Merge branch 'master' of github.com:uio-bmi/localega-tsd-proxy into f…

…eature/get-tsd-token

.github/dependabot.yml

@@ -1,7 +1,19 @@
 version: 2
+registries:
+  maven-github-uio-bmi:
+    type: maven-repository
+    url: 'https://maven.pkg.github.com/uio-bmi'
+    username: '${{secrets.MAVEN_USER}}'
+    password: '${{secrets.MAVEN_GITHUB}}'
+  maven-github-elixir-oslo:
+    type: maven-repository
+    url: 'https://maven.pkg.github.com/elixir-oslo'
+    username: '${{secrets.MAVEN_USER}}'
+    password: '${{secrets.MAVEN_GITHUB}}'
 updates:
 - package-ecosystem: maven
   directory: "/"
+  registries: "*"
   schedule:
     interval: daily
     time: "04:00"

.github/workflows/Build.yml

@@ -0,0 +1,46 @@
+# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Build Package with Maven
+
+on:
+  push:
+  pull_request_target:
+    branches: [ "master" ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: '17'
+          distribution: 'zulu'
+          cache: maven
+
+      - name: create maven settings.xml
+        uses: s4u/[email protected]
+        with:
+          servers: |
+            [{
+              "id":"github-clearinghouse",
+              "username": "${{ github.actor }}",
+              "password": "${{ secrets.GITHUB_TOKEN }}"
+            },
+            {
+              "id":"github-tsd-file-api-client",
+              "username": "${{ github.actor }}",
+              "password": "${{ secrets.GITHUB_TOKEN }}"
+            }]
+
+      - name: Build with Maven
+        run: mvn -B clean package -DskipTests --file pom.xml

.github/workflows/TrivyScan.yml

@@ -0,0 +1,30 @@
+name: Trivy vulnerability scan
+
+on:
+  schedule:
+    - cron: '0 7 * * *'
+
+jobs:
+  scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        with:
+          args: --security-checks vuln
+          image-ref: 'ghcr.io/${{ github.repository }}:latest'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/publish.yml

@@ -2,7 +2,9 @@ name: Bump version and publish to ghcr.io
 on:
   push:
     branches:
-    - master
+      - master
+
+  workflow_dispatch:
 
 jobs:
   tag:
@@ -13,17 +15,17 @@ jobs:
       new_tag: ${{ steps.bump_tag.outputs.new_tag }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-      with:
-        fetch-depth: '1'
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: '1'
 
-    - name: Bump version and push tag
-      id: bump_tag
-      uses: anothrNick/[email protected]
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        WITH_V: true
-        DEFAULT_BUMP: patch
+      - name: Bump version and push tag
+        id: bump_tag
+        uses: anothrNick/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WITH_V: true
+          DEFAULT_BUMP: patch
 
   push_to_registry:
     needs: tag
@@ -37,9 +39,6 @@ jobs:
       - name: Check out the repo
         uses: actions/checkout@v2
 
-      - name: Add Maven Github authentication
-        run: echo "<settings xmlns='http://maven.apache.org/SETTINGS/1.0.0' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd'> <servers> <server> <id>github-clearinghouse</id> <username>${{ github.actor }}</username> <password>${{ secrets.GITHUB_TOKEN }}</password> </server> <server> <id>github-tsd-file-api-client</id> <username>${{ github.actor }}</username> <password>${{ secrets.GITHUB_TOKEN }}</password> </server> </servers> </settings>" > settings.xml
-
       - name: Log in to the Github Container registry
         uses: docker/login-action@v1
         with:
@@ -53,6 +52,25 @@ jobs:
         with:
           images: ghcr.io/${{ github.repository }}
 
+      - name: create maven settings.xml
+        uses: s4u/[email protected]
+        with:
+          servers: |
+            [{
+              "id":"github-clearinghouse",
+              "username": "${{ github.actor }}",
+              "password": "${{ secrets.GITHUB_TOKEN }}"
+            },
+            {
+              "id":"github-tsd-file-api-client",
+              "username": "${{ github.actor }}",
+              "password": "${{ secrets.GITHUB_TOKEN }}"
+            }]
+
+      - name: Copy settings.xml to project root
+        shell: bash
+        run: cp /home/runner/.m2/settings.xml ./settings.xml
+
       - name: Build and push
         uses: docker/build-push-action@v2
         with:

Dockerfile

@@ -1,4 +1,4 @@
-FROM maven:3.6.1-jdk-13-alpine as builder
+FROM maven:3.9.2-eclipse-temurin-17-alpine as builder
 
 COPY pom.xml .
 
@@ -13,11 +13,11 @@ COPY src/ /src/
 
 RUN mvn clean install -DskipTests --no-transfer-progress
 
-FROM openjdk:13-alpine
+FROM eclipse-temurin:17-jre-alpine
 
 RUN apk add --no-cache ca-certificates
 
-COPY --from=builder /target/*-SNAPSHOT.jar /localega-tsd-proxy.jar
+COPY --from=builder /target/localega-*.jar /localega-tsd-proxy.jar
 
 RUN addgroup -g 1000 lega && \
     adduser -D -u 1000 -G lega lega

pom.xml

@@ -5,17 +5,17 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.3</version>
+        <version>3.2.2</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
-    <groupId>no.uio.ifi</groupId>
+    <groupId>no.elixir.fega</groupId>
     <artifactId>localega-tsd-proxy</artifactId>
-    <version>0.0.1-SNAPSHOT</version>
+    <version>2.0.0</version>
     <name>localega-tsd-proxy</name>
     <description>LocalEGA TSD Proxy</description>
 
     <properties>
-        <java.version>13</java.version>
+        <java.version>17</java.version>
     </properties>
 
     <dependencies>
@@ -58,6 +58,12 @@
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
+            <version>4.5.14</version>
+        </dependency>
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>2.2</version>
         </dependency>
         <dependency>
             <groupId>org.postgresql</groupId>
@@ -66,19 +72,13 @@
         <dependency>
             <groupId>no.uio.ifi</groupId>
             <artifactId>clearinghouse</artifactId>
-            <version>1.1.0</version>
-        </dependency>
-        <dependency>
-            <groupId>com.auth0</groupId>
-            <artifactId>java-jwt</artifactId>
-            <version>3.18.3</version>
+            <version>1.2.1</version>
         </dependency>
         <dependency>
             <groupId>no.uio.ifi</groupId>
             <artifactId>tsd-file-api-client</artifactId>
-            <version>2.0.0</version>
+            <version>2.0.1</version>
         </dependency>
-
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-configuration-processor</artifactId>

src/main/java/no/uio/ifi/ltp/LocalEGATSDProxyApplication.java → src/main/java/no/elixir/fega/ltp/LocalEGATSDProxyApplication.java

@@ -1,4 +1,4 @@
-package no.uio.ifi.ltp;
+package no.elixir.fega.ltp;
 
 import lombok.extern.slf4j.Slf4j;
 import no.uio.ifi.tc.TSDFileAPIClient;
@@ -10,7 +10,7 @@
 import org.springframework.cache.annotation.EnableCaching;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
@@ -19,9 +19,11 @@
 import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
 import org.springframework.security.web.PortMapperImpl;
 import org.springframework.security.web.PortResolverImpl;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.util.StringUtils;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 
 import javax.net.ssl.*;
 import java.io.IOException;
@@ -42,38 +44,35 @@
 @Slf4j
 @EnableCaching
 @SpringBootApplication
-public class LocalEGATSDProxyApplication extends WebSecurityConfigurerAdapter {
+@EnableWebSecurity
+public class LocalEGATSDProxyApplication {
 
     public static void main(String[] args) {
         SpringApplication.run(LocalEGATSDProxyApplication.class, args);
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         PortMapperImpl portMapper = new PortMapperImpl();
         portMapper.setPortMappings(Collections.singletonMap("8080", "8080"));
         PortResolverImpl portResolver = new PortResolverImpl();
         portResolver.setPortMapper(portMapper);
         LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/oauth2/authorization/elixir-aai");
         entryPoint.setPortMapper(portMapper);
         entryPoint.setPortResolver(portResolver);
-        http
-                .requiresChannel()
-                .anyRequest().requiresSecure()
-                .and()
-                .exceptionHandling()
-                .authenticationEntryPoint(entryPoint)
-                .and()
-                .csrf().disable()
-                .authorizeRequests()
-                .mvcMatchers("/token.html").authenticated()
-                .mvcMatchers("/token").authenticated()
-                .mvcMatchers("/user").authenticated()
-                .and()
-                .oauth2Login()
-                .redirectionEndpoint().baseUri("/oidc-protected")
-                .and()
-                .defaultSuccessUrl("/");
+        http.
+                requiresChannel(channel -> channel.anyRequest().requiresSecure())
+                .exceptionHandling(exception -> exception.authenticationEntryPoint(entryPoint))
+                .csrf(AbstractHttpConfigurer::disable)
+                .securityMatcher("/token.html", "/token", "/user", "/oauth2/authorization/elixir-aai", "/oidc-protected")
+                .authorizeHttpRequests(request -> request
+                        .requestMatchers("/token.html").authenticated()
+                        .requestMatchers("/token").authenticated()
+                        .requestMatchers("/user").authenticated())
+                .oauth2Login(auth -> auth.redirectionEndpoint(endpoint -> endpoint.baseUri("/oidc-protected"))
+                        .defaultSuccessUrl("/"));
+
+        return http.build();
     }
 
     @Bean
@@ -84,9 +83,9 @@ public ClientRegistrationRepository clientRegistrationRepository(@Value("${elixi
                 ClientRegistration.withRegistrationId("elixir-aai")
                         .clientId(elixirAAIClientId)
                         .clientSecret(elixirAAIClientSecret)
-                        .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+                        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                         .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
-                        .redirectUriTemplate("{baseUrl}/oidc-protected")
+                        .redirectUri("{baseUrl}/oidc-protected")
                         .scope("openid", "ga4gh_passport_v1")
                         .authorizationUri("https://login.elixir-czech.org/oidc/authorize")
                         .tokenUri("https://login.elixir-czech.org/oidc/token")