Upgrade to OpenSAML 4.3.0 (shadowed) (elastic#98199)

This commit upgrades to OpenSAML v4.3.0 Versions of OpenSAML ≥ 4.1 have a hard dependency on the non-FIPS release of BouncyCastle. This would prevent ES from being able to run in a JVM where BC-FIPS is configured as the security provider. Closes: elastic#71983 Co-authored-by: Tim Vernum [email protected]
albertzaharovits · Aug 23, 2023 · 88b7e84 · 88b7e84
1 parent 0321e82
commit 88b7e84
Show file tree

Hide file tree

Showing 11 changed files with 376 additions and 37 deletions.
diff --git a/build-tools-internal/version.properties b/build-tools-internal/version.properties
@@ -26,7 +26,7 @@ antlr4            = 4.11.1
 #  - x-pack/plugin/security
 bouncycastle=1.64
 # used by security and idp (need to be in sync due to cross-dependency in testing)
-opensaml = 4.0.1
+opensaml = 4.3.0
 
 # client dependencies
 httpclient        = 4.5.13

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -1554,6 +1554,11 @@
             <sha256 value="f2b3736df2c425e146d38ce66511318d3dfbc631a9cc58102ed5e574aae5a994" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="net.shibboleth.utilities" name="java-support" version="8.4.0">
+         <artifact name="java-support-8.4.0.jar">
+            <sha256 value="12e5e24259a642eb978ab08388b86b1e566fc99f6aba2b4e1dc5ffcba933708a" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="net.sourceforge.csvjdbc" name="csvjdbc" version="1.0.34">
          <artifact name="csvjdbc-1.0.34.jar">
             <sha256 value="0a4aa0f2606bd6292a7ccd7d67a0db914bf5874dfb8a6184df3e6d63cdc93702" origin="Generated by Gradle"/>
@@ -2693,6 +2698,11 @@
             <sha256 value="75b6f42147bc8e8718a764821439937fee224a8322ac43ff0b2b406edd7f5c2b" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.santuario" name="xmlsec" version="2.3.2">
+         <artifact name="xmlsec-2.3.2.jar">
+            <sha256 value="cbb3298af5d128cf3a200f09cfaaa045507ed57a61692589f9f52f81839dc800" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.servicemix.bundles" name="org.apache.servicemix.bundles.antlr" version="2.7.7_5">
          <artifact name="org.apache.servicemix.bundles.antlr-2.7.7_5.jar">
             <sha256 value="3902794d36d9b81da1b7e697f21ed04ccae276cc116eecc640a4cd0fff2691f2" origin="Generated by Gradle"/>
@@ -2946,6 +2956,11 @@
             <sha256 value="97feff80494a54f1b5001f6f4bbdbd45cb64ccbb2dffeb679da9da9be0434b07" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.cryptacular" name="cryptacular" version="1.2.5">
+         <artifact name="cryptacular-1.2.5.jar">
+            <sha256 value="c600d1ae61b5b0ff1391e00eb6fb390201e4612c3aaf2dc1b94050c8784840be" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.eclipse.jdt" name="ecj" version="3.33.0">
          <artifact name="ecj-3.33.0.jar">
             <sha256 value="f7686c4960cf70c2ebc5c500a73a8cfc04541b730c18f1c5c21329889b137f45" origin="Generated by Gradle"/>
@@ -3466,76 +3481,151 @@
             <sha256 value="27cb366feea67ed897ab01db931403b0413a2de81b930058615e354636c6a14d" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-core" version="4.3.0">
+         <artifact name="opensaml-core-4.3.0.jar">
+            <sha256 value="baf7a322faa0fbf99b33543cde8fe7a73c2f00f5ee121703b098179e53c3ce62" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-messaging-api" version="4.0.1">
          <artifact name="opensaml-messaging-api-4.0.1.jar">
             <sha256 value="6cf18a9f442d4b2de49141cc59ffcd43270e8997d42f5205f0da1af820b957c6" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-messaging-api" version="4.3.0">
+         <artifact name="opensaml-messaging-api-4.3.0.jar">
+            <sha256 value="70edf41e14e312299a69b651c02d306f8f04f0e5b8f46b6488379e49deee9056" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-messaging-impl" version="4.0.1">
          <artifact name="opensaml-messaging-impl-4.0.1.jar">
             <sha256 value="c38ae97fcdc2c34117fbe9be50bd3137f2cc135310c122dc873d24a103781068" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-messaging-impl" version="4.3.0">
+         <artifact name="opensaml-messaging-impl-4.3.0.jar">
+            <sha256 value="b646d6d2be07dab5d2ce4d53b615be1d2ca01f98ab947d39e803e02500f0dbab" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-profile-api" version="4.0.1">
          <artifact name="opensaml-profile-api-4.0.1.jar">
             <sha256 value="8f17feced30d1eada279e38efe644748a99261e0559a52e3ec29d037b2ed053e" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-profile-api" version="4.3.0">
+         <artifact name="opensaml-profile-api-4.3.0.jar">
+            <sha256 value="4c7b3e526b2d7b3cb00150b23e72c51d11e64dd3d0abe5bc9c126e018214edfb" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-profile-impl" version="4.0.1">
          <artifact name="opensaml-profile-impl-4.0.1.jar">
             <sha256 value="998e253b940f0609e865e6229c6371f8cca8bfa5695ef98f223e3914acd9a2c7" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-profile-impl" version="4.3.0">
+         <artifact name="opensaml-profile-impl-4.3.0.jar">
