From 333954df0df9327cea2a75c906a63aa5fea3544e Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Tue, 10 Nov 2020 16:42:22 +0100
Subject: [PATCH 01/76] Restructure login method to not read all
 IdentityProviders on login_hint

---
 .../identity/uaa/login/LoginInfoEndpoint.java | 70 ++++++++++++-------
 .../uaa/login/LoginInfoEndpointTests.java     | 24 +++++--
 2 files changed, 65 insertions(+), 29 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
index 4a8042215b0..aea0b5682f2 100755
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
@@ -74,6 +74,7 @@
 import java.sql.Timestamp;
 import java.text.SimpleDateFormat;
 import java.time.Duration;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
@@ -273,15 +274,31 @@ private String login(Model model, Principal principal, List<String> excludedProm
             clientName = (String) clientInfo.get(ClientConstants.CLIENT_NAME);
         }
 
-        Map<String, SamlIdentityProviderDefinition> samlIdentityProviders =
-                getSamlIdentityProviderDefinitions(allowedIdentityProviderKeys);
-        Map<String, AbstractExternalOAuthIdentityProviderDefinition> oauthIdentityProviders =
-                getOauthIdentityProviderDefinitions(allowedIdentityProviderKeys);
-        Map<String, AbstractIdentityProviderDefinition> allIdentityProviders =
-                new HashMap<>() {{
-                    putAll(samlIdentityProviders);
-                    putAll(oauthIdentityProviders);
-                }};
+        Map<String, SamlIdentityProviderDefinition> samlIdentityProviders;
+        Map<String, AbstractExternalOAuthIdentityProviderDefinition> oauthIdentityProviders;
+        Map<String, AbstractIdentityProviderDefinition> allIdentityProviders = Collections.emptyMap();
+        Map<String, AbstractIdentityProviderDefinition> loginHintProviders = Collections.emptyMap();
+
+        String loginHintParam = extractLoginHintParam(session, request);
+        UaaLoginHint uaaLoginHint = UaaLoginHint.parseRequestParameter(loginHintParam);
+        if (uaaLoginHint != null && (allowedIdentityProviderKeys == null || allowedIdentityProviderKeys.contains(uaaLoginHint.getOrigin()))) {
+            if (!(OriginKeys.UAA.equals(uaaLoginHint.getOrigin()) || OriginKeys.LDAP.equals(uaaLoginHint.getOrigin()))) {
+                try {
+                    IdentityProvider loginHintProvider = externalOAuthProviderConfigurator
+                            .retrieveByOrigin(uaaLoginHint.getOrigin(), IdentityZoneHolder.get().getId());
+                    loginHintProviders = Collections.singletonList(loginHintProvider).stream().collect(
+                            new MapCollector<IdentityProvider, String, AbstractIdentityProviderDefinition>(
+                                    IdentityProvider::getOriginKey, IdentityProvider::getConfig));
+                } catch (EmptyResultDataAccessException ignored) {
+                }
+            }
+            oauthIdentityProviders = Collections.emptyMap();
+            samlIdentityProviders = Collections.emptyMap();
+        } else {
+            samlIdentityProviders = getSamlIdentityProviderDefinitions(allowedIdentityProviderKeys);
+            oauthIdentityProviders = getOauthIdentityProviderDefinitions(allowedIdentityProviderKeys);
+            allIdentityProviders = new HashMap<>() {{putAll(samlIdentityProviders);putAll(oauthIdentityProviders);}};
+        }
 
         boolean fieldUsernameShow = true;
         boolean returnLoginPrompts = true;
@@ -311,8 +328,8 @@ private String login(Model model, Principal principal, List<String> excludedProm
         }
 
         Map.Entry<String, AbstractIdentityProviderDefinition> idpForRedirect;
-        idpForRedirect = evaluateLoginHint(model, session, samlIdentityProviders,
-                oauthIdentityProviders, allIdentityProviders, allowedIdentityProviderKeys, request);
+        idpForRedirect = evaluateLoginHint(model, samlIdentityProviders,
+                oauthIdentityProviders, allIdentityProviders, allowedIdentityProviderKeys, loginHintParam, uaaLoginHint, loginHintProviders);
 
         boolean discoveryEnabled = IdentityZoneHolder.get().getConfig().isIdpDiscoveryEnabled();
         boolean discoveryPerformed = Boolean.parseBoolean(request.getParameter("discoveryPerformed"));
@@ -480,27 +497,29 @@ private Map.Entry<String, AbstractIdentityProviderDefinition> evaluateIdpDiscove
         return idpForRedirect;
     }
 
+    private String extractLoginHintParam(HttpSession session, HttpServletRequest request) {
+        String loginHintParam =
+                ofNullable(session)
+                        .flatMap(s -> ofNullable(SessionUtils.getSavedRequestSession(s)))
+                        .flatMap(sr -> ofNullable(sr.getParameterValues("login_hint")))
+                        .flatMap(lhValues -> Arrays.stream(lhValues).findFirst())
+                        .orElse(request.getParameter("login_hint"));
+        return loginHintParam;
+    }
+
     private Map.Entry<String, AbstractIdentityProviderDefinition> evaluateLoginHint(
             Model model,
-            HttpSession session,
             Map<String, SamlIdentityProviderDefinition> samlIdentityProviders,
             Map<String, AbstractExternalOAuthIdentityProviderDefinition> oauthIdentityProviders,
             Map<String, AbstractIdentityProviderDefinition> allIdentityProviders,
             List<String> allowedIdentityProviderKeys,
-            HttpServletRequest request
+            String loginHintParam,
+            UaaLoginHint uaaLoginHint,
+            Map<String, AbstractIdentityProviderDefinition> loginHintProviders
     ) {
-
         Map.Entry<String, AbstractIdentityProviderDefinition> idpForRedirect = null;
-        String loginHintParam =
-                ofNullable(session)
-                        .flatMap(s -> ofNullable(SessionUtils.getSavedRequestSession(s)))
-                        .flatMap(sr -> ofNullable(sr.getParameterValues("login_hint")))
-                        .flatMap(lhValues -> Arrays.stream(lhValues).findFirst())
-                        .orElse(request.getParameter("login_hint"));
-
         if (loginHintParam != null) {
             // parse login_hint in JSON format
-            UaaLoginHint uaaLoginHint = UaaLoginHint.parseRequestParameter(loginHintParam);
             if (uaaLoginHint != null) {
                 logger.debug("Received login hint: " + loginHintParam);
                 logger.debug("Received login hint with origin: " + uaaLoginHint.getOrigin());
@@ -519,12 +538,13 @@ private Map.Entry<String, AbstractIdentityProviderDefinition> evaluateLoginHint(
                             allIdentityProviders.entrySet().stream().filter(
                                     idp -> idp.getKey().equals(uaaLoginHint.getOrigin())
                             ).collect(Collectors.toList());
-                    if (hintIdentityProviders.size() > 1) {
+                    if (loginHintProviders.size() > 1) {
                         throw new IllegalStateException(
                                 "There is a misconfiguration with the identity provider(s). Please contact your system administrator."
                         );
-                    } else if (hintIdentityProviders.size() == 1) {
-                        idpForRedirect = hintIdentityProviders.get(0);
+                    }
+                    if (loginHintProviders.size() == 1) {
+                        idpForRedirect = new ArrayList<>(loginHintProviders.entrySet()).get(0);
                         logger.debug("Setting redirect from origin login_hint to: " + idpForRedirect);
                     } else {
                         logger.debug("Client does not allow provider for login_hint with origin key: "
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
index 9e1dbb0d570..9f6f0110237 100755
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
@@ -36,6 +36,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.dao.DataAccessException;
+import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -1163,7 +1164,7 @@ void loginHintOriginOidc() throws Exception {
 
         MultitenantClientServices clientDetailsService = mockClientService();
 
-        mockOidcProvider(mockIdentityProviderProvisioning);
+        mockLoginHintProvider(configurator);
 
         LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get(), clientDetailsService);
 
@@ -1184,7 +1185,7 @@ void loginHintOriginOidcForJson() throws Exception {
 
         MultitenantClientServices clientDetailsService = mockClientService();
 
-        mockOidcProvider(mockIdentityProviderProvisioning);
+        mockLoginHintProvider(configurator);
 
         LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get(), clientDetailsService);
 
@@ -1197,7 +1198,7 @@ void loginHintOriginOidcForJson() throws Exception {
         assertNotNull(extendedModelMap.get("prompts"));
         assertTrue(extendedModelMap.get("prompts") instanceof Map);
         Map<String, String[]> returnedPrompts = (Map<String, String[]>) extendedModelMap.get("prompts");
-        assertEquals(3, returnedPrompts.size());
+        assertEquals(2, returnedPrompts.size());
     }
 
     @Test
@@ -1210,6 +1211,7 @@ void loginHintOriginInvalid() throws Exception {
 
         SavedRequest savedRequest = SessionUtils.getSavedRequestSession(mockHttpServletRequest.getSession());
         when(savedRequest.getParameterValues("login_hint")).thenReturn(new String[]{"{\"origin\":\"my-OIDC-idp1\"}"});
+        when(configurator.retrieveByOrigin(eq("my-OIDC-idp1"), anyString())).thenThrow(new EmptyResultDataAccessException(0));
 
 
         endpoint.loginForHtml(extendedModelMap, null, mockHttpServletRequest, singletonList(MediaType.TEXT_HTML));
@@ -1405,7 +1407,7 @@ void loginHintOverridesDefaultProvider() throws Exception {
 
         MultitenantClientServices clientDetailsService = mockClientService();
 
-        mockOidcProvider(mockIdentityProviderProvisioning);
+        mockLoginHintProvider(configurator);
 
         LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get(), clientDetailsService);
 
@@ -1656,4 +1658,18 @@ private static void mockOidcProvider(IdentityProviderProvisioning mockIdentityPr
         when(mockOidcConfig.isShowLinkText()).thenReturn(true);
         when(mockIdentityProviderProvisioning.retrieveAll(anyBoolean(), any())).thenReturn(singletonList(mockProvider));
     }
+
+    private static void mockLoginHintProvider(ExternalOAuthProviderConfigurator mockIdentityProviderProvisioning)
+            throws MalformedURLException {
+        IdentityProvider mockProvider = mock(IdentityProvider.class);
+        when(mockProvider.getOriginKey()).thenReturn("my-OIDC-idp1");
+        when(mockProvider.getType()).thenReturn(OriginKeys.OIDC10);
+        AbstractExternalOAuthIdentityProviderDefinition mockOidcConfig = mock(OIDCIdentityProviderDefinition.class);
+        when(mockOidcConfig.getAuthUrl()).thenReturn(new URL("http://localhost:8080/uaa"));
+        when(mockOidcConfig.getRelyingPartyId()).thenReturn("client-id");
+        when(mockOidcConfig.getResponseType()).thenReturn("token");
+        when(mockProvider.getConfig()).thenReturn(mockOidcConfig);
+        when(mockOidcConfig.isShowLinkText()).thenReturn(true);
+        when(mockIdentityProviderProvisioning.retrieveByOrigin(eq("my-OIDC-idp1"), any())).thenReturn(mockProvider);
+    }
 }

From 0e31bb4cce3399d242b477dd2a9d992e2bcfc407 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Thu, 12 Nov 2020 11:29:25 +0100
Subject: [PATCH 02/76] Move read configurations and parameters to allow
 earlier decisions

---
 .../identity/uaa/login/LoginInfoEndpoint.java | 36 ++++++++++---------
 .../uaa/login/LoginInfoEndpointTests.java     |  7 ----
 2 files changed, 20 insertions(+), 23 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
index aea0b5682f2..d9b3c8a276e 100755
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
@@ -274,14 +274,25 @@ private String login(Model model, Principal principal, List<String> excludedProm
             clientName = (String) clientInfo.get(ClientConstants.CLIENT_NAME);
         }
 
+        //Read all configuration and parameters at the beginning to allow earlier decisions
+        boolean discoveryEnabled = IdentityZoneHolder.get().getConfig().isIdpDiscoveryEnabled();
+        boolean discoveryPerformed = Boolean.parseBoolean(request.getParameter("discoveryPerformed"));
+        String defaultIdentityProviderName = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();
+        boolean accountChooserEnabled = IdentityZoneHolder.get().getConfig().isAccountChooserEnabled();
+        boolean otherAccountSignIn = Boolean.parseBoolean(request.getParameter("otherAccountSignIn"));
+        boolean savedAccountsEmpty = getSavedAccounts(request.getCookies(), SavedAccountOption.class).isEmpty();
+        boolean accountChooserNeeded = accountChooserEnabled && !(otherAccountSignIn || savedAccountsEmpty) && discoveryEnabled &&!discoveryPerformed;
+
+        String loginHintParam = extractLoginHintParam(session, request);
+        UaaLoginHint uaaLoginHint = UaaLoginHint.parseRequestParameter(loginHintParam);
+
         Map<String, SamlIdentityProviderDefinition> samlIdentityProviders;
         Map<String, AbstractExternalOAuthIdentityProviderDefinition> oauthIdentityProviders;
         Map<String, AbstractIdentityProviderDefinition> allIdentityProviders = Collections.emptyMap();
         Map<String, AbstractIdentityProviderDefinition> loginHintProviders = Collections.emptyMap();
 
-        String loginHintParam = extractLoginHintParam(session, request);
-        UaaLoginHint uaaLoginHint = UaaLoginHint.parseRequestParameter(loginHintParam);
         if (uaaLoginHint != null && (allowedIdentityProviderKeys == null || allowedIdentityProviderKeys.contains(uaaLoginHint.getOrigin()))) {
+            // Login hint: Only try to read the hinted IdP from database
             if (!(OriginKeys.UAA.equals(uaaLoginHint.getOrigin()) || OriginKeys.LDAP.equals(uaaLoginHint.getOrigin()))) {
                 try {
                     IdentityProvider loginHintProvider = externalOAuthProviderConfigurator
@@ -294,6 +305,10 @@ private String login(Model model, Principal principal, List<String> excludedProm
             }
             oauthIdentityProviders = Collections.emptyMap();
             samlIdentityProviders = Collections.emptyMap();
+        } else if (accountChooserNeeded || (discoveryEnabled && !discoveryPerformed)) {
+            //Account Chooser and discovery do not need any IdP information
+            oauthIdentityProviders = Collections.emptyMap();
+            samlIdentityProviders = Collections.emptyMap();
         } else {
             samlIdentityProviders = getSamlIdentityProviderDefinitions(allowedIdentityProviderKeys);
             oauthIdentityProviders = getOauthIdentityProviderDefinitions(allowedIdentityProviderKeys);
@@ -331,10 +346,6 @@ private String login(Model model, Principal principal, List<String> excludedProm
         idpForRedirect = evaluateLoginHint(model, samlIdentityProviders,
                 oauthIdentityProviders, allIdentityProviders, allowedIdentityProviderKeys, loginHintParam, uaaLoginHint, loginHintProviders);
 
-        boolean discoveryEnabled = IdentityZoneHolder.get().getConfig().isIdpDiscoveryEnabled();
-        boolean discoveryPerformed = Boolean.parseBoolean(request.getParameter("discoveryPerformed"));
-        String defaultIdentityProviderName = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();
-
         idpForRedirect = evaluateIdpDiscovery(model, samlIdentityProviders, oauthIdentityProviders,
                 allIdentityProviders, allowedIdentityProviderKeys, idpForRedirect, discoveryEnabled, discoveryPerformed, defaultIdentityProviderName);
         if (idpForRedirect == null && !jsonResponse && !fieldUsernameShow && allIdentityProviders.size() == 1) {
@@ -381,7 +392,7 @@ private String login(Model model, Principal principal, List<String> excludedProm
                 excludedPrompts, returnLoginPrompts);
 
         if (principal == null) {
-            return getUnauthenticatedRedirect(model, request, discoveryEnabled, discoveryPerformed);
+            return getUnauthenticatedRedirect(model, request, discoveryEnabled, discoveryPerformed, accountChooserNeeded);
         }
         return "home";
     }
@@ -390,25 +401,18 @@ private String getUnauthenticatedRedirect(
             Model model,
             HttpServletRequest request,
             boolean discoveryEnabled,
-            boolean discoveryPerformed
+            boolean discoveryPerformed,
+            boolean accountChooserNeeded
     ) {
         String formRedirectUri = request.getParameter(UaaSavedRequestAwareAuthenticationSuccessHandler.FORM_REDIRECT_PARAMETER);
         if (hasText(formRedirectUri)) {
             model.addAttribute(UaaSavedRequestAwareAuthenticationSuccessHandler.FORM_REDIRECT_PARAMETER, formRedirectUri);
         }
 
-        boolean accountChooserEnabled = IdentityZoneHolder.get().getConfig().isAccountChooserEnabled();
-        boolean otherAccountSignIn = Boolean.parseBoolean(request.getParameter("otherAccountSignIn"));
-        boolean savedAccountsEmpty = getSavedAccounts(request.getCookies(), SavedAccountOption.class).isEmpty();
-
         if (discoveryEnabled) {
             if (model.containsAttribute("login_hint")) {
                 return goToPasswordPage(request.getParameter("email"), model);
             }
-            boolean accountChooserNeeded = accountChooserEnabled
-                    && !(otherAccountSignIn || savedAccountsEmpty)
-                    && !discoveryPerformed;
-
             if (accountChooserNeeded) {
                 return "idp_discovery/account_chooser";
             }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
index 9f6f0110237..d498b30de69 100755
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
@@ -818,13 +818,6 @@ void authcodeWithAllowedProviderStillUsesAccountChooser() throws Exception {
         MultitenantClientServices clientDetailsService = mock(MultitenantClientServices.class);
         when(clientDetailsService.loadClientByClientId("client-id", "other-zone")).thenReturn(clientDetails);
 
-        // mock SamlIdentityProviderConfigurator
-        List<SamlIdentityProviderDefinition> clientIDPs = new LinkedList<>();
-        clientIDPs.add(createIdentityProviderDefinition("my-client-awesome-idp1", "other-zone"));
-        clientIDPs.add(createIdentityProviderDefinition("uaa", "other-zone"));
-        when(mockSamlIdentityProviderConfigurator.getIdentityProviderDefinitions(eq(allowedProviders), eq(zone))).thenReturn(clientIDPs);
-
-
         LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get(), clientDetailsService);
         endpoint.loginForHtml(extendedModelMap, null, request, singletonList(MediaType.TEXT_HTML));
 

From 7e7c376cd4bc5180eb78b43bcc33b21b069bb8aa Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Fri, 29 Jan 2021 13:18:49 +0100
Subject: [PATCH 03/76] Fix bug with invalid login_hint on login page

---
 .../identity/uaa/login/LoginInfoEndpoint.java | 12 ++++++++--
 .../uaa/login/LoginInfoEndpointTests.java     | 24 +++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
index d9b3c8a276e..9776b363adf 100755
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
@@ -303,8 +303,16 @@ private String login(Model model, Principal principal, List<String> excludedProm
                 } catch (EmptyResultDataAccessException ignored) {
                 }
             }
-            oauthIdentityProviders = Collections.emptyMap();
-            samlIdentityProviders = Collections.emptyMap();
+            if (!loginHintProviders.isEmpty()) {
+                oauthIdentityProviders = Collections.emptyMap();
+                samlIdentityProviders = Collections.emptyMap();
+            } else {
+                samlIdentityProviders = getSamlIdentityProviderDefinitions(allowedIdentityProviderKeys);
+                oauthIdentityProviders = getOauthIdentityProviderDefinitions(allowedIdentityProviderKeys);
+                allIdentityProviders = new HashMap<>();
+                allIdentityProviders.putAll(samlIdentityProviders);
+                allIdentityProviders.putAll(oauthIdentityProviders);
+            }
         } else if (accountChooserNeeded || (discoveryEnabled && !discoveryPerformed)) {
             //Account Chooser and discovery do not need any IdP information
             oauthIdentityProviders = Collections.emptyMap();
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
index d498b30de69..e410ed4aa9e 100755
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
@@ -1151,6 +1151,30 @@ void invalidLoginHintErrorOnDiscoveryPage() throws Exception {
         assertEquals("idp_discovery/email", redirect);
     }
 
+    @Test
+    public void testInvalidLoginHintLoginPageReturnsList() throws Exception {
+        MockHttpServletRequest mockHttpServletRequest = getMockHttpServletRequest();
+
+        BaseClientDetails clientDetails = new BaseClientDetails();
+        clientDetails.setClientId("client-id");
+        MultitenantClientServices clientDetailsService = mock(MultitenantClientServices.class);
+        when(clientDetailsService.loadClientByClientId("client-id", "uaa")).thenReturn(clientDetails);
+        LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get(), clientDetailsService);
+
+        List<IdentityProvider> clientAllowedIdps = new LinkedList<>();
+        clientAllowedIdps.add(createOIDCIdentityProvider("my-OIDC-idp1"));
+        clientAllowedIdps.add(createOIDCIdentityProvider("my-OIDC-idp2"));
+        when(mockIdentityProviderProvisioning.retrieveAll(eq(true), anyString())).thenReturn(clientAllowedIdps);
+        when(mockIdentityProviderProvisioning.retrieveByOrigin(eq("invalidorigin"), anyString())).thenThrow(new EmptyResultDataAccessException(1));
+
+        SavedRequest savedRequest = SessionUtils.getSavedRequestSession(mockHttpServletRequest.getSession());
+        when(savedRequest.getParameterValues("login_hint")).thenReturn(new String[]{"{\"origin\":\"invalidorigin\"}"});
+
+        endpoint.loginForHtml(extendedModelMap, null, mockHttpServletRequest, Collections.singletonList(MediaType.TEXT_HTML));
+
+        assertFalse(((Map)extendedModelMap.get("oauthLinks")).isEmpty());
+    }
+
     @Test
     void loginHintOriginOidc() throws Exception {
         MockHttpServletRequest mockHttpServletRequest = getMockHttpServletRequest();

From c32c34908d7e885202ef6ea86a143732c16cb121 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Fri, 29 Jan 2021 13:19:10 +0100
Subject: [PATCH 04/76] Add MockMvc Test to show performance improvement

---
 .../LoginPagePerformanceMockMvcTest.java      | 166 ++++++++++++++++++
 1 file changed, 166 insertions(+)
 create mode 100644 uaa/src/test/java/org/cloudfoundry/identity/uaa/performance/LoginPagePerformanceMockMvcTest.java

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/performance/LoginPagePerformanceMockMvcTest.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/performance/LoginPagePerformanceMockMvcTest.java
new file mode 100644
index 00000000000..3ad5ab09761
--- /dev/null
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/performance/LoginPagePerformanceMockMvcTest.java
@@ -0,0 +1,166 @@
+package org.cloudfoundry.identity.uaa.performance;
+
+import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.CookieCsrfPostProcessor.cookieCsrf;
+import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.createOtherIdentityZoneAndReturnResult;
+import static org.junit.Assert.assertFalse;
+import static org.springframework.http.MediaType.TEXT_HTML;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import java.io.File;
+import java.net.URL;
+import java.util.Collections;
+
+import org.cloudfoundry.identity.uaa.DefaultTestContext;
+import org.cloudfoundry.identity.uaa.codestore.JdbcExpiringCodeStore;
+import org.cloudfoundry.identity.uaa.constants.OriginKeys;
+import org.cloudfoundry.identity.uaa.impl.config.IdentityZoneConfigurationBootstrap;
+import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
+import org.cloudfoundry.identity.uaa.provider.AbstractExternalOAuthIdentityProviderDefinition;
+import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
+import org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning;
+import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
+import org.cloudfoundry.identity.uaa.provider.oauth.OidcMetadataFetcher;
+import org.cloudfoundry.identity.uaa.util.SetServerNameRequestPostProcessor;
+import org.cloudfoundry.identity.uaa.web.LimitedModeUaaFilter;
+import org.cloudfoundry.identity.uaa.zone.IdentityZone;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.cloudfoundry.identity.uaa.zone.MultitenancyFixture;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
+import org.springframework.security.oauth2.provider.client.BaseClientDetails;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.util.StopWatch;
+import org.springframework.util.StringUtils;
+import org.springframework.web.context.WebApplicationContext;
+
+@DefaultTestContext
+@DirtiesContext
+public class LoginPagePerformanceMockMvcTest {
+
+    private WebApplicationContext webApplicationContext;
+
+    private RandomValueStringGenerator generator;
+
+    private MockMvc mockMvc;
+
+
+
+    private File originalLimitedModeStatusFile;
+
+    @MockBean
+    OidcMetadataFetcher oidcMetadataFetcher;
+
+    @BeforeEach
+    void setUpContext(
+            @Autowired WebApplicationContext webApplicationContext,
+            @Autowired MockMvc mockMvc,
+            @Autowired LimitedModeUaaFilter limitedModeUaaFilter
+    )  {
+        generator = new RandomValueStringGenerator();
+        this.webApplicationContext = webApplicationContext;
+        this.mockMvc = mockMvc;
+        SecurityContextHolder.clearContext();
+
+        originalLimitedModeStatusFile = MockMvcUtils.getLimitedModeStatusFile(webApplicationContext);
+        MockMvcUtils.resetLimitedModeStatusFile(webApplicationContext, null);
+        assertFalse(limitedModeUaaFilter.isEnabled());
+    }
+
+    @AfterEach
+    void resetGenerator(
+            @Autowired JdbcExpiringCodeStore jdbcExpiringCodeStore
+    ) {
+        jdbcExpiringCodeStore.setGenerator(new RandomValueStringGenerator(24));
+    }
+
+    @AfterEach
+    void tearDown(@Autowired IdentityZoneConfigurationBootstrap identityZoneConfigurationBootstrap) throws Exception {
+        MockMvcUtils.setSelfServiceLinksEnabled(webApplicationContext, IdentityZone.getUaaZoneId(), true);
+        identityZoneConfigurationBootstrap.afterPropertiesSet();
+        SecurityContextHolder.clearContext();
+        IdentityZoneHolder.clear();
+        MockMvcUtils.resetLimitedModeStatusFile(webApplicationContext, originalLimitedModeStatusFile);
+    }
+
+    @Test
+    void idpDiscoveryRedirectsToOIDCProvider(
+            @Autowired JdbcIdentityProviderProvisioning jdbcIdentityProviderProvisioning
+    ) throws Exception {
+        String subdomain = "oidc-discovery-" + generator.generate().toLowerCase();
+        IdentityZone zone = MultitenancyFixture.identityZone(subdomain, subdomain);
+        zone.getConfig().setIdpDiscoveryEnabled(true);
+        BaseClientDetails client = new BaseClientDetails("admin", null, null, "client_credentials",
+                "clients.admin,scim.read,scim.write,idps.write,uaa.admin", "http://redirect.url");
+        client.setClientSecret("admin-secret");
+        createOtherIdentityZoneAndReturnResult(mockMvc, webApplicationContext, client, zone, false, IdentityZoneHolder.getCurrentZoneId());
+
+
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", null);
+        String originKey = createOIDCProvider(jdbcIdentityProviderProvisioning, generator, zone, "id_token code", "test.org");
+
+        StopWatch stopWatch = new StopWatch();
+        stopWatch.start();
+        for (int i = 0; i <1000; i++) {
+            MvcResult mvcResult = mockMvc.perform(get("/login")
+                    .with(cookieCsrf())
+                    .header("Accept", TEXT_HTML)
+                    .with(new SetServerNameRequestPostProcessor(zone.getSubdomain() + ".localhost")))
+                    .andExpect(status().isOk())
+                    .andReturn();
+            MockHttpServletResponse response = mvcResult.getResponse();
+        }
+
+        stopWatch.stop();
+        long totalTimeMillis = stopWatch.getTotalTimeMillis();
+
+        System.out.println(totalTimeMillis + "ms");
+    }
+
+
+    private static String createOIDCProvider(JdbcIdentityProviderProvisioning jdbcIdentityProviderProvisioning, RandomValueStringGenerator generator, IdentityZone zone, String responseType, String domain) throws Exception {
+        String originKey = generator.generate();
+        AbstractExternalOAuthIdentityProviderDefinition definition = new OIDCIdentityProviderDefinition();
+        definition.setAuthUrl(new URL("http://myauthurl.com"));
+        definition.setTokenKey("key");
+        definition.setTokenUrl(new URL("http://mytokenurl.com"));
+        definition.setRelyingPartyId("id");
+        definition.setRelyingPartySecret("secret");
+        definition.setLinkText("my oidc provider");
+        if (StringUtils.hasText(responseType)) {
+            definition.setResponseType(responseType);
+        }
+        if (StringUtils.hasText(domain)) {
+            definition.setEmailDomain(Collections.singletonList(domain));
+        }
+
+        IdentityProvider identityProvider = MultitenancyFixture.identityProvider(originKey, zone.getId());
+        identityProvider.setType(OriginKeys.OIDC10);
+        identityProvider.setConfig(definition);
+        createIdentityProvider(jdbcIdentityProviderProvisioning, zone, identityProvider);
+        return originKey;
+    }
+
+    private static IdentityProvider createIdentityProvider(JdbcIdentityProviderProvisioning jdbcIdentityProviderProvisioning, IdentityZone identityZone, IdentityProvider activeIdentityProvider) {
+        activeIdentityProvider.setIdentityZoneId(identityZone.getId());
+        return jdbcIdentityProviderProvisioning.create(activeIdentityProvider, identityZone.getId());
+    }
+}

From e21ece5dc99c129c7616ab0322c4c803c1b18764 Mon Sep 17 00:00:00 2001
From: Cloud Foundry Identity Team <cf-identity-eng@pivotal.io>
Date: Wed, 3 Feb 2021 00:53:19 +0000
Subject: [PATCH 05/76] Update UAA image reference in k8s deployment template
 to
 cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c

---
 k8s/templates/values/image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/k8s/templates/values/image.yml b/k8s/templates/values/image.yml
index 54e35b92c5b..0ac73de2027 100644
--- a/k8s/templates/values/image.yml
+++ b/k8s/templates/values/image.yml
@@ -1,3 +1,3 @@
 #@data/values
 ---
-image: "cloudfoundry/uaa@sha256:37fcf63a156b75174fbc7be0e3809d64cda6851de0bfe6fa7f12793d919de96a"
+image: "cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c"

From ecf3734d0b8533f1571220c450979f5595d92edf Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bricard@vmware.com>
Date: Thu, 4 Feb 2021 11:51:58 -0800
Subject: [PATCH 06/76] Bump dependency

* the previous version of mime has a vulnerability
  https://nvd.nist.gov/vuln/detail/CVE-2017-16138
---
 uaa/slate/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uaa/slate/package.json b/uaa/slate/package.json
index db4427c6ca5..b11f2920864 100644
--- a/uaa/slate/package.json
+++ b/uaa/slate/package.json
@@ -116,7 +116,7 @@
     "map-obj": "^1.0.1",
     "media-typer": "^0.3.0",
     "meow": "^3.7.0",
-    "mime": "^1.3.4",
+    "mime": "^2.5.0",
     "mime-db": "^1.22.0",
     "mime-types": "^2.1.10",
     "minimatch": "^3.0.0",

From 9834fc3405b31a0a887d22e48e4162d57364217c Mon Sep 17 00:00:00 2001
From: Cloud Foundry Identity Team <cf-identity-eng@pivotal.io>
Date: Sun, 14 Feb 2021 06:41:15 +0000
Subject: [PATCH 07/76] Update UAA image reference in k8s deployment template
 to
 cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc

---
 k8s/templates/values/image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/k8s/templates/values/image.yml b/k8s/templates/values/image.yml
index 0ac73de2027..0a6418f398e 100644
--- a/k8s/templates/values/image.yml
+++ b/k8s/templates/values/image.yml
@@ -1,3 +1,3 @@
 #@data/values
 ---
-image: "cloudfoundry/uaa@sha256:c1d54700f1e6b8fabe49917a8e4ca59f381a11c69982439525f9af8a08f29e0c"
+image: "cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc"

From fdd4e72ee103ba12f9baef19058eb0acc9edaa53 Mon Sep 17 00:00:00 2001
From: Peter Chen <peterch@vmware.com>
Date: Thu, 25 Feb 2021 11:55:01 -0800
Subject: [PATCH 08/76] feat: for unit tests, add time out to waiting for DB to
 start

- and print out the DB boot log if fail to start

[#177100664]
---
 scripts/start_db_helper.sh | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/scripts/start_db_helper.sh b/scripts/start_db_helper.sh
index b7dcb37889a..036e9c9f3d8 100755
--- a/scripts/start_db_helper.sh
+++ b/scripts/start_db_helper.sh
@@ -16,7 +16,8 @@ function bootDB {
   db=$1
 
   if [[ "${db}" = "postgresql" ]]; then
-    launchDB="(/docker-entrypoint.sh postgres -c 'max_connections=250' &> /var/log/postgres-boot.log) &"
+    bootLogLocation="/var/log/postgres-boot.log"
+    launchDB="(/docker-entrypoint.sh postgres -c 'max_connections=250' &> ${bootLogLocation}) &"
     testConnection="(! ps aux | grep docker-entrypoint | grep -v 'grep') && psql -h localhost -U postgres -c '\conninfo' &>/dev/null"
     initDB="psql -c 'drop database if exists uaa;' -U postgres; psql -c 'create database uaa;' -U postgres; psql -c 'drop user if exists root;' --dbname=uaa -U postgres; psql -c \"create user root with superuser password 'changeme';\" --dbname=uaa -U postgres; psql -c 'show max_connections;' --dbname=uaa -U postgres;"
 
@@ -27,7 +28,8 @@ function bootDB {
 
 
   elif [[ "${db}" = "mysql" ]]  || [[ "${db}" = "mysql-5.6" ]]; then
-    launchDB="(MYSQL_DATABASE=uaa MYSQL_ROOT_HOST=127.0.0.1 MYSQL_ROOT_PASSWORD='changeme' bash /entrypoint.sh mysqld &> /var/log/mysql-boot.log) &"
+    bootLogLocation="/var/log/mysql-boot.log"
+    launchDB="(MYSQL_DATABASE=uaa MYSQL_ROOT_HOST=127.0.0.1 MYSQL_ROOT_PASSWORD='changeme' bash /entrypoint.sh mysqld &> ${bootLogLocation}) &"
     testConnection="echo '\s;' | mysql -uroot -pchangeme &>/dev/null"
     initDB="mysql -uroot -pchangeme -e 'SET GLOBAL max_connections = 250; ALTER DATABASE uaa DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;';"
 
@@ -37,7 +39,8 @@ function bootDB {
     }
 
   elif [[ "${db}" = "percona" ]]; then
-    launchDB="bash /entrypoint.sh &> /var/log/mysql-boot.log"
+    bootLogLocation="/var/log/mysql-boot.log"
+    launchDB="bash /entrypoint.sh &> ${bootLogLocation}"
     testConnection="echo '\s;' | mysql &>/dev/null"
     initDB="mysql -e \"CREATE USER 'root'@'127.0.0.1' IDENTIFIED BY 'changeme' ;\";
          mysql -e \"GRANT ALL ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION ;\";
@@ -60,7 +63,9 @@ function bootDB {
   echo -n "Booting $db"
   set -x
   eval "$launchDB"
-  while true; do
+  
+  for i in {0..600} # wait at most 10 mins to the database to start
+  do
     set +ex
     eval "$testConnection"
     exitcode=$?
@@ -80,4 +85,8 @@ function bootDB {
     echo -n "."
     sleep 1
   done
+
+  echo "Printing database boot logs:"
+  cat "$bootLogLocation"
+  exit 1
 }

From 766e981735b144aa33b674b7f3fab9d798a8f3d0 Mon Sep 17 00:00:00 2001
From: Olivier Lechevalier <RageZBla@users.noreply.github.com>
Date: Mon, 26 Oct 2020 17:07:48 +0900
Subject: [PATCH 09/76] Fix typo

---
 .../manager/DynamicZoneAwareAuthenticationManagerTest.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicZoneAwareAuthenticationManagerTest.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicZoneAwareAuthenticationManagerTest.java
index fc0ffc45b32..1eb215e7691 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicZoneAwareAuthenticationManagerTest.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicZoneAwareAuthenticationManagerTest.java
@@ -142,7 +142,7 @@ void testNonUAAZoneUaaActiveAccountLocked() {
     }
 
     @Test
-    void testNonUAAZoneUaaActiveUaaAuthenticationSucccess() {
+    void testNonUAAZoneUaaActiveUaaAuthenticationSuccess() {
         IdentityZoneHolder.set(ZONE);
         when(providerProvisioning.retrieveByOrigin(OriginKeys.UAA, ZONE.getId())).thenReturn(uaaActive);
         when(providerProvisioning.retrieveByOrigin(OriginKeys.LDAP, ZONE.getId())).thenReturn(ldapActive);

From c88dfff40118d395b71607b4d3a2e265168625e4 Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Fri, 19 Mar 2021 09:28:58 +0100
Subject: [PATCH 10/76] refactor: implement recommendation from thymeleaf
 (#1512)

by change I found warnings in log. in total 3 warnings found

[THYMELEAF][Test worker] Template Mode 'HTML5' is deprecated. Using Template Mode 'HTML' instead.
[THYMELEAF][Test worker] Template Mode 'HTML5' is deprecated. Using Template Mode 'HTML' instead.
Initializing Spring TestDispatcherServlet ''
Initializing Servlet ''
Completed initialization in 3 ms
The layout:decorator/data-layout-decorator processor has been deprecated and will be removed in the next major version of the layout dialect.  Please use layout:decorate/data-layout-decorate instead to future-proof your code.  See https://github.com/ultraq/thymeleaf-layout-dialect/issues/95 for more information.
Fragment expression "layouts/main" is being wrapped as a Thymeleaf 3 fragment expression (~{...}) for backwards compatibility purposes.  This wrapping will be dropped in the next major version of the expression processor, so please rewrite as a Thymeleaf 3 fragment expression to future-proof your code.  See https://github.com/thymeleaf/thymeleaf/issues/451 for more information.

## https://github.com/ultraq/thymeleaf-layout-dialect/issues/95 , changed layout:decorator to layout:decorate
## use template mode HTML instead of HTML5
## swtiched back to from th:with="isLdap which was removed with spring update
---
 .../identity/uaa/login/ThymeleafConfig.java            |  3 ++-
 .../resources/templates/web/access_confirmation.html   |  2 +-
 .../templates/web/access_confirmation_error.html       |  2 +-
 .../resources/templates/web/accounts/email_sent.html   |  2 +-
 .../resources/templates/web/accounts/link_prompt.html  |  2 +-
 .../templates/web/accounts/new_activation_email.html   |  2 +-
 server/src/main/resources/templates/web/approvals.html |  2 +-
 .../src/main/resources/templates/web/change_email.html |  2 +-
 .../main/resources/templates/web/change_password.html  |  2 +-
 .../src/main/resources/templates/web/email_sent.html   |  2 +-
 server/src/main/resources/templates/web/error.html     |  2 +-
 .../resources/templates/web/external_auth_error.html   |  2 +-
 .../resources/templates/web/force_password_change.html |  2 +-
 .../main/resources/templates/web/forgot_password.html  |  2 +-
 server/src/main/resources/templates/web/home.html      |  2 +-
 .../templates/web/idp_discovery/account_chooser.html   |  2 +-
 .../resources/templates/web/idp_discovery/email.html   |  2 +-
 .../templates/web/idp_discovery/password.html          |  2 +-
 .../main/resources/templates/web/invalid_request.html  |  2 +-
 .../templates/web/invitations/accept_invite.html       | 10 +++++-----
 server/src/main/resources/templates/web/login.html     |  2 +-
 .../main/resources/templates/web/login_implicit.html   |  2 +-
 .../main/resources/templates/web/mfa/enter_code.html   |  2 +-
 .../templates/web/mfa/manual_registration.html         |  2 +-
 .../src/main/resources/templates/web/mfa/qr_code.html  |  2 +-
 server/src/main/resources/templates/web/passcode.html  |  2 +-
 .../main/resources/templates/web/reset_password.html   |  2 +-
 .../src/main/resources/templates/web/switch_idp.html   |  2 +-
 28 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/ThymeleafConfig.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/ThymeleafConfig.java
index 673230e6472..7efd81c0e43 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/ThymeleafConfig.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/ThymeleafConfig.java
@@ -28,6 +28,7 @@
 import org.thymeleaf.spring5.SpringTemplateEngine;
 import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
 import org.thymeleaf.spring5.view.ThymeleafViewResolver;
+import org.thymeleaf.templatemode.TemplateMode;
 import org.thymeleaf.templateresolver.ITemplateResolver;
 
 import java.nio.charset.StandardCharsets;
@@ -104,7 +105,7 @@ public org.springframework.web.servlet.view.ContentNegotiatingViewResolver viewR
     private SpringResourceTemplateResolver baseHtmlTemplateResolver(ApplicationContext context) {
         SpringResourceTemplateResolver templateResolver = new SpringResourceTemplateResolver();
         templateResolver.setSuffix(".html");
-        templateResolver.setTemplateMode("HTML5");
+        templateResolver.setTemplateMode(TemplateMode.HTML);
         templateResolver.setApplicationContext(context);
         return templateResolver;
     }
diff --git a/server/src/main/resources/templates/web/access_confirmation.html b/server/src/main/resources/templates/web/access_confirmation.html
index 99e230ec0ba..a66b703a9e3 100644
--- a/server/src/main/resources/templates/web/access_confirmation.html
+++ b/server/src/main/resources/templates/web/access_confirmation.html
@@ -2,7 +2,7 @@
 <html xmlns="http://www.w3.org/1999/html"
       xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
 </head>
diff --git a/server/src/main/resources/templates/web/access_confirmation_error.html b/server/src/main/resources/templates/web/access_confirmation_error.html
index 7d454fd650c..2fbe2f85337 100644
--- a/server/src/main/resources/templates/web/access_confirmation_error.html
+++ b/server/src/main/resources/templates/web/access_confirmation_error.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 <div class="island" layout:fragment="page-content">
     <div class="island-content">
         <div th:if="${error_message_code}" class="alert alert-error">
diff --git a/server/src/main/resources/templates/web/accounts/email_sent.html b/server/src/main/resources/templates/web/accounts/email_sent.html
index 5b0d5084c10..389d37b61b0 100644
--- a/server/src/main/resources/templates/web/accounts/email_sent.html
+++ b/server/src/main/resources/templates/web/accounts/email_sent.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <link rel="stylesheet" href="/resources/font-awesome/css/font-awesome.min.css" th:href="@{/resources/font-awesome/css/font-awesome.min.css}" />
 </head>
diff --git a/server/src/main/resources/templates/web/accounts/link_prompt.html b/server/src/main/resources/templates/web/accounts/link_prompt.html
index 145b18d69fa..27d34953a52 100644
--- a/server/src/main/resources/templates/web/accounts/link_prompt.html
+++ b/server/src/main/resources/templates/web/accounts/link_prompt.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <div class="island-landscape" layout:fragment="page-content">
     <div class="island-title">
         <h1>Create your <th:block th:text="${!companyName.equals('Cloud Foundry') and isUaa ? companyName + ' account': 'account'}">account</th:block></h1>
diff --git a/server/src/main/resources/templates/web/accounts/new_activation_email.html b/server/src/main/resources/templates/web/accounts/new_activation_email.html
index a77bc756f2b..7150431ff98 100644
--- a/server/src/main/resources/templates/web/accounts/new_activation_email.html
+++ b/server/src/main/resources/templates/web/accounts/new_activation_email.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <div th:switch="${error_message_code}" class="island-landscape" layout:fragment="page-content">
     <div class="island-title">
         <h1>Create your <th:block th:text="${!companyName.equals('Cloud Foundry') and isUaa ? (companyName + ' account') : 'account'}">account</th:block></h1>
diff --git a/server/src/main/resources/templates/web/approvals.html b/server/src/main/resources/templates/web/approvals.html
index a72c4348b7d..6d392a12450 100644
--- a/server/src/main/resources/templates/web/approvals.html
+++ b/server/src/main/resources/templates/web/approvals.html
@@ -2,7 +2,7 @@
 <html xmlns="http://www.w3.org/1999/html"
       xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
     <script type="text/javascript">
diff --git a/server/src/main/resources/templates/web/change_email.html b/server/src/main/resources/templates/web/change_email.html
index 081452b4218..368193ce3ac 100644
--- a/server/src/main/resources/templates/web/change_email.html
+++ b/server/src/main/resources/templates/web/change_email.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
 </head>
diff --git a/server/src/main/resources/templates/web/change_password.html b/server/src/main/resources/templates/web/change_password.html
index 71ac5d1a738..738082b0545 100644
--- a/server/src/main/resources/templates/web/change_password.html
+++ b/server/src/main/resources/templates/web/change_password.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
 </head>
diff --git a/server/src/main/resources/templates/web/email_sent.html b/server/src/main/resources/templates/web/email_sent.html
index 955c2613422..f5161ffbebe 100644
--- a/server/src/main/resources/templates/web/email_sent.html
+++ b/server/src/main/resources/templates/web/email_sent.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 <head>
     <link rel="stylesheet" href="/resources/font-awesome/css/font-awesome.min.css" th:href="@{/resources/font-awesome/css/font-awesome.min.css}" />
 </head>
diff --git a/server/src/main/resources/templates/web/error.html b/server/src/main/resources/templates/web/error.html
index 9352240bbc1..c54e3bc78cd 100644
--- a/server/src/main/resources/templates/web/error.html
+++ b/server/src/main/resources/templates/web/error.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 <head>
 </head>
 <div class="island" layout:fragment="page-content">
diff --git a/server/src/main/resources/templates/web/external_auth_error.html b/server/src/main/resources/templates/web/external_auth_error.html
index 5827526b44a..b9c8a151270 100644
--- a/server/src/main/resources/templates/web/external_auth_error.html
+++ b/server/src/main/resources/templates/web/external_auth_error.html
@@ -13,7 +13,7 @@
   ~ *******************************************************************************
   -->
 
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 <head>
 </head>
 <body>
diff --git a/server/src/main/resources/templates/web/force_password_change.html b/server/src/main/resources/templates/web/force_password_change.html
index 788d82085a8..91a0bcb610a 100644
--- a/server/src/main/resources/templates/web/force_password_change.html
+++ b/server/src/main/resources/templates/web/force_password_change.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <div class="island" layout:fragment="page-content">
     <h1>Force Change Password</h1>
     <div class="island-content">
diff --git a/server/src/main/resources/templates/web/forgot_password.html b/server/src/main/resources/templates/web/forgot_password.html
index f506a130084..77f55d1f3ca 100644
--- a/server/src/main/resources/templates/web/forgot_password.html
+++ b/server/src/main/resources/templates/web/forgot_password.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 <div class="island" layout:fragment="page-content">
     <h1>Reset Password</h1>
     <div class="island-content">
diff --git a/server/src/main/resources/templates/web/home.html b/server/src/main/resources/templates/web/home.html
index 061588bebf2..554322507f3 100644
--- a/server/src/main/resources/templates/web/home.html
+++ b/server/src/main/resources/templates/web/home.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
     <style th:each="tile,status : ${tiles}" th:utext="'.tile-' + ${status.count} + ' .tile-icon {background-image: url(&#34;' + @{${tile.appIcon}} + '&#34;)}'"></style>
diff --git a/server/src/main/resources/templates/web/idp_discovery/account_chooser.html b/server/src/main/resources/templates/web/idp_discovery/account_chooser.html
index bf2105be609..d196dd9d9b1 100644
--- a/server/src/main/resources/templates/web/idp_discovery/account_chooser.html
+++ b/server/src/main/resources/templates/web/idp_discovery/account_chooser.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/pui-account-discovery-main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/pui-account-discovery-main}">
 <div layout:fragment="page-content">
   <h4 class="txt-c pbxxl ptxl" th:text="${T(org.springframework.util.StringUtils).hasText(clientName) ? 'Sign in to continue to ' + clientName : 'Sign in to continue'}">
     Choose an account
diff --git a/server/src/main/resources/templates/web/idp_discovery/email.html b/server/src/main/resources/templates/web/idp_discovery/email.html
index 4209695f1d9..e78885bd437 100644
--- a/server/src/main/resources/templates/web/idp_discovery/email.html
+++ b/server/src/main/resources/templates/web/idp_discovery/email.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/pui-account-discovery-main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/pui-account-discovery-main}">
 <div layout:fragment="page-content">
 <h4 class="txt-c pbxxl ptxl" th:text="${T(org.springframework.util.StringUtils).hasText(clientName) ? 'Sign in to continue to ' + clientName : 'Sign in to continue'}">
     Sign in to continue
diff --git a/server/src/main/resources/templates/web/idp_discovery/password.html b/server/src/main/resources/templates/web/idp_discovery/password.html
index 8cd5bc71f32..25401a5b053 100644
--- a/server/src/main/resources/templates/web/idp_discovery/password.html
+++ b/server/src/main/resources/templates/web/idp_discovery/password.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/pui-account-discovery-main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/pui-account-discovery-main}">
 <div layout:fragment="page-content">
     <form action="/login.do" th:action="@{/login.do}" method="post" role="form" _lpchecked="1">
         <div class="form-group">
diff --git a/server/src/main/resources/templates/web/invalid_request.html b/server/src/main/resources/templates/web/invalid_request.html
index f89c358b02e..5cd4e03379d 100644
--- a/server/src/main/resources/templates/web/invalid_request.html
+++ b/server/src/main/resources/templates/web/invalid_request.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 <div class="island" layout:fragment="page-content">
     <div class="island-content">
         <div class="alert alert-error">
diff --git a/server/src/main/resources/templates/web/invitations/accept_invite.html b/server/src/main/resources/templates/web/invitations/accept_invite.html
index 468018d3b29..ec2577f89f0 100644
--- a/server/src/main/resources/templates/web/invitations/accept_invite.html
+++ b/server/src/main/resources/templates/web/invitations/accept_invite.html
@@ -1,10 +1,10 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main" >
-<div class="island-landscape" layout:fragment="page-content">
+      layout:decorate="~{layouts/main}">
+<div class="island-landscape" layout:fragment="page-content" th:with="isLdap=${provider=='ldap'}">
     <div class="island-title">
-        <h1><th:block th:unless="${provider=='ldap'}">Create</th:block><th:block th:if="${provider=='ldap'}">Link</th:block> your <th:block th:text="${!companyName.equals('Cloud Foundry') and isUaa ? (companyName + ' account') : 'account'}">account</th:block></h1>
+        <h1><th:block th:unless="${isLdap}">Create</th:block><th:block th:if="${isLdap}">Link</th:block> your <th:block th:text="${!companyName.equals('Cloud Foundry') and isUaa ? (companyName + ' account') : 'account'}">account</th:block></h1>
     </div>
     <div class="island-content">
         <div th:text="|Email: ${email}|" th:unless="${error_message_code == 'code_expired'}" class="email-display">Email: user@example.com</div>
@@ -31,7 +31,7 @@ <h1><th:block th:unless="${provider=='ldap'}">Create</th:block><th:block th:if="
                 <input type="submit" th:value="${!companyName.equals('Cloud Foundry') and isUaa ? 'Create ' + companyName + ' account' : 'Create account'}" class="island-button"/>
             </form>
           </th:block>
-            <th:block th:if="${provider=='ldap'}">
+            <th:block th:if="${isLdap}">
                 <p>Sign in with enterprise credentials: </p>
                 <form th:action="@{/invitations/accept_enterprise.do}" method="post" novalidate="novalidate">
                     <input name="enterprise_email" type="hidden" th:value="${email}"/>
@@ -44,4 +44,4 @@ <h1><th:block th:unless="${provider=='ldap'}">Create</th:block><th:block th:if="
         </th:block>
     </div>
 </div>
-</html>
+</html>
\ No newline at end of file
diff --git a/server/src/main/resources/templates/web/login.html b/server/src/main/resources/templates/web/login.html
index 1ae57f44cdf..f1f58822d9d 100644
--- a/server/src/main/resources/templates/web/login.html
+++ b/server/src/main/resources/templates/web/login.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 <head>
     <meta http-equiv="refresh" th:content="${@loginCookieCsrfRepository.getCookieMaxAge()}" />
 </head>
diff --git a/server/src/main/resources/templates/web/login_implicit.html b/server/src/main/resources/templates/web/login_implicit.html
index b7cf37c30fe..2963b1c0097 100644
--- a/server/src/main/resources/templates/web/login_implicit.html
+++ b/server/src/main/resources/templates/web/login_implicit.html
@@ -15,7 +15,7 @@
   ~ *****************************************************************************
   -->
 
-<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorator="layouts/main">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" layout:decorate="~{layouts/main}">
 
 <div class="island" layout:fragment="page-content">
     <h1 th:text="${T(org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder).uaa ? 'One more step!':'One more step to access '+zone_name+'!'}">Your authentication is being processed!</h1>
diff --git a/server/src/main/resources/templates/web/mfa/enter_code.html b/server/src/main/resources/templates/web/mfa/enter_code.html
index cff60aeb76f..08d6305969b 100644
--- a/server/src/main/resources/templates/web/mfa/enter_code.html
+++ b/server/src/main/resources/templates/web/mfa/enter_code.html
@@ -15,7 +15,7 @@
 
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/pui-mfa-main">
+      layout:decorate="~{layouts/pui-mfa-main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
 </head>
diff --git a/server/src/main/resources/templates/web/mfa/manual_registration.html b/server/src/main/resources/templates/web/mfa/manual_registration.html
index 785f5fab4d5..5866eac9563 100644
--- a/server/src/main/resources/templates/web/mfa/manual_registration.html
+++ b/server/src/main/resources/templates/web/mfa/manual_registration.html
@@ -15,7 +15,7 @@
 
 <html xmlns:th="http://www.thymeleaf.org"
             xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-            layout:decorator="layouts/pui-mfa-main">
+            layout:decorate="~{layouts/pui-mfa-main}">
 <body>
 <div class="island" layout:fragment="page-content">
     <h2 id="mfa-identity-zone" th:text="${identity_zone}" class="txt-c mfa-header"></h2>
diff --git a/server/src/main/resources/templates/web/mfa/qr_code.html b/server/src/main/resources/templates/web/mfa/qr_code.html
index 210ed897f27..8a0ea1abcfb 100644
--- a/server/src/main/resources/templates/web/mfa/qr_code.html
+++ b/server/src/main/resources/templates/web/mfa/qr_code.html
@@ -15,7 +15,7 @@
 
 <html xmlns:th="http://www.thymeleaf.org"
             xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-            layout:decorator="layouts/pui-mfa-main">
+            layout:decorate="~{layouts/pui-mfa-main}">
 <body>
 <div class="island" layout:fragment="page-content">
     <h2 id="mfa-identity-zone" th:text="${identity_zone}" class="txt-c mfa-header"></h2>
diff --git a/server/src/main/resources/templates/web/passcode.html b/server/src/main/resources/templates/web/passcode.html
index 5cab43a3214..a1bf8c86aba 100644
--- a/server/src/main/resources/templates/web/passcode.html
+++ b/server/src/main/resources/templates/web/passcode.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
 </head>
diff --git a/server/src/main/resources/templates/web/reset_password.html b/server/src/main/resources/templates/web/reset_password.html
index 4423b684308..cc2ffe1cc63 100644
--- a/server/src/main/resources/templates/web/reset_password.html
+++ b/server/src/main/resources/templates/web/reset_password.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <div class="island" layout:fragment="page-content">
     <h1>Reset Password</h1>
     <div class="island-content">
diff --git a/server/src/main/resources/templates/web/switch_idp.html b/server/src/main/resources/templates/web/switch_idp.html
index c3cde3de336..f3717d86155 100644
--- a/server/src/main/resources/templates/web/switch_idp.html
+++ b/server/src/main/resources/templates/web/switch_idp.html
@@ -2,7 +2,7 @@
 <html xmlns="http://www.w3.org/1999/html"
       xmlns:th="http://www.thymeleaf.org"
       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
-      layout:decorator="layouts/main">
+      layout:decorate="~{layouts/main}">
 <head>
     <th:block layout:include="nav :: head"></th:block>
 </head>

From 2d0e75ca1edff95eb238d307fb63b284924213de Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Mon, 22 Mar 2021 13:52:55 +0100
Subject: [PATCH 11/76] Dependeny Updagtes (#1538)

* spring boot 2.4.4
* spring framework 5.3.5
* tomcat 9.0.41
---
 dependencies.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index 813a85da8cc..d1c7c7c55c2 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -12,13 +12,13 @@ versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
 versions.bouncyCastleVersion = "1.68"
 versions.hamcrestVersion = "2.2"
-versions.springBootVersion = "2.4.2"
+versions.springBootVersion = "2.4.4"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"
 versions.springSecurityOAuthVersion = "2.5.0.RELEASE"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
-versions.springVersion = "5.3.3"
+versions.springVersion = "5.3.5"
 versions.xmlBind = "2.3.0.1"
-versions.tomcatCargoVersion = "9.0.41"
+versions.tomcatCargoVersion = "9.0.44"
 
 // Dependencies (some rely on shared versions, some are shared between projects)
 libraries.apacheCommonsRngCore = "org.apache.commons:commons-rng-core:1.3"

From 411b141ce3ae1a823ee776883a292bb01d5cfe37 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Mar 2021 15:39:26 +0100
Subject: [PATCH 12/76] Bump github.com/onsi/gomega from 1.10.4 to 1.11.0 in
 /k8s (#1532)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.10.4 to 1.11.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.10.4...v1.11.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod | 2 +-
 k8s/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 2544264bf88..17a57600872 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -4,7 +4,7 @@ go 1.15
 
 require (
 	github.com/onsi/ginkgo v1.14.2
-	github.com/onsi/gomega v1.10.4
+	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.2
 	k8s.io/apimachinery v0.20.2
diff --git a/k8s/go.sum b/k8s/go.sum
index 78d10abc292..ab12f176d85 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -171,8 +171,8 @@ github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.10.4 h1:NiTx7EEvBzu9sFOD1zORteLSt3o8gnlvZZwSE9TnY9U=
-github.com/onsi/gomega v1.10.4/go.mod h1:g/HbgYopi++010VEqkFgJHKC09uJiW9UkXvMUuKHUCQ=
+github.com/onsi/gomega v1.11.0 h1:+CqWgvj0OZycCaqclBD1pxKHAU+tOkHmQIWvDHq2aug=
+github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

From f1450a4b4c3902b2a9b4ab67438ebb22514455fc Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bruce.ricard@gmail.com>
Date: Fri, 12 Mar 2021 15:21:41 -0800
Subject: [PATCH 13/76] refactor: rename

---
 .../identity/uaa/oauth/token/ClaimConstants.java     |  2 +-
 .../identity/uaa/oauth/token/Claims.java             |  2 +-
 .../identity/uaa/oauth/UaaTokenServices.java         | 12 ++++++------
 .../identity/uaa/oauth/openid/IdToken.java           |  4 ++--
 .../identity/uaa/oauth/openid/IdTokenCreator.java    |  5 ++---
 .../uaa/oauth/refresh/RefreshTokenCreator.java       |  2 +-
 .../identity/uaa/util/TokenValidation.java           |  4 ++--
 .../uaa/oauth/DeprecatedUaaTokenServicesTests.java   |  2 +-
 .../uaa/oauth/openid/IdTokenCreatorTest.java         |  3 +--
 .../token/matchers/OAuth2AccessTokenMatchers.java    |  8 ++++----
 .../token/matchers/OAuth2RefreshTokenMatchers.java   |  8 ++++----
 .../ExternalOAuthAuthenticationManagerTest.java      |  4 ++--
 .../uaa/mock/token/RefreshTokenMockMvcTests.java     |  8 ++++----
 .../identity/uaa/mock/token/TokenMvcMockTests.java   |  4 ++--
 14 files changed, 33 insertions(+), 35 deletions(-)

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/ClaimConstants.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/ClaimConstants.java
index b040543d834..ccee9736ef5 100644
--- a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/ClaimConstants.java
+++ b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/ClaimConstants.java
@@ -29,7 +29,7 @@ public class ClaimConstants {
     public static final String EMAIL = "email";
     public static final String EMAIL_VERIFIED = "email_verified";
     public static final String CLIENT_ID = "client_id";
-    public static final String EXP = "exp";
+    public static final String EXPIRY_IN_SECONDS = "exp";
     public static final String AUTHORITIES = "authorities";
     public static final String SCOPE = "scope";
     public static final String GRANTED_SCOPES = "granted_scopes";
diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/Claims.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/Claims.java
index fbbebf87318..641602220f8 100644
--- a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/Claims.java
+++ b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/Claims.java
@@ -41,7 +41,7 @@ public class Claims {
     private String email;
     @JsonProperty(ClaimConstants.CLIENT_ID)
     private String clientId;
-    @JsonProperty(ClaimConstants.EXP)
+    @JsonProperty(ClaimConstants.EXPIRY_IN_SECONDS)
     private Long exp;
     @JsonProperty(ClaimConstants.AUTHORITIES)
     private List<String> authorities;
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
index 832c2574b23..53e1b441674 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
@@ -102,7 +102,7 @@
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.CID;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.CLIENT_ID;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EMAIL;
-import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXP;
+import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXPIRY_IN_SECONDS;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GRANTED_SCOPES;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GRANT_TYPE;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.IAT;
@@ -142,7 +142,7 @@ public class UaaTokenServices implements AuthorizationServerTokenServices, Resou
             CLIENT_ID, CID, AZP, REVOCABLE,
             GRANT_TYPE, USER_ID, ORIGIN, USER_NAME,
             EMAIL, AUTH_TIME, REVOCATION_SIGNATURE, IAT,
-            EXP, ISS, ZONE_ID, AUD
+            EXPIRY_IN_SECONDS, ISS, ZONE_ID, AUD
     );
     private final Logger logger = LoggerFactory.getLogger(UaaTokenServices.class);
     private UaaUserDatabase userDatabase;
@@ -234,7 +234,7 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque
 
         String userId = (String) refreshTokenClaims.get(USER_ID);
         String refreshTokenId = (String) refreshTokenClaims.get(JTI);
-        Integer refreshTokenExpirySeconds = (Integer) refreshTokenClaims.get(EXP);
+        Integer refreshTokenExpirySeconds = (Integer) refreshTokenClaims.get(EXPIRY_IN_SECONDS);
         String clientId = (String) refreshTokenClaims.get(CID);
         Boolean revocableClaim = (Boolean) refreshTokenClaims.get(REVOCABLE);
         String refreshGrantType = refreshTokenClaims.get(GRANT_TYPE).toString();
@@ -522,7 +522,7 @@ private KeyInfo getActiveKeyInfo() {
         }
 
         claims.put(IAT, timeService.getCurrentTimeMillis() / 1000);
-        claims.put(EXP, token.getExpiration().getTime() / 1000);
+        claims.put(EXPIRY_IN_SECONDS, token.getExpiration().getTime() / 1000);
 
         if (tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()) != null) {
             claims.put(ISS, tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
@@ -779,7 +779,7 @@ public OAuth2Authentication loadAuthentication(String accessToken) throws Authen
         accessToken = tokenValidation.getJwt().getEncoded();
 
         // Check token expiry
-        Long expiration = Long.valueOf(claims.get(EXP).toString());
+        Long expiration = Long.valueOf(claims.get(EXPIRY_IN_SECONDS).toString());
         if (new Date(expiration * 1000L).before(timeService.getCurrentDate())) {
             throw new InvalidTokenException("Invalid access token: expired at " + new Date(expiration * 1000L));
         }
@@ -852,7 +852,7 @@ public OAuth2AccessToken readAccessToken(String accessToken) {
         // Expiry is verified by check_token
         CompositeToken token = new CompositeToken(accessToken);
         token.setTokenType(OAuth2AccessToken.BEARER_TYPE);
-        token.setExpiration(new Date(Long.valueOf(claims.get(EXP).toString()) * 1000L));
+        token.setExpiration(new Date(Long.valueOf(claims.get(EXPIRY_IN_SECONDS).toString()) * 1000L));
 
