Merge branch 'release/21.1.0'

Author: cslzchen

.github/workflows/build.yml

@@ -33,4 +33,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: ./gradlew build sonarqube --info
+        run: ./gradlew build sonarqube -Dsonar.projectKey=${{ secrets.SONAR_KEY }} -Dsonar.host.url=${{ secrets.SONAR_URL }} --info
+        continue-on-error: true

CHANGELOG.md

@@ -2,7 +2,19 @@
 
 We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
 
-21.0.0 (02-03-2020)
+21.1.0 (03-30-2021)
+===================
+
+OSF CAS feature-complete release
+
+* OSF CAS as an OAuth 2.0 server
+* OSF personal access token, developer apps and oauth scopes
+* Authentication failure throttling
+* Customized institution logout
+* Institution department
+* Overlay template and core library upgrade
+
+21.0.0 (02-03-2021)
 ===================
 
 OSF CAS third release with web flow updates, institution SSO, and FE rework

build.gradle

@@ -93,64 +93,69 @@ idea {
 }
 
 apply plugin: "org.sonarqube"
-sonarqube {
-    properties {
-        property "sonar.projectKey", "CenterForOpenScience_osf-cas"
-        property "sonar.organization", "centerforopenscience"
-        property "sonar.host.url", "https://sonarcloud.io"
-    }
-}
 
 dependencies {
     // Other CAS dependencies/modules may be listed here...
 
-    // JSON Service Registry
-    implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
-
+    // Authentication
+    implementation "org.apereo.cas:cas-server-core-authentication:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-core-authentication-api:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-core-authentication-attributes:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-core-authentication-mfa-api:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-core-authentication-throttle:${project.'cas.version'}"
+    // Cookie
+    implementation "org.apereo.cas:cas-server-core-cookie-api:${project.'cas.version'}"
+    // Services
+    implementation "org.apereo.cas:cas-server-core-services:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-core-services-api:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-core-services-registry:${project.'cas.version'}"
+    // Ticket
+    implementation "org.apereo.cas:cas-server-core-tickets-api:${project.'cas.version'}"
     // Core Utilities
     implementation "org.apereo.cas:cas-server-core-util-api:${project.'cas.version'}"
-
-    // Web and Requests
+    // Validation
+    implementation "org.apereo.cas:cas-server-core-validation-api:${project.'cas.version'}"
+    // Web
     implementation "org.apereo.cas:cas-server-core-web-api:${project.'cas.version'}"
-
-    // Web Flow Customization
+    // Web Flow
     implementation "org.apereo.cas:cas-server-core-webflow:${project.'cas.version'}"
     implementation "org.apereo.cas:cas-server-core-webflow-api:${project.'cas.version'}"
+    // Actions
     implementation "org.apereo.cas:cas-server-support-actions:${project.'cas.version'}"
-
-    // Authentication Customization
-    implementation "org.apereo.cas:cas-server-core-authentication:${project.'cas.version'}"
-    implementation "org.apereo.cas:cas-server-core-authentication-api:${project.'cas.version'}"
-    implementation "org.apereo.cas:cas-server-core-authentication-mfa-api:${project.'cas.version'}"
-
-    // Authentication Delegation: Vanilla
-    implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
-    // Authentication Delegation: Customization
-    implementation "org.apereo.cas:cas-server-support-pac4j-core:${project.'cas.version'}"
-
     // JDBC Drivers
     implementation "org.apereo.cas:cas-server-support-jdbc-drivers:${project.'cas.version'}"
-
-    // JPA OSF PostgreSQL
-    implementation "org.apereo.cas:cas-server-support-jpa-util:${project.'cas.version'}"
-
     // JPA Ticket Registry
     implementation "org.apereo.cas:cas-server-support-jpa-ticket-registry:${project.'cas.version'}"
+    // JPA Utilities
+    implementation "org.apereo.cas:cas-server-support-jpa-util:${project.'cas.version'}"
+    // JSON Service Registry
+    implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
+    // OAuth 2.0 Server
+    implementation "org.apereo.cas:cas-server-support-oauth-api:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-support-oauth-core-api:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-support-oauth-services:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-support-oauth-webflow:${project.'cas.version'}"
+    // Pac4j
+    implementation "org.apereo.cas:cas-server-support-pac4j-api:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-support-pac4j-core:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
+    // Token
+    implementation "org.apereo.cas:cas-server-support-token-core-api:${project.'cas.version'}"
+    // Throttling
+    implementation "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
 
     // Tomcat Catalina
     implementation "org.apache.tomcat:tomcat-catalina:${springBootTomcatVersion}"
-
     // Hibernate
     implementation "org.hibernate:hibernate-core:${hibernateCoreVersion}"
-
     // Google GSON
     implementation "com.google.code.gson:gson:${gsonVersion}"
-
     // Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
     implementation "com.nimbusds:nimbus-jose-jwt:${nimbusJoseVersion}"
-
-    // Apache HttpComponents Client fluent API
+    // Apache HttpComponents Client Fluent API
     implementation "org.apache.httpcomponents:fluent-hc:${fluentHcVersion}"
+    // Jasig CAS Client
+    implementation "org.jasig.cas.client:cas-client-core:${casClientVersion}"
 }
 
 tasks.findByName("jibDockerBuild")

etc/cas/config/cas.properties

@@ -17,6 +17,21 @@ cas.server.prefix=${cas.server.name}
 cas.server.tomcat.server-name=OSF CAS
 ########################################################################################################################
 
+########################################################################################################################
+# Throttling
+# Configuration guide: https://apereo.github.io/cas/6.2.x/installation/Configuring-Authentication-Throttling.html
+# Properties: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-throttling
+########################################################################################################################
+#
+# Authentication Failure Throttling
+#
+cas.authn.throttle.username-parameter=username
+cas.authn.throttle.app-code=CAS
+cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
+cas.authn.throttle.failure.threshold=5
+cas.authn.throttle.failure.range-seconds=1
+########################################################################################################################
+
 ########################################################################################################################
 # CAS Web Application Endpoints Security
 # See: https://docs.spring.io/spring-boot/docs/2.2.8.RELEASE/reference/htmlsingle/#boot-features-security
@@ -239,3 +254,43 @@ cas.authn.pac4j.cas[1].client-name=okstate
 cas.authn.pac4j.cas[1].protocol=SAML
 cas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER
 ########################################################################################################################
+
+########################################################################################################################
+# OAuth 2.0 Server
+# Configuration guide: https://apereo.github.io/cas/6.2.x/installation/OAuth-OpenId-Authentication.html
+# Properties: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#oauth2
+########################################################################################################################
+# Authorization Code
+#
+cas.authn.oauth.code.time-to-kill-in-seconds=60
+cas.authn.oauth.code.number-of-uses=1
+#
+# Access token
+#
+cas.authn.oauth.access-token.time-to-kill-in-seconds=7200
+cas.authn.oauth.access-token.max-time-to-live-in-seconds=28800
+#
+# OAuth JWT Access Tokens
+# Signing and encryption are not enabled for Token / JWT Tickets.
+# The keys will only attempt to produce signed (signing key) and plain (encryption key) objects.
+#
+cas.authn.oauth.access-token.create-as-jwt=false
+cas.authn.oauth.access-token.crypto.encryption-enabled=false
+cas.authn.oauth.access-token.crypto.signing-enabled=false
+cas.authn.oauth.access-token.crypto.signing.key=${OAUTH_JWT_ACCESS_TOKEN_SIGNING_KEY}
+cas.authn.oauth.access-token.crypto.encryption.key=${OAUTH_JWT_ACCESS_TOKEN_ENCRYPTION_KEY}
+#
+# Refresh token
+#
+cas.authn.oauth.refresh-token.time-to-kill-in-seconds=2592000
+#
+# Personal access token
+#
+cas.authn.oauth.personal-access-token.time-to-kill-in-seconds=2592000
+cas.authn.oauth.personal-access-token.max-time-to-live-in-seconds=31104000
+#
+# Signing and encryption for OAuth registered service
+#
+cas.authn.oauth.crypto.signing.key=${OAUTH_REGISTERED_SERVICE_SIGNING_KEY}
+cas.authn.oauth.crypto.encryption.key=${OAUTH_REGISTERED_SERVICE_ENCRYPTION_KEY}
+########################################################################################################################

etc/cas/config/local/cas-local.properties

@@ -23,6 +23,21 @@ cas.server.tomcat.server-name=OSF CAS
 # e.g. cas.server.tomcat.http.attributes.{attribute-name}={attributeValue}
 ########################################################################################################################
 
+########################################################################################################################
+# Throttling
+# Configuration guide: https://apereo.github.io/cas/6.2.x/installation/Configuring-Authentication-Throttling.html
+# Properties: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-throttling
+########################################################################################################################
+#
+# Authentication Failure Throttling
+#
+cas.authn.throttle.username-parameter=username
+cas.authn.throttle.app-code=CAS
+cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
+cas.authn.throttle.failure.threshold=5
+cas.authn.throttle.failure.range-seconds=1
+########################################################################################################################
+
 ########################################################################################################################
 # CAS Web Application Endpoints Security
 # See: https://docs.spring.io/spring-boot/docs/2.2.8.RELEASE/reference/htmlsingle/#boot-features-security
@@ -254,3 +269,43 @@ cas.authn.pac4j.cas[2].client-name=fakecas
 cas.authn.pac4j.cas[2].protocol=CAS30
 cas.authn.pac4j.cas[2].callback-url-type=QUERY_PARAMETER
 ########################################################################################################################
+
+########################################################################################################################
+# OAuth 2.0 Server
+# Configuration guide: https://apereo.github.io/cas/6.2.x/installation/OAuth-OpenId-Authentication.html
+# Properties: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#oauth2
+########################################################################################################################
+# Authorization Code
+#
+cas.authn.oauth.code.time-to-kill-in-seconds=60
+cas.authn.oauth.code.number-of-uses=1
+#
+# Access token
+#
+cas.authn.oauth.access-token.time-to-kill-in-seconds=7200
+cas.authn.oauth.access-token.max-time-to-live-in-seconds=28800
+#
+# OAuth JWT Access Tokens
+# Signing and encryption are not enabled for Token / JWT Tickets.
+# The keys will only attempt to produce signed (signing key) and plain (encryption key) objects.
+#
+cas.authn.oauth.access-token.create-as-jwt=false
+cas.authn.oauth.access-token.crypto.encryption-enabled=false
+cas.authn.oauth.access-token.crypto.signing-enabled=false
+cas.authn.oauth.access-token.crypto.signing.key=changeme
+cas.authn.oauth.access-token.crypto.encryption.key=changeme
+#
+# Refresh token
+#
+cas.authn.oauth.refresh-token.time-to-kill-in-seconds=2592000
+#
+# Personal access token
+#
+cas.authn.oauth.personal-access-token.time-to-kill-in-seconds=2592000
+cas.authn.oauth.personal-access-token.max-time-to-live-in-seconds=31104000
+#
+# Signing and encryption for OAuth registered service
+#
+cas.authn.oauth.crypto.signing.key=changeme
+cas.authn.oauth.crypto.encryption.key=changeme
+########################################################################################################################