parent 60728d8

author Simon Demaziere <[email protected]> 1705593850 +0100
committer Simon Demaziere <[email protected]> 1719218708 +0200

chore: move from javax.persistence to jakarta.persistence package

wip: for CVE evaluation

chore: remove cyclic dependencies, migrate tests to mockMvc

chore: external services props handling
remove unused files
remove basic auth mode

fix: clean/update jar dependencies

feat: log4j -> logback

- going from log4j to logback
- add log interceptor to log all requests to endpoints

ci: upgrade dependencies

- upgrade github actions dependencies
- build with JAVA 21
- Upgrade docker container

refactor: 🔧 reduce boilerplate with Lombok and remove dead code

fix: 🐛 WIP endpoint role mapping

add security constraint on endpoints

refactor: 🔧 Lombok > boilerplate

use Lombok annotations for getters/setters/constructors

refactor: 🔧 lombok et minor refactor

lombok annotations, dead code removal, minor syntax readability

feat: add security infrastructure (#157)

- remove public urls
- add security to infrastructure package, api package is not coupled with spring security anymore
- refactor authentication properties
- add a default authenticated user when oidc is disabled
- remove useless check on user id
- gitignore application profile configurations

refactor: 🔥 removen unused Validation annotation

refactor: ♻️ & 🧪

.github/workflows/build.yml

@@ -9,19 +9,20 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: Set up JDK 11
-        uses: actions/setup-java@v1
+      - uses: actions/checkout@v4
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
         with:
-          java-version: 11
+          distribution: "temurin"
+          java-version: "21"
       - name: Get current version
         id: version
         run: echo "::set-output name=prop::$(mvn -f pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout)"
       - run: echo ${{steps.version.outputs.prop}}
       - name: Build with Maven
         run: mvn install --file pom.xml --batch-mode --no-transfer-progress
-      - name: Upload war
-        uses: actions/upload-artifact@v2
+      - name: Upload jar
+        uses: actions/upload-artifact@v4
         with:
-          name: war
-          path: target/*.war
+          name: app-jar
+          path: target/

.github/workflows/develop-release.yml

@@ -11,23 +11,24 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: Set up JDK 11
-        uses: actions/setup-java@v1
+      - uses: actions/checkout@v4
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
         with:
-          java-version: 11
+          distribution: "temurin"
+          java-version: "21"
       - name: Build with Maven
         run: mvn install --file pom.xml --batch-mode --no-transfer-progress
-      - name: Upload war
-        uses: actions/upload-artifact@v2
+      - name: Upload jar
+        uses: actions/upload-artifact@v4
         with:
-          name: war
-          path: target/*.war
+          name: app-jar
+          path: target/
   release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout current branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Get current version
         id: version
         run: echo "::set-output name=prop::$(mvn -f pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout)"

.github/workflows/release.yml

@@ -12,22 +12,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Set up JDK 11
-        uses: actions/setup-java@v1
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
         with:
-          java-version: 11
+          distribution: "temurin"
+          java-version: "21"
       - name: Build with Maven
         run: mvn install --file pom.xml --batch-mode --no-transfer-progress
-      - name: Upload war
-        uses: actions/upload-artifact@v2
+      - name: Upload jar
+        uses: actions/upload-artifact@v4
         with:
-          name: war
-          path: target/*.war
+          name: app-jar
+          path: target/
   release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout current branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Get current version
         id: version
         run: echo "::set-output name=prop::$(mvn -f pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout)"
@@ -46,19 +47,19 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Download build
         id: download
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
-          name: war
+          name: app-jar
           path: target/
       - name: Get current version
         id: version
         run: echo "::set-output name=prop::$(mvn -f pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout)"
       - run: echo ${{steps.version.outputs.prop}}
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@master
+        uses: elgohr/Publish-Docker-Github-Action@v5
         with:
           name: inseefr/pearl-jam-back-office
           username: ${{ secrets.DOCKERHUB_USERNAME }}

.github/workflows/sonar.yml

@@ -13,22 +13,22 @@ jobs:
     name: Build and analyze
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
         with:
-          java-version: 11
-          distribution: 'adopt'
+          distribution: "temurin"
+          java-version: "21"
       - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
       - name: Cache Maven packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

.gitignore

@@ -29,7 +29,11 @@ build/
 
 ### VS Code ###
 .vscode/
-/application-insee.properties
+
+**/.flattened-pom.xml
+**/src/main/resources/application-*.yaml
+**/src/main/resources/application-*.yml
+**/src/main/resources/application-*.properties
 
 *.DS_Store
 /.apt_generated_tests/

.mvn/wrapper/maven-wrapper.properties

@@ -1,2 +1,18 @@
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+wrapperVersion=3.3.1
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip

Dockerfile

@@ -1,5 +1,13 @@
-FROM tomcat:8.5-jdk11-slim
+FROM eclipse-temurin:21.0.3_9-jre-alpine
 
-RUN rm -rf $CATALINA_HOME/webapps/*
-COPY pearljambo.properties log4j2.xml $CATALINA_HOME/webapps/
-ADD /target/*.war $CATALINA_HOME/webapps/ROOT.war
+WORKDIR /opt/app/
+COPY ./target/*.jar /opt/app/app.jar
+
+# Setup a non-root user context (security)
+RUN addgroup -g 1000 tomcatgroup
+RUN adduser -D -s / -u 1000 tomcatuser -G tomcatgroup
+RUN chown -R 1000:1000 /opt/app
+
+USER 1000
+
+ENTRYPOINT ["java", "-jar",  "/opt/app/app.jar"]

README.md

@@ -57,7 +57,6 @@ Create pearljambo.properties near war file and complete the following properties
 spring.profiles.active=prod
 
 #Logs configuration
-fr.insee.pearljam.logging.path=${catalina.base}/webapps/log4j2.xml
 fr.insee.pearljam.logging.level=DEBUG
 
 #Application configuration
@@ -102,9 +101,6 @@ fr.insee.pearljam.user.local.role=manager_local
 fr.insee.pearljam.user.national.role=manager_national
 ```
 
-#### External log file
-Create log4j2.xml near war file and define your  external config for logs. 
-
 ### 4. Tomcat start
 From a terminal navigate to tomcat/bin folder and execute  
 ```shell