test/java/org/cloudfoundry/identity/uaa/scim/jdbc/JdbcScimGroupProvisioningTests.java

@@ -7,6 +7,7 @@
 import org.cloudfoundry.identity.uaa.scim.ScimGroupMember;
 import org.cloudfoundry.identity.uaa.scim.ScimUser;
 import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
+import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceConstraintFailedException;
 import org.cloudfoundry.identity.uaa.scim.exception.InvalidScimResourceException;
 import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException;
 import org.cloudfoundry.identity.uaa.scim.test.TestUtils;
@@ -45,6 +46,7 @@
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.core.Is.is;
 import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.Mockito.*;
 import static org.springframework.util.StringUtils.hasText;
 
@@ -474,6 +476,36 @@ void sqlInjectionAttack5Fails() {
         );
     }
 
+    @Test
+    void createGroupNullZoneId() {
+        ScimGroup g = new ScimGroup(null, "null", null);
+        g.setDescription("description-create");
+        ScimGroupMember m1 = new ScimGroupMember("m1", ScimGroupMember.Type.USER);
+        ScimGroupMember m2 = new ScimGroupMember("m2", ScimGroupMember.Type.USER);
+        g.setMembers(Arrays.asList(m1, m2));
+        ScimGroup errorGroup = g;
+        assertThrows(ScimResourceConstraintFailedException.class, () -> dao.create(errorGroup, null));
+        g.setZoneId(zoneId);
+        assertThrows(ScimResourceConstraintFailedException.class, () -> dao.create(errorGroup, null));
+        g = dao.create(g, zoneId);
+        assertNotNull(g);
+        assertEquals(zoneId, g.getZoneId());
+    }
+
+    @Test
+    void deleteGroupByOrigin() {
+        ScimGroup g = new ScimGroup(UUID.randomUUID().toString(), "null", zoneId);
+        g.setDescription("description-create");
+        ScimGroupMember m1 = new ScimGroupMember("m1", ScimGroupMember.Type.GROUP);
+        m1.setOrigin("custom-origin");
+        ScimGroupMember m2 = new ScimGroupMember("m2", ScimGroupMember.Type.GROUP);
+        m2.setOrigin("custom-origin");
+        g.setMembers(Arrays.asList(m1, m2));
+        g = dao.create(g, zoneId);
+        dao.deleteByOrigin("custom-origin", zoneId);
+        assertEquals(0, memberships.getMembers(g.getId(), true, zoneId).size());
+    }
+
     private void validateGroupCountInZone(int expected, String zoneId) {
         int existingGroupCount = jdbcTemplate.queryForObject("select count(id) from groups where identity_zone_id='" + zoneId + "'", Integer.class);
         assertEquals(expected, existingGroupCount);

server/src/test/java/org/cloudfoundry/identity/uaa/zone/JdbcIdentityZoneProvisioningTests.java

@@ -16,6 +16,8 @@
 import static org.hamcrest.core.Is.is;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -185,7 +187,7 @@ void testUpdateNonExistentIdentityZone() {
         IdentityZone identityZone = MultitenancyFixture.identityZone(randomValueStringGenerator.generate(), randomValueStringGenerator.generate());
         identityZone.setId(randomValueStringGenerator.generate());
         assertThrows(ZoneDoesNotExistsException.class,
-                () -> jdbcIdentityZoneProvisioning.update(identityZone));
+            () -> jdbcIdentityZoneProvisioning.update(identityZone));
     }
 
     @Test
@@ -296,4 +298,43 @@ void testGetInactiveIdentityZoneIgnoringActiveFlag() {
         assertFalse(retrievedIdZone.isActive());
     }
 
+    @Test
+    void testIdentityZoneRetrieveZoneIdNull() {
+        assertThrows(ZoneDoesNotExistsException.class, () -> jdbcIdentityZoneProvisioning.retrieve(null));
+        assertThrows(ZoneDoesNotExistsException.class, () -> jdbcIdentityZoneProvisioning.retrieveIgnoreActiveFlag(null));
+    }
+
+    @Test
+    void testIdentityZoneUpdateSubDomainSame() {
+        String subDomain = randomValueStringGenerator.generate();
+        IdentityZone identityZone = MultitenancyFixture.identityZone(randomValueStringGenerator.generate(), subDomain);
+        identityZone.setConfig(null);
+        IdentityZone identityZone2 = MultitenancyFixture.identityZone(randomValueStringGenerator.generate(), randomValueStringGenerator.generate());
+
+        IdentityZone createdIdZone = jdbcIdentityZoneProvisioning.create(identityZone);
+        IdentityZone createdIdZone2 = jdbcIdentityZoneProvisioning.create(identityZone2);
+
+        assertNotEquals(createdIdZone.getSubdomain(), createdIdZone2.getSubdomain());
+        createdIdZone2.setConfig(null);
+        createdIdZone2.setSubdomain(subDomain);
+        assertThrows(ZoneAlreadyExistsException.class, () -> jdbcIdentityZoneProvisioning.update(createdIdZone2));
+    }
+
+    @Test
+    void testCreateIdentityZoneInvalidZoneConfigResetConfigIntialValues() {
+        String zoneId = randomValueStringGenerator.generate();
+        IdentityZone identityZone = MultitenancyFixture.identityZone(randomValueStringGenerator.generate(), randomValueStringGenerator.generate());
+        identityZone.setConfig(new IdentityZoneConfiguration(new TokenPolicy(3600, 7200)));
+        IdentityZone createdIdZone = jdbcIdentityZoneProvisioning.create(identityZone);
+        assertNotNull(createdIdZone);
+        assertNotNull(createdIdZone.getConfig());
+        assertEquals(3600, createdIdZone.getConfig().getTokenPolicy().getAccessTokenValidity());
+        // corrupt the config entry
+        jdbcTemplate.update("update identity_zone set config=? where id=?", "invalid", identityZone.getId());
+        // retrieve zone again
+        createdIdZone = jdbcIdentityZoneProvisioning.retrieve(identityZone.getId());
+        assertNotNull(createdIdZone);
+        assertNotNull(createdIdZone.getConfig());
+        assertEquals(-1, createdIdZone.getConfig().getTokenPolicy().getAccessTokenValidity());
+    }
 }

uaa/src/main/webapp/resources/javascripts/nav.js

@@ -2,6 +2,7 @@ $(document).ready(function() {
   $(".dropdown-trigger").click(function() {
     var $el = $(this);
     $el.toggleClass("open");
+    $el.attr('aria-expanded', $el.hasClass("open"));
     $el.next(".dropdown-content").toggleClass("open");
   });
 });

uaa/src/main/webapp/resources/oss/stylesheets/application.css

@@ -8778,9 +8778,15 @@ input {
   color: #9faaad; }
 
 .dropdown-trigger {
+  background: transparent;
+  border: none;
+  color: inherit;
   cursor: pointer;
+  display: block;
   padding: 4px 24px 4px 8px;
-  position: relative; }
+  position: relative;
+  text-align: left;
+  width: 100%; }
 
 .dropdown-content {
   position: absolute;