Bump the maven group across 1 directory with 11 updates #184
Open
dependabot[bot] wants to merge 38 commits into
feat: add CTDS CI build and push

Co-authored-by: Andrew Prokhorenkov <aprokh@uchicago.edu>

- feat: introduce custom configuration option. Update pom.xml with a better default authorization url
- feat: improve logging of jwt
- fix: add "Atlas users" as default system role
- feat: add more log statements for PermissionManager
- feat: ensure /user/me endpoint also triggers the UPDATE_TOKEN filter
- feat: ensure the teamproject is stored per user ...and allow reading current teamproject from cache in case of a request to /user/refresh endpoint
- feat: main logic in new filter class TeamProjectBasedAuthorizingFilter
- fix: ensure reset of roles always happens
- feat: remove unnecessary method from PermissionManager
- fix: use lower() in SQL query itself for finding login
- fix: take login from shiro-parsed principal instead of DB ...to avoid the issue where the login is all lowercase in db
- feat: move the defaultRoles definition into AtlasSecurity
- fix: move authorizationMode check to PostConstruct ...to avoid NullPointerException as attributes are not yet wired when in constructor
- fix: remove session.stop() call from UpdateAccessTokenFilter ...and therefore from the flow of endpoints like /user/refresh. Not sure why this was added there, as the /user/logout should be the place to remove a session. This solves a org.apache.shiro.subject.support.DisabledSessionException. If the worry is that logout won't be called, then the expiry time should just be set to a short period. The adjustment in JwtAuthRealm.java was to deal with the side effect that occurred after the removal of the .stop in the UpdateAccessTokenFilter filter: java.lang.ClassCastException: io.buji.pac4j.subject.Pac4jPrincipal cannot be cast to java.lang.String
- fix: do not create a new session when requesting current session

downgrade pac4j

…_permission Update src/main/resources/db/migration/postgresql/V2.15.0.20240515220400_atlas_global_share_permission.sql

i.e. also add the "Source user (omop)" role to the list of defaultRoles for each user. TODO - replace with final solution from https://ctds-planx.atlassian.net/browse/VADC-1086

* fix: pom.xml to reduce vulnerabilities

  The following vulnerabilities are fixed with an upgrade:
  - https://snyk.io/vuln/SNYK-JAVA-IONETTY-2812456
  - https://snyk.io/vuln/SNYK-JAVA-IONETTY-5725787
  - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESOLR-6241853
  - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-2945452
  - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-2945453
  - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-5426161
  - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-5902998
  - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-5958847
  - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTYHTTP2-5958845
  - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTYHTTP2-5958918
  - https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570203
  - https://snyk.io/vuln/SNYK-JAVA-ORGXERIALSNAPPY-5710959
  - https://snyk.io/vuln/SNYK-JAVA-ORGXERIALSNAPPY-5710960
  - https://snyk.io/vuln/SNYK-JAVA-ORGXERIALSNAPPY-5710961
* some reverts

---------

Co-authored-by: snyk-bot <snyk-bot@snyk.io>

…anch Feat/enable CI for local main branch

* feat: remove the * permissions
* fix: remove extra item from concat(l,m,r)
* tmp: temporarily disable conflicting check
* fix: put back the regular vocabulary: permissions
* tmp: disable "source user" role assignment
* tmp: rename flyway script
* fix: ensure source:omop:access becomes part of role 15
* tmp: rename sql migration script
* fix: make sure copy permission is part of the default permission schema for cohortdefinition
* fix: add cohortdefinition:*:exists:get permission to role 15
* fix: revert copy permission part ...as this would cause the current code to filter out all cohorts. Current code requires the user to have ALL read permissions listed in the schema to see a cohort definition...
* fix: add cohortdefinition:*:copy:get permission to role 15
* Revert "fix: revert copy permission part". This reverts commit 8c9caf9.
* feat: migration script to add copy:get permission to teamproject cohorts
* fix: set permissionEntity to use right sequence
* fix: fix the migration script / schema name part for setval
* feat: migration script to add generate:SOURCE:get permission to role 15
* fix: added extra conceptset permissions to role 15, some of which will need review ...and fixing in ConceptSetPermissionSchema.java
* fix: support two authorization rules, where one should match the method and service expected
* fix: remove temporary solution for "Source user" ...as we have now moved the most relevant permissions into role 15
* fix: format in CohortDefinitionPermissionSchema.java

* dep: update runtime image to AmazonCorretto 8u412-al2023
* feat: adding newline
* feat: JSONArgsRecommended CMD statement
* feat: back to shell form

* dep: update base Docker images to Amazon Corretto images
* dep: update to jackson
* dep: update tika-core
* dep: update msal4j

* fix: revert back original session.stop() code from upstream
* fix: do not use session for teamproject role management

* fix: added missing migration line to prev migration script. Adding this for completeness...
* fix: move too broad conceptset:* permissions to narrow ones ...linked to specific individual conceptsets
* fix: added missing readPermissions for conceptsets. These changes remove the need for having these permissions granted as * permission. Instead, users now get a conceptset specific permission.

…#157)
* fix: add Transactional annotation to method to fix "no session" error
* fix: try to initialize session

* dep: update xstream to 1.4.21
* dep: update commons-codec to 1.14

* Update Dockerfile
* Fix Dockerfile syntax error

Create NOTICE file

…analysis to role 15 (#176)
* feat: add the extra permissions needed for cohort characterization and feature analysis to role 15
  fix: disable two unnecessary global cohort-characterization permissions, incompatible with "teamprojects" ...and improve debug logs
  fix: add cohort-characterization id to various methods/api calls
  - This allows for the correct (more strict) permission check to take place based on the user's permissions on the given cohort-characterization
  - Also expanded the new api patterns into CohortCharacterizationPermissionSchema and removed cohort-characterization permissions that were too broad from role 15 migration script.
* fix: remove wrong/nonsensical(?) role cohort-characterization:design:%s:get
Bumps the maven group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [org.apache.activemq:activemq-client](https://github.com/apache/activemq) | `5.15.16` | `6.1.7` |
| [org.apache.activemq:activemq-openwire-legacy](https://github.com/apache/activemq) | `5.15.16` | `5.16.8` |
| commons-beanutils:commons-beanutils | `1.9.4` | `1.11.0` |
| org.apache.santuario:xmlsec | `2.1.7` | `2.2.6` |
| org.hibernate:hibernate-validator | `5.4.2.Final` | `6.2.0.Final` |
| org.apache.commons:commons-lang3 | `3.12.0` | `3.18.0` |
| commons-fileupload:commons-fileupload | `1.5` | `1.6.0` |
| [org.pac4j:pac4j-oidc](https://github.com/pac4j/pac4j) | `4.0.0` | `4.5.5` |
| [org.springframework.security:spring-security-crypto](https://github.com/spring-projects/spring-security) | `4.2.16.RELEASE` | `6.3.8` |
| [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) | `2.3.2.RELEASE` | `2.4.4` |
| com.databricks:databricks-jdbc | `2.6.34` | `2.6.40` |

Updates `org.apache.activemq:activemq-client` from 5.15.16 to 6.1.7
- [Commits](apache/activemq@activemq-5.15.16...activemq-6.1.7)

Updates `org.apache.activemq:activemq-openwire-legacy` from 5.15.16 to 5.16.8
- [Commits](apache/activemq@activemq-5.15.16...activemq-5.16.8)

Updates `commons-beanutils:commons-beanutils` from 1.9.4 to 1.11.0

Updates `org.apache.santuario:xmlsec` from 2.1.7 to 2.2.6

Updates `org.hibernate:hibernate-validator` from 5.4.2.Final to 6.2.0.Final

Updates `org.apache.commons:commons-lang3` from 3.12.0 to 3.18.0

Updates `commons-fileupload:commons-fileupload` from 1.5 to 1.6.0

Updates `org.pac4j:pac4j-oidc` from 4.0.0 to 4.5.5
- [Commits](pac4j/pac4j@pac4j-4.0.0...pac4j-4.5.5)

Updates `org.springframework.security:spring-security-crypto` from 4.2.16.RELEASE to 6.3.8
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](spring-projects/spring-security@4.2.16.RELEASE...6.3.8)

Updates `org.springframework.ldap:spring-ldap-core` from 2.3.2.RELEASE to 2.4.4
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](spring-projects/spring-ldap@2.3.2.RELEASE...2.4.4)

Updates `com.databricks:databricks-jdbc` from 2.6.34 to 2.6.40

---
updated-dependencies:
- dependency-name: org.apache.activemq:activemq-client
  dependency-version: 6.1.7
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.activemq:activemq-openwire-legacy
  dependency-version: 5.16.8
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-beanutils:commons-beanutils
  dependency-version: 1.11.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.santuario:xmlsec
  dependency-version: 2.2.6
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.hibernate:hibernate-validator
  dependency-version: 6.2.0.Final
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.commons:commons-lang3
  dependency-version: 3.18.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-fileupload:commons-fileupload
  dependency-version: 1.6.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.pac4j:pac4j-oidc
  dependency-version: 4.5.5
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework.security:spring-security-crypto
  dependency-version: 6.3.8
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 2.4.4
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.databricks:databricks-jdbc
  dependency-version: 2.6.40
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
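A useful follow-up check once a group bump like this lands is to confirm that the pom.xml really declares at least the target versions from the table above, including versions pulled in through `${...}` properties, so a later merge or revert cannot silently reintroduce an old artifact. The script below is an added example written for this page; it is not Dependabot's or the project's code. The pom.xml fragment it parses is constructed to mirror a few "From" versions from the table, and the target version map is copied from the table's "To" column.

```python
"""Check a Maven pom.xml against the minimum dependency versions expected after a
Dependabot group update. Added example, not part of the PR or the project; the
pom.xml below is constructed to mirror the 'From' column of the PR table."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Target versions, copied from the 'To' column of the PR's update table.
TARGET_VERSIONS = {
    "org.apache.activemq:activemq-client": "6.1.7",
    "org.apache.activemq:activemq-openwire-legacy": "5.16.8",
    "commons-beanutils:commons-beanutils": "1.11.0",
    "org.apache.santuario:xmlsec": "2.2.6",
    "org.hibernate:hibernate-validator": "6.2.0.Final",
    "org.apache.commons:commons-lang3": "3.18.0",
    "commons-fileupload:commons-fileupload": "1.6.0",
    "org.pac4j:pac4j-oidc": "4.5.5",
    "org.springframework.security:spring-security-crypto": "6.3.8",
    "org.springframework.ldap:spring-ldap-core": "2.4.4",
    "com.databricks:databricks-jdbc": "2.6.40",
}

# Constructed pom fragment: three coordinates still at their pre-bump versions
# (one of them via a property) and one already at its target.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <pac4j.version>4.0.0</pac4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.4</version>
    </dependency>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-oidc</artifactId>
      <version>${pac4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.hibernate</groupId>
      <artifactId>hibernate-validator</artifactId>
      <version>5.4.2.Final</version>
    </dependency>
    <dependency>
      <groupId>com.databricks</groupId>
      <artifactId>databricks-jdbc</artifactId>
      <version>2.6.40</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Tuple of the leading numeric segments; comparison stops at the first
    qualifier (Final, RELEASE, rc1, ...), so 5.4.2.Final compares as (5, 4, 2)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def resolve(value, props):
    """Substitute ${property} references from the pom's <properties> block;
    unknown properties are left untouched so they can be flagged."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def declared_versions(pom_xml):
    """Map 'groupId:artifactId' -> resolved version for every <dependency>."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", ns)}
    found = {}
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        gid = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        ver = resolve(dep.findtext("m:version", default="", namespaces=ns).strip(), props)
        found[f"{gid}:{aid}"] = ver
    return found


def outdated(pom_xml, targets=TARGET_VERSIONS):
    """Return (coordinate, declared, target) for each directly declared dependency
    that is below its target or whose version property could not be resolved."""
    declared = declared_versions(pom_xml)
    report = []
    for coord, target in targets.items():
        if coord not in declared:
            continue  # not declared directly here (may be managed by a parent or BOM)
        have = declared[coord]
        if "${" in have or version_key(have) < version_key(target):
            report.append((coord, have, target))
    return report


if __name__ == "__main__":
    for coord, have, want in outdated(SAMPLE_POM):
        print(f"{coord}: declared {have}, expected at least {want}")
```

Dependencies that are not declared directly in the pom (managed by a parent or a BOM) are skipped rather than reported; for those, `mvn dependency:tree` is the right source of truth.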
Updates `org.apache.activemq:activemq-client` from 5.15.16 to 6.1.7
Commits:
- 2e94ec3 [maven-release-plugin] prepare release activemq-6.1.7
- dd4205c Fix javadoc
- 9ca5d0e AMQ-9503: Add wireFormat.displayStackTrace option on the HTTP transport conne...
- c3c0d69 Upgrade spring.schemas in preparation for 6.1.7 release
- 7854f8c AMQ-9730: Upgrade to Camel 4.10.5 (#1459)
- 0070ef1 AMQ-9729: Upgrade to Jackson 2.19.1 (#1460)
- 6f73b89 AMQ-9731: Upgrade to Spring 6.1.21 (#1458)
- c001b9e don't print stack traces when stopping or stopped (#1414)
- 990a8d6 AMQ-9726 - Fix FilePendingMessageCursor clear() method (#1452)
- cdf8e40 NO-JIRA: Fix flaky DurableSubscriptionHangTestCase

Updates `org.apache.activemq:activemq-openwire-legacy` from 5.15.16 to 5.16.8
Commits:
- f734c20 [maven-release-plugin] prepare release activemq-5.16.8
- 37ca550 Update spring.schemas version in preparation for 5.16.8 release
- b0205f9 AMQ-6596 - Validate size of buffers during unmarshalling
- 4891a65 Fix line endings in openwire generated files
- cd201c0 AMQ-9418 - Support converting jakarta jms exceptions to javax
- 340dcd9 AMQ-9329: Upgrade to Jetty 9.4.53.v20231009
- 3af9001 AMQ-9383: Copy transport options before sending in introspection setter
- 7115a89 [maven-release-plugin] prepare for next development iteration
- 4bbb055 [maven-release-plugin] prepare release activemq-5.16.7
- 79a43c1 Update spring.schemas in preparation for 5.16.7 release

Updates `commons-beanutils:commons-beanutils` from 1.9.4 to 1.11.0

Updates `org.apache.santuario:xmlsec` from 2.1.7 to 2.2.6

Updates `org.hibernate:hibernate-validator` from 5.4.2.Final to 6.2.0.Final

Updates `org.apache.commons:commons-lang3` from 3.12.0 to 3.18.0

Updates `commons-fileupload:commons-fileupload` from 1.5 to 1.6.0

Updates `org.pac4j:pac4j-oidc` from 4.0.0 to 4.5.5
Commits:
- a1ae387 [maven-release-plugin] prepare release pac4j-4.5.5
- 09684e0 Fix CVE-2021-44878
- 90a6cb3 [maven-release-plugin] prepare for next development iteration
- 91996a7 [maven-release-plugin] prepare release pac4j-4.5.4
- 34e9d0f patch log4j v2
- d682e7f [maven-release-plugin] prepare for next development iteration
- 49c546e [maven-release-plugin] prepare release pac4j-4.5.3
- c1ab3e1 [pac4j-saml] Upgrade to velocity core engine 2.3 (#1992)
- cbd73bc [maven-release-plugin] prepare for next development iteration
- 72d9f8a [maven-release-plugin] prepare release pac4j-4.5.2

Updates `org.springframework.security:spring-security-crypto` from 4.2.16.RELEASE to 6.3.8
Release notes: sourced from org.springframework.security:spring-security-crypto's releases. ... (truncated)
Changelog: sourced from org.springframework.security:spring-security-crypto's changelog. ... (truncated)
Commits:
- 147081f Release 6.3.8
- 709d9bc Bump org.springframework:spring-framework-bom from 6.1.17 to 6.1.18
- d9bb16e Bump io.projectreactor:reactor-bom from 2023.0.15 to 2023.0.16
- 1111491 Bump org.springframework.data:spring-data-bom from 2024.0.9 to 2024.0.10
- adb303e Add testRuntimeOnly junit-platform-launcher
- 46f0dc6 Enforce BCrypt password length
- 36ea1b1 Fix Compilation Error
- e793a96 Remove s101 From Builds
- 46cd94b SpEL Propagates Authorization Exceptions
- acd2de4 Bump io.mockk:mockk from 1.13.16 to 1.13.17

Updates `org.springframework.ldap:spring-ldap-core` from 2.3.2.RELEASE to 2.4.4
Release notes: sourced from org.springframework.ldap:spring-ldap-core's releases. ... (truncated)
Commits:
- ec1d0ac Release 2.4.4
- 1bfb466 Polish toLower/UpperCase Usage
- ec09768 Update to Spring Security 5.8.15
- 1838e6e Update to SLF4J 1.7.36
- 08a5f53 Update to Hibernate 5.6.15
- db231b3 Update to Freemarker 2.3.33
- 3616818 Update to Apache HttpClient 4.5.14
- 41a9adb Update to AspectJ 1.9.22.1
- a2a42ac Update to Jackson 2.13.4
- bd76003 Update to Spring Data 2021.1.10

Updates `com.databricks:databricks-jdbc` from 2.6.34 to 2.6.40

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.