Op-21723:CVE-fixes with java-17 and spring-boot upgrade-v4.1

.github/workflows/pr.yml

@@ -19,7 +19,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: 'zulu'
           cache: 'gradle'
       - name: Prepare build variables

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: 'zulu'
           cache: 'gradle'
       - name: Assemble release info

Dockerfile

@@ -1,11 +1,11 @@
 FROM registry.access.redhat.com/ubi8/ubi:8.3
 MAINTAINER [email protected]
 COPY ./gate-web/build/install/gate /opt/gate
-RUN yum -y install java-11-openjdk-headless.x86_64 wget vim curl net-tools nettle
+RUN yum -y install java-17-openjdk-headless.x86_64 wget vim curl net-tools nettle
 RUN yum -y update
 RUN adduser spinnaker
-RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins 
-####adding customplugin zip 
+RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins
+####adding customplugin zip
 ARG CUSTOMPLUGIN_RELEASEVERSION
 ENV CUSTOMPLUGIN_RELEASEVERSION=$CUSTOMPLUGIN_RELEASEVERSION
 COPY custom-plugin.json /opt/spinnaker/plugins/plugins.json
@@ -16,7 +16,7 @@ RUN wget -O VerificationPlugin-v1.0.1-SNAPSHOT.zip -c https://github.com/OpsMx/C
 RUN mv VerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv TestVerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv policyPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
-    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ 
+    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/
 
 RUN sed -i 's/"VERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/VerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \
     && sed -i 's/"TESTVERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/TestVerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \

build.gradle

@@ -7,18 +7,33 @@ plugins {
 
 allprojects {
   apply plugin: 'io.spinnaker.project'
+  repositories {
+    mavenLocal()
+    mavenCentral()
+  }
+  tasks.withType( Copy).all {
+    duplicatesStrategy 'exclude'
+  }
 
   group = "io.spinnaker.gate"
 
-  if (name != "gate-bom") {
-    apply plugin: 'java-library'
-    apply plugin: 'groovy'
 
-    if ([korkVersion, fiatVersion].find { it.endsWith('-SNAPSHOT') }) {
+
+    if ([korkVersion].find { it.endsWith('-SNAPSHOT') }) {
       repositories {
         mavenLocal()
+        maven{
+          url "https://nexus.opsmx.net/repository/maven-snapshots/"
+          credentials {
+            username = "NEXUS_USERNAME"
+            password = "NEXUS_PASSWORD"
+          }
+        }
       }
     }
+  if (name != "gate-bom" && name != "gate-api") {
+    apply plugin: 'java-library'
+    apply plugin: 'groovy'
 
     repositories {
       maven { url 'https://build.shibboleth.net/nexus/content/repositories/releases/' }
@@ -33,43 +48,48 @@ allprojects {
       compileOnly "org.projectlombok:lombok"
       annotationProcessor "org.projectlombok:lombok"
       testAnnotationProcessor "org.projectlombok:lombok"
-      compile("org.springframework.cloud:spring-cloud-starter-vault-config")
-      compile("io.micrometer:micrometer-registry-prometheus")
-
 
-      implementation "org.codehaus.groovy:groovy-all"
-      implementation "net.logstash.logback:logstash-logback-encoder"
+      implementation "org.apache.groovy:groovy:4.0.9"
+      implementation "net.logstash.logback:logstash-logback-encoder:4.11"
       implementation "org.jetbrains.kotlin:kotlin-reflect"
+      implementation "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.6.0"
 
       testImplementation "org.spockframework:spock-core"
       testImplementation "org.spockframework:spock-spring"
       testImplementation "org.springframework.boot:spring-boot-starter-test"
       testImplementation "org.hamcrest:hamcrest-core"
-      testRuntimeOnly "cglib:cglib-nodep"
+      testRuntimeOnly "cglib:cglib-nodep:3.3.0"
       testRuntimeOnly "org.objenesis:objenesis"
     }
 
+    java {
+      sourceCompatibility = JavaVersion.VERSION_17
+      targetCompatibility = JavaVersion.VERSION_17
+    }
+
     configurations.all {
-      exclude group: 'javax.servlet', module: 'servlet-api'
       exclude group: 'javax.servlet', module: 'javax.servlet-api'
-      resolutionStrategy.eachDependency { DependencyResolveDetails details ->
-        if (details.requested.group == 'org.apache.logging.log4j') {
-          details.useVersion '2.19.0'
-        }
-      }
     }
 
-    tasks.withType(JavaExec) {
-      if (System.getProperty('DEBUG', 'false') == 'true') {
-        jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8184'
-      }
+  }
+
+  tasks.withType(JavaExec) {
+    if (System.getProperty('DEBUG', 'false') == 'true') {
+      jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8184'
     }
+  }
 
-    test {
-      testLogging {
-        exceptionFormat = 'full'
+  test {
+    testLogging {
+      exceptionFormat = 'full'
+      afterSuite { desc, result ->
+        if (!desc.parent) {
+          println "Results: ${result.resultType} (${result.testCount} tests, ${result.successfulTestCount} successes, ${result.failedTestCount} failures, ${result.skippedTestCount} skipped)"
+          println "Report file: ${reports.html.entryPoint}"
+        }
       }
     }
+    useJUnitPlatform()
   }
 }
 

docker/ubi8/Gate-Dockerfile

@@ -1,11 +1,11 @@
 FROM registry.access.redhat.com/ubi8/ubi:8.3
 MAINTAINER [email protected]
 COPY ./gate-web/build/install/gate /opt/gate
-RUN yum -y install java-11-openjdk-headless.x86_64 wget vim curl net-tools nettle
+RUN yum -y install java-17-openjdk-headless.x86_64 wget vim curl net-tools nettle
 RUN yum -y update
 RUN adduser spinnaker
-RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins 
-####adding customplugin zip 
+RUN mkdir -p /opt/gate/plugins && mkdir -p /opt/spinnaker/plugins
+####adding customplugin zip
 ARG CUSTOMPLUGIN_RELEASEVERSION
 ENV CUSTOMPLUGIN_RELEASEVERSION=$CUSTOMPLUGIN_RELEASEVERSION
 COPY custom-plugin.json /opt/spinnaker/plugins/plugins.json
@@ -16,7 +16,7 @@ RUN wget -O VerificationPlugin-v1.0.1-SNAPSHOT.zip -c https://github.com/OpsMx/C
 RUN mv VerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv TestVerificationPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
     && mv policyPlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ \
-    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/ 
+    && mv ApprovalStagePlugin-v1.0.1-SNAPSHOT.zip /opt/spinnaker/plugins/
 
 RUN sed -i 's/"VERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/VerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \
     && sed -i 's/"TESTVERIFICATION_SHASUM"/'\""$(sha512sum /opt/spinnaker/plugins/TestVerificationPlugin-v1.0.1-SNAPSHOT.zip | awk '{print $1}')"\"'/g' /opt/spinnaker/plugins/plugins.json \

docker_build/Dockerfile.prod

@@ -1,4 +1,4 @@
-FROM quay.io/opsmxpublic/ubi8-jre-11:v1
+FROM quay.io/opsmxpublic/ubi8-jre-17:v1
 MAINTAINER OpsMx
 
 # Install procps(ps)

docker_build/Dockerfile.rhel8-ubi8

@@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/ubi:latest
+FROM quay.io/opsmxpublic/ubifips:8.7
+#FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7 as java-base
 MAINTAINER OpsMx
 
 # Disable old version and uninstalling
@@ -17,16 +18,16 @@ RUN adduser opsmx \
 
 # Install procps(ps)
 RUN yum install -y procps nginx net-tools wget
-# Install java 11
-RUN yum -y install java-11-openjdk-headless.x86_64
+# Install java 17
+RUN yum -y install tzdata-java java-17-openjdk-headless.x86_64
 # Install ping
 RUN yum install -y iputils
 
