[7.x] Update opensaml dependency (#44972) (#49512)

Add a mirror of the maven repository of the shibboleth project
and upgrade opensaml and related dependencies to the latest
version available version

Resolves: #44947

Author: jkakavas

buildSrc/version.properties

@@ -29,7 +29,6 @@ joda              = 2.10.4
 #  - distribution/tools/plugin-cli
 #  - x-pack/plugin/security
 bouncycastle      = 1.61
-
 # test dependencies
 randomizedrunner  = 2.7.1
 junit             = 4.12

x-pack/build.gradle

@@ -4,6 +4,22 @@ import org.elasticsearch.gradle.precommit.LicenseHeadersTask
 Project xpackRootProject = project
 
 subprojects {
+
+  // We define a specific repository for opensaml since the shibboleth project doesn't publish to maven central and the
+  // artifacts that are located there are not curated/updated by the project
+  // see: https://wiki.shibboleth.net/confluence/display/DEV/Use+of+Maven+Central
+  repositories {
+    maven {
+      name "opensaml"
+      url "https://artifactory.elstc.co/artifactory/shibboleth-releases/"
+      content {
+        includeGroup "org.opensaml"
+        includeGroup "net.shibboleth.utilities"
+        includeGroup "net.shibboleth"
+      }
+    }
+  }
+
   group = 'org.elasticsearch.plugin'
   ext.xpackRootProject = xpackRootProject
   ext.xpackProject = { String projectName -> xpackRootProject.project(projectName) }

x-pack/plugin/security/build.gradle

@@ -29,25 +29,25 @@ dependencies {
   compileOnly 'org.bouncycastle:bcpkix-jdk15on:1.59'
 
   // the following are all SAML dependencies - might as well download the whole internet
-  compile "org.opensaml:opensaml-core:3.3.0"
-  compile "org.opensaml:opensaml-saml-api:3.3.0"
-  compile "org.opensaml:opensaml-saml-impl:3.3.0"
-  compile "org.opensaml:opensaml-messaging-api:3.3.0"
-  compile "org.opensaml:opensaml-messaging-impl:3.3.0"
-  compile "org.opensaml:opensaml-security-api:3.3.0"
-  compile "org.opensaml:opensaml-security-impl:3.3.0"
-  compile "org.opensaml:opensaml-profile-api:3.3.0"
-  compile "org.opensaml:opensaml-profile-impl:3.3.0"
-  compile "org.opensaml:opensaml-xmlsec-api:3.3.0"
-  compile "org.opensaml:opensaml-xmlsec-impl:3.3.0"
-  compile "org.opensaml:opensaml-soap-api:3.3.0"
-  compile "org.opensaml:opensaml-soap-impl:3.3.0"
-  compile "org.opensaml:opensaml-storage-api:3.3.0"
-  compile "org.opensaml:opensaml-storage-impl:3.3.0"
-  compile "net.shibboleth.utilities:java-support:7.3.0"
-  compile "org.apache.santuario:xmlsec:2.0.8"
+  compile "org.opensaml:opensaml-core:3.4.5"
+  compile "org.opensaml:opensaml-saml-api:3.4.5"
+  compile "org.opensaml:opensaml-saml-impl:3.4.5"
+  compile "org.opensaml:opensaml-messaging-api:3.4.5"
+  compile "org.opensaml:opensaml-messaging-impl:3.4.5"
+  compile "org.opensaml:opensaml-security-api:3.4.5"
+  compile "org.opensaml:opensaml-security-impl:3.4.5"
+  compile "org.opensaml:opensaml-profile-api:3.4.5"
+  compile "org.opensaml:opensaml-profile-impl:3.4.5"
+  compile "org.opensaml:opensaml-xmlsec-api:3.4.5"
+  compile "org.opensaml:opensaml-xmlsec-impl:3.4.5"
+  compile "org.opensaml:opensaml-soap-api:3.4.5"
+  compile "org.opensaml:opensaml-soap-impl:3.4.5"
+  compile "org.opensaml:opensaml-storage-api:3.4.5"
+  compile "org.opensaml:opensaml-storage-impl:3.4.5"
+  compile "net.shibboleth.utilities:java-support:7.5.1"
+  compile "org.apache.santuario:xmlsec:2.1.4"
   compile "io.dropwizard.metrics:metrics-core:3.2.2"
-  compile "org.cryptacular:cryptacular:1.2.0"
+  compile "org.cryptacular:cryptacular:1.2.3"
   compile "org.slf4j:slf4j-api:${versions.slf4j}"
   compile "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
   compile "org.apache.httpcomponents:httpclient:${versions.httpclient}"
@@ -178,107 +178,106 @@ forbiddenApisMain {
 
