Merge branch 'master' into fix/MNT-23960_add-notosans-and-font-options

Alfresco · Feb 2, 2024 · 68f0b36 · 68f0b36
2 parents 901abd2 + bb5d861
commit 68f0b36
Show file tree

Hide file tree

Showing 24 changed files with 573 additions and 190 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -35,7 +35,7 @@ env:
   GITHUB_ACTIONS_DEPLOY_TIMEOUT: 60
 
 jobs:
-  veracode:
+  veracode_sca:
     name: "Veracode - Source Clear Scan (SCA)"
     runs-on: ubuntu-latest
     if: >
@@ -52,6 +52,62 @@ jobs:
         with:
           srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
 
+  veracode_sast:
+    name: "Pipeline SAST Scan"
+    runs-on: ubuntu-latest
+    if: >
+      (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') &&
+      github.actor != 'dependabot[bot]' &&
+      !contains(github.event.head_commit.message, '[skip tests]')
+    steps:
+      - uses: actions/checkout@v3
+      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
+      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
+      - name: "Login to Docker Hub"
+        uses: docker/[email protected]
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: "Login to Quay.io"
+        uses: docker/[email protected]
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
+        with:
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          repository: "Alfresco/veracode-baseline-archive"
+          file-path: "alfresco-transform-core/alfresco-transform-core-baseline.json"
+          target: "baseline.json"
+      - name: "Build"
+        run: mvn -B -U install -DskipTests
+      - name: "Create zip"
+        run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar
+      - name: "Run SAST Scan"
+        uses: veracode/[email protected]
+        with:
+          vid: ${{ secrets.VERACODE_API_ID }}
+          vkey: ${{ secrets.VERACODE_API_KEY }}
+          file: "to-scan.zip"
+          fail_build: true
+          project_name: alfresco-transform-core
+          issue_details: true
+          veracode_policy_name: Alfresco Default
+          summary_output: true
+          summary_output_file: results.json
+          summary_display: true
+          baseline_file: baseline.json
+      - name: Upload scan result
+        if: success() || failure()
+        run: zip readable_output.zip results.json
+      - name: Upload Artifact
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: Veracode Pipeline-Scan Results (Human Readable)
+          path: readable_output.zip
+
   build_and_test:
     name: "Core & Base Snapshot deployment"
     runs-on: ubuntu-latest
@@ -146,7 +202,7 @@ jobs:
   release:
     name: "Release"
     runs-on: ubuntu-latest
-    needs: [veracode, build_and_test, all_tests_matrix]
+    needs: [veracode_sca, build_and_test, all_tests_matrix]
     if: >
       !(failure() || cancelled()) &&
       contains(github.event.head_commit.message, '[release]') &&

diff --git a/deprecated/alfresco-transformer-base/pom.xml b/deprecated/alfresco-transformer-base/pom.xml
@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-transform-core</artifactId>
-        <version>5.0.1-A2-SNAPSHOT</version>
+        <version>5.0.2-A5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

diff --git a/engines/aio/Dockerfile b/engines/aio/Dockerfile
@@ -17,7 +17,7 @@ ENV IMAGEMAGICK_DEP_RPM_URL=https://dl.fedoraproject.org/pub/epel/epel-release-l
 
 ARG LIBREOFFICE_VERSION=7.2.5
 ENV LIBREOFFICE_RPM_URL=https://nexus.alfresco.com/nexus/service/local/repositories/thirdparty/content/org/libreoffice/libreoffice-dist/${LIBREOFFICE_VERSION}/libreoffice-dist-${LIBREOFFICE_VERSION}-linux.gz
-ENV LIBREOFFICE_ARM64_RPM_URL=https://dl.rockylinux.org/pub/rocky/8/Devel/aarch64/os/Packages/l/libreoffice-6.4.7.2-13.el8.aarch64.rpm
+ENV LIBREOFFICE_ARM64_RPM_URL=https://dl.rockylinux.org/pub/rocky/8/Devel/aarch64/os/Packages/l/libreoffice-6.4.7.2-15.el8.aarch64.rpm
 
 ARG PDF_RENDERER_VERSION=1.2
 ENV ALFRESCO_PDF_RENDERER_LIB_RPM_URL=https://nexus.alfresco.com/nexus/service/local/repositories/releases/content/org/alfresco/alfresco-pdf-renderer/${PDF_RENDERER_VERSION}/alfresco-pdf-renderer-${PDF_RENDERER_VERSION}-linux.tgz

diff --git a/engines/aio/pom.xml b/engines/aio/pom.xml
@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-transform-core</artifactId>
-        <version>5.0.1-A2-SNAPSHOT</version>
+        <version>5.0.2-A5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
@@ -132,6 +132,11 @@
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>testcontainers</artifactId>
+            <scope>test</scope>
+        </dependency>
      </dependencies>
 
