Merge pull request #750 from catenax-ng/chore/TRACEFOSS-XXX-fix-mediu…

…m-findings

chore: TRACEFOSS-XXX update SecurityConfig to not use deprecated methods

.github/workflows/helm-test.yaml

@@ -71,7 +71,7 @@ jobs:
           version: v3.9.3
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.1
 
       - name: Run chart-testing (list-changed)
         id: list-changed

CHANGELOG.md

@@ -20,6 +20,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - Frontend adapt to backend api changes for activeAlerts and activeInvestigations
 - Reconfigured all docker images user settings
 - Adapted memory / cpu requests and limits in default values helm file
+- Migrate to not deprecated methods in HTTP security
 
 ### Removed
 

charts/traceability-foss/charts/frontend/values.yaml

@@ -60,23 +60,16 @@ serviceAccount:
 
 podAnnotations: { }
 
-podSecurityContext:
-  runAsUser: 10001
-  seccompProfile:
-    type: RuntimeDefault
+podSecurityContext: { }
 # fsGroup: 2000
 
 # Following Catena-X Helm Best Practices @url: https://catenax-ng.github.io/docs/kubernetes-basics/helm
 # @url: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 securityContext:
   allowPrivilegeEscalation: false
   runAsNonRoot: true
-  runAsUser: 10001
-  runAsGroup: 3000
-  capabilities:
-    drop:
-      - ALL
-  readOnlyRootFilesystem: false
+  runAsUser: 101
+  # runAsGroup: 3000
 
 service:
   type: ClusterIP

charts/traceability-foss/values.yaml

@@ -78,22 +78,16 @@ frontend:
 
   podAnnotations: {}
 
-  podSecurityContext:
-    runAsUser: 10001
-    seccompProfile:
-      type: RuntimeDefault
+  podSecurityContext: {}
+  # fsGroup: 2000
 
   # Following Catena-X Helm Best Practices @url: https://catenax-ng.github.io/docs/kubernetes-basics/helm
   # @url: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
   securityContext:
     allowPrivilegeEscalation: false
     runAsNonRoot: true
-    runAsUser: 10001
-    runAsGroup: 3000
-    capabilities:
-      drop:
-        - ALL
-    readOnlyRootFilesystem: false
+    runAsUser: 101
+    # runAsGroup: 3000
 
   service:
     type: ClusterIP

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/domain/base/AssetRepository.java

@@ -34,7 +34,7 @@ public interface AssetRepository {
 
     List<AssetBase> getAssetsById(List<String> assetIds);
 
-    AssetBase getAssetByChildId(String assetId, String childId);
+    AssetBase getAssetByChildId(String childId);
 
     PageResult<AssetBase> getAssets(Pageable pageable, SearchCriteria searchCriteria);
 

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/domain/base/service/AbstractAssetBaseService.java

@@ -143,7 +143,7 @@ public List<AssetBase> getAssetsById(List<String> assetIds) {
 
     @Override
     public AssetBase getAssetByChildId(String assetId, String childId) {
-        return getAssetRepository().getAssetByChildId(assetId, childId);
+        return getAssetRepository().getAssetByChildId(childId);
     }
 
     @Override

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/infrastructure/asbuilt/repository/AssetAsBuiltRepositoryImpl.java

@@ -72,7 +72,7 @@ public List<AssetBase> getAssetsById(List<String> assetIds) {
     }
 
     @Override
-    public AssetBase getAssetByChildId(String assetId, String childId) {
+    public AssetBase getAssetByChildId(String childId) {
         return jpaAssetAsBuiltRepository.findById(childId)
                 .map(AssetAsBuiltEntity::toDomain)
                 .orElseThrow(() -> new AssetNotFoundException("Child Asset Not Found"));

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/infrastructure/asplanned/repository/AssetAsPlannedRepositoryImpl.java

@@ -68,7 +68,7 @@ public List<AssetBase> getAssetsById(List<String> assetIds) {
     }
 
     @Override
-    public AssetBase getAssetByChildId(String assetId, String childId) {
+    public AssetBase getAssetByChildId(String childId) {
         return jpaAssetAsPlannedRepository.findById(childId).map(AssetAsPlannedEntity::toDomain)
                 .orElseThrow(() -> new AssetNotFoundException("Child Asset Not Found"));
     }

tx-backend/src/main/java/org/eclipse/tractusx/traceability/common/config/SecurityConfig.java

@@ -26,8 +26,10 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
@@ -67,12 +69,12 @@ public class SecurityConfig {
     @Bean
     SecurityFilterChain securityFilterChain(final HttpSecurity httpSecurity) throws Exception {
 
-        httpSecurity.httpBasic().disable();
-        httpSecurity.formLogin().disable();
-        httpSecurity.logout().disable();
-        httpSecurity.anonymous().disable();
-        httpSecurity.csrf().disable();
-        httpSecurity.cors();
+        httpSecurity.httpBasic(AbstractHttpConfigurer::disable);
+        httpSecurity.formLogin(AbstractHttpConfigurer::disable);
+        httpSecurity.logout(AbstractHttpConfigurer::disable);
+        httpSecurity.anonymous(AbstractHttpConfigurer::disable);
+        httpSecurity.csrf(AbstractHttpConfigurer::disable);
+        httpSecurity.cors(Customizer.withDefaults());
 
 
         httpSecurity.authorizeHttpRequests(auth -> auth
@@ -81,10 +83,10 @@ SecurityFilterChain securityFilterChain(final HttpSecurity httpSecurity) throws
                 .anyRequest()
                 .authenticated());
 
-        httpSecurity.oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer.jwt()
-                        .jwtAuthenticationConverter(
-                                new JwtAuthenticationTokenConverter(resourceClient)))
-                .oauth2Client();
+        httpSecurity.oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer.jwt((jwt) -> jwt.jwtAuthenticationConverter(
+                        new JwtAuthenticationTokenConverter(resourceClient)))
+                )
+                .oauth2Client(Customizer.withDefaults());
 
         return httpSecurity.build();
     }