Merge branch 'develop' into iglezruiz/cargo-migration

Author: ireneGonzalezRuiz

run-integration-tests.sh

@@ -3,6 +3,10 @@ set -eu -o pipefail
 
 #######################################
 # main function to run the integration tests
+# Global env vars:
+#   UAA_DOCKER_ARGS: Additional args to pass to docker run
+#   UAA_GRADLE_INT_TEST_COMMAND: Gradle command to run integration tests (default: integrationTest)
+#       this could include :cloudfoundry-identity-server:integrationTest --tests to run specific tests
 #######################################
 main() {
   local script_dir;  script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@@ -30,6 +34,8 @@ main() {
     --env DB="${DB}" \
     --env RUN_TESTS="${RUN_TESTS:-true}" \
     --publish 8081:8080 \
+    ${UAA_DOCKER_ARGS:-} \
+    --env UAA_GRADLE_INT_TEST_COMMAND="${UAA_GRADLE_INT_TEST_COMMAND:-integrationTest}" \
     "${DOCKER_IMAGE}" \
     /root/uaa/scripts/integration_tests.sh "${PROFILE_NAME}" "${run_as_boot}"
 }

run-unit-tests.sh

@@ -3,9 +3,13 @@ set -eu -o pipefail
 
 #######################################
 # main function to run the unit tests
+# Global env vars:
+#   UAA_DOCKER_ARGS: Additional args to pass to docker run
+#   UAA_GRADLE_UNIT_TEST_COMMAND: Gradle command to run unit tests (default: test)
+#       this could include :cloudfoundry-identity-server:test --tests to run specific tests
 #######################################
 main() {
-  local script_dir;  script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+  local script_dir; script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
   source "${script_dir}/scripts/lib_timer.sh"
   start_timer
 
@@ -27,6 +31,8 @@ main() {
     --volume "${script_dir}":"${container_script_dir}" \
     --volume "${gradle_lock_dir}" \
     --env DB="${DB}" \
+    ${UAA_DOCKER_ARGS:-} \
+    --env UAA_GRADLE_UNIT_TEST_COMMAND="${UAA_GRADLE_UNIT_TEST_COMMAND:-test}" \
     "${DOCKER_IMAGE}" \
     /root/uaa/scripts/unit_tests.sh "${PROFILE_NAME}"
 }

scripts/integration_tests.sh

@@ -3,6 +3,9 @@ set -eu
 
 #######################################
 # The main function to run the integration tests within a container
+# Global env vars:
+#   UAA_GRADLE_INT_TEST_COMMAND: Gradle command to run integration tests (default: integrationTest)
+#       this could include :cloudfoundry-identity-server:integrationTest --tests to run specific tests
 #######################################
 function main() {
   local script_dir; script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@@ -46,7 +49,7 @@ function main() {
     readonly integration_test_code="./gradlew '-Dspring.profiles.active=${test_profile}' \
                 '-Djava.security.egd=file:/dev/./urandom' \
                 '-DskipUaaAutoStart=true' \
-                integrationTest \
+                ${UAA_GRADLE_INT_TEST_COMMAND:-integrationTest} \
                 --stacktrace \
                 --console=plain"
 

scripts/start_docker_database.sh

@@ -5,6 +5,10 @@ set -eu -o pipefail
 # main function to start a docker container with the specified database
 # usage: start_docker_database.sh [db_name]
 #   db_name: one of "mysql(-*)", "postgres(-*)", etc. (default: "mysql")
+# Global env vars:
+#   DEBUG_MODE: if set to any value, enables remote debugging on port 5005
+#   WEB_MODE: if set to any value, enables web access on port 8080
+#   UAA_DOCKER_ARGS: Additional args to pass to docker run
 #######################################
 main() {
   local uaa_dir;  uaa_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
@@ -43,6 +47,7 @@ main() {
     --publish "${db_port}:${db_port}" \
     ${DEBUG_MODE:+--publish "5005:5005"} \
     ${WEB_MODE:+--publish "8080:8080"} \
+    ${UAA_DOCKER_ARGS:-} \
     "${DOCKER_IMAGE}"
 }
 

scripts/unit_tests.sh

@@ -3,6 +3,9 @@ set -eu
 
 #######################################
 # The main function to run the unit tests within a container
+# Global env vars:
+#   UAA_GRADLE_UNIT_TEST_COMMAND: Gradle command to run unit tests (default: test)
+#       this could include :cloudfoundry-identity-server:test --tests to run specific tests
 #######################################
 function main() {
   local script_dir; script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@@ -23,7 +26,7 @@ function main() {
     export GRADLE_OPTS="-Xmx2048m"
     ./gradlew "-Dspring.profiles.active=${test_profile}" \
             "-Djava.security.egd=file:/dev/./urandom" \
-            test \
+            ${UAA_GRADLE_UNIT_TEST_COMMAND:-test} \
             --stacktrace  \
             --console=plain
   popd

server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java

@@ -116,6 +116,7 @@
 import static java.util.Collections.singletonMap;
 import static java.util.Objects.isNull;
 import static java.util.stream.Collectors.toSet;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.OAUTH20;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.SUB;
 import static org.cloudfoundry.identity.uaa.oauth.token.CompositeToken.ID_TOKEN;
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_AUTHORIZATION_CODE;
@@ -609,9 +610,14 @@ protected <T extends AbstractExternalOAuthIdentityProviderDefinition<T>> Map<Str
             ExternalOAuthCodeToken codeToken,
             final IdentityProvider<T> identityProvider
     ) {
-        String idToken = getTokenFromCode(codeToken, identityProvider);
-        codeToken.setIdToken(idToken);
-        return getClaimsFromToken(idToken, identityProvider);
+        String tokenFieldName = getTokenFieldName(identityProvider.getConfig());
+        String token = getTokenFromCode(codeToken, identityProvider);
+        if ("access_token".equals(tokenFieldName) && token != null && OAUTH20.equals(identityProvider.getType())) {
+            codeToken.setAccessToken(token);
+        } else {
+            codeToken.setIdToken(token);
+        }
+        return getClaimsFromToken(token, identityProvider);
     }
 
     protected <T extends AbstractExternalOAuthIdentityProviderDefinition<T>> Map<String, Object> getClaimsFromToken(

server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthProviderConfigurator.java

@@ -108,7 +108,7 @@ public String getIdpAuthenticationUrl(
         }
 
         if (OIDCIdentityProviderDefinition.class.equals(definition.getParameterizedClass())) {
-            var nonceGenerator = new RandomValueStringGenerator(12);
+            var nonceGenerator = new RandomValueStringGenerator(22);
             uriBuilder.queryParam("nonce", nonceGenerator.generate());
 
             Map<String, String> additionalParameters = ofNullable(((OIDCIdentityProviderDefinition) definition).getAdditionalAuthzParameters()).orElse(emptyMap());
@@ -123,7 +123,7 @@ protected static boolean isPkceNeeded(AbstractExternalOAuthIdentityProviderDefin
     }
 
     private String generateStateParam() {
-        return uaaRandomStringUtil.getSecureRandom(10);
+        return uaaRandomStringUtil.getSecureRandom(22);
     }
 
     private String generateCodeVerifier() {

server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java

@@ -7,6 +7,7 @@
 import org.apache.commons.lang3.RandomStringUtils;
 import org.cloudfoundry.identity.uaa.authentication.AccountNotPreCreatedException;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
+import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
 import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationSuccessEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
@@ -95,6 +96,7 @@
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.api.Assertions.fail;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.OAUTH20;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.ISS;
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.GROUP_ATTRIBUTE_NAME;
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_NAME_ATTRIBUTE_NAME;
@@ -109,6 +111,7 @@
 import static org.mockito.Mockito.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.same;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.times;
@@ -515,6 +518,55 @@ void discoveryURL_is_used() throws MalformedURLException {
 