     <build>
@@ -140,7 +145,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-dependency-plugin</artifactId>
-                <version>3.6.0</version>
+                <version>3.6.1</version>
                 <configuration>
                     <includeGroupIds>${project.groupId}</includeGroupIds>
                     <includeArtifactIds>alfresco-transform-imagemagick,alfresco-transform-libreoffice,alfresco-transform-misc,alfresco-transform-pdf-renderer,alfresco-transform-tika</includeArtifactIds>

diff --git a/engines/aio/src/test/java/org/alfresco/transform/aio/AIOLivenessReadinessProbeIT.java b/engines/aio/src/test/java/org/alfresco/transform/aio/AIOLivenessReadinessProbeIT.java
@@ -0,0 +1,37 @@
+/*
+ * #%L
+ * Alfresco Transform Core
+ * %%
+ * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * -
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ * -
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * -
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * -
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+
+package org.alfresco.transform.aio;
+
+import org.alfresco.transform.base.LivenessReadinessProbeTest;
+
+public class AIOLivenessReadinessProbeIT extends LivenessReadinessProbeTest {
+    @Override
+    protected LivenessReadinessProbeTest.ImagesForTests getImageForTest() {
+        return new ImagesForTests("alfresco-transform-core-aio", "text/plain", "text/plain", "original.txt");
+    }
+}
diff --git a/engines/base/pom.xml b/engines/base/pom.xml
@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-transform-core</artifactId>
-        <version>5.0.1-A2-SNAPSHOT</version>
+        <version>5.0.2-A5-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
@@ -35,6 +35,16 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-webflux</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-starter-reactor-netty</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-reactive-httpclient</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.retry</groupId>
@@ -97,6 +107,11 @@
             <version>4.2.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>testcontainers</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/engines/base/src/main/java/org/alfresco/transform/base/config/MTLSConfig.java b/engines/base/src/main/java/org/alfresco/transform/base/config/MTLSConfig.java
@@ -26,8 +26,6 @@
  */
 package org.alfresco.transform.base.config;
 
-import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.SslContextBuilder;
 import org.alfresco.transform.base.WebClientBuilderAdjuster;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
@@ -41,21 +39,19 @@
 import org.apache.hc.core5.http.config.RegistryBuilder;
 import org.apache.hc.core5.http.ssl.TLS;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
+import org.eclipse.jetty.client.HttpClient;
+import org.eclipse.jetty.client.transport.HttpClientTransportDynamic;
+import org.eclipse.jetty.io.ClientConnector;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
 import org.springframework.http.client.ClientHttpRequestFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
-import org.springframework.http.client.reactive.ReactorClientHttpConnector;
+import org.springframework.http.client.reactive.JettyClientHttpConnector;
 import org.springframework.web.client.RestTemplate;
-import reactor.netty.http.client.HttpClient;
 
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLParameters;
-import javax.net.ssl.TrustManagerFactory;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyManagementException;
@@ -90,35 +86,33 @@ public class MTLSConfig {
     private boolean hostNameVerificationDisabled;
 
     @Bean
-    public WebClientBuilderAdjuster webClientBuilderAdjuster(SslContextBuilder nettySslContextBuilder)
+    public WebClientBuilderAdjuster webClientBuilderAdjuster(SslContextFactory.Client sslContextFactory)
     {
         return builder -> {
             if(isTlsOrMtlsConfigured())
             {
-                HttpClient httpClientWithSslContext = null;
-                try {
-                    httpClientWithSslContext = createHttpClientWithSslContext(nettySslContextBuilder);
-                } catch (SSLException e) {
-                    throw new RuntimeException(e);
-                }
-                builder.clientConnector(new ReactorClientHttpConnector(httpClientWithSslContext));
+                ClientConnector clientConnector = new ClientConnector();
+                clientConnector.setSslContextFactory(sslContextFactory);
+                HttpClient httpClientWithSslContext = new HttpClient(new HttpClientTransportDynamic(clientConnector));
+
+                builder.clientConnector(new JettyClientHttpConnector(httpClientWithSslContext));
             }
         };
     }
 
     @Bean
-    public RestTemplate restTemplate(SSLContextBuilder apacheSSLContextBuilder) throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, UnrecoverableKeyException
+    public RestTemplate restTemplate(SSLContextBuilder sslContextBuilder) throws NoSuchAlgorithmException, KeyManagementException
     {
         if(isTlsOrMtlsConfigured())
         {
-            return createRestTemplateWithSslContext(apacheSSLContextBuilder);
+            return createRestTemplateWithSslContext(sslContextBuilder);
         } else {
             return new RestTemplate();
         }
     }
 
     @Bean
-    public SSLContextBuilder apacheSSLContextBuilder() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
+    public SSLContextBuilder sslContextBuilder() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
         SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
         if(isKeystoreConfigured())
         {
@@ -136,21 +130,15 @@ public SSLContextBuilder apacheSSLContextBuilder() throws CertificateException,
     }
 
     @Bean
-    public SslContextBuilder nettySslContextBuilder() throws UnrecoverableKeyException, CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
-        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
-        if(isKeystoreConfigured())
-        {
-            KeyManagerFactory keyManagerFactory = initKeyManagerFactory();
-            sslContextBuilder.keyManager(keyManagerFactory);
-        }
-
-        if(isTruststoreConfigured())
-        {
-            TrustManagerFactory trustManagerFactory = initTrustManagerFactory();
-            sslContextBuilder.trustManager(trustManagerFactory);
-        }
+    public SslContextFactory.Client sslContextFactory(SSLContextBuilder sslContextBuilder) throws NoSuchAlgorithmException, KeyManagementException
+    {
+        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
+        sslContextFactory.setSslContext(sslContextBuilder.build());
+        sslContextFactory.setTrustAll(false);
+        sslContextFactory.setEndpointIdentificationAlgorithm(hostNameVerificationDisabled ? "" : "HTTPS");
+        sslContextFactory.setIncludeProtocols(TLS.V_1_2.getId(), TLS.V_1_3.getId());
 
-        return sslContextBuilder;
+        return sslContextFactory;
     }
 
     private boolean isTlsOrMtlsConfigured()
@@ -168,21 +156,6 @@ private boolean isKeystoreConfigured()
         return keyStoreResource != null;
     }
 
-    private HttpClient createHttpClientWithSslContext(SslContextBuilder sslContextBuilder) throws SSLException {
-        SslContext sslContext = sslContextBuilder.build();
-        return HttpClient.create().secure(p -> p.sslContext(sslContext).handlerConfigurator(handler -> {
-            SSLEngine sslEngine = handler.engine();
-            SSLParameters sslParameters = sslEngine.getSSLParameters();
-            if(hostNameVerificationDisabled)
-            {
-                sslParameters.setEndpointIdentificationAlgorithm("");
-            } else {
-                sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
-            }
-            sslEngine.setSSLParameters(sslParameters);
-        }));
-    }
-
     private RestTemplate createRestTemplateWithSslContext(SSLContextBuilder sslContextBuilder) throws NoSuchAlgorithmException, KeyManagementException {
         final SSLConnectionSocketFactoryBuilder sslConnectionSocketFactoryBuilder =
                 SSLConnectionSocketFactoryBuilder.create()
@@ -215,20 +188,4 @@ private KeyStore getKeyStore(String keyStoreType, Resource keyStoreResource, cha
         }
         return keyStore;
     }
-
-    private TrustManagerFactory initTrustManagerFactory() throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException
-    {
-        KeyStore trustStore = getKeyStore(trustStoreType, trustStoreResource, trustStorePassword);
-        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        trustManagerFactory.init(trustStore);
-        return trustManagerFactory;
-    }
-
-    private KeyManagerFactory initKeyManagerFactory() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException
-    {
-        KeyStore clientKeyStore = getKeyStore(keyStoreType, keyStoreResource, keyStorePassword);
-        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-        keyManagerFactory.init(clientKeyStore, keyStorePassword);
-        return keyManagerFactory;
-    }
 }
diff --git a/engines/base/src/main/java/org/alfresco/transform/base/probes/ProbeTransform.java b/engines/base/src/main/java/org/alfresco/transform/base/probes/ProbeTransform.java
@@ -169,6 +169,9 @@ private long getPositiveLongEnv(String name, long defaultValue)
     // We don't want to be doing test transforms every few seconds, but do want frequent live probes.
     public String doTransformOrNothing(boolean isLiveProbe, TransformHandler transformHandler)
     {
+        // If we already decided to die then don't bother with any other checks.
+        checkMaxTransformTimeAndCount(isLiveProbe);
+
         // If not initialised OR it is a live probe and we are scheduled to to do a test transform.
         probeCount++;
         // TODO: update/fix/refactor liveness probes as part of ATS-138
@@ -182,7 +185,8 @@ public String doTransformOrNothing(boolean isLiveProbe, TransformHandler transfo
                || !initialised.get()
                ? doTransform(isLiveProbe, transformHandler)
                : doNothing(isLiveProbe);
-
+
+        // Check if the test transformation was too slow.
         checkMaxTransformTimeAndCount(isLiveProbe);
         return result;
     }