From 56ef71d6e03a6d7a068b7c2f92fe7beca005e838 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Tue, 7 Jan 2025 17:40:18 +0100
Subject: [PATCH 1/6] version upgrades, but no upgrade to SpringBoot 3.4.1 because Hibernate seems to be incompatible

---
 build.gradle | 30 +++++++++----------
 .../HsUnixUserHostingAssetValidator.java | 2 ++
 .../HsHostingAssetControllerRestTest.java | 2 +-
 3 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/build.gradle b/build.gradle
index dbc43589..c561bae9 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,11 +1,11 @@
 plugins {
 id 'java'
- id 'org.springframework.boot' version '3.3.4'
- id 'io.spring.dependency-management' version '1.1.6'
+ id 'org.springframework.boot' version '3.3.7'
+ id 'io.spring.dependency-management' version '1.1.7'
 id 'io.openapiprocessor.openapi-processor' version '2023.2'
 id 'com.github.jk1.dependency-license-report' version '2.9'
- id "org.owasp.dependencycheck" version "10.0.4"
- id "com.diffplug.spotless" version "6.25.0"
+ id "org.owasp.dependencycheck" version "11.1.1"
+ id "com.diffplug.spotless" version "7.0.0"
 id 'jacoco'
 id 'info.solidsoft.pitest' version '1.15.0'
 id 'se.patrikerdes.use-latest-versions' version '0.2.18'
@@ -60,19 +60,19 @@ dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-validation'
 implementation 'org.springframework.boot:spring-boot-starter-actuator'
 implementation 'org.springframework.boot:spring-boot-starter-security'
- implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.9.2'
+ implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.10.0'
 implementation 'org.springdoc:springdoc-openapi:2.6.0'
 implementation 'org.postgresql:postgresql:42.7.4'
- implementation 'org.liquibase:liquibase-core:4.29.2'
- implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.8.3'
- implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.0'
+ implementation 'org.liquibase:liquibase-core:4.30.0'
+ implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.9.0'
+ implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.2'
 implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
- implementation 'org.apache.commons:commons-text:1.12.0'
- implementation 'net.java.dev.jna:jna:5.15.0'
- implementation 'org.modelmapper:modelmapper:3.2.1'
+ implementation 'org.apache.commons:commons-text:1.13.0'
+ implementation 'net.java.dev.jna:jna:5.16.0'
+ implementation 'org.modelmapper:modelmapper:3.2.2'
 implementation 'org.iban4j:iban4j:3.2.10-RELEASE'
 implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
- implementation 'org.webjars:swagger-ui:5.17.14'
+ implementation 'org.webjars:swagger-ui:5.18.2'
 implementation 'org.reflections:reflections:0.10.2'
 compileOnly 'org.projectlombok:lombok'
@@ -112,8 +112,8 @@ tasks.withType(JavaCompile) {
 // Configure tests
 tasks.named('test') {
 useJUnitPlatform()
- jvmArgs '-Duser.language=en'
- jvmArgs '-Duser.country=US'
+ jvmArgs += '-Duser.language=en'
+ jvmArgs += '-Duser.country=US'
 }
 // OpenAPI Source Code Generation
@@ -205,7 +205,7 @@ openApiGenerate.dependsOn processSpring
 spotless {
 java {
 removeUnusedImports()
- indentWithSpaces(4)
+ leadingTabsToSpaces(4)
 endWithNewline()
 toggleOffOn()
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java
index 024866c2..8cf6b75d 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java
@@ -6,6 +6,7 @@ import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType;
 import net.hostsharing.hsadminng.hs.validation.PropertiesProvider;
 import jakarta.persistence.EntityManager;
+import jakarta.persistence.FlushModeType;
 import java.util.regex.Pattern;
 import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
@@ -53,6 +54,7 @@ class HsUnixUserHostingAssetValidator extends HostingAssetEntityValidator {
 }
 private static Integer computeUserId(final EntityManager em, final PropertiesProvider propertiesProvider) {
+ em.setFlushMode(FlushModeType.COMMIT);
 final Object result = em.createNativeQuery("SELECT nextval('hs_hosting.asset_unixuser_system_id_seq')", Integer.class)
 .getSingleResult();
 return (Integer) result;
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerRestTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerRestTest.java
index ffc97a63..be1eaef9 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerRestTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerRestTest.java
@@ -20,11 +20,11 @@ import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.context.TestConfiguration;
-import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
+import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-- 
2.39.5

From fdb3bd3897d65f9566f0d8b7346fcdcf760bbab5 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Tue, 7 Jan 2025 18:08:12 +0100
Subject: [PATCH 2/6] exclude CVE-2024-12798

---
 etc/owasp-dependency-check-suppression.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/etc/owasp-dependency-check-suppression.xml b/etc/owasp-dependency-check-suppression.xml
index b407e289..52fe065c 100644
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@@ -9,8 +9,12 @@ - CVE-2024-9329 + ^pkg:maven/ch\.qos\.logback/logback-core@.*$ + cpe:/a:qos:logback + CVE-2024-12798 +
-- 
2.39.5

From 0bd50fba9063856ef13ad1e0b401aea84c95c6dd Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Wed, 8 Jan 2025 09:49:53 +0100
Subject: [PATCH 3/6] remove setFlusMode(COMMIT) - belongs to SpringBoot 3.4.x upgrade and revert jvmArgs via +=

---
 build.gradle | 4 ++--
 .../asset/validators/HsUnixUserHostingAssetValidator.java | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index c561bae9..6f254509 100644
--- a/build.gradle
+++ b/build.gradle
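Review bot: The new suppression for CVE-2024-12798 matches every logback-core version (`^pkg:maven/ch\.qos\.logback/logback-core@.*$`) and, as far as this stripped-down hunk shows, carries neither an `until` expiry nor a `notes` rationale, so it will keep hiding the finding after the project moves to a Spring Boot release that ships a fixed logback. Pin the packageUrl regex to the version actually resolved and add `until="YYYY-MM-DDZ"` (placeholder date) plus a `notes` element recording why the finding is judged not exploitable here, so the entry gets re-evaluated instead of silently inherited. Also check the `cpe:/a:qos:logback` line: a `cpe` entry in a dependency-check suppression removes that CPE identification as a whole, i.e. every CVE attached to it, which is broader than the single CVE the commit subject names; if only this CVE is meant, drop the `cpe` element. The XML markup appears to have been lost in this rendering, so the exact element structure should be confirmed in the file itself.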
@@ -112,8 +112,8 @@ tasks.withType(JavaCompile) {
 // Configure tests
 tasks.named('test') {
 useJUnitPlatform()
- jvmArgs += '-Duser.language=en'
- jvmArgs += '-Duser.country=US'
+ jvmArgs '-Duser.language=en'
+ jvmArgs '-Duser.country=US'
 }
 // OpenAPI Source Code Generation
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java
index 8cf6b75d..024866c2 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsUnixUserHostingAssetValidator.java
@@ -6,7 +6,6 @@ import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType;
 import net.hostsharing.hsadminng.hs.validation.PropertiesProvider;
 import jakarta.persistence.EntityManager;
-import jakarta.persistence.FlushModeType;
 import java.util.regex.Pattern;
 import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
@@ -54,7 +53,6 @@ class HsUnixUserHostingAssetValidator extends HostingAssetEntityValidator {
 }
 private static Integer computeUserId(final EntityManager em, final PropertiesProvider propertiesProvider) {
- em.setFlushMode(FlushModeType.COMMIT);
 final Object result = em.createNativeQuery("SELECT nextval('hs_hosting.asset_unixuser_system_id_seq')", Integer.class)
 .getSingleResult();
 return (Integer) result;
-- 
2.39.5

From 329122347d1ee2d324f2e22417282e13f79af631 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Wed, 8 Jan 2025 12:34:18 +0100
Subject: [PATCH 4/6] Swagger-UI on actuator-port to bypass CAS, also enables /actuator/mappings endpoint

---
 README.md | 2 +-
 src/main/resources/application.yml | 6 +++++-
 .../hsadminng/config/WebSecurityConfigIntegrationTest.java | 4 ++--
 src/test/resources/application.yml | 4 ++++
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index cfa7f45f..a015f73c 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,7 @@ Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
 If you want a formatted JSON output, you can pipe the result to `jq` or similar.
-And to see the full, currently implemented, API, open http://localhost:8080/swagger-ui/index.html.
+And to see the full, currently implemented, API, open http://localhost:8081/actuator/swagger-ui/index.html (uses management-port and thus bypasses authentication).
 If you still need to install some of these tools, find some hints in the next chapters.
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 69ad1e1b..f6a6fe88 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -9,7 +9,7 @@ management:
 web:
 exposure:
 # HOWTO: view _clickable_ Spring Actuator (Micrometer) Metrics endpoints: http://localhost:8081/actuator/metric-links
- include: info, health, metrics, metric-links
+ include: info, health, metrics, metric-links, mappings, openapi, swaggerui
 observations:
 annotations:
 enabled: true
@@ -30,6 +30,10 @@ spring:
 hibernate:
 dialect: net.hostsharing.hsadminng.config.PostgresCustomDialect
+# keep this in sync with test/.../application.yml
+springdoc:
+ use-management-port: true
+
 liquibase:
 contexts: dev
diff --git a/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
index 586702c2..00444c3a 100644
--- a/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
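Review bot: The new `include` line in the first `application.yml` hunk exposes `mappings` (a dump of every request-handler route of the application) together with `openapi` and `swaggerui` on the management port, and the README change in this same commit describes that port as bypassing authentication. That is only acceptable if the management port cannot be reached from untrusted networks; nothing in the hunk binds it to a specific interface or puts it behind the security filter chain. Please confirm the deployment binds it locally or to an ops-only interface (Spring Boot's `management.server.address` property, e.g. `management.server.address: 127.0.0.1`) and record that assumption next to the exposure list, e.g. `# management port is unauthenticated: must only be reachable from the host / ops network`.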
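Review bot: In the second `src/main/resources/application.yml` hunk the new top-level `springdoc:` block is inserted directly in front of `liquibase:` / `contexts: dev`; indentation is not visible in this rendering, but the hunk context `spring:` and the test profile (where `liquibase` sits under `spring`) suggest those two lines are indented under `spring:`. If that is the case, YAML now parses them as `springdoc.liquibase.contexts`, `spring.liquibase.contexts` is no longer set, and the `dev` context filter is silently lost (Liquibase then runs changesets regardless of their context). Move the `springdoc:` block below the last `spring.*` key — for example right before `management:` or at the end of the file — and confirm at startup that the Liquibase context still resolves to `dev`.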
@@ -82,14 +82,14 @@ class WebSecurityConfigIntegrationTest {
 @Test
 public void shouldSupportSwaggerUi() {
 final var result = this.restTemplate.getForEntity(
- "http://localhost:" + this.managementPort + "/swagger-ui/index.html", String.class);
+ "http://localhost:" + this.managementPort + "/actuator/swagger-ui/index.html", String.class);
 assertThat(result.getStatusCode()).isEqualTo(HttpStatus.OK);
 }
 @Test
 public void shouldSupportApiDocs() {
 final var result = this.restTemplate.getForEntity(
- "http://localhost:" + this.managementPort + "/v3/api-docs/swagger-config", String.class);
+ "http://localhost:" + this.managementPort + "/actuator/v3/api-docs/swagger-config", String.class);
 assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND); // permitted but not configured
 }
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
index a69f8aa1..954bdd63 100644
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@@ -39,6 +39,10 @@ spring:
 change-log: classpath:/db/changelog/db.changelog-master.yaml
 contexts: tc,test,dev,pg_stat_statements
+# keep this in sync with main/.../application.yml
+springdoc:
+ use-management-port: true
+
 logging:
 level:
 liquibase: WARN
-- 
2.39.5

From 3b39f1035e46da4c457a3c28c287e6ca59110651 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Thu, 9 Jan 2025 08:43:34 +0100
Subject: [PATCH 5/6] revert some version upgrades which caused problems => generally working versions

---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 6f254509..7430d964 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 plugins {
 id 'java'
- id 'org.springframework.boot' version '3.3.7'
+ id 'org.springframework.boot' version '3.3.4' // FIXME: 3.3.7
 id 'io.spring.dependency-management' version '1.1.7'
 id 'io.openapiprocessor.openapi-processor' version '2023.2'
 id 'com.github.jk1.dependency-license-report' version '2.9'
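Review bot: `shouldSupportApiDocs` still asserts `HttpStatus.NOT_FOUND` for the new `/actuator/v3/api-docs/swagger-config` URL, so it passes for any nonexistent path and does not show that the API docs are reachable on the management port, which is exactly what this commit configures (`springdoc.use-management-port: true` plus the `openapi` actuator endpoint). In management-port mode springdoc serves the docs under the `openapi` actuator endpoint (`/actuator/openapi`; please confirm the exact path against the springdoc version in use), so the test should request that path and expect `HttpStatus.OK`, and the `// permitted but not configured` comment should go with it. If a 404 on the legacy path is itself a deliberate expectation, keep that as a separate test whose name says so, e.g. `shouldNotServeApiDocsOnLegacyPath`. The enclosing class continues outside the hunk.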
@@ -72,13 +72,13 @@ dependencies {
 implementation 'org.modelmapper:modelmapper:3.2.2'
 implementation 'org.iban4j:iban4j:3.2.10-RELEASE'
 implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
- implementation 'org.webjars:swagger-ui:5.18.2'
+ // implementation 'org.webjars:swagger-ui:5.17.14' // FIXME: remove
 implementation 'org.reflections:reflections:0.10.2'
 compileOnly 'org.projectlombok:lombok'
 testCompileOnly 'org.projectlombok:lombok'
- developmentOnly 'org.springframework.boot:spring-boot-devtools'
+ // FIXME: developmentOnly 'org.springframework.boot:spring-boot-devtools'
 annotationProcessor 'org.projectlombok:lombok'
 testAnnotationProcessor 'org.projectlombok:lombok'
-- 
2.39.5

From e945f9ac79614e65df4427f6e3b5c83a5807c9de Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Thu, 9 Jan 2025 08:57:27 +0100
Subject: [PATCH 6/6] upgrade to 'org.springframework.boot' version '3.3.7', still generally working

---
 build.gradle | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 7430d964..7646a33b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 plugins {
 id 'java'
- id 'org.springframework.boot' version '3.3.4' // FIXME: 3.3.7
+ id 'org.springframework.boot' version '3.3.7'
 id 'io.spring.dependency-management' version '1.1.7'
 id 'io.openapiprocessor.openapi-processor' version '2023.2'
 id 'com.github.jk1.dependency-license-report' version '2.9'
@@ -72,7 +72,6 @@ dependencies {
 implementation 'org.modelmapper:modelmapper:3.2.2'
 implementation 'org.iban4j:iban4j:3.2.10-RELEASE'
 implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
- // implementation 'org.webjars:swagger-ui:5.17.14' // FIXME: remove
 implementation 'org.reflections:reflections:0.10.2'
 compileOnly 'org.projectlombok:lombok'
-- 
2.39.5