Merge pull request #2362 from OpenBankProject/develop

fix logback and cookie security

.github/Dockerfile_PreBuild_OC

@@ -2,7 +2,10 @@ FROM jetty:9.4-jdk11-alpine
 # Copy build artifact (.war file) into jetty from 'maven' stage.
 COPY /obp-api/target/obp-api-1.*.war /var/lib/jetty/webapps/ROOT.war
 USER root
+RUN mkdir -p /WEB-INF/classes
+COPY .github/logback.xml /WEB-INF/classes/
+RUN cd / && jar uvf /var/lib/jetty/webapps/ROOT.war WEB-INF/classes/logback.xml
 RUN chgrp -R 0 /tmp/jetty && chmod -R g+rwX /tmp/jetty
 RUN chgrp -R 0 /var/lib/jetty && chmod -R g+rwX /var/lib/jetty
 RUN chgrp -R 0 /usr/local/jetty && chmod -R g+rwX /usr/local/jetty
-USER jetty
+USER jetty

obp-api/src/main/resources/logback-test.xml → .github/logback.xml

@@ -6,7 +6,8 @@
     </encoder>
   </appender>
 
-  <root level="DEBUG">
+  <root level="INFO">
     <appender-ref ref="STDOUT"/>
   </root>
-</configuration>
+</configuration>
+

README.md

@@ -190,9 +190,9 @@ Note: Your Java environment may need to be setup correctly to use SSL
 
 Restart OBP-API, if you get an error, check your Java environment can connect to the host over SSL.
 
-Note you can change the log level in:
- - /obp-api/src/main/resources/default.logback.xml (try TRACE or DEBUG)
- - /obp-api/src/main/resources/logback-test.xml (try TRACE or DEBUG)
+Note: You can copy the following example files to prepare your own configurations
+ - /obp-api/src/main/resources/logback.xml.example -> /obp-api/src/main/resources/logback.xml (try TRACE or DEBUG)
+ - /obp-api/src/main/resources/logback-test.xml.example -> /obp-api/src/main/resources/logback-test.xml (try TRACE or DEBUG)
 
 There is a gist / tool which is useful for this. Search the web for SSLPoke. Note this is an external repository.
 

obp-api/src/main/resources/props/sample.props.template

@@ -1290,4 +1290,7 @@ validate_iban=false
 
 # This returns Regulated Entities
 # sample props regulated_entities = [{"certificate_authority_ca_owner_id":"CY_CBC","entity_certificate_public_key":"-----BEGIN CERTIFICATE-----MIICsjCCAZqgAwIBAgIGAYwQ62R0MA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNVBAMMD2FwcC5leGFtcGxlLmNvbTAeFw0yMzExMjcxMzE1MTFaFw0yNTExMjYxMzE1MTFaMBoxGDAWBgNVBAMMD2FwcC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK9WIodZHWzKyCcf9YfWEhPURbfO6zKuMqzHN27GdqHsVVEGxP4F/J4mso+0ENcRr6ur4u81iREaVdCc40rHDHVJNEtniD8Icbz7tcsqAewIVhc/q6WXGqImJpCq7hA0m247dDsaZT0lb/MVBiMoJxDEmAE/GYYnWTEn84R35WhJsMvuQ7QmLvNg6RkChY6POCT/YKe9NKwa1NqI1U+oA5RFzAaFtytvZCE3jtp+aR0brL7qaGfgxm6B7dEpGyhg0NcVCV7xMQNq2JxZTVdAr6lcsRGaAFulakmW3aNnmK+L35Wu8uW+OxNxwUuC6f3b4FVBa276FMuUTRfu7gc+k6kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAU5CjEyAoyTn7PgFpQD48ZNPuUsEQ19gzYgJvHMzFIoZ7jKBodjO5mCzWBcR7A4mpeAsdyiNBl2sTiZscSnNqxk61jVzP5Ba1D7XtOjjr7+3iqowrThj6BY40QqhYh/6BSY9fDzVZQiHnvlo6ZUM5kUK6OavZOovKlp5DIl5sGqoP0qAJnpQ4nhB2WVVsKfPlOXc+2KSsbJ23g9l8zaTMr+X0umlvfEKqyEl1Fa2L1dO0y/KFQ+ILmxcZLpRdq1hRAjd0quq9qGC8ucXhRWDgM4hslVpau0da68g0aItWNez3mc5lB82b3dcZpFMzO41bgw7gvw10AvvTfQDqEYIuQ==-----END CERTIFICATE-----","entity_code":"PSD_PICY_CBC!12345","entity_type":"PSD_PI","entity_address":"EXAMPLE COMPANY LTD, 5 SOME STREET","entity_town_city":"SOME CITY","entity_post_code":"1060","entity_country":"CY","entity_web_site":"www.example.com","services":[{"CY":["PS_010","PS_020","PS_03C","PS_04C"]}]}]
-regulated_entities = []
+regulated_entities = []
+
+
+# Note: For secure and http only settings for cookies see resources/web.xml which is mentioned in the README.md

obp-api/src/main/scala/bootstrap/liftweb/Boot.scala

@@ -756,25 +756,30 @@ class Boot extends MdcLoggable {
       def onBeginServicing(session: LiftSession, req: Req): Unit = {
         logger.debug(s"Hello from UsernameLockedChecker.onBeginServicing")
         checkIsLocked()
+        logger.debug(s"Bye from UsernameLockedChecker.onBeginServicing")
       }
       def onSessionActivate(session: LiftSession): Unit = {
         logger.debug(s"Hello from UsernameLockedChecker.onSessionActivate")
         checkIsLocked()
+        logger.debug(s"Bye from UsernameLockedChecker.onSessionActivate")
       }
       def onSessionPassivate(session: LiftSession): Unit = {
         logger.debug(s"Hello from UsernameLockedChecker.onSessionPassivate")
         checkIsLocked()
+        logger.debug(s"Bye from UsernameLockedChecker.onSessionPassivate")
       }
       private def checkIsLocked(): Unit = {
         AuthUser.currentUser match {
           case Full(user) =>
             LoginAttempt.userIsLocked(localIdentityProvider, user.username.get) match {
               case true => 
                 AuthUser.logoutCurrentUser
-                logger.warn(s"User ${user.username.get} has been logged out due to it has been locked.")
+                logger.warn(s"checkIsLocked says: User ${user.username.get} has been logged out because it is locked.")
               case false => // Do nothing
+                logger.debug(s"checkIsLocked says: User ${user.username.get} is not locked.")
             }
-          case _ => // Do nothing
+          case _ => // No user found
+            logger.debug(s"checkIsLocked says: No User Found.")
         }
       }
     }