security review for archetypes (helidon-io#8445)
Signed-off-by: Maxim Nesen <maxim.nesen@oracle.com>
senivam authored and hrstoyanov committed Mar 12, 2024
1 parent 137d3a6 commit e10aeeb
Showing 8 changed files with 29 additions and 29 deletions.
Binary file not shown.
Expand Up @@ -292,7 +292,7 @@ docker run --rm --name mysql -p 3306:3306 \
-e MYSQL_ROOT_PASSWORD=root \
-e MYSQL_DATABASE=pokemon \
-e MYSQL_USER=user \
-e MYSQL_PASSWORD=password \
-e MYSQL_PASSWORD=changeit \
mysql:5.7
```
]]></value>
Expand All @@ -318,7 +318,7 @@ docker run --rm --name mysql -p 3306:3306 \
<value key="jdbcDataSource">com.mysql.cj.jdbc.MysqlDataSource</value>
<value key="databaseUrl">jdbc:mysql://127.0.0.1:3306/pokemon?useSSL=false</value>
<value key="dbUser">user</value>
<value key="userPassword">password</value>
<value key="userPassword">changeit</value>
</model>
</output>
</method>
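Review bot: `MYSQL_ROOT_PASSWORD=root` on the line above the changed `MYSQL_PASSWORD` is still a real-looking default, while the user password now carries the `changeit` placeholder the commit introduces everywhere else; for the same review intent it should read `-e MYSQL_ROOT_PASSWORD=changeit \`. The same docker snippet, with the same untouched root password, appears in the third file section of this commit. The generated `databaseUrl` keeps `useSSL=false`, which is fine for the local container but deserves a one-line remark in the template, e.g. `<!-- useSSL=false is for the local docker instance only -->`, so it is not carried into a real deployment unchanged.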
Expand Up @@ -5,7 +5,7 @@
- key-id: "service1-hmac"
principal-name: "Service1 - HMAC signature"
# See [EncryptionFilter](https://helidon.io/docs/latest/apidocs/io.helidon.config.encryption/io/helidon/config/encryption/EncryptionFilter.html) for details about encrypting passwords in configuration files.
hmac.secret: "somePasswordForHmacShouldBeEncrypted"
hmac.secret: "changeit"
- key-id: "service1-rsa"
principal-name: "Service1 - RSA signature"
public-key:
Expand All @@ -17,6 +17,6 @@
# defaults to jdk default
# keystore-type: "PKCS12"
# password of the keystore
passphrase: "password"
passphrase: "changeit"
# alias of the certificate to get public key from
cert.alias: "service_cert"
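Review bot: The new `passphrase: "changeit"` in the second hunk must equal the passphrase the bundled keystore was created with; the commit lists a binary file that is not rendered, presumably the regenerated keystore, but that should be confirmed because a mismatch only surfaces at runtime when the RSA public key is loaded. The same passphrase is hard-coded in the `.keystore(Resource.create("keystore.p12"))` builder calls of the last file section and must stay in step. Replacing `somePasswordForHmacShouldBeEncrypted` with `changeit` also drops the reminder that lived in the value itself; the comment above `hmac.secret` still links EncryptionFilter, so extend it to `# placeholder value: replace and encrypt (see EncryptionFilter) before use`.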
Expand Up @@ -69,7 +69,7 @@ For details, see https://www.h2database.com/html/cheatSheet.html
<list key="db-connection">
<value><![CDATA[ url: jdbc:mysql://127.0.0.1:3306/pokemon?useSSL=false
username: user
password: password]]></value>
password: changeit]]></value>
</list>
<value key="start-db" template="mustache"><![CDATA[
MySQL:
Expand All @@ -78,7 +78,7 @@ docker run --rm --name mysql -p 3306:3306 \
-e MYSQL_ROOT_PASSWORD=root \
-e MYSQL_DATABASE=pokemon \
-e MYSQL_USER=user \
-e MYSQL_PASSWORD=password \
-e MYSQL_PASSWORD=changeit \
mysql:5.7
```
]]></value>
Expand Up @@ -10,13 +10,13 @@ security:
- http-basic-auth:
users:
- login: "john"
password: "johnnyPassword"
password: "changeit"
roles: ["admin"]
- login: "jack"
password: "password"
password: "changeit"
roles: ["user", "admin"]
- login: "jill"
password: "anotherPassword"
password: "changeit"
roles: ["user"]
- jwt:
allow-impersonation: true
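Review bot: All three `http-basic-auth` users now share the single password `changeit`, so the example no longer shows that users carry distinct credentials, and a test or README line that swaps `jack` for `jill` would still authenticate and still pass. If that trade-off is intended, make it explicit above the `users:` list with `# placeholder credentials for the generated example; every user shares "changeit"`. The README curl lines and the `addUser` calls in the last file section, and the outbound-secret properties in the two Java tests, all depend on these values, which is worth naming in that comment as well.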
Expand Up @@ -47,7 +47,7 @@ public class OutboundOverrideJwtTest {
try (Http1ClientResponse response = client.get()
.path("/override")
.property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
.property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
.property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "changeit")
.request()) {
assertThat(response.status().code(), is(200));
Expand All @@ -62,7 +62,7 @@ public class OutboundOverrideJwtTest {
try (Http1ClientResponse response = client.get()
.path("/propagate")
.property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
.property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
.property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "changeit")
.request()) {
assertThat(response.status().code(), is(200));
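Review bot: The secret literal `"changeit"` is now repeated in both `.property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, ...)` calls and has to agree with the `jack` password in the basic-auth YAML of this commit; declare it once, `private static final String OUTBOUND_SECRET = "changeit";`, and pass `OUTBOUND_SECRET` in both places so the next rotation is a single edit. The same duplicated literal appears in the `SignatureMainTest` hunk of the next file section. Both enclosing test methods start and end outside the hunks shown.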
Expand Up @@ -51,7 +51,7 @@ public abstract class SignatureMainTest {
private void test(String uri, Set<String> expectedRoles, Set<String> invalidRoles, String service) {
try (Http1ClientResponse response = client.get(uri)
.property(PROPERTY_OUTBOUND_ID, "jack")
.property(PROPERTY_OUTBOUND_SECRET, "password")
.property(PROPERTY_OUTBOUND_SECRET, "changeit")
.request()) {
assertThat(response.status().code(), is(200));
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2023 Oracle and/or its affiliates.
Copyright (c) 2023, 2024 Oracle and/or its affiliates.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand All @@ -27,7 +27,7 @@
<value><![CDATA[
- oidc:
client-id: "your-client-id"
client-secret: "your-client-secret"
client-secret: "changeit"
identity-uri: "https://your-tenant-id.identity.oracle.com"
# A prefix used for custom scopes
scope-audience: "http://localhost:7987/test-application"
Expand All @@ -49,7 +49,7 @@
# IDCS serves both as open ID connect authenticator and
# as a role mapper. Using minimal configuration here
client-id: "your-client-id"
client-secret: "your-client-secret"
client-secret: "changeit"
identity-uri: "https://your-tenant-id.identity.oracle.com"]]></value>
</list>
<list key="paths-config-entries">
Expand Down Expand Up @@ -348,10 +348,10 @@ Update the following files with your client id (it should support http://localho
## Try JWT
```bash
curl -u "jack:password" http://localhost:8080/propagate
curl -u "jack:password" http://localhost:8080/override
curl -u "jill:anotherPassword" http://localhost:8080/propagate
curl -u "jill:anotherPassword" http://localhost:8080/override
curl -u "jack:changeit" http://localhost:8080/propagate
curl -u "jack:changeit" http://localhost:8080/override
curl -u "jill:changeit" http://localhost:8080/propagate
curl -u "jill:changeit" http://localhost:8080/override
```
]]></value>
</list>
Expand Down Expand Up @@ -411,9 +411,9 @@ curl -u "jill:anotherPassword" http://localhost:8080/override
private static final Map<String, SecureUserStore.User> USERS = new HashMap<>();
static {
addUser("jack", "password", List.of("user", "admin"));
addUser("jill", "password", List.of("user"));
addUser("john", "password", List.of());
addUser("jack", "changeit", List.of("user", "admin"));
addUser("jill", "changeit", List.of("user"));
addUser("john", "changeit", List.of());
}
private static void addUser(String user, String password, List<String> roles) {
Expand Down Expand Up @@ -479,15 +479,15 @@ private static void routing2(HttpRouting.Builder routing) {
.addInbound(InboundClientDefinition
.builder("service1-hmac")
.principalName("Service1 - HMAC signature")
.hmacSecret("somePasswordForHmacShouldBeEncrypted")
.hmacSecret("changeit")
.build())
.addInbound(InboundClientDefinition
.builder("service1-rsa")
.principalName("Service1 - RSA signature")
.publicKeyConfig(Keys.builder()
.keystore(k -> k
.keystore(Resource.create("keystore.p12"))
.passphrase("password")
.passphrase("changeit")
.certAlias("service_cert")
.build())
.build())
Expand Down Expand Up @@ -529,7 +529,7 @@ private static void routing2(HttpRouting.Builder routing) {
.privateKeyConfig(Keys.builder()
.keystore(k -> k
.keystore(Resource.create("keystore.p12"))
.passphrase("password")
.passphrase("changeit")
.keyAlias("myPrivateKey")
.build())
.build())
Expand All @@ -545,7 +545,7 @@ private static void routing2(HttpRouting.Builder routing) {
OutboundTargetDefinition.class,
OutboundTargetDefinition
.builder("service1-hmac")
.hmacSecret("somePasswordForHmacShouldBeEncrypted")
.hmacSecret("changeit")
.build())
.build();
}
Expand Down Expand Up @@ -575,9 +575,9 @@ private static void routing2(HttpRouting.Builder routing) {
## Try Signature
```bash
curl -u "jack:password" http://localhost:8080/service1
curl -u "jill:password" http://localhost:8080/service1-rsa
curl -v -u "john:password" http://localhost:8080/service1
curl -u "jack:changeit" http://localhost:8080/service1
curl -u "jill:changeit" http://localhost:8080/service1-rsa
curl -v -u "john:changeit" http://localhost:8080/service1
```
]]></value>
</list>
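Review bot: In both oidc snippets `client-secret: "changeit"` now sits beside `client-id: "your-client-id"` and `identity-uri: "https://your-tenant-id.identity.oracle.com"`; the `your-*` convention marks values the project owner must substitute, whereas `changeit` reads like a working default that may be left in place. Either keep the convention, `client-secret: "your-client-secret"`, or add `# replace with the client secret issued by your identity provider` directly above it in both hunks. The `addUser` calls in the static block and the two `.passphrase("changeit")` keystore builder calls repeat the same literal and could share one constant; the keystore passphrase in particular must match the bundled `keystore.p12`, which appears to be the binary file this commit does not render, so that should be confirmed.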
