2020-08-21
Shibboleth Developer's Meeting, 2020-08-21
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-09-04. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
Attendees:
Brent
- IDP-1657
- Fun with TLS! We see different behavior when connecting to newer vs older target Linux systems with different versions of openssl. Trying to confirm.
Daniel
Henri
- Polishing JOIDC-5
- Testing client secret value resolution on test deployment
- Polishing the configuration XMLs (also help documentation)
- Preliminary study of JOIDC-13
Ian
- Mostly complete: GEN-264
- gitolite-config and personal repositories still unconverted. Probably declaring victory, assuming people don't think it's worth fixing gitolite-config (would require changes to Gitolite itself).
- Meanwhile, I observe that the main branch in java-idp-jetty-base and java-idp-tomcat-base is surplus to requirements.
- Proposal: remove the main branch in these two repositories and set HEAD to the most recent numbered branch (e.g., 9.4 for java-idp-jetty-base).
ok with me --Tom
- Progress on JPAR-132 (for MDA-65)
- Have this working on one module (the important one) in java-metadata-aggregator. You can see it as part of the site for the product here:
- Changes seem minimal:
- Needs a build plugin instance and a reporting plugin instance.
- Need to add test to the command line used to build the site, or it doesn't include it (probably fixable, if we care).
- We could probably add these to the parent POM if we wanted this everywhere. I don't know if it would work everywhere, of course.
- There's a Jenkins plugin to allow you to graph a summary from job results, perhaps the nightlies? Not using that yet.
- Example output from mvn clean verify (with <haltOnFailure>false</haltOnFailure>):
[WARNING] Rule violated for bundle aggregator-pipeline: classes missed count is 4, but expected maximum is 0
[WARNING] Rule violated for package net.shibboleth.metadata.pipeline: instructions covered ratio is 0.69, but expected minimum is 0.80
[WARNING] Rule violated for package net.shibboleth.metadata.pipeline: classes missed count is 3, but expected maximum is 0
[WARNING] Rule violated for package net.shibboleth.metadata.dom: instructions covered ratio is 0.78, but expected minimum is 0.80
[WARNING] Rule violated for package net.shibboleth.metadata: classes missed count is 1, but expected maximum is 0
[WARNING] Rule violated for package net.shibboleth.metadata.dom.impl: instructions covered ratio is 0.67, but expected minimum is 0.80
[WARNING] Rule violated for package net.shibboleth.metadata.pipeline.impl: instructions covered ratio is 0.75, but expected minimum is 0.80
John
Marvin
Phil
- Some leave, plus one more day tomorrow so will not be able to attend.
- Closed JDUO-10 thanks to Scott's work on IDP-1652
- Spent some time understanding where the supported principals were set, overridden, and used in order to (I think) add a strategy sensibly to the Duo validation action e.g. JDUO-5 (leaving open for now).
- Updated to the latest Duo SDK (JDUO-4). Adds more validation including id_token authentication.
- Plugin POM now has the java-parent as the parent, works well. Updated to make explicit SLF4J in the plugin.
- Still, cleanups and tickets left.
Rod
- Plugin management. Installation now works (as does listing).
- Update is all that's left
- Plus bugs
- Plus tweaks:
- UI work sucks. The plugin interface will need extensive feedback. Right now my approach is "The Perfect Is The Enemy Of The Good"
- Thinking about optional config files - I'd like to discuss briefly.
Scott
- More support stuff than usual
- JPAR-171
- IDP-1652
- IDP-1642
- Work all over the map on configuration, auto-wiring collections of configuration objects
- Eliminated two existing files for the majority of deployers (some properties added or reworked to get at settings, so property file added)
- Working on more property-driven settings for authentication flows
- Will need to revamp more internals to autowire more objects like Principal serializers, Transcoder naming registry, all the lists that cause problems for plugins
- Going from basic to advanced cases probably will need to rely on some way to document or produce XML snippets
Tom
- Still need to patch ec2.s.n
- Slack #infra channel to communicate server downtime? Invite or add everyone?
- Any advice re EC2 backups?
- Tests:
- troubleshooting test failures
- working on improving logging to make troubleshooting easier
- revisiting multi-configuration integ tests
- FWIW dependency PGP / checksum pinning:
- "central" map: https://github.com/s4u/pgp-keys-map/blob/master/resources/pgp-keys-map.list
- issue from which map was created: https://github.com/s4u/pgpverify-maven-plugin/issues/48
- overview: https://medium.com/@vladimirsitniko/dependency-verification-checksum-vs-pgp-582e76207019
- example request to associate PGP keys with project: https://github.com/spring-projects/spring-framework/issues/23434
- Bazel:
https://en.wikipedia.org/wiki/Bazel_(software)
https://github.com/bazelbuild/rules_jvm_external#pinning-artifacts-and-integration-with-bazels-downloader
Other