 RUN yum -y update
 
 #######Gate Dependencies#########
 ENV WORK_DIR=/opsmx/workdir
-ENV JAVA_HOME=/usr/lib/jvm/jre-11-openjdk
+ENV JAVA_HOME=/usr/lib/jvm/jre-17-openjdk
 COPY /docker_build/run.sh /usr/local/bin/run.sh
 RUN  chmod +x /usr/local/bin/run.sh
 COPY /docker_build/gate.yml /opt/spinnaker/config/

gate-api-tck/gate-api-tck.gradle

@@ -5,5 +5,6 @@ dependencies {
   implementation(project(":gate-web"))
 
   api("org.springframework.boot:spring-boot-starter-test")
-  api("dev.minutest:minutest")
+  api("dev.minutest:minutest:1.13.0")
+  api("io.mockk:mockk:1.10.5")
 }

gate-basic/src/main/java/com/netflix/spinnaker/gate/security/basic/BasicAuthConfig.java

@@ -18,21 +18,23 @@
 
 import com.netflix.spinnaker.gate.config.AuthConfig;
 import com.netflix.spinnaker.gate.security.SpinnakerAuthConfig;
-import com.netflix.spinnaker.gate.services.OesAuthorizationService;
-import com.netflix.spinnaker.gate.services.PermissionService;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.session.web.http.DefaultCookieSerializer;
 
@@ -41,11 +43,10 @@
 @SpinnakerAuthConfig
 @EnableWebSecurity
 @Slf4j
-public class BasicAuthConfig extends WebSecurityConfigurerAdapter {
+public class BasicAuthConfig {
 
-  private final AuthConfig authConfig;
-
-  private final BasicAuthProvider authProvider;
+  @Autowired private final AuthConfig authConfig;
+  @Autowired private final BasicAuthProvider authProvider;
 
   @Autowired DefaultCookieSerializer defaultCookieSerializer;
 
@@ -58,19 +59,16 @@ public class BasicAuthConfig extends WebSecurityConfigurerAdapter {
   @Value("${security.user.password:}")
   String password;
 
-  @Autowired PermissionService permissionService;
-
   @Autowired
-  public BasicAuthConfig(
-      AuthConfig authConfig,
-      PermissionService permissionService,
-      OesAuthorizationService oesAuthorizationService) {
+  public BasicAuthConfig(AuthConfig authConfig, BasicAuthProvider authProvider) {
     this.authConfig = authConfig;
-    this.authProvider = new BasicAuthProvider(permissionService, oesAuthorizationService);
+    this.authProvider = authProvider;
   }
 
-  @Autowired
-  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+  @Bean
+  public AuthenticationManager authManager(HttpSecurity http) throws Exception {
+    AuthenticationManagerBuilder authenticationManagerBuilder =
+        http.getSharedObject(AuthenticationManagerBuilder.class);
     if (name == null || name.isEmpty() || password == null || password.isEmpty()) {
       throw new AuthenticationServiceException(
           "User credentials are not configured properly. Please check username and password are properly configured");
@@ -86,22 +84,36 @@ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
 
     authProvider.setName(this.name);
     authProvider.setPassword(this.password);
-
-    auth.authenticationProvider(authProvider);
+    authenticationManagerBuilder.authenticationProvider(authProvider);
+    authenticationManagerBuilder.eraseCredentials(false);
+    return authenticationManagerBuilder.build();
   }
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     defaultCookieSerializer.setSameSite(null);
+    http.csrf().disable();
     http.formLogin()
         .and()
         .httpBasic()
         .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
     authConfig.configure(http);
+    return http.build();
+  }
+
+  @Bean
+  public WebSecurityCustomizer webSecurityCustomizer() {
+    return (web) -> {
+      try {
+        authConfig.configure(web);
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    };
   }
 
-  @Override
-  public void configure(WebSecurity web) throws Exception {
-    authConfig.configure(web);
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
   }
 }