italiangrid · expuss2000 · Jul 3, 2023 · Oct 2, 2024 · Oct 3, 2024 · Oct 16, 2024
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -13,10 +13,10 @@ jobs:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
       - name: Cache SonarCloud packages
         uses: actions/cache@v1
         with:
@@ -33,4 +33,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: mvn -s maven/cnaf-mirror-settings.xml -B -U install org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=italiangrid_storm-webdav
+        run: mvn -s maven/cnaf-mirror-settings.xml -B -U install org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=italiangrid_storm-webdav
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,36 +1,65 @@
 # Changelog
 
+## 1.4.2 (2023-06-27)
+
+## Description
+
+This release:
+
+* upgrades significant dependencies (spring-boot, canl, bouncycastle, jQuery)
+* removes the support for TRACE method
+* tunes some default values (default TPC timeout, default heap size, etc.)
+* and fixes other minor bugs/issues.
+
+### fixes
+
+* [[STOR-1396](https://issues.infn.it/jira/browse/STOR-1396)] - Ensure adler32 checksums are always 8 chars long
+* [[STOR-1450](https://issues.infn.it/jira/browse/STOR-1450)] - Increase default timeout for TPC to 30 seconds
+* [[STOR-1500](https://issues.infn.it/jira/browse/STOR-1500)] - When redis is disabled the health indicator for redis should be disabled
+* [[STOR-1574](https://issues.infn.it/jira/browse/STOR-1574)] - Old java/canl creates problems with encoding of subject/issuer names in self-signed certificates
+* [[STOR-1440](https://issues.infn.it/jira/browse/STOR-1440)] - StoRM WebDAV should configure a bigger heap by default
+* [[STOR-1497](https://issues.infn.it/jira/browse/STOR-1497)] - Upgrade canl-java to v2.6.0
+* [[STOR-1515](https://issues.infn.it/jira/browse/STOR-1515)] - StoRM WebDAV metrics on TPC.pull/push.throughput
+* [[STOR-1555](https://issues.infn.it/jira/browse/STOR-1555)] - Upgrade jQuery version
+* [[STOR-1556](https://issues.infn.it/jira/browse/STOR-1556)] - Remove TRACE from allowed methods
+* [[STOR-1557](https://issues.infn.it/jira/browse/STOR-1557)] - Upgrade Spring Boot version to the latest
+* [[STOR-1558](https://issues.infn.it/jira/browse/STOR-1558)] - Update bouncycastle version to 1.67
+* [[STOR-1576](https://issues.infn.it/jira/browse/STOR-1576)] - Add .well-known endpoint for StoRM WebDAV to point to the Tape REST endpoint
+
+
+## 1.4.1 (2021-05-12)
+
+This release fixes the failed state shown on stop/restart of the service due to a misunderstood exit code meaning.
+
+### Fixed
+
+- [[STOR-1400](https://issues.infn.it/jira/browse/STOR-1400)] - StoRM WebDAV service enters failed state when stopped
+
 ## 1.4.0 (2021-04-01)
 
 ### Added
 
-- [Add support for externalized session management](https://issues.infn.it/jira/browse/STOR-1336)
+- [[STOR-1336](https://issues.infn.it/jira/browse/STOR-1336)] - Add support for externalized session management
 
 ### Fixed
 
-- [Login with OIDC button not shown for error
-  pages](https://issues.infn.it/jira/browse/STOR-1335) 
-- [StoRM WebDAV: Login with OIDC button displayed only on storage area index
-  page]( https://issues.infn.it/jira/browse/STOR-1332)
-- [StoRM WebDAV rpm doesn't set the proper ownership on
-  /var/log/storm](https://issues.infn.it/jira/browse/STOR-1298)
-- [StoRM WebDAV package should install Java
-  11](https://issues.infn.it/jira/browse/STOR-1358)
+- [[STOR-1335](https://issues.infn.it/jira/browse/STOR-1335)] - Login with OIDC button not shown for error
+  pages
+- [[STOR-1332](https://issues.infn.it/jira/browse/STOR-1332)] - Login with OIDC button displayed only on storage area index page
+- [[STOR-1298](https://issues.infn.it/jira/browse/STOR-1298)] - StoRM WebDAV RPM doesn't set the proper ownership on `/var/log/storm`
+- [[STOR-1358](https://issues.infn.it/jira/browse/STOR-1358)] - StoRM WebDAV package should install Java 11
 
 ## 1.2.0 (2019-08-??)
 
 ### Added
 
-- [Spring boot updated to 2.1.4.RELEASE][STOR-1098]
-- [Introduced support for Conscrypt JSSE provider to improve TLS
-  performace][STOR-1097]
+- [[STOR-1098](https://issues.infn.it/jira/browse/STOR-1098)] - Spring boot updated to 2.1.4.RELEASE
+- [[STOR-1097](https://issues.infn.it/jira/browse/STOR-1097)] - Introduced support for Conscrypt JSSE provider to improve TLS performance
 
 ### Fixed
 
-- [StoRM WebDAV default configuration does not depend anymore on
-  iam-test.indigo-datacloud.eu][STOR-1095]
-- [Unreachable OpenID Connect provider causes StoRM WebDAV startup
-  failure][STOR-1096]
+- [[STOR-1095](https://issues.infn.it/jira/browse/STOR-1095)] - StoRM WebDAV default configuration does not depend anymore on `iam-test.indigo-datacloud.eu`
+- [[STOR-1096](https://issues.infn.it/jira/browse/STOR-1096)] - Unreachable OpenID Connect provider causes StoRM WebDAV startup failure
 
 ## 1.1.0 (2019-02-28)
 
@@ -46,8 +75,3 @@
 
 - POST handled as GET fixed 
 
-
-[STOR-1095]: https://issues.infn.it/jira/browse/STOR-1095
-[STOR-1096]: https://issues.infn.it/jira/browse/STOR-1096
-[STOR-1097]: https://issues.infn.it/jira/browse/STOR-1097
-[STOR-1098]: https://issues.infn.it/jira/browse/STOR-1098
diff --git a/doc/nginx-reverse-proxy.md b/doc/nginx-reverse-proxy.md
@@ -0,0 +1,61 @@
+# Use nginx as a reverse proxy
+
+It is possible to deploy StoRM WebDAV using nginx as a reverse proxy.
+
+The main pros of this type of deployment are:
+
+- use nginx to manage TLS termination
+- delegate VOMS proxy authentication to [ngx_http_voms_module](https://baltig.infn.it/cnafsd/ngx_http_voms_module)
+- improve performance of downloads by using nginx to handle GET requests
+
+## How to deploy StoRM WebDAV using nginx
+
+Install nginx and [ngx_http_voms_module](https://baltig.infn.it/cnafsd/ngx_http_voms_module) on your server.
+
+Change the configuration of nginx to:
+
+- enable the client certificates
+- set the correct headers for VOMS authentication
+- add an internal endpoint to which to redirect GET requests
+
+In your `application.yml` configuration set `storm.nginx-reverse-proxy` to `true`.
+
+Example nginx configuration:
+
+```
+server {
+	location /internal-get {
+		internal;
+		alias /;
+		sendfile on;
+		tcp_nopush on;
+		keepalive_timeout 65;
+		tcp_nodelay on;
+	}
+	location / {
+		proxy_pass http://127.0.0.1:8086;
+		proxy_set_header X-VOMS-voms_user $voms_user;
+		proxy_set_header X-VOMS-ssl_client_ee_s_dn $ssl_client_ee_s_dn;
+		proxy_set_header X-VOMS-voms_user_ca $voms_user_ca;
+		proxy_set_header X-VOMS-ssl_client_ee_i_dn $ssl_client_ee_i_dn;
+		proxy_set_header X-VOMS-voms_fqans $voms_fqans;
+		proxy_set_header X-VOMS-voms_server $voms_server;
+		proxy_set_header X-VOMS-voms_server_ca $voms_server_ca;
+		proxy_set_header X-VOMS-voms_vo $voms_vo;
+		proxy_set_header X-VOMS-voms_server_uri $voms_server_uri;
+		proxy_set_header X-VOMS-voms_not_before $voms_not_before;
+		proxy_set_header X-VOMS-voms_not_after $voms_not_after;
+		proxy_set_header X-VOMS-voms_generic_attributes $voms_generic_attributes;
+		proxy_set_header X-VOMS-voms_serial $voms_serial;
+	}
+	listen [::]:8443 ssl http2;
+	listen 8443 ssl http2;
+	ssl_certificate /etc/grid-security/hostcert.pem;
+	ssl_certificate_key /etc/grid-security/hostkey.pem;
+	ssl_client_certificate /etc/pki/ca-trust/extracted/pem/tls-ca-bundle-all.pem;
+	ssl_verify_client optional;
+	ssl_verify_depth 10;
+	client_max_body_size 0;
+	error_page 497 https://$host:8443$request_uri;
+}
+```
diff --git a/etc/storm-webdav/logback-access.xml b/etc/storm-webdav/logback-access.xml
@@ -11,7 +11,7 @@
 
     <!-- Check http://logback.qos.ch/manual/layouts.html#AccessPatternLayout to get the meaning of the fields -->
     <encoder>
-      <pattern>%a %localPort "%reqAttribute{storm.remoteUser}" %date{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC} "%reqAttribute{storm.requestId}" "%m %U %H" %s %b %D</pattern>
+      <pattern>%replace(%a){'^$','-'} %localPort "%reqAttribute{storm.remoteUser}" %date{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC} "%reqAttribute{storm.requestId}" "%m %U %H" %s %b %D</pattern>
     </encoder>
   </appender>
 

diff --git a/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf b/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf
@@ -127,3 +127,40 @@ Environment="STORM_WEBDAV_TPC_MAX_CONNECTIONS_PER_ROUTE=25"
 # Source file for the tape REST API well-known endpoint
 # Default: '/etc/storm/webdav/wlcg-tape-rest-api.json'
 # Environment="STORM_WEBDAV_TAPE_WELLKNOWN_SOURCE=/etc/storm/webdav/wlcg-tape-rest-api.json"
+
+# Buffer size for both internal and third-party copy requests.
+# This adds more efficiency than to write the whole data. Valid values are numbers >= 4096.
+# Default: 1048576
+# Environment="STORM_WEBDAV_BUFFER_FILE_BUFFER_SIZE_BYTES=1048576"
+
+# Enable checksum filter which adds checksum as an header following RFC 3230.
+# Default: true
+# Environment="STORM_WEBDAV_CHECKSUM_FILTER_ENABLED=true"
+
+# Enable Macaroon filter to process Macaroon tokens. Requires authz server enabled.
+# Default: true
+# Environment="STORM_WEBDAV_MACAROON_FILTER_ENABLED=true"
+
+# TLS protocol for non-TPC requests
+# Default: TLS
+# Environment="STORM_WEBDAV_TLS_PROTOCOL=TLS"
+
+# VOMS Trust Store directory
+# Default: /etc/grid-security/vomsdir
+# Environment="STORM_WEBDAV_VOMS_TRUST_STORE_DIR=/etc/grid-security/vomsdir"
+
+# VOMS Trust Store refresh interval
+# Default: 43200
+# Environment="STORM_WEBDAV_VOMS_TRUST_STORE_REFRESH_INTERVAL_SEC=43200"
+
+# Enable caching for VOMS certificate validation
+# Default: true
+# Environment="STORM_WEBDAV_VOMS_CACHE_ENABLE=true"
+
+# Cache entries lifetime, used if caching for VOMS certificate validation is enabled
+# Default: 300
+# Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=300"
+
+# Use nginx as a reverse proxy
+# Default: false
+# Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=false"