Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BackPort]: Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 #185

Merged
merged 2 commits into from
Feb 6, 2024
Merged

[BackPort]: Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 #185

merged 2 commits into from
Feb 6, 2024

Conversation

Pankaj260100
Copy link
Member

Description

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

KeerthanaSrikanth and others added 2 commits February 2, 2024 14:30
@KeerthanaSrikanth @Pankaj260100
Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)
34e438b 
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
@Pankaj260100
pac4j: fix incompatible dependencies + authorization regression (apac…
4f0caed 
…he#15753)

- After upgrading the pac4j version in: apache#15522. We were not able to access the druid ui. 
- Upgraded the Nimbus libraries version to a compatible version to pac4j.
- In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action.
@Pankaj260100 Pankaj260100 requested review from a team as code owners February 2, 2024 09:13
pagrawal10
pagrawal10 approved these changes Feb 2, 2024
View reviewed changes
Copy link

@pagrawal10 pagrawal10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Already approved in upstream.

@pagrawal10 pagrawal10 merged commit 62d8a38 into 28.0.1-confluent Feb 6, 2024
3 checks passed
@pagrawal10 pagrawal10 deleted the pankaj/CherryPickPac4j branch February 6, 2024 07:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pagrawal10 pagrawal10 pagrawal10 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Pankaj260100 @pagrawal10 @KeerthanaSrikanth