chore(dependency): upgrade spring boot from 2.7.x to 3.0.x and spring cloud from 2021.0.x to 2022.0.x

kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java

@@ -19,22 +19,28 @@
 
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.actuate.health.HealthEndpoint;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
 
 @Configuration
 @Order(Ordered.HIGHEST_PRECEDENCE + 67)
-public class ActuatorEndpointsConfiguration extends WebSecurityConfigurerAdapter {
+@EnableWebSecurity
+public class ActuatorEndpointsConfiguration {
 
-  @Override
-  public void configure(HttpSecurity http) throws Exception {
+  @Bean
+  public SecurityFilterChain configure(HttpSecurity http) throws Exception {
     // The health endpoint should always be exposed without auth.
-    http.requestMatcher(EndpointRequest.to(HealthEndpoint.class))
-        .authorizeRequests()
+    http.securityMatcher(EndpointRequest.to(HealthEndpoint.class));
+    http.authorizeHttpRequests()
+        .requestMatchers(EndpointRequest.to(HealthEndpoint.class))
+        .permitAll()
         .anyRequest()
-        .permitAll();
+        .authenticated();
+    return http.build();
   }
 }

kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorSanitizingFunction.java

@@ -0,0 +1,135 @@
+/*
+ * Copyright 2024 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.actuator;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import org.springframework.boot.actuate.endpoint.SanitizableData;
+import org.springframework.boot.actuate.endpoint.SanitizingFunction;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+
+@Component
+public class ActuatorSanitizingFunction implements SanitizingFunction {
+
+  private static final String[] REGEX_PARTS = {"*", "$", "^", "+"};
+  private static final Set<String> DEFAULT_KEYS_TO_SANITIZE =
+      Set.of(
+          "password",
+          "secret",
+          "key",
+          "token",
+          ".*credentials.*",
+          "vcap_services",
+          "^vcap\\.services.*$",
+          "sun.java.command",
+          "^spring[._]application[._]json$");
+  private static final Set<String> URI_USERINFO_KEYS =
+      Set.of("uri", "uris", "url", "urls", "address", "addresses");
+  private static final Pattern URI_USERINFO_PATTERN =
+      Pattern.compile("^\\[?[A-Za-z][A-Za-z0-9\\+\\.\\-]+://.+:(.*)@.+$");
+  private List<Pattern> keysToSanitize = new ArrayList<>();
+
+  public ActuatorSanitizingFunction(List<String> additionalKeysToSanitize) {
+    addKeysToSanitize(DEFAULT_KEYS_TO_SANITIZE);
+    addKeysToSanitize(URI_USERINFO_KEYS);
+    addKeysToSanitize(additionalKeysToSanitize);
+  }
+
+  public ActuatorSanitizingFunction() {
+    addKeysToSanitize(DEFAULT_KEYS_TO_SANITIZE);
+    addKeysToSanitize(URI_USERINFO_KEYS);
+  }
+
+  private void addKeysToSanitize(Collection<String> keysToSanitize) {
+    for (String key : keysToSanitize) {
+      this.keysToSanitize.add(getPattern(key));
+    }
+  }
+
+  private Pattern getPattern(String value) {
+    if (isRegex(value)) {
+      return Pattern.compile(value, Pattern.CASE_INSENSITIVE);
+    }
+    return Pattern.compile(".*" + value + "$", Pattern.CASE_INSENSITIVE);
+  }
+
+  private boolean isRegex(String value) {
+    for (String part : REGEX_PARTS) {
+      if (value.contains(part)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  public void setKeysToSanitize(String... keysToSanitize) {
+    if (keysToSanitize != null) {
+      for (String key : keysToSanitize) {
+        this.keysToSanitize.add(getPattern(key)); // todo: clear oll existing the make the list.
+      }
+    }
+  }
+
+  @Override
+  public SanitizableData apply(SanitizableData data) {
+    if (data.getValue() == null) {
+      return data;
+    }
+
+    for (Pattern pattern : keysToSanitize) {
+      if (pattern.matcher(data.getKey()).matches()) {
+        if (keyIsUriWithUserInfo(pattern)) {
+          return data.withValue(sanitizeUris(data.getValue().toString()));
+        }
+
+        return data.withValue(SanitizableData.SANITIZED_VALUE);
+      }
+    }
+
+    return data;
+  }
+
+  private boolean keyIsUriWithUserInfo(Pattern pattern) {
+    for (String uriKey : URI_USERINFO_KEYS) {
+      if (pattern.matcher(uriKey).matches()) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  private Object sanitizeUris(String value) {
+    return Arrays.stream(value.split(",")).map(this::sanitizeUri).collect(Collectors.joining(","));
+  }
+
+  private String sanitizeUri(String value) {
+    Matcher matcher = URI_USERINFO_PATTERN.matcher(value);
+    String password = matcher.matches() ? matcher.group(1) : null;
+    if (password != null) {
+      return StringUtils.replace(
+          value, ":" + password + "@", ":" + SanitizableData.SANITIZED_VALUE + "@");
+    }
+    return value;
+  }
+}

kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java

@@ -18,13 +18,16 @@
 
 import static java.lang.String.format;
 
+import com.netflix.spinnaker.kork.actuator.ActuatorSanitizingFunction;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.stream.Collectors;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.actuate.endpoint.SanitizableData;
 import org.springframework.boot.actuate.endpoint.Sanitizer;
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
@@ -33,7 +36,9 @@
 @Endpoint(id = "resolvedEnv")
 public class ResolvedEnvironmentEndpoint {
 
-  private final Sanitizer sanitizer = new Sanitizer();
+  private final Sanitizer sanitizer;
+  private final ActuatorSanitizingFunction actuatorSanitizingFunction =
+      new ActuatorSanitizingFunction();
   private final Environment environment;
 
   @Autowired
@@ -42,7 +47,8 @@ public ResolvedEnvironmentEndpoint(
     this.environment = environment;
     Optional.ofNullable(properties.getKeysToSanitize())
         .map(p -> p.toArray(new String[0]))
-        .ifPresent(sanitizer::setKeysToSanitize);
+        .ifPresent(actuatorSanitizingFunction::setKeysToSanitize);
+    sanitizer = new Sanitizer(List.of(actuatorSanitizingFunction));
   }
 
   @ReadOperation
@@ -53,7 +59,9 @@ public Map<String, Object> resolvedEnv() {
                 property -> property,
                 property -> {
                   try {
-                    return sanitizer.sanitize(property, environment.getProperty(property));
+                    return sanitizer.sanitize(
+                        new SanitizableData(null, property, environment.getProperty(property)),
+                        true);
                   } catch (Exception e) {
                     return format("Exception occurred: %s", e.getMessage());
                   }

kork-cloud-config-server/src/main/java/com/netflix/spinnaker/kork/configserver/autoconfig/RemoteConfigSourceConfigured.java

@@ -16,7 +16,7 @@
 
 package com.netflix.spinnaker.kork.configserver.autoconfig;
 
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.context.annotation.Condition;

kork-core/src/main/java/com/netflix/spinnaker/kork/metrics/SpectatorConfiguration.java

@@ -22,7 +22,7 @@
 import com.netflix.spectator.jvm.Jmx;
 import com.netflix.spectator.micrometer.MicrometerRegistry;
 import io.micrometer.core.instrument.MeterRegistry;
-import javax.annotation.PreDestroy;
+import jakarta.annotation.PreDestroy;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;

kork-credentials-api/kork-credentials-api.gradle

@@ -22,7 +22,7 @@ dependencies {
   api project(":kork-plugins-api")
   implementation project(":kork-annotations")
   implementation project(":kork-exceptions")
-  implementation 'javax.annotation:javax.annotation-api'
+  implementation 'jakarta.annotation:jakarta.annotation-api'
 
   testRuntimeOnly "cglib:cglib-nodep"
   testRuntimeOnly "org.objenesis:objenesis"

kork-credentials-api/src/main/java/com/netflix/spinnaker/credentials/definition/AbstractCredentialsLoader.java

@@ -18,7 +18,7 @@
 
 import com.netflix.spinnaker.credentials.Credentials;
 import com.netflix.spinnaker.credentials.CredentialsRepository;
-import javax.annotation.PostConstruct;
+import jakarta.annotation.PostConstruct;
 import lombok.Getter;
 
 public abstract class AbstractCredentialsLoader<T extends Credentials>

kork-credentials/kork-credentials.gradle

@@ -24,7 +24,7 @@ dependencies {
   implementation 'org.apache.logging.log4j:log4j-api'
   implementation "org.springframework.boot:spring-boot"
   implementation 'org.springframework.boot:spring-boot-starter-json'
-  implementation 'javax.annotation:javax.annotation-api'
+  implementation 'jakarta.annotation:jakarta.annotation-api'
   implementation 'org.slf4j:slf4j-api'
 
   testRuntimeOnly "cglib:cglib-nodep"

kork-crypto/src/main/java/com/netflix/spinnaker/kork/crypto/NestedSecurityIOException.java

@@ -16,10 +16,10 @@
 
 package com.netflix.spinnaker.kork.crypto;
 
+import java.io.IOException;
 import java.security.GeneralSecurityException;
-import org.springframework.core.NestedIOException;
 
-public class NestedSecurityIOException extends NestedIOException {
+public class NestedSecurityIOException extends IOException {
   public NestedSecurityIOException(GeneralSecurityException e) {
     super(e.getMessage(), e);
   }

kork-eureka/kork-eureka.gradle

@@ -23,13 +23,14 @@ dependencies {
   implementation project(":kork-core")
   implementation project(":kork-exceptions")
 
-  implementation "javax.inject:javax.inject:1"
+  implementation "jakarta.inject:jakarta.inject-api" // Transitive dependency of com.netflix.eureka:eureka-client-jersey3
   implementation "org.springframework.boot:spring-boot-autoconfigure"
   implementation "org.springframework.boot:spring-boot-starter-actuator"
 
   implementation "com.netflix.archaius:archaius-core"
   implementation "commons-configuration:commons-configuration"
-  implementation "com.netflix.eureka:eureka-client"
+  implementation "com.netflix.eureka:eureka-client-jersey3"
+  implementation "com.netflix.eureka:eureka-core-jersey3"
   implementation "com.netflix.netflix-commons:netflix-eventbus"
 
   testImplementation "org.springframework.boot:spring-boot-starter-test"

kork-eureka/src/main/java/com/netflix/spinnaker/kork/archaius/ArchaiusAutoConfiguration.java

@@ -22,9 +22,9 @@
 import com.netflix.config.DynamicConfiguration;
 import com.netflix.config.FixedDelayPollingScheduler;
 import com.netflix.spinnaker.kork.eureka.EurekaAutoConfiguration;
+import jakarta.annotation.PreDestroy;
 import java.util.*;
 import java.util.concurrent.TimeUnit;
-import javax.annotation.PreDestroy;
 import org.apache.commons.configuration.AbstractConfiguration;
 import org.apache.commons.configuration.CompositeConfiguration;
 import org.springframework.beans.BeansException;

kork-eureka/src/main/java/com/netflix/spinnaker/kork/eureka/EurekaAutoConfiguration.java

@@ -21,12 +21,14 @@
 import com.netflix.discovery.DiscoveryClient;
 import com.netflix.discovery.EurekaClient;
 import com.netflix.discovery.EurekaClientConfig;
+import com.netflix.discovery.shared.transport.jersey.TransportClientFactories;
+import com.netflix.discovery.shared.transport.jersey3.Jersey3TransportClientFactories;
 import com.netflix.eventbus.impl.EventBusImpl;
 import com.netflix.eventbus.spi.EventBus;
 import com.netflix.spinnaker.kork.discovery.DiscoveryAutoConfiguration;
+import jakarta.inject.Provider;
 import java.util.Map;
 import java.util.Objects;
-import javax.inject.Provider;
 import org.springframework.boot.actuate.health.HealthIndicator;
 import org.springframework.boot.actuate.health.StatusAggregator;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
@@ -46,14 +48,13 @@ public EventBus eventBus() {
     return new EventBusImpl();
   }
 
-  /** @deprecated use EurekaClient rather than DiscoveryClient */
   @Bean
-  @Deprecated
   public DiscoveryClient discoveryClient(
       ApplicationInfoManager applicationInfoManager,
       EurekaClientConfig eurekaClientConfig,
-      DiscoveryClient.DiscoveryClientOptionalArgs optionalArgs) {
-    return new DiscoveryClient(applicationInfoManager, eurekaClientConfig, optionalArgs);
+      TransportClientFactories transportClientFactories) {
+    return new DiscoveryClient(
+        applicationInfoManager, eurekaClientConfig, transportClientFactories);
   }
 
   @Bean
@@ -86,13 +87,8 @@ EurekaClientConfig eurekaClientConfig(
   }
 
   @Bean
-  DiscoveryClient.DiscoveryClientOptionalArgs optionalArgs(
-      EventBus eventBus, HealthCheckHandler healthCheckHandler) {
-    DiscoveryClient.DiscoveryClientOptionalArgs args =
-        new DiscoveryClient.DiscoveryClientOptionalArgs();
-    args.setEventBus(eventBus);
-    args.setHealthCheckHandlerProvider(new StaticProvider<>(healthCheckHandler));
-    return args;
+  TransportClientFactories transportClientFactories() {
+    return Jersey3TransportClientFactories.getInstance();
   }
 
   @Bean

kork-eureka/src/main/java/com/netflix/spinnaker/kork/eureka/EurekaStatusSubscriber.java

@@ -28,8 +28,8 @@
 import com.netflix.spinnaker.kork.discovery.InstanceStatus;
 import com.netflix.spinnaker.kork.discovery.RemoteStatusChangedEvent;
 import com.netflix.spinnaker.kork.exceptions.SystemException;
+import jakarta.annotation.PreDestroy;
 import java.util.Objects;
-import javax.annotation.PreDestroy;
 import org.springframework.context.ApplicationEventPublisher;
 
 public class EurekaStatusSubscriber implements DiscoveryStatusPublisher {