         @SuppressWarnings("unchecked")
         ArrayList<String> scopes = (ArrayList<String>) claims.get(SCOPE);
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdToken.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdToken.java
index 2dea49a0099..8ff3aec7916 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdToken.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdToken.java
@@ -17,7 +17,7 @@
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.CID;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.CLIENT_ID;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EMAIL_VERIFIED;
-import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXP;
+import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXPIRY_IN_SECONDS;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.FAMILY_NAME;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GIVEN_NAME;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GRANT_TYPE;
@@ -137,7 +137,7 @@ public String getClientId() {
         return clientId;
     }
 
-    @JsonProperty(EXP)
+    @JsonProperty(EXPIRY_IN_SECONDS)
     public Long getExpInSeconds() {
         return exp.getTime() / 1000;
     }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreator.java
index b9b0e030136..37eb596cba1 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreator.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreator.java
@@ -11,7 +11,6 @@
 import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
 import org.cloudfoundry.identity.uaa.util.TimeService;
 import org.cloudfoundry.identity.uaa.zone.MultitenantClientServices;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.oauth2.provider.ClientDetails;
 
 import java.util.Date;
@@ -28,7 +27,7 @@
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.CID;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EMAIL;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EMAIL_VERIFIED;
-import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXP;
+import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXPIRY_IN_SECONDS;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.FAMILY_NAME;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GIVEN_NAME;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.GRANT_TYPE;
@@ -95,7 +94,7 @@ public IdToken create(ClientDetails clientDetails,
             getIfNotExcluded(uaaUser.getId(), USER_ID),
             getIfNotExcluded(newArrayList(clientDetails.getClientId()), AUD),
             getIfNotExcluded(issuerUrl, ISS),
-            getIfNotExcluded(expiryDate, EXP),
+            getIfNotExcluded(expiryDate, EXPIRY_IN_SECONDS),
             getIfNotExcluded(issuedAt, IAT),
             getIfNotExcluded(userAuthenticationData.authTime, AUTH_TIME),
             getIfNotExcluded(userAuthenticationData.authenticationMethods, AMR),
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/refresh/RefreshTokenCreator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/refresh/RefreshTokenCreator.java
index 87c32d1064c..fcfbb6ef0ba 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/refresh/RefreshTokenCreator.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/refresh/RefreshTokenCreator.java
@@ -80,7 +80,7 @@ private String buildJwtToken(UaaUser user,
             claims.put(JTI, tokenId);
             claims.put(SUB, user.getId());
             claims.put(IAT, timeService.getCurrentTimeMillis() / 1000);
-            claims.put(EXP, expirationDate.getTime() / 1000);
+            claims.put(EXPIRY_IN_SECONDS, expirationDate.getTime() / 1000);
             claims.put(CID, tokenRequestData.clientId);
             claims.put(CLIENT_ID, tokenRequestData.clientId);
             claims.put(ISS, tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/util/TokenValidation.java b/server/src/main/java/org/cloudfoundry/identity/uaa/util/TokenValidation.java
index 77945f7b439..ba1b9a9cc88 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/util/TokenValidation.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/util/TokenValidation.java
@@ -140,11 +140,11 @@ public TokenValidation checkIssuer(String issuer) {
     }
 
     protected TokenValidation checkExpiry(Instant asOf) {
-        if (!claims.containsKey(EXP)) {
+        if (!claims.containsKey(EXPIRY_IN_SECONDS)) {
             throw new InvalidTokenException("Token does not bear an EXP claim.", null);
         }
 
-        Object expClaim = claims.get(EXP);
+        Object expClaim = claims.get(EXPIRY_IN_SECONDS);
         long expiry;
         try {
             expiry = (int) expClaim;
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java
index 5d90f94a314..a82de9fb546 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java
@@ -221,7 +221,7 @@ public void refreshAccessToken_buildsIdToken_withRolesAndAttributesAndACR() thro
         String userId = "userid";
         claims.put(ClaimConstants.USER_ID, userId);
         claims.put(ClaimConstants.CID, TokenTestSupport.CLIENT_ID);
-        claims.put(ClaimConstants.EXP, 1);
+        claims.put(ClaimConstants.EXPIRY_IN_SECONDS, 1);
         claims.put(ClaimConstants.GRANTED_SCOPES, Lists.newArrayList("read", "write", "openid"));
         claims.put(ClaimConstants.GRANT_TYPE, "password");
         claims.put(ClaimConstants.AUD, Lists.newArrayList(TokenTestSupport.CLIENT_ID));
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreatorTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreatorTest.java
index d8f72d6533c..b7482471d58 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreatorTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreatorTest.java
@@ -16,7 +16,6 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.oauth2.provider.client.BaseClientDetails;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
@@ -310,7 +309,7 @@ void create_doesntIncludesExcludedClaims() throws IdTokenCreationException {
         excludedClaims.add(ClaimConstants.USER_ID);
         excludedClaims.add(ClaimConstants.AUD);
         excludedClaims.add(ClaimConstants.ISS);
-        excludedClaims.add(ClaimConstants.EXP);
+        excludedClaims.add(ClaimConstants.EXPIRY_IN_SECONDS);
         excludedClaims.add(ClaimConstants.IAT);
         excludedClaims.add(ClaimConstants.AUTH_TIME);
         excludedClaims.add(ClaimConstants.AMR);
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java
index cbd30638605..46afb61fa76 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java
@@ -74,7 +74,7 @@ public static Matcher<OAuth2AccessToken> issuedAt(Matcher<Integer> iat) {
     }
 
     public static Matcher<OAuth2AccessToken> expiry(Matcher<Integer> expiry) {
-        return new OAuth2AccessTokenMatchers(ClaimConstants.EXP, expiry);
+        return new OAuth2AccessTokenMatchers(ClaimConstants.EXPIRY_IN_SECONDS, expiry);
     }
 
     public static Matcher<OAuth2AccessToken> username(Matcher<Object> username) {
@@ -104,8 +104,8 @@ public static Matcher<OAuth2AccessToken> validFor(Matcher<?> validFor) {
             protected boolean matchesSafely(OAuth2AccessToken token) {
                 Map<String, Object> claims = getClaims(token);
                 assertTrue(((Integer) claims.get(ClaimConstants.IAT)) > 0);
-                assertTrue(((Integer) claims.get(ClaimConstants.EXP)) > 0);
-                return value.matches(((Integer) claims.get(ClaimConstants.EXP)) - ((Integer) claims.get(ClaimConstants.IAT)));
+                assertTrue(((Integer) claims.get(ClaimConstants.EXPIRY_IN_SECONDS)) > 0);
+                return value.matches(((Integer) claims.get(ClaimConstants.EXPIRY_IN_SECONDS)) - ((Integer) claims.get(ClaimConstants.IAT)));
             }
 
             @Override
@@ -117,7 +117,7 @@ public void describeTo(Description description) {
             protected void describeMismatchSafely(OAuth2AccessToken accessToken, Description mismatchDescription) {
                 if (accessToken != null) {
                     Map<String, Object> claims = getClaims(accessToken);
-                    mismatchDescription.appendText(" but was ").appendValue(((Integer) claims.get(ClaimConstants.EXP)) - ((Integer) claims.get(ClaimConstants.IAT)));
+                    mismatchDescription.appendText(" but was ").appendValue(((Integer) claims.get(ClaimConstants.EXPIRY_IN_SECONDS)) - ((Integer) claims.get(ClaimConstants.IAT)));
                 }
             }
         };
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java
index 431c60fb791..170d3465fe4 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java
@@ -75,7 +75,7 @@ public static Matcher<OAuth2RefreshToken> issuedAt(Matcher<Integer> iat) {
     }
 
     public static Matcher<OAuth2RefreshToken> expiry(Matcher<Integer> expiry) {
-        return new OAuth2RefreshTokenMatchers(ClaimConstants.EXP, expiry);
+        return new OAuth2RefreshTokenMatchers(ClaimConstants.EXPIRY_IN_SECONDS, expiry);
     }
 
     public static Matcher<OAuth2RefreshToken> username(Matcher<Object> username) {
@@ -105,8 +105,8 @@ public static Matcher<OAuth2RefreshToken> validFor(Matcher<?> validFor) {
             protected boolean matchesSafely(OAuth2RefreshToken token) {
                 Map<String, Object> claims = getClaims(token);
                 assertTrue(((Integer) claims.get(ClaimConstants.IAT)) > 0);
-                assertTrue(((Integer) claims.get(ClaimConstants.EXP)) > 0);
-                return validFor.matches(((Integer) claims.get(ClaimConstants.EXP)) - ((Integer) claims.get(ClaimConstants.IAT)));
+                assertTrue(((Integer) claims.get(ClaimConstants.EXPIRY_IN_SECONDS)) > 0);
+                return validFor.matches(((Integer) claims.get(ClaimConstants.EXPIRY_IN_SECONDS)) - ((Integer) claims.get(ClaimConstants.IAT)));
             }
 
             @Override
@@ -118,7 +118,7 @@ public void describeTo(Description description) {
             protected void describeMismatchSafely(OAuth2RefreshToken accessToken, Description mismatchDescription) {
                 if (accessToken != null) {
                     Map<String, Object> claims = getClaims(accessToken);
-                    mismatchDescription.appendText(" was ").appendValue(((Integer) claims.get(ClaimConstants.EXP)) - ((Integer) claims.get(ClaimConstants.IAT)));
+                    mismatchDescription.appendText(" was ").appendValue(((Integer) claims.get(ClaimConstants.EXPIRY_IN_SECONDS)) - ((Integer) claims.get(ClaimConstants.IAT)));
                 }
             }
         };
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java
index 61cd5b97b44..0dd483abbab 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java
@@ -177,7 +177,7 @@ public void getExternalAuthenticationDetails_doesNotThrowWhenIdTokenIsValid() {
                 entry(EMAIL, "someuser@google.com"),
                 entry(ISS, oidcConfig.getIssuer()),
                 entry(AUD, "uaa-relying-party"),
-                entry(EXP, ((int) (System.currentTimeMillis()/1000L)) + 60),
+                entry(EXPIRY_IN_SECONDS, ((int) (System.currentTimeMillis()/1000L)) + 60),
                 entry(SUB, "abc-def-asdf")
         );
         IdentityZoneHolder.get().getConfig().getTokenPolicy().setKeys(Collections.singletonMap("uaa-key", uaaIdentityZoneTokenSigningKey));
@@ -200,7 +200,7 @@ public void getExternalAuthenticationDetails_whenUaaToken_doesNotThrowWhenIdToke
                 entry(EMAIL, "someuser@google.com"),
                 entry(ISS, oidcConfig.getIssuer()),
                 entry(AUD, "uaa-relying-party"),
-                entry(EXP, ((int) (System.currentTimeMillis()/1000L)) + 60),
+                entry(EXPIRY_IN_SECONDS, ((int) (System.currentTimeMillis()/1000L)) + 60),
                 entry(SUB, "abc-def-asdf")
         );
         IdentityZoneHolder.get().getConfig().getTokenPolicy().setKeys(Collections.singletonMap("uaa-key", uaaIdentityZoneTokenSigningKey));
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/RefreshTokenMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/RefreshTokenMockMvcTests.java
index c24a6d0fde7..193a5cf1071 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/RefreshTokenMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/RefreshTokenMockMvcTests.java
@@ -48,7 +48,7 @@
 import java.util.Map;
 
 import static junit.framework.TestCase.assertNull;
-import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXP;
+import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXPIRY_IN_SECONDS;
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS;
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_PASSWORD;
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.REQUEST_TOKEN_FORMAT;
@@ -422,13 +422,13 @@ void refreshTokenGrantType_withJwtTokens_preservesRefreshTokenExpiryClaim() thro
         assertEquals(HttpStatus.SC_OK, refreshResponse.getStatus());
         CompositeToken compositeToken = JsonUtils.readValue(refreshResponse.getContentAsString(), CompositeToken.class);
         String refreshTokenJwt = compositeToken.getRefreshToken().getValue();
-        assertThat(getClaims(refreshTokenJwt).get(EXP), equalTo(getClaims(refreshToken).get(EXP)));
+        assertThat(getClaims(refreshTokenJwt).get(EXPIRY_IN_SECONDS), equalTo(getClaims(refreshToken).get(EXPIRY_IN_SECONDS)));
 
         CompositeToken newTokenResponse = getTokensWithPasswordGrant(client.getClientId(), SECRET, user.getUserName(), SECRET, getZoneHostUrl(zone), "jwt");
         String newRefreshToken = newTokenResponse.getRefreshToken().getValue();
 
-        assertThat(getClaims(newRefreshToken).get(EXP), not(nullValue()));
-        assertThat(getClaims(newRefreshToken).get(EXP), not(equalTo(getClaims(refreshToken).get(EXP))));
+        assertThat(getClaims(newRefreshToken).get(EXPIRY_IN_SECONDS), not(nullValue()));
+        assertThat(getClaims(newRefreshToken).get(EXPIRY_IN_SECONDS), not(equalTo(getClaims(refreshToken).get(EXPIRY_IN_SECONDS))));
     }
 
     @Test
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java
index af3b91921f7..c7a6320bc19 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java
@@ -2585,7 +2585,7 @@ void test_Token_Expiry_Time() throws Exception {
 
         Map<String, Object> claims = JsonUtils.readValue(tokenJwt.getClaims(), new TypeReference<Map<String, Object>>() {
         });
-        Integer expirationTime = (Integer) claims.get(ClaimConstants.EXP);
+        Integer expirationTime = (Integer) claims.get(ClaimConstants.EXPIRY_IN_SECONDS);
 
         Calendar nineYearsAhead = new GregorianCalendar();
         nineYearsAhead.setTimeInMillis(System.currentTimeMillis());
@@ -4142,7 +4142,7 @@ private void validateOpenIdConnectToken(String token, String userId, String clie
         assertEquals(userId, sub);
         List<String> aud = (List<String>) result.get(ClaimConstants.AUD);
         assertTrue(aud.contains(clientId));
-        Integer exp = (Integer) result.get(ClaimConstants.EXP);
+        Integer exp = (Integer) result.get(ClaimConstants.EXPIRY_IN_SECONDS);
         assertNotNull(exp);
         Integer iat = (Integer) result.get(ClaimConstants.IAT);
         assertNotNull(iat);

From b23937c06019d6d61a8f9bb3439a18e00d85625f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Mar 2021 09:14:04 +0100
Subject: [PATCH 14/76] Bump k8s.io/api from 0.20.2 to 0.20.5 in /k8s (#1542)

Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.20.2 to 0.20.5.
- [Release notes](https://github.com/kubernetes/api/releases)
- [Commits](https://github.com/kubernetes/api/compare/v0.20.2...v0.20.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod |  4 ++--
 k8s/go.sum | 31 ++++---------------------------
 2 files changed, 6 insertions(+), 29 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 17a57600872..b01f46bd536 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/onsi/ginkgo v1.14.2
 	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.20.2
-	k8s.io/apimachinery v0.20.2
+	k8s.io/api v0.20.5
+	k8s.io/apimachinery v0.20.5
 	k8s.io/client-go v0.20.2
 )
diff --git a/k8s/go.sum b/k8s/go.sum
index ab12f176d85..79e058753ac 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -53,7 +53,6 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
-github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -84,7 +83,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
@@ -94,22 +92,18 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -128,7 +122,6 @@ github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3i
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
@@ -139,7 +132,6 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -169,7 +161,6 @@ github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9k
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.11.0 h1:+CqWgvj0OZycCaqclBD1pxKHAU+tOkHmQIWvDHq2aug=
 github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg=
@@ -186,7 +177,6 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -251,9 +241,7 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7 h1:AeiKBIuRw3UomYXSbLy0Mc2dDLfdtbT/IVn4keq83P0=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb h1:eBmm0M9fYhWpKZLjQUUKka/LtIxf46G4fxeEz5KJr9U=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
@@ -282,7 +270,6 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e h1:N7DeIrjYszNmSW409R3frPPwglRwMkXSBzwVbkOjLLA=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -293,18 +280,14 @@ golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200519105757-fe76b779f299 h1:DYfZAGf2WMFjMxbgTjaC+2HC7NkNAQs+6Q8b9WEB/F4=
 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -346,7 +329,6 @@ golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -397,18 +379,15 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
@@ -416,11 +395,8 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
@@ -432,10 +408,12 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.20.2 h1:y/HR22XDZY3pniu9hIFDLpUCPq2w5eQ6aV/VFQ7uJMw=
 k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
-k8s.io/apimachinery v0.20.2 h1:hFx6Sbt1oG0n6DZ+g4bFt5f6BoMkOjKWsQFu077M3Vg=
+k8s.io/api v0.20.5 h1:zsMTffV0Le2EiI0aKvlTHEnXGxk1HiqGRhJcCPiI7JI=
+k8s.io/api v0.20.5/go.mod h1:FQjAceXnVaWDeov2YUWhOb6Yt+5UjErkp6UO3nczO1Y=
 k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
+k8s.io/apimachinery v0.20.5 h1:wO/FxMVRn223rAKxnBbwCyuN96bS9MFTIvP0e/V7cps=
+k8s.io/apimachinery v0.20.5/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/client-go v0.20.2 h1:uuf+iIAbfnCSw8IGAv/Rg0giM+2bOzHLOsbbrwrdhNQ=
 k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
@@ -449,7 +427,6 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

From 2ce502f363fdfe1aea7c189909707085403846d2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Mar 2021 11:33:19 +0100
Subject: [PATCH 15/76] Bump github.com/onsi/ginkgo from 1.14.2 to 1.15.2 in
 /k8s (#1535)

Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.14.2 to 1.15.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.14.2...v1.15.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod |  2 +-
 k8s/go.sum | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index b01f46bd536..2253032179d 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -3,7 +3,7 @@ module github.com/cloudfoundry/uaa
 go 1.15
 
 require (
-	github.com/onsi/ginkgo v1.14.2
+	github.com/onsi/ginkgo v1.15.2
 	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.5
diff --git a/k8s/go.sum b/k8s/go.sum
index 79e058753ac..17e0fcc6891 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -150,14 +150,15 @@ github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.14.2 h1:8mVmC9kjFFmA8H4pKMUhcblgifdkOIXPvbhN1T36q1M=
-github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/ginkgo v1.15.2 h1:l77YT15o814C2qVL47NOyjV/6RbaP7kKdrvZnxQ3Org=
+github.com/onsi/ginkgo v1.15.2/go.mod h1:Dd6YFfwBW84ETqqtL0CPyPXillHgY6XhQH3uuCCTr/o=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
@@ -180,6 +181,7 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -220,6 +222,7 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -242,6 +245,7 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb h1:eBmm0M9fYhWpKZLjQUUKka/LtIxf46G4fxeEz5KJr9U=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
@@ -256,6 +260,7 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -280,10 +285,10 @@ golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw=
+golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -327,6 +332,7 @@ golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

From 7e7c544ea97a137cbef842d8ac0e54620f513657 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Mar 2021 13:15:04 +0100
Subject: [PATCH 16/76] Bump k8s.io/client-go from 0.20.2 to 0.20.5 in /k8s
 (#1541)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.20.2 to 0.20.5.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.20.2...v0.20.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod | 2 +-
 k8s/go.sum | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 2253032179d..4734184d1f5 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -8,5 +8,5 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.5
 	k8s.io/apimachinery v0.20.5
-	k8s.io/client-go v0.20.2
+	k8s.io/client-go v0.20.5
 )
diff --git a/k8s/go.sum b/k8s/go.sum
index 17e0fcc6891..cb6e0133ca5 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -414,14 +414,12 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
 k8s.io/api v0.20.5 h1:zsMTffV0Le2EiI0aKvlTHEnXGxk1HiqGRhJcCPiI7JI=
 k8s.io/api v0.20.5/go.mod h1:FQjAceXnVaWDeov2YUWhOb6Yt+5UjErkp6UO3nczO1Y=
-k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.5 h1:wO/FxMVRn223rAKxnBbwCyuN96bS9MFTIvP0e/V7cps=
 k8s.io/apimachinery v0.20.5/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/client-go v0.20.2 h1:uuf+iIAbfnCSw8IGAv/Rg0giM+2bOzHLOsbbrwrdhNQ=
-k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
+k8s.io/client-go v0.20.5 h1:dJGtYUvFrFGjQ+GjXEIby0gZWdlAOc0xJBJqY3VyDxA=
+k8s.io/client-go v0.20.5/go.mod h1:Ee5OOMMYvlH8FCZhDsacjMlCBwetbGZETwo1OA+e6Zw=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ=

From ad4a24861853348b52627c03541bd8b50d655e51 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Apr 2021 16:05:20 +0200
Subject: [PATCH 17/76] Bump tomcat-embed-core from 9.0.37 to 9.0.44 in /uaa
 (#1548)

* Bump tomcat-embed-core from 9.0.37 to 9.0.41 in /uaa

Bumps tomcat-embed-core from 9.0.37 to 9.0.41.

Signed-off-by: dependabot[bot] <support@github.com>

* Update pom.xml

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <strehle@users.noreply.github.com>
---
 uaa/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uaa/pom.xml b/uaa/pom.xml
index ce84bd1618b..a69385f3a50 100644
--- a/uaa/pom.xml
+++ b/uaa/pom.xml
@@ -297,7 +297,7 @@
     <dependency>
       <groupId>org.apache.tomcat.embed</groupId>
       <artifactId>tomcat-embed-core</artifactId>
-      <version>9.0.37</version>
+      <version>9.0.44</version>
       <scope>provided</scope>
       <exclusions>
         <exclusion>

From 4fd13e817d5f4eff297da9db123e00e5e9a9a1d8 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Wed, 24 Feb 2021 12:41:56 +0100
Subject: [PATCH 18/76] Fix wrong username mapping on jwt Bearer with UAA token

---
 .../oauth/ExternalOAuthAuthenticationManager.java        | 2 ++
 .../oauth/ExternalOAuthAuthenticationManagerIT.java      | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index 9858e35a081..bf91b724dea 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -174,6 +174,8 @@ private boolean idTokenWasIssuedByTheUaa(String issuer) {
     private IdentityProvider buildInternalUaaIdpConfig(String issuer, String originKey) {
         OIDCIdentityProviderDefinition uaaOidcProviderConfig = new OIDCIdentityProviderDefinition();
         uaaOidcProviderConfig.setIssuer(issuer);
+        Map<String, Object> userNameMapping = Collections.singletonMap(USER_NAME_ATTRIBUTE_NAME, USER_NAME_ATTRIBUTE_NAME);
+        uaaOidcProviderConfig.setAttributeMappings(userNameMapping);
         IdentityProvider<OIDCIdentityProviderDefinition> uaaIdp = new IdentityProvider<>();
         uaaIdp.setOriginKey(originKey);
         uaaIdp.setConfig(uaaOidcProviderConfig);
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
index 80e5da69661..1839e2e04b3 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
@@ -80,6 +80,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.UUID;
 import java.util.concurrent.CountDownLatch;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -442,7 +443,9 @@ void when_exchanging_an_id_token_retrieved_from_the_internal_uaa_idp_for_an_acce
         when(provisioning.retrieveAll(eq(true), anyString())).thenReturn(new ArrayList<>());
 
         String username = RandomStringUtils.random(50);
-        claims.put("sub", username);
+        String userid = UUID.randomUUID().toString();
+        claims.put("sub", userid);
+        claims.put("user_name", username);
         claims.put("iss", "http://localhost/oauth/token");
         claims.put("origin", UAA_ORIGIN);
 
@@ -485,7 +488,9 @@ void when_exchanging_an_id_token_retrieved_by_uaa_via_an_oidc_idp_for_an_access_
         when(provisioning.retrieveAll(eq(true), anyString())).thenReturn(Collections.singletonList(idpProvider));
 
         String username = RandomStringUtils.random(50);
-        claims.put("sub", username);
+        String userid = UUID.randomUUID().toString();
+        claims.put("sub", userid);
+        claims.put("user_name", username);
         claims.put("iss", UAA_ISSUER_URL);
         claims.put("origin", idpProvider.getOriginKey());
 

From 3e6729df8aad6914b7bbc0b58ad09c74ad5e5815 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Tue, 2 Mar 2021 15:12:41 +0100
Subject: [PATCH 19/76] Only update user if token not issued by UAA

---
 .../ExternalOAuthAuthenticationManager.java   | 42 ++++++++++++++-----
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index bf91b724dea..72ab9b2ebe3 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -406,23 +406,43 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
         }
 
         //we must check and see if the email address has changed between authentications
-            if (haveUserAttributesChanged(userFromDb, userFromRequest)) {
-                logger.debug("User attributed have changed, updating them.");
-                userFromDb = userFromDb.modifyAttributes(email,
-                                                         userFromRequest.getGivenName(),
-                                                         userFromRequest.getFamilyName(),
-                                                         userFromRequest.getPhoneNumber(),
-                                                         userFromRequest.getExternalId(),
-                                                         userFromDb.isVerified() || userFromRequest.isVerified())
-                    .modifyUsername(userFromRequest.getUsername());
-                userModified = true;
-            }
+        if (haveUserAttributesChanged(userFromDb, userFromRequest) && !isIdTokenIssuedByUaaWithoutIdpRegistration(request)) {
+            logger.debug("User attributed have changed, updating them.");
+            userFromDb = userFromDb.modifyAttributes(email,
+                                                     userFromRequest.getGivenName(),
+                                                     userFromRequest.getFamilyName(),
+                                                     userFromRequest.getPhoneNumber(),
+                                                     userFromRequest.getExternalId(),
+                                                     userFromDb.isVerified() || userFromRequest.isVerified())
+                .modifyUsername(userFromRequest.getUsername());
+            userModified = true;
+        }
 
         ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(userFromDb, userModified, userFromRequest.getAuthorities(), true);
         publish(event);
         return getUserDatabase().retrieveUserById(userFromDb.getId());
     }
 
+    private boolean isIdTokenIssuedByUaaWithoutIdpRegistration(Authentication request) {
+        String idToken = ((ExternalOAuthCodeToken) request).getIdToken();
+        if (idToken == null) {
+            return false;
+        }
+        String claimsString = JwtHelper.decode(ofNullable(idToken).orElse("")).getClaims();
+        Map<String, Object> claims = JsonUtils.readValue(claimsString, new TypeReference<Map<String, Object>>() {});
+        String issuer = (String) claims.get(ClaimConstants.ISS);
+        if (idTokenWasIssuedByTheUaa(issuer)) {
+            try {
+                ((ExternalOAuthProviderConfigurator) getProviderProvisioning()).retrieveByIssuer(issuer, IdentityZoneHolder.get().getId());
+                return false;
+            } catch (IncorrectResultSizeDataAccessException e) {
+                return true;
+            }
+        } else {
+            return false;
+        }
+    }
+
     @Override
     protected boolean isAddNewShadowUser() {
         if (!super.isAddNewShadowUser()) {

From 3b4c7e9fc888829c3af5095ac20defd8c18fab31 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Mon, 29 Mar 2021 14:44:37 +0200
Subject: [PATCH 20/76] Add additional tests

---
 .../token/JwtBearerGrantMockMvcTests.java     | 124 +++++++++++++++++-
 1 file changed, 122 insertions(+), 2 deletions(-)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java
index c1d8ac68e69..e74af553071 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java
@@ -15,10 +15,13 @@
 
 package org.cloudfoundry.identity.uaa.mock.token;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.core.type.TypeReference;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
+import org.cloudfoundry.identity.uaa.mock.util.JwtTokenUtils;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
 import org.cloudfoundry.identity.uaa.oauth.KeyInfoService;
+import org.cloudfoundry.identity.uaa.oauth.token.CompositeToken;
 import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning;
@@ -42,10 +45,12 @@
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 
 import java.net.URL;
+import java.util.List;
 import java.util.Map;
 
 import static org.cloudfoundry.identity.uaa.oauth.TokenTestSupport.GRANT_TYPE;
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_JWT_BEARER;
+import static org.junit.Assert.assertEquals;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@@ -84,6 +89,85 @@ void default_zone_jwt_grant() throws Exception {
             .andExpect(jsonPath("$.access_token").isNotEmpty());
     }
 
+    @Test
+    void non_default_zone_jwt_grant_user_update() throws Exception {
+        BaseClientDetails targetZoneClient = new BaseClientDetails(generator.generate(), "", "openid", "password", null);
+        targetZoneClient.setClientSecret(SECRET);
+        String subdomain = generator.generate().toLowerCase();
+        IdentityZone targetZone = MockMvcUtils.createOtherIdentityZoneAndReturnResult(subdomain,
+                mockMvc,
+                webApplicationContext,
+                targetZoneClient,
+                false, IdentityZoneHolder.getCurrentZoneId()).getIdentityZone();
+        ScimUser targetZoneUser = createUser(targetZone);
+
+        String originZoneOriginKey = createProvider(targetZone, getTokenVerificationKey(originZone.getIdentityZone()));
+
+        //Check for internal User
+        String targetZoneIdToken = getUaaIdToken(targetZone, targetZoneClient, targetZoneUser);
+        String accessTokenForTargetZoneUser = performJWTBearerGrantForJWT(targetZone, targetZoneIdToken);
+
+        //Verify JWT Bearer did not change values of internal User
+        ScimUser targetUserAfterGrant = getScimUser(targetZoneUser.getUserName(), OriginKeys.UAA, targetZone.getId());
+        assertEquals(targetZoneUser.getUserName(), targetUserAfterGrant.getUserName());
+        assertEquals(targetZoneUser.getExternalId(), targetUserAfterGrant.getExternalId());
+
+        //Check for user of registered IdP
+        String originZoneIdToken = getUaaIdToken(originZone.getIdentityZone(), originClient, originUser);
+        String accessTokenForOriginZoneUser = performJWTBearerGrantForJWT(targetZone, originZoneIdToken);
+        Map<String, Object> originUserClaims = JwtTokenUtils.getClaimsForToken(accessTokenForOriginZoneUser);
+
+        //Verify values for new shadow user set
+        ScimUser originShadowUser = getScimUser(originUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
+        assertEquals(originShadowUser.getUserName(), originUserClaims.get("user_name"));
+        assertEquals(originShadowUser.getExternalId(), originUser.getId());
+
+        //JWT Bearer with token from target Zone and external User
+        performJWTBearerGrantForJWT(targetZone, accessTokenForOriginZoneUser);
+
+        //Verify username and External ID not changed after this internal grant
+        ScimUser originShadowUserAfterExchange = getScimUser(originUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
+        assertEquals(originShadowUser.getUserName(), originShadowUserAfterExchange.getUserName());
+        assertEquals(originShadowUser.getExternalId(), originShadowUserAfterExchange.getExternalId());
+    }
+
+    @Test
+    void default_zone_jwt_grant_user_update_same_zone_with_registration() throws Exception {
+        BaseClientDetails targetZoneClient = new BaseClientDetails(generator.generate(), "", "openid", "password",
+                null);
+        targetZoneClient.setClientSecret(SECRET);
+        String subdomain = generator.generate().toLowerCase();
+        IdentityZone targetZone = MockMvcUtils.createOtherIdentityZoneAndReturnResult(subdomain,
+                mockMvc,
+                webApplicationContext,
+                targetZoneClient,
+                false, IdentityZoneHolder.getCurrentZoneId()).getIdentityZone();
+        ScimUser targetZoneUser = createUser(targetZone);
+
+        String originZoneOriginKey = createOIDCProvider(targetZone,
+                getTokenVerificationKey(targetZone),
+                "http://" + targetZone.getSubdomain() + ".localhost:8080/uaa/oauth/token",
+                targetZoneClient.getClientId()).getOriginKey();
+
+        String targetZoneIdToken = getUaaIdToken(targetZone, targetZoneClient, targetZoneUser);
+        String accessTokenForTargetZoneUser = performJWTBearerGrantForJWT(targetZone, targetZoneIdToken);
+
+        Map<String, Object> targetUserClaims = JwtTokenUtils.getClaimsForToken(accessTokenForTargetZoneUser);
+
+        //Verify shadow user of same-zone Idp created
+        ScimUser originShadowUser = getScimUser(targetZoneUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
+        assertEquals(originShadowUser.getUserName(), targetUserClaims.get("user_name"));
+        assertEquals(originShadowUser.getExternalId(), targetZoneUser.getId());
+
+        //JWT Bearer with token from target Zone and shadow user of registered IdP (with same issuer)
+        performJWTBearerGrantForJWT(targetZone, accessTokenForTargetZoneUser);
+
+        //Verify username and External ID changed after this internal grant (as they are updated values of registered issuer)
+        ScimUser originShadowUserAfterExchange = getScimUser(targetZoneUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
+        assertEquals(originShadowUserAfterExchange.getUserName(), targetUserClaims.get("user_name"));
+        assertEquals(originShadowUserAfterExchange.getExternalId(), targetUserClaims.get("sub"));
+    }
+
     @Test
     void non_default_zone_jwt_grant() throws Exception {
         String subdomain = generator.generate().toLowerCase();
@@ -164,11 +248,39 @@ ResultActions perform_grant_in_zone(IdentityZone theZone, String assertion) thro
             .andDo(print());
     }
 
-    void createProvider(IdentityZone theZone, String verificationKey) throws Exception {
-        createOIDCProvider(theZone,
+    private String performJWTBearerGrantForJWT(IdentityZone theZone, String assertion) throws Exception {
+        ClientDetails client = createJwtBearerClient(theZone);
+
+        MockHttpServletRequestBuilder jwtBearerGrant = post("/oauth/token")
+                .header(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE)
+                .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
+                .param("client_id", client.getClientId())
+                .param("client_secret", client.getClientSecret())
+                .param(GRANT_TYPE, GRANT_TYPE_JWT_BEARER)
+                .param(TokenConstants.REQUEST_TOKEN_FORMAT, TokenConstants.TokenFormat.JWT.getStringValue())
+                .param("response_type", "token id_token")
+                .param("scope", "openid")
+                .param("assertion", assertion);
+        if (hasText(theZone.getSubdomain())) {
+            jwtBearerGrant = jwtBearerGrant.header("Host", theZone.getSubdomain()+".localhost");
+        }
+        String tokenResponse = mockMvc.perform(jwtBearerGrant)
+                .andDo(print())
+                .andExpect(jsonPath("$.access_token").isNotEmpty())
+                .andReturn()
+                .getResponse()
+                .getContentAsString();
+        Map<String, Object> tokenMap = JsonUtils.readValue(tokenResponse, Map.class);
+        String accessToken = (String) tokenMap.get("access_token");
+        return accessToken;
+    }
+
+    String createProvider(IdentityZone theZone, String verificationKey) throws Exception {
+        IdentityProvider idp = createOIDCProvider(theZone,
                 verificationKey,
                 "http://" + originZone.getIdentityZone().getSubdomain() + ".localhost:8080/uaa/oauth/token",
                 originClient.getClientId());
+        return idp.getOriginKey();
     }
 
     String getUaaIdToken(IdentityZone zone, ClientDetails client, ScimUser user) throws Exception {
@@ -207,6 +319,14 @@ public ScimUser createUser(IdentityZone zone) {
         }
     }
 
+    private ScimUser getScimUser(String username, String origin, String zoneId) {
+        ScimUserProvisioning scimUserProvisioning = webApplicationContext.getBean(ScimUserProvisioning.class);
+
+        List<ScimUser> scimUsers = scimUserProvisioning.retrieveByUsernameAndOriginAndZone(username, origin, zoneId);
+        assertEquals(1, scimUsers.size());
+        return scimUsers.get(0);
+    }
+
     ClientDetails createJwtBearerClient(IdentityZone zone) {
         BaseClientDetails details = new BaseClientDetails(
             generator.generate().toLowerCase(),

From 863c0aadbd4603ceae63dff738dc92b55c5df5c8 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Mon, 29 Mar 2021 16:08:01 +0200
Subject: [PATCH 21/76] Invert boolean method to have a more intuitive naming

---
 .../oauth/ExternalOAuthAuthenticationManager.java    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index 72ab9b2ebe3..b24fdb02641 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -406,7 +406,7 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
         }
 
         //we must check and see if the email address has changed between authentications
-        if (haveUserAttributesChanged(userFromDb, userFromRequest) && !isIdTokenIssuedByUaaWithoutIdpRegistration(request)) {
+        if (haveUserAttributesChanged(userFromDb, userFromRequest) && isRegisteredIdpAuthentication(request)) {
             logger.debug("User attributed have changed, updating them.");
             userFromDb = userFromDb.modifyAttributes(email,
                                                      userFromRequest.getGivenName(),
@@ -423,10 +423,10 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
         return getUserDatabase().retrieveUserById(userFromDb.getId());
     }
 
-    private boolean isIdTokenIssuedByUaaWithoutIdpRegistration(Authentication request) {
+    private boolean isRegisteredIdpAuthentication(Authentication request) {
         String idToken = ((ExternalOAuthCodeToken) request).getIdToken();
         if (idToken == null) {
-            return false;
+            return true;
         }
         String claimsString = JwtHelper.decode(ofNullable(idToken).orElse("")).getClaims();
         Map<String, Object> claims = JsonUtils.readValue(claimsString, new TypeReference<Map<String, Object>>() {});
@@ -434,12 +434,12 @@ private boolean isIdTokenIssuedByUaaWithoutIdpRegistration(Authentication reques
         if (idTokenWasIssuedByTheUaa(issuer)) {
             try {
                 ((ExternalOAuthProviderConfigurator) getProviderProvisioning()).retrieveByIssuer(issuer, IdentityZoneHolder.get().getId());
-                return false;
-            } catch (IncorrectResultSizeDataAccessException e) {
                 return true;
+            } catch (IncorrectResultSizeDataAccessException e) {
+                return false;
             }
         } else {
-            return false;
+            return true;
         }
     }
 

From c10f574d7e426fb821e0d3b9886dc35b75d33c45 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Tue, 6 Apr 2021 18:33:03 +0200
Subject: [PATCH 22/76] Rename variable and test case for clarity

---
 .../uaa/mock/token/JwtBearerGrantMockMvcTests.java | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java
index e74af553071..886d8d2c9e8 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java
@@ -118,21 +118,21 @@ void non_default_zone_jwt_grant_user_update() throws Exception {
         Map<String, Object> originUserClaims = JwtTokenUtils.getClaimsForToken(accessTokenForOriginZoneUser);
 
         //Verify values for new shadow user set
-        ScimUser originShadowUser = getScimUser(originUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
-        assertEquals(originShadowUser.getUserName(), originUserClaims.get("user_name"));
-        assertEquals(originShadowUser.getExternalId(), originUser.getId());
+        ScimUser shadowUser = getScimUser(originUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
+        assertEquals(shadowUser.getUserName(), originUserClaims.get("user_name"));
+        assertEquals(shadowUser.getExternalId(), originUser.getId());
 
         //JWT Bearer with token from target Zone and external User
         performJWTBearerGrantForJWT(targetZone, accessTokenForOriginZoneUser);
 
         //Verify username and External ID not changed after this internal grant
-        ScimUser originShadowUserAfterExchange = getScimUser(originUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
-        assertEquals(originShadowUser.getUserName(), originShadowUserAfterExchange.getUserName());
-        assertEquals(originShadowUser.getExternalId(), originShadowUserAfterExchange.getExternalId());
+        ScimUser shadowUserAfterExchange = getScimUser(originUser.getEmails().get(0).getValue(), originZoneOriginKey, targetZone.getId());
+        assertEquals(shadowUser.getUserName(), shadowUserAfterExchange.getUserName());
+        assertEquals(shadowUser.getExternalId(), shadowUserAfterExchange.getExternalId());
     }
 
     @Test
-    void default_zone_jwt_grant_user_update_same_zone_with_registration() throws Exception {
+    void non_default_zone_jwt_grant_user_update_same_zone_with_registration() throws Exception {
         BaseClientDetails targetZoneClient = new BaseClientDetails(generator.generate(), "", "openid", "password",
                 null);
         targetZoneClient.setClientSecret(SECRET);

From c0298237cb8cc15de1ba519a1b9df18fc383baca Mon Sep 17 00:00:00 2001
From: Peter Chen <peterch@vmware.com>
Date: Fri, 9 Apr 2021 12:02:47 -0700
Subject: [PATCH 23/76] refactor: extract shared code into helper methods

---
 .../ExternalOAuthAuthenticationManager.java   | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index b24fdb02641..29080f9cded 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -140,15 +140,14 @@ public void setOrigin(String origin) {
 
     public IdentityProvider resolveOriginProvider(String idToken) throws AuthenticationException {
         try {
-            String claimsString = JwtHelper.decode(ofNullable(idToken).orElse("")).getClaims();
-            Map<String, Object> claims = JsonUtils.readValue(claimsString, new TypeReference<Map<String, Object>>() {});
+            Map<String, Object> claims = parseClaimsFromIdTokenString(idToken);
             String issuer = (String) claims.get(ClaimConstants.ISS);
             if (isEmpty(issuer)) {
                 throw new InsufficientAuthenticationException("Issuer is missing in id_token");
             }
             //1. Check if issuer is registered provider
             try {
-                return ((ExternalOAuthProviderConfigurator) getProviderProvisioning()).retrieveByIssuer(issuer, IdentityZoneHolder.get().getId());
+                return retrieveRegisteredIdentityProviderByIssuer(issuer);
             } catch (IncorrectResultSizeDataAccessException x) {
                 logger.debug("No registered identity provider found for given issuer. Checking for uaa.");
             }
@@ -167,6 +166,15 @@ public IdentityProvider resolveOriginProvider(String idToken) throws Authenticat
         }
     }
 
+    private IdentityProvider retrieveRegisteredIdentityProviderByIssuer(String issuer) {
+        return ((ExternalOAuthProviderConfigurator) getProviderProvisioning()).retrieveByIssuer(issuer, IdentityZoneHolder.get().getId());
+    }
+
+    private Map<String, Object> parseClaimsFromIdTokenString(String idToken) {
+        String claimsString = JwtHelper.decode(ofNullable(idToken).orElse("")).getClaims();
+        return JsonUtils.readValue(claimsString, new TypeReference<Map<String, Object>>() {});
+    }
+
     private boolean idTokenWasIssuedByTheUaa(String issuer) {
         return issuer.equals(tokenEndpointBuilder.getTokenEndpoint(IdentityZoneHolder.get()));
     }
@@ -428,12 +436,12 @@ private boolean isRegisteredIdpAuthentication(Authentication request) {
         if (idToken == null) {
             return true;
         }
-        String claimsString = JwtHelper.decode(ofNullable(idToken).orElse("")).getClaims();
-        Map<String, Object> claims = JsonUtils.readValue(claimsString, new TypeReference<Map<String, Object>>() {});
+        Map<String, Object> claims = parseClaimsFromIdTokenString(idToken);
         String issuer = (String) claims.get(ClaimConstants.ISS);
         if (idTokenWasIssuedByTheUaa(issuer)) {
             try {
-                ((ExternalOAuthProviderConfigurator) getProviderProvisioning()).retrieveByIssuer(issuer, IdentityZoneHolder.get().getId());
+                // check if the UAA Identity Zone is registered as an external Idp of itself
+                retrieveRegisteredIdentityProviderByIssuer(issuer);
                 return true;
             } catch (IncorrectResultSizeDataAccessException e) {
                 return false;

From 3178b4379c4d6aacc5d3fe64677ae39c96e1526c Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Fri, 16 Apr 2021 07:06:01 +0200
Subject: [PATCH 24/76] Bump Spring Dependencies (#1559)

spring boot 2.4.5
spring framework 5.3.6
tomcat 9.0.45
---
 dependencies.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index d1c7c7c55c2..71ffbd6d158 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -12,13 +12,13 @@ versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
 versions.bouncyCastleVersion = "1.68"
 versions.hamcrestVersion = "2.2"
-versions.springBootVersion = "2.4.4"
+versions.springBootVersion = "2.4.5"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"
 versions.springSecurityOAuthVersion = "2.5.0.RELEASE"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
-versions.springVersion = "5.3.5"
+versions.springVersion = "5.3.6"
 versions.xmlBind = "2.3.0.1"
-versions.tomcatCargoVersion = "9.0.44"
+versions.tomcatCargoVersion = "9.0.45"
 
 // Dependencies (some rely on shared versions, some are shared between projects)
 libraries.apacheCommonsRngCore = "org.apache.commons:commons-rng-core:1.3"

From 93cab51d3a408c3ef212640cd5e0d81978354dca Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 8 Apr 2021 11:03:08 +0000
Subject: [PATCH 25/76] Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.1 in
 /k8s

Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.2 to 1.16.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.15.2...v1.16.1)

Signed-off-by: dependabot[bot] <support@github.com>
---
 k8s/go.mod | 2 +-
 k8s/go.sum | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 4734184d1f5..47642508cfc 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -3,7 +3,7 @@ module github.com/cloudfoundry/uaa
 go 1.15
 
 require (
-	github.com/onsi/ginkgo v1.15.2
+	github.com/onsi/ginkgo v1.16.1
 	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.5
diff --git a/k8s/go.sum b/k8s/go.sum
index cb6e0133ca5..4dbc04179db 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -70,6 +70,7 @@ github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL9
 github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -157,8 +158,8 @@ github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.15.2 h1:l77YT15o814C2qVL47NOyjV/6RbaP7kKdrvZnxQ3Org=
-github.com/onsi/ginkgo v1.15.2/go.mod h1:Dd6YFfwBW84ETqqtL0CPyPXillHgY6XhQH3uuCCTr/o=
+github.com/onsi/ginkgo v1.16.1 h1:foqVmeWDD6yYpK+Yz3fHyNIxFYNxswxqNFjSKe+vI54=
+github.com/onsi/ginkgo v1.16.1/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
@@ -179,6 +180,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

From f01cff0107abec7d98e5ff697515c3884f538d8e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 16 Apr 2021 08:10:53 +0000
Subject: [PATCH 26/76] Bump k8s.io/apimachinery from 0.20.5 to 0.21.0 in /k8s

Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.20.5 to 0.21.0.
- [Release notes](https://github.com/kubernetes/apimachinery/releases)
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.20.5...v0.21.0)

Signed-off-by: dependabot[bot] <support@github.com>
---
 k8s/go.mod |  2 +-
 k8s/go.sum | 40 ++++++++++++++++++++++++++++++----------
 2 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 47642508cfc..a295209d17d 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -7,6 +7,6 @@ require (
 	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.5
-	k8s.io/apimachinery v0.20.5
+	k8s.io/apimachinery v0.21.0
 	k8s.io/client-go v0.20.5
 )
diff --git a/k8s/go.sum b/k8s/go.sum
index 4dbc04179db..0971d7a1610 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -41,6 +41,7 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -61,8 +62,9 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
+github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
@@ -71,8 +73,9 @@ github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -120,6 +123,7 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -132,17 +136,19 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -151,6 +157,8 @@ github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@@ -183,6 +191,7 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
@@ -249,8 +258,9 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb h1:eBmm0M9fYhWpKZLjQUUKka/LtIxf46G4fxeEz5KJr9U=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 h1:OgUuv8lsRpBibGNbSizVwKWlysjaNzmC9gYMhPVfqFM=
+golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -289,8 +299,11 @@ golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073 h1:8qxJSnu+7dRq6upnbntrmriWByIakBuct5OM/MdQC1M=
+golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -334,7 +347,9 @@ golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -393,8 +408,9 @@ google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
@@ -418,21 +434,25 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.20.5 h1:zsMTffV0Le2EiI0aKvlTHEnXGxk1HiqGRhJcCPiI7JI=
 k8s.io/api v0.20.5/go.mod h1:FQjAceXnVaWDeov2YUWhOb6Yt+5UjErkp6UO3nczO1Y=
-k8s.io/apimachinery v0.20.5 h1:wO/FxMVRn223rAKxnBbwCyuN96bS9MFTIvP0e/V7cps=
 k8s.io/apimachinery v0.20.5/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
+k8s.io/apimachinery v0.21.0 h1:3Fx+41if+IRavNcKOz09FwEXDBG6ORh6iMsTSelhkMA=
+k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
 k8s.io/client-go v0.20.5 h1:dJGtYUvFrFGjQ+GjXEIby0gZWdlAOc0xJBJqY3VyDxA=
 k8s.io/client-go v0.20.5/go.mod h1:Ee5OOMMYvlH8FCZhDsacjMlCBwetbGZETwo1OA+e6Zw=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ=
 k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
+k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts=
+k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
+k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/structured-merge-diff/v4 v4.1.0 h1:C4r9BgJ98vrKnnVCjwCSXcWjWe0NKcUQkmzDXZXGwH8=
+sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

From d7f70c17eb452f4b943179a5607aacde8ce2a6ac Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 16 Apr 2021 08:38:36 +0000
Subject: [PATCH 27/76] Bump k8s.io/client-go from 0.20.5 to 0.21.0 in /k8s

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.20.5 to 0.21.0.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.20.5...v0.21.0)

Signed-off-by: dependabot[bot] <support@github.com>
---
 k8s/go.mod |  4 ++--
 k8s/go.sum | 31 ++++++++++---------------------
 2 files changed, 12 insertions(+), 23 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index a295209d17d..61b6b34b8f6 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/onsi/ginkgo v1.16.1
 	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.20.5
+	k8s.io/api v0.21.0
 	k8s.io/apimachinery v0.21.0
-	k8s.io/client-go v0.20.5
+	k8s.io/client-go v0.21.0
 )
diff --git a/k8s/go.sum b/k8s/go.sum
index 0971d7a1610..18d1c63c483 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -22,11 +22,9 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
-github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
+github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
 github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
-github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
@@ -45,8 +43,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -57,12 +53,10 @@ github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoD
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
 github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
@@ -73,7 +67,6 @@ github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -135,7 +128,6 @@ github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -204,6 +196,7 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -257,7 +250,6 @@ golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 h1:OgUuv8lsRpBibGNbSizVwKWlysjaNzmC9gYMhPVfqFM=
 golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -287,6 +279,7 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -298,12 +291,13 @@ golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073 h1:8qxJSnu+7dRq6upnbntrmriWByIakBuct5OM/MdQC1M=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -314,9 +308,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -432,19 +425,16 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.20.5 h1:zsMTffV0Le2EiI0aKvlTHEnXGxk1HiqGRhJcCPiI7JI=
-k8s.io/api v0.20.5/go.mod h1:FQjAceXnVaWDeov2YUWhOb6Yt+5UjErkp6UO3nczO1Y=
-k8s.io/apimachinery v0.20.5/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
+k8s.io/api v0.21.0 h1:gu5iGF4V6tfVCQ/R+8Hc0h7H1JuEhzyEi9S4R5LM8+Y=
+k8s.io/api v0.21.0/go.mod h1:+YbrhBBGgsxbF6o6Kj4KJPJnBmAKuXDeS3E18bgHNVU=
 k8s.io/apimachinery v0.21.0 h1:3Fx+41if+IRavNcKOz09FwEXDBG6ORh6iMsTSelhkMA=
 k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
-k8s.io/client-go v0.20.5 h1:dJGtYUvFrFGjQ+GjXEIby0gZWdlAOc0xJBJqY3VyDxA=
-k8s.io/client-go v0.20.5/go.mod h1:Ee5OOMMYvlH8FCZhDsacjMlCBwetbGZETwo1OA+e6Zw=
+k8s.io/client-go v0.21.0 h1:n0zzzJsAQmJngpC0IhgFcApZyoGXPrDIAD601HD09ag=
+k8s.io/client-go v0.21.0/go.mod h1:nNBytTF9qPFDEhoqgEPaarobC8QPae13bElIVHzIglA=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts=
 k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
-k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
 k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
@@ -453,6 +443,5 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.0 h1:C4r9BgJ98vrKnnVCjwCSXcWjWe0NKcUQkmzDXZXGwH8=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

From ffc4782928a59fa4311d78fcad9e44c5aa0474b1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 18 Mar 2021 11:01:30 +0000
Subject: [PATCH 28/76] Bump jasmine from 3.6.4 to 3.7.0 in /uaa

Bumps [jasmine](https://github.com/jasmine/jasmine-npm) from 3.6.4 to 3.7.0.
- [Release notes](https://github.com/jasmine/jasmine-npm/releases)
- [Commits](https://github.com/jasmine/jasmine-npm/compare/v3.6.4...v3.7.0)

Signed-off-by: dependabot[bot] <support@github.com>
---
 uaa/package-lock.json | 15 +++++++++++----
 uaa/package.json      |  2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/uaa/package-lock.json b/uaa/package-lock.json
index 8d9328d7f61..4bd2bb745a9 100644
--- a/uaa/package-lock.json
+++ b/uaa/package-lock.json
@@ -56,12 +56,19 @@
       "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
     },
     "jasmine": {
-      "version": "3.6.4",
-      "resolved": "https://registry.npmjs.org/jasmine/-/jasmine-3.6.4.tgz",
-      "integrity": "sha512-hIeOou6y0BgCOKYgXYveQvlY+PTHgDPajFf+vLCYbMTQ+VjAP9+EQv0nuC9+gyCAAWISRFauB1XUb9kFuOKtcQ==",
+      "version": "3.7.0",
+      "resolved": "https://registry.npmjs.org/jasmine/-/jasmine-3.7.0.tgz",
+      "integrity": "sha512-wlzGQ+cIFzMEsI+wDqmOwvnjTvolLFwlcpYLCqSPPH0prOQaW3P+IzMhHYn934l1imNvw07oCyX+vGUv3wmtSQ==",
       "requires": {
         "glob": "^7.1.6",
-        "jasmine-core": "~3.6.0"
+        "jasmine-core": "~3.7.0"
+      },
+      "dependencies": {
+        "jasmine-core": {
+          "version": "3.7.0",
+          "resolved": "https://registry.npmjs.org/jasmine-core/-/jasmine-core-3.7.0.tgz",
+          "integrity": "sha512-jmeRIgxS/abz8afk9NKJ1yP7n93aZdRaHDWtTHJBlYu6fhbzvErjiO3mMlSSrJefVk1a+26JlABrHS2iBH8Azw=="
+        }
       }
     },
     "jasmine-core": {
diff --git a/uaa/package.json b/uaa/package.json
index 64ae0fb96c9..5312339df46 100644
--- a/uaa/package.json
+++ b/uaa/package.json
@@ -13,7 +13,7 @@
   "author": "CloudFoundry",
   "license": "Apache-2.0",
   "dependencies": {
-    "jasmine": "^3.6.4",
+    "jasmine": "^3.7.0",
     "jasmine-core": "3.6.0"
   }
 }

From 74880c44488a5ca2997a1ce077442f73a9f2f759 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 16 Apr 2021 11:31:18 +0000
Subject: [PATCH 29/76] Bump jasmine-core from 3.6.0 to 3.7.1 in /uaa

Bumps [jasmine-core](https://github.com/jasmine/jasmine) from 3.6.0 to 3.7.1.
- [Release notes](https://github.com/jasmine/jasmine/releases)
- [Changelog](https://github.com/jasmine/jasmine/blob/main/RELEASE.md)
- [Commits](https://github.com/jasmine/jasmine/compare/v3.6.0...v3.7.1)

Signed-off-by: dependabot[bot] <support@github.com>
---
 uaa/package-lock.json | 6 +++---
 uaa/package.json      | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/uaa/package-lock.json b/uaa/package-lock.json
index 4bd2bb745a9..6c2adc98cca 100644
--- a/uaa/package-lock.json
+++ b/uaa/package-lock.json
@@ -72,9 +72,9 @@
       }
     },
     "jasmine-core": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/jasmine-core/-/jasmine-core-3.6.0.tgz",
-      "integrity": "sha512-8uQYa7zJN8hq9z+g8z1bqCfdC8eoDAeVnM5sfqs7KHv9/ifoJ500m018fpFc7RDaO6SWCLCXwo/wPSNcdYTgcw=="
+      "version": "3.7.1",
+      "resolved": "https://registry.npmjs.org/jasmine-core/-/jasmine-core-3.7.1.tgz",
+      "integrity": "sha512-DH3oYDS/AUvvr22+xUBW62m1Xoy7tUlY1tsxKEJvl5JeJ7q8zd1K5bUwiOxdH+erj6l2vAMM3hV25Xs9/WrmuQ=="
     },
     "minimatch": {
       "version": "3.0.4",
diff --git a/uaa/package.json b/uaa/package.json
index 5312339df46..1c3f5c8682e 100644
--- a/uaa/package.json
+++ b/uaa/package.json
@@ -14,6 +14,6 @@
   "license": "Apache-2.0",
   "dependencies": {
     "jasmine": "^3.7.0",
-    "jasmine-core": "3.6.0"
+    "jasmine-core": "3.7.1"
   }
 }

From 0391f8e1adce7482e284a0daf07231a2f96f6e40 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 16 Apr 2021 15:19:44 +0200
Subject: [PATCH 30/76] Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /statsd
 (#1547)

* Bump tomcat-embed-core from 9.0.37 to 9.0.41 in /statsd

Bumps tomcat-embed-core from 9.0.37 to 9.0.41.

Signed-off-by: dependabot[bot] <support@github.com>

* Update pom.xml

* Update pom.xml

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <strehle@users.noreply.github.com>
---
 statsd/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/statsd/pom.xml b/statsd/pom.xml
index a408b5d5e19..a791d4ec7fe 100644
--- a/statsd/pom.xml
+++ b/statsd/pom.xml
@@ -56,7 +56,7 @@
     <dependency>
       <groupId>org.apache.tomcat.embed</groupId>
       <artifactId>tomcat-embed-core</artifactId>
-      <version>9.0.37</version>
+      <version>9.0.45</version>
       <scope>provided</scope>
       <exclusions>
         <exclusion>

From 7a798c7950f20136793a95fadec2fd2db8d305fa Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 16 Apr 2021 15:47:25 +0200
Subject: [PATCH 31/76] Bump tomcat-embed-core from 9.0.37 to 9.0.45 in /server
 (#1545)

* Bump tomcat-embed-core from 9.0.37 to 9.0.41 in /server

Bumps tomcat-embed-core from 9.0.37 to 9.0.41.

Signed-off-by: dependabot[bot] <support@github.com>

* Update pom.xml

* Update pom.xml

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <strehle@users.noreply.github.com>
---
 server/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/pom.xml b/server/pom.xml
index 0db5700fae5..31a26f3d081 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -1870,7 +1870,7 @@
     <dependency>
       <groupId>org.apache.tomcat.embed</groupId>
       <artifactId>tomcat-embed-core</artifactId>
-      <version>9.0.37</version>
+      <version>9.0.45</version>
       <scope>provided</scope>
       <exclusions>
         <exclusion>

From 8b1f10f13e1f61ae617d5a6c1feaac3002b59e82 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 16 Apr 2021 17:56:01 +0200
Subject: [PATCH 32/76] Bump tomcat-embed-core from 9.0.37 to 9.0.45 in
 /samples/app (#1546)

* Bump tomcat-embed-core from 9.0.37 to 9.0.41 in /samples/app

Bumps tomcat-embed-core from 9.0.37 to 9.0.41.

Signed-off-by: dependabot[bot] <support@github.com>

* Update pom.xml

* Update pom.xml

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <strehle@users.noreply.github.com>
---
 samples/app/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samples/app/pom.xml b/samples/app/pom.xml
index a4a24df1c2f..712f909c828 100644
--- a/samples/app/pom.xml
+++ b/samples/app/pom.xml
@@ -56,7 +56,7 @@
     <dependency>
       <groupId>org.apache.tomcat.embed</groupId>
       <artifactId>tomcat-embed-core</artifactId>
-      <version>9.0.37</version>
+      <version>9.0.45</version>
       <scope>provided</scope>
       <exclusions>
         <exclusion>

From 395059b1f02c96716e35eebd94efa08b71ab86b8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 16 Apr 2021 17:56:16 +0200
Subject: [PATCH 33/76] Bump tomcat-embed-core from 9.0.37 to 9.0.45 in
 /samples/api (#1544)

* Bump tomcat-embed-core from 9.0.37 to 9.0.41 in /samples/api

Bumps tomcat-embed-core from 9.0.37 to 9.0.41.

Signed-off-by: dependabot[bot] <support@github.com>

* Update pom.xml

* Update pom.xml

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <strehle@users.noreply.github.com>
---
 samples/api/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samples/api/pom.xml b/samples/api/pom.xml
index 43f85a5d504..d201f66d6ca 100644
--- a/samples/api/pom.xml
+++ b/samples/api/pom.xml
@@ -142,7 +142,7 @@
     <dependency>
       <groupId>org.apache.tomcat.embed</groupId>
       <artifactId>tomcat-embed-core</artifactId>
-      <version>9.0.37</version>
+      <version>9.0.45</version>
       <scope>provided</scope>
       <exclusions>
         <exclusion>

From 04aa595bf8b0cebe8afac63a7b771ca2e753570e Mon Sep 17 00:00:00 2001
From: Steve Taylor <staylor@pivotal.io>
Date: Tue, 30 Mar 2021 10:11:55 -0700
Subject: [PATCH 34/76] login_hint should not automatically bypass discovery
 logic

---
 .../identity/uaa/login/LoginInfoEndpoint.java |   8 +-
 .../uaa/login/LoginInfoEndpointTests.java     |  51 ++++++++-
 .../identity/uaa/login/LoginMockMvcTests.java | 103 +++++++++++++++---
 3 files changed, 138 insertions(+), 24 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
index 9776b363adf..2957f33b422 100755
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
@@ -281,7 +281,9 @@ private String login(Model model, Principal principal, List<String> excludedProm
         boolean accountChooserEnabled = IdentityZoneHolder.get().getConfig().isAccountChooserEnabled();
         boolean otherAccountSignIn = Boolean.parseBoolean(request.getParameter("otherAccountSignIn"));
         boolean savedAccountsEmpty = getSavedAccounts(request.getCookies(), SavedAccountOption.class).isEmpty();
-        boolean accountChooserNeeded = accountChooserEnabled && !(otherAccountSignIn || savedAccountsEmpty) && discoveryEnabled &&!discoveryPerformed;
+        boolean accountChooserNeeded = accountChooserEnabled
+                && !(otherAccountSignIn || savedAccountsEmpty)
+                && !discoveryPerformed;
 
         String loginHintParam = extractLoginHintParam(session, request);
         UaaLoginHint uaaLoginHint = UaaLoginHint.parseRequestParameter(loginHintParam);
@@ -307,6 +309,7 @@ private String login(Model model, Principal principal, List<String> excludedProm
                 oauthIdentityProviders = Collections.emptyMap();
                 samlIdentityProviders = Collections.emptyMap();
             } else {
+                accountChooserNeeded = false;
                 samlIdentityProviders = getSamlIdentityProviderDefinitions(allowedIdentityProviderKeys);
                 oauthIdentityProviders = getOauthIdentityProviderDefinitions(allowedIdentityProviderKeys);
                 allIdentityProviders = new HashMap<>();
@@ -418,9 +421,6 @@ private String getUnauthenticatedRedirect(
         }
 
         if (discoveryEnabled) {
-            if (model.containsAttribute("login_hint")) {
-                return goToPasswordPage(request.getParameter("email"), model);
-            }
             if (accountChooserNeeded) {
                 return "idp_discovery/account_chooser";
             }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
index e410ed4aa9e..38662f3d851 100755
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
@@ -73,6 +73,7 @@
 import static java.util.Collections.emptySet;
 import static java.util.Collections.singletonList;
 import static org.cloudfoundry.identity.uaa.util.AssertThrowsWithMessage.assertThrowsWithMessageThat;
+import static org.cloudfoundry.identity.uaa.util.SessionUtils.SAVED_REQUEST_SESSION_ATTRIBUTE;
 import static org.cloudfoundry.identity.uaa.util.UaaUrlUtils.addSubdomainToUrl;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
@@ -1111,15 +1112,59 @@ void loginHintUaaNotAllowedLoginPageNotEmpty() throws Exception {
     }
 
     @Test
-    void loginHintOriginUaaSkipAccountChooser() throws Exception {
+    void testNoLoginHintAccountChooser() throws Exception {
         MockHttpServletRequest mockHttpServletRequest = getMockHttpServletRequest();
+        SavedAccountOption savedAccount = new SavedAccountOption();
 
-        MultitenantClientServices clientDetailsService = mockClientService();
+        savedAccount.setUsername("bob");
+        savedAccount.setEmail("bob@example.com");
+        savedAccount.setUserId("xxxx");
+        savedAccount.setOrigin("uaa");
+        Cookie cookie1 = new Cookie("Saved-Account-xxxx", URLEncoder.encode(JsonUtils.writeValueAsString(savedAccount), UTF_8.name()));
+
+        savedAccount.setUsername("tim");
+        savedAccount.setEmail("tim@example.org");
+        savedAccount.setUserId("zzzz");
+        savedAccount.setOrigin("ldap");
+        Cookie cookie2 = new Cookie("Saved-Account-zzzz", URLEncoder.encode(JsonUtils.writeValueAsString(savedAccount), UTF_8.name()));
 
+        mockHttpServletRequest.setCookies(cookie1, cookie2);
+
+        MultitenantClientServices clientDetailsService = mockClientService();
         LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get(), clientDetailsService);
+        SavedRequest savedRequest = SessionUtils.getSavedRequestSession(mockHttpServletRequest.getSession());
+
+        IdentityZoneHolder.get().getConfig().setIdpDiscoveryEnabled(true);
+        IdentityZoneHolder.get().getConfig().setAccountChooserEnabled(true);
+
+        String redirect = endpoint.loginForHtml(extendedModelMap, null, mockHttpServletRequest, Collections.singletonList(MediaType.TEXT_HTML));
+
+        assertEquals("idp_discovery/account_chooser", redirect);
+    }
+
+    @Test
+    void loginHintOriginUaaSkipAccountChooser() throws Exception {
+        MockHttpServletRequest mockHttpServletRequest = getMockHttpServletRequest();
+        SavedAccountOption savedAccount = new SavedAccountOption();
+
+        savedAccount.setUsername("bob");
+        savedAccount.setEmail("bob@example.com");
+        savedAccount.setUserId("xxxx");
+        savedAccount.setOrigin("uaa");
+        Cookie cookie1 = new Cookie("Saved-Account-xxxx", URLEncoder.encode(JsonUtils.writeValueAsString(savedAccount), UTF_8.name()));
 
+        savedAccount.setUsername("tim");
+        savedAccount.setEmail("tim@example.org");
+        savedAccount.setUserId("zzzz");
+        savedAccount.setOrigin("ldap");
+        Cookie cookie2 = new Cookie("Saved-Account-zzzz", URLEncoder.encode(JsonUtils.writeValueAsString(savedAccount), UTF_8.name()));
 
+        mockHttpServletRequest.setCookies(cookie1, cookie2);
+
+        MultitenantClientServices clientDetailsService = mockClientService();
+        LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get(), clientDetailsService);
         SavedRequest savedRequest = SessionUtils.getSavedRequestSession(mockHttpServletRequest.getSession());
+
         when(savedRequest.getParameterValues("login_hint")).thenReturn(new String[]{"{\"origin\":\"uaa\"}"});
 
         IdentityZoneHolder.get().getConfig().setIdpDiscoveryEnabled(true);
@@ -1128,7 +1173,7 @@ void loginHintOriginUaaSkipAccountChooser() throws Exception {
         String redirect = endpoint.loginForHtml(extendedModelMap, null, mockHttpServletRequest, singletonList(MediaType.TEXT_HTML));
 
         assertEquals("{\"origin\":\"uaa\"}", extendedModelMap.get("login_hint"));
-        assertEquals("idp_discovery/password", redirect);
+        assertEquals("idp_discovery/email", redirect);
     }
 
     @Test
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
index b00e3d24b2e..ee958ef5ed0 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
@@ -32,14 +32,7 @@
 import org.cloudfoundry.identity.uaa.util.SessionUtils;
 import org.cloudfoundry.identity.uaa.util.SetServerNameRequestPostProcessor;
 import org.cloudfoundry.identity.uaa.web.LimitedModeUaaFilter;
-import org.cloudfoundry.identity.uaa.zone.BrandingInformation;
-import org.cloudfoundry.identity.uaa.zone.IdentityZone;
-import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
-import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
-import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning;
-import org.cloudfoundry.identity.uaa.zone.InvalidIdentityZoneDetailsException;
-import org.cloudfoundry.identity.uaa.zone.Links;
-import org.cloudfoundry.identity.uaa.zone.MultitenancyFixture;
+import org.cloudfoundry.identity.uaa.zone.*;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
@@ -82,13 +75,7 @@
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.sql.Timestamp;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
+import java.util.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -96,14 +83,15 @@
 import static java.util.Collections.EMPTY_LIST;
 import static java.util.Collections.singleton;
 import static java.util.Collections.singletonList;
-import static org.cloudfoundry.identity.uaa.constants.OriginKeys.LDAP;
-import static org.cloudfoundry.identity.uaa.constants.OriginKeys.UAA;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.*;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.SAML;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.CookieCsrfPostProcessor.cookieCsrf;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.IdentityZoneCreationResult;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.constructGoogleMfaProvider;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.createOtherIdentityZone;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.getMarissaSecurityContext;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.getUaaSecurityContext;
+import static org.cloudfoundry.identity.uaa.util.SessionUtils.SAVED_REQUEST_SESSION_ATTRIBUTE;
 import static org.cloudfoundry.identity.uaa.zone.IdentityZone.getUaa;
 import static org.hamcrest.Matchers.allOf;
 import static org.hamcrest.Matchers.containsString;
@@ -222,6 +210,87 @@ private void resetUaaZoneConfigToDefault(IdentityZoneConfigurationBootstrap iden
         identityZoneConfigurationBootstrap.afterPropertiesSet();
     }
 
+    private static MockHttpSession configure_UAA_for_idp_discovery(
+            WebApplicationContext webApplicationContext,
+            JdbcIdentityProviderProvisioning jdbcIdentityProviderProvisioning,
+            RandomValueStringGenerator generator,
+            String originKey,
+            IdentityZone zone, List<String> allowedProviders) {
+
+        String metadata = String.format(MockMvcUtils.IDP_META_DATA, new RandomValueStringGenerator().generate());
+        SamlIdentityProviderDefinition config = (SamlIdentityProviderDefinition) new SamlIdentityProviderDefinition()
+                .setMetaDataLocation(metadata)
+                .setIdpEntityAlias(originKey)
+                .setLinkText("Active SAML Provider")
+                .setZoneId(zone.getId())
+                .setEmailDomain(Collections.singletonList("test.org"));
+
+        IdentityProvider identityProvider = MultitenancyFixture.identityProvider(originKey, zone.getId());
+        identityProvider.setType(OriginKeys.SAML);
+        identityProvider.setConfig(config);
+        createIdentityProvider(jdbcIdentityProviderProvisioning, zone, identityProvider);
+
+        identityProvider = MultitenancyFixture.identityProvider(LDAP, zone.getId());
+        identityProvider.setType(LDAP);
+        identityProvider.setConfig(new LdapIdentityProviderDefinition().setEmailDomain(Collections.singletonList("testLdap.org")));
+        createIdentityProvider(jdbcIdentityProviderProvisioning, zone, identityProvider);
+
+        String clientId = generator.generate();
+        BaseClientDetails client = new BaseClientDetails(clientId, "", "", "client_credentials", "uaa.none", "http://*.wildcard.testing,http://testing.com");
+        client.addAdditionalInformation(ClientConstants.ALLOWED_PROVIDERS, allowedProviders);
+
+        MockMvcUtils.createClient(webApplicationContext, client, zone);
+        SavedRequest savedRequest = getSavedRequest(client);
+
+        MockHttpSession session = new MockHttpSession();
+        session.setAttribute(SAVED_REQUEST_SESSION_ATTRIBUTE, savedRequest);
+        return session;
+    }
+
+    private void expect_idp_discovery(
+            JdbcIdentityProviderProvisioning identityProviderProvisioning,
+            JdbcIdentityZoneProvisioning identityZoneProvisioning,
+            List<String> allowedProviders
+    ) throws Exception {
+        IdentityZoneConfiguration config = new IdentityZoneConfiguration();
+        config.setIdpDiscoveryEnabled(true);
+
+        IdentityZone zone = setupZone(webApplicationContext, mockMvc, identityZoneProvisioning, generator, config);
+
+        String originKey = "fake-origin-key";
+        allowedProviders.add(originKey);
+
+        MockHttpSession session = configure_UAA_for_idp_discovery(webApplicationContext, identityProviderProvisioning, generator, originKey, zone, allowedProviders);
+
+        mockMvc.perform(get("/login")
+                .session(session)
+                .header("Accept", TEXT_HTML)
+                .with(new SetServerNameRequestPostProcessor(zone.getSubdomain() + ".localhost")))
+                .andExpect(status().isOk())
+                .andExpect(view().name("idp_discovery/email"))
+                .andExpect(xpath("//input[@name='email']").exists());
+    }
+
+    @Test
+    void access_discovery_when_expected(
+            @Autowired JdbcIdentityProviderProvisioning identityProviderProvisioning,
+            @Autowired JdbcIdentityZoneProvisioning identityZoneProvisioning) throws Exception {
+
+        List<List<String>> allowedProvidersPermutations = new ArrayList<>();
+        allowedProvidersPermutations.add(new ArrayList<>(asList(UAA, LDAP, SAML))); // Model should not contain a login hint if we allow both UAA and LDAP
+        allowedProvidersPermutations.add(new ArrayList<>(asList(UAA, LDAP      ))); // Model should not contain a login hint if we allow both UAA and LDAP
+        allowedProvidersPermutations.add(new ArrayList<>(asList(UAA,       SAML))); // Model should contain a login hint if we exclude LDAP from allowed providers
+        allowedProvidersPermutations.add(new ArrayList<>(asList(     LDAP, SAML))); // Model should contain a login hint if we exclude UAA from allowed providers
+
+        allowedProvidersPermutations.add(new ArrayList<>(singletonList(UAA)));  // Model should contain a login hint if we exclude LDAP from allowed providers
+        allowedProvidersPermutations.add(new ArrayList<>(singletonList(LDAP))); // Model should contain a login hint if we exclude UAA from allowed providers
+        allowedProvidersPermutations.add(new ArrayList<>(singletonList(SAML))); // Model should not contain a login hint if we exclude both UAA and LDAP
+
+        for (List<String> allowedProviders : allowedProvidersPermutations) {
+            expect_idp_discovery(identityProviderProvisioning, identityZoneProvisioning, allowedProviders);
+        }
+    }
+
     @Test
     void access_login_page_while_logged_in() throws Exception {
         SecurityContext securityContext = MockMvcUtils.getMarissaSecurityContext(webApplicationContext, IdentityZoneHolder.getCurrentZoneId());

From b1e23eceb3745859f415ceb8d8d2bb4ceb15ca38 Mon Sep 17 00:00:00 2001
From: Steve Taylor <staylor@pivotal.io>
Date: Wed, 21 Apr 2021 11:13:49 -0700
Subject: [PATCH 35/76] Restore explicit imports.

- My IntelliJ configuration wants "splat" imports, which appears to be
  out of fashion in the current OSS codebase. I prefer the new style of
  explicit imports, so I've restored them manually.

- Also use uniform static imports for OriginKeys constants.
---
 .../identity/uaa/login/LoginMockMvcTests.java | 48 ++++++++++++-------
 1 file changed, 32 insertions(+), 16 deletions(-)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
index ee958ef5ed0..dd82070f645 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
@@ -6,7 +6,6 @@
 import org.cloudfoundry.identity.uaa.codestore.ExpiringCode;
 import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeStore;
 import org.cloudfoundry.identity.uaa.codestore.JdbcExpiringCodeStore;
-import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.impl.config.IdentityZoneConfigurationBootstrap;
 import org.cloudfoundry.identity.uaa.mfa.MfaProvider;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
@@ -32,7 +31,15 @@
 import org.cloudfoundry.identity.uaa.util.SessionUtils;
 import org.cloudfoundry.identity.uaa.util.SetServerNameRequestPostProcessor;
 import org.cloudfoundry.identity.uaa.web.LimitedModeUaaFilter;
-import org.cloudfoundry.identity.uaa.zone.*;
+import org.cloudfoundry.identity.uaa.zone.BrandingInformation;
+import org.cloudfoundry.identity.uaa.zone.IdentityZone;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning;
+import org.cloudfoundry.identity.uaa.zone.InvalidIdentityZoneDetailsException;
+import org.cloudfoundry.identity.uaa.zone.JdbcIdentityZoneProvisioning;
+import org.cloudfoundry.identity.uaa.zone.Links;
+import org.cloudfoundry.identity.uaa.zone.MultitenancyFixture;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
@@ -75,7 +82,14 @@
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.sql.Timestamp;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -83,8 +97,10 @@
 import static java.util.Collections.EMPTY_LIST;
 import static java.util.Collections.singleton;
 import static java.util.Collections.singletonList;
-import static org.cloudfoundry.identity.uaa.constants.OriginKeys.*;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.LDAP;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.OIDC10;
 import static org.cloudfoundry.identity.uaa.constants.OriginKeys.SAML;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.UAA;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.CookieCsrfPostProcessor.cookieCsrf;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.IdentityZoneCreationResult;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.constructGoogleMfaProvider;
@@ -226,7 +242,7 @@ private static MockHttpSession configure_UAA_for_idp_discovery(
                 .setEmailDomain(Collections.singletonList("test.org"));
 
         IdentityProvider identityProvider = MultitenancyFixture.identityProvider(originKey, zone.getId());
-        identityProvider.setType(OriginKeys.SAML);
+        identityProvider.setType(SAML);
         identityProvider.setConfig(config);
         createIdentityProvider(jdbcIdentityProviderProvisioning, zone, identityProvider);
 
@@ -1308,7 +1324,7 @@ void testSamlLoginLinksShowActiveProviders(
                 .setShowSamlLink(true)
                 .setZoneId(identityZone.getId());
         IdentityProvider activeIdentityProvider = new IdentityProvider();
-        activeIdentityProvider.setType(OriginKeys.SAML);
+        activeIdentityProvider.setType(SAML);
         activeIdentityProvider.setName("Active SAML Provider");
         activeIdentityProvider.setConfig(activeSamlIdentityProviderDefinition);
         activeIdentityProvider.setActive(true);
@@ -1322,7 +1338,7 @@ void testSamlLoginLinksShowActiveProviders(
                 .setLinkText("You should not see me")
                 .setZoneId(identityZone.getId());
         IdentityProvider inactiveIdentityProvider = new IdentityProvider();
-        inactiveIdentityProvider.setType(OriginKeys.SAML);
+        inactiveIdentityProvider.setType(SAML);
         inactiveIdentityProvider.setName("Inactive SAML Provider");
         inactiveIdentityProvider.setConfig(inactiveSamlIdentityProviderDefinition);
         inactiveIdentityProvider.setActive(false);
@@ -1354,7 +1370,7 @@ void testSamlRedirectWhenTheOnlyProvider(
                 .setLinkText("Active SAML Provider")
                 .setZoneId(identityZone.getId());
         IdentityProvider activeIdentityProvider = new IdentityProvider();
-        activeIdentityProvider.setType(OriginKeys.SAML);
+        activeIdentityProvider.setType(SAML);
         activeIdentityProvider.setName("Active SAML Provider");
         activeIdentityProvider.setActive(true);
         activeIdentityProvider.setConfig(activeSamlIdentityProviderDefinition);
@@ -1418,7 +1434,7 @@ void samlRedirect_onlyOneProvider_noClientContext(
                 .setLinkText("Active SAML Provider")
                 .setZoneId(identityZone.getId());
         IdentityProvider activeIdentityProvider = new IdentityProvider();
-        activeIdentityProvider.setType(OriginKeys.SAML);
+        activeIdentityProvider.setType(SAML);
         activeIdentityProvider.setName("Active SAML Provider");
         activeIdentityProvider.setActive(true);
         activeIdentityProvider.setConfig(activeSamlIdentityProviderDefinition);
@@ -1637,7 +1653,7 @@ void noRedirect_ifProvidersOfDifferentTypesPresent(
                 .setLinkText("Active SAML Provider")
                 .setZoneId(identityZone.getId());
         IdentityProvider activeIdentityProvider = new IdentityProvider();
-        activeIdentityProvider.setType(OriginKeys.SAML);
+        activeIdentityProvider.setType(SAML);
         activeIdentityProvider.setName("Active SAML Provider");
         activeIdentityProvider.setActive(true);
         activeIdentityProvider.setConfig(activeSamlIdentityProviderDefinition);
@@ -1691,7 +1707,7 @@ void testNoCreateAccountLinksWhenUAAisNotAllowedProvider(
                 .setLinkText("Active3 SAML Provider")
                 .setZoneId(identityZone.getId());
         IdentityProvider activeIdentityProvider3 = new IdentityProvider();
-        activeIdentityProvider3.setType(OriginKeys.SAML);
+        activeIdentityProvider3.setType(SAML);
         activeIdentityProvider3.setName("Active 3 SAML Provider");
         activeIdentityProvider3.setActive(true);
         activeIdentityProvider3.setConfig(activeSamlIdentityProviderDefinition3);
@@ -1704,7 +1720,7 @@ void testNoCreateAccountLinksWhenUAAisNotAllowedProvider(
                 .setLinkText("Active2 SAML Provider")
                 .setZoneId(identityZone.getId());
         IdentityProvider activeIdentityProvider2 = new IdentityProvider();
-        activeIdentityProvider2.setType(OriginKeys.SAML);
+        activeIdentityProvider2.setType(SAML);
         activeIdentityProvider2.setName("Active 2 SAML Provider");
         activeIdentityProvider2.setActive(true);
         activeIdentityProvider2.setConfig(activeSamlIdentityProviderDefinition2);
@@ -1789,7 +1805,7 @@ void testDeactivatedProviderIsRemovedFromSamlLoginLinks(
                 .setShowSamlLink(true)
                 .setZoneId(identityZone.getId());
         IdentityProvider identityProvider = new IdentityProvider();
-        identityProvider.setType(OriginKeys.SAML);
+        identityProvider.setType(SAML);
         identityProvider.setName("SAML Provider");
         identityProvider.setActive(true);
         identityProvider.setConfig(samlIdentityProviderDefinition);
@@ -1992,7 +2008,7 @@ void testCsrfForInvitationAcceptPost(@Autowired ExpiringCodeStore expiringCodeSt
         Map<String, String> codeData = new HashMap();
         codeData.put("user_id", ((UaaPrincipal) marissaContext.getAuthentication().getPrincipal()).getId());
         codeData.put("email", ((UaaPrincipal) marissaContext.getAuthentication().getPrincipal()).getEmail());
-        codeData.put("origin", OriginKeys.UAA);
+        codeData.put("origin", UAA);
 
         ExpiringCode code = expiringCodeStore.generateCode(JsonUtils.writeValueAsString(codeData), new Timestamp(System.currentTimeMillis() + 1000 * 60), null, IdentityZoneHolder.get().getId());
 
@@ -2706,7 +2722,7 @@ private static MockHttpSession setUpClientAndProviderForIdpDiscovery(
             .setEmailDomain(Collections.singletonList("test.org"));
 
         IdentityProvider identityProvider = MultitenancyFixture.identityProvider(originKey, zone.getId());
-        identityProvider.setType(OriginKeys.SAML);
+        identityProvider.setType(SAML);
         identityProvider.setConfig(config);
         createIdentityProvider(jdbcIdentityProviderProvisioning, zone, identityProvider);
 
@@ -2884,7 +2900,7 @@ private static String createOIDCProvider(JdbcIdentityProviderProvisioning jdbcId
         }
 
         IdentityProvider identityProvider = MultitenancyFixture.identityProvider(originKey, zone.getId());
-        identityProvider.setType(OriginKeys.OIDC10);
+        identityProvider.setType(OIDC10);
         identityProvider.setConfig(definition);
         createIdentityProvider(jdbcIdentityProviderProvisioning, zone, identityProvider);
         return originKey;

From 1098b19c23aa22aa5ae520e2bdccffec02e10232 Mon Sep 17 00:00:00 2001
From: Cloud Foundry Identity Team <cf-identity-eng@pivotal.io>
Date: Wed, 28 Apr 2021 18:41:35 +0000
Subject: [PATCH 36/76] Update UAA image reference in k8s deployment template
 to
 cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4

---
 k8s/templates/values/image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/k8s/templates/values/image.yml b/k8s/templates/values/image.yml
index 0a6418f398e..c87d02bb66f 100644
--- a/k8s/templates/values/image.yml
+++ b/k8s/templates/values/image.yml
@@ -1,3 +1,3 @@
 #@data/values
 ---
-image: "cloudfoundry/uaa@sha256:7fd48f08134e279a4fe2b8a200ecfdca8cda847175df38f1293e9818d7dd53cc"
+image: "cloudfoundry/uaa@sha256:4c7f2d881bc9c4a075232064e906d032c9512b03b87c06cbb2501560cb2f14e4"

From 55ba41c74fcd64ec533a363c92f74cecf33da6ed Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 2 May 2021 10:43:59 +0200
Subject: [PATCH 37/76] Bump bcprov-jdk15on from 1.66 to 1.67 in /server
 (#1564)

Bumps [bcprov-jdk15on](https://github.com/bcgit/bc-java) from 1.66 to 1.67.
- [Release notes](https://github.com/bcgit/bc-java/releases)
- [Changelog](https://github.com/bcgit/bc-java/blob/master/docs/releasenotes.html)
- [Commits](https://github.com/bcgit/bc-java/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 server/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/pom.xml b/server/pom.xml
index 31a26f3d081..a0ae35d2397 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -766,7 +766,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15on</artifactId>
-      <version>1.66</version>
+      <version>1.67</version>
       <scope>compile</scope>
       <exclusions>
         <exclusion>

From e5ae91967f69507a83a4d37d8614916ddf5641b6 Mon Sep 17 00:00:00 2001
From: Florian Tack <florian.tack@sap.com>
Date: Wed, 5 May 2021 16:09:50 +0200
Subject: [PATCH 38/76] Include passcode prompt in json response if discovery
 or account chooser are enabled

---
 .../identity/uaa/login/LoginInfoEndpoint.java |  2 +-
 .../uaa/login/LoginInfoEndpointTests.java     | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
index 2957f33b422..4e81a988826 100755
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
@@ -316,7 +316,7 @@ private String login(Model model, Principal principal, List<String> excludedProm
                 allIdentityProviders.putAll(samlIdentityProviders);
                 allIdentityProviders.putAll(oauthIdentityProviders);
             }
-        } else if (accountChooserNeeded || (discoveryEnabled && !discoveryPerformed)) {
+        } else if (!jsonResponse && (accountChooserNeeded || (discoveryEnabled && !discoveryPerformed))) {
             //Account Chooser and discovery do not need any IdP information
             oauthIdentityProviders = Collections.emptyMap();
             samlIdentityProviders = Collections.emptyMap();
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
index 38662f3d851..419942690e2 100755
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
@@ -909,6 +909,44 @@ void passcode_prompt_present_whenThereIsAtleastOneActiveOauthProvider() throws E
         assertNotNull(mapPrompts.get("passcode"));
     }
 
+    @Test
+    void passcode_prompt_present_whenThereIsAtleastOneActiveOauthProvider_stillWorksWithAccountChooser() throws Exception {
+        IdentityZoneHolder.get().getConfig().setAccountChooserEnabled(true);
+        LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get());
+
+        RawExternalOAuthIdentityProviderDefinition definition = new RawExternalOAuthIdentityProviderDefinition()
+                .setAuthUrl(new URL("http://auth.url"))
+                .setTokenUrl(new URL("http://token.url"));
+
+        IdentityProvider<AbstractExternalOAuthIdentityProviderDefinition> identityProvider = MultitenancyFixture.identityProvider("oauth-idp-alias", "uaa");
+        identityProvider.setConfig(definition);
+
+        when(mockIdentityProviderProvisioning.retrieveAll(anyBoolean(), anyString())).thenReturn(singletonList(identityProvider));
+        endpoint.infoForLoginJson(extendedModelMap, null, new MockHttpServletRequest("GET", "http://someurl"));
+
+        Map mapPrompts = (Map) extendedModelMap.get("prompts");
+        assertNotNull(mapPrompts.get("passcode"));
+    }
+
+    @Test
+    void passcode_prompt_present_whenThereIsAtleastOneActiveOauthProvider_stillWorksWithDiscovery() throws Exception {
+        IdentityZoneHolder.get().getConfig().setIdpDiscoveryEnabled(true);
+        LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get());
+
+        RawExternalOAuthIdentityProviderDefinition definition = new RawExternalOAuthIdentityProviderDefinition()
+                .setAuthUrl(new URL("http://auth.url"))
+                .setTokenUrl(new URL("http://token.url"));
+
+        IdentityProvider<AbstractExternalOAuthIdentityProviderDefinition> identityProvider = MultitenancyFixture.identityProvider("oauth-idp-alias", "uaa");
+        identityProvider.setConfig(definition);
+
+        when(mockIdentityProviderProvisioning.retrieveAll(anyBoolean(), anyString())).thenReturn(singletonList(identityProvider));
+        endpoint.infoForLoginJson(extendedModelMap, null, new MockHttpServletRequest("GET", "http://someurl"));
+
+        Map mapPrompts = (Map) extendedModelMap.get("prompts");
+        assertNotNull(mapPrompts.get("passcode"));
+    }
+
     @Test
     void we_return_both_oauth_and_oidc_providers() throws Exception {
         LoginInfoEndpoint endpoint = getEndpoint(IdentityZoneHolder.get());

From 3e8d91a0ba90f7b7eabfb182da81475f5b7079a5 Mon Sep 17 00:00:00 2001
From: Peter Chen <peterch@vmware.com>
Date: Mon, 10 May 2021 10:23:09 -0700
Subject: [PATCH 39/76] Fix comment

---
 .../org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
index 4e81a988826..8f22b788c60 100755
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
@@ -317,6 +317,7 @@ private String login(Model model, Principal principal, List<String> excludedProm
                 allIdentityProviders.putAll(oauthIdentityProviders);
             }
         } else if (!jsonResponse && (accountChooserNeeded || (discoveryEnabled && !discoveryPerformed))) {
+            // when `/login` is requested to return html response (as opposed to json response)
             //Account Chooser and discovery do not need any IdP information
             oauthIdentityProviders = Collections.emptyMap();
             samlIdentityProviders = Collections.emptyMap();

From 5bbd5f847a303b6d136afe67c04bad3d646b2d38 Mon Sep 17 00:00:00 2001
From: Hongchol Sinn <hsinn@hsinn-a01.vmware.com>
Date: Tue, 18 May 2021 16:57:25 -0700
Subject: [PATCH 40/76] Fixed the CVE issue where the delete-identity-provider
 response contains relyingPartySecret value #178139149

---
 .../provider/IdentityProviderEndpoints.java   |  1 +
 .../IdentityProviderEndpointsTest.java        | 63 ++++++++++++++++++-
 ...IdentityProviderEndpointsMockMvcTests.java | 38 +++++++++++
 3 files changed, 101 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
index 66adefdad0d..f9eda516696 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
@@ -139,6 +139,7 @@ public ResponseEntity<IdentityProvider> deleteIdentityProvider(@PathVariable Str
         if (publisher!=null && existing!=null) {
             existing.setSerializeConfigRaw(rawConfig);
             publisher.publishEvent(new EntityDeletedEvent<>(existing, SecurityContextHolder.getContext().getAuthentication(), identityZoneManager.getCurrentIdentityZoneId()));
+            redactSensitiveData(existing);
             return new ResponseEntity<>(existing, OK);
         } else {
             return new ResponseEntity<>(UNPROCESSABLE_ENTITY);
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
index 0adccb701de..eb805a545e7 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
@@ -12,6 +12,7 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 
@@ -20,6 +21,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.UUID;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
 
@@ -413,4 +415,63 @@ void testPatchIdentityProviderStatus() {
         ResponseEntity responseEntity = identityProviderEndpoints.updateIdentityProviderStatus("123", identityProviderStatus);
         assertEquals(HttpStatus.OK, responseEntity.getStatusCode());
     }
-}
\ No newline at end of file
+
+    @Test
+    void testDeleteIdentityProviderExisting() {
+        String zoneId = IdentityZone.getUaaZoneId();
+        IdentityProvider validIDP = new IdentityProvider();
+        validIDP.setType(OriginKeys.UAA);
+        validIDP.setConfig(new UaaIdentityProviderDefinition(
+                new PasswordPolicy(), null));
+        String identityProviderIdentifier = UUID.randomUUID().toString();
+        when(mockIdentityProviderProvisioning.retrieve(
+                identityProviderIdentifier, zoneId)).thenReturn(validIDP);
+        identityProviderEndpoints.setApplicationEventPublisher(
+                mock(ApplicationEventPublisher.class));
+
+        // Verify that delete succeeds
+        ResponseEntity<IdentityProvider> deleteResponse =
+                identityProviderEndpoints.deleteIdentityProvider(
+                        identityProviderIdentifier, false);
+        assertEquals(HttpStatus.OK, deleteResponse.getStatusCode());
+        assertEquals(validIDP, deleteResponse.getBody());
+    }
+
+    @Test
+    void testDeleteIdentityProviderNotExisting() {
+        String zoneId = IdentityZone.getUaaZoneId();
+        String identityProviderIdentifier = UUID.randomUUID().toString();
+        when(mockIdentityProviderProvisioning.retrieve(
+                identityProviderIdentifier, zoneId)).thenReturn(null);
+
+        ResponseEntity<IdentityProvider> deleteResponse =
+                identityProviderEndpoints.deleteIdentityProvider(
+                        identityProviderIdentifier, false);
+        assertEquals(HttpStatus.UNPROCESSABLE_ENTITY,
+                deleteResponse.getStatusCode());
+    }
+
+    @Test
+    void testDeleteIdentityProviderResponseNotContainingRelyingPartySecret() {
+        String zoneId = IdentityZone.getUaaZoneId();
+        IdentityProvider validIDP = new IdentityProvider();
+        validIDP.setType(OIDC10);
+        OIDCIdentityProviderDefinition identityProviderDefinition =
+                new OIDCIdentityProviderDefinition();
+        identityProviderDefinition.setRelyingPartySecret("myRelyingPartySecret");
+        validIDP.setConfig(identityProviderDefinition);
+        String identityProviderIdentifier = UUID.randomUUID().toString();
+        when(mockIdentityProviderProvisioning.retrieve(
+                identityProviderIdentifier, zoneId)).thenReturn(validIDP);
+        identityProviderEndpoints.setApplicationEventPublisher(
+                mock(ApplicationEventPublisher.class));
+
+        // Verify that the response's config does not contain relyingPartySecret
+        ResponseEntity<IdentityProvider> deleteResponse =
+                identityProviderEndpoints.deleteIdentityProvider(
+                        identityProviderIdentifier, false);
+        assertEquals(HttpStatus.OK, deleteResponse.getStatusCode());
+        assertNull(((AbstractExternalOAuthIdentityProviderDefinition)deleteResponse
+                .getBody().getConfig()).getRelyingPartySecret());
+    }
+}
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java
index 89c43207368..c684d4e9a0e 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java
@@ -18,6 +18,7 @@
 import org.cloudfoundry.identity.uaa.audit.AuditEventType;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.impl.config.IdentityProviderBootstrap;
+import org.cloudfoundry.identity.uaa.login.Prompt;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
 import org.cloudfoundry.identity.uaa.provider.*;
 import org.cloudfoundry.identity.uaa.provider.saml.BootstrapSamlIdentityProviderDataTests;
@@ -215,6 +216,43 @@ void test_delete_with_invalid_id_returns_404() throws Exception {
         ).andExpect(status().isNotFound());
     }
 
+    @Test
+    void test_delete_response_not_containing_relying_partySecret() throws Exception {
+        BaseClientDetails client = getBaseClientDetails();
+
+        ScimUser user = MockMvcUtils.createAdminForZone(mockMvc, adminToken, "idps.read,idps.write", IdentityZone.getUaaZoneId());
+        String accessToken = MockMvcUtils.getUserOAuthAccessToken(mockMvc, client.getClientId(), client.getClientSecret(), user.getUserName(), "secr3T", "idps.read,idps.write");
+
+        String originKey = RandomStringUtils.randomAlphabetic(6);
+        OIDCIdentityProviderDefinition definition = new OIDCIdentityProviderDefinition();
+        definition.setDiscoveryUrl(new URL("https://accounts.google.com/.well-known/openid-configuration"));
+        definition.setSkipSslValidation(true);
+        definition.setRelyingPartyId("uaa");
+        definition.setRelyingPartySecret("secret");
+        definition.setShowLinkText(false);
+        definition.setUserPropagationParameter("username");
+        definition.setExternalGroupsWhitelist(Collections.singletonList("uaa.user"));
+        List<Prompt> prompts = Arrays.asList(new Prompt("username", "text", "Email"),
+                new Prompt("password", "password", "Password"),
+                new Prompt("passcode", "password", "Temporary Authentication Code (Get on at /passcode)"));
+        definition.setPrompts(prompts);
+
+        IdentityProvider newIdp = MultitenancyFixture.identityProvider(originKey, IdentityZone.getUaaZoneId());
+        newIdp.setConfig(definition);
+
+        IdentityProvider createdIdp = createIdentityProvider(null, newIdp, accessToken, status().isCreated());
+
+        MockHttpServletRequestBuilder requestBuilder = delete("/identity-providers/" + createdIdp.getId())
+                .header("Authorization", "Bearer" + accessToken)
+                .contentType(APPLICATION_JSON);
+
+        MvcResult result = mockMvc.perform(requestBuilder).andExpect(status().isOk()).andReturn();
+        IdentityProvider returnedIdentityProvider = JsonUtils.readValue(
+                result.getResponse().getContentAsString(), IdentityProvider.class);
+        assertNull(((AbstractExternalOAuthIdentityProviderDefinition)returnedIdentityProvider.getConfig())
+                .getRelyingPartySecret());
+    }
+
     @Test
     void testEnsureWeRetrieveInactiveIDPsToo() throws Exception {
         testRetrieveIdps(false);

From 8107496961858d5c6bbc8046eb9c13a7e0c166a0 Mon Sep 17 00:00:00 2001
From: Peter Chen <peterch@vmware.com>
Date: Wed, 19 May 2021 15:34:47 -0700
Subject: [PATCH 41/76] feat: validate java version

* When starting the server with gradle

Co-Authored-by: Bruce Ricard <bricard@vmware.com>
---
 build.gradle | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/build.gradle b/build.gradle
index 9e4d492f631..ac6a43135ad 100644
--- a/build.gradle
+++ b/build.gradle
@@ -149,6 +149,10 @@ cargo {
     containerId = "tomcat9x"
     port = applicationPort
 
+    if (JavaVersion.current() != JavaVersion.VERSION_11) {
+        throw new GradleException("This build must be run with java 11")
+    }
+
     deployable {
         file = file("samples/api/build/libs/cloudfoundry-identity-api-" + version + ".war")
         context = "api"

From 71723a71b91e9c57fe34332bd8dec9343d33977d Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bruce.ricard@gmail.com>
Date: Thu, 20 May 2021 11:13:17 -0700
Subject: [PATCH 42/76] feat: error log on internal error

---
 .../identity/uaa/provider/IdentityProviderEndpoints.java      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
index f9eda516696..804dafb2e8c 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
@@ -127,7 +127,7 @@ public ResponseEntity<IdentityProvider> createIdentityProvider(@RequestBody Iden
         } catch (IdpAlreadyExistsException e) {
             return new ResponseEntity<>(body, CONFLICT);
         } catch (Exception x) {
-            logger.debug("Unable to create IdentityProvider[origin="+body.getOriginKey()+"; zone="+body.getIdentityZoneId()+"]", x);
+            logger.error("Unable to create IdentityProvider[origin="+body.getOriginKey()+"; zone="+body.getIdentityZoneId()+"]", x);
             return new ResponseEntity<>(body, INTERNAL_SERVER_ERROR);
         }
     }
@@ -241,7 +241,7 @@ public ResponseEntity<String> testIdentityProvider(@RequestBody IdentityProvider
             status = BAD_REQUEST;
             exception = getExceptionString(x);
         } catch (Exception x) {
-            logger.debug("Identity provider validation failed.", x);
+            logger.error("Identity provider validation failed.", x);
             status = INTERNAL_SERVER_ERROR;
             exception = "check server logs";
         }finally {

From 59f7281ee411df83d012d0dac13586a23f8e1a05 Mon Sep 17 00:00:00 2001
From: Benjamin Gandon <benjamin@gstack.io>
Date: Sat, 5 Dec 2020 19:20:37 +0100
Subject: [PATCH 43/76] Implement support for Github OAuth 2.0 provider

---
 docs/github-oauth2-provider.md                |  46 ++++++
 .../ExternalOAuthAuthenticationManager.java   |  48 +++++-
 ...lOAuthAuthenticationManagerGithubTest.java | 149 ++++++++++++++++++
 .../ExternalOAuthAuthenticationManagerIT.java |   3 +
 4 files changed, 244 insertions(+), 2 deletions(-)
 create mode 100644 docs/github-oauth2-provider.md
 create mode 100644 server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java

diff --git a/docs/github-oauth2-provider.md b/docs/github-oauth2-provider.md
new file mode 100644
index 00000000000..76658164a2c
--- /dev/null
+++ b/docs/github-oauth2-provider.md
@@ -0,0 +1,46 @@
+# Registering Github as external OAuth provider in UAA
+ 
+Github can be setup as an Oauth2 provider for UAA. 
+
+1. Create an OAuth “application” client in Github.
+   For example at: `https://github.com/organizations/{YOUR-ORG}/settings/applications/new`.
+
+   Add following URI in the “_Authorization callback URL_” text field:
+   `http://{UAA_HOST}/login/callback/{origin}`. Additional Github
+   documentation for achieving this can be found here:
+   [Creating an OAuth App](https://docs.github.com/en/free-pro-team@latest/developers/apps/creating-an-oauth-app)
+   [Authorizing OAuth Apps](https://docs.github.com/en/free-pro-team@latest/developers/apps/authorizing-oauth-apps)
+
+2. Make sure you have `Client ID` and `Client secret`.
+
+3. The following configuration needs to be added in login.yml. 
+   Please refer to 'https://accounts.google.com/.well-known/openid-configuration' for authUrl and tokenUrl
+
+        login:
+          oauth:
+            providers:
+              github:
+                type: oauth2.0
+                providerDescription: Github OAuth provider, using the 'Authorization Code Grant' flow
+                authUrl: https://github.com/login/oauth/authorize
+                tokenUrl: https://github.com/login/oauth/access_token
+                checkTokenUrl: https://api.github.com/user
+                scopes:
+                  - read:user
+                  - user:email
+                linkText: Login with Github
+                showLinkText: true
+                addShadowUserOnLogin: true # users won't need to be pre-populated into the UAA database prior to authenticating with Github
+                relyingPartyId: REPLACE_WITH_CLIENT_ID
+                relyingPartySecret: REPLACE_WITH_CLIENT_SECRET
+                skipSslValidation: false
+                clientAuthInBody: true
+                attributeMappings:
+                  given_name: login
+                  family_name: name # Github doesn't split 'given_name' and 'family_name'
+                  user_name: email
+
+4. Ensure that the scope `email` is included in the`scopes` property. Without
+   this, UAA will not be able to identify the authenticated user.
+
+5. Restart UAA. You will see `Login with github` link on your login page.
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index 29080f9cded..85d7cf06990 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -37,6 +37,7 @@
 import org.cloudfoundry.identity.uaa.user.UaaUserPrototype;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.cloudfoundry.identity.uaa.util.LinkedMaskingMultiValueMap;
+import org.cloudfoundry.identity.uaa.util.SessionUtils;
 import org.cloudfoundry.identity.uaa.util.TokenValidation;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.slf4j.Logger;
@@ -63,6 +64,7 @@
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.servlet.support.RequestContextUtils;
 
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -472,6 +474,8 @@ protected String getResponseType(AbstractExternalOAuthIdentityProviderDefinition
         if (RawExternalOAuthIdentityProviderDefinition.class.isAssignableFrom(config.getClass())) {
             if ("signed_request".equals(config.getResponseType()))
                 return "signed_request";
+            else if ("code".equals(config.getResponseType()))
+                return "code";
             else
                 return "token";
         } else if (OIDCIdentityProviderDefinition.class.isAssignableFrom(config.getClass())) {
@@ -523,6 +527,35 @@ protected Map<String, Object> getClaimsFromToken(String idToken,
                 logger.error("Exception", e);
                 return null;
             }
+        } else if ("code".equals(config.getResponseType())
+                && RawExternalOAuthIdentityProviderDefinition.class.isAssignableFrom(config.getClass())
+                && ((RawExternalOAuthIdentityProviderDefinition) config).getCheckTokenUrl() != null) {
+            RawExternalOAuthIdentityProviderDefinition narrowedConfig = (RawExternalOAuthIdentityProviderDefinition) config;
+
+            HttpHeaders headers = new HttpHeaders();
+            headers.add("Authorization", "token " + idToken);
+            headers.add("Accept", "application/json");
+
+            URI requestUri;
+            HttpEntity requestEntity = new HttpEntity<>(headers);
+            try {
+                requestUri = narrowedConfig.getCheckTokenUrl().toURI();
+            } catch (URISyntaxException exc) {
+                logger.error("Invalid URI configured:" + narrowedConfig.getCheckTokenUrl(), exc);
+                return null;
+            }
+
+            logger.debug(String.format("Performing token check with url:%s", requestUri));
+            ResponseEntity<Map<String, Object>> responseEntity =
+                getRestTemplate(config)
+                    .exchange(requestUri,
+                              HttpMethod.GET,
+                              requestEntity,
+                              new ParameterizedTypeReference<Map<String, Object>>() {
+                              }
+                    );
+            logger.debug(String.format("Request completed with status:%s", responseEntity.getStatusCode()));
+            return responseEntity.getBody();
         } else {
             TokenValidation validation = validateToken(idToken, config);
             logger.debug("Decoding id_token");
@@ -596,9 +629,12 @@ private String getTokenFromCode(ExternalOAuthCodeToken codeToken, AbstractExtern
         }
         MultiValueMap<String, String> body = new LinkedMaskingMultiValueMap<>("code", "client_secret");
         body.add("grant_type", GRANT_TYPE_AUTHORIZATION_CODE);
-        body.add("response_type", getResponseType(config));
+        body.add("response_type", getResponseType(config)); // not required by the Oauth 2.0 standard in this 'Access Token Request'
         body.add("code", codeToken.getCode());
         body.add("redirect_uri", codeToken.getRedirectUrl());
+        // NOTE: the "state" body parameter is optional. We also are in
+        // trouble here about how to obtain the correct 'httpSession' to use.
+//         body.add("state", SessionUtils.getStateParam(RequestContextHolder...httpSession, SessionUtils.stateParameterAttributeKeyForIdp(codeToken.getOrigin())));
 
         logger.debug("Adding new client_id and client_secret for token exchange");
         body.add("client_id", config.getRelyingPartyId());
@@ -634,7 +670,7 @@ private String getTokenFromCode(ExternalOAuthCodeToken codeToken, AbstractExtern
                           }
                 );
         logger.debug(String.format("Request completed with status:%s", responseEntity.getStatusCode()));
-        return responseEntity.getBody().get(getResponseType(config));
+        return responseEntity.getBody().get(getTokenFieldName(config));
     }
 
     private String getClientAuthHeader(AbstractExternalOAuthIdentityProviderDefinition config) {
@@ -642,6 +678,14 @@ private String getClientAuthHeader(AbstractExternalOAuthIdentityProviderDefiniti
         return "Basic " + clientAuth;
     }
 
+    private String getTokenFieldName(AbstractExternalOAuthIdentityProviderDefinition config) {
+        String responseType = getResponseType(config);
+        if (responseType == "code" || responseType == "token") {
+            return "access_token"; // Oauth 2.0
+        }
+        return responseType;
+    }
+
     public void setTokenEndpointBuilder(TokenEndpointBuilder tokenEndpointBuilder) {
         this.tokenEndpointBuilder = tokenEndpointBuilder;
     }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
new file mode 100644
index 00000000000..80128b77041
--- /dev/null
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
@@ -0,0 +1,149 @@
+package org.cloudfoundry.identity.uaa.provider.oauth;
+
+import static com.google.common.collect.Lists.newArrayList;
+import static org.cloudfoundry.identity.uaa.util.UaaMapUtils.entry;
+import static org.cloudfoundry.identity.uaa.util.UaaMapUtils.map;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.springframework.http.HttpHeaders.ACCEPT;
+import static org.springframework.http.HttpHeaders.AUTHORIZATION;
+import static org.springframework.http.HttpMethod.GET;
+import static org.springframework.http.HttpMethod.POST;
+import static org.springframework.http.MediaType.APPLICATION_JSON;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+import static org.springframework.test.web.client.match.MockRestRequestMatchers.header;
+import static org.springframework.test.web.client.match.MockRestRequestMatchers.method;
+import static org.springframework.test.web.client.match.MockRestRequestMatchers.requestTo;
+import static org.springframework.test.web.client.response.MockRestResponseCreators.withSuccess;
+
+import java.net.URL;
+import java.util.Map;
+
+import org.cloudfoundry.identity.uaa.oauth.KeyInfoService;
+import org.cloudfoundry.identity.uaa.oauth.TokenEndpointBuilder;
+import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
+import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
+import org.cloudfoundry.identity.uaa.provider.RawExternalOAuthIdentityProviderDefinition;
+import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager.AuthenticationData;
+import org.cloudfoundry.identity.uaa.zone.IdentityZone;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.test.web.client.MockRestServiceServer;
+import org.springframework.web.client.RestTemplate;
+
+public class ExternalOAuthAuthenticationManagerGithubTest {
+    
+    private static final String AUTH_URL = "https://github.example.com/login/oauth/authorize";
+    private static final String TOKEN_URL = "https://github.example.com/login/oauth/access_token";
+    private static final String USER_INFO_URL = "https://api.github.example.com/user";
+
+    private MockRestServiceServer mockGithubServer;
+
+    private ExternalOAuthAuthenticationManager authManager;
+    private String origin;
+    private String zoneId;
+
+    private RawExternalOAuthIdentityProviderDefinition providerConfig;
+    private String uaaIssuerBaseUrl;
+    private TokenEndpointBuilder tokenEndpointBuilder;
+
+    @Before
+    public void setup() throws Exception {
+        origin = "github";
+        zoneId = "zoneId";
+        IdentityZone identityZone = new IdentityZone();
+        identityZone.setId(zoneId);
+        IdentityZoneHolder.set(identityZone);
+
+        IdentityProviderProvisioning identityProviderProvisioning = mock(IdentityProviderProvisioning.class);
+        IdentityProvider<RawExternalOAuthIdentityProviderDefinition> provider = new IdentityProvider<>();
+        providerConfig = new RawExternalOAuthIdentityProviderDefinition();
+        providerConfig.setResponseType("code");
+        providerConfig.setAuthUrl(new URL(AUTH_URL));
+        providerConfig.setTokenUrl(new URL(TOKEN_URL));
+        providerConfig.setCheckTokenUrl(new URL(USER_INFO_URL));
+        providerConfig.setScopes(newArrayList(new String[] { "openid", "email" }));
+        providerConfig.setAddShadowUserOnLogin(true); // the default anyway
+        providerConfig.setRelyingPartyId("github_app_client_id");
+        providerConfig.setRelyingPartySecret("github_app_client_secret");
+        providerConfig.setSkipSslValidation(false); // the default
+        providerConfig.setClientAuthInBody(true);
+        Map<String, Object> attributeMappings = map(
+                entry("given_name", "login"),
+                entry("family_name", "name"),
+                entry("user_name", "email")
+        );
+        providerConfig.setAttributeMappings(attributeMappings);
+        provider.setConfig(providerConfig);
+        when(identityProviderProvisioning.retrieveByOrigin(origin, zoneId)).thenReturn(provider);
+        uaaIssuerBaseUrl = "http://uaa.example.com";
+        tokenEndpointBuilder = new TokenEndpointBuilder(uaaIssuerBaseUrl);
+        
+        RestTemplate trustingRestTemplate = null;
+        RestTemplate nonTrustingRestTemplate = new RestTemplate();
+        mockGithubServer = MockRestServiceServer.createServer(nonTrustingRestTemplate);
+        
+        authManager = new ExternalOAuthAuthenticationManager(identityProviderProvisioning, trustingRestTemplate, nonTrustingRestTemplate, tokenEndpointBuilder, new KeyInfoService(uaaIssuerBaseUrl));
+    }
+
+    @After
+    public void cleanup() {
+        IdentityZoneHolder.clear();
+    }
+
+
+    @Test
+    public void getExternalAuthenticationDetails_doesNotThrowWhenIdTokenIsValid() {
+        // Given
+        String idToken = "xyz";
+        String accessToken = "e72e16c7e42f292c6912e7710c838347ae178b4a";
+        String tokenResponse = "{\"access_token\":\"" + accessToken + "\", \"scope\":\"repo,gist\", \"token_type\":\"bearer\"}";
+        mockGithubServer.expect(method(POST))
+            .andExpect(requestTo(TOKEN_URL))
+            .andExpect(header(ACCEPT, APPLICATION_JSON_VALUE))
+//            .andExpect(content().json("{\n"
+//                    + "\"client_id\": \"github_app_client_id\",\n"
+//                    + "\"client_secret\": \"github_app_client_secret\",\n"
+//                    + "\"code\": \"" + idToken + "\"\n"
+//                    + "}"))
+            .andRespond(withSuccess(tokenResponse, APPLICATION_JSON));
+
+        String userInfoResponse = "{\n"
+                + "  \"login\": \"octocat\",\n"
+                + "  \"id\": 1,\n"
+                + "  \"type\": \"User\",\n"
+                + "  \"site_admin\": false,\n"
+                + "  \"name\": \"monalisa octocat\",\n"
+                + "  \"company\": \"GitHub\",\n"
+                + "  \"email\": \"octocat@github.example.com\"\n"
+                + "}";
+        mockGithubServer.expect(method(GET))
+            .andExpect(requestTo(USER_INFO_URL))
+            .andExpect(header(ACCEPT, APPLICATION_JSON_VALUE))
+            .andExpect(header(AUTHORIZATION, "token " + accessToken))
+            .andRespond(withSuccess(userInfoResponse, APPLICATION_JSON));
+        
+        ExternalOAuthCodeToken oauth2Authentication = new ExternalOAuthCodeToken(null, origin, "http://uaa.example.com/login/callback/github", idToken, "accesstoken", "signedrequest");
+
+        // When
+        AuthenticationData authenticationData = authManager.getExternalAuthenticationDetails(oauth2Authentication);
+
+        // Then
+        mockGithubServer.verify();
+        assertThat(authenticationData.getUsername(), is(equalTo("octocat@github.example.com")));
+
+        Map<String, Object> claims = authenticationData.getClaims();
+        assertThat(claims.get("login"), is(equalTo("octocat")));
+        assertThat(claims.get("name"), is(equalTo("monalisa octocat")));
+        assertThat(claims.get("email"), is(equalTo("octocat@github.example.com")));
+        
+    }
+    
+}
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
index 1839e2e04b3..9c3c8e99021 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
@@ -284,10 +284,13 @@ void setUp() throws Exception {
     void get_response_type_for_oauth2() {
         RawExternalOAuthIdentityProviderDefinition signed = new RawExternalOAuthIdentityProviderDefinition();
         signed.setResponseType("signed_request");
+        RawExternalOAuthIdentityProviderDefinition code = new RawExternalOAuthIdentityProviderDefinition();
         RawExternalOAuthIdentityProviderDefinition token = new RawExternalOAuthIdentityProviderDefinition();
+        token.setResponseType("token");
         OIDCIdentityProviderDefinition oidcIdentityProviderDefinition = new OIDCIdentityProviderDefinition();
 
         assertEquals("signed_request", externalOAuthAuthenticationManager.getResponseType(signed));
+        assertEquals("code", externalOAuthAuthenticationManager.getResponseType(code));
         assertEquals("token", externalOAuthAuthenticationManager.getResponseType(token));
         assertEquals("id_token", externalOAuthAuthenticationManager.getResponseType(oidcIdentityProviderDefinition));
     }

From c854c335e85518c770014aec69db7308421a2e2b Mon Sep 17 00:00:00 2001
From: Benjamin Gandon <benjamin@gstack.io>
Date: Mon, 7 Dec 2020 14:29:33 +0100
Subject: [PATCH 44/76] Various code/spaces improvements

---
 docs/github-oauth2-provider.md                           | 6 +++---
 .../oauth/ExternalOAuthAuthenticationManager.java        | 9 ++++-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/docs/github-oauth2-provider.md b/docs/github-oauth2-provider.md
index 76658164a2c..5a5437e1235 100644
--- a/docs/github-oauth2-provider.md
+++ b/docs/github-oauth2-provider.md
@@ -1,6 +1,6 @@
 # Registering Github as external OAuth provider in UAA
- 
-Github can be setup as an Oauth2 provider for UAA. 
+
+Github can be setup as an Oauth2 provider for UAA.
 
 1. Create an OAuth “application” client in Github.
    For example at: `https://github.com/organizations/{YOUR-ORG}/settings/applications/new`.
@@ -13,7 +13,7 @@ Github can be setup as an Oauth2 provider for UAA.
 
 2. Make sure you have `Client ID` and `Client secret`.
 
-3. The following configuration needs to be added in login.yml. 
+3. The following configuration needs to be added in login.yml.
    Please refer to 'https://accounts.google.com/.well-known/openid-configuration' for authUrl and tokenUrl
 
         login:
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index 85d7cf06990..f4fa234f03e 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -98,6 +98,7 @@
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_NAME_ATTRIBUTE_NAME;
 import static org.cloudfoundry.identity.uaa.util.TokenValidation.buildIdTokenValidator;
 import static org.cloudfoundry.identity.uaa.util.UaaHttpRequestUtils.isAcceptedInvitationAuthentication;
+import static org.springframework.http.HttpMethod.GET;
 import static org.springframework.util.StringUtils.hasText;
 import static org.springframework.util.StringUtils.isEmpty;
 
@@ -537,20 +538,18 @@ protected Map<String, Object> getClaimsFromToken(String idToken,
             headers.add("Accept", "application/json");
 
             URI requestUri;
-            HttpEntity requestEntity = new HttpEntity<>(headers);
+            HttpEntity<Object> requestEntity = new HttpEntity<>(headers);
             try {
                 requestUri = narrowedConfig.getCheckTokenUrl().toURI();
             } catch (URISyntaxException exc) {
-                logger.error("Invalid URI configured:" + narrowedConfig.getCheckTokenUrl(), exc);
+                logger.error("Invalid URI configured: <" + narrowedConfig.getCheckTokenUrl() + ">", exc);
                 return null;
             }
 
             logger.debug(String.format("Performing token check with url:%s", requestUri));
             ResponseEntity<Map<String, Object>> responseEntity =
                 getRestTemplate(config)
-                    .exchange(requestUri,
-                              HttpMethod.GET,
-                              requestEntity,
+                    .exchange(requestUri, GET, requestEntity,
                               new ParameterizedTypeReference<Map<String, Object>>() {
                               }
                     );

From a000f4edf42acb168e7a83dda9a4f0043cf26d5c Mon Sep 17 00:00:00 2001
From: Benjamin Gandon <benjamin@gstack.io>
Date: Mon, 7 Dec 2020 14:31:39 +0100
Subject: [PATCH 45/76] Share common 'userInfoUrl' property between OIDC and
 OAuth2 config + Use it to fetch OAuth2 user info

---
 docs/github-oauth2-provider.md                       |  2 +-
 ...tractExternalOAuthIdentityProviderDefinition.java | 12 ++++++++++++
 .../uaa/provider/OIDCIdentityProviderDefinition.java | 12 ------------
 .../oauth/ExternalOAuthAuthenticationManager.java    |  6 +++---
 ...ExternalOAuthAuthenticationManagerGithubTest.java |  2 +-
 5 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/docs/github-oauth2-provider.md b/docs/github-oauth2-provider.md
index 5a5437e1235..e3125d38590 100644
--- a/docs/github-oauth2-provider.md
+++ b/docs/github-oauth2-provider.md
@@ -24,7 +24,7 @@ Github can be setup as an Oauth2 provider for UAA.
                 providerDescription: Github OAuth provider, using the 'Authorization Code Grant' flow
                 authUrl: https://github.com/login/oauth/authorize
                 tokenUrl: https://github.com/login/oauth/access_token
-                checkTokenUrl: https://api.github.com/user
+                userInfoUrl: https://api.github.com/user
                 scopes:
                   - read:user
                   - user:email
diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/provider/AbstractExternalOAuthIdentityProviderDefinition.java b/model/src/main/java/org/cloudfoundry/identity/uaa/provider/AbstractExternalOAuthIdentityProviderDefinition.java
index 62df5728e7f..0e09e866906 100644
--- a/model/src/main/java/org/cloudfoundry/identity/uaa/provider/AbstractExternalOAuthIdentityProviderDefinition.java
+++ b/model/src/main/java/org/cloudfoundry/identity/uaa/provider/AbstractExternalOAuthIdentityProviderDefinition.java
@@ -28,6 +28,7 @@ public abstract class AbstractExternalOAuthIdentityProviderDefinition<T extends
     private URL tokenUrl;
     private URL tokenKeyUrl;
     private String tokenKey;
+    private URL userInfoUrl;
     private String linkText;
     private boolean showLinkText = true;
     private boolean clientAuthInBody = false;
@@ -75,6 +76,15 @@ public T setTokenKey(String tokenKey) {
         return (T) this;
     }
 
+    public URL getUserInfoUrl() {
+        return userInfoUrl;
+    }
+
+    public T setUserInfoUrl(URL userInfoUrl) {
+        this.userInfoUrl = userInfoUrl;
+        return (T) this;
+    }
+
     public String getLinkText() {
         return linkText;
     }
@@ -187,6 +197,7 @@ public boolean equals(Object o) {
         if (!Objects.equals(tokenUrl, that.tokenUrl)) return false;
         if (!Objects.equals(tokenKeyUrl, that.tokenKeyUrl)) return false;
         if (!Objects.equals(tokenKey, that.tokenKey)) return false;
+        if (!Objects.equals(userInfoUrl, that.userInfoUrl)) return false;
         if (!Objects.equals(linkText, that.linkText)) return false;
         if (!Objects.equals(relyingPartyId, that.relyingPartyId))
             return false;
@@ -206,6 +217,7 @@ public int hashCode() {
         result = 31 * result + (tokenUrl != null ? tokenUrl.hashCode() : 0);
         result = 31 * result + (tokenKeyUrl != null ? tokenKeyUrl.hashCode() : 0);
         result = 31 * result + (tokenKey != null ? tokenKey.hashCode() : 0);
+        result = 31 * result + (userInfoUrl != null ? userInfoUrl.hashCode() : 0);
         result = 31 * result + (linkText != null ? linkText.hashCode() : 0);
         result = 31 * result + (showLinkText ? 1 : 0);
         result = 31 * result + (skipSslValidation ? 1 : 0);
diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/provider/OIDCIdentityProviderDefinition.java b/model/src/main/java/org/cloudfoundry/identity/uaa/provider/OIDCIdentityProviderDefinition.java
index 0fede8b4f52..9a73d252e48 100644
--- a/model/src/main/java/org/cloudfoundry/identity/uaa/provider/OIDCIdentityProviderDefinition.java
+++ b/model/src/main/java/org/cloudfoundry/identity/uaa/provider/OIDCIdentityProviderDefinition.java
@@ -24,22 +24,12 @@
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class OIDCIdentityProviderDefinition extends AbstractExternalOAuthIdentityProviderDefinition<OIDCIdentityProviderDefinition>
 implements Cloneable {
-    private URL userInfoUrl;
     private URL discoveryUrl;
     private boolean passwordGrantEnabled = false;
     private boolean setForwardHeader = false;
     @JsonInclude(JsonInclude.Include.NON_NULL)
     private List<Prompt> prompts = null;
 
-    public URL getUserInfoUrl() {
-        return userInfoUrl;
-    }
-
-    public OIDCIdentityProviderDefinition setUserInfoUrl(URL userInfoUrl) {
-        this.userInfoUrl = userInfoUrl;
-        return this;
-    }
-
     public URL getDiscoveryUrl() {
         return discoveryUrl;
     }
@@ -85,7 +75,6 @@ public boolean equals(Object o) {
 
         OIDCIdentityProviderDefinition that = (OIDCIdentityProviderDefinition) o;
 
-        if (!Objects.equals(userInfoUrl, that.userInfoUrl)) return false;
         if (this.passwordGrantEnabled != that.passwordGrantEnabled) return false;
         if (this.setForwardHeader != that.setForwardHeader) return false;
         return Objects.equals(discoveryUrl, that.discoveryUrl);
@@ -95,7 +84,6 @@ public boolean equals(Object o) {
     @Override
     public int hashCode() {
         int result = super.hashCode();
-        result = 31 * result + (userInfoUrl != null ? userInfoUrl.hashCode() : 0);
         result = 31 * result + (discoveryUrl != null ? discoveryUrl.hashCode() : 0);
         result = 31 * result + (passwordGrantEnabled ? 1 : 0);
         result = 31 * result + (setForwardHeader ? 1 : 0);
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index f4fa234f03e..51537cc1bea 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -530,7 +530,7 @@ protected Map<String, Object> getClaimsFromToken(String idToken,
             }
         } else if ("code".equals(config.getResponseType())
                 && RawExternalOAuthIdentityProviderDefinition.class.isAssignableFrom(config.getClass())
-                && ((RawExternalOAuthIdentityProviderDefinition) config).getCheckTokenUrl() != null) {
+                && ((RawExternalOAuthIdentityProviderDefinition) config).getUserInfoUrl() != null) {
             RawExternalOAuthIdentityProviderDefinition narrowedConfig = (RawExternalOAuthIdentityProviderDefinition) config;
 
             HttpHeaders headers = new HttpHeaders();
@@ -540,9 +540,9 @@ protected Map<String, Object> getClaimsFromToken(String idToken,
             URI requestUri;
             HttpEntity<Object> requestEntity = new HttpEntity<>(headers);
             try {
-                requestUri = narrowedConfig.getCheckTokenUrl().toURI();
+                requestUri = narrowedConfig.getUserInfoUrl().toURI();
             } catch (URISyntaxException exc) {
-                logger.error("Invalid URI configured: <" + narrowedConfig.getCheckTokenUrl() + ">", exc);
+                logger.error("Invalid user info URI configured: <" + narrowedConfig.getUserInfoUrl() + ">", exc);
                 return null;
             }
 
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
index 80128b77041..dffe517c41f 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
@@ -68,7 +68,7 @@ public void setup() throws Exception {
         providerConfig.setResponseType("code");
         providerConfig.setAuthUrl(new URL(AUTH_URL));
         providerConfig.setTokenUrl(new URL(TOKEN_URL));
-        providerConfig.setCheckTokenUrl(new URL(USER_INFO_URL));
+        providerConfig.setUserInfoUrl(new URL(USER_INFO_URL));
         providerConfig.setScopes(newArrayList(new String[] { "openid", "email" }));
         providerConfig.setAddShadowUserOnLogin(true); // the default anyway
         providerConfig.setRelyingPartyId("github_app_client_id");

From e88732fe1fa0159adb2fdecee8af8ced36de6df1 Mon Sep 17 00:00:00 2001
From: Benjamin Gandon <benjamin@gstack.io>
Date: Wed, 26 May 2021 12:40:54 +0200
Subject: [PATCH 46/76] Adjust unit test to new constructor signature, after
 rebasing on top of the 'develop' branch

---
 ...ernalOAuthAuthenticationManagerGithubTest.java | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
index dffe517c41f..ccff4ad6da9 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java
@@ -20,14 +20,17 @@
 import static org.springframework.test.web.client.response.MockRestResponseCreators.withSuccess;
 
 import java.net.URL;
+import java.time.Duration;
 import java.util.Map;
 
+import org.cloudfoundry.identity.uaa.cache.ExpiringUrlCache;
 import org.cloudfoundry.identity.uaa.oauth.KeyInfoService;
 import org.cloudfoundry.identity.uaa.oauth.TokenEndpointBuilder;
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.RawExternalOAuthIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager.AuthenticationData;
+import org.cloudfoundry.identity.uaa.util.TimeServiceImpl;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.hamcrest.MatcherAssert;
@@ -85,12 +88,18 @@ public void setup() throws Exception {
         when(identityProviderProvisioning.retrieveByOrigin(origin, zoneId)).thenReturn(provider);
         uaaIssuerBaseUrl = "http://uaa.example.com";
         tokenEndpointBuilder = new TokenEndpointBuilder(uaaIssuerBaseUrl);
-        
+
         RestTemplate trustingRestTemplate = null;
         RestTemplate nonTrustingRestTemplate = new RestTemplate();
         mockGithubServer = MockRestServiceServer.createServer(nonTrustingRestTemplate);
-        
-        authManager = new ExternalOAuthAuthenticationManager(identityProviderProvisioning, trustingRestTemplate, nonTrustingRestTemplate, tokenEndpointBuilder, new KeyInfoService(uaaIssuerBaseUrl));
+
+        OidcMetadataFetcher oidcMetadataFetcher = new OidcMetadataFetcher(
+            new ExpiringUrlCache(Duration.ofMinutes(2), new TimeServiceImpl(), 10),
+            trustingRestTemplate,
+            nonTrustingRestTemplate
+        );
+        authManager = new ExternalOAuthAuthenticationManager(identityProviderProvisioning, trustingRestTemplate,
+                nonTrustingRestTemplate, tokenEndpointBuilder, new KeyInfoService(uaaIssuerBaseUrl), oidcMetadataFetcher);
     }
 
     @After

From ae1944333a080233ba9c78578dad81f7877d7522 Mon Sep 17 00:00:00 2001
From: Hongchol Sinn <83615060+hsinn0@users.noreply.github.com>
Date: Thu, 27 May 2021 16:34:04 -0700
Subject: [PATCH 47/76] Additional test cases to verify that ldap bindSecret is
 not included in the response for the CVE issue where the
 delete-identity-provider response contained sensitive data #178139149 (#1572)

---
 .../IdentityProviderEndpointsTest.java        | 18 +++++
 ...IdentityProviderEndpointsMockMvcTests.java | 78 ++++++++++++++++++-
 2 files changed, 93 insertions(+), 3 deletions(-)

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
index eb805a545e7..bfaeb647235 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
@@ -474,4 +474,22 @@ void testDeleteIdentityProviderResponseNotContainingRelyingPartySecret() {
         assertNull(((AbstractExternalOAuthIdentityProviderDefinition)deleteResponse
                 .getBody().getConfig()).getRelyingPartySecret());
     }
+
+    @Test
+    void testDeleteIdentityProviderResponseNotContainingBindPassword() {
+        String zoneId = IdentityZone.getUaaZoneId();
+        IdentityProvider identityProvider = getLdapDefinition();
+        when(mockIdentityProviderProvisioning.retrieve(
+                identityProvider.getId(), zoneId)).thenReturn(identityProvider);
+        identityProviderEndpoints.setApplicationEventPublisher(
+                mock(ApplicationEventPublisher.class));
+
+        // Verify that the response's config does not contain bindPassword
+        ResponseEntity<IdentityProvider> deleteResponse =
+                identityProviderEndpoints.deleteIdentityProvider(
+                        identityProvider.getId(), false);
+        assertEquals(HttpStatus.OK, deleteResponse.getStatusCode());
+        assertNull(((LdapIdentityProviderDefinition)deleteResponse
+                .getBody().getConfig()).getBindPassword());
+    }
 }
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java
index c684d4e9a0e..760b51417fa 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java
@@ -21,12 +21,15 @@
 import org.cloudfoundry.identity.uaa.login.Prompt;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
 import org.cloudfoundry.identity.uaa.provider.*;
+import org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator;
 import org.cloudfoundry.identity.uaa.provider.saml.BootstrapSamlIdentityProviderDataTests;
 import org.cloudfoundry.identity.uaa.scim.ScimUser;
+import org.cloudfoundry.identity.uaa.test.InMemoryLdapServer;
 import org.cloudfoundry.identity.uaa.test.TestApplicationEventListener;
 import org.cloudfoundry.identity.uaa.test.TestClient;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneSwitchingFilter;
 import org.cloudfoundry.identity.uaa.zone.MultitenancyFixture;
 import org.cloudfoundry.identity.uaa.zone.event.IdentityProviderModifiedEvent;
@@ -51,6 +54,7 @@
 import java.net.URL;
 import java.util.*;
 
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.LDAP;
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_NAME_ATTRIBUTE_NAME;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.not;
@@ -217,9 +221,8 @@ void test_delete_with_invalid_id_returns_404() throws Exception {
     }
 
     @Test
-    void test_delete_response_not_containing_relying_partySecret() throws Exception {
+    void test_delete_response_not_containing_relying_party_secret() throws Exception {
         BaseClientDetails client = getBaseClientDetails();
-
         ScimUser user = MockMvcUtils.createAdminForZone(mockMvc, adminToken, "idps.read,idps.write", IdentityZone.getUaaZoneId());
         String accessToken = MockMvcUtils.getUserOAuthAccessToken(mockMvc, client.getClientId(), client.getClientSecret(), user.getUserName(), "secr3T", "idps.read,idps.write");
 
@@ -241,7 +244,6 @@ void test_delete_response_not_containing_relying_partySecret() throws Exception
         newIdp.setConfig(definition);
 
         IdentityProvider createdIdp = createIdentityProvider(null, newIdp, accessToken, status().isCreated());
-
         MockHttpServletRequestBuilder requestBuilder = delete("/identity-providers/" + createdIdp.getId())
                 .header("Authorization", "Bearer" + accessToken)
                 .contentType(APPLICATION_JSON);
@@ -253,6 +255,76 @@ void test_delete_response_not_containing_relying_partySecret() throws Exception
                 .getRelyingPartySecret());
     }
 
+    @Test
+    void test_delete_response_not_containing_bind_password() throws Exception {
+        BaseClientDetails client = getBaseClientDetails();
+        MockMvcUtils.IdentityZoneCreationResult zone =
+                MockMvcUtils.createOtherIdentityZoneAndReturnResult(
+                        "my-sub-domain", mockMvc, webApplicationContext,
+                        client, IdentityZoneHolder.getCurrentZoneId());
+
+        IdentityProvider newIdp = MultitenancyFixture.identityProvider(
+                OriginKeys.LDAP, "");
+        newIdp.setType(LDAP);
+        LdapIdentityProviderDefinition providerDefinition =
+                new LdapIdentityProviderDefinition();
+        providerDefinition.setLdapProfileFile("ldap/ldap-search-and-compare.xml");
+        providerDefinition.setLdapGroupFile("ldap/ldap-groups-as-scopes.xml");
+        providerDefinition.setBindUserDn("cn=admin,ou=Users,dc=test,dc=com");
+        providerDefinition.setBindPassword("adminsecret");
+        providerDefinition.setUserSearchBase("dc=test,dc=com");
+        providerDefinition.setUserSearchFilter("cn={0}");
+        providerDefinition.setPasswordAttributeName("userPassword");
+        providerDefinition.setLocalPasswordCompare(true);
+        providerDefinition.setPasswordEncoder(DynamicPasswordComparator.class.getName());
+        providerDefinition.setGroupSearchBase("ou=scopes,dc=test,dc=com");
+        providerDefinition.setGroupSearchFilter("member={0}");
+        providerDefinition.setAutoAddGroups(true);
+        providerDefinition.setGroupSearchSubTree(true);
+        providerDefinition.setMaxGroupSearchDepth(3);
+        providerDefinition.setGroupRoleAttribute("description");
+
+        try (InMemoryLdapServer ldapServer =
+                     InMemoryLdapServer.startLdap(33389)) {
+            providerDefinition.setBaseUrl(ldapServer.getLdapBaseUrl());
+            newIdp.setConfig(providerDefinition);
+
+            // Create an ldap identity provider
+            MockHttpServletRequestBuilder createRequestBuilder = post(
+                    "/identity-providers")
+                    .param("rawConfig", "true")
+                    .header(IdentityZoneSwitchingFilter.SUBDOMAIN_HEADER,
+                            zone.getIdentityZone().getSubdomain())
+                    .header("Authorization", "Bearer " + zone.getZoneAdminToken())
+                    .contentType(APPLICATION_JSON)
+                    .content(JsonUtils.writeValueAsString(newIdp));
+            MvcResult createResult = mockMvc.perform(createRequestBuilder)
+                    .andExpect(status().isCreated()).andReturn();
+            IdentityProvider createdIdp = JsonUtils.readValue(
+                    createResult.getResponse().getContentAsString(),
+                    IdentityProvider.class);
+
+            // Delete the ldap identity provider and verify that the response
+            // does not contain bindPassword
+            MockHttpServletRequestBuilder requestBuilder = delete(
+                    "/identity-providers/" + createdIdp.getId())
+                    .param("rawConfig", "false")
+                    .header(IdentityZoneSwitchingFilter.HEADER,
+                            zone.getIdentityZone().getId())
+                    .header(IdentityZoneSwitchingFilter.SUBDOMAIN_HEADER,
+                            zone.getIdentityZone().getSubdomain())
+                    .header("Authorization", "Bearer " + zone.getZoneAdminToken())
+                    .contentType(APPLICATION_JSON);
+            MvcResult deleteResult = mockMvc.perform(requestBuilder).andExpect(
+                    status().isOk()).andReturn();
+            IdentityProvider returnedIdentityProvider = JsonUtils.readValue(
+                    deleteResult.getResponse().getContentAsString(),
+                    IdentityProvider.class);
+            assertNull(((LdapIdentityProviderDefinition)returnedIdentityProvider.
+                    getConfig()).getBindPassword());
+        }
+    }
+
     @Test
     void testEnsureWeRetrieveInactiveIDPsToo() throws Exception {
         testRetrieveIdps(false);

From b1b51dc8937963124d2725cedba3d93aec49ecfd Mon Sep 17 00:00:00 2001
From: Peter Chen <pchen@pivotal.io>
Date: Fri, 28 May 2021 10:47:14 -0700
Subject: [PATCH 48/76] Make Java 11 our minimum

- From https://www.oracle.com/java/technologies/java-se-support-roadmap.html,
  Java 11 is the current "LTS".  The next LTS version will be 17, out
  later this year.

Signed-off-by: Steve Taylor <staylor@pivotal.io>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index ac6a43135ad..be6a5a13a84 100644
--- a/build.gradle
+++ b/build.gradle
@@ -149,8 +149,8 @@ cargo {
     containerId = "tomcat9x"
     port = applicationPort
 
-    if (JavaVersion.current() != JavaVersion.VERSION_11) {
-        throw new GradleException("This build must be run with java 11")
+    if (JavaVersion.current() < JavaVersion.VERSION_11) {
+        throw new GradleException("This build must be run with Java version [ " + JavaVersion.VERSION_11 + " ] or greater. Your Java version is [ " + JavaVersion.current() + " ]")
     }
 
     deployable {

From e8a7e497db411a0374c31ac7926dac8ce008ba25 Mon Sep 17 00:00:00 2001
From: Hongchol Sinn <hsinn@vmware.com>
Date: Thu, 3 Jun 2021 12:35:38 -0700
Subject: [PATCH 49/76] Backfilled unit test

* Testing different authTimes for UAATokenSerivces.refreshAccessToken() method

Co-Authored-By: Bruce Ricard <bricard@vmware.com>
---
 .../uaa/oauth/UaaTokenServicesTests.java      | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
index 0cd02b4cf70..b60ae5d7b2d 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
@@ -31,6 +31,7 @@
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.junit.jupiter.params.provider.ValueSource;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -43,6 +44,7 @@
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.TestPropertySource;
 
+import java.time.*;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
@@ -280,6 +282,29 @@ void happyCase() {
             assertThat(refreshedToken, is(notNullValue()));
         }
 
+        @MethodSource("org.cloudfoundry.identity.uaa.oauth.UaaTokenServicesTests#dates")
+        @ParameterizedTest
+        void authTime(Date authTimeDate) {
+            RefreshTokenRequestData refreshTokenRequestData = new RefreshTokenRequestData(
+                    GRANT_TYPE_AUTHORIZATION_CODE,
+                    Sets.newHashSet("openid", "user_attributes"),
+                    null,
+                    "",
+                    Sets.newHashSet(""),
+                    "jku_test",
+                    false,
+                    authTimeDate,
+                    null,
+                    null
+            );
+            UaaUser uaaUser = jdbcUaaUserDatabase.retrieveUserByName("admin", "uaa");
+            refreshToken = refreshTokenCreator.createRefreshToken(uaaUser, refreshTokenRequestData, null);
+            assertThat(refreshToken, is(notNullValue()));
+            OAuth2AccessToken refreshedToken = tokenServices.refreshAccessToken(this.refreshToken.getValue(), new TokenRequest(new HashMap<>(), "jku_test", Lists.newArrayList("openid", "user_attributes"), GRANT_TYPE_REFRESH_TOKEN));
+
+            assertThat(refreshedToken, is(notNullValue()));
+        }
+
         @Nested
         @DisplayName("when ACR claim is present")
         @DefaultTestContext
@@ -508,4 +533,14 @@ private boolean waitForClient(String clientId, int max) {
         }
         return false;
     }
+
+    private static Stream<Arguments> dates() {
+        return Stream.of(
+                Instant.ofEpochSecond(0),
+                Instant.ofEpochSecond(-1),
+                Instant.ofEpochSecond(1),
+                Instant.now(),
+                Instant.ofEpochSecond(Integer.MAX_VALUE)
+        ).map(Date::from).map(Arguments::of);
+    }
 }

From 40e4f4cc90a6451906707842fcd4c52e0a67e251 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 19 May 2021 07:16:47 +0000
Subject: [PATCH 50/76] Bump nokogiri from 1.11.0 to 1.11.4 in /uaa/slate

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.11.0 to 1.11.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.11.0...v1.11.4)

Signed-off-by: dependabot[bot] <support@github.com>
---
 uaa/slate/Gemfile      | 2 +-
 uaa/slate/Gemfile.lock | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/uaa/slate/Gemfile b/uaa/slate/Gemfile
index e27bea82eb4..06dc4f55345 100644
--- a/uaa/slate/Gemfile
+++ b/uaa/slate/Gemfile
@@ -8,6 +8,6 @@ gem 'middleman-autoprefixer', '~> 2.7.0'
 gem 'middleman-sprockets', "~> 4.1.1"
 gem 'rouge', '~> 2.0.5'
 gem 'redcarpet', '~> 3.5.1'
-gem 'nokogiri', '~> 1.11.0'
+gem 'nokogiri', '~> 1.11.4'
 gem 'ffi', '~> 1.9.24'
 gem 'therubyracer', :platform => :ruby
diff --git a/uaa/slate/Gemfile.lock b/uaa/slate/Gemfile.lock
index 1eb59dd45b5..02943481b30 100644
--- a/uaa/slate/Gemfile.lock
+++ b/uaa/slate/Gemfile.lock
@@ -80,9 +80,9 @@ GEM
     middleman-syntax (3.0.0)
       middleman-core (>= 3.2)
       rouge (~> 2.0)
-    mini_portile2 (2.5.0)
+    mini_portile2 (2.5.1)
     minitest (5.10.1)
-    nokogiri (1.11.0)
+    nokogiri (1.11.4)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
     padrino-helpers (0.13.3.3)
@@ -126,7 +126,7 @@ DEPENDENCIES
   middleman-autoprefixer (~> 2.7.0)
   middleman-sprockets (~> 4.1.1)
   middleman-syntax (~> 3.0.0)
-  nokogiri (~> 1.11.0)
+  nokogiri (~> 1.11.4)
   redcarpet (~> 3.5.1)
   rouge (~> 2.0.5)
   therubyracer

From b546b512b049b7199e5693a434254ed9341402a7 Mon Sep 17 00:00:00 2001
From: Hongchol Sinn <hsinn@vmware.com>
Date: Fri, 4 Jun 2021 11:17:36 -0700
Subject: [PATCH 51/76] fix: authTime can be later than 2037

* When attempting to refresh a token with authTime past Jan 2038, the uaa used to return http 500 and logged "class java.lang.Long cannot be cast to class java.lang.Integer"

[#178305682](https://www.pivotaltracker.com/story/show/178305682)

Co-Authored-By: Bruce Ricard <bricard@vmware.com>
---
 .../identity/uaa/oauth/AuthTimeDateConverter.java         | 4 ++--
 .../cloudfoundry/identity/uaa/oauth/UaaTokenServices.java | 8 +++++++-
 .../identity/uaa/oauth/AuthTimeDateConverterTest.java     | 2 +-
 .../identity/uaa/oauth/UaaTokenServicesTests.java         | 8 +++++++-
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverter.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverter.java
index 186306874a0..53ed7f2f394 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverter.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverter.java
@@ -12,9 +12,9 @@
  * http://openid.net/specs/openid-connect-core-1_0.html#IDToken
  */
 public class AuthTimeDateConverter {
-    public static Date authTimeToDate(Integer authTime) {
+    public static Date authTimeToDate(Long authTime) {
         if (null != authTime) {
-            return new Date(authTime.longValue() * 1000l);
+            return new Date(authTime * 1000l);
         }
         return null;
     }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
index 53e1b441674..b4595b21deb 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
@@ -242,7 +242,13 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque
         String revocableHashSignature = (String) refreshTokenClaims.get(REVOCATION_SIGNATURE);
         Map<String, String> additionalAuthorizationInfo = (Map<String, String>) refreshTokenClaims.get(ADDITIONAL_AZ_ATTR);
         Set<String> audience = new HashSet<>((ArrayList<String>) refreshTokenClaims.get(AUD));
-        Integer authTime = (Integer) refreshTokenClaims.get(AUTH_TIME);
+        Number authTimeNumber= (Number) refreshTokenClaims.get(AUTH_TIME);
+        Long authTime;
+        if (authTimeNumber instanceof Integer) {
+            authTime = authTimeNumber.longValue();
+        } else {
+            authTime = (Long)authTimeNumber;
+        }
 
         // default request scopes to what is in the refresh token
         Set<String> requestedScopes = request.getScope().isEmpty() ? Sets.newHashSet(tokenScopes) : request.getScope();
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverterTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverterTest.java
index 2f90c2dd89c..6b0abc43b9f 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverterTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/AuthTimeDateConverterTest.java
@@ -15,7 +15,7 @@ public void authTimeToDate_whenNull() {
 
     @Test
     public void authTimeToDate_whenNotNull() {
-        Date date = AuthTimeDateConverter.authTimeToDate(1);
+        Date date = AuthTimeDateConverter.authTimeToDate(1l);
         assertEquals(new Date(1000l), date);
     }
 
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
index b60ae5d7b2d..30b2c5a57dd 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
@@ -540,7 +540,13 @@ private static Stream<Arguments> dates() {
                 Instant.ofEpochSecond(-1),
                 Instant.ofEpochSecond(1),
                 Instant.now(),
-                Instant.ofEpochSecond(Integer.MAX_VALUE)
+                Instant.ofEpochSecond(Integer.MAX_VALUE),
+                Instant.ofEpochSecond(Integer.MAX_VALUE + 1L),
+                Instant.from(ZonedDateTime.of(
+                        LocalDate.of(10000, Month.MAY, 20),
+                        LocalTime.of(0, 0),
+                        ZoneId.systemDefault())
+                )
         ).map(Date::from).map(Arguments::of);
     }
 }

From f45d3c0c727b3bd22773ef2142a428745a89774c Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bruce.ricard@gmail.com>
Date: Tue, 8 Jun 2021 04:16:35 -0700
Subject: [PATCH 52/76] fix: test runner flakes

* the tests are flaking regularly because the DB initialization
  command is failing stating that it cannot connect to the DB

* this commit adds a retry to that DB initialization command which
  should hopefully fix the issue
---
 scripts/start_db_helper.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/scripts/start_db_helper.sh b/scripts/start_db_helper.sh
index 036e9c9f3d8..081162ce9e4 100755
--- a/scripts/start_db_helper.sh
+++ b/scripts/start_db_helper.sh
@@ -74,7 +74,18 @@ function bootDB {
       set -x
       echo "Connection established to $db"
       sleep 1
-      eval "$initDB"
+
+      for attempt in $(seq 1 10); do
+          if eval "$initDB"; then
+              echo 'DB initialized'
+              break
+          else
+              local wait_time="$((2 ** (attempt - 1)))"
+              echo "Error initializing the DB, retrying in ${wait_time} seconds"
+              sleep "${wait_time}"
+          fi
+      done
+
 
       for db_id in `seq 1 $NUM_OF_DATABASES_TO_CREATE`; do
         createDB $db_id

From 10f351878dd1030fab99283c01283e214140d9ef Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bruce.ricard@gmail.com>
Date: Tue, 8 Jun 2021 04:19:58 -0700
Subject: [PATCH 53/76] do not sleep more than 1 minute

---
 scripts/start_db_helper.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/start_db_helper.sh b/scripts/start_db_helper.sh
index 081162ce9e4..8baa9d25c29 100755
--- a/scripts/start_db_helper.sh
+++ b/scripts/start_db_helper.sh
@@ -75,7 +75,7 @@ function bootDB {
       echo "Connection established to $db"
       sleep 1
 
-      for attempt in $(seq 1 10); do
+      for attempt in $(seq 1 7); do
           if eval "$initDB"; then
               echo 'DB initialized'
               break

From 2a4d27128653fb9ddd0ff3b805bafa2fce6155d6 Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bruce.ricard@gmail.com>
Date: Tue, 8 Jun 2021 04:20:54 -0700
Subject: [PATCH 54/76] formatting: whitespaces

---
 scripts/start_db_helper.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/start_db_helper.sh b/scripts/start_db_helper.sh
index 8baa9d25c29..09d8f813c21 100755
--- a/scripts/start_db_helper.sh
+++ b/scripts/start_db_helper.sh
@@ -63,7 +63,7 @@ function bootDB {
   echo -n "Booting $db"
   set -x
   eval "$launchDB"
-  
+
   for i in {0..600} # wait at most 10 mins to the database to start
   do
     set +ex

From 1c5b06588617fcf95476d50e943cb6343c94f334 Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bruce.ricard@gmail.com>
Date: Tue, 8 Jun 2021 04:21:48 -0700
Subject: [PATCH 55/76] refactor: extract variable

---
 scripts/start_db_helper.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/start_db_helper.sh b/scripts/start_db_helper.sh
index 09d8f813c21..99d073c28e3 100755
--- a/scripts/start_db_helper.sh
+++ b/scripts/start_db_helper.sh
@@ -75,7 +75,8 @@ function bootDB {
       echo "Connection established to $db"
       sleep 1
 
-      for attempt in $(seq 1 7); do
+      local number_attempts=7
+      for attempt in $(seq 1 ${number_attempts}); do
           if eval "$initDB"; then
               echo 'DB initialized'
               break

From b262e9860cf0d991a2141ade9e02d9e85fb1999d Mon Sep 17 00:00:00 2001
From: Bruce Ricard <bruce.ricard@gmail.com>
Date: Tue, 8 Jun 2021 04:23:21 -0700
Subject: [PATCH 56/76] feat: output message when DB cannot be initialized

---
 scripts/start_db_helper.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/start_db_helper.sh b/scripts/start_db_helper.sh
index 99d073c28e3..7bcab978619 100755
--- a/scripts/start_db_helper.sh
+++ b/scripts/start_db_helper.sh
@@ -81,6 +81,11 @@ function bootDB {
               echo 'DB initialized'
               break
           else
+              if [[ ${attempt} == ${number_attempts} ]]; then
+                  echo 'error initializing the DB, aborting'
+                  exit 2
+              fi
+
               local wait_time="$((2 ** (attempt - 1)))"
               echo "Error initializing the DB, retrying in ${wait_time} seconds"
               sleep "${wait_time}"

From 0da508734c73e332db000e398d89600b7872da61 Mon Sep 17 00:00:00 2001
From: Hongchol Sinn <hsinn@vmware.com>
Date: Wed, 9 Jun 2021 15:09:03 -0700
Subject: [PATCH 57/76] Use Claims class to desrialize the token string.

Co-authored-by: Peter Chen <peterch@vmware.com>
Co-authored-by: Bruce Ricard <bricard@vmware.com>
---
 .../identity/uaa/oauth/UaaTokenServices.java  | 38 ++++++++++---------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
index b4595b21deb..49a24b56956 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
@@ -27,6 +27,7 @@
 import org.cloudfoundry.identity.uaa.oauth.refresh.CompositeExpiringOAuth2RefreshToken;
 import org.cloudfoundry.identity.uaa.oauth.refresh.RefreshTokenCreator;
 import org.cloudfoundry.identity.uaa.oauth.refresh.RefreshTokenRequestData;
+import org.cloudfoundry.identity.uaa.oauth.token.Claims;
 import org.cloudfoundry.identity.uaa.oauth.token.CompositeToken;
 import org.cloudfoundry.identity.uaa.oauth.token.RevocableToken;
 import org.cloudfoundry.identity.uaa.oauth.token.RevocableTokenProvisioning;
@@ -229,26 +230,27 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque
         Map<String, Object> refreshTokenClaims = tokenValidation.getClaims();
 
         ArrayList<String> tokenScopes = getScopesFromRefreshToken(refreshTokenClaims);
-
         refreshTokenCreator.ensureRefreshTokenCreationNotRestricted(tokenScopes);
 
-        String userId = (String) refreshTokenClaims.get(USER_ID);
-        String refreshTokenId = (String) refreshTokenClaims.get(JTI);
-        Integer refreshTokenExpirySeconds = (Integer) refreshTokenClaims.get(EXPIRY_IN_SECONDS);
-        String clientId = (String) refreshTokenClaims.get(CID);
-        Boolean revocableClaim = (Boolean) refreshTokenClaims.get(REVOCABLE);
-        String refreshGrantType = refreshTokenClaims.get(GRANT_TYPE).toString();
-        String nonce = (String) refreshTokenClaims.get(NONCE);
-        String revocableHashSignature = (String) refreshTokenClaims.get(REVOCATION_SIGNATURE);
-        Map<String, String> additionalAuthorizationInfo = (Map<String, String>) refreshTokenClaims.get(ADDITIONAL_AZ_ATTR);
-        Set<String> audience = new HashSet<>((ArrayList<String>) refreshTokenClaims.get(AUD));
-        Number authTimeNumber= (Number) refreshTokenClaims.get(AUTH_TIME);
-        Long authTime;
-        if (authTimeNumber instanceof Integer) {
-            authTime = authTimeNumber.longValue();
-        } else {
-            authTime = (Long)authTimeNumber;
-        }
+        Claims claims;
+        try {
+            String s = JsonUtils.writeValueAsString(refreshTokenClaims);
+            claims = JsonUtils.readValue(s, Claims.class);
+        } catch (JsonUtils.JsonUtilException e) {
+            logger.error("Cannot read token claims", e);
+            throw new InvalidTokenException("Cannot read token claims", e);
+        }
+        String userId = claims.getUserId();
+        String refreshTokenId = claims.getJti();
+        Long refreshTokenExpirySeconds = claims.getExp();
+        String clientId = claims.getCid();
+        Boolean revocableClaim = claims.isRevocable();
+        String refreshGrantType = claims.getGrantType();
+        String nonce = claims.getNonce();
+        String revocableHashSignature = claims.getRevSig();
+        Map<String, String> additionalAuthorizationInfo = claims.getAzAttr();
+        Set<String> audience = Set.copyOf(claims.getAud());
+        Long authTime = claims.getAuthTime();
 
         // default request scopes to what is in the refresh token
         Set<String> requestedScopes = request.getScope().isEmpty() ? Sets.newHashSet(tokenScopes) : request.getScope();

From f9cfbc9401b70fcf0ec4147739b14a5ef319d163 Mon Sep 17 00:00:00 2001
From: Torsten Luh <torsten-sap@users.noreply.github.com>
Date: Thu, 10 Jun 2021 17:53:19 +0200
Subject: [PATCH 58/76] Small improvements for the consent form (#1561)

---
 .../src/main/resources/templates/web/access_confirmation.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/main/resources/templates/web/access_confirmation.html b/server/src/main/resources/templates/web/access_confirmation.html
index a66b703a9e3..7f55cd48f42 100644
--- a/server/src/main/resources/templates/web/access_confirmation.html
+++ b/server/src/main/resources/templates/web/access_confirmation.html
@@ -21,7 +21,7 @@ <h2 th:text="${client_display_name}">Cloudbees</h2>
             <p>
                 <th:block th:text="${client_display_name}">Cloudbees</th:block> has requested permission to
                 access your account. If you do not recognize this application or
-                its URL, you should click deny. The application will not see your password.
+                its URL, you should click Deny. The application will not see your password.
             </p>
             <ul class="application-scopes">
                 <th:block th:each="scope, iter : ${undecided_scopes}">
@@ -51,7 +51,7 @@ <h2 th:text="${client_display_name}">Cloudbees</h2>
             </ul>
             <p>
                 You can change your approval of permissions or revoke access for this application
-                at any time from account settings. By approving access, you agree to
+                at any time from the account settings. By approving access, you agree to
                 <th:block th:text="${client_display_name}">Cloudbees</th:block>'s terms of service and privacy policy.
             </p>
             <div class="actions">

From 64f0d47d0bd8ed03dc0e664e52a02e04eea35b8c Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Thu, 10 Jun 2021 00:00:39 +0200
Subject: [PATCH 59/76] Bump bouncyCastleVersion from 1.68 to 1.69

---
 dependencies.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index 71ffbd6d158..db7c6d385a0 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -10,7 +10,7 @@ ext["flyway.version"] = "5.2.4"
 // Versions shared between multiple dependencies
 versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
-versions.bouncyCastleVersion = "1.68"
+versions.bouncyCastleVersion = "1.69"
 versions.hamcrestVersion = "2.2"
 versions.springBootVersion = "2.4.5"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"

From f1dcbbd863447a4d80b9841c2eb082b64e6e9289 Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Thu, 10 Jun 2021 19:27:35 +0200
Subject: [PATCH 60/76] Bump Spring Dependencies (#1577)

* Bump Spring Dependencies

spring boot 2.4.6
spring framework 5.3.7
tomcat 9.0.46

* Update settings.gradle

* Update settings.gradle

* Update settings.gradle
---
 dependencies.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index db7c6d385a0..45245736062 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -12,13 +12,13 @@ versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
 versions.bouncyCastleVersion = "1.69"
 versions.hamcrestVersion = "2.2"
-versions.springBootVersion = "2.4.5"
+versions.springBootVersion = "2.4.6"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"
 versions.springSecurityOAuthVersion = "2.5.0.RELEASE"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
-versions.springVersion = "5.3.6"
+versions.springVersion = "5.3.7"
 versions.xmlBind = "2.3.0.1"
-versions.tomcatCargoVersion = "9.0.45"
+versions.tomcatCargoVersion = "9.0.46"
 
 // Dependencies (some rely on shared versions, some are shared between projects)
 libraries.apacheCommonsRngCore = "org.apache.commons:commons-rng-core:1.3"

From edcf52e64324ce9ce2c6f0a25dc2ff0505f35c22 Mon Sep 17 00:00:00 2001
From: Peter Chen <peterch@vmware.com>
Date: Mon, 14 Jun 2021 13:39:13 -0700
Subject: [PATCH 61/76] fix: test token audience claim in an unordered way

- certain recent change (possibly this commit: https://github.com/cloudfoundry/uaa/commit/0da508734c73e332db000e398d89600b7872da61)
results in failed tests that assert that the token's audience claim should conform to a certain order
- this is likely due to the source of the audience claim data uses the  data structure, where order is not guaranteed
- We believe that based on OAuth/OIDC specs, the audience claim data (which is an array in the JSON token)
is meant to be unordered, so the tests are overly strict
- In this commit, we relax the tests to not assert on the order of the audience claim array

[#178504539]
---
 .../uaa/oauth/DeprecatedUaaTokenServicesTests.java         | 7 ++++---
 .../oauth/token/matchers/OAuth2AccessTokenMatchers.java    | 2 +-
 .../oauth/token/matchers/OAuth2RefreshTokenMatchers.java   | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java
index a82de9fb546..bc61009c5f9 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java
@@ -75,6 +75,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.startsWith;
 import static org.hamcrest.Matchers.*;
+import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.core.AllOf.allOf;
 import static org.hamcrest.number.OrderingComparison.greaterThan;
 import static org.hamcrest.number.OrderingComparison.lessThanOrEqualTo;
@@ -2103,7 +2104,7 @@ private void assertCommonClientAccessTokenProperties(OAuth2AccessToken accessTok
           username(is(nullValue())),
           cid(is(CLIENT_ID)),
           scope(is(tokenSupport.clientScopes)),
-          audience(is(tokenSupport.resourceIds)),
+          audience(containsInAnyOrder(tokenSupport.resourceIds.toArray(new String[]{}))),
           jwtId(not(isEmptyString())),
           issuedAt(is(greaterThan(0))),
           expiry(is(greaterThan(0)))));
@@ -2114,7 +2115,7 @@ private void assertCommonUserAccessTokenProperties(OAuth2AccessToken accessToken
         assertThat(accessToken, allOf(username(is(tokenSupport.username)),
           clientId(is(clientId)),
           subject(is(tokenSupport.userId)),
-          audience(is(tokenSupport.resourceIds)),
+          audience(containsInAnyOrder(tokenSupport.resourceIds.toArray(new String[]{}))),
           origin(is(OriginKeys.UAA)),
           revocationSignature(is(not(nullValue()))),
           cid(is(clientId)),
@@ -2132,7 +2133,7 @@ private void assertCommonUserRefreshTokenProperties(OAuth2RefreshToken refreshTo
           OAuth2RefreshTokenMatchers.username(is(tokenSupport.username)),
           OAuth2RefreshTokenMatchers.clientId(is(CLIENT_ID)),
           OAuth2RefreshTokenMatchers.subject(is(not(nullValue()))),
-          OAuth2RefreshTokenMatchers.audience(is(tokenSupport.resourceIds)),
+          OAuth2RefreshTokenMatchers.audience(containsInAnyOrder(tokenSupport.resourceIds.toArray(new String[]{}))),
           OAuth2RefreshTokenMatchers.origin(is(OriginKeys.UAA)),
           OAuth2RefreshTokenMatchers.revocationSignature(is(not(nullValue()))),
           OAuth2RefreshTokenMatchers.jwtId(not(isEmptyString())),
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java
index 46afb61fa76..9109ef13f51 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java
@@ -61,7 +61,7 @@ public static Matcher<OAuth2AccessToken> scope(Matcher<Object> scopes) {
         return new OAuth2AccessTokenMatchers(ClaimConstants.SCOPE, scopes);
     }
 
-    public static Matcher<OAuth2AccessToken> audience(Matcher<Object> resourceIds) {
+    public static Matcher<OAuth2AccessToken> audience(Matcher<Iterable<? extends String>> resourceIds) {
         return new OAuth2AccessTokenMatchers(ClaimConstants.AUD, resourceIds);
     }
 
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java
index 170d3465fe4..3f9dd674245 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java
@@ -62,7 +62,7 @@ public static Matcher<OAuth2RefreshToken> scope(Matcher<Object> scopes) {
         return new OAuth2RefreshTokenMatchers(ClaimConstants.GRANTED_SCOPES, scopes);
     }
 
-    public static Matcher<OAuth2RefreshToken> audience(Matcher<Object> resourceIds) {
+    public static Matcher<OAuth2RefreshToken> audience(Matcher<Iterable<? extends String>> resourceIds) {
         return new OAuth2RefreshTokenMatchers(ClaimConstants.AUD, resourceIds);
     }
 

From b67741ab66f888e349957a28e5087650576868e9 Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Tue, 15 Jun 2021 07:39:43 +0200
Subject: [PATCH 62/76] Bump Spring Dependencies (#1580)

spring boot 2.4.7
spring framework 5.3.8
tomcat 9.0.46
---
 dependencies.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index 45245736062..df8f2dcc8cd 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -12,11 +12,11 @@ versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
 versions.bouncyCastleVersion = "1.69"
 versions.hamcrestVersion = "2.2"
-versions.springBootVersion = "2.4.6"
+versions.springBootVersion = "2.4.7"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"
 versions.springSecurityOAuthVersion = "2.5.0.RELEASE"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
-versions.springVersion = "5.3.7"
+versions.springVersion = "5.3.8"
 versions.xmlBind = "2.3.0.1"
 versions.tomcatCargoVersion = "9.0.46"
 

From db47c2b1c4a66da22f75a9159076887cfb5adf41 Mon Sep 17 00:00:00 2001
From: Hongchol Sinn <hsinn@vmware.com>
Date: Tue, 15 Jun 2021 17:54:47 -0700
Subject: [PATCH 63/76] Backfill test cases for using refresh token value that
 was created with refresh_token_validity seconds specified [#178076368]

Co-authored-by: Bruce Ricard <bricard@vmware.com>
---
 .../uaa/oauth/UaaTokenServicesTests.java      | 95 ++++++++++++++++++-
 1 file changed, 90 insertions(+), 5 deletions(-)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
index 30b2c5a57dd..d8022df94c1 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
@@ -22,14 +22,11 @@
 import org.cloudfoundry.identity.uaa.oauth.token.CompositeToken;
 import org.cloudfoundry.identity.uaa.user.JdbcUaaUserDatabase;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
+import org.cloudfoundry.identity.uaa.util.TimeService;
 import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
 import org.cloudfoundry.identity.uaa.zone.MultitenantClientServices;
 import org.joda.time.DateTime;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.*;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -481,6 +478,94 @@ void happyCase(List<String> amrs) {
         }
     }
 
+    @Nested
+    @DisplayName("when the client was created with refresh_token_validity specified")
+    @DefaultTestContext
+    @TestPropertySource(properties = {"uaa.url=https://uaa.some.test.domain.com:555/uaa"})
+    @DirtiesContext
+    class WhenRefreshTokenValidityIsSpecified {
+        private RefreshTokenCreator refreshTokenCreator;
+        private RefreshTokenRequestData refreshTokenRequestData;
+        private UaaUser uaaUser;
+        private TokenRequest tokenRequest;
+
+        @Autowired
+        private TokenEndpointBuilder tokenEndpointBuilder;
+        @Autowired
+        private TimeService timeService;
+        @Autowired
+        private KeyInfoService keyInfoService;
+
+        @BeforeEach
+        void init() {
+            refreshTokenRequestData = new RefreshTokenRequestData(
+                    GRANT_TYPE_AUTHORIZATION_CODE,
+                    Sets.newHashSet("openid", "user_attributes"),
+                    null,
+                    "",
+                    Sets.newHashSet(""),
+                    "jku_test",
+                    false,
+                    new Date(),
+                    null,
+                    null
+            );
+            uaaUser = jdbcUaaUserDatabase.retrieveUserByName("admin", "uaa");
+            tokenRequest = new TokenRequest(new HashMap<>(), "jku_test",
+                    Lists.newArrayList("openid", "user_attributes"),
+                    GRANT_TYPE_REFRESH_TOKEN);
+        }
+
+        @ParameterizedTest
+        @ValueSource(ints = { 3600, 24*3600*15, Integer.MAX_VALUE })
+        void validExpClaim(int validitySeconds) {
+            RefreshTokenCreator refreshTokenCreator = createRefreshTokenCreator(
+                    validitySeconds);
+            CompositeExpiringOAuth2RefreshToken refreshToken =
+                    refreshTokenCreator.createRefreshToken(uaaUser,
+                            refreshTokenRequestData, null);
+            Assertions.assertNotNull(refreshToken);
+
+            OAuth2AccessToken accessToken = tokenServices.refreshAccessToken(
+                    refreshToken.getValue(), tokenRequest);
+            Assertions.assertNotNull(accessToken);
+        }
+
+        @ParameterizedTest
+        @ValueSource(ints = { -3600, Integer.MIN_VALUE })
+        void invalidExpClaim(int validitySeconds) {
+            RefreshTokenCreator refreshTokenCreator = createRefreshTokenCreator(
+                    validitySeconds);
+            CompositeExpiringOAuth2RefreshToken refreshToken =
+                    refreshTokenCreator.createRefreshToken(uaaUser,
+                            refreshTokenRequestData, null);
+            Assertions.assertNotNull(refreshToken);
+
+            // Verifying with generic Exception instead of specific type because
+            // refreshAccessToken() throws an Exception of which type is
+            // different from the one that is declared in its method signature
+            Assertions.assertThrows(Exception.class, () ->
+                    tokenServices.refreshAccessToken(refreshToken.getValue(),
+                            tokenRequest));
+        }
+
+        private RefreshTokenCreator createRefreshTokenCreator(
+                int validitySeconds) {
+            TokenValidityResolver tokenValidityResolver =
+                    new TokenValidityResolver(
+                            new ClientTokenValidity() {
+                                public Integer getValiditySeconds(String clientId) {
+                                    return validitySeconds;
+                                }
+                                public Integer getZoneValiditySeconds() {
+                                    return 2592000;
+                                }
+                            }, 2592000, timeService);
+            return new RefreshTokenCreator(false, tokenValidityResolver,
+                    tokenEndpointBuilder, timeService, keyInfoService);
+        }
+    }
+
     private OAuth2Authentication constructUserAuthenticationFromAuthzRequest(AuthorizationRequest authzRequest,
                                                                              String userId,
                                                                              String userOrigin,

From 6bfdeacc87c73356ddbea1e358e82d7be90d9c40 Mon Sep 17 00:00:00 2001
From: Steve Taylor <staylor@pivotal.io>
Date: Tue, 15 Jun 2021 15:13:34 -0700
Subject: [PATCH 64/76] Test that we redirect when client allows only SAML

---
 .../identity/uaa/login/LoginMockMvcTests.java | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
index dd82070f645..674ac298640 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/LoginMockMvcTests.java
@@ -300,13 +300,38 @@ void access_discovery_when_expected(
 
         allowedProvidersPermutations.add(new ArrayList<>(singletonList(UAA)));  // Model should contain a login hint if we exclude LDAP from allowed providers
         allowedProvidersPermutations.add(new ArrayList<>(singletonList(LDAP))); // Model should contain a login hint if we exclude UAA from allowed providers
-        allowedProvidersPermutations.add(new ArrayList<>(singletonList(SAML))); // Model should not contain a login hint if we exclude both UAA and LDAP
 
         for (List<String> allowedProviders : allowedProvidersPermutations) {
             expect_idp_discovery(identityProviderProvisioning, identityZoneProvisioning, allowedProviders);
         }
     }
 
+    @Test
+    void redirect_when_only_saml_allowed(
+            @Autowired JdbcIdentityProviderProvisioning identityProviderProvisioning,
+            @Autowired JdbcIdentityZoneProvisioning identityZoneProvisioning) throws Exception {
+
+        IdentityZoneConfiguration config = new IdentityZoneConfiguration();
+        config.setIdpDiscoveryEnabled(true);
+
+        IdentityZone zone = setupZone(webApplicationContext, mockMvc, identityZoneProvisioning, generator, config);
+        String originKey = "fake-origin-key";
+
+        MockHttpSession session = configure_UAA_for_idp_discovery(
+                webApplicationContext,
+                identityProviderProvisioning,
+                generator,
+                originKey,
+                zone,
+                new ArrayList<>(asList(originKey, SAML)));
+
+        mockMvc.perform(get("/login")
+                .session(session)
+                .header("Accept", TEXT_HTML)
+                .with(new SetServerNameRequestPostProcessor(zone.getSubdomain() + ".localhost")))
+                .andExpect(status().is3xxRedirection());
+    }
+
     @Test
     void access_login_page_while_logged_in() throws Exception {
         SecurityContext securityContext = MockMvcUtils.getMarissaSecurityContext(webApplicationContext, IdentityZoneHolder.getCurrentZoneId());

From 5ff745f4d7e48815eaae47476208ec56e59ab35a Mon Sep 17 00:00:00 2001
From: Markus Strehle <markus.strehle@sap.com>
Date: Fri, 18 Jun 2021 17:22:34 +0200
Subject: [PATCH 65/76] Fix issue 1584

---
 .../cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java   | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
index 8f22b788c60..40b22d7e3d8 100755
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
@@ -316,11 +316,6 @@ private String login(Model model, Principal principal, List<String> excludedProm
                 allIdentityProviders.putAll(samlIdentityProviders);
                 allIdentityProviders.putAll(oauthIdentityProviders);
             }
-        } else if (!jsonResponse && (accountChooserNeeded || (discoveryEnabled && !discoveryPerformed))) {
-            // when `/login` is requested to return html response (as opposed to json response)
-            //Account Chooser and discovery do not need any IdP information
-            oauthIdentityProviders = Collections.emptyMap();
-            samlIdentityProviders = Collections.emptyMap();
         } else {
             samlIdentityProviders = getSamlIdentityProviderDefinitions(allowedIdentityProviderKeys);
             oauthIdentityProviders = getOauthIdentityProviderDefinitions(allowedIdentityProviderKeys);

From e4546a7b4115c9765081fdb363c7fa5b3d463e70 Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Sat, 26 Jun 2021 12:44:04 +0200
Subject: [PATCH 66/76] Bump Spring Dependencies (#1591)

* Bump Spring Dependencies

spring boot 2.4.8
spring framework 5.3.8
tomcat 9.0.48

* Update dependencies.gradle

* Update dependencies.gradle
---
 dependencies.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index df8f2dcc8cd..773f6064fde 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -12,13 +12,13 @@ versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
 versions.bouncyCastleVersion = "1.69"
 versions.hamcrestVersion = "2.2"
-versions.springBootVersion = "2.4.7"
+versions.springBootVersion = "2.4.8"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"
 versions.springSecurityOAuthVersion = "2.5.0.RELEASE"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
 versions.springVersion = "5.3.8"
 versions.xmlBind = "2.3.0.1"
-versions.tomcatCargoVersion = "9.0.46"
+versions.tomcatCargoVersion = "9.0.48"
 
 // Dependencies (some rely on shared versions, some are shared between projects)
 libraries.apacheCommonsRngCore = "org.apache.commons:commons-rng-core:1.3"

From d30973cf14f3489b1ab70cb6bb5d20d8146c8fa3 Mon Sep 17 00:00:00 2001
From: Benjamin Gandon <benjamin@gstack.io>
Date: Sat, 26 Jun 2021 18:17:24 +0200
Subject: [PATCH 67/76] Document the 'userInfoUrl' property for OAuth identity
 provider config

---
 .../uaa/mock/providers/IdentityProviderEndpointDocs.java         | 1 +
 1 file changed, 1 insertion(+)

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointDocs.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointDocs.java
index fd29ee6730c..35d1b09a3c9 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointDocs.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointDocs.java
@@ -467,6 +467,7 @@ void createOAuthIdentityProvider() throws Exception {
                 fieldWithPath("config.tokenUrl").required().type(STRING).description("The OAuth 2.0 token endpoint URL"),
                 fieldWithPath("config.tokenKeyUrl").optional(null).type(STRING).description("The URL of the token key endpoint which renders a verification key for validating token signatures"),
                 fieldWithPath("config.tokenKey").optional(null).type(STRING).description("A verification key for validating token signatures, set to null if a `tokenKeyUrl` is provided."),
+                fieldWithPath("config.userInfoUrl").optional(null).type(STRING).description("A URL for fetching user info attributes when queried with the obtained token authorization."),
                 fieldWithPath("config.showLinkText").optional(true).type(BOOLEAN).description("A flag controlling whether a link to this provider's login will be shown on the UAA login page"),
                 fieldWithPath("config.linkText").optional(null).type(STRING).description("Text to use for the login link to the provider"),
                 fieldWithPath("config.relyingPartyId").required().type(STRING).description("The client ID which is registered with the external OAuth provider for use by the UAA"),

From 55bb313b5754f16f6851bd8faa900ab06bd573e3 Mon Sep 17 00:00:00 2001
From: Markus Strehle <strehle@users.noreply.github.com>
Date: Mon, 28 Jun 2021 17:50:38 +0200
Subject: [PATCH 68/76] Bump Guava Dependencies (#1581)

* Bump Guava Dependencies

30.0-jre -> 30.1.1-jre

* Update settings.gradle

* Update settings.gradle
---
 dependencies.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index 773f6064fde..a68fe998c07 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -37,7 +37,7 @@ libraries.eclipseJgit = "org.eclipse.jgit:org.eclipse.jgit:5.8.0.202006091008-r"
 libraries.flywayCore = "org.flywaydb:flyway-core"
 libraries.greenmail = "com.icegreen:greenmail:1.5.11"
 libraries.googleAuth = "com.warrenstrange:googleauth:1.5.0"
-libraries.guava = "com.google.guava:guava:30.0-jre"
+libraries.guava = "com.google.guava:guava:30.1.1-jre"
 libraries.hamcrest = "org.hamcrest:hamcrest:${versions.hamcrestVersion}"
 libraries.hibernateValidator = "org.hibernate.validator:hibernate-validator"
 libraries.hsqldb = "org.hsqldb:hsqldb"

From 39d4c71d2e25ad492b63206957c6d88db99057cb Mon Sep 17 00:00:00 2001
From: Hongchol Sinn <83615060+hsinn0@users.noreply.github.com>
Date: Mon, 28 Jun 2021 13:48:15 -0700
Subject: [PATCH 69/76] Add '-Xdebug' jvm args to application container run in
 cargo if '-Dxdebug=true' option is sepcified for 'gradle run'. (#1592)

---
 build.gradle | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/build.gradle b/build.gradle
index be6a5a13a84..495450e26b3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -180,6 +180,11 @@ cargo {
         if (System.getProperty("spring.profiles.active", "").split(',').contains("debug")) {
             jvmArgs = String.format("%s -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005", jvmArgs)
         }
+        else if (Boolean.valueOf(System.getProperty("xdebug"))) {
+            jvmArgs = String.format("%s -Xdebug " +
+                    "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 " +
+                    "-Xnoagent -Djava.compiler=NONE", jvmArgs)
+        }
 
         outputFile = file("uaa/build/reports/tests/uaa-server.log")
         configFile {

From 34f802ba6518c19704df9c2449eaf90ef9f35825 Mon Sep 17 00:00:00 2001
From: Markus Strehle <11627201+strehle@users.noreply.github.com>
Date: Tue, 29 Jun 2021 23:28:54 +0200
Subject: [PATCH 70/76] Github userUserInfo from local configuration (#1595)

---
 .../identity/uaa/provider/oauth/OauthIDPWrapperFactoryBean.java  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/OauthIDPWrapperFactoryBean.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/OauthIDPWrapperFactoryBean.java
index fd1c0efd384..3fb40f29631 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/OauthIDPWrapperFactoryBean.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/OauthIDPWrapperFactoryBean.java
@@ -125,6 +125,7 @@ protected void setCommonProperties(Map<String, Object> idpDefinitionMap, Abstrac
                 idpDefinition.setAuthUrl(new URL((String) idpDefinitionMap.get("authUrl")));
                 idpDefinition.setTokenKeyUrl(idpDefinitionMap.get("tokenKeyUrl") == null ? null : new URL((String) idpDefinitionMap.get("tokenKeyUrl")));
                 idpDefinition.setTokenUrl(new URL((String) idpDefinitionMap.get("tokenUrl")));
+                idpDefinition.setUserInfoUrl(idpDefinitionMap.get("userInfoUrl") == null ? null : new URL((String) idpDefinitionMap.get("userInfoUrl")));
             }
         } catch (MalformedURLException e) {
             throw new IllegalArgumentException("URL is malformed.", e);

From 9192200d4c7e1ed31c96995d8d2139d22f558620 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Jun 2021 06:46:43 +0200
Subject: [PATCH 71/76] Bump k8s.io/apimachinery from 0.21.0 to 0.21.2 in /k8s
 (#1587)

Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.21.0 to 0.21.2.
- [Release notes](https://github.com/kubernetes/apimachinery/releases)
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.21.0...v0.21.2)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod | 2 +-
 k8s/go.sum | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 61b6b34b8f6..2038de16879 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -7,6 +7,6 @@ require (
 	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.21.0
-	k8s.io/apimachinery v0.21.0
+	k8s.io/apimachinery v0.21.2
 	k8s.io/client-go v0.21.0
 )
diff --git a/k8s/go.sum b/k8s/go.sum
index 18d1c63c483..1a868b36287 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -99,8 +99,9 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -293,8 +294,9 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073 h1:8qxJSnu+7dRq6upnbntrmriWByIakBuct5OM/MdQC1M=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -427,8 +429,9 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.21.0 h1:gu5iGF4V6tfVCQ/R+8Hc0h7H1JuEhzyEi9S4R5LM8+Y=
 k8s.io/api v0.21.0/go.mod h1:+YbrhBBGgsxbF6o6Kj4KJPJnBmAKuXDeS3E18bgHNVU=
-k8s.io/apimachinery v0.21.0 h1:3Fx+41if+IRavNcKOz09FwEXDBG6ORh6iMsTSelhkMA=
 k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
+k8s.io/apimachinery v0.21.2 h1:vezUc/BHqWlQDnZ+XkrpXSmnANSLbpnlpwo0Lhk0gpc=
+k8s.io/apimachinery v0.21.2/go.mod h1:CdTY8fU/BlvAbJ2z/8kBwimGki5Zp8/fbVuLY8gJumM=
 k8s.io/client-go v0.21.0 h1:n0zzzJsAQmJngpC0IhgFcApZyoGXPrDIAD601HD09ag=
 k8s.io/client-go v0.21.0/go.mod h1:nNBytTF9qPFDEhoqgEPaarobC8QPae13bElIVHzIglA=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=

From a4d902895c47472d922663f0e820538218c1bfb5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Jun 2021 06:49:00 +0200
Subject: [PATCH 72/76] Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.4 in
 /k8s (#1575)

Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.16.1 to 1.16.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.16.1...v1.16.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod | 2 +-
 k8s/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 2038de16879..61128b4ff92 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -3,7 +3,7 @@ module github.com/cloudfoundry/uaa
 go 1.15
 
 require (
-	github.com/onsi/ginkgo v1.16.1
+	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.21.0
diff --git a/k8s/go.sum b/k8s/go.sum
index 1a868b36287..41bb68dfccd 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -159,8 +159,8 @@ github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.16.1 h1:foqVmeWDD6yYpK+Yz3fHyNIxFYNxswxqNFjSKe+vI54=
-github.com/onsi/ginkgo v1.16.1/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E=
+github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
+github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=

From f44dae35c2b3506a97e3d67f4cfb352b21848869 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Jun 2021 07:29:50 +0200
Subject: [PATCH 73/76] Bump github.com/onsi/gomega from 1.11.0 to 1.13.0 in
 /k8s (#1573)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.11.0 to 1.13.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.11.0...v1.13.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod |  2 +-
 k8s/go.sum | 24 ++++++++++++++++--------
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 61128b4ff92..0db0958d246 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -4,7 +4,7 @@ go 1.15
 
 require (
 	github.com/onsi/ginkgo v1.16.4
-	github.com/onsi/gomega v1.11.0
+	github.com/onsi/gomega v1.13.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.21.0
 	k8s.io/apimachinery v0.21.2
diff --git a/k8s/go.sum b/k8s/go.sum
index 41bb68dfccd..a74324ad7a0 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -90,8 +90,10 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -100,8 +102,9 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -159,14 +162,15 @@ github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.16.2/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.11.0 h1:+CqWgvj0OZycCaqclBD1pxKHAU+tOkHmQIWvDHq2aug=
-github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg=
+github.com/onsi/gomega v1.13.0 h1:7lLHu94wT9Ij0o6EWWclhu0aOh32VxhkwEJvzuWPeak=
+github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -251,9 +255,9 @@ golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 h1:OgUuv8lsRpBibGNbSizVwKWlysjaNzmC9gYMhPVfqFM=
 golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210428140749-89ef3d95e781 h1:DzZ89McO9/gWPsQXS/FVKAlG02ZjaQ6AlZRBimEYOd0=
+golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -295,6 +299,7 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -305,8 +310,9 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -399,8 +405,10 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

From f6e0f6f32be7692575f50a48142174eaf02aaf21 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Jun 2021 07:30:38 +0200
Subject: [PATCH 74/76] Bump k8s.io/api from 0.21.0 to 0.21.2 in /k8s (#1585)

Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.21.0 to 0.21.2.
- [Release notes](https://github.com/kubernetes/api/releases)
- [Commits](https://github.com/kubernetes/api/compare/v0.21.0...v0.21.2)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod | 2 +-
 k8s/go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 0db0958d246..19f90aa03c0 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.13.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.21.0
+	k8s.io/api v0.21.2
 	k8s.io/apimachinery v0.21.2
 	k8s.io/client-go v0.21.0
 )
diff --git a/k8s/go.sum b/k8s/go.sum
index a74324ad7a0..b2fcbf46053 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -435,8 +435,9 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.21.0 h1:gu5iGF4V6tfVCQ/R+8Hc0h7H1JuEhzyEi9S4R5LM8+Y=
 k8s.io/api v0.21.0/go.mod h1:+YbrhBBGgsxbF6o6Kj4KJPJnBmAKuXDeS3E18bgHNVU=
+k8s.io/api v0.21.2 h1:vz7DqmRsXTCSa6pNxXwQ1IYeAZgdIsua+DZU+o+SX3Y=
+k8s.io/api v0.21.2/go.mod h1:Lv6UGJZ1rlMI1qusN8ruAp9PUBFyBwpEHAdG24vIsiU=
 k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
 k8s.io/apimachinery v0.21.2 h1:vezUc/BHqWlQDnZ+XkrpXSmnANSLbpnlpwo0Lhk0gpc=
 k8s.io/apimachinery v0.21.2/go.mod h1:CdTY8fU/BlvAbJ2z/8kBwimGki5Zp8/fbVuLY8gJumM=

From 6c122ec1a548ae340da4e3bbc4b9912d42984ffa Mon Sep 17 00:00:00 2001
From: Markus Strehle <11627201+strehle@users.noreply.github.com>
Date: Wed, 30 Jun 2021 12:19:35 +0200
Subject: [PATCH 75/76] Bump commons-io from 2.7 to 2.10.0 (#1582)

* Bump commons-io from 2.7 to 2.9.0

* Bump commons-io from 2.7 to 2.9.0

* Update dependencies.gradle

* Update pom.xml

Co-authored-by: Markus Strehle <strehle@users.noreply.github.com>
---
 dependencies.gradle | 2 +-
 model/pom.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index a68fe998c07..20234a8cc67 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -31,7 +31,7 @@ libraries.aspectJWeaver = "org.aspectj:aspectjweaver"
 libraries.beanutils = "commons-beanutils:commons-beanutils:1.9.4"
 libraries.bouncyCastlePkix = "org.bouncycastle:bcpkix-jdk15on:${versions.bouncyCastleVersion}"
 libraries.bouncyCastleProv = "org.bouncycastle:bcprov-jdk15on:${versions.bouncyCastleVersion}"
-libraries.commonsIo = "commons-io:commons-io:2.7"
+libraries.commonsIo = "commons-io:commons-io:2.10.0"
 libraries.dumbster = "dumbster:dumbster:1.6"
 libraries.eclipseJgit = "org.eclipse.jgit:org.eclipse.jgit:5.8.0.202006091008-r"
 libraries.flywayCore = "org.flywaydb:flyway-core"
diff --git a/model/pom.xml b/model/pom.xml
index e4628036509..42272756c13 100644
--- a/model/pom.xml
+++ b/model/pom.xml
@@ -95,7 +95,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.7</version>
+      <version>2.10.0</version>
       <scope>compile</scope>
       <exclusions>
         <exclusion>

From 423adb8b164f90e56e2962fb30d1077fcbc76573 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Jun 2021 13:18:50 +0200
Subject: [PATCH 76/76] Bump k8s.io/client-go from 0.21.0 to 0.21.2 in /k8s
 (#1586)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.21.0 to 0.21.2.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.21.0...v0.21.2)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 k8s/go.mod | 2 +-
 k8s/go.sum | 8 ++------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/k8s/go.mod b/k8s/go.mod
index 19f90aa03c0..f556655495d 100644
--- a/k8s/go.mod
+++ b/k8s/go.mod
@@ -8,5 +8,5 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.21.2
 	k8s.io/apimachinery v0.21.2
-	k8s.io/client-go v0.21.0
+	k8s.io/client-go v0.21.2
 )
diff --git a/k8s/go.sum b/k8s/go.sum
index b2fcbf46053..5417f9d9b30 100644
--- a/k8s/go.sum
+++ b/k8s/go.sum
@@ -101,7 +101,6 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -298,7 +297,6 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -435,14 +433,12 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.21.0/go.mod h1:+YbrhBBGgsxbF6o6Kj4KJPJnBmAKuXDeS3E18bgHNVU=
 k8s.io/api v0.21.2 h1:vz7DqmRsXTCSa6pNxXwQ1IYeAZgdIsua+DZU+o+SX3Y=
 k8s.io/api v0.21.2/go.mod h1:Lv6UGJZ1rlMI1qusN8ruAp9PUBFyBwpEHAdG24vIsiU=
-k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
 k8s.io/apimachinery v0.21.2 h1:vezUc/BHqWlQDnZ+XkrpXSmnANSLbpnlpwo0Lhk0gpc=
 k8s.io/apimachinery v0.21.2/go.mod h1:CdTY8fU/BlvAbJ2z/8kBwimGki5Zp8/fbVuLY8gJumM=
-k8s.io/client-go v0.21.0 h1:n0zzzJsAQmJngpC0IhgFcApZyoGXPrDIAD601HD09ag=
-k8s.io/client-go v0.21.0/go.mod h1:nNBytTF9qPFDEhoqgEPaarobC8QPae13bElIVHzIglA=
+k8s.io/client-go v0.21.2 h1:Q1j4L/iMN4pTw6Y4DWppBoUxgKO8LbffEMVEV00MUp0=
+k8s.io/client-go v0.21.2/go.mod h1:HdJ9iknWpbl3vMGtib6T2PyI/VYxiZfq936WNVHBRrA=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts=