Merge branch 'releases/2.7.1'

README.md

@@ -402,3 +402,4 @@ Here are some ways for you to get involved in the community:
 * Watch for upcoming articles on Cloud Foundry by
   [subscribing](http://blog.cloudfoundry.org) to the cloudfoundry.org
   blog
+

build.gradle

@@ -198,7 +198,7 @@ dependencies {
   }
 }
 
-apply plugin: 'flyway'
+apply plugin: 'org.flywaydb.flyway'
 
 flyway {
   switch (databaseType()) {

common/src/main/java/org/cloudfoundry/identity/uaa/ExternalIdentityProviderDefinition.java

@@ -0,0 +1,62 @@
+package org.cloudfoundry.identity.uaa;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+/*******************************************************************************
+ * Cloud Foundry
+ * Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ * <p>
+ * This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ * You may not use this product except in compliance with the License.
+ * <p>
+ * This product includes a number of subcomponents with
+ * separate copyright notices and license terms. Your use of these
+ * subcomponents is subject to the terms and conditions of the
+ * subcomponent's license, as noted in the LICENSE file.
+ *******************************************************************************/
+public class ExternalIdentityProviderDefinition extends AbstractIdentityProviderDefinition {
+    public static final String GROUP_ATTRIBUTE_NAME = "external_groups"; //can be a string or a list of strings
+    public static final String EMAIL_ATTRIBUTE_NAME = "email"; //can be a string
+    public static final String GIVEN_NAME_ATTRIBUTE_NAME = "given_name"; //can be a string
+    public static final String FAMILY_NAME_ATTRIBUTE_NAME = "family_name"; //can be a string
+    public static final String PHONE_NUMBER_ATTRIBUTE_NAME = "phone_number"; //can be a string
+    public static final String USER_ATTRIBUTE_PREFIX = "user.attribute.";
+
+    public static final String EXTERNAL_GROUPS_WHITELIST = "externalGroupsWhitelist";
+    public static final String ATTRIBUTE_MAPPINGS = "attributeMappings";
+
+    private List<String> externalGroupsWhitelist = new LinkedList<>();
+    private Map<String, Object> attributeMappings = new HashMap<>();
+
+    public List<String> getExternalGroupsWhitelist() {
+        return Collections.unmodifiableList(externalGroupsWhitelist);
+    }
+
+    public void setExternalGroupsWhitelist(List<String> externalGroupsWhitelist) {
+        this.externalGroupsWhitelist = new LinkedList<>(externalGroupsWhitelist!=null ? externalGroupsWhitelist : Collections.EMPTY_LIST);
+    }
+
+    @JsonIgnore
+    public void addWhiteListedGroup(String group) {
+        this.externalGroupsWhitelist.add(group);
+    }
+
+    public void setAttributeMappings(Map<String, Object> attributeMappings) {
+        this.attributeMappings = new HashMap<>(attributeMappings!=null?attributeMappings:Collections.EMPTY_MAP);
+    }
+
+    public Map<String, Object> getAttributeMappings() {
+        return Collections.unmodifiableMap(attributeMappings);
+    }
+
+    @JsonIgnore
+    public void addAttributeMapping(String key, Object value) {
+        attributeMappings.put(key, value);
+    }
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/Origin.java

@@ -28,8 +28,6 @@ public class Origin {
     public static final String KEYSTONE = "keystone";
     public static final String SAML = "saml";
     public static final String NotANumber = "NaN";
-    public static final String UNKNOWN = "unknown";
-
 
     public static String getUserId(Authentication authentication) {
         String id;

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java

@@ -12,26 +12,38 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.authentication;
 
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonIgnore;
-import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 
 import java.io.Serializable;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static java.util.Collections.EMPTY_MAP;
 
 /**
  * Authentication token which represents a user.
  */
+@JsonSerialize(using = UaaAuthenticationSerializer.class)
+@JsonDeserialize(using = UaaAuthenticationDeserializer.class)
 public class UaaAuthentication implements Authentication, Serializable {
+
     private List<? extends GrantedAuthority> authorities;
     private Object credentials;
     private UaaPrincipal principal;
     private UaaAuthenticationDetails details;
     private boolean authenticated;
     private long authenticatedTime = -1l;
+    private long expiresAt = -1l;
+    private Set<String> externalGroups;
+    private Map<String, List<String>> userAttributes;
 
     /**
      * Creates a token with the supplied array of authorities.
@@ -45,13 +57,22 @@ public UaaAuthentication(UaaPrincipal principal,
         this(principal, null, authorities, details, true, System.currentTimeMillis());
     }
 
-    @JsonCreator
-    public UaaAuthentication(@JsonProperty("principal") UaaPrincipal principal,
-                             @JsonProperty("credentials") Object credentials,
-                             @JsonProperty("authorities") List<? extends GrantedAuthority> authorities,
-                             @JsonProperty("details") UaaAuthenticationDetails details,
-                             @JsonProperty("authenticated") boolean authenticated,
-                             @JsonProperty(value = "authenticatedTime", defaultValue = "-1") long authenticatedTime) {
+    public UaaAuthentication(UaaPrincipal principal,
+                             Object credentials,
+                             List<? extends GrantedAuthority> authorities,
+                             UaaAuthenticationDetails details,
+                             boolean authenticated,
+                             long authenticatedTime) {
+        this(principal, credentials, authorities, details, authenticated, authenticatedTime, -1);
+    }
+
+    public UaaAuthentication(UaaPrincipal principal,
+                             Object credentials,
+                             List<? extends GrantedAuthority> authorities,
+                             UaaAuthenticationDetails details,
+                             boolean authenticated,
+                             long authenticatedTime,
+                             long expiresAt) {
         if (principal == null || authorities == null) {
             throw new IllegalArgumentException("principal and authorities must not be null");
         }
@@ -60,15 +81,29 @@ public UaaAuthentication(@JsonProperty("principal") UaaPrincipal principal,
         this.details = details;
         this.credentials = credentials;
         this.authenticated = authenticated;
-        this.authenticatedTime = authenticatedTime == 0 ? -1 : authenticatedTime;
+        this.authenticatedTime = authenticatedTime <= 0 ? -1 : authenticatedTime;
+        this.expiresAt = expiresAt <= 0 ? -1 : expiresAt;
+    }
+
+    public UaaAuthentication(UaaPrincipal uaaPrincipal,
+                             Object credentials,
+                             List<? extends GrantedAuthority> uaaAuthorityList,
+                             Set<String> externalGroups,
+                             Map<String, List<String>> userAttributes,
+                             UaaAuthenticationDetails details,
+                             boolean authenticated,
+                             long authenticatedTime,
+                             long expiresAt) {
+        this(uaaPrincipal, credentials, uaaAuthorityList, details, authenticated, authenticatedTime, expiresAt);
+        this.externalGroups = externalGroups;
+        this.userAttributes = new HashMap<>(userAttributes);
     }
 
     public long getAuthenticatedTime() {
         return authenticatedTime;
     }
 
     @Override
-    @JsonIgnore
     public String getName() {
         // Should we return the ID for the principal name? (No, because the
         // UaaUserDatabase retrieves users by name.)
@@ -97,14 +132,18 @@ public UaaPrincipal getPrincipal() {
 
     @Override
     public boolean isAuthenticated() {
-        return authenticated;
+        return authenticated && (expiresAt > 0 ? expiresAt > System.currentTimeMillis() : true);
     }
 
     @Override
     public void setAuthenticated(boolean isAuthenticated) {
         authenticated = isAuthenticated;
     }
 
+    public long getExpiresAt() {
+        return expiresAt;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) {
@@ -132,4 +171,28 @@ public int hashCode() {
         result = 31 * result + principal.hashCode();
         return result;
     }
+
+    public Set<String> getExternalGroups() {
+        return externalGroups;
+    }
+
+    public void setExternalGroups(Set<String> externalGroups) {
+        this.externalGroups = externalGroups;
+    }
+
+    public MultiValueMap<String,String> getUserAttributes() {
+        return new LinkedMultiValueMap<>(userAttributes!=null?userAttributes: EMPTY_MAP);
+    }
+
+    public Map<String,List<String>> getUserAttributesAsMap() {
+        return userAttributes!=null ? new HashMap<>(userAttributes) : EMPTY_MAP;
+    }
+
+    public void setUserAttributes(MultiValueMap<String, String> userAttributes) {
+        this.userAttributes = new HashMap<>();
+        for (Map.Entry<String, List<String>> entry : userAttributes.entrySet()) {
+            this.userAttributes.put(entry.getKey(), entry.getValue());
+        }
+    }
+
 }

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDeserializer.java

@@ -0,0 +1,82 @@
+/*
+ * *****************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * *****************************************************************************
+ */
+package org.cloudfoundry.identity.uaa.authentication;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static java.util.Collections.EMPTY_LIST;
+import static java.util.Collections.EMPTY_MAP;
+import static java.util.Collections.EMPTY_SET;
+
+public class UaaAuthenticationDeserializer extends JsonDeserializer<UaaAuthentication> implements UaaAuthenticationJsonBase {
+    @Override
+    public UaaAuthentication deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException {
+        UaaAuthenticationDetails details = null;
+        UaaPrincipal princpal = null;
+        List<? extends GrantedAuthority> authorities = EMPTY_LIST;
+        Set<String> externalGroups = EMPTY_SET;
+        long expiresAt = -1;
+        long authenticatedTime = -1;
+        boolean authenticated = false;
+        Map<String,List<String>> userAttributes = EMPTY_MAP;
+        while (jp.nextToken() != JsonToken.END_OBJECT) {
+            if (jp.getCurrentToken() == JsonToken.FIELD_NAME) {
+                String fieldName = jp.getCurrentName();
+                jp.nextToken();
+                if (NULL_STRING.equals(jp.getText())) {
+                    //do nothing
+                } else if (DETAILS.equals(fieldName)) {
+                    details = jp.readValueAs(UaaAuthenticationDetails.class);
+                } else if (PRINCIPAL.equals(fieldName)) {
+                    princpal = jp.readValueAs(UaaPrincipal.class);
+                } else if (AUTHORITIES.equals(fieldName)) {
+                    authorities = deserializeAuthorites(jp.readValueAs(new TypeReference<List<String>>(){}));
+                } else if (EXTERNAL_GROUPS.equals(fieldName)) {
+                    externalGroups = jp.readValueAs(new TypeReference<Set<String>>(){});
+                } else if (EXPIRES_AT.equals(fieldName)) {
+                    expiresAt = jp.getLongValue();
+                } else if (AUTH_TIME.equals(fieldName)) {
+                    authenticatedTime = jp.getLongValue();
+                } else if (AUTHENTICATED.equals(fieldName)) {
+                    authenticated = jp.getBooleanValue();
+                } else if (USER_ATTRIBUTES.equals(fieldName)) {
+                    userAttributes = jp.readValueAs(new TypeReference<Map<String,List<String>>>() {});
+                }
+            }
+        }
+        if (princpal==null) {
+            throw new JsonMappingException("Missing "+UaaPrincipal.class.getName());
+        }
+        return new UaaAuthentication(princpal,
+                                     null,
+                                     authorities,
+                                     externalGroups,
+                                     userAttributes,
+                                     details,
+                                     authenticated,
+                                     authenticatedTime,
+                                     expiresAt);
+    }
+}