Merge branch 'develop' into issue-794-role-reader

indigo-iam · Dec 19, 2024 · 3c53809 · 3c53809
2 parents 64c8d8e + 1348b1c
commit 3c53809
Show file tree

Hide file tree

Showing 304 changed files with 9,404 additions and 6,062 deletions.
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - develop
+
   pull_request:
     types: [opened, edited, reopened, synchronize]
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,16 +1,52 @@
 # Changelog
 
+## 1.11.0 (2024-12-19)
+
+### What's Changed
+
+* Add confirmation before rotate client secret by @SteDev2 in https://github.com/indigo-iam/iam/pull/875
+* Fix account mapping in VOMS AA by @rmiccoli in https://github.com/indigo-iam/iam/pull/872
+* Add POST endpoint for registration requests confirmation by @enricovianello in https://github.com/indigo-iam/iam/pull/881
+* Fix CERN lifecycle handler by @enricovianello in https://github.com/indigo-iam/iam/pull/871, https://github.com/indigo-iam/iam/pull/896
+* Grant admin scopes to admin-approved clients only by @rmiccoli in https://github.com/indigo-iam/iam/commit/6bbaccd4e85cc1dc1659ea10fa31dd5307b2dc62
+* Client-credentials flow won't create a refresh token by @rmiccoli in https://github.com/indigo-iam/OpenID-Connect-Java-Spring-Server/pull/22
+* Redirect to login page when signing AUP by @federicaagostini in https://github.com/indigo-iam/iam/commit/5acde91cd333d139991e2ba1ee6d5fe062d986a0
+* Fix missing update of matchingPolicy by @garaimanoj in https://github.com/indigo-iam/iam/commit/f15ef57b1e11f3f08e1b5cb2462520efd3c1108d
+* Find account by certificate sub and iss in VOMS AA by @rmiccoli in https://github.com/indigo-iam/iam/pull/897
+* Exclude IAM optional groups from VOMS AC by @rmiccoli in https://github.com/indigo-iam/iam/pull/894
+* Find account by certificate sub and iss in VOMS AA by @rmiccoli in https://github.com/indigo-iam/iam/pull/897
+* Prevent the issue of broken SAML login flow by @DonaldChung-HK in https://github.com/indigo-iam/iam/pull/885
+
+### Added
+
+* (_Experimental_*) Implement MFA by @sam-glendenning, @rmiccoli, @garaimanoj, @Sae126V in https://github.com/indigo-iam/iam/pull/733
+
+(*) This initial release featuring Multi-Factor Authentication is experimental and will be enhanced and expanded with new features in future releases, based also on user feedback.
+
+### MFA experimental feature summary
+
+* Each authenticated user can enable/disable MFA through a button in their homepage
+  * user will use an authenticator, as it is required to generate the time-based one-time passwords (TOTPs) necessary for authentication
+* If issues arise with the authenticator, the IAM administrator can disable MFA for a user
+* Authenticator working for local authentication only
+  * integration with X.509 certificates and external providers not yet supported
+* Encryption and decryption of MFA secrets
+
+#### Configuration
+
+The `mfa` Spring profile is used to enable MFA functionality. By default, MFA is disabled for all users.
+
 ## 1.10.2 (2024-09-30)
 
-## What's Changed
+### What's Changed
 
 * Add devcontainer configuration https://github.com/indigo-iam/iam/pull/835
 * Track refresh tokens in access token AUDIT logs https://github.com/indigo-iam/iam/pull/838
 * Combine CERN HR logic with internal life-cycle https://github.com/indigo-iam/iam/pull/844
 
 ## 1.10.1 (2024-08-22)
 
-## What's Fixed
+### What's Fixed
 
 * Fix repeated suspensions https://github.com/indigo-iam/iam/pull/831
 * Fix typo in AUDIT log for suspended accounts https://github.com/indigo-iam/iam/pull/832
@@ -259,7 +295,6 @@ fixes several bugs for the IAM login service.
 ## 1.7.2 (2021-12-03)
 
 This release provides a single dependency change for the IAM login service
-application.
 
 ### Added
 
@@ -271,6 +306,10 @@ This release provides changes and bug fixes to the IAM test client application.
 
 ### Added
 
+This release provides changes and bug fixes to the IAM test client application.
+
+### Added
+
 - The IAM test client application, in its default configuration, no longer
   exposes tokens, but only the claims contained in tokens. It's possible to
   revert to the previous behavior by setting the `IAM_CLIENT_HIDE_TOKENS=false`

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -90,7 +90,7 @@ pipeline {
           post {
             always {
               script {
-                maybeArchiveJUnitReports()
+                maybeArchiveJUnitReportsWithJacoco()
               }
             }
           }

diff --git a/compose/custom-nginx/iam.conf b/compose/custom-nginx/iam.conf
@@ -38,6 +38,8 @@ server {
     proxy_set_header        X-SSL-Client-Verify  $ssl_client_verify;
     proxy_set_header        X-SSL-Protocol $ssl_protocol;
     proxy_set_header        X-SSL-Server-Name $ssl_server_name;
+
+    proxy_cookie_flags ~ secure samesite=none;
   }
 
   location /iam-test-client {

diff --git a/iam-login-service/docker/Dockerfile.prod b/iam-login-service/docker/Dockerfile.prod
@@ -1,4 +1,5 @@
 FROM eclipse-temurin:17 as builder
+
 RUN mkdir /indigo-iam
 WORKDIR /indigo-iam
 COPY iam-login-service.war /indigo-iam/

diff --git a/iam-login-service/pom.xml b/iam-login-service/pom.xml
@@ -92,7 +92,6 @@
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-data-redis</artifactId>
     </dependency>
-
 
     <!-- Web Jars -->
     <dependency>
@@ -221,6 +220,11 @@
       <artifactId>spring-security-oauth2</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-oauth2-client</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-test</artifactId>
@@ -406,6 +410,13 @@
       <artifactId>jaxb-runtime</artifactId>
     </dependency>
 
+    <!-- Secret, TOTP, QR code generator for multi-factor authentication -->
+    <dependency>
+      <groupId>dev.samstevens.totp</groupId>
+      <artifactId>totp</artifactId>
+      <version>1.7.1</version>
+    </dependency>
+
   </dependencies>
 
   <build>

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/AccountUtils.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/AccountUtils.java
@@ -15,18 +15,16 @@
  */
 package it.infn.mw.iam.api.account;
 
-import static java.util.Objects.isNull;
-
 import java.util.Optional;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.stereotype.Component;
 
 import it.infn.mw.iam.authn.util.Authorities;
+import it.infn.mw.iam.core.ExtendedAuthenticationToken;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.repository.IamAccountRepository;
 
@@ -35,35 +33,43 @@
 public class AccountUtils {
   IamAccountRepository accountRepo;
 
-  @Autowired
   public AccountUtils(IamAccountRepository accountRepo) {
     this.accountRepo = accountRepo;
   }
 
   public boolean isRegisteredUser(Authentication auth) {
-    if (auth == null || auth.getAuthorities() == null) {
+    if (auth == null || auth.getAuthorities().isEmpty()) {
       return false;
     }
 
     return auth.getAuthorities().contains(Authorities.ROLE_USER);
   }
 
   public boolean isAdmin(Authentication auth) {
-    if (auth == null || auth.getAuthorities() == null) {
+    if (auth == null || auth.getAuthorities().isEmpty()) {
       return false;
     }
 
     return auth.getAuthorities().contains(Authorities.ROLE_ADMIN);
   }
 
+  public boolean isPreAuthenticated(Authentication auth) {
+    if (auth == null || auth.getAuthorities().isEmpty()) {
+      return false;
+    }
+
+    return auth.getAuthorities().contains(Authorities.ROLE_PRE_AUTHENTICATED);
+  }
+
   public boolean isAuthenticated() {
     Authentication auth = SecurityContextHolder.getContext().getAuthentication();
 
     return isAuthenticated(auth);
   }
 
   public boolean isAuthenticated(Authentication auth) {
-    return !(isNull(auth) || auth instanceof AnonymousAuthenticationToken);
+    return auth != null && !(auth instanceof AnonymousAuthenticationToken)
+        && (!(auth instanceof ExtendedAuthenticationToken) || auth.isAuthenticated());
   }
 
   public Optional<IamAccount> getAuthenticatedUserAccount(Authentication authn) {
@@ -72,7 +78,7 @@ public Optional<IamAccount> getAuthenticatedUserAccount(Authentication authn) {
     }
 
     Authentication userAuthn = authn;
-    
+
     if (authn instanceof OAuth2Authentication) {
       OAuth2Authentication oauth = (OAuth2Authentication) authn;
       if (oauth.getUserAuthentication() == null) {
@@ -86,13 +92,13 @@ public Optional<IamAccount> getAuthenticatedUserAccount(Authentication authn) {
   }
 
   public Optional<IamAccount> getAuthenticatedUserAccount() {
-    
+
     Authentication auth = SecurityContextHolder.getContext().getAuthentication();
- 
+
     return getAuthenticatedUserAccount(auth);
   }
-  
-  public Optional<IamAccount> getByAccountId(String accountId){
+
+  public Optional<IamAccount> getByAccountId(String accountId) {
     return accountRepo.findByUuid(accountId);
   }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ on: @@
       push:
         branches:
           - develop
       pull_request:
         types: [opened, edited, reopened, synchronize]
@@ Expand Down @@