chore(deps): upgrade play to remove CVEs (datahub-project#4864)

infobip · May 6, 2022 · 84a026b · 84a026b
1 parent 2a19a85
commit 84a026b
Show file tree

Hide file tree

Showing 21 changed files with 176 additions and 86 deletions.
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -75,7 +75,9 @@ jobs:
       - name: Install dependencies
         run: ./metadata-ingestion/scripts/install_deps.sh
       - name: Gradle build
-        run: ./gradlew build -x check -x docs-website:build -x test -x yarnTest -x lint -x yarnLint -x testQuick -x :metadata-integration:java:spark-lineage:test
+        run: |
+          ./gradlew build -x check -x docs-website:build -x test -x yarnTest -x lint -x yarnLint -x testQuick -x :metadata-integration:java:spark-lineage:test
+          ./gradlew :datahub-frontend:dist
       - name: Smoke test
         run: ./smoke-test/smoke.sh
         env:

diff --git a/.gitignore b/.gitignore
@@ -64,4 +64,7 @@ metadata-ingestion/generated/**
 # docs
 docs/generated/
 tmp*
-temp*
+temp*
+
+# frontend assets
+datahub-frontend/public/**
diff --git a/build.gradle b/build.gradle
@@ -16,6 +16,7 @@ buildscript {
     }
     classpath "io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.30.0"
     classpath "com.palantir.gradle.gitversion:gradle-git-version:0.12.3"
+    classpath "org.gradle.playframework:gradle-playframework:0.12"
     classpath "gradle.plugin.org.hidetake:gradle-swagger-generator-plugin:2.18.1"
   }
 }
@@ -110,14 +111,14 @@ project.ext.externalDependency = [
     'opentracingJdbc':'io.opentracing.contrib:opentracing-jdbc:0.2.15',
     'parquet': 'org.apache.parquet:parquet-avro:1.12.2',
     'picocli': 'info.picocli:picocli:4.5.0',
-    'playCache': 'com.typesafe.play:play-cache_2.11:2.6.18',
-    'playWs': 'com.typesafe.play:play-ahc-ws-standalone_2.11:2.0.8',
-    'playDocs': 'com.typesafe.play:play-docs_2.11:2.6.18',
-    'playGuice': 'com.typesafe.play:play-guice_2.11:2.6.18',
-    'playJavaJdbc': 'com.typesafe.play:play-java-jdbc_2.11:2.6.18',
-    'playTest': 'com.typesafe.play:play-test_2.11:2.6.18',
+    'playCache': 'com.typesafe.play:play-cache_2.12:2.7.6',
+    'playWs': 'com.typesafe.play:play-ahc-ws-standalone_2.12:2.0.8',
+    'playDocs': 'com.typesafe.play:play-docs_2.12:2.7.6',
+    'playGuice': 'com.typesafe.play:play-guice_2.12:2.7.6',
+    'playJavaJdbc': 'com.typesafe.play:play-java-jdbc_2.12:2.7.6',
+    'playTest': 'com.typesafe.play:play-test_2.12:2.7.6',
     'pac4j': 'org.pac4j:pac4j-oidc:3.6.0',
-    'playPac4j': 'org.pac4j:play-pac4j_2.11:7.0.1',
+    'playPac4j': 'org.pac4j:play-pac4j_2.12:8.0.2',
     'postgresql': 'org.postgresql:postgresql:42.3.3',
     'protobuf': 'com.google.protobuf:protobuf-java:3.19.3',
     'reflections': 'org.reflections:reflections:0.9.9',

diff --git a/datahub-frontend/app/auth/AuthModule.java b/datahub-frontend/app/auth/AuthModule.java
@@ -12,7 +12,6 @@
 import com.linkedin.util.Configuration;
 import com.datahub.authentication.Authentication;
 import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
 import java.util.Collections;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.pac4j.core.client.Client;

diff --git a/datahub-frontend/app/auth/Authenticator.java b/datahub-frontend/app/auth/Authenticator.java
@@ -1,6 +1,7 @@
 package auth;
 
 import com.typesafe.config.Config;
+import java.util.Optional;
 import javax.inject.Inject;
 import play.mvc.Http;
 import play.mvc.Result;
@@ -22,7 +23,8 @@ public class Authenticator extends Security.Authenticator {
 
     @Inject
     public Authenticator(@Nonnull Config config) {
-        this.metadataServiceAuthEnabled = config.hasPath(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH) && config.getBoolean(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH);
+        this.metadataServiceAuthEnabled = config.hasPath(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH)
+            && config.getBoolean(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH);
     }
 
     @Override
@@ -38,9 +40,28 @@ public String getUsername(@Nonnull Http.Context ctx) {
         }
     }
 
+    @Override
+    public Optional<String> getUsername(@Nonnull Http.Request request) {
+        Http.Context ctx = Http.Context.current();
+        if (this.metadataServiceAuthEnabled) {
+            // If Metadata Service auth is enabled, we only want to verify presence of the
+            // "Authorization" header OR the presence of a frontend generated session cookie.
+            // At this time, the actor is still considered to be unauthenicated.
+            return Optional.ofNullable(AuthUtils.isEligibleForForwarding(ctx) ? "urn:li:corpuser:UNKNOWN" : null);
+        } else {
+            // If Metadata Service auth is not enabled, verify the presence of a valid session cookie.
+            return Optional.ofNullable(AuthUtils.hasValidSessionCookie(ctx) ? ctx.session().get(ACTOR) : null);
+        }
+    }
+
     @Override
     @Nonnull
     public Result onUnauthorized(@Nullable Http.Context ctx) {
         return unauthorized();
     }
+
+    @Override
+    public Result onUnauthorized(Http.Request req) {
+        return unauthorized();
+    }
 }
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcResponseErrorHandler.java b/datahub-frontend/app/auth/sso/oidc/OidcResponseErrorHandler.java
@@ -10,6 +10,11 @@
 
 
 public class OidcResponseErrorHandler {
+
+    private OidcResponseErrorHandler() {
+
+    }
+
     private static final Logger _logger = LoggerFactory.getLogger("OidcResponseErrorHandler");
 
     private static final String ERROR_FIELD_NAME = "error";
@@ -22,20 +27,18 @@ public static Result handleError(final PlayWebContext context) {
                 getErrorDescription(context));
 
         if (getError(context).equals("access_denied")) {
-            return unauthorized(String.format("Access denied. " +
-                            "The OIDC service responded with 'Access denied'. " +
-                            "It seems that you don't have access to this application yet. Please apply for access. \n\n" +
-                            "If you already have been assigned this application, it may be so that your OIDC request is still in action. " +
-                            "Error details: '%s':'%s'",
+            return unauthorized(String.format("Access denied. "
+                    + "The OIDC service responded with 'Access denied'. "
+                    + "It seems that you don't have access to this application yet. Please apply for access. \n\n"
+                    + "If you already have been assigned this application, it may be so that your OIDC request is still in action. "
+                    + "Error details: '%s':'%s'",
                     context.getRequestParameter("error"),
                     context.getRequestParameter("error_description")));
         }
 
         return internalServerError(
-                String.format("Internal server error. The OIDC service responded with an error: '%s'.\n" +
-                                "Error description: '%s'",
-                getError(context),
-                getErrorDescription(context)));
+                String.format("Internal server error. The OIDC service responded with an error: '%s'.\n"
+                        + "Error description: '%s'", getError(context), getErrorDescription(context)));
     }
 
     public static boolean isError(final PlayWebContext context) {

diff --git a/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcAuthenticator.java b/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcAuthenticator.java
@@ -71,8 +71,12 @@ public CustomOidcAuthenticator(final OidcConfiguration configuration, final Oidc
           chosenMethod = preferredMethod;
         } else {
           throw new TechnicalException(
-              "Preferred authentication method (" + preferredMethod + ") not supported " +
-                  "by provider according to provider metadata (" + metadataMethods + ").");
+              "Preferred authentication method ("
+                  + preferredMethod
+                  + ") not supported "
+                  + "by provider according to provider metadata ("
+                  + metadataMethods
+                  + ").");
         }
       } else {
         chosenMethod = firstSupportedMethod(metadataMethods);
@@ -83,13 +87,13 @@ public CustomOidcAuthenticator(final OidcConfiguration configuration, final Oidc
           chosenMethod);
     }
 
-    final ClientID _clientID = new ClientID(configuration.getClientId());
+    final ClientID clientID = new ClientID(configuration.getClientId());
     if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(chosenMethod)) {
-      final Secret _secret = new Secret(configuration.getSecret());
-      clientAuthentication = new ClientSecretPost(_clientID, _secret);
+      final Secret secret = new Secret(configuration.getSecret());
+      clientAuthentication = new ClientSecretPost(clientID, secret);
     } else if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(chosenMethod)) {
-      final Secret _secret = new Secret(configuration.getSecret());
-      clientAuthentication = new ClientSecretBasic(_clientID, _secret);
+      final Secret secret = new Secret(configuration.getSecret());
+      clientAuthentication = new ClientSecretBasic(clientID, secret);
     } else if (ClientAuthenticationMethod.NONE.equals(chosenMethod)) {
       clientAuthentication = null; // No client authentication in none mode
     } else {
@@ -128,8 +132,8 @@ private static ClientAuthenticationMethod firstSupportedMethod(final List<Client
     if (firstSupported.isPresent()) {
       return firstSupported.get();
     } else {
-      throw new TechnicalException("None of the Token endpoint provider metadata authentication methods are supported: " +
-          metadataMethods);
+      throw new TechnicalException("None of the Token endpoint provider metadata authentication methods are supported: "
+          +  metadataMethods);
     }
   }
 

diff --git a/datahub-frontend/app/client/AuthServiceClient.java b/datahub-frontend/app/client/AuthServiceClient.java
@@ -56,7 +56,8 @@ public String generateSessionTokenForUser(@Nonnull final String userId) {
     try {
 
       final String protocol = this.metadataServiceUseSsl ? "https" : "http";
-      final HttpPost request = new HttpPost(String.format("%s://%s:%s/%s", protocol, this.metadataServiceHost, this.metadataServicePort, GENERATE_SESSION_TOKEN_ENDPOINT));
+      final HttpPost request = new HttpPost(String.format("%s://%s:%s/%s", protocol, this.metadataServiceHost,
+          this.metadataServicePort, GENERATE_SESSION_TOKEN_ENDPOINT));
 
       // Build JSON request to generate a token on behalf of a user.
       String json = String.format("{ \"%s\":\"%s\" }", USER_ID_FIELD, userId);

diff --git a/datahub-frontend/app/controllers/Application.java b/datahub-frontend/app/controllers/Application.java
@@ -14,7 +14,7 @@
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.stream.Collectors;
-import play.Play;
+import play.api.Play;
 import play.http.HttpEntity;
 import play.libs.ws.InMemoryBodyWritable;
 import play.libs.ws.StandaloneWSClient;
@@ -59,7 +59,7 @@ public Application(@Nonnull Config config) {
    */
   @Nonnull
   private Result serveAsset(@Nullable String path) {
-    InputStream indexHtml = Play.application().classloader().getResourceAsStream("public/index.html");
+    InputStream indexHtml = Play.current().classloader().getResourceAsStream("public/index.html");
     response().setHeader("Cache-Control", "no-cache");
     return ok(indexHtml).as("text/html");
   }
@@ -114,7 +114,8 @@ public CompletableFuture<Result> proxy(String path) throws ExecutionException, I
             .toMap()
             .entrySet()
             .stream()
-            .filter(entry -> !AuthenticationConstants.LEGACY_X_DATAHUB_ACTOR_HEADER.equals(entry.getKey())) // Remove X-DataHub-Actor to prevent malicious delegation.
+            // Remove X-DataHub-Actor to prevent malicious delegation.
+            .filter(entry -> !AuthenticationConstants.LEGACY_X_DATAHUB_ACTOR_HEADER.equals(entry.getKey()))
             .filter(entry -> !Http.HeaderNames.CONTENT_LENGTH.equals(entry.getKey()))
             .filter(entry -> !Http.HeaderNames.CONTENT_TYPE.equals(entry.getKey()))
             .filter(entry -> !Http.HeaderNames.AUTHORIZATION.equals(entry.getKey()))

diff --git a/datahub-frontend/app/controllers/CentralLogoutController.java b/datahub-frontend/app/controllers/CentralLogoutController.java
@@ -19,14 +19,14 @@ public class CentralLogoutController extends LogoutController {
   @Inject
   public CentralLogoutController(Config config) {
 
-    String _authBaseUrl = config.hasPath(AUTH_BASE_URL_CONFIG_PATH)
+    String authBaseUrl = config.hasPath(AUTH_BASE_URL_CONFIG_PATH)
             ? config.getString(AUTH_BASE_URL_CONFIG_PATH)
             : DEFAULT_BASE_URL_PATH;
 
     _isOidcEnabled = config.hasPath("auth.oidc.enabled") && config.getBoolean("auth.oidc.enabled");
 
-    setDefaultUrl(_authBaseUrl);
-    setLogoutUrlPattern(_authBaseUrl + ".*");
+    setDefaultUrl(authBaseUrl);
+    setLogoutUrlPattern(authBaseUrl + ".*");
     setLocalLogout(true);
     setCentralLogout(true);
 

diff --git a/datahub-frontend/app/controllers/SsoCallbackController.java b/datahub-frontend/app/controllers/SsoCallbackController.java
@@ -58,7 +58,8 @@ public class SsoCallbackLogic implements CallbackLogic<Result, PlayWebContext> {
 
     private final OidcCallbackLogic _oidcCallbackLogic;
 
-    SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication, final EntityClient entityClient, final AuthServiceClient authClient) {
+    SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication,
+        final EntityClient entityClient, final AuthServiceClient authClient) {
       _oidcCallbackLogic = new OidcCallbackLogic(ssoManager, systemAuthentication, entityClient, authClient);
     }
 

diff --git a/datahub-frontend/app/controllers/TrackingController.java b/datahub-frontend/app/controllers/TrackingController.java
@@ -35,7 +35,7 @@ public class TrackingController extends Controller {
     private final Logger _logger = LoggerFactory.getLogger(TrackingController.class.getName());
 
     private static final List<String> KAFKA_SSL_PROTOCOLS = Collections.unmodifiableList(
-            Arrays.asList(SecurityProtocol.SSL.name(),SecurityProtocol.SASL_SSL.name(),
+            Arrays.asList(SecurityProtocol.SSL.name(), SecurityProtocol.SASL_SSL.name(),
             SecurityProtocol.SASL_PLAINTEXT.name()));
 
     private final Boolean _isEnabled;
@@ -81,7 +81,7 @@ public Result track() throws Exception {
              _producer.send(record);
              _producer.flush();
              return ok();
-        } catch(Exception e) {
+        } catch (Exception e) {
             _logger.error(String.format("Failed to emit product analytics event. actor: %s, event: %s", actor, event));
             return internalServerError(e.getMessage());
         }

diff --git a/datahub-frontend/app/security/AuthenticationManager.java b/datahub-frontend/app/security/AuthenticationManager.java
@@ -44,6 +44,7 @@ public void handle(@Nonnull Callback[] callbacks) {
       NameCallback nc = null;
       PasswordCallback pc = null;
       for (Callback callback : callbacks) {
+        Logger.error("The submitted callback is of type: " + callback.getClass() + " : " + callback);
         if (callback instanceof NameCallback) {
           nc = (NameCallback) callback;
           nc.setName(this.username);

diff --git a/datahub-frontend/app/utils/ConfigUtil.java b/datahub-frontend/app/utils/ConfigUtil.java
@@ -6,6 +6,10 @@
 
 public class ConfigUtil {
 
+  private ConfigUtil() {
+
+  }
+
   // New configurations, provided via application.conf file.
   public static final String METADATA_SERVICE_HOST_CONFIG_PATH = "metadataService.host";
   public static final String METADATA_SERVICE_PORT_CONFIG_PATH = "metadataService.port";

diff --git a/datahub-frontend/build.gradle b/datahub-frontend/build.gradle
@@ -46,4 +46,21 @@ graphqlCodegen {
 
 tasks.withType(Checkstyle) {
   exclude "**/generated/**"
+}
+
+checkstyleMain.source = "app/"
+
+
+/*
+PLAY UPGRADE NOTE
+Generates the distribution jars under the expected names. The playFramework plugin only accepts certain name values
+for the resulting folders and files, so some changes were made to accommodate. Default distribution is main if these are excluded
+ */
+distributions {
+  create("datahub-frontend") {
+    distributionBaseName = project.ext.playBinaryBaseName
+  }
+  playBinary {
+    distributionBaseName = project.ext.playBinaryBaseName
+  }
 }
diff --git a/datahub-frontend/conf/application.conf b/datahub-frontend/conf/application.conf
@@ -26,6 +26,10 @@ play.modules.disabled += "play.api.mvc.CookiesModule"
 play.modules.enabled += "play.api.mvc.LegacyCookiesModule"
 play.modules.enabled += "auth.AuthModule"
 
+# Legacy Configuration to avoid code changes, update to modern approaches eventually
+play.allowHttpContext = true
+play.allowGlobalApplication = true
+
 # Database configuration
 # ~~~~~
 # You can declare as many datasources as you want.

diff --git a/datahub-frontend/conf/routes b/datahub-frontend/conf/routes
@@ -19,22 +19,22 @@ POST          /callback/:protocol                                             co
 GET           /logOut                                                         controllers.CentralLogoutController.executeLogout()
 
 # Proxies API requests to the metadata service api
-GET           /api/*path                                                      controllers.Application.proxy(path)
-POST          /api/*path                                                      controllers.Application.proxy(path)
-DELETE        /api/*path                                                      controllers.Application.proxy(path)
-PUT           /api/*path                                                      controllers.Application.proxy(path)
+GET           /api/*path                                                     controllers.Application.proxy(path)
+POST          /api/*path                                                     controllers.Application.proxy(path)
+DELETE        /api/*path                                                     controllers.Application.proxy(path)
+PUT           /api/*path                                                     controllers.Application.proxy(path)
 
 # Proxies API requests to the metadata service api
-GET           /openapi/*path                                                  controllers.Application.proxy(path)
-POST          /openapi/*path                                                  controllers.Application.proxy(path)
-DELETE        /openapi/*path                                                  controllers.Application.proxy(path)
-PUT           /openapi/*path                                                  controllers.Application.proxy(path)
+GET           /openapi/*path                                                 controllers.Application.proxy(path)
+POST          /openapi/*path                                                 controllers.Application.proxy(path)
+DELETE        /openapi/*path                                                 controllers.Application.proxy(path)
+PUT           /openapi/*path                                                 controllers.Application.proxy(path)
 
 # Map static resources from the /public folder to the /assets URL path
-GET           /assets/*file                                                   controllers.Assets.at(path="/public", file)
+GET           /assets/*file                                                  controllers.Assets.at(path="/public", file)
 
 # Analytics route
-POST          /track                                                          controllers.TrackingController.track()
+POST          /track                                                         controllers.TrackingController.track()
 
 # Wildcard route accepts any routes and delegates to serveAsset which in turn serves the React Bundle
-GET           /*path                                                          controllers.Application.index(path)
+GET           /*path                                                         controllers.Application.index(path)