     }
 
+    @Test
+    void oauth20_flow_works_with_non_jwt_token() throws Exception {
+        String userInfoResponse = """
+                {
+                  "login": "octocat",
+                  "id": 1,
+                  "type": "User",
+                  "site_admin": false,
+                  "name": "monalisa octocat",
+                  "company": "GitHub",
+                  "email": "[email protected]"
+                }""";
+
+        CompositeToken accessToken = getCompositeAccessToken();
+        accessToken.setIdTokenValue(null); //DOES NOT EXIST FOR OAUTH2.0
+        String oauth2TokenResponse = JsonUtils.writeValueAsString(accessToken);
+
+        //UAA exchanges the code for a token
+        mockUaaServer.expect(requestTo("http://localhost/oauth/token"))
+                .andExpect(header("Authorization", "Basic " + new String(Base64.encodeBase64("identity:identitysecret".getBytes()))))
+                .andExpect(header("Accept", "application/json"))
+                .andExpect(content().string(containsString("grant_type=authorization_code")))
+                .andExpect(content().string(containsString("code=the_code")))
+                .andExpect(content().string(containsString("redirect_uri=http%3A%2F%2Flocalhost%2Fcallback%2Fthe_origin")))
+                .andExpect(content().string(containsString("response_type=code")))
+                .andRespond(withStatus(OK).contentType(APPLICATION_JSON).body(oauth2TokenResponse));
+
+        //UAA retrieves user info using an access token
+        mockUaaServer.expect(requestTo(config.getUserInfoUrl().toString()))
+                .andRespond(withStatus(OK).contentType(APPLICATION_JSON).body(userInfoResponse));
+
+        IdentityProvider<RawExternalOAuthIdentityProviderDefinition> identityProvider = getOauth20Provider();
+        identityProvider.getConfig().setResponseType("code");
+        reset(provisioning);
+        when(provisioning.retrieveByOrigin(eq(ORIGIN), anyString())).thenReturn(identityProvider);
+
+        addTheUserOnAuth();
+
+        Authentication authentication = externalOAuthAuthenticationManager.authenticate(xCodeToken);
+        assertThat(authentication).isNotNull();
+        assertThat(authentication.getPrincipal()).isInstanceOf(UaaPrincipal.class);
+        UaaPrincipal principal = (UaaPrincipal) authentication.getPrincipal();
+        assertThat(principal).isNotNull();
+        assertThat(principal.getName()).isEqualTo("octocat");
+        assertThat(principal.getEmail()).isEqualTo("[email protected]");
+        mockUaaServer.verify();
+
+    }
+
     @Test
     void clientAuthInBody_is_used() {
         config.setClientAuthInBody(true);
@@ -1291,6 +1343,31 @@ private IdentityProvider<OIDCIdentityProviderDefinition> getProvider() {
         return identityProvider;
     }
 
+    private IdentityProvider<RawExternalOAuthIdentityProviderDefinition> getOauth20Provider()  throws Exception {
+        RawExternalOAuthIdentityProviderDefinition config = new RawExternalOAuthIdentityProviderDefinition()
+                .setAuthUrl(URI.create("http://localhost/oauth/authorize").toURL())
+                .setTokenUrl(URI.create("http://localhost/oauth/token").toURL())
+                .setIssuer("http://localhost/oauth/token")
+                .setShowLinkText(true)
+                .setLinkText("My oauth20 Provider")
+                .setRelyingPartyId("identity")
+                .setRelyingPartySecret("identitysecret")
+                .setUserInfoUrl(URI.create("http://localhost/userinfo").toURL())
+                .setTokenKey(PUBLIC_KEY);
+        config.setExternalGroupsWhitelist(Collections.singletonList("*"));
+        attributeMappings.put(USER_NAME_ATTRIBUTE_NAME, "login");
+        config.setAttributeMappings(attributeMappings);
+        config.setResponseType("code");
+
+        IdentityProvider<RawExternalOAuthIdentityProviderDefinition> identityProvider = new IdentityProvider<>();
+        identityProvider.setName("my oauth20 provider");
+        identityProvider.setIdentityZoneId(OriginKeys.UAA);
+        identityProvider.setType(OAUTH20);
+        identityProvider.setConfig(config);
+        identityProvider.setOriginKey(ORIGIN);
+        return identityProvider;
+    }
+
     private void testTokenHasAuthoritiesFromIdTokenRoles() {
         attributeMappings.put(GROUP_ATTRIBUTE_NAME, "scope");
         mockToken();

server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java

@@ -30,6 +30,7 @@
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
+import org.cloudfoundry.identity.uaa.provider.RawExternalOAuthIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMember;
 import org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimGroupExternalMembershipManager;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
@@ -40,6 +41,7 @@
 import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
 import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManagerImpl;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -83,6 +85,7 @@
 import static org.assertj.core.api.Assertions.assertThatNoException;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.api.Assertions.fail;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.OAUTH20;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.AUD;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EMAIL;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXPIRY_IN_SECONDS;
@@ -1083,6 +1086,49 @@ void oidcPasswordGrantWithPrompts() throws MalformedURLException, JOSEException
         assertThat(headers).doesNotContainKey("X-Forwarded-For");
     }
 
