Merge pull request #162 from RADAR-base/fix/audience-claim

mpgxvii · web-flow · commit c42b8522816b · 2025-04-25T18:54:04.000+01:00
Add audience claim in UserRepository
diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
@@ -0,0 +1,62 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+env:
+    DOCKER_IMAGE_FITBIT: radarbase/kafka-connect-rest-fitbit-source
+    DOCKER_IMAGE_OURA: radarbase/kafka-connect-rest-oura-source
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities on Fitbit image
+        continue-on-error: true # To make sure that SARIF upload gets called
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.DOCKER_IMAGE_FITBIT }}
+          args: >-
+            --file=kafka-connect-fitbit-source/Dockerfile
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --exclude-app-vulns
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload Fitbit result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: fitbit
+          sarif_file: snyk.sarif
+
+      - name: Run Snyk to check for vulnerabilities on Oura image
+        continue-on-error: true # To make sure that SARIF upload gets called
+        uses: snyk/actions/docker@master
+        env:
+            SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+            image: ${{ env.DOCKER_IMAGE_OURA }}
+            args: >-
+              --file=kafka-connect-oura-source/Dockerfile
+              --fail-on=upgradable
+              --severity-threshold=high
+              --policy-path=.snyk
+              --exclude-app-vulns
+              --org=radar-base
+              --sarif-file-output=snyk.sarif
+
+      - name: Upload Oura result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: oura
+          sarif_file: snyk.sarif
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
@@ -0,0 +1,34 @@
+name: Snyk scheduled code base scan
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching='^runtimeClasspath$'
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
@@ -1,34 +1,27 @@
-name: Snyk test
+name: Snyk test on PR commits
 
 on:
-  - pull_request
+  pull_request:
+    branches:
+      - master
+      - dev
+      - release-*
 
 jobs:
   security:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v3
-      - uses: snyk/actions/setup@master
-        with:
-          snyk-version: v1.1032.0
-
-      - uses: actions/setup-java@v3
-        with:
-          distribution: temurin
-          java-version: 17
-
-      - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
 
       - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: >
-          snyk test
-          --all-projects
-          --configuration-matching="^runtimeClasspath$"
-          --fail-on=upgradable
-          --org=radar-base
-          --policy-path=.snyk
-          --severity-threshold=high
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching="^runtimeClasspath$"
+            --severity-threshold=high
+            --fail-on=upgradable
+            --org=radar-base
+            --policy-path=.snyk
diff --git a/.snyk b/.snyk
@@ -0,0 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}
diff --git a/buildSrc/src/main/kotlin/Versions.kt b/buildSrc/src/main/kotlin/Versions.kt
@@ -1,13 +1,13 @@
 @Suppress("ConstPropertyName", "MemberVisibilityCanBePrivate")
 object Versions {
-    const val project = "0.5.4"
+    const val project = "0.6.1"
 
     const val java = 17
     const val kotlin = "1.9.22"
-    const val wrapper = "8.4"
+    const val wrapper = "8.9"
 
     const val radarCommons = "1.1.3"
-    const val confluent = "7.7.0"
+    const val confluent = "7.8.1"
     const val kafka = "$confluent-ce"
     const val avro = "1.12.0"
 
@@ -29,4 +29,6 @@ object Versions {
     const val junit = "5.10.2"
     const val wiremock = "3.0.1"
     const val mockito = "5.11.0"
+
+    const val nettyVersion = "4.1.118.Final"
 }
diff --git a/kafka-connect-fitbit-source/Dockerfile b/kafka-connect-fitbit-source/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM gradle:8.4-jdk17 as builder
+FROM --platform=$BUILDPLATFORM gradle:8.9-jdk17 AS builder
 
 RUN mkdir /code
 WORKDIR /code
@@ -32,16 +32,11 @@ COPY ./kafka-connect-fitbit-source/src/ /code/kafka-connect-fitbit-source/src
 
 RUN gradle jar
 
-FROM confluentinc/cp-kafka-connect-base:7.6.0
-
-USER root
-
-RUN yum remove -y zulu11-ca-jdk-headless && yum remove -y zulu11-ca-jre-headless
-RUN yum install -y zulu17-ca-jdk-headless && yum install -y zulu17-ca-jre-headless
+FROM confluentinc/cp-kafka-connect-base:7.8.1
 
 USER appuser
 
-MAINTAINER Pim van Nierop <pim@thehyve.nl>
+LABEL org.opencontainers.image.authors="pim@thehyve.nl"
 
 LABEL description="Kafka REST API Source connector"
 
diff --git a/kafka-connect-fitbit-source/build.gradle.kts b/kafka-connect-fitbit-source/build.gradle.kts
@@ -1,6 +1,13 @@
 description = "Kafka connector for Fitbit API source"
 
 dependencies {
+
+    /* The entries in the block below are added here to force the version of
+     * transitive dependencies and mitigate reported vulnerabilities
+     */
+    implementation("io.netty:netty-handler-proxy:${Versions.nettyVersion}")
+    implementation("io.netty:netty-handler:${Versions.nettyVersion}")
+
     api(project(":kafka-connect-rest-source"))
     api(project(":oura-library"))
     api("io.confluent:kafka-connect-avro-converter:${Versions.confluent}")
diff --git a/kafka-connect-fitbit-source/src/main/java/org/radarbase/connect/rest/fitbit/user/ServiceUserRepository.kt b/kafka-connect-fitbit-source/src/main/java/org/radarbase/connect/rest/fitbit/user/ServiceUserRepository.kt
@@ -90,6 +90,8 @@ class ServiceUserRepository : UserRepository {
             tokenUrl = URLBuilder(config.fitbitUserRepositoryTokenUrl.toString()).build(),
             clientId = config.fitbitUserRepositoryClientId,
             clientSecret = config.fitbitUserRepositoryClientSecret,
+            scope = "SUBJECT.READ MEASUREMENT.CREATE",
+            audience = "res_restAuthorizer",
         )
 
         val refreshDuration = config.userCacheRefreshInterval.toKotlinDuration()
@@ -113,6 +115,8 @@ class ServiceUserRepository : UserRepository {
         tokenUrl: Url?,
         clientId: String?,
         clientSecret: String?,
+        scope: String?,
+        audience: String?,
     ): HttpClient = HttpClient(CIO) {
         if (tokenUrl != null) {
             install(Auth) {
@@ -121,6 +125,8 @@ class ServiceUserRepository : UserRepository {
                         tokenUrl.toString(),
                         clientId,
                         clientSecret,
+                        scope,
+                        audience,
                     ).copyWithEnv("MANAGEMENT_PORTAL"),
                     baseUrl.host,
                 )
diff --git a/kafka-connect-fitbit-source/src/main/java/org/radarbase/connect/rest/fitbit/user/ServiceUserRepositoryLegacy.java b/kafka-connect-fitbit-source/src/main/java/org/radarbase/connect/rest/fitbit/user/ServiceUserRepositoryLegacy.java
@@ -36,7 +36,8 @@
  import java.util.stream.Collectors;
  import java.util.stream.Stream;
  import okhttp3.Credentials;
- import okhttp3.HttpUrl;
+import okhttp3.FormBody;
+import okhttp3.HttpUrl;
  import okhttp3.MediaType;
  import okhttp3.OkHttpClient;
  import okhttp3.Request;
@@ -64,6 +65,9 @@ public class ServiceUserRepositoryLegacy implements UserRepository {
    private static final Duration CONNECTION_TIMEOUT = Duration.ofSeconds(60);
    private static final Duration CONNECTION_READ_TIMEOUT = Duration.ofSeconds(90);
  
+   private static final String CLIENT_AUDIENCE = "res_restAuthorizer"; 
+   private static final String CLIENT_AUDIENCE_KEY = "audience";
+
    private final OkHttpClient client;
    private final Map<String, OAuth2UserCredentials> cachedCredentials;
    private final AtomicReference<Instant> nextFetch = new AtomicReference<>(MIN_INSTANT);
@@ -76,6 +80,19 @@ public class ServiceUserRepositoryLegacy implements UserRepository {
  
    public ServiceUserRepositoryLegacy() {
      this.client = new OkHttpClient.Builder()
+          .addInterceptor(chain -> {
+            Request req = chain.request();
+            if ("POST".equalsIgnoreCase(req.method()) && req.body() instanceof FormBody) {
+                FormBody oldBody = (FormBody) req.body();
+                FormBody.Builder newBody = new FormBody.Builder();
+                for (int i = 0; i < oldBody.size(); i++) {
+                    newBody.addEncoded(oldBody.encodedName(i), oldBody.encodedValue(i));
+                }
+                newBody.add(CLIENT_AUDIENCE_KEY, CLIENT_AUDIENCE);
+                req = req.newBuilder().post(newBody.build()).build();
+            }
+            return chain.proceed(req);
+          })
          .connectTimeout(CONNECTION_TIMEOUT)
          .readTimeout(CONNECTION_READ_TIMEOUT)
          .build();
diff --git a/kafka-connect-oura-source/Dockerfile b/kafka-connect-oura-source/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM gradle:8.4-jdk17 as builder
+FROM --platform=$BUILDPLATFORM gradle:8.9-jdk17 AS builder
 
 RUN mkdir /code
 WORKDIR /code
@@ -32,16 +32,11 @@ COPY ./oura-library/src/ /code/oura-library/src
 
 RUN gradle jar
 
-FROM confluentinc/cp-kafka-connect-base:7.6.0
-
-USER root
-
-RUN yum remove -y zulu11-ca-jdk-headless && yum remove -y zulu11-ca-jre-headless
-RUN yum install -y zulu17-ca-jdk-headless && yum install -y zulu17-ca-jre-headless
+FROM confluentinc/cp-kafka-connect-base:7.8.1
 
 USER appuser
 
-MAINTAINER Pauline Conde <pauline.conde@kcl.ac.uk>
+LABEL org.opencontainers.image.authors="pauline.conde@kcl.ac.uk"
 
 LABEL description="Kafka Oura REST API Source connector"
 
diff --git a/kafka-connect-oura-source/build.gradle.kts b/kafka-connect-oura-source/build.gradle.kts
@@ -1,6 +1,13 @@
 description = "Kafka connector for Oura API source"
 
 dependencies {
+
+    /* The entries in the block below are added here to force the version of
+     * transitive dependencies and mitigate reported vulnerabilities
+     */
+    implementation("io.netty:netty-handler-proxy:${Versions.nettyVersion}")
+    implementation("io.netty:netty-handler:${Versions.nettyVersion}")
+
     api(project(":oura-library"))
     api("io.confluent:kafka-connect-avro-converter:${Versions.confluent}")
     api("org.radarbase:radar-schemas-commons:${Versions.radarSchemas}")
diff --git a/kafka-connect-oura-source/src/main/java/org/radarbase/connect/rest/oura/user/OuraServiceUserRepository.kt b/kafka-connect-oura-source/src/main/java/org/radarbase/connect/rest/oura/user/OuraServiceUserRepository.kt
@@ -90,6 +90,8 @@ class OuraServiceUserRepository : OuraUserRepository() {
                 tokenUrl = URLBuilder(config.ouraUserRepositoryTokenUrl.toString()).build(),
                 clientId = config.ouraUserRepositoryClientId,
                 clientSecret = config.ouraUserRepositoryClientSecret,
+                scope = "SUBJECT.READ MEASUREMENT.CREATE",
+                audience = "res_restAuthorizer",
             )
 
         userCache =
@@ -111,6 +113,8 @@ class OuraServiceUserRepository : OuraUserRepository() {
         tokenUrl: Url?,
         clientId: String?,
         clientSecret: String?,
+        scope: String?,
+        audience: String?,
     ): HttpClient =
         HttpClient(CIO) {
             if (tokenUrl != null) {
@@ -120,6 +124,8 @@ class OuraServiceUserRepository : OuraUserRepository() {
                             tokenUrl.toString(),
                             clientId,
                             clientSecret,
+                            scope,
+                            audience,
                         ).copyWithEnv("MANAGEMENT_PORTAL"),
                         baseUrl.host,
                     )
diff --git a/kafka-connect-oura-source/src/main/java/org/radarbase/connect/rest/oura/user/OuraServiceUserRepositoryLegacy.java b/kafka-connect-oura-source/src/main/java/org/radarbase/connect/rest/oura/user/OuraServiceUserRepositoryLegacy.java
@@ -40,7 +40,8 @@
  import java.util.stream.Collectors;
  import java.util.stream.Stream;
  import okhttp3.Credentials;
- import okhttp3.HttpUrl;
+import okhttp3.FormBody;
+import okhttp3.HttpUrl;
  import okhttp3.MediaType;
  import okhttp3.OkHttpClient;
  import okhttp3.Request;
@@ -78,6 +79,9 @@ public class OuraServiceUserRepositoryLegacy extends OuraUserRepository {
    private static final Duration CONNECTION_TIMEOUT = Duration.ofSeconds(60);
    private static final Duration CONNECTION_READ_TIMEOUT = Duration.ofSeconds(90);
  
+   private static final String CLIENT_AUDIENCE = "res_restAuthorizer"; 
+   private static final String CLIENT_AUDIENCE_KEY = "audience";
+
    private final OkHttpClient client;
    private final Map<String, OAuth2UserCredentials> cachedCredentials;
    private final AtomicReference<Instant> nextFetch = new AtomicReference<>(MIN_INSTANT);
@@ -90,6 +94,19 @@ public class OuraServiceUserRepositoryLegacy extends OuraUserRepository {
  
    public OuraServiceUserRepositoryLegacy() {
      this.client = new OkHttpClient.Builder()
+          .addInterceptor(chain -> {
+            Request req = chain.request();
+            if ("POST".equalsIgnoreCase(req.method()) && req.body() instanceof FormBody) {
+                FormBody oldBody = (FormBody) req.body();
+                FormBody.Builder newBody = new FormBody.Builder();
+                for (int i = 0; i < oldBody.size(); i++) {
+                    newBody.addEncoded(oldBody.encodedName(i), oldBody.encodedValue(i));
+                }
+                newBody.add(CLIENT_AUDIENCE_KEY, CLIENT_AUDIENCE);
+                req = req.newBuilder().post(newBody.build()).build();
+            }
+            return chain.proceed(req);
+          })
          .connectTimeout(CONNECTION_TIMEOUT)
          .readTimeout(CONNECTION_READ_TIMEOUT)
          .build();
