Merge pull request #666 from indigo-iam/develop

INDIGO IAM v1.8.3 release

.github/workflows/sonar.yaml

@@ -1,6 +1,9 @@
 name: Sonar analysis
 
-on: 
+on:
+  push:
+    branches:
+      - develop
   pull_request:
     types: [opened, edited, reopened, synchronize]
 
@@ -28,7 +31,7 @@ jobs:
     - name: Sonar analysis
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_VIANELLO }}
       run: mvn -B -U install sonar:sonar 
             -Dsonar.projectKey=indigo-iam_iam 
             -Dsonar.organization=indigo-iam 

CHANGELOG.md

@@ -1,5 +1,103 @@
 # Changelog
 
+## 1.8.3 (2023-10-30)
+
+### Recommendations
+It is **strongly** recommended to **make a backup of your database** before upgrading to v1.8.3 because several migrations are planned. Also, remember that for updates from versions prior to v1.7.2 you **must** first upgrade to v1.7.2.
+The migration to v1.8.3 will take an amount of time which will be proportional to the amount of currently active access tokens. This means that if you are deploying IAM with some kind of liveness and readiness probes, it's probably better to **switch them off** before upgrading. This migration may take a long **time.**
+
+### Changed
+* Save access token value as an hash in order to use lighter db indexes and avoid conflicts by @rmiccoli in https://github.com/indigo-iam/iam/pull/613
+* Avoid upper case characters into VO names by @SteDev2 in https://github.com/indigo-iam/iam/pull/616
+* Enable Redis scope matchers and well-known endpoint caching by @federicaagostini in https://github.com/indigo-iam/iam/pull/633
+* Consider scope matcher based on string equality for custom scopes by @rmiccoli in https://github.com/indigo-iam/iam/pull/642
+
+### Added
+* Add SCIM endpoint entry to well-known endpoint by @federicaagostini in https://github.com/indigo-iam/iam/pull/631
+* Update account AUP signature time via API by @rmiccoli in https://github.com/indigo-iam/iam/pull/608
+* Add new JWT profile that rename 'groups' claim with 'roles' by @enricovianello in https://github.com/indigo-iam/iam/pull/637
+* Add support for displaying specific language name in federation Metadata by @Sae126V in https://github.com/indigo-iam/iam/pull/640
+* Add missing "Reuse refresh token" box within client management page  by @rmiccoli in https://github.com/indigo-iam/iam/pull/650
+* Add missing foreign keys to the database by @enricovianello, @rmiccoli in https://github.com/indigo-iam/iam/pull/632, https://github.com/indigo-iam/iam/pull/659
+* Add OpenID Connect standard claims in ATs for WLCG JWT profile by @rmiccoli in https://github.com/indigo-iam/iam/pull/651
+
+### Fixed
+* Allow to add certificates with the same subject DN by @rmiccoli in https://github.com/indigo-iam/iam/pull/624
+* Delete unsupported response types by @rmiccoli in https://github.com/indigo-iam/iam/pull/610
+* Fix management of tokens lifetime following RFC9068 by @federicaagostini in https://github.com/indigo-iam/iam/pull/620
+* Fix CERN Restore workflow by @hannahshort in https://github.com/indigo-iam/iam/pull/645
+* Fix authz code flow with PKCE for IAM test client application by @rmiccoli in https://github.com/indigo-iam/iam/pull/653
+* Fix authorization on IAM APIs such to avoid cases where access is granted to already approved scopes instead of effective token scopes by @enricovianello in https://github.com/indigo-iam/iam/pull/664
+
+## 1.8.2p2 (2023-09-21)
+
+This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53.
+
+## 1.8.2p1 (2023-07-04)
+
+### Fixes
+
+This release fixes an XSS vulnerability in 1.8.2. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-20.
+
+## 1.8.2 (2023-05-31)
+
+### Added
+
+* Introduced new admin scopes in order to access IAM API endpoints #562
+    * **Note**: From this release, an administrator access token is not enough to have full access to IAM API endpoints. The added scopes (`iam:admin.read` and `iam:admin.write`) are now needed.
+* Bump Spring-Boot version to 2.6.14 #593 
+
+### Fixed
+
+* Fix refresh token lifetime value in case of client credentials or implicit grant types #582
+* Add missing check on challenge code method for PKCE #583 
+* Fix lifecycle end-time for suspended account #585
+* Cosmetic Group Manager dashboard fix #587
+* Properly update OAuth scope list in model after scope policies evaluation #588
+
+
+## 1.8.1p2 (2023-09-21)
+
+This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53.
+
+## 1.8.1p1 (2023-07-04)
+
+### Fixes
+
+This release fixes an XSS vulnerability in 1.8.1. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-20.
+
+## 1.8.1 (2023-02-28)
+
+### Added
+
+* Add scope management to IAM dashboard https://github.com/indigo-iam/iam/pull/500
+* Add the groups view for the group managers https://github.com/indigo-iam/iam/pull/536
+* Support for AARC-G069 guideline https://github.com/indigo-iam/iam/pull/553
+
+### Fixed
+
+* Fix /devicecode endpoint in cors endpoint matchers https://github.com/indigo-iam/iam/pull/535
+* Do not raise exception when incorrect scope policy https://github.com/indigo-iam/iam/pull/526
+* Fix bug when updating user fields https://github.com/indigo-iam/iam/pull/512
+* Do not allow IAM to issue RT to users with expired AUP https://github.com/indigo-iam/iam/pull/503
+* Remove orphans from database https://github.com/indigo-iam/iam/pull/547
+* Prevent VOMS aa from issuing ACs when AUP has expired https://github.com/indigo-iam/iam/pull/552
+* Do not allow token refresh for disabled users https://github.com/indigo-iam/iam/pull/570
+* Do not allow disabled users to log in with x509 certificate https://github.com/indigo-iam/iam/pull/571
+* Apply the UsernameValidator whenever a username can be updated (e.g. SCIM API) https://github.com/indigo-iam/iam/pull/572
+* Fix unnamed clients and add missing edit button into clients view https://github.com/indigo-iam/iam/pull/573
+
+### Changed
+
+* Remove health endpoints forward https://github.com/indigo-iam/iam/pull/567
+* Disable register MITREid endpoint for Dynamic Client Registration https://github.com/indigo-iam/iam/pull/567
+* Change default refresh token lifetime from infinity to 30 days https://github.com/indigo-iam/iam/pull/567
+* Add '@' and '.' as allowed characters for a registered username https://github.com/indigo-iam/iam/pull/572
+
+### Notes
+
+The `/health` endpoint and its children have been moved to `/actuator/health` base path since IAM v1.8.0. Since IAM v1.8.1 the forward to the old endpoints has been removed.
+
 ## 1.8.0 (2022-09-08)
 
