RIPE NCC has merged bce9b25a6

* Clean a sonarqube nit [f2c12853c] * Clean commandaudit in integration tests [0eec93b63] * Fix getCAStatEvents [360db641a] * JpaCertificateAuthorityRepository: fix class cast error [a5a732830] * Add test cases for CaStat methods [9faca1eec] * SecurityConfig: fix admin UI access when authorization is disabled [52ed3b2ad] * SecurityConfig: fix provisioning config [cf384d82b] * SecurityConfig: disable session request cache parameter [c126055eb] * SecurityConfig: use java method naming conventions [19d678a61] * OIDC needs to be added in the same chain that it applies to [5401517af] * Rewrite the SecurityConfig [68edba4c6] * SonarQube nits [98939469b] * Fix the disabled test in UpStreamCARequestEntityTest [91937c1d8] * Build a container with JRE 17 [1c0e6ff2e] * Truncate instant to ms in ProvisioningCmsSigningTimeStoreTest [543a05e6d] * Use Instant instead of Timestamp in JpaRoaConfigurationRepository [e69771564] * Update query in JpaRoaConfigurationRepositoryTest for new types [aee572b62] * Update shouldFindAllPerCaAndCountPrefixes for new types [9f26fcfc2] * Two unnecessary imports [cd393d814] * Adjust ExpireOutgoingResourceCertificateResult to use long [0c401f547] * Use Instant in PublishedObject(Data|Entry) [1eee1854d] * Hibernate returns Instant instead of Timestamp [cfe8b4e73] * Result is a long with Hibernate 6 [2df77ebca] * Store artefacts for failed builds [b8ca3ff78] * Use lenient stubbing in UpstreamCaControllerTest [2eed0dc98] * Use thymeleaf-spring6 and refactor admin tests to Jupiter APIs [3e27c1817] * Fix incorrect JPQL reference to certificate ids [3edc720ab] * Use Wiremock for integration test case [1b720adb7] * CertificationDomainTestCase did not persist KeyPair [a9d90164d] * Remove usage of RandomUtil [90d284304] * Use new DefaulTransactionStatus constructor [da9d23a7f] * Validate.notNull without explanation is deprecated [ec5593ef8] * Use new Spring Security syntax [eb262c1a3] * AutoConfigureMetrics is now AutoConfigureObservability [ec51a5ddb] * Enum is now mapped as tinyint [d62fd4e14] * Hibernate version specific dialects are deprecated [0c5b01391] * javax.persistence -> jakarta.persistence [7b805d021] * Switch back to DBProvider name [8a555792d] * New jar artifact name [b84fa63c2] * Test DBProvider 1.6-SNAPSHOT [e2117413f] * additional .toList changes after rebase [b5371e0ad] * Update default `JAVA_HOME` to pick java 17 [d90e2186f] * Fix `toList` derived types [a54d1a8ce] * Low-handing Java 17 changes [433da1eb1] * Toolchain is needed once [2f47cb82f] * Switch to Java 17 [de744b3b9] * Use postgres 15 in unit tests run on Github actions [de72145a1] * chore(deps): update plugin com.google.cloud.tools.jib to v3.4.2 [69c6cb91c] * chore(deps): update dependency org.springdoc:springdoc-openapi-ui to v1.8.0 [59403bcb7] * chore(deps): update dependency gradle to v8.7 [515ba2e4a] * Remove commons-text and do not use tomcat dependency [4171caf49] * chore(deps): update dependency commons-io:commons-io to v2.16.1 [f0512bbc8] * chore(deps): update dependency org.postgresql:postgresql to v42.7.3 [255ed5d55] * Remove workaround [b1c3f03b1] * chore(deps): update dependency net.jqwik:jqwik to v1.8.4 [4eb03d2dc]
RIPE-NCC · Apr 26, 2024 · e1f4451 · e1f4451
1 parent 579f41a
commit e1f4451
Show file tree

Hide file tree

Showing 274 changed files with 1,329 additions and 1,101 deletions.
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -1,4 +1,4 @@
-name: JUnit Tests 
+name: JUnit Tests
 on:
   pull_request:
   push:
@@ -9,12 +9,12 @@ jobs:
     # runs-on: gradle:7.5.1-jdk8
     services:
       postgres:
-        image: postgres:12.15
+        image: postgres:15
         env:
           POSTGRES_USER: certdb
           POSTGRES_PASSWORD: certdb
           POSTGRES_DB: certdb_test
-        ports:          
+        ports:
           - 5432:5432
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 
@@ -25,6 +25,6 @@ jobs:
         uses: dorny/test-reporter@v1
         if: success() || failure()    # run this step even if previous step failed
         with:
-          name: JUnit Tests            
+          name: JUnit Tests
           path: 'build/test-results/test/TEST-*.xml'
-          reporter: java-junit
+          reporter: java-junit
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,5 +1,5 @@
 default:
-  image: gradle:8.6-jdk11
+  image: gradle:8.7-jdk17
 
 # Explicit version of the Mergerequests-Pipelines workflow, with the main branch
 # added.
@@ -67,6 +67,7 @@ build:
     - ./gradlew -i build integrationTest
     - cat build/reports/jacoco/test/html/index.html
   artifacts:
+    when: always
     paths:
       - build
       - scripts/*

diff --git a/build.gradle b/build.gradle
@@ -1,9 +1,9 @@
 plugins {
     id 'rpki-ripe-ncc.build-conventions'
-    id 'org.springframework.boot' version '2.7.18'
+    id 'org.springframework.boot' version "3.2.4"
     id 'distribution'
     id 'jacoco'
-    id "com.google.cloud.tools.jib" version "3.3.2"
+    id "com.google.cloud.tools.jib" version "3.4.2"
     id "com.google.osdetector" version "1.7.3"
 }
 
@@ -41,30 +41,29 @@ dependencies {
     }
     implementation 'org.flywaydb:flyway-core'
 
-    implementation "org.thymeleaf:thymeleaf:3.1.1.RELEASE"
-    implementation "org.thymeleaf:thymeleaf-spring5:3.1.1.RELEASE"
+    implementation "org.thymeleaf:thymeleaf:3.1.2.RELEASE"
+    implementation "org.thymeleaf:thymeleaf-spring6:3.1.2.RELEASE"
 
     implementation platform('io.sentry:sentry-bom:6.34.0')
     implementation 'io.sentry:sentry-spring-boot-starter'
     implementation 'io.sentry:sentry-logback'
 
     implementation "net.ripe.rpki:rpki-commons:$rpki_commons_version"
 
-    implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
+    implementation 'org.springdoc:springdoc-openapi-ui:1.8.0'
 
     runtimeOnly 'io.micrometer:micrometer-registry-prometheus'
-    implementation 'org.postgresql:postgresql:42.7.2'
+    implementation 'org.postgresql:postgresql:42.7.3'
     runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat'
 
     implementation 'com.google.code.gson:gson:2.10.1'
     implementation 'com.jamesmurty.utils:java-xmlbuilder:1.3'
     implementation 'commons-codec:commons-codec:1.16.1'
-    implementation 'commons-io:commons-io:2.15.1'
+    implementation 'commons-io:commons-io:2.16.1'
     implementation 'ch.qos.logback.contrib:logback-json-classic:0.1.5'
     implementation 'ch.qos.logback.contrib:logback-jackson:0.1.5'
     implementation 'net.logstash.logback:logstash-logback-encoder:7.3'
     implementation 'commons-lang:commons-lang:2.6'
-    implementation 'org.apache.commons:commons-text:1.10.0'
 
     testImplementation('org.springframework.boot:spring-boot-starter-test') {
         exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
@@ -73,8 +72,8 @@ dependencies {
         exclude group: 'org.hamcrest', module: 'hamcrest-core'
     }
 
-    testImplementation 'com.github.tomakehurst:wiremock-jre8:2.35.0'
-    testImplementation 'net.jqwik:jqwik:1.8.3'
+    testImplementation "org.wiremock:wiremock-jetty12:3.5.2"
+    testImplementation 'net.jqwik:jqwik:1.8.4'
     testImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version:tests"
     testImplementation 'org.assertj:assertj-core'
 
@@ -87,12 +86,6 @@ dependencies {
 
 }
 
-java {
-    toolchain {
-        languageVersion = JavaLanguageVersion.of(11)
-    }
-}
-
 sourceSets {
     integration {
         java.srcDir 'src/integration/java'
@@ -151,7 +144,7 @@ distributions {
 
 jib {
     from {
-        image = "openjdk:11-jdk-slim"
+        image = "openjdk:17-jdk-slim"
     }
     to {
         image = "docker-registry.ripe.net/rpki/rpki-ripe-ncc"

diff --git a/buildSrc/src/main/groovy/rpki-ripe-ncc.build-conventions.gradle b/buildSrc/src/main/groovy/rpki-ripe-ncc.build-conventions.gradle
@@ -35,11 +35,14 @@ repositories {
     maven {
         url = uri('https://maven.nexus.ripe.net/repository/maven-third-party')
     }
+    maven {
+        url = uri('https://maven.nexus.ripe.net/repository/maven-third-party-snapshots')
+    }
 }
 
 java {
     toolchain {
-        languageVersion = JavaLanguageVersion.of(11)
+        languageVersion = JavaLanguageVersion.of(17)
     }
 }
 

diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

diff --git a/hsm/build.gradle b/hsm/build.gradle
@@ -31,7 +31,8 @@ dependencies {
         }
     }
     thalesImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version"
-    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.4'
+    // 2024-4-16: Test DBProvider snapshot provided by Entrust
+    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.6-SNAPSHOT'
     // **When using JDK 11** make sure the matching version of nCipherKM is on classpath because DBProvider depends on it.
     thalesImplementation 'com.ncipher.nfast:nCipherKM:13.4.5'
 

diff --git a/...ion/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanIT.java b/...ion/java/net/ripe/rpki/ripencc/services/impl/KrillNonHostedPublisherRepositoryBeanIT.java
@@ -14,7 +14,7 @@
 import org.springframework.core.io.Resource;
 import org.springframework.test.context.ActiveProfiles;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 import java.nio.charset.StandardCharsets;
 import java.util.Set;
 import java.util.UUID;

diff --git a/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClientIT.java b/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestCustomerServiceClientIT.java
@@ -8,9 +8,9 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.ActiveProfiles;
 
-import javax.inject.Inject;
-import javax.ws.rs.ProcessingException;
-import javax.ws.rs.core.Response;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.ProcessingException;
+import jakarta.ws.rs.core.Response;
 import java.util.List;
 
 import static org.junit.Assert.assertFalse;

diff --git a/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientIT.java b/src/integration/java/net/ripe/rpki/ripencc/services/impl/RestResourceServicesClientIT.java
@@ -11,9 +11,9 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.ActiveProfiles;
 
-import javax.inject.Inject;
-import javax.ws.rs.ProcessingException;
-import javax.ws.rs.core.Response;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.ProcessingException;
+import jakarta.ws.rs.core.Response;
 import java.util.Map;
 
 import static org.assertj.core.api.Assertions.assertThat;

diff --git a/src/integration/java/net/ripe/rpki/util/ActuatorMetricsIT.java b/src/integration/java/net/ripe/rpki/util/ActuatorMetricsIT.java
@@ -4,16 +4,18 @@
 import net.ripe.rpki.TestRpkiBootApplication;
 import net.ripe.rpki.rest.service.Rest;
 import net.ripe.rpki.server.api.services.system.ActiveNodeService;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.actuate.metrics.AutoConfigureMetrics;
+import org.springframework.boot.test.autoconfigure.actuate.observability.AutoConfigureObservability;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 
@@ -23,9 +25,9 @@
 @TestPropertySource(properties = {"management.port="})
 @ComponentScan(value = "net.ripe.rpki", lazyInit = false)
 @ActiveProfiles("test")
-@RunWith(SpringRunner.class)
+@ExtendWith(SpringExtension.class)
 @AutoConfigureMockMvc
-@AutoConfigureMetrics
+@AutoConfigureObservability
 @SpringBootTest(classes = TestRpkiBootApplication.class, properties = "instance.name=unittest.local")
 /**
  * Validate that the metrics can be loaded.

diff --git a/src/main/dist/rpki-ripe-ncc.sh b/src/main/dist/rpki-ripe-ncc.sh
@@ -5,7 +5,7 @@
 #   APPLICATION_ENVIRONMENT=prepdev rpki-ripe-ncc.sh
 #
 
-JAVA_HOME=${JAVA_HOME:-"/usr/lib/jvm/jre-11-openjdk"}
+JAVA_HOME=${JAVA_HOME:-"/usr/lib/jvm/jre-17-openjdk"}
 LANG=${LANG:-"en_US.UTF-8"}
 
 cd "$(dirname "$0")" || exit 1

diff --git a/src/main/java/net/ripe/rpki/application/impl/CommandAuditServiceBean.java b/src/main/java/net/ripe/rpki/application/impl/CommandAuditServiceBean.java
@@ -15,9 +15,9 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
-import javax.persistence.Query;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
+import jakarta.persistence.Query;
 import javax.security.auth.x500.X500Principal;
 import java.util.List;
 import java.util.Map;
@@ -59,7 +59,7 @@ public List<CommandAuditData> findMostRecentCommandsForCa(long caId) {
     }
 
     private List<CommandAuditData> convertToData(List<CommandAudit> commandAuditList) {
-        return commandAuditList.stream().map(CommandAudit::toData).collect(Collectors.toList());
+        return commandAuditList.stream().map(CommandAudit::toData).toList();
     }
 
     @SuppressWarnings("unchecked")
@@ -79,8 +79,7 @@ public CommandContext startRecording(CertificateAuthorityCommand command) {
         VersionedId caVersionedId;
         X500Principal caName;
         UUID caUuid;
-        if (command instanceof CertificateAuthorityCreationCommand) {
-            CertificateAuthorityCreationCommand activationCommand = (CertificateAuthorityCreationCommand) command;
+        if (command instanceof CertificateAuthorityCreationCommand activationCommand) {
             caVersionedId = activationCommand.getCertificateAuthorityVersionedId();
             caName = activationCommand.getName();
             caUuid = activationCommand.getUuid();
@@ -104,7 +103,7 @@ public void finishRecording(CommandContext context) {
         CommandAudit commandAudit = context.getCommandAudit();
         CertificateAuthorityCommand command = context.getCommand();
 
-        List<String> events = context.getRecordedEvents().stream().map(Object::toString).collect(Collectors.toList());
+        List<String> events = context.getRecordedEvents().stream().map(Object::toString).toList();
         String commandEvents = events.stream().collect(Collectors.joining("\n    ", "\n    ", ""));
 
         log.info(

diff --git a/src/main/java/net/ripe/rpki/bgpris/BgpRisEntryRepositoryBean.java b/src/main/java/net/ripe/rpki/bgpris/BgpRisEntryRepositoryBean.java
@@ -29,7 +29,7 @@ public class BgpRisEntryRepositoryBean implements BgpRisEntryViewService {
     /*
      * All BgpRisEntries that have enough visibility.
      */
-    private AtomicReference<IntervalMap<IpRange, ArrayList<BgpRisEntry>>> entries = new AtomicReference<>(emptyEntries());
+    private final AtomicReference<IntervalMap<IpRange, ArrayList<BgpRisEntry>>> entries = new AtomicReference<>(emptyEntries());
 
     @Override
     public boolean isEmpty() {
@@ -43,9 +43,8 @@ public Collection<BgpRisEntry> findMostSpecificOverlapping(ImmutableResourceSet
         Collection<BgpRisEntry> result = new HashSet<>();
         for (IpRange prefix : getPrefixes(resources)) {
             final List<BgpRisEntry> exactAndMoreSpecific = current.findExactAndAllMoreSpecific(prefix)
-                .stream()
-                .flatMap(Collection::stream)
-                .collect(Collectors.toList());
+                    .stream()
+                    .flatMap(Collection::stream).toList();
             result.addAll(exactAndMoreSpecific);
 
             final ImmutableResourceSet remaining = findResourcesNotCovered(prefix, exactAndMoreSpecific);
@@ -62,9 +61,8 @@ public Map<Boolean, Collection<BgpRisEntry>> findMostSpecificContainedAndNotCont
         Collection<BgpRisEntry> notContainedEntries = new HashSet<>();
         for (IpRange prefix : getPrefixes(resources)) {
             final List<BgpRisEntry> exactAndMoreSpecific = current.findExactAndAllMoreSpecific(prefix)
-                .stream()
-                .flatMap(Collection::stream)
-                .collect(Collectors.toList());
+                    .stream()
+                    .flatMap(Collection::stream).toList();
             containedEntries.addAll(exactAndMoreSpecific);
             final ImmutableResourceSet remaining = findResourcesNotCovered(prefix, exactAndMoreSpecific);
             addLessSpecificAnnouncements(current, notContainedEntries, remaining);
@@ -133,8 +131,7 @@ private boolean isLargePrefixes(IpRange prefix) {
     private static List<IpRange> getPrefixes(final ImmutableResourceSet resources) {
         List<IpRange> result = new ArrayList<>();
         for (IpResource resource : resources) {
-            if (resource instanceof IpRange) {
-                IpRange range = (IpRange) resource;
+            if (resource instanceof IpRange range) {
                 result.addAll(range.splitToPrefixes());
             } else if (resource instanceof IpAddress) {
                 result.add(IpRange.range((IpAddress) resource, (IpAddress) resource));

diff --git a/src/main/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImpl.java b/src/main/java/net/ripe/rpki/core/read/services/ca/CertificateAuthorityViewServiceImpl.java
@@ -12,11 +12,11 @@
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import javax.inject.Inject;
-import javax.persistence.EntityManager;
-import javax.persistence.EntityNotFoundException;
-import javax.persistence.LockModeType;
-import javax.persistence.TypedQuery;
+import jakarta.inject.Inject;
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.persistence.LockModeType;
+import jakarta.persistence.TypedQuery;
 import javax.security.auth.x500.X500Principal;
 import java.util.*;
 import java.util.stream.Collectors;
@@ -76,11 +76,11 @@ public CertificateAuthorityData findCertificateAuthority(Long caId) {
     @Override
     public Collection<CertificateAuthorityData> findAllChildrenForCa(X500Principal caName) {
         CertificateAuthority parent = certificateAuthorityRepository.findByTypeAndName(CertificateAuthority.class, caName);
-        return parent instanceof ParentCertificateAuthority
-            ? certificateAuthorityRepository.findAllByParent((ParentCertificateAuthority) parent).stream()
-                .map(this::convertToCaData)
-                .collect(Collectors.toList())
-            : Collections.emptyList();
+        if (parent instanceof ParentCertificateAuthority parentCa) {
+            return certificateAuthorityRepository.findAllByParent(parentCa)
+                .stream().map(this::convertToCaData).toList();
+        }
+        return List.of();
     }
 
     @Override
@@ -91,14 +91,13 @@ public Optional<CertificateAuthorityData> findSmallestIntermediateCa(X500Princip
     @Override
     public Collection<ManagedCertificateAuthorityData> findManagedCasEligibleForKeyRevocation() {
         return entityManager.createQuery(
-                "FROM ManagedCertificateAuthority ca " +
-                    "WHERE EXISTS (FROM ca.keyPairs kp WHERE kp.status = :old)",
-                ManagedCertificateAuthority.class
-            )
-            .setParameter("old", KeyPairStatus.OLD)
-            .getResultStream()
-            .map(ManagedCertificateAuthority::toData)
-            .collect(Collectors.toList());
+                        "FROM ManagedCertificateAuthority ca " +
+                                "WHERE EXISTS (FROM ca.keyPairs kp WHERE kp.status = :old)",
+                        ManagedCertificateAuthority.class
+                )
+                .setParameter("old", KeyPairStatus.OLD)
+                .getResultStream()
+                .map(ManagedCertificateAuthority::toData).toList();
     }
 
     @Override
@@ -124,8 +123,7 @@ public Collection<ManagedCertificateAuthorityData> findManagedCasEligibleForKeyR
             .setParameter("maxKpAge", oldestKpCreationTime);
         batchSize.ifPresent(query::setMaxResults);
         return query.getResultStream()
-            .map(ManagedCertificateAuthority::toData)
-            .collect(Collectors.toList());
+                .map(ManagedCertificateAuthority::toData).toList();
     }
 
     @Override
@@ -178,8 +176,8 @@ public List<CertificateAuthorityData> findAllManagedCertificateAuthoritiesWithPe
             .getResultStream();
         return certificateAuthorities
             .sorted(Comparator.comparingInt(CertificateAuthority::depth))
-            .map(ManagedCertificateAuthority::toData)
-            .collect(Collectors.toList());
+            .map((x) -> (CertificateAuthorityData) x.toData())
+            .toList();
     }
 
     private CertificateAuthorityData convertToCaData(CertificateAuthority ca) {