Merge branch 'releases/1.10'

.gitignore

@@ -28,4 +28,5 @@ coverage.ec
 build/
 /classes/
 uaa/src/main/resources/build.properties
-uaa/src/main/resources/git.properties
+uaa/src/main/resources/git.properties
+bin

build.gradle

@@ -15,6 +15,7 @@ buildscript {
     classpath group: 'org.mariadb.jdbc', name: 'mariadb-java-client', version:'1.1.7'
     classpath group: 'postgresql', name: 'postgresql', version:'9.1-901.jdbc3'
     classpath group: 'org.flywaydb', name: 'flyway-gradle-plugin', version: '3.0'
+    classpath 'org.springframework.build.gradle:propdeps-plugin:0.0.7'
   }
 }
 
@@ -42,6 +43,12 @@ allprojects {
   version = uaaVersion
 
   apply plugin: 'cobertura'
+  apply plugin: 'propdeps'
+  apply plugin: 'propdeps-maven'
+  apply plugin: 'propdeps-idea'
+  apply plugin: 'propdeps-eclipse'
+  configurations.provided.transitive = false
+  apply plugin: 'eclipse-wtp'
 
   repositories {
     mavenCentral()

common/.gitignore

@@ -1 +1,2 @@
 /target
+/bin

common/build.gradle

@@ -1,8 +1,8 @@
 description = 'CloudFoundry Identity Common Jar'
 
-configurations { providedCompile }
-
 dependencies {
+  compile group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version:'1.47'
+  compile group: 'org.bouncycastle', name: 'bcprov-jdk15on', version:'1.47'
   compile group: 'org.springframework.security', name: 'spring-security-ldap', version:parent.springSecurityVersion
   compile group: 'org.springframework.ldap', name: 'spring-ldap-core', version:parent.springSecurityLdapVersion
   compile group: 'org.springframework.ldap', name: 'spring-ldap-core-tiger', version:parent.springSecurityLdapVersion
@@ -48,7 +48,7 @@ dependencies {
   compile group: 'com.googlecode.flyway', name: 'flyway-core', version:'2.3.1'
   compile group: 'org.hsqldb', name: 'hsqldb', version:'2.3.1'
 
-  providedCompile group: 'javax.servlet', name: 'javax.servlet-api', version:'3.0.1'
+  provided group: 'javax.servlet', name: 'javax.servlet-api', version:'3.0.1'
 
   testCompile group: 'org.springframework', name: 'spring-test', version:parent.springVersion
   testCompile group: 'junit', name: 'junit', version:'4.11'
@@ -60,9 +60,6 @@ dependencies {
   testCompile group: 'org.apache.tomcat', name: 'tomcat-jdbc', version:parent.tomcatVersion
 }
 
-sourceSets.main.compileClasspath += configurations.providedCompile
-sourceSets.test.compileClasspath += configurations.providedCompile
-sourceSets.test.runtimeClasspath += configurations.providedCompile
 
 processResources {
   //maven replaces project.artifactId in the log4j.properties file

common/src/main/java/org/cloudfoundry/identity/uaa/UaaConfiguration.java

@@ -51,6 +51,7 @@ public class UaaConfiguration {
     public boolean dump_requests;
     public boolean require_https;
     public boolean loginAddnew;
+    public boolean allowUnverifiedUsers;
     @Valid
     public PasswordPolicy passwordPolicy;
     @Valid

common/src/main/java/org/cloudfoundry/identity/uaa/audit/AuditEventType.java

@@ -47,7 +47,8 @@ public enum AuditEventType {
     GroupCreatedEvent(23),
     GroupModifiedEvent(24),
     GroupDeletedEvent(25),
-    EmailChangedEvent(26);
+    EmailChangedEvent(26),
+    UnverifiedUserAuthentication(27);
 
 
     private final int code;

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/AccountNotVerifiedException.java

@@ -0,0 +1,9 @@
+package org.cloudfoundry.identity.uaa.authentication;
+
+import org.springframework.security.authentication.AccountStatusException;
+
+public class AccountNotVerifiedException extends AccountStatusException {
+    public AccountNotVerifiedException(String msg) {
+        super(msg);
+    }
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/AccountNotVerifiedExceptionTranslator.java

@@ -0,0 +1,52 @@
+package org.cloudfoundry.identity.uaa.authentication;
+
+import org.cloudfoundry.identity.uaa.authentication.AccountNotVerifiedException;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
+
+import java.io.IOException;
+
+public class AccountNotVerifiedExceptionTranslator extends DefaultWebResponseExceptionTranslator{
+
+    @Override
+    public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
+        if (e instanceof AccountNotVerifiedException) {
+            return handleOAuth2Exception(new ForbiddenException(e.getMessage(), e));
+        }
+
+        return super.translate(e);
+    }
+
+    private ResponseEntity<OAuth2Exception> handleOAuth2Exception(OAuth2Exception e) throws IOException {
+
+        int status = e.getHttpErrorCode();
+        HttpHeaders headers = new HttpHeaders();
+        headers.set("Cache-Control", "no-store");
+        headers.set("Pragma", "no-cache");
+
+        ResponseEntity<OAuth2Exception> response = new ResponseEntity<OAuth2Exception>(e, headers,
+            HttpStatus.valueOf(status));
+
+        return response;
+
+    }
+
+    private static class ForbiddenException extends OAuth2Exception {
+
+        public ForbiddenException(String msg, Throwable t) {
+            super(msg, t);
+        }
+
+        public String getOAuth2ErrorCode() {
+            return "access_denied";
+        }
+
+        public int getHttpErrorCode() {
+            return 403;
+        }
+
+    }
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/event/UnverifiedUserAuthenticationEvent.java

@@ -0,0 +1,28 @@
+package org.cloudfoundry.identity.uaa.authentication.event;
+
+import org.cloudfoundry.identity.uaa.audit.AuditEvent;
+import org.cloudfoundry.identity.uaa.audit.AuditEventType;
+import org.cloudfoundry.identity.uaa.user.UaaUser;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+
+public class UnverifiedUserAuthenticationEvent extends AbstractUaaAuthenticationEvent {
+
+    private final UaaUser user;
+
+    public UnverifiedUserAuthenticationEvent(UaaUser user, Authentication authentication) {
+        super(authentication);
+        Assert.notNull(user, "UaaUser object cannot be null");
+        this.user = user;
+    }
+
+    @Override
+    public AuditEvent getAuditEvent() {
+        return createAuditRecord(user.getId(), AuditEventType.UnverifiedUserAuthentication, getOrigin(getAuthenticationDetails()),
+                user.getUsername());
+    }
+
+    public UaaUser getUser() {
+        return user;
+    }
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/login/RemoteAuthenticationEndpoint.java

@@ -21,6 +21,7 @@
 import com.googlecode.flyway.core.util.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.cloudfoundry.identity.uaa.authentication.AccountNotVerifiedException;
 import org.cloudfoundry.identity.uaa.authentication.AuthzAuthenticationRequest;
 import org.cloudfoundry.identity.uaa.authentication.Origin;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
@@ -81,6 +82,9 @@ public HttpEntity<Map<String, String>> authenticate(HttpServletRequest request,
             }
             processAdditionalInformation(responseBody, a);
             status = HttpStatus.OK;
+        } catch (AccountNotVerifiedException e) {
+            responseBody.put("error", "account not verified");
+            status = HttpStatus.FORBIDDEN;
         } catch (AuthenticationException e) {
             responseBody.put("error", "authentication failed");
         } catch (Exception e) {

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/AuthzAuthenticationManager.java

@@ -13,18 +13,18 @@
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
 import java.security.SecureRandom;
-import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 import java.util.UUID;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.cloudfoundry.identity.uaa.authentication.AccountNotVerifiedException;
 import org.cloudfoundry.identity.uaa.authentication.AuthenticationPolicyRejectionException;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
 import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
+import org.cloudfoundry.identity.uaa.authentication.event.UnverifiedUserAuthenticationEvent;
 import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationFailureEvent;
 import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationSuccessEvent;
 import org.cloudfoundry.identity.uaa.authentication.event.UserNotFoundEvent;
@@ -59,6 +59,8 @@ public class AuthzAuthenticationManager implements AuthenticationManager, Applic
     private AccountLoginPolicy accountLoginPolicy = new PermitAllAccountLoginPolicy();
 
     private String origin;
+    private boolean allowUnverifiedUsers = true;
+
     /**
      * Dummy user allows the authentication process for non-existent and locked
      * out users to be as close to
@@ -107,6 +109,12 @@ public Authentication authenticate(Authentication req) throws AuthenticationExce
         if (passwordMatches) {
             logger.debug("Password successfully matched for userId["+user.getUsername()+"]:"+user.getId());
 