+    @Test
+    void oauth20AuthorizationFlowWithUserInfo() throws Exception {
+
+        final ExternalOAuthCodeToken codeToken = new ExternalOAuthCodeToken("thecode", "some-origin", "http://google.com", null, null, "signedrequest");
+        final RestTemplate restTemplate = mock(RestTemplate.class);
+        final ResponseEntity<Map<String, Object>> responseEntity = mock(ResponseEntity.class);
+        when(responseEntity.getStatusCode()).thenReturn(HttpStatus.OK);
+        when(responseEntity.getBody()).thenReturn(Collections.emptyMap());
+        when(restTemplate.exchange(any(URI.class), eq(HttpMethod.GET), any(HttpEntity.class), any(ParameterizedTypeReference.class))).thenReturn(responseEntity);
+        authManager = new ExternalOAuthAuthenticationManager(
+                identityProviderProvisioning,
+                mock(IdentityZoneManager.class),
+                restTemplate,
+                restTemplate,
+                tokenEndpointBuilder,
+                new KeyInfoService("http://uaa.example.com"),
+                null
+        ) {
+            @Override
+            protected <T extends AbstractExternalOAuthIdentityProviderDefinition<T>> String getTokenFromCode(
+                    ExternalOAuthCodeToken codeToken,
+                    IdentityProvider<T> config
+            ) {
+                return "opaque-access-token";
+            }
+
+            @Override
+            public RestTemplate getRestTemplate(AbstractExternalOAuthIdentityProviderDefinition config) {
+                return restTemplate;
+            }
+        };
+        final RawExternalOAuthIdentityProviderDefinition config = new RawExternalOAuthIdentityProviderDefinition();
+        config.setResponseType("code");
+        config.setUserInfoUrl(URI.create("https://some.metadata.url/userinfo").toURL());
+        final IdentityProvider<AbstractExternalOAuthIdentityProviderDefinition> idp = new IdentityProvider<>();
+        idp.setType(OAUTH20);
+        idp.setConfig(config);
+        authManager.getClaimsFromToken(codeToken, idp);
+        assertThat(codeToken.getIdToken()).isNull();
+        assertThat(codeToken.getAccessToken()).isEqualTo("opaque-access-token");
+
+    }
+
     private static void assertAuthorizationHeaderIsSetAndStartsWithBasic(final HttpHeaders headers) {
         assertThat(headers).containsKey("Authorization");
         final List<String> authorizationHeaders = headers.get("Authorization");

server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthProviderConfiguratorTests.java

@@ -585,4 +585,30 @@ void idpWithAliasExistsInZone(final boolean resultFromDelegate) {
         when(mockIdentityProviderProvisioning.idpWithAliasExistsInZone(zoneId)).thenReturn(resultFromDelegate);
         assertThat(configurator.idpWithAliasExistsInZone(zoneId)).isEqualTo(resultFromDelegate);
     }
+
+    @Test
+    void getIdpAuthenticationUrl_verifyNonceAndStateLength() {
+        // Mock state generation (22 characters)
+        String stateValue = "a".repeat(22); // exactly 22 characters
+        when(mockUaaRandomStringUtil.getSecureRandom(22)).thenReturn(stateValue);
+        
+        // Mock code verifier generation (128 characters) - needed for PKCE
+        String codeVerifierValue = "b".repeat(128);
+        when(mockUaaRandomStringUtil.getSecureRandom(128)).thenReturn(codeVerifierValue);
+        
+        String authzUri = configurator.getIdpAuthenticationUrl(oidc, "alias", mockHttpServletRequest);
+        Map<String, String> queryParams =
+                UriComponentsBuilder.fromUriString(authzUri).build().getQueryParams().toSingleValueMap();
+        
+        // Verify state is at least 22 characters
+        assertThat(queryParams.get("state"))
+                .as("State parameter should be at least 22 characters")
+                .hasSizeGreaterThanOrEqualTo(22);
+        
+        // Verify nonce exists and has expected length (RandomValueStringGenerator(22) generates 22 chars)
+        assertThat(queryParams.get("nonce"))
+                .as("Nonce parameter should be at least 22 characters")
+                .isNotNull()
+                .hasSizeGreaterThanOrEqualTo(22);
+    }
 }