 // classes are missing, e.g. com.ibm.icu.lang.UCharacter
 thirdPartyAudit {
-  ignoreMissingClasses(
-    // SAML dependencies
-    // [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes
-    'com.beust.jcommander.JCommander',
-    'com.beust.jcommander.converters.BaseConverter',
-    // [missing classes] Shibboleth + OpenSAML have servlet support that we don't use
-    'javax.servlet.AsyncContext',
-    'javax.servlet.DispatcherType',
-    'javax.servlet.Filter',
-    'javax.servlet.FilterChain',
-    'javax.servlet.FilterConfig',
-    'javax.servlet.RequestDispatcher',
-    'javax.servlet.ServletContext',
-    'javax.servlet.ServletException',
-    'javax.servlet.ServletInputStream',
-    'javax.servlet.ServletOutputStream',
-    'javax.servlet.ServletRequest',
-    'javax.servlet.ServletResponse',
-    'javax.servlet.http.Cookie',
-    'javax.servlet.http.HttpServletRequest',
-    'javax.servlet.http.HttpServletResponse',
-    'javax.servlet.http.HttpServletResponseWrapper',
-    'javax.servlet.http.HttpSession',
-    'javax.servlet.http.Part',
-    // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
-    'org.apache.velocity.VelocityContext',
-    'org.apache.velocity.app.VelocityEngine',
-    'org.apache.velocity.context.Context',
-    'org.apache.velocity.exception.VelocityException',
-    'org.apache.velocity.runtime.RuntimeServices',
-    'org.apache.velocity.runtime.log.LogChute',
-    'org.apache.velocity.runtime.resource.loader.StringResourceLoader',
-    'org.apache.velocity.runtime.resource.util.StringResourceRepository',
-    // [missing classes] OpenSAML depends on Apache XML security which depends on Xalan, but only for functionality that OpenSAML doesn't use
-    'org.apache.xml.dtm.DTM',
-    'org.apache.xml.utils.PrefixResolver',
-    'org.apache.xml.utils.PrefixResolverDefault',
-    'org.apache.xpath.Expression',
-    'org.apache.xpath.NodeSetDTM',
-    'org.apache.xpath.XPath',
-    'org.apache.xpath.XPathContext',
-    'org.apache.xpath.compiler.FunctionTable',
-    'org.apache.xpath.functions.Function',
-    'org.apache.xpath.objects.XNodeSet',
-    'org.apache.xpath.objects.XObject',
-    // [missing classes] OpenSAML storage has an optional LDAP storage impl
-    'org.ldaptive.AttributeModification',
-    'org.ldaptive.AttributeModificationType',
-    'org.ldaptive.Connection',
-    'org.ldaptive.DeleteOperation',
-    'org.ldaptive.DeleteRequest',
-    'org.ldaptive.LdapAttribute',
-    'org.ldaptive.LdapEntry',
-    'org.ldaptive.LdapException',
-    'org.ldaptive.ModifyOperation',
-    'org.ldaptive.ModifyRequest',
-    'org.ldaptive.Response',
-    'org.ldaptive.ResultCode',
-    'org.ldaptive.SearchOperation',
-    'org.ldaptive.SearchRequest',
-    'org.ldaptive.SearchResult',
-    'org.ldaptive.ext.MergeOperation',
-    'org.ldaptive.ext.MergeRequest',
-    'org.ldaptive.pool.ConnectionPool',
-    'org.ldaptive.pool.PooledConnectionFactory',
-    // [missing classes] OpenSAML storage has an optional JSON-backed storage impl
-    'javax.json.Json',
-    'javax.json.JsonException',
-    'javax.json.JsonNumber',
-    'javax.json.JsonObject',
-    'javax.json.JsonReader',
-    'javax.json.JsonValue$ValueType',
-    'javax.json.JsonValue',
-    'javax.json.stream.JsonGenerator',
-    // [missing classes] OpenSAML storage has an optional JPA storage impl
-    'javax.persistence.EntityManager',
-    'javax.persistence.EntityManagerFactory',
-    'javax.persistence.EntityTransaction',
-    'javax.persistence.LockModeType',
-    'javax.persistence.Query',
-    // [missing classes] OpenSAML storage and HttpClient cache have optional memcache support
-    'net.spy.memcached.CASResponse',
-    'net.spy.memcached.CASValue',
-    'net.spy.memcached.MemcachedClient',
-    'net.spy.memcached.MemcachedClientIF',
-    'net.spy.memcached.CachedData',
-    'net.spy.memcached.internal.OperationFuture',
-    'net.spy.memcached.transcoders.Transcoder',
-    // [missing classes] Http Client cache has optional ehcache support
-    'net.sf.ehcache.Ehcache',
-    'net.sf.ehcache.Element',
-    // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
-    'org.slf4j.ext.EventData',
-    // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
-    'org.cryptomator.siv.SivMode',
-    // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
-    'com.google.crypto.tink.subtle.Ed25519Sign',
-    'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
-    'com.google.crypto.tink.subtle.Ed25519Verify',
-    'com.google.crypto.tink.subtle.X25519'
-
+  ignoreMissingClasses (
+      // SAML dependencies
