Skip to content

Commit 73d0d37

Browse files
authored
Fixed: remove generateSecretKeys dependency from test to improve build caching
The `test` task depends on `generateSecretKeys`, which writes new random values to `framework/security/config/security.properties` on every build. Since this file is part of the main resource source set (`config/` dirs are included via `getDirectoryInActiveComponentsIfExists('config')`), changing it causes cascading Gradle build cache misses for: - `:compileTestGroovy` — classpath includes main resources - `:checkstyleMain` — classpath includes `sourceSets.main.output` - `:checkstyleTest` — same reason - `:test` — classpath + test classes differ This commit: 1. Removes `dependsOn 'generateSecretKeys'` from the `test` task — the main `security.properties` is no longer mutated during `build` 2. Adds a test-specific `security.properties` in `framework/security/src/test/resources/` with fixed keys — this shadows the main config on the test classpath so unit tests that require JWT keys (e.g. `ModelFormTest`) continue to work The `generateSecretKeys` task is unchanged and remains available for manual use (`./gradlew generateSecretKeys`) and as a dependency of `loadAll`.
1 parent 5a6790b commit 73d0d37

2 files changed

Lines changed: 48 additions & 2 deletions

File tree

build.gradle

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -371,12 +371,10 @@ eclipse.classpath.file.whenMerged { classpath ->
371371
tasks.eclipse.dependsOn(cleanEclipse)
372372

373373
test {
374-
dependsOn 'generateSecretKeys'
375374
useJUnit()
376375
jvmArgs "-javaagent:${classpath.find { it.name.contains('jmockit') }.absolutePath}"
377376
}
378377

379-
processResources.mustRunAfter 'generateSecretKeys'
380378

381379
/* ========================================================
382380
* Tasks
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
##############################################################################
2+
# Licensed to the Apache Software Foundation (ASF) under one
3+
# or more contributor license agreements. See the NOTICE file
4+
# distributed with this work for additional information
5+
# regarding copyright ownership. The ASF licenses this file
6+
# to you under the Apache License, Version 2.0 (the
7+
# "License"); you may not use this file except in compliance
8+
# with the License. You may obtain a copy of the License at
9+
#
10+
# http://www.apache.org/licenses/LICENSE-2.0
11+
#
12+
# Unless required by applicable law or agreed to in writing,
13+
# software distributed under the License is distributed on an
14+
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15+
# KIND, either express or implied. See the License for the
16+
# specific language governing permissions and limitations
17+
# under the License.
18+
###############################################################################
19+
####
20+
# OFBiz Security Settings
21+
####
22+
23+
# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
24+
# Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
25+
# The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
26+
# Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
27+
login.secret_key_string=ZdxxqjX87e6CR9Rf5pAzA+GTX4DP2T0H3bimGaDGA59OytU/tVQ7AC7N9PUA9e17
28+
29+
# -- The secret key for the JWT token signature.
30+
# Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
31+
# The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
32+
# Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
33+
security.token.key=TzWl/rNavz7VYMc6sxDpf8Yon6NnkbUfrL4JrscJBdTEx3vtwQQ7Mt0wk/TtZXUn
34+
35+
#-- To accept the execution on some groovy script who match the deniedScriptletsTokens regExp, put their hash here.
36+
#-- like allowedScriptletHashes={SHA}59f8ab616b3878ddf825ea50c13ce603a3a6c5a9,{SHA}59f5ab516b3878ddf825ea50c13ce603a3a6c5a9
37+
allowedScriptletHashes= {SHA}4e025676cfa6df142e3457099271ecdcd1c1f5f9,{SHA}d8451d7509ae73421974f47752b6e9eef7503041,{SHA}edf12cf95597d52eacc14020a85a8df2abb34ab7
38+
39+
#-- RegExp to secure groovy script execution. If the regExp match a script, it would be disabled and OFBiz run nothing.
40+
#-- In this case, you will have on log the original script with it hash. The hash can be added on allowedScriptletHashes
41+
#-- properties to accept it on the next execution.
42+
deniedScriptletsTokens=java\\s*\.|import\\s|embed[^\\w]|process[^\\w]|class[^\\w]|require[^\\w]\
43+
|\.\\s*.exec.*[\(|\\s]|\.\\s*calc.*[\(|\\s]|\.\\s*.eval.*[\(|\\s]|Eval\\s*\.|\\s+File\
44+
|System\\s*\.|\.\\s*codehaus|\.\\s*groovy[^:]|\.\\s*runtime\|groovyx\\s*\.
45+
46+
#-- If you want to deactivate the security control on each groovy script set to false.
47+
# Warn ensure to be sure on what you do because this can open the door for code injection
48+
useDeniedScriptletsTokens=true

0 commit comments

Comments
 (0)