Merge pull request #56 from catenax-ng/hot_fix_3.2

fix: _Security issue  fix_

CHANGELOG.md

@@ -7,6 +7,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [Unreleased]
  - NA
 
+## [1.4.0] - 2023-08-17
+
+### Fixed
+ - Security issue fixed
+
 ## [1.3.9] - 2023-08-14
 
 ### Added

DEPENDENCIES

@@ -121,7 +121,7 @@ maven/mavencentral/org.springframework.data/spring-data-commons/3.1.0, Apache-2.
 maven/mavencentral/org.springframework.data/spring-data-jpa/3.1.0, Apache-2.0, approved, #9120
 maven/mavencentral/org.springframework.retry/spring-retry/2.0.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.security/spring-security-config/6.1.2, Apache-2.0, approved, #9736
-maven/mavencentral/org.springframework.security/spring-security-core/6.1.0, Apache-2.0, approved, #9801
+maven/mavencentral/org.springframework.security/spring-security-core/6.0.3, Apache-2.0, approved, #7325
 maven/mavencentral/org.springframework.security/spring-security-crypto/6.1.0, Apache-2.0 AND ISC, approved, #9735
 maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.1.0, Apache-2.0, approved, #9740
 maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.1.0, Apache-2.0, approved, #9741

README.md

@@ -12,8 +12,8 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 ### Software Version
 
 ```shell
-Application version: 1.3.9
-Helm release version: 1.3.9
+Application version: 1.4.0
+Helm release version: 1.4.0
 ```
 
 ### Container images

charts/orchestrator/Chart.yaml

@@ -38,13 +38,13 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.3.9
+version: 1.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.3.9"
+appVersion: "1.4.0"
 
 dependencies:
   - condition: postgresql.enabled

charts/orchestrator/README.md

@@ -1,6 +1,6 @@
 # autosetup
 
-![Version: 1.3.9](https://img.shields.io/badge/Version-1.3.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.9](https://img.shields.io/badge/AppVersion-1.3.9-informational?style=flat-square)
+![Version: 1.4.0](https://img.shields.io/badge/Version-1.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square)
 
 This service will help service provider to set up DFT/SDE with EDC and EDC as service in service provider environment.
 

pom.xml

@@ -32,7 +32,7 @@
 	</parent>
 	<groupId>org.eclipse.tractusx</groupId>
 	<artifactId>auto-setup</artifactId>
-	<version>1.3.9</version>
+	<version>1.4.0</version>
 	<name>auto-setup</name>
 	<description>auto-setup</description>
 	<properties>
@@ -198,6 +198,10 @@
 						spring-security-oauth2-client
 					</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.springframework.security</groupId>
+					<artifactId>spring-security-config</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
@@ -212,6 +216,10 @@
 					<groupId>org.springframework.security</groupId>
 					<artifactId>spring-security-web</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.springframework.security</groupId>
+					<artifactId>spring-security-config</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
@@ -222,6 +230,10 @@
 					<groupId>org.springframework.security</groupId>
 					<artifactId>spring-security-web</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.springframework.security</groupId>
+					<artifactId>spring-security-config</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
@@ -246,18 +258,33 @@
 					<groupId>org.springframework.security</groupId>
 					<artifactId>spring-security-web</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.springframework.security</groupId>
+					<artifactId>spring-security-core</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-web</artifactId>
 			<version>6.1.0</version>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.security</groupId>
+					<artifactId>spring-security-core</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-config</artifactId>
 			<version>6.1.2</version>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<version>6.0.3</version>
+		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>

src/main/java/org/eclipse/tractusx/autosetup/exception/GlobalDefaultExceptionHandler.java

@@ -71,7 +71,7 @@ protected ResponseEntity<Object> handleMethodArgumentNotValid(MethodArgumentNotV
 
 		Object inputRequest = ex.getBindingResult().getTarget();
 		if (inputRequest != null)
-			log.error(inputRequest.toString());
+			log.error(LogUtil.encode(inputRequest.toString()));
 
 		ex.getBindingResult().getAllErrors().forEach(error -> {
 			String fieldName = ((FieldError) error).getField();

src/main/java/org/eclipse/tractusx/autosetup/exception/ServiceException.java

@@ -20,6 +20,8 @@
 
 package org.eclipse.tractusx.autosetup.exception;
 
+import org.eclipse.tractusx.autosetup.utility.LogUtil;
+
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
@@ -32,6 +34,6 @@ public class ServiceException extends RuntimeException {
 
 	public ServiceException(String exceptionstr) {
 		super(exceptionstr);
-		log.error(exceptionstr);
+		log.error(LogUtil.encode(exceptionstr));
 	}
 }

src/main/java/org/eclipse/tractusx/autosetup/manager/DTRegistryManager.java

@@ -1,4 +1,5 @@
 /********************************************************************************
+
  * Copyright (c) 2023 T-Systems International GmbH
  * Copyright (c) 2023 Contributors to the Eclipse Foundation
  *
@@ -34,6 +35,7 @@
 import org.eclipse.tractusx.autosetup.exception.ServiceException;
 import org.eclipse.tractusx.autosetup.model.Customer;
 import org.eclipse.tractusx.autosetup.model.SelectedTools;
+import org.eclipse.tractusx.autosetup.utility.LogUtil;
 import org.eclipse.tractusx.autosetup.utility.WaitingTimeUtility;
 import org.springframework.retry.annotation.Backoff;
 import org.springframework.retry.annotation.Retryable;
@@ -107,10 +109,10 @@ public Map<String, String> managePackage(Customer customerDetails, AppActions ac
 			ServiceException.class }, maxAttemptsExpression = "${retry.maxAttempts}", backoff = @Backoff(delayExpression = "#{${retry.backOffDelay}}"))
 	public void dtRegistryRegistrationInEDC(Customer customerDetails, SelectedTools tool, Map<String, String> inputData,
 			AutoSetupTriggerEntry triger) {
+		String tenantName = LogUtil.encode(customerDetails.getOrganizationName());
 		try {
-
-			WaitingTimeUtility.waitingTime(customerDetails.getOrganizationName()
-					+ ": Waiting for EDC asset creation after DT setup to get connector pod up");
+			WaitingTimeUtility.waitingTime(
+					tenantName + ": Waiting for EDC asset creation after DT setup to get connector pod up");
 
 			String asset = eDCProxyService.getAssets(customerDetails, inputData);
 
@@ -119,7 +121,7 @@ public void dtRegistryRegistrationInEDC(Customer customerDetails, SelectedTools
 			}
 
 		} catch (Exception e) {
-			String errorMsg = customerDetails.getOrganizationName()
+			String errorMsg = tenantName
 					+ ":It looks EDC connector is not up for DT asset creation, Oops! We have an exception - "
 					+ e.getMessage();
 			log.error(errorMsg);
@@ -144,22 +146,22 @@ private void createEDCAsset(Customer customerDetails, SelectedTools tool, Map<St
 
 		AutoSetupTriggerDetails autoSetupTriggerDetails = AutoSetupTriggerDetails.builder()
 				.id(UUID.randomUUID().toString()).step("DT_CreateEDCAsset").build();
-		log.info(customerDetails.getOrganizationName() + ":DT createEDCAsset creating");
+		String tenantName = LogUtil.encode(customerDetails.getOrganizationName());
+
+		log.info(tenantName + ":DT createEDCAsset creating");
 		try {
 
 			String assetId = eDCProxyService.createAsset(customerDetails, inputData);
-			log.info(customerDetails.getOrganizationName() + ":DT createEDCAsset created " + assetId);
+			log.info(tenantName + ":DT createEDCAsset created " + assetId);
 			inputData.put("assetId", assetId);
 
 		} catch (Exception ex) {
-			log.error(
-					customerDetails.getOrganizationName()
-							+ ":DTRegistryManager createEDCAsset failed retry attempt: : {}",
+			log.error(tenantName + ":DTRegistryManager createEDCAsset failed retry attempt: : {}",
 					RetrySynchronizationManager.getContext().getRetryCount() + 1);
 			autoSetupTriggerDetails.setStatus(TriggerStatusEnum.FAILED.name());
 			autoSetupTriggerDetails.setRemark(ex.getMessage());
-			throw new ServiceException(customerDetails.getOrganizationName()
-					+ ":DTRegistryManager createEDCAsset Oops! We have an exception - " + ex.getMessage());
+			throw new ServiceException(
+					tenantName + ":DTRegistryManager createEDCAsset Oops! We have an exception - " + ex.getMessage());
 		} finally {
 			autoSetupTriggerManager.saveTriggerDetails(autoSetupTriggerDetails, triger);
 		}
@@ -172,24 +174,23 @@ private void createEDCPolicy(Customer customerDetails, SelectedTools tool, Map<S
 			AutoSetupTriggerEntry triger) {
 		AutoSetupTriggerDetails autoSetupTriggerDetails = AutoSetupTriggerDetails.builder()
 				.id(UUID.randomUUID().toString()).step("DT_CreateEDCPolicy").build();
-		log.info(customerDetails.getOrganizationName() + ":DT CreateEDCPolicy creating");
+		String tenantName = LogUtil.encode(customerDetails.getOrganizationName());
+		log.info(tenantName + ":DT CreateEDCPolicy creating");
 		try {
 
 			String policyId = eDCProxyService.createPolicy(customerDetails, inputData);
-			log.info(customerDetails.getOrganizationName() + ":DT createEDCPolicy created :" + policyId);
+			log.info(tenantName + ":DT createEDCPolicy created :" + policyId);
 			inputData.put("policyId", policyId);
 
 		} catch (Exception ex) {
 
-			log.error(
-					customerDetails.getOrganizationName()
-							+ ":DTRegistryManager CreateEDCPolicy failed retry attempt: : {}",
+			log.error(tenantName + ":DTRegistryManager CreateEDCPolicy failed retry attempt: : {}",
 					RetrySynchronizationManager.getContext().getRetryCount() + 1);
 
 			autoSetupTriggerDetails.setStatus(TriggerStatusEnum.FAILED.name());
 			autoSetupTriggerDetails.setRemark(ex.getMessage());
-			throw new ServiceException(customerDetails.getOrganizationName()
-					+ ":DTRegistryManager CreateEDCPolicy Oops! We have an exception - " + ex.getMessage());
+			throw new ServiceException(
+					tenantName + ":DTRegistryManager CreateEDCPolicy Oops! We have an exception - " + ex.getMessage());
 		} finally {
 			autoSetupTriggerManager.saveTriggerDetails(autoSetupTriggerDetails, triger);
 		}
@@ -201,7 +202,8 @@ private void createContractDefination(Customer customerDetails, SelectedTools to
 			AutoSetupTriggerEntry triger) {
 		AutoSetupTriggerDetails autoSetupTriggerDetails = AutoSetupTriggerDetails.builder()
 				.id(UUID.randomUUID().toString()).step("DT_CreateContractDefination").build();
-		log.info(customerDetails.getOrganizationName() + ":DT createContractDefination creating");
+		String tenantName = LogUtil.encode(customerDetails.getOrganizationName());
+		log.info(tenantName + ":DT createContractDefination creating");
 		try {
 
 			String assetId = inputData.get("assetId");
@@ -212,19 +214,16 @@ private void createContractDefination(Customer customerDetails, SelectedTools to
 
 			inputData.put("contractPolicyId", contractPolicyId);
 
-			log.info(
-					customerDetails.getOrganizationName() + ":DT CreateContractDefination created " + contractPolicyId);
+			log.info(tenantName + ":DT CreateContractDefination created " + contractPolicyId);
 
 		} catch (Exception ex) {
 
-			log.error(
-					customerDetails.getOrganizationName()
-							+ ":DTRegistryManager CreateContractDefination failed retry attempt: : {}",
+			log.error(tenantName + ":DTRegistryManager CreateContractDefination failed retry attempt: : {}",
 					RetrySynchronizationManager.getContext().getRetryCount() + 1);
 
 			autoSetupTriggerDetails.setStatus(TriggerStatusEnum.FAILED.name());
 			autoSetupTriggerDetails.setRemark(ex.getMessage());
-			throw new ServiceException(customerDetails.getOrganizationName()
+			throw new ServiceException(tenantName
 					+ ":DTRegistryManager CreateContractDefination Oops! We have an exception - " + ex.getMessage());
 		} finally {
 			autoSetupTriggerManager.saveTriggerDetails(autoSetupTriggerDetails, triger);