Op-21881:CVE-fixes with java-17 and spring-boot upgrade-v4.0 (#466)

.github/workflows/build.yml

@@ -25,7 +25,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: 'zulu'
           cache: 'gradle'
       - name: Prepare build variables

.github/workflows/pr.yml

@@ -19,7 +19,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: 'zulu'
           cache: 'gradle'
       - name: Prepare build variables

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: 'zulu'
           cache: 'gradle'
       - name: Assemble release info

Build-push.sh

@@ -5,12 +5,12 @@ git --version
 docker --version
 
 # To Run Gradale Build need to have Java Vesion 1.11.+
-export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
+export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
 
 # Setting JAVA_HOME to System PATH
 export PATH=$PATH:$JAVA_HOME
 
-# Get the Shorter format of Git-SHA 
+# Get the Shorter format of Git-SHA
 export GITHASH=`git rev-parse --short HEAD`
 
 # Get the BUILD Date
@@ -19,7 +19,7 @@ export BUILDDATE=`date -u +"%Y%m%d%H%M"`
 # For Assiging the Gradle Resources
 export GRADLE_OPTS="-Xmx6g -Xms6g"
 
-# The Current Build ID 
+# The Current Build ID
 echo "Build id is --------------------- $BUILD_ID"
 
 # Gradle command  to Produce the Dependant targetfiles for Docker build
@@ -29,29 +29,29 @@ cp docker/custom-plugin.json custom-plugin.json
 
    # Assigning Rhel Image Name according to Quay.io Details
    IMAGENAME="quay.io/opsmxpublic/ubi8-oes-gate:${GITHASH}-${BUILD_NUMBER}"
-   
+
    # Assigning Rhel Image Name according to Docker.io Details
-   RELEASE_IMAGENAME="opsmx11/ubi8-oes-gate:${GITHASH}-${BUILD_NUMBER}"  
+   RELEASE_IMAGENAME="opsmx11/ubi8-oes-gate:${GITHASH}-${BUILD_NUMBER}"
+
 
-
    # To Build Docker image with Given Docker File
-   docker build -t $IMAGENAME .  -f  ${DOCKERFILE_PATH} --no-cache  --build-arg CUSTOMPLUGIN_RELEASEVERSION=${CUSTOMPLUGIN_RELEASEVERSION} 
-   
+   docker build -t $IMAGENAME .  -f  ${DOCKERFILE_PATH} --no-cache  --build-arg CUSTOMPLUGIN_RELEASEVERSION=${CUSTOMPLUGIN_RELEASEVERSION}
+
    # Create new Image Tag for Docker.io with the previous Build
    docker tag $IMAGENAME $RELEASE_IMAGENAME
-   
+
    # Quay.io login
    docker login -u $quay_user -p $quay_pass quay.io
-   
+
    # To Push the Docker image into Quay.io
    docker push $IMAGENAME
 
    # Docker.io login
    docker login -u $docker_user -p $docker_pass docker.io
-   
+
    # To Push the Docker image into Quay.io
    docker push $RELEASE_IMAGENAME
-   
+
    echo "Gate: ${IMAGENAME}"
 
 # Quay Image Name as Artifact

Dockerfile

@@ -1,11 +1,11 @@
 FROM registry.access.redhat.com/ubi8/ubi:8.3
 MAINTAINER sig-platform@spinnaker.io
 COPY ./gate-web/build/install/gate /opt/gate
-RUN yum -y install java-11-openjdk-headless.x86_64 wget vim curl net-tools nettle
+RUN yum -y install java-17-openjdk-headless.x86_64 wget vim curl net-tools nettle
 RUN yum -y update
 RUN adduser spinnaker
-RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins 
-####adding customplugin zip 
+RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins
+####adding customplugin zip
 ARG CUSTOMPLUGIN_RELEASEVERSION
 ENV CUSTOMPLUGIN_RELEASEVERSION=$CUSTOMPLUGIN_RELEASEVERSION
 COPY custom-plugin.json /opt/spinnaker/plugins/plugins.json
@@ -16,7 +16,7 @@ RUN wget -O VerificationPlugin-v1.0.1-SNAPSHOT.zip -c https://github.com/OpsMx/C
 RUN mv VerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv TestVerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv policyPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
-    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ 
+    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/
 
 RUN sed -i 's/"VERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/VerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \
     && sed -i 's/"TESTVERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/TestVerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \

build.gradle

@@ -7,21 +7,33 @@ plugins {
 
 allprojects {
   apply plugin: 'io.spinnaker.project'
+  repositories {
+    mavenLocal()
+    mavenCentral()
+  }
+  tasks.withType( Copy).all {
+    duplicatesStrategy 'exclude'
+  }
 
   group = "io.spinnaker.gate"
 
-  if (name != "gate-bom") {
-    apply plugin: 'java-library'
-    apply plugin: 'groovy'
+
 
     if ([korkVersion, fiatVersion].find { it.endsWith('-SNAPSHOT') }) {
       repositories {
         mavenLocal()
         maven{
           url "https://nexus.opsmx.net/repository/maven-snapshots/"
+          credentials {
+            username = "NEXUS_USERNAME"
+            password = "NEXUS_PASSWORD"
+          }
         }
       }
     }
+  if (name != "gate-bom" && name != "gate-api") {
+    apply plugin: 'java-library'
+    apply plugin: 'groovy'
 
     repositories {
       maven { url 'https://build.shibboleth.net/nexus/content/repositories/releases/' }
@@ -36,44 +48,49 @@ allprojects {
       compileOnly "org.projectlombok:lombok"
       annotationProcessor "org.projectlombok:lombok"
       testAnnotationProcessor "org.projectlombok:lombok"
-      compile("org.springframework.cloud:spring-cloud-starter-vault-config")
-      compile("io.micrometer:micrometer-registry-prometheus")
 
-
-      implementation "org.codehaus.groovy:groovy"
-      implementation "net.logstash.logback:logstash-logback-encoder"
+      implementation "org.apache.groovy:groovy:4.0.9"
+      implementation "net.logstash.logback:logstash-logback-encoder:4.11"
       implementation "org.jetbrains.kotlin:kotlin-reflect"
+      implementation "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.6.0"
 
       testImplementation "org.spockframework:spock-core"
       testImplementation "org.spockframework:spock-spring"
       testImplementation "org.springframework.boot:spring-boot-starter-test"
       testImplementation "org.hamcrest:hamcrest-core"
-      testRuntimeOnly "cglib:cglib-nodep"
-      testRuntimeOnly "org.junit.vintage:junit-vintage-engine"
+      testRuntimeOnly "cglib:cglib-nodep:3.3.0"
       testRuntimeOnly "org.objenesis:objenesis"
     }
 
+    java {
+      sourceCompatibility = JavaVersion.VERSION_17
+      targetCompatibility = JavaVersion.VERSION_17
+    }
+
     configurations.all {
-      exclude group: 'javax.servlet', module: 'servlet-api'
       exclude group: 'javax.servlet', module: 'javax.servlet-api'
-      resolutionStrategy.eachDependency { DependencyResolveDetails details ->
-        if (details.requested.group == 'org.apache.logging.log4j') {
-          details.useVersion '2.17.1'
-        }
-      }
+   //   exclude group: 'javax.servlet', module: 'servlet-api'
     }
 
-    tasks.withType(JavaExec) {
-      if (System.getProperty('DEBUG', 'false') == 'true') {
-        jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8184'
-      }
+  }
+
+  tasks.withType(JavaExec) {
+    if (System.getProperty('DEBUG', 'false') == 'true') {
+      jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8184'
     }
+  }
 
-    test {
-      testLogging {
-        exceptionFormat = 'full'
+  test {
+    testLogging {
+      exceptionFormat = 'full'
+      afterSuite { desc, result ->
+        if (!desc.parent) {
+          println "Results: ${result.resultType} (${result.testCount} tests, ${result.successfulTestCount} successes, ${result.failedTestCount} failures, ${result.skippedTestCount} skipped)"
+          println "Report file: ${reports.html.entryPoint}"
+        }
       }
     }
+    useJUnitPlatform()
   }
 }
 

docker/ubi8/Dockerfile

@@ -1,11 +1,11 @@
 FROM registry.access.redhat.com/ubi8/ubi:8.3
 MAINTAINER sig-platform@spinnaker.io
 COPY ./gate-web/build/install/gate /opt/gate
-RUN yum -y install java-11-openjdk-headless.x86_64 wget vim curl net-tools nettle tzdata-java
+RUN yum -y install java-17-openjdk-headless.x86_64 wget vim curl net-tools nettle tzdata-java
 RUN yum -y update
 RUN adduser spinnaker
-RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins 
-####adding customplugin zip 
+RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins
+####adding customplugin zip
 ARG CUSTOMPLUGIN_RELEASEVERSION
 ENV CUSTOMPLUGIN_RELEASEVERSION=$CUSTOMPLUGIN_RELEASEVERSION
 COPY custom-plugin.json /opt/spinnaker/plugins/plugins.json
@@ -16,8 +16,8 @@ RUN wget -O VerificationPlugin-v1.0.1-SNAPSHOT.zip -c https://github.com/OpsMx/C
 RUN mv VerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv TestVerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv policyPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
-    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ 
-    
+    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/
+
 RUN sed -i 's/"VERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/VerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \
     && sed -i 's/"TESTVERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/TestVerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \
     && sed -i 's/"POLICY_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/policyPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \

docker/ubi8/Gate-Dockerfile

@@ -1,11 +1,11 @@
 FROM registry.access.redhat.com/ubi8/ubi:8.3
 MAINTAINER sig-platform@spinnaker.io
 COPY ./gate-web/build/install/gate /opt/gate
-RUN yum -y install java-11-openjdk-headless.x86_64 wget vim curl net-tools nettle
+RUN yum -y install java-17-openjdk-headless.x86_64 wget vim curl net-tools nettle
 RUN yum -y update
 RUN adduser spinnaker
-RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins 
-####adding customplugin zip 
+RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins
+####adding customplugin zip
 ARG CUSTOMPLUGIN_RELEASEVERSION
 ENV CUSTOMPLUGIN_RELEASEVERSION=$CUSTOMPLUGIN_RELEASEVERSION
 COPY custom-plugin.json /opt/spinnaker/plugins/plugins.json
@@ -16,7 +16,7 @@ RUN wget -O VerificationPlugin-v1.0.1-SNAPSHOT.zip -c https://github.com/OpsMx/C
 RUN mv VerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv TestVerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv policyPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
-    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ 
+    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/
 
 RUN sed -i 's/"VERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/VerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \
     && sed -i 's/"TESTVERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/TestVerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \

docker_build/Dockerfile.prod

@@ -1,12 +1,12 @@
-FROM quay.io/opsmxpublic/ubi8-jre-11:v1
+FROM quay.io/opsmxpublic/ubi8-jre-17:v1
 MAINTAINER OpsMx
 
 # Add user opsmx and create logs and spinnaker config directory
 RUN adduser opsmx \
     && usermod -aG wheel opsmx \
     && mkdir -p /opsmx/workdir/logs \
     && mkdir -p /opt/spinnaker/config \
-    && mkdir -p /opt/spinnaker/plugins 
+    && mkdir -p /opt/spinnaker/plugins
 
 # Install procps(ps)
 RUN yum install -y wget

docker_build/Dockerfile.rhel8-ubi8

@@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/ubi:latest
+FROM quay.io/opsmxpublic/ubifips:8.7
+#FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7 as java-base
 MAINTAINER OpsMx
 
 # Disable old version and uninstalling
@@ -17,16 +18,16 @@ RUN adduser opsmx \
 
 # Install procps(ps)
 RUN yum install -y procps nginx net-tools wget
-# Install java 11
-RUN yum -y install tzdata-java java-11-openjdk-headless.x86_64
+# Install java 17
+RUN yum -y install tzdata-java java-17-openjdk-headless.x86_64
 # Install ping
 RUN yum install -y iputils
 
 RUN yum -y update
 
 #######Gate Dependencies#########
 ENV WORK_DIR=/opsmx/workdir
-ENV JAVA_HOME=/usr/lib/jvm/jre-11-openjdk
+ENV JAVA_HOME=/usr/lib/jvm/jre-17-openjdk
 COPY /docker_build/run.sh /usr/local/bin/run.sh
 RUN  chmod +x /usr/local/bin/run.sh
 COPY /docker_build/gate.yml /opt/spinnaker/config/

gate-api-tck/gate-api-tck.gradle

@@ -5,5 +5,6 @@ dependencies {
   implementation(project(":gate-web"))
 
   api("org.springframework.boot:spring-boot-starter-test")
-  api("dev.minutest:minutest")
+  api("dev.minutest:minutest:1.13.0")
+  api("io.mockk:mockk:1.10.5")
 }

gate-basic/src/main/java/com/netflix/spinnaker/gate/security/basic/BasicAuthConfig.java

@@ -26,13 +26,13 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.session.web.http.DefaultCookieSerializer;
 
@@ -41,7 +41,7 @@
 @SpinnakerAuthConfig
 @EnableWebSecurity
 @Slf4j
-public class BasicAuthConfig extends WebSecurityConfigurerAdapter {
+public class BasicAuthConfig {
 
   private final AuthConfig authConfig;
 
@@ -90,18 +90,14 @@ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
     auth.authenticationProvider(authProvider);
   }
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+  @Bean
+  public SecurityFilterChain configure(HttpSecurity http) throws Exception {
     defaultCookieSerializer.setSameSite(null);
     http.formLogin()
         .and()
         .httpBasic()
         .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
     authConfig.configure(http);
-  }
-
-  @Override
-  public void configure(WebSecurity web) throws Exception {
-    authConfig.configure(web);
+    return http.build();
   }
 }