Relase 1.18.0

CHANGELOG.md

@@ -1,4 +1,9 @@
 
+## 1.18.0 (22-05-2024)
+
+### Novità: 1
+- [#32595](https://parermine.regione.emilia-romagna.it/issues/32595) Introduzione Apache basic client "no-retry" per recupero oggetto da object storage
+
 ## 1.17.0 (10-04-2024)
 
 ### Novità: 2

CONTAINER-SCAN-REPORT.md

@@ -1,8 +1,10 @@
 ## Container scan evidence CVE
 <strong>Image name:</strong> registry.ente.regione.emr.it/parer/okd/verifica-firma-eidas:sast
-<br/><strong>Run date:</strong> Wed Apr 10 16:45:14 CEST 2024
-<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/216130">Job</a>
-<br/><strong>CVE founded:</strong> 1
+<br/><strong>Run date:</strong> Wed May 22 15:30:46 CEST 2024
+<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/243866">Job</a>
+<br/><strong>CVE founded:</strong> 3
 | CVE | Description | Severity | Solution | 
 |:---:|:---|:---:|:---|
-| [CVE-2024-28182](https://access.redhat.com/security/cve/CVE-2024-28182)|A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute or memory resources to cause a Denial of Service.|High|No solution provided|
+| [CVE-2024-2961](http://www.openwall.com/lists/oss-security/2024/04/17/9)|The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.|High|Upgrade glibc to 2.28-236.el8_9.13|
+| [CVE-2024-2961](http://www.openwall.com/lists/oss-security/2024/04/17/9)|The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.|High|Upgrade glibc-common to 2.28-236.el8_9.13|
+| [CVE-2024-2961](http://www.openwall.com/lists/oss-security/2024/04/17/9)|The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.|High|Upgrade glibc-minimal-langpack to 2.28-236.el8_9.13|

RELEASE-NOTES.md

@@ -1,5 +1,4 @@
-## 1.17.0 (10-04-2024)
+## 1.18.0 (22-05-2024)
 
-### Novità: 2
-- [#31808](https://parermine.regione.emilia-romagna.it/issues/31808) Rilassamento vincoli con verifica OCSP e data certificato antecedenete a quella del responder
-- [#31709](https://parermine.regione.emilia-romagna.it/issues/31709) Gestione migliorata sorgenti revoche (cache / online)
+### Novità: 1
+- [#32595](https://parermine.regione.emilia-romagna.it/issues/32595) Introduzione Apache basic client "no-retry" per recupero oggetto da object storage

pom.xml

@@ -2,15 +2,15 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>verifica-firma-eidas</artifactId>
-	<version>1.17.1-SNAPSHOT</version>
+	<version>1.18.1-SNAPSHOT</version>
 	<packaging>${packaging.type}</packaging>
 	<name>Verifica Firma EIDAS</name>
 	<description>Progetto per effettuare firme e validazioni con librerie DSS (EIDAS)</description>
 
 	<parent>
 		<groupId>it.eng.parer</groupId>
 		<artifactId>parer-pom</artifactId>
-		<version>4.2.0</version>
+		<version>5.2.1</version>
 	</parent>
 
     <properties>

src/main/java/it/eng/parer/eidas/core/helper/EidasHelper.java

@@ -40,14 +40,22 @@
 import java.time.Duration;
 import java.util.List;
 import java.util.Set;
+import java.util.concurrent.TimeUnit;
 
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.config.ConnectionConfig;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
+import org.apache.hc.core5.http.ClassicHttpResponse;
 import org.apache.tika.config.TikaConfig;
 import org.apache.tika.detect.Detector;
 import org.apache.tika.io.TikaInputStream;
@@ -67,6 +75,7 @@
 import eu.europa.esig.dss.enumerations.MimeTypeEnum;
 import eu.europa.esig.dss.model.DSSDocument;
 import eu.europa.esig.dss.spi.DSSUtils;
+import it.eng.parer.eidas.core.util.Constants.URIClientType;
 import it.eng.parer.eidas.model.EidasDataToValidateMetadata;
 import it.eng.parer.eidas.model.EidasRemoteDocument;
 import it.eng.parer.eidas.model.exception.EidasParerException;
@@ -94,18 +103,47 @@ public class EidasHelper {
     @Autowired
     BuildProperties buildProperties;
 
+    @Value("${parer.eidas.uriloader.client-type:httpclient}")
+    URIClientType uRIClientType;
+
+    /*
+     * Flux+Mono config
+     */
     // default 60 s
-    @Value("${parer.eidas.webclient.timeout:360}")
+    @Value("${parer.eidas.uriloader.webclient.timeout:60}")
     long webClientTimeout;
 
     // default 5 times
-    @Value("${parer.eidas.webclient.backoff:10}")
+    @Value("${parer.eidas.uriloader.webclient.backoff:5}")
     long webClientBackoff;
 
     // default 3 s
-    @Value("${parer.eidas.webclient.backofftime:3}")
+    @Value("${parer.eidas.uriloader.webclient.backofftime:3}")
     long webClientBackoffTime;
 
+    /*
+     * Standard httpclient
+     */
+    // default 60 s
+    @Value("${parer.eidas.uriloader.httpclient.timeout:60}")
+    long httpClientTimeout;
+
+    // default 60 s
+    @Value("${parer.eidas.uriloader.httpclient.timeoutsocket:60}")
+    int httpClientSocketTimeout;
+
+    // default 4
+    @Value("${parer.eidas.uriloader.httpclient.connectionsmaxperroute:4}")
+    int httpClientConnectionsmaxperroute;
+
+    // default 40
+    @Value("${parer.eidas.uriloader.httpclient.connectionsmax:40}")
+    int httpClientConnectionsmax;
+
+    // default 60s
+    @Value("${parer.eidas.uriloader.httpclient.timetolive:60}")
+    long httpClientTimeToLive;
+
     public String buildversion() {
         return env.getProperty(BUILD_VERSION);
     }
@@ -383,18 +421,49 @@ private Path readBase64EncodedFile(String prefix, InputStream is) throws IOExcep
     }
 
     public void getResourceFromURI(URI signedResource, Path localPath) throws IOException {
+        if (uRIClientType.equals(URIClientType.HTTPCLIENT)) {
+            getWithCommonHttpclient(signedResource, localPath);
+        } else {
+            getWithWebClient(signedResource, localPath);
+        }
+    }
+
+    private void getWithWebClient(URI signedResource, Path localPath) throws IOException {
         try {
-            // Attenzione, se al posto dell'uri viene utilizzata una stringa ci possono essere problemi di conversione
+            // Attenzione, se al posto dell'uri viene utilizzata una stringa ci possono
+            // essere problemi di conversione
             // dei
             // caratteri
             Flux<DataBuffer> dataBuffer = WebClient.create().get().uri(signedResource).retrieve()
                     .bodyToFlux(DataBuffer.class);
-            // scarica sul local path provando 5 volte aspettando almeno 3 secondi tra un prova e l'altra
+            // scarica sul local path provando 5 volte aspettando almeno 3 secondi tra un
+            // prova e l'altra
             DataBufferUtils.write(dataBuffer, localPath).timeout(Duration.ofSeconds(webClientTimeout))
                     .retryWhen(Retry.backoff(webClientBackoff, Duration.ofSeconds(webClientBackoffTime))).share()
                     .block();
         } catch (Exception ex) {
             throw new IOException("Impossibile recuperare il documento da URI", ex);
         }
     }
+
+    private void getWithCommonHttpclient(URI signedResource, Path localPath) throws IOException {
+        // config
+        ConnectionConfig connConfig = ConnectionConfig.custom().setTimeToLive(httpClientTimeToLive, TimeUnit.SECONDS)
+                .setSocketTimeout(httpClientSocketTimeout, TimeUnit.SECONDS)
+                .setConnectTimeout(httpClientTimeout, TimeUnit.SECONDS).build();
+
+        // pool manager
+        PoolingHttpClientConnectionManager connManager = new PoolingHttpClientConnectionManager();
+        connManager.setDefaultConnectionConfig(connConfig); // set config
+        connManager.setDefaultMaxPerRoute(httpClientConnectionsmaxperroute);
+        connManager.setMaxTotal(httpClientConnectionsmax);
+
+        try (CloseableHttpClient httpClient = HttpClientBuilder.create().setConnectionManager(connManager).build();
+                FileOutputStream out = new FileOutputStream(localPath.toFile());) {
+            //
+            ClassicHttpResponse response = httpClient.executeOpen(null, new HttpGet(signedResource), null);
+            IOUtils.copy(response.getEntity().getContent(), out);
+        }
+
+    }
 }

src/main/java/it/eng/parer/eidas/core/util/Constants.java

@@ -47,4 +47,7 @@ private Constants() {
     public static final String STD_MSG_GENERIC_ERROR = "Errore generico";
     public static final String STD_MSG_VALIDATION_ERROR = "Chiamata non valida";
 
+    public enum URIClientType {
+        HTTPCLIENT, WEBCLIENT
+    }
 }

src/main/openshift/verifica-firma-eidas-template.yml

@@ -181,7 +181,6 @@ objects:
     labels:
       app: verificafirma-eidas
       group: it.eng.parer
-      registry: ${REGISTRY}
       gl_log_application: eidas
       gl_tags: ${AMBIENTE}
     name: verificafirma-eidas
@@ -206,7 +205,6 @@ objects:
         labels:
           app: verificafirma-eidas
           group: it.eng.parer
-          registry: ${REGISTRY}
           gl_log_application: eidas
           gl_tags: ${AMBIENTE}          
       spec: