Merge branch 'release/0.8.7'

Author: LEDfan

.github/workflows/workflows.yaml

@@ -0,0 +1,51 @@
+name: Tests
+
+on: [push]
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [ 8, 11 ]
+        kubernetes: [ 'v1.20.1', 'v1.19.6', 'v1.18.14', 'v1.17.16', 'v1.16.14']
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java }}
+      - name: Cache Maven packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: Setup Minikube
+        uses: manusa/actions-setup-minikube@v2.3.0
+        with:
+          minikube version: 'v1.16.0'
+          kubernetes version:  ${{ matrix.kubernetes }}
+      - name: Setup Docker
+        run: sudo apt-get -qq -y install conntrack socat ; nohup socat TCP-LISTEN:2375,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock &
+      - name: Pull Image
+        run: docker pull openanalytics/shinyproxy-demo:latest
+      - name: Build with Maven
+        run: mvn -U clean install -DskipTests
+      - name: Run Tests
+        run: mvn test
+
+  dependency:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run Dependency Check
+        run: mvn -Powasp-dependency-check verify -DskipTests
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v2
+        with:
+          name: dependency-check-report
+          path: target/dependency-check-report.html
+

.travis.yml

@@ -5,7 +5,7 @@
 
 	<groupId>eu.openanalytics</groupId>
 	<artifactId>containerproxy</artifactId>
-	<version>0.8.6</version>
+	<version>0.8.7</version>
 	<name>ContainerProxy</name>
 	<packaging>jar</packaging>
 
@@ -289,29 +289,6 @@
 			<version>2.11.2</version>
 		</dependency>
 
-
-		<!-- Deps for tests -->
-		<dependency>
-			<groupId>org.arquillian.cube</groupId>
-			<artifactId>arquillian-cube-bom</artifactId>
-			<version>${version.arquillian_cube}</version>
-			<scope>import</scope>
-			<type>pom</type>
-		</dependency>
-		<dependency>
-			<groupId>org.arquillian.cube</groupId>
-  			<artifactId>arquillian-cube-kubernetes-starter</artifactId>
-  			<version>${version.arquillian_cube}</version>
-			<scope>test</scope>
-		</dependency>
-		<dependency>
-			<groupId>org.arquillian.cube</groupId>
-			<artifactId>arquillian-cube-requirement</artifactId>
-			<version>${version.arquillian_cube}</version>
-			<scope>test</scope>
-		</dependency>
-
-
                 <!-- Recursive dependencies which are upgraded for security -->
                 <dependency>
                     <groupId>commons-collections</groupId>

pom.xml

@@ -20,41 +20,42 @@
  */
 package eu.openanalytics.containerproxy;
 
+import com.fasterxml.jackson.datatype.jsr353.JSR353Module;
 import eu.openanalytics.containerproxy.util.ProxyMappingManager;
 import io.undertow.Handlers;
 import io.undertow.servlet.api.ServletSessionConfig;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.boot.SpringApplication;
+import org.springframework.boot.actuate.health.Health;
+import org.springframework.boot.actuate.health.HealthIndicator;
+import org.springframework.boot.actuate.redis.RedisHealthIndicator;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
 import org.springframework.boot.web.server.PortInUseException;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.event.ContextRefreshedEvent;
-import org.springframework.context.event.EventListener;
 import org.springframework.core.env.Environment;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
 import org.springframework.session.data.redis.config.ConfigureRedisAction;
 import org.springframework.web.filter.FormContentFilter;
-import org.springframework.web.filter.HiddenHttpMethodFilter;
-
-import com.fasterxml.jackson.datatype.jsr353.JSR353Module;
 
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.Objects;
 import java.util.Properties;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 
 @SpringBootApplication
 @ComponentScan("eu.openanalytics")
 public class ContainerProxyApplication {
 	public static final String CONFIG_FILENAME = "application.yml";
 	public static final String CONFIG_DEMO_PROFILE = "demo";
-	
+
 	@Inject
 	private Environment environment;
 
@@ -68,9 +69,9 @@ public static void main(String[] args) {
 
 		boolean hasExternalConfig = Files.exists(Paths.get(CONFIG_FILENAME));
 		if (!hasExternalConfig) app.setAdditionalProfiles(CONFIG_DEMO_PROFILE);
-		
+
 		setDefaultProperties(app);
-		
+
 		try {
 			app.setLogStartupInfo(false);
 			app.run(args);
@@ -81,13 +82,13 @@ public static void main(String[] args) {
 			if (e instanceof PortInUseException) System.exit(-1);
 		}
 	}
-	
+
 	@PostConstruct
-    public void init() {
+	public void init() {
 		if (environment.getProperty("server.use-forward-headers") != null) {
 			log.warn("WARNING: Using server.use-forward-headers will not work in this ShinyProxy release. See https://shinyproxy.io/documentation/security/#https-ssl--tls on how to change your configuration.");
 		}
-    }
+	}
 
 	@Bean
 	public UndertowServletWebServerFactory servletContainer() {
@@ -111,11 +112,11 @@ public UndertowServletWebServerFactory servletContainer() {
 			throw new IllegalArgumentException("Invalid bind address specified", e);
 		}
 		factory.setPort(Integer.parseInt(environment.getProperty("proxy.port", "8080")));
-		return factory;	
+		return factory;
 	}
-	
+
 	// Disable specific Spring filters that parse the request body, preventing it from being proxied.
-	
+
 	@Bean
 	public FilterRegistrationBean<FormContentFilter> registration2(FormContentFilter filter) {
 		FilterRegistrationBean<FormContentFilter> registration = new FilterRegistrationBean<>(filter);
@@ -125,6 +126,7 @@ public FilterRegistrationBean<FormContentFilter> registration2(FormContentFilter
 
 	/**
 	 * Register the Jackson module which implements compatibility between javax.json and Jackson.
+	 *
 	 * @return
 	 */
 	@Bean
@@ -134,30 +136,66 @@ public JSR353Module jsr353Module() {
 
 	/**
 	 * Compatibility with AWS ElastiCache
+	 *
 	 * @return
 	 */
 	@Bean
 	public static ConfigureRedisAction configureRedisAction() {
 		return ConfigureRedisAction.NO_OP;
 	}
-	
-	private static void setDefaultProperties(SpringApplication app ) {
+
+	@Bean
+	public HealthIndicator redisSessionHealthIndicator(RedisConnectionFactory rdeRedisConnectionFactory) {
+		if (Objects.equals(environment.getProperty("spring.session.store-type"), "redis")) {
+			// if we are using redis for session -> use a proper health check for redis
+			return new RedisHealthIndicator(rdeRedisConnectionFactory);
+		} else {
+			// not using redis for session -> just pretend it's always online
+			return new HealthIndicator() {
+
+				@Override
+				public Health getHealth(boolean includeDetails) {
+					return Health.up().build();
+				}
+
+				@Override
+				public Health health() {
+					return Health.up().build();
+				}
+			};
+		}
+	}
+
+	private static void setDefaultProperties(SpringApplication app) {
 		Properties properties = new Properties();
-		properties.put("management.health.ldap.enabled", false);
-		properties.put("management.endpoint.health.probes.enabled", true);
-	
+
 		// use in-memory session storage by default. Can be overwritten in application.yml
 		properties.put("spring.session.store-type", "none");
-		
+
 		// disable multi-part handling by Spring. We don't need this anywhere in the application.
 		// When enabled this will cause problems when proxying file-uploads to the shiny apps.
 		properties.put("spring.servlet.multipart.enabled", "false");
-		
+
 		// disable logging of requests, since this reads part of the requests and therefore undertow is unable to correctly handle those requests
 		properties.put("logging.level.org.springframework.web.servlet.DispatcherServlet", "INFO");
-		
+
 		properties.put("spring.application.name", "ContainerProxy");
+
+		// Health configuration
+		// ====================
+
+		// enable redisSession check for the readiness probe
+		properties.put("management.endpoint.health.group.readiness.include", "readinessProbe,redisSession");
+		// disable ldap health endpoint
+		properties.put("management.health.ldap.enabled", false);
+		// disable default redis health endpoint since it's managed by redisSession
+		properties.put("management.health.redis.enabled", "false");
+		// enable Kubernetes porobes
+		properties.put("management.endpoint.health.probes.enabled", true);
+
+		// ====================
+
 		app.setDefaultProperties(properties);
 	}
-	
-}
+
+}

src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java

@@ -50,7 +50,9 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.core.env.Environment;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -85,7 +87,11 @@ public class KeycloakAuthenticationBackend implements IAuthenticationBackend {
 
 	@Inject
 	ApplicationContext ctx;
-	
+
+	@Inject
+	@Lazy
+	AuthenticationManager authenticationManager;
+
 	@Override
 	public String getName() {
 		return NAME;
@@ -126,14 +132,14 @@ protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessin
 		// Possible solution for issue #21037, create a custom RequestMatcher that doesn't include a QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN) request matcher.
 		// The QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN) caused the HTTP requests to be changed before they where processed.
 		// Because the HTTP requests are adapted before they are processed, the requested failed to complete successfully and caused an io.undertow.server.TruncatedResponseException
-		// If in the future we need a RequestMatcher for het ACCESS_TOKEN, we can implement one ourself  
+		// If in the future we need a RequestMatcher for het ACCESS_TOKEN, we can implement one ourself
 		RequestMatcher requestMatcher =
 				new OrRequestMatcher(
 	                    new AntPathRequestMatcher(KeycloakAuthenticationProcessingFilter.DEFAULT_LOGIN_URL),
 	                    new RequestHeaderRequestMatcher(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER)
 	            );
-		
-		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(webSecurityConfigurerAdapter.authenticationManagerBean(), requestMatcher);
+
+		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManager, requestMatcher);
 		filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
 		// Fix: call afterPropertiesSet manually, because Spring doesn't invoke it for some reason.
 		filter.setApplicationContext(ctx);

src/main/java/eu/openanalytics/containerproxy/auth/impl/KeycloakAuthenticationBackend.java

@@ -69,6 +69,7 @@
 import net.minidev.json.JSONArray;
 import net.minidev.json.parser.JSONParser;
 import net.minidev.json.parser.ParseException;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 
 public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
 
@@ -115,7 +116,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
 					public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
 							AuthenticationException exception) throws IOException, ServletException {
 						log.error(exception);
-						response.sendRedirect("/auth-error");
+						response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/auth-error").build().toUriString());
 					}
 
 				})