+            <sha256 value="65082e1269e9ddd315365be75e526f6476b83738980836a63227ebd8551b0586" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-saml-api" version="4.0.1">
          <artifact name="opensaml-saml-api-4.0.1.jar">
             <sha256 value="378814892eab03403350b7e710d0d5c0d15bb40e16f8e3ac97332479c4645b95" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-saml-api" version="4.3.0">
+         <artifact name="opensaml-saml-api-4.3.0.jar">
+            <sha256 value="63adb283408134d179711fed24c90aa70561f7f1bfa2e399dc04270a7aaaa588" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-saml-impl" version="4.0.1">
          <artifact name="opensaml-saml-impl-4.0.1.jar">
             <sha256 value="0dabbffb98a904a90fe3f7b90e1ae0a9a0999df98bca464635ba16d8114e565d" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-saml-impl" version="4.3.0">
+         <artifact name="opensaml-saml-impl-4.3.0.jar">
+            <sha256 value="94c0d58d85298c8f3e8bc2f71cbf8a34ff2895f6b8f6b5983fee052480dca4ca" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-security-api" version="4.0.1">
          <artifact name="opensaml-security-api-4.0.1.jar">
             <sha256 value="a2f4b98e6adba6cfdfc59480a2f9ba2744f879fc3e0c960a006be51e8ebf9a07" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-security-api" version="4.3.0">
+         <artifact name="opensaml-security-api-4.3.0.jar">
+            <sha256 value="77024cf8aa54e5e7321befe99efc618d47cd476756024d3a028ab9b2fcebf5d0" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-security-impl" version="4.0.1">
          <artifact name="opensaml-security-impl-4.0.1.jar">
             <sha256 value="e0c93010064548e2b03883802c0dc76ffe56da16dbf45710db47cef4f9e42a9b" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-security-impl" version="4.3.0">
+         <artifact name="opensaml-security-impl-4.3.0.jar">
+            <sha256 value="566f93514c3c966bb5d22907030c66943cf4bb75923177f73922f9da341d5542" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-soap-api" version="4.0.1">
          <artifact name="opensaml-soap-api-4.0.1.jar">
             <sha256 value="e02843ec8e4790a0291c560361ad657e5069a3c1a7b9b187bd0febd565a6d13e" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-soap-api" version="4.3.0">
+         <artifact name="opensaml-soap-api-4.3.0.jar">
+            <sha256 value="1cf4a5892172161e959898e43b44554a6aecd479fff6ef5e95ad7f20f2cffe02" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-soap-impl" version="4.0.1">
          <artifact name="opensaml-soap-impl-4.0.1.jar">
             <sha256 value="a42c0f6043e11b905b262e3f5d08ebf76804f074078c3d217584cfe82380d3f1" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-soap-impl" version="4.3.0">
+         <artifact name="opensaml-soap-impl-4.3.0.jar">
+            <sha256 value="b95692888edd5637fd1285bc60a5826fe925a615146a5ce92178b0ba6d1ddce1" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-storage-api" version="4.0.1">
          <artifact name="opensaml-storage-api-4.0.1.jar">
             <sha256 value="d5f1126381c72bf8285e33ebaf392855cd7e64ca2093122f48c4ee696f4e675f" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-storage-api" version="4.3.0">
+         <artifact name="opensaml-storage-api-4.3.0.jar">
+            <sha256 value="60278a401c1aa30792ae19da7c51c68c7d1f5fe007723224d0934661a2bd986b" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-storage-impl" version="4.0.1">
          <artifact name="opensaml-storage-impl-4.0.1.jar">
             <sha256 value="79ee04bc3deb41589b5ac9238ffa7e5c1ae48613eb70f45007f912febb1689f9" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-storage-impl" version="4.3.0">
+         <artifact name="opensaml-storage-impl-4.3.0.jar">
+            <sha256 value="2a362462a935641887493bda429783c4cdf52fc827c050083aece3c3131942eb" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-xmlsec-api" version="4.0.1">
          <artifact name="opensaml-xmlsec-api-4.0.1.jar">
             <sha256 value="2a5b45bf218917a0bd3314ff4d02ccd95aec815cac2f1a8c597c843486ea8cc1" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-xmlsec-api" version="4.3.0">
+         <artifact name="opensaml-xmlsec-api-4.3.0.jar">
+            <sha256 value="db60d224ae7b0740c38bca1bfb3ada0e87ba0e680ebc2f5fe5b16ea863d3f2ca" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opensaml" name="opensaml-xmlsec-impl" version="4.0.1">
          <artifact name="opensaml-xmlsec-impl-4.0.1.jar">
             <sha256 value="ed223bb4fc989466836bac5686050d4cb2707db25c9f629c7aca5723b6cca8e8" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.opensaml" name="opensaml-xmlsec-impl" version="4.3.0">
+         <artifact name="opensaml-xmlsec-impl-4.3.0.jar">
+            <sha256 value="da3b2b2aed7a3182edd0d006b685c729ed8beb04b3304667d9fcd62975446611" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.opentest4j" name="opentest4j" version="1.2.0">
          <artifact name="opentest4j-1.2.0.jar">
             <sha256 value="58812de60898d976fb81ef3b62da05c6604c18fd4a249f5044282479fc286af2" origin="Generated by Gradle"/>

diff --git a/settings.gradle b/settings.gradle
@@ -147,6 +147,7 @@ addSubProjects('', new File(rootProject.projectDir, 'plugins'))
 addSubProjects('', new File(rootProject.projectDir, 'qa'))
 addSubProjects('test', new File(rootProject.projectDir, 'test/external-modules'))
 addSubProjects('', new File(rootProject.projectDir, 'x-pack'))
+addSubProjects('', new File(rootProject.projectDir, 'x-pack/libs'))
 
 include projects.toArray(new String[0])
 

diff --git a/x-pack/libs/build.gradle b/x-pack/libs/build.gradle
diff --git a/x-pack/libs/es-opensaml-security-api/build.gradle b/x-pack/libs/es-opensaml-security-api/build.gradle
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+apply plugin: 'elasticsearch.build'
+apply plugin: 'com.github.johnrengelman.shadow'
+
+dependencies {
+  implementation "org.opensaml:opensaml-security-api:${versions.opensaml}"
+  compileOnly "org.opensaml:opensaml-core:${versions.opensaml}"
+}
+
+['jarHell', 'thirdPartyAudit', 'splitPackagesAudit', 'forbiddenApisMain', 'licenseHeaders' ].each {
+  tasks.named(it).configure {
+    enabled = false
+  }
+}
+
+tasks.named("dependencyLicenses").configure {
+  mapping from: /opensaml-.*/, to: 'shibboleth'
+}
+
+tasks.named("shadowJar").configure {
+  manifest {
+    attributes 'Automatic-Module-Name': 'org.opensaml.security'
+  }
+  exclude 'META-INF/services/org.opensaml.security.crypto.ec.NamedCurve'
+}