Skip to content

Commit

Permalink
dep: APPS-942 fix http2 rapid-reset CVE-2023-44487
Browse files Browse the repository at this point in the history
  • Loading branch information
Jesse Schmidt committed Oct 20, 2023
1 parent 55d5bd8 commit fa3fca5
Show file tree
Hide file tree
Showing 7 changed files with 212 additions and 177 deletions.
10 changes: 4 additions & 6 deletions build.gradle
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
buildscript {
ext {
springBootVersion = "2.7.11"
springBootVersion = "3.1.5"
httpclientVersion = "4.5.14"
aerospikeClientVersion = findProperty("aerospikeClientVersion") ?: "7.1.0"
set('snakeyaml.version', '2.0') // Can be removed after upgrading to springboot 3.x
}
if (findProperty("aerospikeUseLocal")) {
print("using Local repo")
Expand Down Expand Up @@ -72,15 +71,14 @@ openApi {

dependencies {
implementation('org.msgpack:msgpack-core:0.9.3')
implementation('org.springframework.boot:spring-boot-starter-web:3.0.6')
// Separately upgraded to fix vulnerability. Version should be removed after upgrading to spring-boot 3.x
implementation("org.springframework.boot:spring-boot-starter-web:${springBootVersion}")
implementation("com.aerospike:aerospike-client:${aerospikeClientVersion}")
implementation("com.aerospike:aerospike-document-api:1.2.0")
implementation("org.msgpack:jackson-dataformat-msgpack:0.9.3")
implementation('org.springframework.retry:spring-retry:2.0.1')
implementation('org.springframework:spring-aspects:6.0.6')
implementation('org.springframework:spring-aspects:6.0.9')
implementation("org.springframework.cloud:spring-cloud-starter-circuitbreaker-resilience4j:2.1.7")
implementation('org.springdoc:springdoc-openapi-ui:1.6.14')
implementation('org.springdoc:springdoc-openapi-ui:1.6.15')
implementation("javax.inject:javax.inject:1")
implementation("com.google.guava:guava:31.1-jre")
implementation("org.springframework.boot:spring-boot-starter-validation")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,13 +40,13 @@ public ResponseEntity<Object> handleAsError(AerospikeException ex) {
return new ResponseEntity<>(new RestClientError(ex), getStatusCodeFromException(ex));
}

@Override
protected ResponseEntity<Object> handleHttpMessageNotReadable(HttpMessageNotReadableException ex,
HttpHeaders headers, HttpStatus status,
WebRequest request) {
protected ResponseEntity<Object> handleHttpMessageNotReadable(
HttpMessageNotReadableException ex, HttpHeaders headers, HttpStatus status, WebRequest request
) {
logger.warn(ex.getMessage());
return new ResponseEntity<>(new RestClientError(ex.getMostSpecificCause().getMessage()),
HttpStatus.BAD_REQUEST);
HttpStatus.BAD_REQUEST
);
}

@ExceptionHandler({RestClientErrors.AerospikeRestClientError.class})
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,11 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;

import javax.validation.Valid;
import java.util.List;

@Tag(name = "Admin Operations", description = "Manage users and privileges.")
Expand Down Expand Up @@ -101,12 +101,12 @@ public User[] getUsers(@RequestHeader(value = "Authorization", required = false)
)
@DefaultRestClientAPIResponses
@RequestMapping(
method = RequestMethod.GET,
value = "/user/{user}",
produces = {"application/json", "application/msgpack"}
method = RequestMethod.GET, value = "/user/{user}", produces = {"application/json", "application/msgpack"}
)
public User getUser(@Parameter(required = true) @PathVariable(value = "user") String user,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public User getUser(
@Parameter(required = true) @PathVariable(value = "user") String user,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
return adminService.getUser(authDetails, user);
Expand All @@ -131,8 +131,10 @@ public User getUser(@Parameter(required = true) @PathVariable(value = "user") St
@DefaultRestClientAPIResponses
@ResponseStatus(value = HttpStatus.ACCEPTED)
@DeleteMapping(value = "/user/{user}", produces = {"application/json", "application/msgpack"})
public void dropUser(@Parameter(required = true) @PathVariable(value = "user") String user,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void dropUser(
@Parameter(required = true) @PathVariable(value = "user") String user,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.dropUser(authDetails, user);
Expand Down Expand Up @@ -161,9 +163,11 @@ public void dropUser(@Parameter(required = true) @PathVariable(value = "user") S
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void changePassword(@Parameter(required = true) @PathVariable(value = "user") String user,
@Parameter(required = true) @RequestBody String password,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void changePassword(
@Parameter(required = true) @PathVariable(value = "user") String user,
@Parameter(required = true) @RequestBody String password,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.changePassword(authDetails, user, password);
Expand Down Expand Up @@ -196,8 +200,10 @@ public void changePassword(@Parameter(required = true) @PathVariable(value = "us
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void createUser(@Parameter(required = true) @Valid @RequestBody RestClientUserModel userInfo,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void createUser(
@Parameter(required = true) @Valid @RequestBody RestClientUserModel userInfo,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.createUser(authDetails, userInfo);
Expand Down Expand Up @@ -231,17 +237,17 @@ public void createUser(@Parameter(required = true) @Valid @RequestBody RestClien
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void grantRoles(@Parameter(required = true) @PathVariable(value = "user") String user,
@io.swagger.v3.oas.annotations.parameters.RequestBody(
required = true,
content = @Content(
examples = @ExampleObject(
name = RequestBodyExamples.ROLES_NAME,
value = RequestBodyExamples.ROLES_VALUE
)
)
) @RequestBody List<String> roles,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void grantRoles(
@Parameter(required = true) @PathVariable(value = "user") String user,
@io.swagger.v3.oas.annotations.parameters.RequestBody(
required = true, content = @Content(
examples = @ExampleObject(
name = RequestBodyExamples.ROLES_NAME, value = RequestBodyExamples.ROLES_VALUE
)
)
) @RequestBody List<String> roles,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.grantRoles(authDetails, user, roles);
Expand Down Expand Up @@ -275,18 +281,17 @@ public void grantRoles(@Parameter(required = true) @PathVariable(value = "user")
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void revokeRoles(@PathVariable(value = "user") @Parameter(
description = "The user from which to revoke roles",
required = true
) String user, @io.swagger.v3.oas.annotations.parameters.RequestBody(
required = true,
content = @Content(
examples = @ExampleObject(
name = RequestBodyExamples.ROLES_NAME,
value = RequestBodyExamples.ROLES_VALUE
)
public void revokeRoles(
@PathVariable(value = "user") @Parameter(
description = "The user from which to revoke roles", required = true
) String user, @io.swagger.v3.oas.annotations.parameters.RequestBody(
required = true, content = @Content(
examples = @ExampleObject(
name = RequestBodyExamples.ROLES_NAME, value = RequestBodyExamples.ROLES_VALUE
)
) @RequestBody List<String> roles, @RequestHeader(value = "Authorization", required = false) String basicAuth) {
)
) @RequestBody List<String> roles, @RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.revokeRoles(authDetails, user, roles);
Expand Down Expand Up @@ -339,8 +344,10 @@ public List<RestClientRole> getRoles(@RequestHeader(value = "Authorization", req
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void createRole(@Parameter(required = true) @RequestBody RestClientRole rcRole,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void createRole(
@Parameter(required = true) @RequestBody RestClientRole rcRole,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.createRole(authDetails, rcRole);
Expand All @@ -364,11 +371,12 @@ public void createRole(@Parameter(required = true) @RequestBody RestClientRole r
)
@DefaultRestClientAPIResponses
@GetMapping(value = "/role/{name}", produces = {"application/json", "application/msgpack"})
public RestClientRole getRole(@Parameter(
description = "The name of the role whose information should be retrieved.",
required = true
) @PathVariable(value = "name") String role,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public RestClientRole getRole(
@Parameter(
description = "The name of the role whose information should be retrieved.", required = true
) @PathVariable(value = "name") String role,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
return adminService.getRole(authDetails, role);
Expand Down Expand Up @@ -401,11 +409,13 @@ public RestClientRole getRole(@Parameter(
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void setRoleQuotas(@Parameter(
description = "The name of the role to which quotas will be set.",
required = true
) @PathVariable(value = "name") String name, @Parameter(required = true) @RequestBody RestClientRoleQuota roleQuota,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void setRoleQuotas(
@Parameter(
description = "The name of the role to which quotas will be set.", required = true
) @PathVariable(value = "name") String name,
@Parameter(required = true) @RequestBody RestClientRoleQuota roleQuota,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.setRoleQuotas(authDetails, name, roleQuota);
Expand All @@ -430,11 +440,12 @@ public void setRoleQuotas(@Parameter(
@DefaultRestClientAPIResponses
@ResponseStatus(value = HttpStatus.ACCEPTED)
@DeleteMapping(value = "/role/{name}", produces = {"application/json", "application/msgpack"})
public void dropRole(@Parameter(
description = "The name of the role to remove.",
required = true
) @PathVariable(value = "name") String role,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void dropRole(
@Parameter(
description = "The name of the role to remove.", required = true
) @PathVariable(value = "name") String role,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.dropRole(authDetails, role);
Expand Down Expand Up @@ -467,12 +478,13 @@ public void dropRole(@Parameter(
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void grantPrivileges(@Parameter(
description = "The name of the role to which privileges will be granted.",
required = true
) @PathVariable(value = "name") String name,
@Parameter(required = true) @RequestBody List<RestClientPrivilege> privileges,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void grantPrivileges(
@Parameter(
description = "The name of the role to which privileges will be granted.", required = true
) @PathVariable(value = "name") String name,
@Parameter(required = true) @RequestBody List<RestClientPrivilege> privileges,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.grantPrivileges(authDetails, name, privileges);
Expand Down Expand Up @@ -505,12 +517,13 @@ public void grantPrivileges(@Parameter(
consumes = {"application/json", "application/msgpack"},
produces = {"application/json", "application/msgpack"}
)
public void revokePrivileges(@Parameter(
description = "The name of the role from which privileges will be removed.",
required = true
) @PathVariable(value = "name") String name,
@Parameter(required = true) @RequestBody List<RestClientPrivilege> privileges,
@RequestHeader(value = "Authorization", required = false) String basicAuth) {
public void revokePrivileges(
@Parameter(
description = "The name of the role from which privileges will be removed.", required = true
) @PathVariable(value = "name") String name,
@Parameter(required = true) @RequestBody List<RestClientPrivilege> privileges,
@RequestHeader(value = "Authorization", required = false) String basicAuth
) {

AuthDetails authDetails = HeaderHandler.extractAuthDetails(basicAuth);
adminService.revokePrivileges(authDetails, name, privileges);
Expand Down
Loading

0 comments on commit fa3fca5

Please sign in to comment.