Merge pull request #205 from iExecBlockchainComputing/release/8.3.0

Release/8.3.0

CHANGELOG.md

@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file.
 
+## [[8.3.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.3.0) 2023-09-28
+
+### Bug Fixes
+- Fix and harmonize `Dockerfile entrypoint` in all Spring Boot applications. (#194)
+- Check authorization before working with web2 or web3 secrets. (#200)
+### Quality
+- Upgrade to Gradle 8.2.1 with up-to-date plugins. (#193)
+- Use `JpaRepository` in all repository classes for improved features. (#195)
+- Remove session display option to prevent information leaks. (#197)
+- Immutable classes for TEE enclaves and sessions manipulations. (#198)
+- Immutable `TeeAppProperties` class with `@Builder` pattern. (#201)
+- Fix Scone generated sessions permissions. (#202)
+- Remove `VersionService#isSnapshot`. (#204)
+### Dependency Upgrades
+- Upgrade to `eclipse-temurin` 11.0.20. (#191)
+- Upgrade to Spring Boot 2.7.14. (#192)
+- Upgrade to Spring Dependency Management Plugin 1.1.3. (#192)
+- Upgrade to `H2` 2.2.222. (#196)
+- Upgrade to `jenkins-library` 2.7.3. (#199)
+- Upgrade to `iexec-common` 8.3.0. (#203)
+- Upgrade to `iexec-common-poco` 3.1.0. (#203)
+
 ## [[8.2.0]](https://github.com/iExecBlockchainComputing/iexec-sms/releases/tag/v8.2.0) 2023-08-11
 
 ### New Features

Dockerfile

@@ -1,4 +1,4 @@
-FROM openjdk:11.0.16-jre-slim
+FROM eclipse-temurin:11.0.20_8-jre-focal
 
 ARG jar
 
@@ -12,4 +12,4 @@ COPY $jar /app/iexec-sms.jar
 
 COPY src/main/resources/ssl-keystore-dev.p12 /app/ssl-keystore-dev.p12
 
-ENTRYPOINT [ "/bin/sh", "-c", "java -jar /app/iexec-sms.jar" ]
+ENTRYPOINT [ "java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/app/iexec-sms.jar" ]

Jenkinsfile

@@ -1,4 +1,4 @@
-@Library('global-jenkins-library@2.6.0') _
+@Library('global-jenkins-library@2.7.3') _
 
 String repositoryName = 'iexec-sms'
 
@@ -21,11 +21,7 @@ buildJavaProject(
         shouldPublishJars: true,
         shouldPublishDockerImages: true,
         dockerfileDir: '.',
-        buildContext: '.',
-        preDevelopVisibility: 'iex.ec',
-        developVisibility: 'iex.ec',
-        preProductionVisibility: 'docker.io',
-        productionVisibility: 'docker.io')
+        buildContext: '.')
 
 // BUILD_TEE parameter only exists if addParameters is true
 // If BUILD_TEE is false, TEE builds won't be executed and we return here

README.md

@@ -59,7 +59,6 @@ To support:
 | `IEXEC_BLOCK_TIME` | Duration between consecutive blocks on the blockchain network. | String | `PT5S` | `PT5S` |
 | `IEXEC_GAS_PRICE_MULTIPLIER` | Transactions will be sent with `networkGasPrice * IEXEC_GAS_PRICE_MULTIPLIER`. | Float | `1.0` | `1.0` |
 | `IEXEC_GAS_PRICE_CAP` | In Wei, will be used for transactions if `networkGasPrice * IEXEC_GAS_PRICE_MULTIPLIER > IEXEC_GAS_PRICE_CAP`. | Integer | `22000000000` | `22000000000` |
-| `IEXEC_SMS_DISPLAY_DEBUG_SESSION` | Whether to display TEE enclaves sessions configuration in SMS logs. | Boolean | `false` | `false` |
 | `IEXEC_SECRET_PROVISIONER_WEB_HOSTNAME` | Secret provisioner server host for session management. Used to post sessions of secrets. | String | `localhost` | `localhost` |
 | `IEXEC_SECRET_PROVISIONER_WEB_PORT` | Secret provisioner server port for session management. | Positive integer | `8081` | `8080` |
 | `IEXEC_SECRET_PROVISIONER_ENCLAVE_HOSTNAME` | Secret provisioner server host for retrieving secrets from attested enclaves. Typically used by workers to execute TEE tasks. | Positive integer | `localhost` | `localhost` |

build.gradle

@@ -1,10 +1,10 @@
 plugins {
     id 'java'
-    id 'io.freefair.lombok' version '6.6.1'
-    id 'org.springframework.boot' version '2.6.14'
-    id 'io.spring.dependency-management' version '1.1.0'
+    id 'io.freefair.lombok' version '8.2.2'
+    id 'org.springframework.boot' version '2.7.14'
+    id 'io.spring.dependency-management' version '1.1.3'
     id 'jacoco'
-    id 'org.sonarqube' version '3.3'
+    id 'org.sonarqube' version '4.2.1.3168'
     id 'maven-publish'
 }
 
@@ -42,6 +42,17 @@ allprojects {
     }
 }
 
+sourceSets {
+    integrationTest {
+        java {
+            compileClasspath += sourceSets.main.output
+            runtimeClasspath += sourceSets.main.output
+            srcDir 'src/itest/java'
+        }
+        resources.srcDir 'src/itest/resources'
+    }
+}
+
 configurations {
     integrationTestImplementation.extendsFrom testImplementation
     integrationTestRuntimeOnly.extendsFrom runtimeOnly
@@ -60,47 +71,29 @@ dependencies {
     implementation 'org.springframework.retry:spring-retry'
     // H2
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-    runtimeOnly 'com.h2database:h2:1.4.200'
+    runtimeOnly 'com.h2database:h2:2.2.222'
 
     // Spring Doc
     implementation 'org.springdoc:springdoc-openapi-ui:1.6.3'
 
     //ssl
     implementation 'org.apache.httpcomponents:httpclient'
 
-    // Web3j issues, see core build.gradle
-    // NoSuchMethodError: 'okhttp3.RequestBody okhttp3.RequestBody.create(java.lang.String, okhttp3.MediaType)'
-    // Spring Boot dependencies BOM enforces okhttp3 3.14.9 in 2.6.X
-    // It is required to define the dependency version required by web3j until migration to at least Spring Boot 2.7.X
-    implementation 'com.squareup.okhttp3:okhttp:4.9.0' // Web3j issue: https://github.com/web3j/web3j/issues/1180
-
     // observability
     runtimeOnly 'io.micrometer:micrometer-registry-prometheus'
 
-    // test
-    testImplementation('org.springframework.boot:spring-boot-starter-test') {
-        exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
-    }
-
     // feign
     implementation "io.github.openfeign:feign-jackson:$openFeignVersion"
     implementation "io.github.openfeign:feign-slf4j:$openFeignVersion"
 
+    // test
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testRuntimeOnly("org.junit.platform:junit-platform-launcher")
+
     // awaitility
     testImplementation 'org.awaitility:awaitility'
 }
 
-sourceSets {
-    integrationTest {
-        java {
-            compileClasspath += sourceSets.main.output
-            runtimeClasspath += sourceSets.main.output
-            srcDir 'src/itest/java'
-        }
-        resources.srcDir 'src/itest/resources'
-    }
-}
-
 springBoot {
     buildInfo()
 }
@@ -116,7 +109,7 @@ test {
     useJUnitPlatform()
 }
 
-task itest(type:Test) {
+tasks.register('itest', Test) {
     group       'Verification'
     description 'Runs the integration tests.'
     testClassesDirs = sourceSets.integrationTest.output.classesDirs
@@ -125,9 +118,6 @@ task itest(type:Test) {
     useJUnitPlatform()
 }
 
-jacoco {
-    toolVersion = '0.8.7'
-}
 // sonarqube code coverage requires jacoco XML report
 jacocoTestReport {
     reports {
@@ -159,7 +149,7 @@ ext.jarPathForOCI  = relativePath(tasks.bootJar.outputs.files.singleFile)
 ext.gitShortCommit = 'git rev-parse --short=8 HEAD'.execute().text.trim()
 ext.ociImageName   = 'local/' + ['bash', '-c', 'basename $(git config --get remote.origin.url) .git'].execute().text.trim()
 
-task buildImage(type: Exec) {
+tasks.register('buildImage', Exec) {
     group       'Build'
     description 'Builds an OCI image from a Dockerfile.'
     dependsOn   bootJar
@@ -173,7 +163,7 @@ task buildImage(type: Exec) {
     }
 }
 
-task buildSconeImage(type: Exec) {
+tasks.register('buildSconeImage', Exec) {
     group       "Build"
     description "Build an OCI image compatible with scontain TEE framework"
     dependsOn   buildImage

docker/sconify.args

@@ -3,7 +3,7 @@
 --base=${IMG_FROM} \
 --from=${IMG_FROM} \
 --to=${IMG_TO} \
---binary=/usr/local/openjdk-11/bin/java \
+--binary=/opt/java/openjdk/bin/java \
 --heap="8G" \
 --stack="8M" \
 --binary-fs \

gradle.properties

@@ -1,6 +1,6 @@
-version=8.2.0
-iexecCommonVersion=8.2.1
-iexecCommonsPocoVersion=3.0.5
+version=8.3.0
+iexecCommonVersion=8.3.0
+iexecCommonsPocoVersion=3.1.0
 
 nexusUser
 nexusPassword

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
 networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradlew

@@ -85,9 +85,6 @@ done
 APP_BASE_NAME=${0##*/}
 APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
 
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
-
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
 
@@ -133,26 +130,29 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
         # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045 
+        # shellcheck disable=SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
         # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045 
+        # shellcheck disable=SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -197,6 +197,10 @@ if "$cygwin" || "$msys" ; then
     done
 fi
 
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
 # Collect all arguments for the java command;
 #   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
 #     shell script including quotes and variable substitutions, so put them in

iexec-sms-library/build.gradle

@@ -10,6 +10,7 @@ dependencies {
     implementation "com.iexec.common:iexec-common:$iexecCommonVersion"
     testImplementation "org.assertj:assertj-core:3.22.0"
     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
+    testRuntimeOnly("org.junit.platform:junit-platform-launcher")
     testImplementation 'org.mockito:mockito-junit-jupiter:4.7.0'
 }
 
@@ -22,9 +23,6 @@ test {
     useJUnitPlatform()
 }
 
-jacoco {
-    toolVersion = "0.8.7"
-}
 // sonarqube code coverage requires jacoco XML report
 jacocoTestReport {
     reports {

iexec-sms-library/src/main/java/com/iexec/sms/api/config/TeeAppProperties.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 IEXEC BLOCKCHAIN TECH
+ * Copyright 2022-2023 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,19 +16,23 @@
 
 package com.iexec.sms.api.config;
 
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import lombok.NoArgsConstructor;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
+import lombok.Builder;
+import lombok.Value;
 
-@Getter
-@NoArgsConstructor
-@AllArgsConstructor
+@Value
+@Builder
+@JsonDeserialize(builder = TeeAppProperties.TeeAppPropertiesBuilder.class)
 public class TeeAppProperties {
-    private String image;
-    private String fingerprint;
-    private String entrypoint;
+    String image;
+    String fingerprint;
+    String entrypoint;
     /**
      * Represents the app heap size, in bytes.
      */
-    private long heapSizeInBytes;
+    long heapSizeInBytes;
+
+    @JsonPOJOBuilder(withPrefix = "")
+    public static class TeeAppPropertiesBuilder{}
 }

src/itest/java/com/iexec/sms/MockTeeConfiguration.java

@@ -1,9 +1,7 @@
 package com.iexec.sms;
 
-import com.iexec.sms.api.config.TeeAppProperties;
 import com.iexec.sms.api.config.TeeServicesProperties;
 import com.iexec.sms.tee.session.generic.TeeSessionHandler;
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
@@ -19,10 +17,4 @@ public class MockTeeConfiguration {
     private TeeSessionHandler teeSessionHandler;
     @MockBean
     private TeeServicesProperties teeServicesProperties;
-    @MockBean
-    @Qualifier("preComputeProperties")
-    private TeeAppProperties preComputeProperties;
-    @MockBean
-    @Qualifier("postComputeProperties")
-    private TeeAppProperties postComputeProperties;
 }

src/main/java/com/iexec/sms/config/OpenApiConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 IEXEC BLOCKCHAIN TECH
+ * Copyright 2020-2023 IEXEC BLOCKCHAIN TECH
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
 
 package com.iexec.sms.config;
 
-import com.iexec.sms.utils.version.VersionService;
+import com.iexec.sms.version.VersionService;
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.info.Info;
 import org.springframework.context.annotation.Bean;
@@ -41,4 +41,4 @@ public OpenAPI api() {
                         .title("iExec SMS")
                         .version(versionService.getVersion())
         );
-    }}
+    }}

src/main/java/com/iexec/sms/secret/Secret.java

@@ -28,7 +28,7 @@
 @Getter
 @NoArgsConstructor(access = AccessLevel.PROTECTED)
 public abstract class Secret {
-    @Column(columnDefinition = "LONGTEXT")
+    @Column(length = SecretUtils.SECRET_MAX_SIZE * 2)
     private String value;
 
     /**