Report section for Actuator Endpoints Sanitization

- Report section rendered for Boot 2.7 and 3.0

Author: fabapp2

components/sbm-recipes-boot-upgrade/src/main/java/org/springframework/sbm/boot/upgrade_27_30/report/SpringBootUpgradeReportSection.java

@@ -245,7 +245,10 @@ public List<Author> getAuthors() {
 
     private String renderRemediation() {
         StringBuilder sb = new StringBuilder();
-        sb.append(remediation.getDescription()).append(ls).append(ls);
+        if(remediation.getDescription() != null) {
+            sb.append(remediation.getDescription()).append(ls);
+        }
+        sb.append(ls);
         if(remediation.getPossibilities().isEmpty()) {
             renderResourcesList(sb, remediation);
             renderRecipeButton(sb, remediation.getRecipe());

components/sbm-recipes-boot-upgrade/src/main/java/org/springframework/sbm/boot/upgrade_27_30/report/helper/ActuatorEndpointsSanitizationHelper.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2021 - 2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.sbm.boot.upgrade_27_30.report.helper;
+import org.springframework.sbm.boot.common.conditions.IsSpringBootProject;
+import org.springframework.sbm.boot.upgrade_27_30.report.SpringBootUpgradeReportSection;
+import org.springframework.sbm.build.api.BuildFile;
+import org.springframework.sbm.build.api.Module;
+import org.springframework.sbm.engine.context.ProjectContext;
+import org.springframework.sbm.project.resource.ProjectResource;
+
+import java.util.Comparator;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+/**
+ * @author Fabian Krüger
+ */
+public class ActuatorEndpointsSanitizationHelper extends SpringBootUpgradeReportSection.AbstractHelper<List<BuildFile>> {
+
+    private static final String ACTUATOR_GROUP_ID = "org.springframework.boot";
+    private static final String ACTUATOR_ARTIFACT_ID = "spring-boot-actuator";
+    public static final String VERSION_PATTERN = "(2\\.7\\..*)|(3\\.0\\..*)";
+    private List<BuildFile> buildFilesWithActuatorOnClasspath;
+
+    @Override
+    public boolean evaluate(ProjectContext context) {
+        IsSpringBootProject isSpringBootProjectCondition = new IsSpringBootProject();
+        isSpringBootProjectCondition.setVersionPattern(VERSION_PATTERN);
+        boolean isSpringBoot3Application = isSpringBootProjectCondition.evaluate(context);
+        if(! isSpringBoot3Application) {
+            return false;
+        }
+        buildFilesWithActuatorOnClasspath = getActuatorDependency(context);
+        return ! buildFilesWithActuatorOnClasspath.isEmpty();
+    }
+
+    private List<BuildFile> getActuatorDependency(ProjectContext context) {
+        return context.getApplicationModules().stream()
+                .map(Module::getBuildFile)
+                .filter(b -> b.getEffectiveDependencies().stream().anyMatch(d -> d.getGroupId().equals(ACTUATOR_GROUP_ID) && d.getArtifactId().equals(ACTUATOR_ARTIFACT_ID)))
+                .sorted(Comparator.comparing(ProjectResource::getSourcePath))
+                .collect(Collectors.toList());
+    }
+
+    @Override
+    public Map<String, List<BuildFile>> getData() {
+        return Map.of("matchingBuildFiles", buildFilesWithActuatorOnClasspath);
+    }
+}

components/sbm-recipes-boot-upgrade/src/main/resources/recipes/27_30/report/sbu30-report.yaml

@@ -87,19 +87,20 @@
       sections:
 
