Release INDIGO IAM v1.10.2

.devcontainer/h2/devcontainer.json

@@ -0,0 +1,40 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/java
+{
+    "name": "IAM Dev Container - H2",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "image": "mcr.microsoft.com/devcontainers/java:1-17-bookworm",
+    "features": {
+        "ghcr.io/devcontainers/features/java:1": {
+            "version": "none",
+            "installMaven": "true",
+            "installGradle": "false"
+        }
+    },
+    // Use 'forwardPorts' to make a list of ports inside the container available locally.
+    "forwardPorts": [
+        8080
+    ],
+    // Use 'postCreateCommand' to run commands after the container is created.
+    // "postCreateCommand": "java -version",
+    // Configure tool-specific properties.
+    "customizations": {
+        "vscode": {
+            "settings": {
+                "java.configuration.updateBuildConfiguration": "automatic",
+                "java.format.settings.url": "https://raw.githubusercontent.com/italiangrid/codestyle/master/eclipse-google-java-codestyle-formatter.xml",
+                "java.format.settings.profile": "GoogleStyle (CNAF)",
+                "maven.settingsFile": ".mvn/cnaf-mirror-settings.xml",
+                "java.configuration.maven.userSettings": ".mvn/cnaf-mirror-settings.xml"
+            },
+            "extensions": [
+                "vmware.vscode-boot-dev-pack"
+            ]
+        }
+    },
+    "containerEnv": {
+        "SPRING_PROFILES_ACTIVE": "h2-test,dev"
+    },
+    // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+    // "remoteUser": "root"
+}

.devcontainer/mysql/compose.yaml

@@ -0,0 +1,25 @@
+services:
+  devcontainer:
+    image: mcr.microsoft.com/devcontainers/java:1-17-bookworm
+    volumes:
+      - ../..:/workspaces/iam
+    network_mode: service:db
+    user: vscode
+    depends_on:
+      - db
+    environment:
+      IAM_DB_HOST: db
+      IAM_DB_NAME: iam
+      IAM_DB_USERNAME: iam
+      IAM_DB_PASSWORD: pwd
+      SPRING_PROFILES_ACTIVE: mysql-test,dev
+    command: sleep infinity
+
+  db:
+    image: mariadb:latest
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: dev
+      MYSQL_DATABASE: iam
+      MYSQL_USER: iam
+      MYSQL_PASSWORD: pwd

.devcontainer/mysql/devcontainer.json

@@ -0,0 +1,40 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/java
+{
+    "name": "IAM Dev Container - MySQL",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "dockerComposeFile": "compose.yaml",
+    "service": "devcontainer",
+    "workspaceFolder": "/workspaces/iam",
+    "shutdownAction": "stopCompose",
+    "features": {
+        "ghcr.io/devcontainers/features/java:1": {
+            "version": "none",
+            "installMaven": "true",
+            "installGradle": "false"
+        }
+    },
+    // Use 'forwardPorts' to make a list of ports inside the container available locally.
+    "forwardPorts": [
+        8080
+    ],
+    // Use 'postCreateCommand' to run commands after the container is created.
+    // "postCreateCommand": "java -version",
+    // Configure tool-specific properties.
+    "customizations": {
+        "vscode": {
+            "settings": {
+                "java.configuration.updateBuildConfiguration": "automatic",
+                "java.format.settings.url": "https://raw.githubusercontent.com/italiangrid/codestyle/master/eclipse-google-java-codestyle-formatter.xml",
+                "java.format.settings.profile": "GoogleStyle (CNAF)",
+                "maven.settingsFile": ".mvn/cnaf-mirror-settings.xml",
+                "java.configuration.maven.userSettings": ".mvn/cnaf-mirror-settings.xml"
+            },
+            "extensions": [
+                "vmware.vscode-boot-dev-pack"
+            ]
+        }
+    },
+    // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+    // "remoteUser": "root"
+}

.mvn/cnaf-mirror-settings.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0  http://maven.apache.org/xsd/settings-1.0.0.xsd">
+    <!--<localRepository>/tmp/m2-repository</localRepository>-->
+    <interactiveMode>false</interactiveMode>
+    <mirrors>
+        <mirror>
+            <id>nexus</id>
+            <name>CNAF maven mirror</name>
+            <url>https://repo.cloud.cnaf.infn.it/repository/maven-public</url>
+            <mirrorOf>*</mirrorOf>
+        </mirror>
+    </mirrors>
+    <profiles>
+    <profile>
+      <id>nexus</id>
+      <repositories>
+        <repository>
+          <id>central</id>
+          <url>http://central</url>
+          <releases><enabled>true</enabled></releases>
+          <snapshots><enabled>true</enabled></snapshots>
+        </repository>
+      </repositories>
+    </profile>
+    </profiles>
+    <activeProfiles>
+        <activeProfile>nexus</activeProfile>
+    </activeProfiles>
+</settings>

.mvn/maven.config

@@ -0,0 +1 @@
+--settings=./.mvn/cnaf-mirror-settings.xml

CHANGELOG.md

@@ -1,5 +1,103 @@
 # Changelog
 
+## 1.10.2 (2024-09-30)
+
+## What's Changed
+
+* Add devcontainer configuration https://github.com/indigo-iam/iam/pull/835
+* Track refresh tokens in access token AUDIT logs https://github.com/indigo-iam/iam/pull/838
+* Combine CERN HR logic with internal life-cycle https://github.com/indigo-iam/iam/pull/844
+
+## 1.10.1 (2024-08-22)
+
+## What's Fixed
+
+* Fix repeated suspensions https://github.com/indigo-iam/iam/pull/831
+* Fix typo in AUDIT log for suspended accounts https://github.com/indigo-iam/iam/pull/832
+* Upgrade AngularJS version https://github.com/indigo-iam/iam/pull/820
+* Fix AUP signature validity https://github.com/indigo-iam/iam/pull/834
+
+## 1.10.0 (2024-08-05)
+
+### What's Changed
+
+* Send an email when client status changes https://github.com/indigo-iam/iam/pull/802
+* Add a statistical anonymous endpoint https://github.com/indigo-iam/iam/pull/790
+* PATCH to change AUP signature time works also for client credentials https://github.com/indigo-iam/iam/pull/804
+* Add AUP and user's lifecycle missing email notifications https://github.com/indigo-iam/iam/pull/787
+* Add groups enrollment logic to be applied after users registration https://github.com/indigo-iam/iam/pull/793
+* Add the organization name in all email notifications subjects https://github.com/indigo-iam/iam/pull/810
+* Improve password quality check https://github.com/indigo-iam/iam/pull/719
+* Allow to totally disable cache https://github.com/indigo-iam/iam/pull/778
+
+### Bug Fixes
+
+* Refresh token flow not allowed for suspended clients https://github.com/indigo-iam/iam/pull/814
+* Update angular-jwt script link https://github.com/indigo-iam/iam/pull/822
+* Fix error 500 on old mitreId user interface https://github.com/indigo-iam/iam/pull/808
+
+### Configuration Fixes
+
+* Prefix all necessary env variables with IAM_ https://github.com/indigo-iam/iam/pull/807
+    * As described into #807, the environment variables `DEFAULT_ACCESS_TOKEN_VALIDITY_SECONDS`, `DEFAULT_DEVICE_CODE_VALIDITY_SECONDS`, `DEFAULT_ID_TOKEN_VALIDITY_SECONDS` and `DEFAULT_REFRESH_TOKEN_VALIDITY_SECONDS` have been renamed with `IAM_` prefix.
+* Fix client track-last-used setting location in .yaml https://github.com/indigo-iam/iam/pull/795
