Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump Spring Dependencies #1611

Merged
merged 1 commit into from
Jul 22, 2021
Merged

Bump Spring Dependencies #1611

merged 1 commit into from
Jul 22, 2021

Conversation

strehle
Copy link
Member

@strehle strehle commented Jul 22, 2021

spring boot 2.4.9
spring framework 5.3.9
tomcat 9.0.50

Related bump with spring boot
🔨 Dependency Upgrades
• Upgrade to AppEngine SDK 1.9.90 #27377
• Upgrade to AspectJ 1.9.7 #27238
• Upgrade to DB2 JDBC 11.5.6.0 #27239
• Upgrade to Dropwizard Metrics 4.1.25 #27378
• Upgrade to Jetty 9.4.43.v20210629 #27241
• Upgrade to Jetty Reactive HTTPClient 1.1.10 #27240
• Upgrade to Johnzon 1.2.14 #27242
• Upgrade to jOOQ 3.14.13 #27379
• Upgrade to Lettuce 6.0.7.RELEASE #27339
• Upgrade to Logback 1.2.4 #27380
• Upgrade to Micrometer 1.6.9 #27340
• Upgrade to MySQL 8.0.26 #27444
• Upgrade to Netty 4.1.66.Final #27381
• Upgrade to Postgresql 42.2.23 #27244
• Upgrade to Reactor 2020.0.9 #27159
• Upgrade to SLF4J 1.7.32 #27445
• Upgrade to Spring AMQP 2.3.10 #27391
• Upgrade to Spring Data 2020.0.11 #27161
• Upgrade to Spring Framework 5.3.9 #27160
• Upgrade to Spring HATEOAS 1.2.8 #27183
• Upgrade to Tomcat 9.0.50 #27245
• Upgrade to Undertow 2.2.9.Final #27446

spring boot 2.4.9
spring framework 5.3.9
tomcat 9.0.50

Related bump with spring boot
🔨 Dependency Upgrades
•	Upgrade to AppEngine SDK 1.9.90 #27377
•	Upgrade to AspectJ 1.9.7 #27238
•	Upgrade to DB2 JDBC 11.5.6.0 #27239
•	Upgrade to Dropwizard Metrics 4.1.25 #27378
•	Upgrade to Jetty 9.4.43.v20210629 #27241
•	Upgrade to Jetty Reactive HTTPClient 1.1.10 #27240
•	Upgrade to Johnzon 1.2.14 #27242
•	Upgrade to jOOQ 3.14.13 #27379
•	Upgrade to Lettuce 6.0.7.RELEASE #27339
•	Upgrade to Logback 1.2.4 #27380
•	Upgrade to Micrometer 1.6.9 #27340
•	Upgrade to MySQL 8.0.26 #27444
•	Upgrade to Netty 4.1.66.Final #27381
•	Upgrade to Postgresql 42.2.23 #27244
•	Upgrade to Reactor 2020.0.9 #27159
•	Upgrade to SLF4J 1.7.32 #27445
•	Upgrade to Spring AMQP 2.3.10 #27391
•	Upgrade to Spring Data 2020.0.11 #27161
•	Upgrade to Spring Framework 5.3.9 #27160
•	Upgrade to Spring HATEOAS 1.2.8 #27183
•	Upgrade to Tomcat 9.0.50 #27245
•	Upgrade to Undertow 2.2.9.Final #27446
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/178973453

The labels on this github issue will be updated when the story is started.

@strehle strehle added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jul 22, 2021
@strehle strehle merged commit a2462e9 into develop Jul 22, 2021
@strehle strehle deleted the spring_249 branch July 22, 2021 11:54
strehle added a commit that referenced this pull request Jul 26, 2021
…direct_uri_path_traversal

# By Joshua Casey (417) and others
# Via GitHub (170) and others
* 'develop' of github.com:cloudfoundry/uaa: (1592 commits)
  Bump passay version 1.6.1 (#1612)
  Bump Spring Dependencies (#1611)
  Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (#1609)
  Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (#1608)
  Add workaround for revoke access dialog from issue #1036 (#1254)
  Bump spring oauth2 version to 2.5.1.RELEASE (#1601)
  Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (#1603)
  Add property option for mail.smtp.ssl.protocols (#1605)
  Add property option for mail.smtp.ssl.protocols (#1604)
  Fix CF-UAA version number
  Bump maven dependencies (#1600)
  Bump Tomcat dependency
  Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (#1599)
  cleanup code from sonar findings and add additional tests
  cleanup code from sonar findings and add additional tests
  More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests
  fix: Open Redirect Security Issue via some UAA endpoints, including logout.do
  BigInteger encoding fixed (#1579)
  Set startStopTimeout to be configurable (#1594)
  switch to StaleUrlCache
  ...

# Conflicts:
#	dependencies.gradle
#	model/build.gradle
#	server/build.gradle
#	server/src/main/java/org/cloudfoundry/identity/uaa/oauth/beans/LegacyRedirectResolver.java
#	uaa/build.gradle
akarollil added a commit to GESoftware-CF/uaa that referenced this pull request Aug 5, 2021
* tag 'v75.6.0':
  Update UAA image reference in k8s deployment template to 75.6.0
  Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639)
  Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638)
  fix generateDocs
  PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606)
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632)
  fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633)
  Do not expire invitations on GET requests (cloudfoundry#1128)
  revert back
  revert to last working
  fix bundle install
  update (cloudfoundry#1627)
  update kramdown 2.3.1 (cloudfoundry#1626)
  Fix bug with origin chooser and selected allowed provider configuration
  update activesupport 5.2.4.3 (cloudfoundry#1625)
  update jquery (cloudfoundry#1618)
  Update Font-Awesome (cloudfoundry#1617)
  Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616)
  rebase
  rebase
  merge develop
  Bump passay version 1.6.1 (cloudfoundry#1612)
  Bump Spring Dependencies (cloudfoundry#1611)
  Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609)
  Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608)
  Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254)
  Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601)
  Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604)
  Fix CF-UAA version number
  Bump maven dependencies (cloudfoundry#1600)
  Bump Tomcat dependency
  Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599)
  cleanup code from sonar findings and add additional tests
  cleanup code from sonar findings and add additional tests
  More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests
  fix: Open Redirect Security Issue via some UAA endpoints, including logout.do
  BigInteger encoding fixed (cloudfoundry#1579)
  Set startStopTimeout to be configurable (cloudfoundry#1594)
  switch to StaleUrlCache
  origin sync
  Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598)
  Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597)
  Bump dependency (cloudfoundry#1596)
  Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562)
  Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322)
  Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550)
  Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586)
  Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582)
  Update dependencies.gradle
  update
  Create dependencies.gradle
  cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics
  Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585)
  Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573)
  Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575)
  Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587)
  Github userUserInfo from local configuration (cloudfoundry#1595)
  Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592)
  Bump Guava Dependencies (cloudfoundry#1581)
  Document the 'userInfoUrl' property for OAuth identity provider config
  Bump Spring Dependencies (cloudfoundry#1591)
  Fix issue 1584
  Test that we redirect when client allows only SAML
  Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368]
  Bump Spring Dependencies (cloudfoundry#1580)
  fix: test token audience claim in an unordered way
  Bump Spring Dependencies (cloudfoundry#1577)
  Bump bouncyCastleVersion from 1.68 to 1.69
  Small improvements for the consent form (cloudfoundry#1561)
  Use Claims class to desrialize the token string.
  feat: output message when DB cannot be initialized
  refactor: extract variable
  formatting: whitespaces
  do not sleep more than 1 minute
  fix: test runner flakes
  fix: authTime can be later than 2037
  Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate
  Backfilled unit test
  Make Java 11 our minimum
  Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572)
  Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch
  Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info
  Various code/spaces improvements
  Implement support for Github OAuth 2.0 provider
  feat: error log on internal error
  feat: validate java version
  Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149
  Fix comment
  Include passcode prompt in json response if discovery or account chooser are enabled
  Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564)
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4
  Return existing records on update failure
  Restore explicit imports.
  login_hint should not automatically bypass discovery logic
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547)
  Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa
  Bump jasmine from 3.6.4 to 3.7.0 in /uaa
  Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s
  Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s
  Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s
  Bump Spring Dependencies (cloudfoundry#1559)
  refactor: extract shared code into helper methods
  Rename variable and test case for clarity
  Invert boolean method to have a more intuitive naming
  Add additional tests
  Only update user if token not issued by UAA
  Fix wrong username mapping on jwt Bearer with UAA token
  Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548)
  Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541)
  Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535)
  Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542)
  refactor: rename
  Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532)
  Dependeny Updagtes (cloudfoundry#1538)
  refactor: implement recommendation from thymeleaf (cloudfoundry#1512)
  Fix typo
  feat: for unit tests, add time out to waiting for DB to start
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc
  Bump dependency
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c
  Add MockMvc Test to show performance improvement
  Fix bug with invalid login_hint on login page
  Move read configurations and parameters to allow earlier decisions
  Restructure login method to not read all IdentityProviders on login_hint
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a
  Added "final" modifier for method-local constant
  better name for matches function
  capitilize first letter of log sentence
  meaningful name for number of url-decode attempts
  javadoc explaining integrity bypass fix
  fix double dot path traversal integrity check bypass
  redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not
  unit tests for redirect_uri path integrity check bypass
  add lombok dependency
  Add PKCE support
akarollil added a commit to GESoftware-CF/uaa that referenced this pull request Aug 5, 2021
* tag 'v75.6.0':
  Update UAA image reference in k8s deployment template to 75.6.0
  Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639)
  Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638)
  fix generateDocs
  PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606)
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632)
  fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633)
  Do not expire invitations on GET requests (cloudfoundry#1128)
  revert back
  revert to last working
  fix bundle install
  update (cloudfoundry#1627)
  update kramdown 2.3.1 (cloudfoundry#1626)
  Fix bug with origin chooser and selected allowed provider configuration
  update activesupport 5.2.4.3 (cloudfoundry#1625)
  update jquery (cloudfoundry#1618)
  Update Font-Awesome (cloudfoundry#1617)
  Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616)
  rebase
  rebase
  merge develop
  Bump passay version 1.6.1 (cloudfoundry#1612)
  Bump Spring Dependencies (cloudfoundry#1611)
  Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609)
  Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608)
  Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254)
  Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601)
  Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604)
  Fix CF-UAA version number
  Bump maven dependencies (cloudfoundry#1600)
  Bump Tomcat dependency
  Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599)
  cleanup code from sonar findings and add additional tests
  cleanup code from sonar findings and add additional tests
  More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests
  fix: Open Redirect Security Issue via some UAA endpoints, including logout.do
  BigInteger encoding fixed (cloudfoundry#1579)
  Set startStopTimeout to be configurable (cloudfoundry#1594)
  switch to StaleUrlCache
  origin sync
  Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598)
  Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597)
  Bump dependency (cloudfoundry#1596)
  Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562)
  Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322)
  Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550)
  Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586)
  Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582)
  Update dependencies.gradle
  update
  Create dependencies.gradle
  cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics
  Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585)
  Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573)
  Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575)
  Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587)
  Github userUserInfo from local configuration (cloudfoundry#1595)
  Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592)
  Bump Guava Dependencies (cloudfoundry#1581)
  Document the 'userInfoUrl' property for OAuth identity provider config
  Bump Spring Dependencies (cloudfoundry#1591)
  Fix issue 1584
  Test that we redirect when client allows only SAML
  Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368]
  Bump Spring Dependencies (cloudfoundry#1580)
  fix: test token audience claim in an unordered way
  Bump Spring Dependencies (cloudfoundry#1577)
  Bump bouncyCastleVersion from 1.68 to 1.69
  Small improvements for the consent form (cloudfoundry#1561)
  Use Claims class to desrialize the token string.
  feat: output message when DB cannot be initialized
  refactor: extract variable
  formatting: whitespaces
  do not sleep more than 1 minute
  fix: test runner flakes
  fix: authTime can be later than 2037
  Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate
  Backfilled unit test
  Make Java 11 our minimum
  Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572)
  Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch
  Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info
  Various code/spaces improvements
  Implement support for Github OAuth 2.0 provider
  feat: error log on internal error
  feat: validate java version
  Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149
  Fix comment
  Include passcode prompt in json response if discovery or account chooser are enabled
  Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564)
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4
  Return existing records on update failure
  Restore explicit imports.
  login_hint should not automatically bypass discovery logic
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547)
  Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa
  Bump jasmine from 3.6.4 to 3.7.0 in /uaa
  Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s
  Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s
  Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s
  Bump Spring Dependencies (cloudfoundry#1559)
  refactor: extract shared code into helper methods
  Rename variable and test case for clarity
  Invert boolean method to have a more intuitive naming
  Add additional tests
  Only update user if token not issued by UAA
  Fix wrong username mapping on jwt Bearer with UAA token
  Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548)
  Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541)
  Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535)
  Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542)
  refactor: rename
  Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532)
  Dependeny Updagtes (cloudfoundry#1538)
  refactor: implement recommendation from thymeleaf (cloudfoundry#1512)
  Fix typo
  feat: for unit tests, add time out to waiting for DB to start
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc
  Bump dependency
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c
  Add MockMvc Test to show performance improvement
  Fix bug with invalid login_hint on login page
  Move read configurations and parameters to allow earlier decisions
  Restructure login method to not read all IdentityProviders on login_hint
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a
  Added "final" modifier for method-local constant
  better name for matches function
  capitilize first letter of log sentence
  meaningful name for number of url-decode attempts
  javadoc explaining integrity bypass fix
  fix double dot path traversal integrity check bypass
  redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not
  unit tests for redirect_uri path integrity check bypass
  add lombok dependency
  Add PKCE support
akarollil added a commit to GESoftware-CF/uaa that referenced this pull request Aug 11, 2021
Conflicts resolved in a gradle build and dependency files, a bunch of
template files, and a couple of tests:

UU dependencies.gradle
UU k8s/templates/values/image.yml
UU server/build.gradle
UU server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
UU server/src/main/resources/templates/web/accounts/email_sent.html
UU server/src/main/resources/templates/web/accounts/new_activation_email.html
UU server/src/main/resources/templates/web/home.html
UU server/src/main/resources/templates/web/idp_discovery/account_chooser.html
UU server/src/main/resources/templates/web/idp_discovery/password.html
UU server/src/test/java/org/cloudfoundry/identity/uaa/oauth/beans/LegacyRedirectResolverTest.java
UU uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java

* master:
  Update UAA image reference in k8s deployment template to 75.6.0
  Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639)
  Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638)
  fix generateDocs
  PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606)
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632)
  fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633)
  Do not expire invitations on GET requests (cloudfoundry#1128)
  revert back
  revert to last working
  fix bundle install
  update (cloudfoundry#1627)
  update kramdown 2.3.1 (cloudfoundry#1626)
  Fix bug with origin chooser and selected allowed provider configuration
  update activesupport 5.2.4.3 (cloudfoundry#1625)
  update jquery (cloudfoundry#1618)
  Update Font-Awesome (cloudfoundry#1617)
  Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616)
  rebase
  rebase
  merge develop
  Bump passay version 1.6.1 (cloudfoundry#1612)
  Bump Spring Dependencies (cloudfoundry#1611)
  Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609)
  Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608)
  Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254)
  Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601)
  Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604)
  Fix CF-UAA version number
  Bump maven dependencies (cloudfoundry#1600)
  Bump Tomcat dependency
  Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599)
  cleanup code from sonar findings and add additional tests
  cleanup code from sonar findings and add additional tests
  More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests
  fix: Open Redirect Security Issue via some UAA endpoints, including logout.do
  BigInteger encoding fixed (cloudfoundry#1579)
  Set startStopTimeout to be configurable (cloudfoundry#1594)
  switch to StaleUrlCache
  origin sync
  Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598)
  Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597)
  Bump dependency (cloudfoundry#1596)
  Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562)
  Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322)
  Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550)
  Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586)
  Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582)
  Update dependencies.gradle
  update
  Create dependencies.gradle
  cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics
  Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585)
  Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573)
  Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575)
  Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587)
  Github userUserInfo from local configuration (cloudfoundry#1595)
  Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592)
  Bump Guava Dependencies (cloudfoundry#1581)
  Document the 'userInfoUrl' property for OAuth identity provider config
  Bump Spring Dependencies (cloudfoundry#1591)
  Fix issue 1584
  Test that we redirect when client allows only SAML
  Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368]
  Bump Spring Dependencies (cloudfoundry#1580)
  fix: test token audience claim in an unordered way
  Bump Spring Dependencies (cloudfoundry#1577)
  Bump bouncyCastleVersion from 1.68 to 1.69
  Small improvements for the consent form (cloudfoundry#1561)
  Use Claims class to desrialize the token string.
  feat: output message when DB cannot be initialized
  refactor: extract variable
  formatting: whitespaces
  do not sleep more than 1 minute
  fix: test runner flakes
  fix: authTime can be later than 2037
  Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate
  Backfilled unit test
  Make Java 11 our minimum
  Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572)
  Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch
  Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info
  Various code/spaces improvements
  Implement support for Github OAuth 2.0 provider
  feat: error log on internal error
  feat: validate java version
  Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149
  Fix comment
  Include passcode prompt in json response if discovery or account chooser are enabled
  Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564)
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4
  Return existing records on update failure
  Restore explicit imports.
  login_hint should not automatically bypass discovery logic
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547)
  Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa
  Bump jasmine from 3.6.4 to 3.7.0 in /uaa
  Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s
  Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s
  Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s
  Bump Spring Dependencies (cloudfoundry#1559)
  refactor: extract shared code into helper methods
  Rename variable and test case for clarity
  Invert boolean method to have a more intuitive naming
  Add additional tests
  Only update user if token not issued by UAA
  Fix wrong username mapping on jwt Bearer with UAA token
  Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548)
  Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541)
  Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535)
  Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542)
  refactor: rename
  Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532)
  Dependeny Updagtes (cloudfoundry#1538)
  refactor: implement recommendation from thymeleaf (cloudfoundry#1512)
  Fix typo
  feat: for unit tests, add time out to waiting for DB to start
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc
  Bump dependency
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c
  Add MockMvc Test to show performance improvement
  Fix bug with invalid login_hint on login page
  Move read configurations and parameters to allow earlier decisions
  Restructure login method to not read all IdentityProviders on login_hint
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a
  Added "final" modifier for method-local constant
  better name for matches function
  capitilize first letter of log sentence
  meaningful name for number of url-decode attempts
  javadoc explaining integrity bypass fix
  fix double dot path traversal integrity check bypass
  redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not
  unit tests for redirect_uri path integrity check bypass
  add lombok dependency
  Add PKCE support
akarollil added a commit to GESoftware-CF/uaa that referenced this pull request Aug 12, 2021
Merge conflicts fixed in the following:

UU uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml
UU uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java

* master:
  Update UAA image reference in k8s deployment template to 75.6.0
  Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1639)
  Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (cloudfoundry#1638)
  fix generateDocs
  PKCE support in IDP (OIDC) proxy authorization flow (cloudfoundry#1606)
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (cloudfoundry#1632)
  fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (cloudfoundry#1633)
  Do not expire invitations on GET requests (cloudfoundry#1128)
  revert back
  revert to last working
  fix bundle install
  update (cloudfoundry#1627)
  update kramdown 2.3.1 (cloudfoundry#1626)
  Fix bug with origin chooser and selected allowed provider configuration
  update activesupport 5.2.4.3 (cloudfoundry#1625)
  update jquery (cloudfoundry#1618)
  Update Font-Awesome (cloudfoundry#1617)
  Bump commons-io from 2.10.0 to 2.11.0 (cloudfoundry#1616)
  rebase
  rebase
  merge develop
  Bump passay version 1.6.1 (cloudfoundry#1612)
  Bump Spring Dependencies (cloudfoundry#1611)
  Bump k8s.io/client-go from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1609)
  Bump k8s.io/apimachinery from 0.21.2 to 0.21.3 in /k8s (cloudfoundry#1608)
  Add workaround for revoke access dialog from issue cloudfoundry#1036 (cloudfoundry#1254)
  Bump spring oauth2 version to 2.5.1.RELEASE (cloudfoundry#1601)
  Bump addressable from 2.5.0 to 2.8.0 in /uaa/slate (cloudfoundry#1603)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1605)
  Add property option for mail.smtp.ssl.protocols (cloudfoundry#1604)
  Fix CF-UAA version number
  Bump maven dependencies (cloudfoundry#1600)
  Bump Tomcat dependency
  Bump github.com/onsi/gomega from 1.13.0 to 1.14.0 in /k8s (cloudfoundry#1599)
  cleanup code from sonar findings and add additional tests
  cleanup code from sonar findings and add additional tests
  More test parameters for UaaUrlUtils.findMatchingRedirectUri() tests
  fix: Open Redirect Security Issue via some UAA endpoints, including logout.do
  BigInteger encoding fixed (cloudfoundry#1579)
  Set startStopTimeout to be configurable (cloudfoundry#1594)
  switch to StaleUrlCache
  origin sync
  Bump jasmine-core from 3.7.1 to 3.8.0 in /uaa (cloudfoundry#1598)
  Bump jasmine from 3.7.0 to 3.8.0 in /uaa (cloudfoundry#1597)
  Bump dependency (cloudfoundry#1596)
  Performance optimation: Prevent expensive duplicate key exception and use upsert instead (cloudfoundry#1562)
  Refactor: query minimal user information everywhere authorities not needed (cloudfoundry#1322)
  Allow to use Account Chooser without Idp Discovery (cloudfoundry#1550)
  Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1586)
  Bump commons-io from 2.7 to 2.10.0 (cloudfoundry#1582)
  Update dependencies.gradle
  update
  Create dependencies.gradle
  cleanup PR - remove orphan class - use new class in all tests - dependency cosmetics
  Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1585)
  Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in /k8s (cloudfoundry#1573)
  Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in /k8s (cloudfoundry#1575)
  Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s (cloudfoundry#1587)
  Github userUserInfo from local configuration (cloudfoundry#1595)
  Add '-Xdebug' jvm args to application container run in cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (cloudfoundry#1592)
  Bump Guava Dependencies (cloudfoundry#1581)
  Document the 'userInfoUrl' property for OAuth identity provider config
  Bump Spring Dependencies (cloudfoundry#1591)
  Fix issue 1584
  Test that we redirect when client allows only SAML
  Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368]
  Bump Spring Dependencies (cloudfoundry#1580)
  fix: test token audience claim in an unordered way
  Bump Spring Dependencies (cloudfoundry#1577)
  Bump bouncyCastleVersion from 1.68 to 1.69
  Small improvements for the consent form (cloudfoundry#1561)
  Use Claims class to desrialize the token string.
  feat: output message when DB cannot be initialized
  refactor: extract variable
  formatting: whitespaces
  do not sleep more than 1 minute
  fix: test runner flakes
  fix: authTime can be later than 2037
  Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate
  Backfilled unit test
  Make Java 11 our minimum
  Additional test cases to verify that ldap bindSecret is not included in the response for the CVE issue where the delete-identity-provider response contained sensitive data #178139149 (cloudfoundry#1572)
  Adjust unit test to new constructor signature, after rebasing on top of the 'develop' branch
  Share common 'userInfoUrl' property between OIDC and OAuth2 config + Use it to fetch OAuth2 user info
  Various code/spaces improvements
  Implement support for Github OAuth 2.0 provider
  feat: error log on internal error
  feat: validate java version
  Fixed the CVE issue where the delete-identity-provider response contains relyingPartySecret value #178139149
  Fix comment
  Include passcode prompt in json response if discovery or account chooser are enabled
  Bump bcprov-jdk15on from 1.66 to 1.67 in /server (cloudfoundry#1564)
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4
  Return existing records on update failure
  Restore explicit imports.
  login_hint should not automatically bypass discovery logic
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/api (cloudfoundry#1544)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /samples/app (cloudfoundry#1546)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server (cloudfoundry#1545)
  Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd (cloudfoundry#1547)
  Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa
  Bump jasmine from 3.6.4 to 3.7.0 in /uaa
  Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s
  Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s
  Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in /k8s
  Bump Spring Dependencies (cloudfoundry#1559)
  refactor: extract shared code into helper methods
  Rename variable and test case for clarity
  Invert boolean method to have a more intuitive naming
  Add additional tests
  Only update user if token not issued by UAA
  Fix wrong username mapping on jwt Bearer with UAA token
  Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa (cloudfoundry#1548)
  Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1541)
  Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in /k8s (cloudfoundry#1535)
  Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (cloudfoundry#1542)
  refactor: rename
  Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in /k8s (cloudfoundry#1532)
  Dependeny Updagtes (cloudfoundry#1538)
  refactor: implement recommendation from thymeleaf (cloudfoundry#1512)
  Fix typo
  feat: for unit tests, add time out to waiting for DB to start
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc
  Bump dependency
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c
  Add MockMvc Test to show performance improvement
  Fix bug with invalid login_hint on login page
  Move read configurations and parameters to allow earlier decisions
  Restructure login method to not read all IdentityProviders on login_hint
  Update UAA image reference in k8s deployment template to cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a
  Added "final" modifier for method-local constant
  better name for matches function
  capitilize first letter of log sentence
  meaningful name for number of url-decode attempts
  javadoc explaining integrity bypass fix
  fix double dot path traversal integrity check bypass
  redirect resolver tests should cover path traversal bypass for both registered paths containing wildcards and those that do not
  unit tests for redirect_uri path integrity check bypass
  add lombok dependency
  Add PKCE support
@cf-gitbot cf-gitbot added delivered accepted Accepted the issue and removed delivered labels May 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
accepted Accepted the issue dependencies Pull requests that update a dependency file java Pull requests that update Java code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants