Op-21881:CVE-fixes with java-17 and spring-boot upgrade-v4.0 #466

emanipravallika · 2024-03-22T05:21:32Z

(https://devopsmx.atlassian.net/browse/OP-21881)

… along with CVE fixes-v4.0

gate-core/src/main/groovy/com/netflix/spinnaker/gate/security/anonymous/AnonymousConfig.groovy

rahul-chekuri · 2024-03-22T05:41:53Z

gate-iap/src/main/java/com/netflix/spinnaker/gate/security/iap/IapSsoConfig.java

remove commented out code
also we have to fix the bean creation here properly.

rahul-chekuri · 2024-03-22T05:42:48Z

gate-file/src/main/groovy/com/netflix/spinnaker/gate/security/file/FileSsoConfig.groovy

remove commented out code
also, we have to fix the bean creation here properly.

rahul-chekuri · 2024-03-22T06:01:18Z

gate-ldap/src/main/groovy/com/netflix/spinnaker/gate/security/ldap/LdapSsoConfig.groovy

+  @Bean
+  public AuthenticationManager authenticationManager(
+    AuthenticationConfiguration authConfig) throws Exception {
+    return authConfig.getAuthenticationManager();


do we have getAuthenticationManager defined in AuthConfig? but why do we need to have the bean declaration then?

No, it is not defined in AuthConfig

than why it used here authConfig.getAuthenticationManager();

will remove it

gate-ldap/src/main/groovy/com/netflix/spinnaker/gate/security/ldap/LdapSsoConfig.groovy

rahul-chekuri · 2024-03-22T06:51:02Z

gate-oauth2/src/main/java/com/netflix/spinnaker/gate/security/oauth2/BearerTokenExtractor.java

+import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+public class BearerTokenExtractor {


Attach a java doc explaining where this is needed

rahul-chekuri · 2024-03-22T06:53:36Z

gate-saml/src/main/groovy/com/netflix/spinnaker/gate/security/saml/SamlSsoConfig.groovy

-    SamlAuthTokenUpdateFilter authTokenUpdateFilter = new SamlAuthTokenUpdateFilter()
-    http.addFilterAfter(authTokenUpdateFilter,
-        BasicAuthenticationFilter.class)
+    //      saml.init(http)


gate-saml/src/main/groovy/com/netflix/spinnaker/gate/security/saml/SamlSsoConfig.groovy

rahul-chekuri · 2024-03-22T07:04:33Z

gate-web/src/main/groovy/com/opsmx/spinnaker/gate/exception/RetrofitErrorHandler.groovy


 @Slf4j
 @ControllerAdvice(basePackageClasses = [OpsmxSaporPolicyController.class, OpsmxAutopilotController.class,
-OpsmxAuditClientServiceController.class, OpsmxDashboardController.class, OpsmxPlatformController.class,


why OpsmxDashboardController has been removed?

will add back

rahul-chekuri

@emanipravallika overall good work, highly appreciated.

Did you test swagger after this upgrade?
Did you test saml config? what was the outcome?
What other auth configs you tested other than ldap?

There are a lot of places where cleanup is needed. I have pointed most of them but you too review them and remove.

rahul-chekuri · 2024-03-22T07:07:22Z

gate-web/src/main/java/com/opsmx/spinnaker/gate/rbac/ApplicationFeatureRbac.java

@@ -94,60 +96,54 @@ public void authorizeUserForApplicationId(

    log.debug("authorizing the endpoint : {}", endpointUrl);

-    switch (method) {


why the switch has been replaced by if-else?

if switch case is used - encountered this error{Incompatible types. Found: 'org.springframework.http.HttpMethod', required: 'char, byte, short, int, Character, Byte, Short, Integer, String, or an enum'}, SO, I replaced with if-else

rahul-chekuri · 2024-03-22T07:10:47Z

gate-web/src/main/java/com/opsmx/spinnaker/gate/rbac/ApplicationFeatureRbac.java

@@ -182,64 +178,59 @@ public void authorizeUserForServiceId(String username, String endpointUrl, Strin

    log.info("authorizing the endpoint for service Id : {}", endpointUrl);

-    switch (method) {


if switch case is used - encountered this error{Incompatible types. Found: 'org.springframework.http.HttpMethod', required: 'char, byte, short, int, Character, Byte, Short, Integer, String, or an enum'}, SO, I replaced with if-else

rahul-chekuri · 2024-03-22T07:12:17Z

gate-x509/src/main/groovy/com/netflix/spinnaker/gate/security/x509/X509Config.groovy

@@ -13,6 +13,8 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+//file:noinspection GroovyAssignabilityCheck
+//file:noinspection GroovyAccessibility


cleanup needed??

rahul-chekuri · 2024-03-22T07:13:20Z

gradle.properties

 org.gradle.parallel=true
-spinnakerGradleVersion=8.25.0
-targetJava11=true
+spinnakerGradleVersion=1-0-SNAPSHOT


from where did we pick these versions?

From spinnaker gate-oes

rahul-chekuri · 2024-03-22T07:13:35Z

gradle.properties

-spinnakerGradleVersion=8.25.0
-targetJava11=true
+spinnakerGradleVersion=1-0-SNAPSHOT
+#targetJava11=true


cleanup needed??

rahul-chekuri · 2024-03-22T07:15:27Z

gradle.properties

@@ -21,3 +21,4 @@ targetJava11=true
 #
 #fiatComposite=true
 #korkComposite=true
+org.gradle.jvmargs=-Xmx6g -Xms6g


why are we passing JVM args in props? do these shouldn't be part of the run command? how are we sure about the values like 6g?

… dependency

emanipravallika and others added 7 commits March 20, 2024 19:11

OP-21881: Bugfix upgrade SpringBoot-3.2.2 and java-17 related changes…

be2e69d

… along with CVE fixes-v4.0

OP-21881: removing old beans that are causing problems.

a7e5c58

OP-21881: Bugfix upgrade SpringBoot-3.2.2 and java-17 related changes…

36a6e4c

… along with CVE fixes-v4.0

OP-21881: Bugfix

88e7a92

OP-21881: Bugfix

f00c107

OP-21881: Bugfix

66c3b96

OP-21881: Bugfix

57b58c9

emanipravallika requested review from sudhakaropsmx and rakeshkrmeena March 22, 2024 05:21