+    * The client's "last-used" tracking has been disabled by default. You can turn it on by setting `IAM_CLIENT_TRACK_LAST_USED` as true. This feature allows administrators to see how many days have last since last token was issued for each client.
+* The `redis-cache.enabled` property has been moved to `cache.redis.enabled`. This property is set by the same environment variable `IAM_REDIS_CACHE_ENABLED` so configurations that relies on this variable are not affected.
+
+### Documentation Fixes
+
+* VOMS-AA replica deployment example provided https://github.com/indigo-iam/iam/pull/729
+
+## 1.9.0 (2024-06-06)
+
+### What's Changed
+
+* Show unrestricted scopes into well-known endpoint https://github.com/indigo-iam/iam/pull/628
+* Fix account lifecycle workflow https://github.com/indigo-iam/iam/pull/746
+* Administrators can disable a client https://github.com/indigo-iam/iam/pull/747
+* Change VOMS warning message when requesting a too long proxy https://github.com/indigo-iam/iam/pull/756
+* VO members can re-sign the AUP at any time https://github.com/indigo-iam/iam/pull/757
+* Add delete signature and sign on behalf https://github.com/indigo-iam/iam/pull/777
+* Increase SAML response skew from 60 to 300 secs https://github.com/indigo-iam/iam/pull/780
+* Multiplatform docker https://github.com/indigo-iam/iam/pull/761
+* (_Experimental_\*) Fix audit log for issued access tokens and add refresh token event https://github.com/indigo-iam/iam/pull/774
+* Fix authorization on SCIM me endpoint https://github.com/indigo-iam/iam/pull/764
+* (_Experimental_\*) Add attributes and managed groups to the SCIM user https://github.com/indigo-iam/iam/pull/764
+* (_Experimental_\*) Add authorities list to SCIM user https://github.com/indigo-iam/iam/pull/788
+* Add last used property to clients https://github.com/indigo-iam/iam/pull/675
+* Display how much time is left to AUP expiry https://github.com/indigo-iam/iam/pull/783
+* Allow to add nickname as attribute during a registration request https://github.com/indigo-iam/iam/pull/789
+
+\* The introduced AUDIT messages and info to the SCIM user must be considered as experimental and they may be changed in next RC/releases in a backward incompatible way
+
+### Notes
+
+SCIM users response can now be extended in order to list also:
+- user's attributes
+- user's authorities
+- user's managed groups
+
+In order to include authorities and|or managed groups into SCIM users details you need to enable them through the following properties:
+
+```
+scim:
+  include_authorities: true
+  include_managed_groups: true
+```
+or through the environment variables:
+
+```
+IAM_SCIM_INCLUDE_AUTHORITIES=true
+IAM_SCIM_INCLUDE_MANAGED_GROUPS=true
+```
+
+Attributes can be included into SCIM user response in the same way the labels are:
+
+```
+scim.include_attributes[0].name=attribute-name
+scim.include_attributes[1].name=another-attribute-name
+```
+
 ## 1.8.4 (2024-03-25)
 
 ### Added
@@ -441,8 +539,6 @@ the interface back as soon as these issues are resolved (#211).
 
 - IAM now depends on MitreID connect v. 1.3.2.cnaf.rc0 (#180)
 
-[iam-docs]: https://indigo-iam.github.io/docs
-
 ## 1.1.0 (2017-9-29)
 
 ### Added
@@ -583,6 +679,7 @@ Dockerhub.
 Documentation on how to build and run the service can be found in the [IAM
 GitBook manual][gitbook-manual] or on [Github][github-doc].
 
+[iam-docs]: https://indigo-iam.github.io/docs
 [iam-image]: https://hub.docker.com/r/indigodatacloud/iam-login-service
 [mitre]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
 [scim]: http://www.simplecloud.info

iam-common/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>it.infn.mw.iam-parent</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.10.1</version>
+    <version>1.10.2</version>
   </parent>
 
   <groupId>it.infn.mw.iam-common</groupId>

iam-login-service/pom.xml

@@ -22,7 +22,7 @@
   <parent>
     <groupId>it.infn.mw.iam-parent</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.10.1</version>
+    <version>1.10.2</version>
   </parent>
 
   <groupId>it.infn.mw.iam-login-service</groupId>

iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java

@@ -94,7 +94,7 @@ public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO l
     handleValidationError(validationResult);
     IamAccount account = service.findByUuid(id).orElseThrow(noSuchAccountError(id));
 
-    service.setLabel(account, converter.entityFromDto(label));
+    service.addLabel(account, converter.entityFromDto(label));
   }
 
   @RequestMapping(method = DELETE)

iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java

@@ -17,18 +17,17 @@
 
 import static it.infn.mw.iam.api.utils.ValidationErrorUtils.stringifyValidationError;
 import static java.lang.String.format;
-import static org.springframework.web.bind.annotation.RequestMethod.PUT;
 
 import java.util.function.Supplier;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageNotReadableException;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.BindingResult;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseStatus;
@@ -53,7 +52,6 @@ public class AccountLifecycleController {
   private final IamAccountService service;
   private final LifecycleProperties properties;
 
-  @Autowired
   public AccountLifecycleController(IamAccountService accountService,
       LifecycleProperties properties) {
     this.service = accountService;
@@ -71,7 +69,7 @@ private void handleValidationError(BindingResult result) {
     }
   }
 
-  @RequestMapping(method = PUT)
+  @PutMapping
   public void setEndTime(@PathVariable String id, @RequestBody @Validated AccountLifecycleDTO dto,
       BindingResult validationResult) {
 

iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java

@@ -29,12 +29,14 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PatchMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -43,6 +45,7 @@
 import it.infn.mw.iam.api.aup.error.AupSignatureNotFoundError;
 import it.infn.mw.iam.api.aup.model.AupSignatureConverter;
 import it.infn.mw.iam.api.aup.model.AupSignatureDTO;
+import it.infn.mw.iam.api.aup.model.AupSignaturePatchRequestDTO;
 import it.infn.mw.iam.api.common.ErrorDTO;
 import it.infn.mw.iam.audit.events.aup.AupSignatureDeletedEvent;
 import it.infn.mw.iam.audit.events.aup.AupSignedEvent;
@@ -71,6 +74,7 @@ public class AupSignatureController {
   private final TimeProvider timeProvider;
   private final ApplicationEventPublisher eventPublisher;
   private final NotificationFactory notificationFactory;
+
   public AupSignatureController(AupSignatureConverter conv, AccountUtils utils,
       IamAupSignatureRepository signatureRepo, IamAupRepository aupRepo, TimeProvider timeProvider,
       ApplicationEventPublisher publisher, NotificationFactory notificationFactory) {
@@ -141,16 +145,19 @@ public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId)
   @ResponseStatus(value = HttpStatus.CREATED)
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public AupSignatureDTO updateSignatureForAccount(@PathVariable String accountId,
+      @RequestBody(required = false) @Validated AupSignaturePatchRequestDTO dto,
       Authentication authentication) throws AccountNotFoundException {
 
     Optional<IamAccount> updaterAccount = accountUtils.getAuthenticatedUserAccount();
 
     IamAccount account = accountUtils.getByAccountId(accountId)
       .orElseThrow(accountNotFoundException(format(ACCOUNT_NOT_FOUND_FOR_ID_MESSAGE, accountId)));
     IamAup aup = aupRepo.findDefaultAup().orElseThrow(aupNotFoundException());
-    Date now = new Date(timeProvider.currentTimeMillis());
 
-    IamAupSignature signature = signatureRepo.createSignatureForAccount(aup, account, now);
+    Date signatureTime =
+        dto == null ? new Date(timeProvider.currentTimeMillis()) : dto.getSignatureTime();
+    IamAupSignature signature =
+        signatureRepo.createSignatureForAccount(aup, account, signatureTime);
 
     String principal = null;