fix(vulnerabilities)/vulnerabilities_fixes_datahub (#8075)

build.gradle

@@ -7,7 +7,6 @@ buildscript {
   ext.springBootVersion = '2.7.11'
   ext.openTelemetryVersion = '1.18.0'
   ext.neo4jVersion = '4.4.9'
-  ext.graphQLJavaVersion = '19.0'
   ext.testContainersVersion = '1.17.4'
   ext.elasticsearchVersion = '7.10.2'
   // TODO: Change to final release version once it's out ETA Mid-April
@@ -92,8 +91,8 @@ project.ext.externalDependency = [
     'elasticSearchRest': 'org.elasticsearch.client:elasticsearch-rest-high-level-client:' + elasticsearchVersion,
     'elasticSearchTransport': 'org.elasticsearch.client:transport:' + elasticsearchVersion,
     'findbugsAnnotations': 'com.google.code.findbugs:annotations:3.0.1',
-    'graphqlJava': 'com.graphql-java:graphql-java:' + graphQLJavaVersion,
-    'graphqlJavaScalars': 'com.graphql-java:graphql-java-extended-scalars:' + graphQLJavaVersion,
+    'graphqlJava': 'com.graphql-java:graphql-java:19.5',
+    'graphqlJavaScalars': 'com.graphql-java:graphql-java-extended-scalars:19.1',
     'gson': 'com.google.code.gson:gson:2.8.9',
     'guice': 'com.google.inject:guice:4.2.3',
     'guava': 'com.google.guava:guava:27.0.1-jre',
@@ -206,7 +205,12 @@ project.ext.externalDependency = [
     'testContainersKafka': 'org.testcontainers:kafka:' + testContainersVersion,
     'typesafeConfig':'com.typesafe:config:1.4.1',
     'wiremock':'com.github.tomakehurst:wiremock:2.10.0',
-    'zookeeper': 'org.apache.zookeeper:zookeeper:3.4.14'
+    'zookeeper': 'org.apache.zookeeper:zookeeper:3.4.14',
+    'wire': 'com.squareup.wire:wire-compiler:3.7.1',
+    'charle':  'com.charleskorn.kaml:kaml:0.53.0',
+    'common': 'commons-io:commons-io:2.7',
+    'jline':'jline:jline:1.4.1',
+    'jetbrains':' org.jetbrains.kotlin:kotlin-stdlib:1.6.0'
 
 ]
 

datahub-frontend/app/controllers/AuthenticationController.java

@@ -49,7 +49,7 @@
 
 // TODO add logging.
 public class AuthenticationController extends Controller {
-
+    public static final String AUTH_VERBOSE_LOGGING = "auth.verbose.logging";
     private static final String AUTH_REDIRECT_URI_PARAM = "redirect_uri";
     private static final String ERROR_MESSAGE_URI_PARAM = "error_msg";
     private static final String SSO_DISABLED_ERROR_MESSAGE = "SSO is not configured";
@@ -60,6 +60,7 @@ public class AuthenticationController extends Controller {
     private final CookieConfigs _cookieConfigs;
     private final JAASConfigs _jaasConfigs;
     private final NativeAuthenticationConfigs _nativeAuthenticationConfigs;
+    private final boolean _verbose;
 
     @Inject
     private org.pac4j.core.config.Config _ssoConfig;
@@ -78,6 +79,7 @@ public AuthenticationController(@Nonnull Config configs) {
         _cookieConfigs = new CookieConfigs(configs);
         _jaasConfigs = new JAASConfigs(configs);
         _nativeAuthenticationConfigs = new NativeAuthenticationConfigs(configs);
+        _verbose = configs.hasPath(AUTH_VERBOSE_LOGGING) && configs.getBoolean(AUTH_VERBOSE_LOGGING);
     }
 
     /**
@@ -282,7 +284,11 @@ private Optional<Result> redirectToIdentityProvider(Http.RequestHeader request,
             final Optional<RedirectionAction> action = client.getRedirectionAction(playWebContext);
             return action.map(act -> new PlayHttpActionAdapter().adapt(act, playWebContext));
         } catch (Exception e) {
-            _logger.error("Caught exception while attempting to redirect to SSO identity provider! It's likely that SSO integration is mis-configured", e);
+            if (_verbose) {
+                _logger.error("Caught exception while attempting to redirect to SSO identity provider! It's likely that SSO integration is mis-configured", e);
+            } else {
+                _logger.error("Caught exception while attempting to redirect to SSO identity provider! It's likely that SSO integration is mis-configured");
+            }
             return Optional.of(Results.redirect(
                 String.format("/login?error_msg=%s",
                 URLEncoder.encode("Failed to redirect to Single Sign-On provider. Please contact your DataHub Administrator, "
@@ -316,7 +322,11 @@ private boolean tryLogin(String username, String password) {
                 _logger.debug("Jaas authentication successful. Login succeeded");
                 loginSucceeded = true;
             } catch (Exception e) {
-                _logger.debug("Jaas authentication error. Login failed", e);
+                if (_verbose) {
+                    _logger.debug("Jaas authentication error. Login failed", e);
+                } else {
+                    _logger.debug("Jaas authentication error. Login failed");
+                }
             }
         }
 

datahub-frontend/app/security/AuthenticationManager.java

@@ -18,8 +18,7 @@
 
 public class AuthenticationManager {
 
-  private AuthenticationManager() {
-
+  private AuthenticationManager(boolean verbose) {
   }
 
   public static void authenticateJaasUser(@Nonnull String userName, @Nonnull String password) throws Exception {
@@ -33,7 +32,9 @@ public static void authenticateJaasUser(@Nonnull String userName, @Nonnull Strin
       LoginContext lc = new LoginContext("WHZ-Authentication", new WHZCallbackHandler(userName, password));
       lc.login();
     } catch (LoginException le) {
-      throw new AuthenticationException(le.toString(), le);
+      AuthenticationException authenticationException = new AuthenticationException(le.getMessage());
+      authenticationException.setRootCause(le);
+      throw authenticationException;
     }
   }
 

datahub-frontend/conf/application.conf

@@ -142,6 +142,13 @@ ui.new.browse.dataset = true
 
 # React App Authentication
 # ~~~~~
+
+#
+# Enable verbose authentication logging
+#
+auth.verbose.logging = false
+auth.verbose.logging = ${?AUTH_VERBOSE_LOGGING}
+
 # React currently supports OIDC SSO + self-configured JAAS for authentication. Below you can find the supported configurations for
 # each mechanism.
 #

datahub-upgrade/build.gradle

@@ -15,6 +15,7 @@ dependencies {
   compile project(':metadata-io')
   compile project(':metadata-service:factories')
   compile project(':metadata-service:restli-client')
+  implementation externalDependency.charle
 
   compile externalDependency.javaxInject
   compile(externalDependency.hadoopClient) {
@@ -23,6 +24,8 @@ dependencies {
     exclude group: "org.apache.htrace", module: "htrace-core4"
     exclude group: "org.eclipse.jetty", module: "jetty-util"
     exclude group: "org.apache.hadoop.thirdparty", module: "hadoop-shaded-protobuf_3_7"
+    exclude group: "com.charleskorn.kaml", module:"kaml"
+
   }
 
   constraints {
@@ -101,3 +104,4 @@ task cleanLocalDockerImages {
   }
 }
 dockerClean.finalizedBy(cleanLocalDockerImages)
+

metadata-service/factories/build.gradle

@@ -46,7 +46,13 @@ dependencies {
   testCompile externalDependency.mockito
   testCompile externalDependency.testng
   testCompile externalDependency.hazelcastTest
+  implementation externalDependency.jline
+  implementation externalDependency.common
+}
 
+configurations.all{
+  exclude group: "commons-io", module:"commons-io"
+  exclude group: "jline", module:"jline"
 }
 
 processResources.configure {

metadata-service/graphql-servlet-impl/build.gradle

@@ -13,6 +13,14 @@ dependencies {
   compile externalDependency.springContext
   implementation externalDependency.slf4jApi
   compileOnly externalDependency.lombok
-
   annotationProcessor externalDependency.lombok
+
+  implementation externalDependency.charle
+  implementation externalDependency.jetbrains
+
+}
+
+configurations.all{
+  exclude group: "com.charleskorn.kaml", module:"kaml"
+  exclude group: " org.jetbrains.kotlin", module:"kotlin-stdlib"
 }

metadata-service/war/build.gradle

@@ -39,8 +39,12 @@ dependencies {
   runtime externalDependency.logbackClassic
   implementation externalDependency.awsMskIamAuth
   testRuntime externalDependency.logbackClassic
+  implementation externalDependency.charle
+}
+configurations.all{
+  exclude group: "com.charleskorn.kaml", module:"kaml"
+
 }
-
 configurations {
   jetty9
 }
@@ -83,4 +87,4 @@ task cleanLocalDockerImages {
     rootProject.ext.cleanLocalDockerImages(docker_registry, docker_repo, "v${version}")
   }
 }
-dockerClean.finalizedBy(cleanLocalDockerImages)
+dockerClean.finalizedBy(cleanLocalDockerImages)