+      // [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes
+      'com.beust.jcommander.JCommander',
+      'com.beust.jcommander.converters.BaseConverter',
+      // [missing classes] Shibboleth + OpenSAML have servlet support that we don't use
+      'javax.servlet.AsyncContext',
+      'javax.servlet.DispatcherType',
+      'javax.servlet.Filter',
+      'javax.servlet.FilterChain',
+      'javax.servlet.FilterConfig',
+      'javax.servlet.RequestDispatcher',
+      'javax.servlet.ServletContext',
+      'javax.servlet.ServletException',
+      'javax.servlet.ServletInputStream',
+      'javax.servlet.ServletOutputStream',
+      'javax.servlet.ServletRequest',
+      'javax.servlet.ServletResponse',
+      'javax.servlet.http.Cookie',
+      'javax.servlet.http.HttpServletRequest',
+      'javax.servlet.http.HttpServletResponse',
+      'javax.servlet.http.HttpServletResponseWrapper',
+      'javax.servlet.http.HttpSession',
+      'javax.servlet.http.Part',
+      // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
+      'org.apache.velocity.VelocityContext',
+      'org.apache.velocity.app.VelocityEngine',
+      'org.apache.velocity.context.Context',
+      'org.apache.velocity.exception.VelocityException',
+      'org.apache.velocity.runtime.RuntimeServices',
+      'org.apache.velocity.runtime.log.LogChute',
+      'org.apache.velocity.runtime.resource.loader.StringResourceLoader',
+      'org.apache.velocity.runtime.resource.util.StringResourceRepository',
+      // [missing classes] OpenSAML depends on Apache XML security which depends on Xalan, but only for functionality that OpenSAML doesn't use
+      'org.apache.xml.dtm.DTM',
+      'org.apache.xml.utils.PrefixResolver',
+      'org.apache.xml.utils.PrefixResolverDefault',
+      'org.apache.xpath.Expression',
+      'org.apache.xpath.NodeSetDTM',
+      'org.apache.xpath.XPath',
+      'org.apache.xpath.XPathContext',
+      'org.apache.xpath.compiler.FunctionTable',
+      'org.apache.xpath.functions.Function',
+      'org.apache.xpath.objects.XNodeSet',
+      'org.apache.xpath.objects.XObject',
+      // [missing classes] OpenSAML storage has an optional LDAP storage impl
+      'org.ldaptive.AttributeModification',
+      'org.ldaptive.AttributeModificationType',
+      'org.ldaptive.Connection',
+      'org.ldaptive.DeleteOperation',
+      'org.ldaptive.DeleteRequest',
+      'org.ldaptive.LdapAttribute',
+      'org.ldaptive.LdapEntry',
+      'org.ldaptive.LdapException',
+      'org.ldaptive.ModifyOperation',
+      'org.ldaptive.ModifyRequest',
+      'org.ldaptive.Response',
+      'org.ldaptive.ResultCode',
+      'org.ldaptive.SearchOperation',
+      'org.ldaptive.SearchRequest',
+      'org.ldaptive.SearchResult',
+      'org.ldaptive.ext.MergeOperation',
+      'org.ldaptive.ext.MergeRequest',
+      'org.ldaptive.pool.ConnectionPool',
+      'org.ldaptive.pool.PooledConnectionFactory',
+      // [missing classes] OpenSAML storage has an optional JSON-backed storage impl
+      'javax.json.Json',
+      'javax.json.JsonException',
+      'javax.json.JsonNumber',
+      'javax.json.JsonObject',
+      'javax.json.JsonReader',
+      'javax.json.JsonValue$ValueType',
+      'javax.json.JsonValue',
+      'javax.json.stream.JsonGenerator',
+      // [missing classes] OpenSAML storage has an optional JPA storage impl
+      'javax.persistence.EntityManager',
+      'javax.persistence.EntityManagerFactory',
+      'javax.persistence.EntityTransaction',
+      'javax.persistence.LockModeType',
+      'javax.persistence.Query',
+      // [missing classes] OpenSAML storage and HttpClient cache have optional memcache support
+      'net.spy.memcached.CASResponse',
+      'net.spy.memcached.CASValue',
+      'net.spy.memcached.MemcachedClient',
+      'net.spy.memcached.MemcachedClientIF',
+      'net.spy.memcached.CachedData',
+      'net.spy.memcached.internal.OperationFuture',
+      'net.spy.memcached.transcoders.Transcoder',
+      // [missing classes] Http Client cache has optional ehcache support
+      'net.sf.ehcache.Ehcache',
+      'net.sf.ehcache.Element',
+      // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
+      'org.slf4j.ext.EventData',
+      // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
+      'org.cryptomator.siv.SivMode',
+      // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
+      'com.google.crypto.tink.subtle.Ed25519Sign',
+      'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
+      'com.google.crypto.tink.subtle.Ed25519Verify',
+      'com.google.crypto.tink.subtle.X25519'
   )
 
   ignoreViolations(

x-pack/plugin/security/licenses/cryptacular-1.2.0.jar.sha1

@@ -0,0 +1 @@
+7b0398d04a68ff7f58657938b3bdc5f2799b4b49

x-pack/plugin/security/licenses/cryptacular-1.2.3.jar.sha1

@@ -0,0 +1 @@
+c3fecaa141e8f0fff8a14e6800aefa8155c9b3e8

x-pack/plugin/security/licenses/java-support-7.3.0.jar.sha1

@@ -0,0 +1 @@
+0958fae127de9e8b0296e6f089c7451b6d5f0846

x-pack/plugin/security/licenses/java-support-7.5.1.jar.sha1

@@ -0,0 +1 @@
+e3ec93dfbf90c451e9f7fb34a3e33a6ac60edd31

x-pack/plugin/security/licenses/opensaml-core-3.3.0.jar.sha1

@@ -0,0 +1 @@
+beaca9bd69ad861dbb55f1694853a02cb6988ae7

x-pack/plugin/security/licenses/opensaml-core-3.4.5.jar.sha1

@@ -0,0 +1 @@
+bb0a1f97d38342a5715bad628ee24000b08e821e

x-pack/plugin/security/licenses/opensaml-messaging-api-3.3.0.jar.sha1

@@ -0,0 +1 @@
+6cb4595c7a988d964f6a2d55dcac754b0c68904e

x-pack/plugin/security/licenses/opensaml-messaging-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+bef43d21b2d878baceae291af4a0ad3449c7d7ec

x-pack/plugin/security/licenses/opensaml-messaging-impl-3.3.0.jar.sha1

@@ -0,0 +1 @@
+ecf4a9552575d38cffd4dc56d95e7564b7dccfc1

x-pack/plugin/security/licenses/opensaml-messaging-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+15cbb232ae6665edc5df5f260e551e69fdb362e5

x-pack/plugin/security/licenses/opensaml-profile-api-3.3.0.jar.sha1

@@ -0,0 +1 @@
+b2bc1aa5b0f400aa50499f3783b10e9f7c216a47

x-pack/plugin/security/licenses/opensaml-profile-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+c497df002980c6e482ce7b828924bb24f60f99f7

x-pack/plugin/security/licenses/opensaml-profile-impl-3.3.0.jar.sha1

@@ -0,0 +1 @@
+30ed8d37259e840df5b3fd8daf7b654129a9190c

x-pack/plugin/security/licenses/opensaml-profile-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+a984671fd04e50da03f68003d2b062578e63ec86

x-pack/plugin/security/licenses/opensaml-saml-api-3.3.0.jar.sha1

@@ -0,0 +1 @@
+a4b828fe1a9d64953ecdd8a9e00ff31b63ad6ef0

x-pack/plugin/security/licenses/opensaml-saml-api-3.4.5.jar.sha1

@@ -0,0 +1 @@
+a1b10f97deca1e3405f95db5b39697c0d46f5e0d

x-pack/plugin/security/licenses/opensaml-saml-impl-3.3.0.jar.sha1

@@ -0,0 +1 @@
+d46cb9854a1ff85bea34ece7077bc32dbc2f10da

x-pack/plugin/security/licenses/opensaml-saml-impl-3.4.5.jar.sha1

@@ -0,0 +1 @@
+cb43326f02e3e77526c24269c8b5d3cc3f7f6653