Merge branch 'releases/2.7.0'

Author: pivotal

build.gradle

@@ -231,8 +231,12 @@ task resetCoverage(type: Delete) {
 
 apply plugin: 'cargo'
 
+task cleanCargoConfDir {
+  delete file(System.getenv('TMPDIR') + '/cargo/conf')
+}
+
 cargoStartLocal.dependsOn assemble, prepareDatabase
-cargoRunLocal.dependsOn assemble
+cargoRunLocal.dependsOn cleanCargoConfDir, assemble
 
 task flushCoverageData(type: Exec) {
   commandLine "curl", "-s", "-v", "-X", "POST", "http://localhost:8080/uaa/healthz/coverage/flush"

common/src/main/java/org/cloudfoundry/identity/uaa/AbstractIdentityProviderDefinition.java

@@ -0,0 +1,32 @@
+/*
+ * *****************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * *****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa;
+
+import java.util.List;
+
+public abstract class AbstractIdentityProviderDefinition {
+    public static final String EMAIL_DOMAIN_ATTR = "emailDomain";
+
+    private List<String> emailDomain;
+
+    public List<String> getEmailDomain() {
+        return emailDomain;
+    }
+
+    public AbstractIdentityProviderDefinition setEmailDomain(List<String> emailDomain) {
+        this.emailDomain = emailDomain;
+        return this;
+    }
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/Origin.java

@@ -1,3 +1,15 @@
+/*******************************************************************************
+ *     Cloud Foundry
+ *     Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *     You may not use this product except in compliance with the License.
+ *
+ *     This product includes a number of subcomponents with
+ *     separate copyright notices and license terms. Your use of these
+ *     subcomponents is subject to the terms and conditions of the
+ *     subcomponent's license, as noted in the LICENSE file.
+ *******************************************************************************/
 package org.cloudfoundry.identity.uaa.authentication;
 
 import org.cloudfoundry.identity.uaa.oauth.RemoteUserAuthentication;
@@ -7,9 +19,6 @@
 
 import java.lang.reflect.Method;
 
-/**
- * Created by fhanik on 6/4/14.
- */
 public class Origin {
 
     public static final String ORIGIN = "origin";
@@ -19,6 +28,7 @@ public class Origin {
     public static final String KEYSTONE = "keystone";
     public static final String SAML = "saml";
     public static final String NotANumber = "NaN";
+    public static final String UNKNOWN = "unknown";
 
 
     public static String getUserId(Authentication authentication) {

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/login/LoginInfoEndpoint.java

@@ -23,13 +23,13 @@
 import org.cloudfoundry.identity.uaa.login.AutologinRequest;
 import org.cloudfoundry.identity.uaa.login.AutologinResponse;
 import org.cloudfoundry.identity.uaa.login.PasscodeInformation;
-import org.cloudfoundry.identity.uaa.login.saml.IdentityProviderConfigurator;
-import org.cloudfoundry.identity.uaa.login.saml.IdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.login.saml.LoginSamlAuthenticationToken;
+import org.cloudfoundry.identity.uaa.login.saml.SamlIdentityProviderConfigurator;
+import org.cloudfoundry.identity.uaa.login.saml.SamlIdentityProviderDefinition;
+import org.cloudfoundry.identity.uaa.login.saml.SamlRedirectUtils;
 import org.cloudfoundry.identity.uaa.user.UaaAuthority;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
-import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.springframework.core.env.Environment;
 import org.springframework.core.io.support.PropertiesLoaderUtils;
@@ -40,6 +40,7 @@
 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.NoSuchClientException;
 import org.springframework.security.web.savedrequest.SavedRequest;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -50,7 +51,6 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
-import org.springframework.web.util.UriComponentsBuilder;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -97,7 +97,7 @@ public class LoginInfoEndpoint {
 
     protected Environment environment;
 
-    private IdentityProviderConfigurator idpDefinitions;
+    private SamlIdentityProviderConfigurator idpDefinitions;
 
     private long codeExpirationMillis = 5 * 60 * 1000;
 
@@ -118,7 +118,7 @@ public void setCodeExpirationMillis(long codeExpirationMillis) {
         this.codeExpirationMillis = codeExpirationMillis;
     }
 
-    public void setIdpDefinitions(IdentityProviderConfigurator idpDefinitions) {
+    public void setIdpDefinitions(SamlIdentityProviderConfigurator idpDefinitions) {
         this.idpDefinitions = idpDefinitions;
     }
 
@@ -193,11 +193,7 @@ public String invalidRequest(HttpServletRequest request) {
     }
 
     protected String getZonifiedEntityId() {
-        if (UaaUrlUtils.isUrl(entityID)) {
-            return UaaUrlUtils.addSubdomainToUrl(entityID);
-        } else {
-            return UaaUrlUtils.getSubdomain()+entityID;
-        }
+        return SamlRedirectUtils.getZonifiedEntityId(entityID);
     }
 
     private String login(Model model, Principal principal, List<String> excludedPrompts, boolean nonHtml) {
@@ -208,7 +204,7 @@ private String login(Model model, Principal principal, List<String> excludedProm
         HttpSession session = request != null ? request.getSession(false) : null;
         List<String> allowedIdps = getAllowedIdps(session);
 
-        List<IdentityProviderDefinition> idps = getIdentityProviderDefinitions(allowedIdps);
+        List<SamlIdentityProviderDefinition> idps = getSamlIdentityProviderDefinitions(allowedIdps);
 
         boolean fieldUsernameShow = true;
 
@@ -218,12 +214,8 @@ private String login(Model model, Principal principal, List<String> excludedProm
             allowedIdps.contains(Origin.KEYSTONE)) {
             fieldUsernameShow = true;
         } else if (idps!=null && idps.size()==1) {
-            UriComponentsBuilder builder = UriComponentsBuilder.fromPath("saml/discovery");
-            builder.queryParam("returnIDParam", "idp");
-            builder.queryParam("entityID", getZonifiedEntityId());
-            builder.queryParam("idp", idps.get(0).getIdpEntityAlias());
-            builder.queryParam("isPassive", "true");
-            return "redirect:" + builder.build().toUriString();
+            String url = SamlRedirectUtils.getIdpRedirectUrl(idps.get(0), entityID);
+            return "redirect:" + url;
         } else {
             fieldUsernameShow = false;
         }
@@ -241,7 +233,7 @@ private String login(Model model, Principal principal, List<String> excludedProm
         // Entity ID to start the discovery
         model.addAttribute("entityID", getZonifiedEntityId());
         model.addAttribute("idpDefinitions", idps);
-        for (IdentityProviderDefinition idp : idps) {
+        for (SamlIdentityProviderDefinition idp : idps) {
             if(idp.isShowSamlLink()) {
                 model.addAttribute("showSamlLoginLinks", true);
                 noSamlIdpsPresent = false;
@@ -282,7 +274,7 @@ private String login(Model model, Principal principal, List<String> excludedProm
         return "home";
     }
 
-    protected List<IdentityProviderDefinition> getIdentityProviderDefinitions(List<String> allowedIdps) {
+    protected List<SamlIdentityProviderDefinition> getSamlIdentityProviderDefinitions(List<String> allowedIdps) {
         return idpDefinitions.getIdentityProviderDefinitions(allowedIdps, IdentityZoneHolder.get());
     }
 
@@ -305,8 +297,12 @@ public List<String> getAllowedIdps(HttpSession session) {
         }
         SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST");
         String[] client_ids = savedRequest.getParameterValues("client_id");
-        ClientDetails clientDetails = clientDetailsService.loadClientByClientId(client_ids[0]);
-        return (List<String>) clientDetails.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS);
+        try {
+            ClientDetails clientDetails = clientDetailsService.loadClientByClientId(client_ids[0]);
+            return (List<String>) clientDetails.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS);
+        }catch (NoSuchClientException x) {
+            return null;
+        }
     }
 
     private void setCommitInfo(Model model) {

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/AuthEvent.java

@@ -19,11 +19,18 @@
  */
 abstract public class AuthEvent extends ApplicationEvent {
 
-    public AuthEvent(UaaUser user) {
+    private boolean userModified = true;
+
+    public AuthEvent(UaaUser user, boolean userUpdated) {
         super(user);
+        this.userModified = userUpdated;
     }
 
     public UaaUser getUser() {
         return (UaaUser) source;
     }
+
+    public boolean isUserModified() {
+        return userModified;
+    }
 }

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalGroupAuthorizationEvent.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -13,7 +13,6 @@
 
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
-import org.cloudfoundry.identity.uaa.authentication.Origin;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
 import org.springframework.security.core.GrantedAuthority;
 
@@ -29,8 +28,8 @@ public Collection<? extends GrantedAuthority> getExternalAuthorities() {
 
     private boolean addGroups = false;
 
-    public ExternalGroupAuthorizationEvent(UaaUser user, Collection<? extends GrantedAuthority> externalAuthorities, boolean addGroups) {
-        super(user);
+    public ExternalGroupAuthorizationEvent(UaaUser user, boolean userModified, Collection<? extends GrantedAuthority> externalAuthorities, boolean addGroups) {
+        super(user, userModified);
         this.addGroups = addGroups;
         this.externalAuthorities = externalAuthorities;
     }

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java

@@ -17,6 +17,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.cloudfoundry.identity.uaa.authentication.Origin;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
 import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
@@ -34,6 +35,7 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -106,7 +108,12 @@ public Authentication authenticate(Authentication request) throws Authentication
         }
         if (addnew) {
             // Register new users automatically
-            publish(new NewUserAuthenticatedEvent(user));
+            if (isInvite()) {
+                user = user.modifyId(((UaaPrincipal)SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getId());
+                publish(new InvitedUserAuthenticatedEvent(user));
+            } else {
+                publish(new NewUserAuthenticatedEvent(user));
+            }
             try {
                 user = userDatabase.retrieveUserByName(user.getUsername(), getOrigin());
             } catch (UsernameNotFoundException ex) {
@@ -127,6 +134,15 @@ public Authentication authenticate(Authentication request) throws Authentication
         return success;
     }
 
+    protected boolean isInvite() {
+        Authentication a = SecurityContextHolder.getContext().getAuthentication();
+        return (
+            a != null &&
+            a.getPrincipal() instanceof UaaPrincipal &&
+            Origin.UNKNOWN.equals(((UaaPrincipal)a.getPrincipal()).getOrigin())
+        );
+    }
+
     protected Map<String,String> getExtendedAuthorizationInfo(Authentication auth) {
         Object details = auth.getDetails();
         if (details!=null && details instanceof UaaAuthenticationDetails) {

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/InvitedUserAuthenticatedEvent.java

@@ -0,0 +1,24 @@
+/*
+ * *****************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * *****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.authentication.manager;
+
+import org.cloudfoundry.identity.uaa.user.UaaUser;
+
+public class InvitedUserAuthenticatedEvent extends AuthEvent {
+
+    public InvitedUserAuthenticatedEvent(UaaUser user) {
+        super(user, true);
+    }
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/LdapLoginAuthenticationManager.java

@@ -70,15 +70,17 @@ protected String getEmail(UaaUser user, LdapUserDetails details) {
 
     @Override
     protected UaaUser userAuthenticated(Authentication request, UaaUser user) {
+        boolean userModified = false;
         //we must check and see if the email address has changed between authentications
         if (request.getPrincipal() !=null && request.getPrincipal() instanceof ExtendedLdapUserDetails) {
             ExtendedLdapUserDetails details = (ExtendedLdapUserDetails)request.getPrincipal();
             UaaUser fromRequest = getUser(details, getExtendedAuthorizationInfo(request));
             if (fromRequest.getEmail()!=null && !fromRequest.getEmail().equals(user.getEmail())) {
                 user = user.modifyEmail(fromRequest.getEmail());
+                userModified = true;
             }
         }
-        ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(user, request.getAuthorities(), isAutoAddAuthorities());
+        ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(user, userModified, request.getAuthorities(), isAutoAddAuthorities());
         publish(event);
         return getUserDatabase().retrieveUserById(user.getId());
     }
@@ -92,4 +94,4 @@ public void setAutoAddAuthorities(boolean autoAddAuthorities) {
     }
 
 
-}
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/NewUserAuthenticatedEvent.java

@@ -22,6 +22,6 @@
 public class NewUserAuthenticatedEvent extends AuthEvent {
 
     public NewUserAuthenticatedEvent(UaaUser user) {
-        super(user);
+        super(user, true);
     }
 }