WIP: Actuator Endpoints Sanitization report section

Author: fabapp2

components/sbm-recipes-boot-upgrade/src/main/java/org/springframework/sbm/boot/upgrade_27_30/report/helper/ActuatorEndpointsSanitizationHelper.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2021 - 2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.sbm.boot.upgrade_27_30.report.helper;
+import org.springframework.sbm.boot.common.conditions.IsSpringBootProject;
+import org.springframework.sbm.boot.upgrade_27_30.report.SpringBootUpgradeReportSection;
+import org.springframework.sbm.build.api.BuildFile;
+import org.springframework.sbm.build.api.Module;
+import org.springframework.sbm.engine.context.ProjectContext;
+
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+/**
+ * @author Fabian Krüger
+ */
+public class ActuatorEndpointsSanitizationHelper extends SpringBootUpgradeReportSection.AbstractHelper<List<BuildFile>> {
+
+    private static final String ACTUATOR_GROUP_ID = "org.springframework.boot";
+    private static final String ACTUATOR_ARTIFACT_ID = "spring-boot-actuator";
+    private List<BuildFile> buildFilesWithActuatorOnClasspath;
+
+    @Override
+    public boolean evaluate(ProjectContext context) {
+        IsSpringBootProject isSpringBootProjectCondition = new IsSpringBootProject();
+        isSpringBootProjectCondition.setVersionPattern("3\\.0\\..*");
+        boolean isSpringBoot3Application = isSpringBootProjectCondition.evaluate(context);
+        if(! isSpringBoot3Application) {
+            return false;
+        }
+        buildFilesWithActuatorOnClasspath = getActuatorDependency(context);
+        return ! buildFilesWithActuatorOnClasspath.isEmpty();
+    }
+
+    private List<BuildFile> getActuatorDependency(ProjectContext context) {
+        return context.getApplicationModules().stream()
+                .map(Module::getBuildFile)
+                .filter(b -> b.getEffectiveDependencies().stream().anyMatch(d -> d.getGroupId().equals(ACTUATOR_GROUP_ID) && d.getArtifactId().equals(ACTUATOR_ARTIFACT_ID)))
+                .collect(Collectors.toList());
+    }
+
+    @Override
+    public Map<String, List<BuildFile>> getData() {
+        return Map.of("matchingBuildFiles", buildFilesWithActuatorOnClasspath);
+    }
+}

components/sbm-recipes-boot-upgrade/src/main/resources/recipes/27_30/report/sbu30-report.yaml

@@ -132,6 +132,34 @@
             - "Fabian Krüger[@fabapp2]"
 
 
+        - title: Actuator Endpoints Sanitization
+          helper: org.springframework.sbm.boot.upgrade_27_30.report.helper.ActuatorEndpointsSanitizationHelper
+          change: |-
+            Since, the `/env` and `/configprops` endpoints can contains sensitive values, all values are always masked by default.
+            This used to be case only for keys considered to be sensitive.
+            
+            Instead, this release opts for a more secure default.
+            The keys-based approach has been removed in favor of a role based approach, similar to the health endpoint details.
+            Whether unsanitized values are shown or not can be configured using a property which can have the following values:
+          
+            - `NEVER` - All values are sanitized.
+            - `ALWAYS` - All values are present in the output (sanitizing functions will apply).
+            - `WHEN_AUTHORIZED` - Values are present in the output only if a user is authorized (sanitizing functions will apply).
+            
+            For JMX, users are always considered to be authorized. For HTTP, users are considered to be authorized if they are authenticated and have the specified roles.
+            
+            Sanitization for the QuartzEndpoint is also configurable in the same way.
+          affected:
+            The scan found a dependency to actuator on the classpath. The Actuator endpoint sanitization changed in Spring Boot 3.0.0.
+            Because Spring Boot Migrator can't tell if the now sanitized properties are required in plain-text, the default in 2.7 will be reset. This means the application does not benefit from the new and more secure configuration in Spring Boot 3.0.0.
+            We strongly recommend you adjust this configuration to your needs.
+          remediation: |-
+            consult the documentation {Link to relevant section(s) in M5 and current reference}
+            configure Actuator endpoint sanitization to your needs by adjusting management.endpoint.configprops.show-values, management.endpoint.env.show-values and management.endpoint.quartz.show-values.
+          githubIssue: 445
+          contributors:
+            - "Fabian Krüger[@fabapp2]"
+
         - title: Changes to Data Properties
           helper: org.springframework.sbm.boot.upgrade_27_30.report.helper.ChangesToDataPropertiesHelper
           change: |-

components/sbm-recipes-boot-upgrade/src/test/java/org/springframework/sbm/boot/upgrade_27_30/report/helper/ActuatorEndpointsSanitizationHelperTest.java

@@ -0,0 +1,64 @@
+package org.springframework.sbm.boot.upgrade_27_30.report.helper;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.springframework.sbm.build.util.PomBuilder;
+import org.springframework.sbm.engine.context.ProjectContext;
+import org.springframework.sbm.project.resource.TestProjectContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * @author Fabian Krüger
+ */
+class ActuatorEndpointsSanitizationHelperTest {
+
+    @Test
+    void withSingleModuleApplication() {
+        ProjectContext context = TestProjectContext
+                .buildProjectContext()
+                .withSpringBootParentOf("3.0.0")
+                .withBuildFileHavingDependencies("org.springframework.boot:spring-boot-actuator")
+                .build();
+
+        ActuatorEndpointsSanitizationHelper sut = new ActuatorEndpointsSanitizationHelper();
+        assertThat(sut.evaluate(context)).isTrue();
+        assertThat(sut.getData()).hasSize(1);
+        assertThat(sut.getData().get("matchingBuildFile")).containsExactly(context.getApplicationModules().getRootModule().getBuildFile());
+    }
+
+    @Test
+    void withMultiModuleApplication() {
+        String parentPom = PomBuilder
+                .buildParentPom("org.springframework.boot:spring-boot-starter-parent:3.0.0", "com.example:parent:1.0")
+                .withModules("moduleA", "moduleB", "moduleC")
+                .build();
+        String moduleA = PomBuilder
+                .buildPom("com.example:parent:1.0", "moduleA")
+                .compileScopeDependencies("com.example:moduleC")
+                .build();
+        String moduleB = PomBuilder
+                .buildPom("com.example:parent:1.0", "moduleB")
+                .compileScopeDependencies("com.example:moduleC")
+                .build();
+        String moduleC = PomBuilder
+                .buildPom("com.example:parent:1.0", "moduleC")
+                .compileScopeDependencies("org.springframework.boot:spring-boot-actuator")
+                .build();
+
+        ProjectContext context = TestProjectContext
+                .buildProjectContext()
+                .withMavenRootBuildFileSource(parentPom)
+                .withMavenBuildFileSource("moduleA", moduleA)
+                .withMavenBuildFileSource("moduleB", moduleB)
+                .withMavenBuildFileSource("moduleC", moduleC)
+                .build();
+
+        ActuatorEndpointsSanitizationHelper sut = new ActuatorEndpointsSanitizationHelper();
+        assertThat(sut.evaluate(context)).isTrue();
+        assertThat(sut.getData()).hasSize(3);
+    }
+
+}