+            if (!allowUnverifiedUsers && !user.isVerified()) {
+                publish(new UnverifiedUserAuthenticationEvent(user, req));
+                logger.debug("Account not verified: " + user.getId());
+                throw new AccountNotVerifiedException("Account not verified");
+            }
+
             Authentication success = new UaaAuthentication(new UaaPrincipal(user),
                             user.getAuthorities(), (UaaAuthenticationDetails) req.getDetails());
             publish(new UserAuthenticationSuccessEvent(user, success));
@@ -181,4 +189,8 @@ public String getOrigin() {
     public void setOrigin(String origin) {
         this.origin = origin;
     }
+
+    public void setAllowUnverifiedUsers(Boolean allowUnverifiedUsers) {
+        this.allowUnverifiedUsers = allowUnverifiedUsers;
+    }
 }

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ChainedAuthenticationManager.java

@@ -22,8 +22,6 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
-import java.util.List;
-
 /**
  * Chained authentication manager that works of simple conditions
  */
@@ -83,8 +81,13 @@ public Authentication authenticate(Authentication authentication) throws Authent
                             logger.debug("Chained authentication exception:"+x.getMessage()+" at:"+(x.getStackTrace().length>0?x.getStackTrace()[0]:"(no stack trace)"));
                         }
                         lastException = x;
-                        if (delegates[i].getStopIf()!=null && delegates[i].getStopIf().isAssignableFrom(x.getClass())) {
-                            shallContinue = false;
+                        if (delegates[i].getStopIf()!=null) {
+                            for (Class<? extends AuthenticationException> exceptionClass : delegates[i].getStopIf()) {
+                                if (exceptionClass.isAssignableFrom(x.getClass())) {
+                                    shallContinue = false;
+                                    break;
+                                }
+                            }
                         }
                     }
                     lastResult = thisAuth != null && thisAuth.isAuthenticated();
@@ -114,13 +117,13 @@ public Authentication authenticate(Authentication authentication) throws Authent
     public static class AuthenticationManagerConfiguration {
         private AuthenticationManager authenticationManager;
         private String required = null;
-        private Class<? extends AuthenticationException> stopIf;
+        private Class<? extends AuthenticationException>[] stopIf;
 
-        public Class<? extends AuthenticationException> getStopIf() {
+        public Class<? extends AuthenticationException>[] getStopIf() {
             return stopIf;
         }
 
-        public void setStopIf(Class<? extends AuthenticationException> stopIf) {
+        public void setStopIf(Class<? extends AuthenticationException>... stopIf) {
             this.stopIf = stopIf;
         }
 

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java

@@ -187,7 +187,8 @@ protected UaaUser getUser(UserDetails details, Map<String, String> info) {
             new Date(),
             new Date(),
             origin,
-            details.getUsername());
+            details.getUsername(),
+            false);
     }
 
     @Override

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/LdapLoginAuthenticationManager.java

@@ -45,7 +45,8 @@ protected UaaUser getUser(UserDetails details, Map<String, String> info) {
                 user.getCreated(),
                 user.getModified(),
                 origin,
-                externalId);
+                externalId,
+                false);
         } else {
             logger.warn("Unable to get DN from user. Not an LDAP user:"+details+" of class:"+details.getClass());
             return user.modifySource(getOrigin(), user.getExternalId());

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/LoginAuthenticationManager.java

@@ -35,7 +35,6 @@
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.util.StringUtils;
 
 import java.util.Date;
 import java.util.Map;
@@ -174,7 +173,8 @@ protected UaaUser getUser(AuthzAuthenticationRequest req, Map<String, String> in
             new Date(),
             new Date(),
             origin,
-            name);
+            name,
+            false);
 
     }
 }