 
-        - title: Add Spring Boot dependency and plugin milestone repository
-          helper: org.springframework.sbm.boot.upgrade_27_30.report.helper.AddSpringBootRepositoriesHelper
-          change: |-
-            As currently only milestone releases exist these are required
-          affected: |-
-            You want to update to 3.0 so you're affected
-          remediation:
-            description: |-
-              Add Spring Boot milestone repositories.
-            recipe: sbu30-add-milestone-repositories
-          gitHubIssue: 441
-          contributors:
-            - "Fabian Krüger[@fabapp2]"
+# Note re required anymore now that 3.0 is released. Kept for reference
+#        - title: Add Spring Boot dependency and plugin milestone repository
+#          helper: org.springframework.sbm.boot.upgrade_27_30.report.helper.AddSpringBootRepositoriesHelper
+#          change: |-
+#            As currently only milestone releases exist these are required
+#          affected: |-
+#            You want to update to 3.0 so you're affected
+#          remediation:
+#            description: |-
+#              Add Spring Boot milestone repositories.
+#            recipe: sbu30-add-milestone-repositories
+#          gitHubIssue: 441
+#          contributors:
+#            - "Fabian Krüger[@fabapp2]"
 
         - title: Upgrade Dependencies
           helper: org.springframework.sbm.boot.upgrade_27_30.report.helper.UpgradeDependenciesHelper
@@ -132,6 +133,58 @@
             - "Fabian Krüger[@fabapp2]"
 
 
+        - title: Actuator Endpoints Sanitization
+          helper: org.springframework.sbm.boot.upgrade_27_30.report.helper.ActuatorEndpointsSanitizationHelper
+          change: |-
+            Since, the `/env` and `/configprops` endpoints can contains sensitive values, all values are always masked by default.
+            This used to be case only for keys considered to be sensitive.
+            
+            Instead, this release opts for a more secure default.
+            The keys-based approach has been removed in favor of a role based approach, similar to the health endpoint details.
+            Whether unsanitized values are shown or not can be configured using a property which can have the following values:
+          
+            - `NEVER` - All values are sanitized.
+            - `ALWAYS` - All values are present in the output (sanitizing functions will apply).
+            - `WHEN_AUTHORIZED` - Values are present in the output only if a user is authorized (sanitizing functions will apply).
+            
+            For JMX, users are always considered to be authorized. For HTTP, users are considered to be authorized if they are authenticated and have the specified roles.
+            
+            Sanitization for the QuartzEndpoint is also configurable in the same way.
+          affected: |-
+            The scan found a dependency to actuator on the classpath.
+            
+            <#list matchingBuildFiles as match>
+              * file://${match.absolutePath}[`${match.sourcePath}`]<#lt>
+            </#list>
+          remediation:
+            possibilities:
+              - title: Verify the new sanitization fulfills your requirements
+                description: |- 
+                  Please verify that none of the sanitized values must be plain text to meet your requirements.
+                  If some sanitized values are required in plain text a custom `SanitizingFunction` must be provided.
+                  Please see the documentation about https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto.html#howto.actuator.sanitize-sensitive-values.customizing-sanitization[Customizing Sanitization^, role="ext-link"] 
+                  for further information on how to do this.
+                resources:
+                  - https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto.html#howto.actuator.sanitize-sensitive-values[Sanitize Sensitive Values^, role="ext-link"]
+                  - https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto.html#howto.actuator.sanitize-sensitive-values.customizing-sanitization[Customizing Sanitization^, role="ext-link"]
+# Not available until upgrade to the latest rewrite version which is currently blocked
+#
+#              - title: Reset behavior to prior 3.0
+#                description: |-
+#                  Because Spring Boot Migrator can't tell if the now sanitized properties are required in plain-text,
+#                  the only automated change we can do is setting `management.endpoint.configprops.show-values`,
+#                  `management.endpoint.env.show-values` and `management.endpoint.quartz.show-values` to `ALWAYS`.
+#                  This means the application does not benefit from the new and more secure configuration in Spring Boot 3.0.0.
+#                  We strongly recommend you adjust this configuration to your needs.
+#
+#                  WARNING:  This would result in some values not being sanitized when in 2.7 they would have been.
+#                recipe: sbu30-225-actuator-endpoint-sanitization
+          projects:
+            - spring-boot
+          gitHubIssue: 445
+          contributors:
+            - "Fabian Krüger[@fabapp2]"
+
         - title: Changes to Data Properties
           helper: org.springframework.sbm.boot.upgrade_27_30.report.helper.ChangesToDataPropertiesHelper
           change: |-
@@ -226,8 +279,8 @@
             `@Autowired` annotation.
           sources:
             - https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0.0-M2-Release-Notes#constructingbinding-no-longer-needed-at-the-type-level[Spring Boot Release Notes]
-            - https://docs.spring.io/spring-boot/docs/3.0.0-M4/api/org/springframework/boot/context/properties/ConstructorBinding.html[@ConstructorBinding API]
-            - https://docs.spring.io/spring-boot/docs/3.0.0-M4/api/org/springframework/boot/context/properties/ConfigurationProperties.html[@ConfigurationProperties API]
+            - https://docs.spring.io/spring-boot/docs/3.0.0/api/org/springframework/boot/context/properties/ConstructorBinding.html[@ConstructorBinding API]
+            - https://docs.spring.io/spring-boot/docs/3.0.0/api/org/springframework/boot/context/properties/ConfigurationProperties.html[@ConfigurationProperties API]
           affected: |-
             We found usage of `@ConstructorBinding` in following files:
 

components/sbm-recipes-boot-upgrade/src/test/java/org/springframework/sbm/boot/upgrade_27_30/report/helper/ActuatorEndpointsSanitizationHelperTest.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2021 - 2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.sbm.boot.upgrade_27_30.report.helper;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.springframework.sbm.build.util.PomBuilder;
+import org.springframework.sbm.engine.context.ProjectContext;
+import org.springframework.sbm.project.resource.TestProjectContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * @author Fabian Krüger
+ */
+class ActuatorEndpointsSanitizationHelperTest {
+
+    @Test
+    void withSingleModuleApplication() {
+        ProjectContext context = TestProjectContext
+                .buildProjectContext()
+                .withSpringBootParentOf("3.0.0")
+                .withBuildFileHavingDependencies("org.springframework.boot:spring-boot-actuator")
+                .build();
+
+        ActuatorEndpointsSanitizationHelper sut = new ActuatorEndpointsSanitizationHelper();
+        assertThat(sut.evaluate(context)).isTrue();
+        assertThat(sut.getData()).hasSize(1);
+        assertThat(sut.getData().get("matchingBuildFiles")).containsExactly(context.getApplicationModules().getRootModule().getBuildFile());
+    }
+
+    @Test
+    void withMultiModuleApplication() {
+        String parentPom = PomBuilder
+                .buildParentPom("org.springframework.boot:spring-boot-starter-parent:3.0.0", "com.example:parent:1.0")
+                .withModules("moduleA", "moduleB", "moduleC")
+                .build();
+        String moduleA = PomBuilder
+                .buildPom("com.example:parent:1.0", "moduleA")
+                .compileScopeDependencies("com.example:moduleC:1.0")
+                .build();
+        String moduleB = PomBuilder
+                .buildPom("com.example:parent:1.0", "moduleB")
+                .compileScopeDependencies("com.example:moduleC:1.0")
+                .build();
+        String moduleC = PomBuilder
+                .buildPom("com.example:parent:1.0", "moduleC")
+                .compileScopeDependencies("org.springframework.boot:spring-boot-starter-actuator")
+                .build();
+
+        ProjectContext context = TestProjectContext
+                .buildProjectContext()
+                .withMavenRootBuildFileSource(parentPom)
+                .withMavenBuildFileSource("moduleA", moduleA)
+                .withMavenBuildFileSource("moduleB", moduleB)
+                .withMavenBuildFileSource("moduleC", moduleC)
+                .build();
+
+        ActuatorEndpointsSanitizationHelper sut = new ActuatorEndpointsSanitizationHelper();
+        assertThat(sut.evaluate(context)).isTrue();
+        assertThat(sut.getData().get("matchingBuildFiles")).hasSize(3);
+        assertThat(sut.getData().get("matchingBuildFiles")).containsExactly(
+                context.getApplicationModules().getModule("moduleA").getBuildFile(),
+                context.getApplicationModules().getModule("moduleB").getBuildFile(),
+                context.getApplicationModules().getModule("moduleC").getBuildFile()
+        );
+    }
+
+}