From e10aeeb7dcf6d1b719d2e0180c17497ee335cd9c Mon Sep 17 00:00:00 2001 From: Maxim Nesen Date: Mon, 4 Mar 2024 20:20:18 +0100 Subject: [PATCH] security review for archetypes (#8445) Signed-off-by: Maxim Nesen --- .../files/src/main/resources/keystore.p12 | Bin 2700 -> 2693 bytes .../archetype/mp/custom/database-outputs.xml | 4 +-- .../files/application.http-signature.yaml | 4 +-- .../archetype/se/custom/database-output.xml | 4 +-- .../main/resources/client-service-jwt.yaml | 6 ++-- .../OutboundOverrideJwtTest.java.mustache | 4 +-- .../__pkg__/SignatureMainTest.java.mustache | 2 +- .../archetype/se/custom/security-outputs.xml | 34 +++++++++--------- 8 files changed, 29 insertions(+), 29 deletions(-) 
diff --git a/archetypes/archetypes/src/main/archetype/common/files/src/main/resources/keystore.p12 b/archetypes/archetypes/src/main/archetype/common/files/src/main/resources/keystore.p12 index ff2c52d6694ae5c23a1b15d971935a9fa33ba1d4..96df596265a4799186924602afa1d101e5e80baa 100644 GIT binary patch literal 2693 zcmaKucQhM{8o-lCVkIR;sTr$khjK59+N(xX)wQ=0qqf?lMq^d+u9k?Es#ko>xhKX{&x#T0|ez_A(Gcn3}yOb0|H0sqJ(~yFcb%v zD$jPiy8W;z9R#8RpkPp{|C|6(LjWjFD79^@HqeOz3={^_%gY^kw{8N+e})Q67D?HS zg0bKsmYCHO+T_{lPm9&_=mB>kNs-Ry^VPVE$zy$=%2cj3>YV1pUx*J8?&sqXRFdj% zEF%ru62Rm0S_3$#&!r^RsS3D4E8|p6T^$OzvUzA|&{KhR9});8o%7CxVd72>rT9&b zgqy^(Yz$0)3(!jKQfvOUB<$o)bGHkF(d8FI81Ht|7aN_=;NuH%9!NFC;{(JHgPCUG zMCa=ZybtSOrl*qfj!k2n`TG9;zoe6;?UWY!6&cIbbr(ee>#TWW4h!3%<6bSW#k2lb zH`oSsS$#9pXVBS>a;lgN{l#=EnKhj9rJwtkP{1NmSG?--W)!(&q<<Jx zmOq;vPjsAo>l>5`pQ=Dw@Pfbe@(lGIUH7uPMC9Ozu4#zUupeEQ>FX9Hj{Cj)UNXog zAG!wr9vZrj!k0L6NAT-`jbOFK9HZ>FkAtYM2%ba*_P$^}c&NLlt-uvqcIaup6?gO2 zheNB1F^;GZVLwQFDPgqSzI>fd>s#M!UfrPTGNa2DtJ)_0VJy+ojw%I5a#;CDZX5v5ASq{^d zapXMm=pFJKOKALycN$SJYUGzxA{`wyL7+lL&zSWEU~7@;h)!R}g_YM_&0qIKZfTJC zPgdQ<&f_RKGxe7^+_LxqbB(W=CpFsV*k|m{s#vo}N22+xnWu*Fxop(DYUq+KeIr+A z!_Z}~W=x#*kfmvU6zuk}a|09C^aNtM5?)e2({eAP3fBFaxa8T#yl(&`C2w@O=CwwlW- z>H2fK=Zo@_SVWAZ0y8JQ6D^#f-?WFs%QiO;_lmfvgorjNvhR?Ggtg@5b1^39hOspI zCA)m@LZTCr2T)8;mNzplrt0Kr1+6KzyzOO9V8njrArGe{pEs=ZKU`OMDvZZS_K7Cl zkm{iQbB4}0p{F)bZg)Jg`9ad~!H|~t?`5}=DijZpIxlPm#Kso3Yc7ozBnS;A1V^Q&{9A_B4SIz1$YFS3LfIxcE`G`X4||%_B11xK7&%*us*ft;?}zteDxKER@;Ta* zYR?&ja-qJ9XoUzC7TX33z_ECM&R&Q}ZzqDZ+I}xyCjVE0Lr2%FnuGEr#efZ8nDy8B zy`>LVd3|a34!rs!D+|g6>@hf#jC%AoUO05xOnzr{!Oq%_bVXXa@>+&|EGKPqDSt1q zMa>_Y3rq0Bm(pYUL$XU^HnT+Z7&!D6+ypaM!$lctnJ@MSy)`$6lLzhd{S-yc;NUOj zKDQke+ShV<4vHs@(n}1aiKWY)_-Uw33oTLIu@P{9%nIze`SOFe@ zAb=OZ2jB__0N4Ti08Rk6>j*+2ehxBAg25ovwQj-QKOiME7Ynw(M%Ex8;5z-(FeMP> z{A29e$z~|opCt?>0%p?d-58?9*8-nWO0*PlRj%#dNOT5)1nEIQYrNb1;8K@nd&7QGhrM zf4afyvU@)NW{Q(<%_Z(a!fLMongf9ckD6`76qi46h!wB0`#5Jb?-(k5+Hq$!me^Vt 
zsTla~axZ+`KSe`@FXRDMCDLFkosmHPYw-~|$DZ-#bM7qEq3%vlu|~=cq(rCGo1s(r za8TC4O|+bk>0`6+t4Vi6cukY6-p&U?p6FqJP0Bg;Xo85Z-W$-PfYb&hN%+v2Jcl|L ze{%oBJa9)@?4@OYwJgQ4!D7#*86sv8;=k@TsmrhFm_bUP+CSfoC_K)HhA1^F=tX($9hakXEVy*L}%e~179x$-h4rr zR8>(wn(zd`Fu7b#T;MJH7P^)Z=Z)MTiT%)YnMN zifYthXR8q6&XauM<j=ymTiP=(j2w`RxJ3bLG(<~hk(I%hxNkt0u!%xN?1Eq1lhc%!vOH=K#mFJ$r)DLBKQ>Ho8_c*_ z8oputpk2HK=Z|BL{jowp}9lU=xMMSZ&%b~TYa242S lkgang+076QW-@QTAnTVZGrZj@U~Q_}Ik2!yef94b@E;L!>WKgV delta 2665 zcmV-v3YPVS6^s>sFoFt*0s#Xsf(k+g2`Yw2hW8Bt2LYgh3Nr+P3NJ8%3M(*z1y}|N zDuzgg_YDCD0ic2fNd$rgMKFQ|K`?>^Jq8OZhDe6@4FL=a0Ro_c1nw|`1nMvx1_~;M zNQUXniavL!nB>x?Jg6&Yr#+qo)xN#%4B?o)4KzBMj7d?Qk2Jb(4vrZ*f zK}p^^HhSx933rT+98(aw_%bDfrDf)wkDXiOHd+dUBvKJ<$)7{^hr{|bJ>&cOqZtG! z?XPT9DXPJLMH1uqAkoy>b0Dog41|RYO9z1bME`SS}ME`hZU!lb8 zDyB&k;YWtmw_or-(p3%c8Y1#qojg@U4d2qe|JZGR^yUIgPYg)-tFBKYBLEZduD(s_ zDDiN%;;$$TL*<41qk|MQmKBxj$$T{rwe$KC_sml-yqA*jksHQdv433Ji*ys*?QgT9 z;qQhGf0{Zf-H43QY7RIj1PN#q8Fk*cCgUZb7P!)d=tF&`WA{gsJo4L$M}M!Oo12d8 z8^x1%T*P9I)_`s$58V6@~|IH4N$zMY4ac`NFdv zeJ!L{7#=I9kGr#dBoKNfB{T8&eyo@FXWaoev_FIJxS}fD#+JgD;~~~qMgL&_-*O_7 zABb%1P`9#m`hxL1R_4@9i6x=td;074ow}$%&GCsO1c2L;Y-wEVVyAsT-ryBqeO~{6 zq1W~ATzD>^PvqK&n+t`#rV?wq6Hw)T&q7B9mMm397)ru_euRobiN*=?>I-OH(83|u z=?S26Ot;#DYTTkkNr1dRkjl+*5d<&qZ#f|*KmGpU-Q0e_adAo|o--PzqRGAsPjlf6 z7P)eGVJmMnP-Kbc2|w+2K`)iXPDDh1&5L zNlOa+B~xl(h9e1OA<{>{fjnP-KdsXs(hdm089YqpM|V(ua1C*ry(1TfUpgdkovr0g zp+w=P^0l>T!L0P0#CF)df!;&=p`MY-@DdY0an|A6oPmfD>||`;dcyQB3$d3zG~O%b{gvg4pM2*Oy&prvt;{F!5vv7cTKKW8h*e$<8r_mj-| zFEQTC$k$^%2XTFq=s?g_Nn|x(4D`4x(fgc<&Ev`fQZnig1o3#4nAi2wZFRR81`h^?%GOHEWSj?1C01tudjHC`Y}G&LNQUorMnF~8= z<#XU!sNkLvzNPKc!0sbIc1F+!2iLnERRE;_4h~Y>$sN+m+ZhMXOSRob#`H7({lFcM z*;P)+Ea{=w_%1hiac=QL@InGd>jL`*zjzZ2)-y`JZA0@CrvOW$kA9z2Vo!&`t zKixwNAE=A=FX-Ba``1$Y-=#cui`O7@%YQI?cX)U81BG)%>REsG`4RVu=Lz&3;LNOf zy6Ovzzu!N+)YJJV-x7}tq;E^O3RdmzsxX)I(f$*Jm4RHNTSLRc0vuC+EC@B0-9XNT z$uWW5KU+iKw*}ALSKi86*535vz7%fj7x5|!wtBNi!8|fCf}8T(U@MyKu;6Hw*27jq z4)9s{BSyj!1S)@Gj5d!f-y1~d*|S;C;{?xcD0I9FJP4;A6NZNO<+*-DCNdb&0F{e~ 
zz~d}=nNb{!8G08m|Oxh2{nCa*!3fAC6QdUq>uVQ15K z`KUW{KYU&M-3&^o%Xy?5VS&5&nG2{ZN2VK?He3l1hM?0nCF^v~xs9_O)G;tV-!^^? zpvk<^q`&Bbp@LlzX7F+`hTVv%SxT^Fm#n2ODN%pxa5d?k4tIwQE&43J_8qDF4pyhL zga*RKOv}$5#VI{$fioeG=<6a%ghb_t){ZHj?)4?`+~n>w61)u63-JFn(S_>(~fo&LvR((bek8zXxh$hbM0LWVU>420sj}F`gIYq zofLn2U~#(M`U1p4{b$VdBgshxN{-ne5jIzp~alJpo+q&-!cggG!U- zs{Fi-ML+9Bew{8e>CeMe{lF#0IEh<3B<_C?hjUQdA*b!|6bEfFu2P*SA^1WI)fI|LLK8bwyFfjFaN+vGe zNxmQ5A6B7PFg-9KFbM_)D-Ht!8U+9Z6e#gwIw0FdI#OaRA^DV&e4ypy @@ -318,7 +318,7 @@ docker run --rm --name mysql -p 3306:3306 \ com.mysql.cj.jdbc.MysqlDataSource jdbc:mysql://127.0.0.1:3306/pokemon?useSSL=false user - password + changeit diff --git a/archetypes/archetypes/src/main/archetype/mp/custom/files/application.http-signature.yaml b/archetypes/archetypes/src/main/archetype/mp/custom/files/application.http-signature.yaml index 2f86e37e46e..d4fb707494d 100644 --- a/archetypes/archetypes/src/main/archetype/mp/custom/files/application.http-signature.yaml +++ b/archetypes/archetypes/src/main/archetype/mp/custom/files/application.http-signature.yaml @@ -5,7 +5,7 @@ - key-id: "service1-hmac" principal-name: "Service1 - HMAC signature" # See [EncryptionFilter](https://helidon.io/docs/latest/apidocs/io.helidon.config.encryption/io/helidon/config/encryption/EncryptionFilter.html) for details about encrypting passwords in configuration files. - hmac.secret: "somePasswordForHmacShouldBeEncrypted" + hmac.secret: "changeit" - key-id: "service1-rsa" principal-name: "Service1 - RSA signature" public-key: @@ -17,6 +17,6 @@ # defaults to jdk default # keystore-type: "PKCS12" # password of the keystore - passphrase: "password" + passphrase: "changeit" # alias of the certificate to get public key from cert.alias: "service_cert" diff --git a/archetypes/archetypes/src/main/archetype/se/custom/database-output.xml b/archetypes/archetypes/src/main/archetype/se/custom/database-output.xml index c8a8e8b15ed..b1eac23deea 100644 
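Review bot: `hmac.secret: "changeit"` in application.http-signature.yaml swaps one placeholder for a shorter and far better-known one; an HMAC key is only as strong as its entropy, so a generated project that keeps this value has a guessable signing key for the `service1-hmac` key-id, and anyone who knows the value can produce signatures that verify. The preceding line already points at EncryptionFilter, so I would put the caveat on the secret itself, `# demo value: generate a random secret (32+ bytes) before deploying and store it encrypted, see EncryptionFilter above`, and add the same comment next to `passphrase: "changeit"` in the `@@ -17,6` hunk. The keystore.p12 binary in this commit was presumably regenerated to match the new passphrase; that is worth stating in the PR description so the two are not later rotated independently. The `changeit` placeholders in the two database-output xml hunks (`@@ -318` here and `@@ -69` in the se variant) carry the same caveat.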
--- a/archetypes/archetypes/src/main/archetype/se/custom/database-output.xml
+++ b/archetypes/archetypes/src/main/archetype/se/custom/database-output.xml
@@ -69,7 +69,7 @@ For details, see https://www.h2database.com/html/cheatSheet.html + password: changeit]]>
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/files/src/main/resources/client-service-jwt.yaml b/archetypes/archetypes/src/main/archetype/se/custom/files/src/main/resources/client-service-jwt.yaml
index 1d892f0c02f..439fad4791c 100644
--- a/archetypes/archetypes/src/main/archetype/se/custom/files/src/main/resources/client-service-jwt.yaml
+++ b/archetypes/archetypes/src/main/archetype/se/custom/files/src/main/resources/client-service-jwt.yaml
@@ -10,13 +10,13 @@ security: - http-basic-auth: users: - login: "john" - password: "johnnyPassword" + password: "changeit" roles: ["admin"] - login: "jack" - password: "password" + password: "changeit" roles: ["user", "admin"] - login: "jill" - password: "anotherPassword" + password: "changeit" roles: ["user"] - jwt: allow-impersonation: true
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache b/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache
index 5742a2af785..6385cb9b758 100644
--- a/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache
+++ b/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache
@@ -47,7 +47,7 @@ public class OutboundOverrideJwtTest {
 try (Http1ClientResponse response = client.get()
 .path("/override")
 .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
- .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
+ .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "changeit")
 .request()) {
 assertThat(response.status().code(), is(200));
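Review bot: All three `http-basic-auth` users in client-service-jwt.yaml, two of them carrying the `admin` role, now share the single literal `"changeit"`, and the same literal is duplicated as the `PROPERTY_OUTBOUND_SECRET` value in OutboundOverrideJwtTest (both hunks) and in SignatureMainTest, so someone who rotates the generated project's password in the YAML silently breaks the tests, and nothing in the config says so. I would state the coupling where the credential is defined, `# demo credentials, also hard-coded in OutboundOverrideJwtTest and SignatureMainTest; change both together and do not deploy with these accounts`. The `security:` section this hunk belongs to continues outside the hunk.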
@@ -62,7 +62,7 @@ public class OutboundOverrideJwtTest {
 try (Http1ClientResponse response = client.get()
 .path("/propagate")
 .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
- .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
+ .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "changeit")
 .request()) {
 assertThat(response.status().code(), is(200));
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache b/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache
index bdd4e56be1d..5cd89d3bcef 100644
--- a/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache
+++ b/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache
@@ -51,7 +51,7 @@ public abstract class SignatureMainTest {
 private void test(String uri, Set expectedRoles, Set invalidRoles, String service) {
 try (Http1ClientResponse response = client.get(uri)
 .property(PROPERTY_OUTBOUND_ID, "jack")
- .property(PROPERTY_OUTBOUND_SECRET, "password")
+ .property(PROPERTY_OUTBOUND_SECRET, "changeit")
 .request()) {
 assertThat(response.status().code(), is(200));
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/security-outputs.xml b/archetypes/archetypes/src/main/archetype/se/custom/security-outputs.xml
index ea13511f7da..5bd5b2e0e51 100644
--- a/archetypes/archetypes/src/main/archetype/se/custom/security-outputs.xml
+++ b/archetypes/archetypes/src/main/archetype/se/custom/security-outputs.xml
@@ -1,7 +1,7 @@