 This release introduces several new supported features and

CONTRIBUTING.md

@@ -0,0 +1,112 @@
+# INDIGO IAM developer guide
+
+Thank you for investing your time in contributing to our project!
+
+In this guide you will get an overview of the contribution workflow from opening an issue, creating a PR, reviewing, and merging the PR.
+
+## Development environment
+
+The INDIGO IAM service is a [Maven][maven] project built with Java 17.  
+To download the necessary dependencies from the [CNAF Repository platform][repo] (e.g. to include the patched version of [MitreID][mitre]), add the maven [settings file][mvn-settings] locally, at `~/.m2/settings.xml`.
+
+Run
+
+```
+$ mvn package
+```
+
+to build the project, or
+
+```
+$ mvn package -DskipTests
+```
+to skip tests execution.
+
+You can use your favorite IDE for development.  
+In case you are using Eclipse:
+
+- install the `Spring Tools 4` plugin to use Spring buttons and configurations
+- import the Java Google style
+formatter (available [here][formatter]) to format your code.
+
+Visual Studio Code has a similar extension that needs to be installed.
+
+### Run the app
+
+The main package is __iam-login-service__, listening by default on http://localhost:8080. To run it
+
+- enable the `h2` and `dev` Spring profiles: these profiles allow to run the app in developer mode, where an in-memory database is enabled and populated with test users, clients, groups, etc. A web interface of the database is available at http://localhost:8080/h2-console. A test administrator can login into IAM with _admin/password_ credentials, while a test user with _test/password_. Connection to the database is possible by inserting the following parameters:
+  - Driver Class: org.h2.Driver
+  - JDBC URL: jdbc:h2:mem:iam
+  - User Name: sa
+  - Password: <empty>
+- the main class to be run is `it.infn.mw.iam.IamLoginService`.
+
+The __iam-test-client__ package is a simple web application used to showcase an authorization code flow where `iam-login-service` is the OAuth Authorization Server. It listens by default on http://localhost:9090/iam-test-client. The main class to be run is `it.infn.mw.tc.IamTestClientApplication`.
+
+The __voms-aa__ package is a micro-service which provides backward-compatible VOMS support for a Virtual Organization managed by `iam-login-service`. It listens by default on http://localhost:15000. The main class to be run is `it.infn.mw.voms.VomsService`.
+
+
+## Repository workflow
+
+There are few rules that we want to follow during our development phase to make the history of this repository as clean as possible:
+
+- the `master` branch is the one containing the latest official release
+- the `develop` branch is a branch with a successful build, ready for next release
+- when you want to develop some feature, create a new branch starting from `develop`
+  - if you spot a problem within IAM, search if an issue already exists. If not, create a new issue
+  - create a new branch named `issue-<number>`
+  - develop your own solution
+  - when you are satisfied with your work, create a Pull Request from branch `issue-<number>` to `develop`
+  - wait for the [GitHub workflow](.github/workflows/sonar.yaml) to finish running. If the build succeeds, a [Sonar analysis][sonar] for code quality runs. Please fix spotted problems, if any. We want to keep as much code coverage as possible (a lower threshold is set to 85%), so add JUnit tests to the uncovered parts of your code.
+
+
+### Pull Request workflow
+
+When you are finished with the changes, create a pull request, also known as a PR, and
+
+- add someone of the team as reviewer
+- link the PR to [related issue](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue)
+- once you submit your PR, a team member will review your proposal
+  - we may ask questions or request additional information
+  - we may ask for changes to be made before a PR can be merged, either using [suggested changes](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/incorporating-feedback-in-your-pull-request) or pull request comments
+  - as you update your PR and apply changes, mark each conversation as [resolved](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/commenting-on-a-pull-request#resolving-conversations).
+
+
+### Commits
+
+Even tough we will squash all commits of a PR into an inclusive, long commit, we invite you to follow few [best practices][git-commit]:
+
+- fist letter of the commit must be capital
+- tenses in the commit must not be past-like
+- the first line of the commit must be included within 50 characters. Add a new blank line if you want to add more explanation of your commit (this will make more readable a `git log --oneline` command output, for instance).
+
+
+## Useful references
+
+### OAuth standard
+
+- JSON Web Token ([RFC 7519](https://www.rfc-editor.org/rfc/rfc7519))
+- Bearer Token Usage ([RFC 6750](https://www.rfc-editor.org/rfc/rfc6750))
+- The OAuth 2.0 Authorization Framework ([RFC 6749](https://www.rfc-editor.org/rfc/rfc6749))
+- Device Code Grant ([RFC 8628](https://www.rfc-editor.org/rfc/rfc8628))
+- Token Exchange ([RFC 8693](https://www.rfc-editor.org/rfc/rfc8693))
+- Proof of Key Code Exchange ([RFC 7636](https://www.rfc-editor.org/rfc/rfc7636))
+
+### Presentations
+
+- [INDIGO IAM: current status & future developments](https://indico.stfc.ac.uk/event/763/sessions/510/attachments/1764/3125/INDIGO%20IAM%20Hackathon%202023.pdf)
+- [INDIGO IAM: future developments and OIDC federations](https://agenda.infn.it/event/34683/contributions/197358/attachments/105521/148354/INDIGO-IAM_%20sviluppi_futuri_e_fed_OIDC.pdf)
+- [Introduction to OAuth and its applications](https://agenda.infn.it/event/34111/attachments/100897/140421/Introduction-to-OAuth.pdf)
+- [INDIGO IAM - status and evolution plans](https://indico.cern.ch/event/1185598/contributions/5043270/subcontributions/396287/attachments/2525106/4342827/October%202022%20Pre-GDB%20Authz%20and%20IAM%20workshop.pdf)
+- [Status and prospects of WLCG transition to tokens](https://agenda.infn.it/event/30202/contributions/168567/attachments/91356/124066/Status%20and%20prospects%20of%20WLCG%20transition%20to%20tokens.pdf)
+
+
+
+[maven]: https://maven.apache.org/
+[repo]: https://repo.cloud.cnaf.infn.it/
+[mitre]: https://github.com/indigo-iam/OpenID-Connect-Java-Spring-Server
+[mvn-settings]: https://github.com/italiangrid/build-settings/blob/master/maven/cnaf-mirror-settings.xml
+[formatter]: https://github.com/italiangrid/codestyle/blob/master/eclipse-google-java-codestyle-formatter.xml
+[sonar]: https://docs.sonarcloud.io/
+[git-commit]: https://cbea.ms/git-commit/

README.md

@@ -1,7 +1,7 @@
 # INDIGO Identity and Access Management (IAM) service
 
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.3496834.svg)](https://doi.org/10.5281/zenodo.3496834)
-[![github-build-status](https://github.com/indigo-iam/iam/actions/workflows/maven.yml/badge.svg)](https://github.com/indigo-iam/iam/actions/workflows/maven.yml)
+[![github-build-status](https://github.com/indigo-iam/iam/actions/workflows/maven.yml/badge.svg?branch=master&event=push)](https://github.com/indigo-iam/iam/actions/workflows/maven.yml)
 [![sonarqube-qg](https://sonarcloud.io/api/project_badges/measure?project=indigo-iam_iam&metric=alert_status)](https://sonarcloud.io/dashboard?id=indigo-iam_iam)
 [![sonarqube-coverage](https://sonarcloud.io/api/project_badges/measure?project=indigo-iam_iam&metric=coverage)](https://sonarcloud.io/dashboard?id=indigo-iam_iam)
 [![sonarqube-maintainability](https://sonarcloud.io/api/project_badges/measure?project=indigo-iam_iam&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=indigo-iam_iam)
@@ -27,6 +27,10 @@ See the [changelog](CHANGELOG.md).
 
 See the [IAM documentation][iam-doc].
 
+## Developer guide
+
+See the [contributing](CONTRIBUTING.md) document.
+
 ## License
 
 [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0)

iam-common/pom.xml

@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns:ns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
+
   <parent>
-    <groupId>it.infn.mw</groupId>
+    <groupId>it.infn.mw.iam-parent</groupId>
     <artifactId>iam-parent</artifactId>
-    <version>1.8.2</version>
+    <version>1.8.3</version>
   </parent>
 
+  <groupId>it.infn.mw.iam-common</groupId>
   <artifactId>iam-common</artifactId>
   <packaging>jar</packaging>
 
@@ -18,8 +18,16 @@
   <properties>
    <spring-boot.build-image.skip>true</spring-boot.build-image.skip>
   </properties>
-  <build>
 
+  <dependencies>
+    <dependency>
+      <groupId>it.infn.mw.iam-persistence</groupId>
+      <artifactId>iam-persistence</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+
+  <build>
     <pluginManagement>
       <plugins>
         <plugin>
@@ -32,12 +40,4 @@
       </plugins>
     </pluginManagement>
   </build>
-
-  <dependencies>
-    <dependency>
-      <groupId>${project.groupId}</groupId>
-      <artifactId>iam-persistence</artifactId>
-      <version>${project.version}</version>
-    </dependency>
-  </dependencies>
 </project>