diff --git a/build.gradle b/build.gradle
index b8ff6437..b7e2b8f0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 plugins {
 id 'io.spring.dependency-management' version '1.0.9.RELEASE'
- id 'org.springframework.boot' version '2.5.14'
+ id 'org.springframework.boot' version '2.5.15'
 id 'java'
 id "org.owasp.dependencycheck" version "5.3.1"
 }
@@ -49,61 +49,63 @@ dependencyManagement { dependencies { if (releaseMode) { - compile 'com.epam.reportportal:commons-dao' - compile 'com.epam.reportportal:commons-rules' - compile 'com.epam.reportportal:commons-model' + implementation 'com.epam.reportportal:commons-dao' + implementation 'com.epam.reportportal:commons-rules' + implementation 'com.epam.reportportal:commons-model' } else { - compile 'com.github.reportportal:commons-dao:f042158b' - compile 'com.github.reportportal:commons-rules:933ff17d' - compile 'com.github.reportportal:commons-model:232e69a5' + implementation 'com.github.reportportal:commons-dao:f042158b' + implementation 'com.github.reportportal:commons-rules:933ff17d' + implementation 'com.github.reportportal:commons-model:232e69a5' } //Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252 - compile 'org.apache.tomcat.embed:tomcat-embed-core:9.0.68' - compile 'org.apache.tomcat.embed:tomcat-embed-el:9.0.68' - compile 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.68' + implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.82' + implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.82' + implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.82' //Fix CVE-2020-15522 - compile 'org.bouncycastle:bcprov-jdk15on:1.69' + implementation 'org.bouncycastle:bcprov-jdk15on:1.69' //Fix CVE-2015-7501, CVE-2015-4852 - compile 'commons-collections:commons-collections:3.2.2' + implementation 'org.apache.commons:commons-collections4:4.4' //Fix CVE-2018-10237 - compile 'com.google.guava:guava:24.1.1-jre' + implementation 'com.google.guava:guava:31.1-jre' //Fix CVE-2020-13956 - compile 'org.apache.httpcomponents:httpclient:4.5.13' + implementation 'org.apache.httpcomponents:httpclient:4.5.14' //Fix CVE-2022-40152 - compile 'com.fasterxml.woodstox:woodstox-core:5.4.0' + implementation 'com.fasterxml.woodstox:woodstox-core:6.5.1' - compile 'org.springframework.boot:spring-boot-starter-web' - compile 
'org.springframework.boot:spring-boot-starter-actuator' - compile 'org.springframework.boot:spring-boot-starter-security' - compile 'org.springframework.boot:spring-boot-starter-amqp' + implementation 'org.springframework.boot:spring-boot-starter-web' + implementation 'org.springframework.boot:spring-boot-starter-actuator' + implementation 'org.springframework.boot:spring-boot-starter-security' + implementation 'org.springframework.boot:spring-boot-starter-amqp' ///// Security //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408 - compile 'org.springframework.security:spring-security-core:5.5.8' - compile 'org.springframework.security:spring-security-config:5.5.8' - compile 'org.springframework.security:spring-security-web:5.5.8' + implementation 'org.springframework.security:spring-security-core:5.8.5' + implementation 'org.springframework.security:spring-security-config:5.8.5' + implementation 'org.springframework.security:spring-security-web:5.8.5' // - compile 'org.springframework.security:spring-security-oauth2-client' + implementation 'org.springframework.security:spring-security-oauth2-client' //Fix CVE-2022-22969 - compile 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE' - compile 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE' - compile 'org.springframework.security:spring-security-ldap' - compile 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31' + implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE' + implementation 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE' + implementation 'org.springframework.security:spring-security-ldap' + // TODO: consider migration to spring-security-saml2-service-provider + implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31' // Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400 - compile 
'org.apache.santuario:xmlsec:2.1.7' - - compile 'org.apache.tika:tika-core' - - compile 'javax.inject:javax.inject:1' - compile 'io.springfox:springfox-swagger2' - compile 'org.apache.commons:commons-compress:1.21' - compile 'org.cryptacular:cryptacular:1.1.4' - compile 'org.yaml:snakeyaml:1.32' - compile 'org.hibernate:hibernate-core:5.4.24.Final' - compile 'org.springframework:spring-core:5.3.20' - compile "com.rabbitmq:http-client:2.1.0.RELEASE" + implementation 'org.apache.santuario:xmlsec:3.0.3' + + implementation 'org.apache.tika:tika-core' + + implementation 'javax.inject:javax.inject:1' + implementation 'io.springfox:springfox-swagger2' + implementation 'org.apache.commons:commons-compress:1.21' + implementation 'org.cryptacular:cryptacular:1.1.4' + // TODO: snakeyaml 2.0 supported by Spring Boot 3 only + implementation 'org.yaml:snakeyaml:1.33' + implementation 'org.hibernate:hibernate-core:5.4.24.Final' + implementation 'org.springframework:spring-core:5.3.30' + implementation "com.rabbitmq:http-client:5.0.0" } processResources { @@ -122,4 +124,3 @@ jar.archiveClassifier.set('') publish.dependsOn build publish.mustRunAfter build - diff --git a/src/main/java/com/epam/reportportal/auth/AdminPasswordInitializer.java b/src/main/java/com/epam/reportportal/auth/AdminPasswordInitializer.java index f787e939..99a6aeb5 100644 --- a/src/main/java/com/epam/reportportal/auth/AdminPasswordInitializer.java +++ b/src/main/java/com/epam/reportportal/auth/AdminPasswordInitializer.java @@ -7,7 +7,7 @@ import com.epam.ta.reportportal.entity.user.User; import java.util.Optional; import javax.persistence.EntityNotFoundException; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; 
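Review bot: The line under the retained `//Fix CVE-2015-7501, CVE-2015-4852` comment now declares `org.apache.commons:commons-collections4:4.4`, which has different coordinates and a different Java package from `commons-collections:commons-collections:3.2.2`, so it no longer pins the 3.x artifact that comment refers to; if any transitive dependency still pulls `commons-collections:commons-collections` 3.x, the unpatched version resolves while the comment claims it is fixed. Either keep the pin next to the new artifact, `implementation 'commons-collections:commons-collections:3.2.2'`, or confirm with `gradle dependencies` (and the `org.owasp.dependencycheck` plugin already applied in this file) that no 3.x copy resolves, and reword the comment to match. Separately, `spring-security-core/config/web` are pinned to 5.8.5 while `spring-security-ldap` and `spring-security-oauth2-client` stay version-less under a Spring Boot 2.5.15 BOM; unless `dependencyManagement` overrides them, those presumably resolve to the BOM's 5.5.x line, giving a mixed Spring Security set that is worth checking in the resolved runtime classpath.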
diff --git a/src/main/java/com/epam/reportportal/auth/config/saml/SamlServiceProviderConfiguration.java b/src/main/java/com/epam/reportportal/auth/config/saml/SamlServiceProviderConfiguration.java index c81e88eb..196a1bdb 100644 --- a/src/main/java/com/epam/reportportal/auth/config/saml/SamlServiceProviderConfiguration.java +++ b/src/main/java/com/epam/reportportal/auth/config/saml/SamlServiceProviderConfiguration.java @@ -25,6 +25,8 @@ import com.epam.ta.reportportal.entity.integration.IntegrationType; import com.google.common.collect.Lists; import org.opensaml.saml.saml2.core.NameID; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; @@ -60,7 +62,9 @@ @Configuration public class SamlServiceProviderConfiguration { - @Value("${rp.auth.saml.base-path}") + private static final Logger LOGGER = LoggerFactory.getLogger(SamlServiceProviderConfiguration.class); + + @Value("${rp.auth.saml.base-path}") private String basePath; @Value("${rp.auth.saml.entity-id}") @@ -148,14 +152,14 @@ private List providers() { } private RotatingKeys rotatingKeys() { - return new RotatingKeys().setActive(activeKey()).setStandBy(standbyKeys()); + return new RotatingKeys().setActive(getActiveKey()).setStandBy(standbyKeys()); } private List standbyKeys() { return Collections.emptyList(); } - private SimpleKey activeKey() { + private SimpleKey getActiveKey() { if (signedRequests) { X509Certificate certificate = CertificationUtil.getCertificateByName(keyAlias, keyStore, keyStorePassword); @@ -167,7 +171,7 @@ private SimpleKey activeKey() { .setPrivateKey(getEncoder().encodeToString(privateKey.getEncoded())) .setName(activeKeyName); } catch (CertificateEncodingException e) { - e.printStackTrace(); + LOGGER.error("Failed to retrieve active key", e); } } return new SimpleKey(); 
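Review bot: In the `@@ -167,7 +171,7 @@` hunk the catch now logs instead of printing, but control still falls through to `return new SimpleKey();`, so when `signedRequests` is true a `CertificateEncodingException` silently produces a key with no certificate or private key and the service provider is configured without the signing material it was told to use. The empty `SimpleKey` is presumably intended only for the unsigned branch; a failure to load the configured key should stop configuration rather than degrade it, e.g. `} catch (CertificateEncodingException e) {` / `throw new IllegalStateException("Failed to retrieve active key '" + activeKeyName + "'", e);` / `}`. The body of `getActiveKey` (the `try` and the `signedRequests` check) starts before this hunk, so please verify there is no other path that relies on the fall-through.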
@@ -192,4 +196,4 @@ public String getBasePath() { } } -} \ No newline at end of file +} diff --git a/src/main/java/com/epam/reportportal/auth/integration/ldap/LdapUserReplicator.java b/src/main/java/com/epam/reportportal/auth/integration/ldap/LdapUserReplicator.java index 7960ea9c..46b9b481 100644 --- a/src/main/java/com/epam/reportportal/auth/integration/ldap/LdapUserReplicator.java +++ b/src/main/java/com/epam/reportportal/auth/integration/ldap/LdapUserReplicator.java @@ -33,7 +33,7 @@ import com.epam.ta.reportportal.util.PersonalProjectService; import java.util.Map; import java.util.Optional; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.ldap.core.DirContextOperations; import org.springframework.stereotype.Component; diff --git a/src/main/java/com/epam/reportportal/auth/integration/parameter/SamlParameter.java b/src/main/java/com/epam/reportportal/auth/integration/parameter/SamlParameter.java index 31975dfa..45cb35d5 100644 --- a/src/main/java/com/epam/reportportal/auth/integration/parameter/SamlParameter.java +++ b/src/main/java/com/epam/reportportal/auth/integration/parameter/SamlParameter.java @@ -21,7 +21,7 @@ import com.epam.ta.reportportal.exception.ReportPortalException; import com.epam.ta.reportportal.ws.model.ErrorType; import com.epam.ta.reportportal.ws.model.integration.auth.UpdateAuthRQ; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import java.util.HashMap; import java.util.Map; diff --git a/src/main/java/com/epam/reportportal/auth/store/events/AuthAttributesEventListener.java b/src/main/java/com/epam/reportportal/auth/store/events/AuthAttributesEventListener.java deleted file mode 100644 index f32c0355..00000000 --- a/src/main/java/com/epam/reportportal/auth/store/events/AuthAttributesEventListener.java +++ /dev/null 
@@ -1,56 +0,0 @@
-/*
- * Copyright 2019 EPAM Systems
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.epam.reportportal.auth.store.events;
-
-/**
- * Decrypts auth config passwords if present
- *
- * @author Andrei Varabyeu
- */
-//@Component
-//public class AuthAttributesEventListener extends AbstractMongoEventListener {
-public class AuthAttributesEventListener {
-
-// private static final Logger LOGGER = LoggerFactory.getLogger(AuthAttributesEventListener.class);
-// private static final String MANAGER_PASSWORD_FIELD = "managerPassword";
-//
-// @Autowired
-// private Encryptor encryptor;
-//
-// @Override
-// public void onApplicationEvent(MongoMappingEvent event) {
-// super.onApplicationEvent(event);
-// }
-//
-// @Override
-// public void onAfterLoad(AfterLoadEvent event) {
-// Optional.ofNullable(event.getSource()).flatMap(dbo -> Optional.ofNullable(dbo.get("ldap"))).ifPresent(ldapDbo -> {
-// DBObject ldap = ((DBObject) ldapDbo);
-// Object managerPassword = ldap.get(MANAGER_PASSWORD_FIELD);
-// if (null != managerPassword) {
-// try {
-// String decrypted = encryptor.decrypt((String) managerPassword);
-// ldap.put(MANAGER_PASSWORD_FIELD, decrypted);
-// } catch (Exception e) {
-// LOGGER.error("Cannot decrypt password", e);
-// //do nothing
-// }
-//
-// }
-// });
-// }
-
-}
\ No newline at end of file
diff --git a/src/main/java/com/epam/reportportal/auth/util/CertificationUtil.java b/src/main/java/com/epam/reportportal/auth/util/CertificationUtil.java index 96f5773e..90847d66 100644 --- a/src/main/java/com/epam/reportportal/auth/util/CertificationUtil.java +++ b/src/main/java/com/epam/reportportal/auth/util/CertificationUtil.java @@ -18,10 +18,17 @@ import java.io.IOException; import java.nio.file.Files; import java.nio.file.Paths; -import java.security.*; +import java.security.Key; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * Utility class for loading certificates from trusted stores @@ -30,7 +37,9 @@ */ public class CertificationUtil { - public static X509Certificate getCertificateByName(String certificateAlias, String trustStoreName, String password) { + private static final Logger LOGGER = LoggerFactory.getLogger(CertificationUtil.class); + + public static X509Certificate getCertificateByName(String certificateAlias, String trustStoreName, String password) { try { KeyStore keyStore = KeyStore.getInstance("JKS"); loadKeyStore(keyStore, trustStoreName, password); @@ -67,7 +76,13 @@ private static void loadKeyStore(KeyStore keyStore, String jksPath, String jksPa if (jksPath.startsWith("file://")) { keyStore.load(Files.newInputStream(Paths.get(jksPath.replaceFirst("file://", ""))), password); } else { - keyStore.load(ClassLoader.getSystemResourceAsStream(jksPath), password); + try (var is = ClassLoader.getSystemResourceAsStream(jksPath)) { + keyStore.load(is, password); + } catch (Exception e) { + LOGGER.error("Failed to load key store", e); + throw e; + } + } } }
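Review bot: In the `@@ -67,7 +76,13 @@` hunk the classpath branch passes the result of `ClassLoader.getSystemResourceAsStream(jksPath)` straight to `keyStore.load`; that call returns null for a missing resource, and `KeyStore.load(null, password)` initializes an empty keystore without error, so a mistyped path does not fail here and only shows up later as a missing alias. A null check that throws is needed before `load`. The `file://` branch above it still opens `Files.newInputStream` without try-with-resources, so that stream is leaked while the new branch closes its own; and the `catch (Exception e)` that logs and rethrows will double-report if the caller logs too, so letting the exception propagate is enough. `loadKeyStore`'s signature and `password` handling begin before the hunk.
```java
// … unchanged: signature and password handling …
if (jksPath.startsWith("file://")) {
    try (var is = Files.newInputStream(Paths.get(jksPath.replaceFirst("file://", "")))) {
        keyStore.load(is, password);
    }
} else {
    try (var is = ClassLoader.getSystemResourceAsStream(jksPath)) {
        if (is == null) {
            // KeyStore.load(null, ...) would silently initialize an empty store
            throw new IOException("Key store resource not found on classpath: " + jksPath);
        }
        keyStore.load(is, password);
    }
}
```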