Merge branch 'refs/heads/main' into fix-one-of-7.22

Author: CharlesDuboisSAP

.github/workflows/blackduck.yaml

@@ -5,10 +5,14 @@ on:
   schedule:
     - cron: 0 23 * * *
 
+permissions: {}
+
 jobs:
   scan:
     name: "Blackduck Scan"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v6
@@ -19,6 +23,8 @@ jobs:
 
   notify-job:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [ scan ]
     if: ${{ failure() && github.ref == 'refs/heads/main' }}
     steps:

.github/workflows/continuous-integration.yaml

@@ -50,12 +50,16 @@ env:
   MVN_SINGLE_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1
   MVN_SKIP_CI_PLUGINS: -DskipFormatting -Denforcer.skip -Djacoco.skip -Dmdep.analyze.skip
 
+permissions: {}
+
 jobs:
   context:
     name: "Collect Context"
     outputs:
       commit: ${{ steps.calculate-commit-sha.outputs.COMMIT }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Calculate Commit SHA"
         id: calculate-commit-sha
@@ -79,6 +83,8 @@ jobs:
     name: "Check Formatting"
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@v6
@@ -106,6 +112,8 @@ jobs:
     name: "Build"
     needs: [ context, check-formatting ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # upload-artifacts does not use github-token
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -160,6 +168,8 @@ jobs:
     name: "Test"
     needs: [ context, build ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -202,6 +212,8 @@ jobs:
   static-code-analysis:
     needs: [ context, build ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         task:
@@ -262,6 +274,9 @@ jobs:
     name: "Run CodeQL Analysis"
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # needed for Perform CodeQL Analysis
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -301,6 +316,8 @@ jobs:
   test-archetypes:
     runs-on: ubuntu-latest
     needs: [ context, build ]
+    permissions:
+      contents: read
     strategy:
       matrix:
         task:
@@ -396,6 +413,8 @@ jobs:
     if: ${{ github.event.inputs.run-blackduck-scan == 'true' }}
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -412,6 +431,8 @@ jobs:
     if: ${{ github.event.inputs.run-security-rating == 'true' }}
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed for Run FOSStars Rating
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6

.github/workflows/dependabot-automerge.yaml

@@ -14,6 +14,8 @@ env:
 jobs:
   review-prs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # all write operations use app token
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/deploy-snapshot.yaml

@@ -9,6 +9,8 @@ jobs:
   deploy-snapshot:
     name: Deploy Snapshot
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@v6

.github/workflows/fosstars-report.yml

@@ -8,6 +8,8 @@ jobs:
   create_fosstars_report:
     runs-on: ubuntu-latest
     name: "Security rating"
+    permissions:
+      contents: write # needed to push to branch
     steps:
       - uses: actions/checkout@v6
       - uses: SAP/fosstars-rating-core-action@v1.14.0

.github/workflows/javadoc.yaml

@@ -17,6 +17,8 @@ jobs:
   build:
     name: 'JavaDoc to Documentation Portal'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # all write operations use app token
 
     steps:
       - name: 'Prepare git'

.github/workflows/prepare-release.yaml

@@ -18,6 +18,8 @@ env:
   JAVA_VERSION: 17
   DOCS_REPO: SAP/cloud-sdk
 
+permissions: {}
+
 jobs:
   bump-version:
     name: 'Bump Version'
@@ -29,6 +31,8 @@ jobs:
       release-commit: ${{ steps.prepare-release.outputs.RELEASE_COMMIT_ID }}
       release-tag: ${{ steps.prepare-release.outputs.TAG_NAME }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed for git push
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v6
@@ -180,6 +184,8 @@ jobs:
     outputs:
       pr-url: ${{ steps.create-release-notes-pr.outputs.PR_URL }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # all write operations use app token
     steps:
       - name: 'Create GitHub App Token'
         id: app-token
@@ -269,6 +275,8 @@ jobs:
     outputs:
       pr-url: ${{ steps.create-code-pr.outputs.PR_URL }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # all write operations use app token
     steps:
       - name: 'Create GitHub App Token'
         id: app-token

.github/workflows/reuse.yaml

@@ -11,6 +11,8 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - name: REUSE Compliance Check

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliers.java

@@ -195,6 +195,7 @@ public OAuth2Options getOAuth2Options()
                     .peek(format -> builder.withTokenRetrievalParameter("token_format", format));
             }
             attachClientKeyStore(builder);
+            getCredential(URI.class, "btp-tenant-api").peek(builder::withBtpTenantApiBaseUri);
 
             return builder.build();
         }

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/IasTenantHostResolver.java

@@ -0,0 +1,90 @@
+package com.sap.cloud.sdk.cloudplatform.connectivity;
+
+import java.io.IOException;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+
+import javax.annotation.Nonnull;
+
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.core5.http.HttpStatus;
+import org.apache.hc.core5.http.io.entity.EntityUtils;
+import org.json.JSONObject;
+
+import com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException;
+
+import lombok.extern.slf4j.Slf4j;
+import lombok.val;
+
+/**
+ * Resolves the IAS tenant host for a given tenant ID by querying the BTP tenant API.
+ * <p>
+ * The endpoint returns OIDC metadata including a {@code token_endpoint}. The IAS host subdomain is extracted from the
+ * first host label of that URL, which identifies the IAS tenant.
+ */
+@Slf4j
+class IasTenantHostResolver
+{
+    static final IasTenantHostResolver DEFAULT_INSTANCE = new IasTenantHostResolver();
+    private static final String TENANT_INFO_ENDPOINT_TEMPLATE = "/sap/rest/tenantLoginInfo?id=%s";
+
+    private final CloseableHttpClient httpClient;
+
+    private IasTenantHostResolver()
+    {
+        this.httpClient = HttpClients.createDefault();
+    }
+
+    /**
+     * Queries {@code btpTenantApiUri} with {@code ?id=<tenantId>} and extracts the IAS tenant subdomain from the
+     * {@code token_endpoint} field in the JSON response.
+     *
+     * @param btpTenantApiUri
+     *            The full URL of the BTP tenant login-info endpoint.
+     * @param tenantId
+     *            The tenant ID (app_tid/subaccount ID) to look up.
+     * @return The subdomain extracted from the {@code token_endpoint} host.
+     * @throws DestinationAccessException
+     *             if the HTTP request fails, the response is not 200, or the subdomain cannot be parsed from the
+     *             response.
+     */
+    @Nonnull
+    String resolve( @Nonnull final URI btpTenantApiUri, @Nonnull final String tenantId )
+    {
+        val url = btpTenantApiUri.resolve(TENANT_INFO_ENDPOINT_TEMPLATE.formatted(tenantId));
+        log.debug("Dynamically resolving IAS tenant host for tenant '{}' via {}.", tenantId, url);
+        val req = new HttpGet(url);
+        try {
+            return httpClient.execute(req, response -> {
+                if( response.getCode() != HttpStatus.SC_OK ) {
+                    throw new DestinationAccessException(
+                        "Failed to query BTP tenant API: Server returned status code %d for GET request to '%s'."
+                            .formatted(response.getCode(), url));
+                }
+                val body = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
+                return extractSubdomainFromTokenEndpoint(body);
+            });
+        }
+        catch( IOException e ) {
+            throw new DestinationAccessException("Failed to query BTP tenant API: " + e.getMessage(), e);
+        }
+    }
+
+    @Nonnull
+    static String extractSubdomainFromTokenEndpoint( @Nonnull final String responseBody )
+    {
+        try {
+            final String tokenEndpoint = new JSONObject(responseBody).getString("token_endpoint");
+            final String host = URI.create(tokenEndpoint).getHost();
+            return host.substring(0, host.indexOf('.'));
+        }
+        catch( final Exception e ) {
+            throw new DestinationAccessException(
+                "Failed to extract IAS tenant host from the BTP tenant API response. The response did not conform to the expected format: "
+                    + responseBody,
+                e);
+        }
+    }
+}