Merge pull request #181 from rostilos/1.5.7-rc

1.5.7 fix platform functional and security issues issues, fix surefire fork jvm exit warning

Author: rostilos

frontend

@@ -1,5 +1,5 @@
 # Core module IT properties (local copy — can't use test-support's)
-spring.jpa.hibernate.ddl-auto=create-drop
+spring.jpa.hibernate.ddl-auto=create
 spring.jpa.show-sql=false
 spring.jpa.properties.hibernate.format_sql=false
 spring.datasource.hikari.maximum-pool-size=5

java-ecosystem/libs/core/src/it/resources/application-it.properties

@@ -73,8 +73,7 @@
     opens org.rostilos.codecrow.core.model.workspace
             to org.hibernate.orm.core, spring.beans, spring.context, spring.core, org.rostilos.codecrow.vcs;
 
-    opens org.rostilos.codecrow.core.model.user
-            to org.hibernate.orm.core, spring.beans, spring.context, spring.core;
+    opens org.rostilos.codecrow.core.model.user;
 
     opens org.rostilos.codecrow.core.model.vcs
             to org.hibernate.orm.core, spring.beans, spring.context, spring.core, org.rostilos.codecrow.vcs;
@@ -89,6 +88,8 @@
     exports org.rostilos.codecrow.core.model.branch;
     exports org.rostilos.codecrow.core.persistence.repository.branch;
     exports org.rostilos.codecrow.core.model.project.config;
+    opens org.rostilos.codecrow.core.model.project.config to com.fasterxml.jackson.databind;
+
     exports org.rostilos.codecrow.core.model.analysis;
     exports org.rostilos.codecrow.core.persistence.repository.analysis;
 

java-ecosystem/libs/core/src/main/java/module-info.java

@@ -1,5 +1,6 @@
 package org.rostilos.codecrow.core.dto.qualitygate;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
 import org.rostilos.codecrow.core.model.qualitygate.QualityGate;
 
 import java.time.OffsetDateTime;
@@ -40,7 +41,9 @@ public static QualityGateDTO fromEntity(QualityGate entity) {
     public String getDescription() { return description; }
     public void setDescription(String description) { this.description = description; }
 
+    @JsonProperty("isDefault")
     public boolean isDefault() { return isDefault; }
+    @JsonProperty("isDefault")
     public void setDefault(boolean isDefault) { this.isDefault = isDefault; }
 
     public boolean isActive() { return active; }

java-ecosystem/libs/core/src/main/java/org/rostilos/codecrow/core/dto/qualitygate/QualityGateDTO.java

@@ -5,6 +5,7 @@
 
 import org.rostilos.codecrow.core.model.workspace.Workspace;
 import org.rostilos.codecrow.core.model.workspace.WorkspaceMember;
+import org.springframework.data.jpa.repository.EntityGraph;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Modifying;
 import org.springframework.data.jpa.repository.Query;
@@ -15,6 +16,7 @@
 public interface WorkspaceMemberRepository extends JpaRepository<WorkspaceMember, Long> {
     Optional<WorkspaceMember> findByWorkspaceIdAndUserId(Long workspaceId, Long userId);
     java.util.List<WorkspaceMember> findByUser_Id(Long userId);
+    @EntityGraph(attributePaths = "user")
     java.util.List<WorkspaceMember> findByWorkspace_Id(Long workspaceId);
     Long countByWorkspace_Id(Long workspaceId);
 
@@ -25,4 +27,4 @@ public interface WorkspaceMemberRepository extends JpaRepository<WorkspaceMember
     @Query("SELECT wm.workspace FROM WorkspaceMember wm " +
             "WHERE wm.user.id = :userId AND wm.status = 'ACTIVE'")
     List<Workspace> findActiveWorkspacesByUserId(@Param("userId") Long userId);
-}
+}

java-ecosystem/libs/core/src/main/java/org/rostilos/codecrow/core/persistence/repository/workspace/WorkspaceMemberRepository.java

@@ -24,4 +24,7 @@
     opens org.rostilos.codecrow.security.pipelineagent to spring.core, spring.beans, spring.context;
     opens org.rostilos.codecrow.security.pipelineagent.jwt to spring.core, spring.beans, spring.context;
     opens org.rostilos.codecrow.security.jwt.utils to spring.core, spring.beans, spring.context;
+    opens org.rostilos.codecrow.security.service to spring.core, spring.beans, spring.context;
+    opens org.rostilos.codecrow.security.web;
+    opens org.rostilos.codecrow.security.web.jwt to spring.core, spring.beans, spring.context;
 }

java-ecosystem/libs/security/src/main/java/module-info.java

@@ -18,7 +18,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
-@Configuration
+@Configuration(proxyBeanMethods = false)
 @EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
 public class PipelineAgentSecurityConfig {
     @Value("${codecrow.security.encryption-key}")
@@ -57,7 +57,7 @@ public ProjectInternalJwtFilter internalJwtFilter() {
     }
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, ProjectInternalJwtFilter internalJwtFilter) throws Exception {
         http.csrf(csrf -> csrf.disable())
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authorizeHttpRequests(auth ->
@@ -70,7 +70,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 );
 
         // Register internal project-level JWT validator before username/password filter
-        http.addFilterBefore(internalJwtFilter(), UsernamePasswordAuthenticationFilter.class);
+        http.addFilterBefore(internalJwtFilter, UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }

java-ecosystem/libs/security/src/main/java/org/rostilos/codecrow/security/pipelineagent/PipelineAgentSecurityConfig.java

@@ -37,7 +37,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
                                     FilterChain filterChain) throws ServletException, IOException {
         String requestUri = request.getRequestURI();
 
-        if (requestUri.startsWith(INTERNAL_API_PATH) || requestUri.startsWith(INTERNAL_PROJECTS_PATH)) {
+        if (isInternalApiRequest(requestUri)) {
             if (!validateInternalSecret(request, response)) {
                 return;
             }
@@ -46,6 +46,12 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
         filterChain.doFilter(request, response);
     }
 
+    private boolean isInternalApiRequest(String requestUri) {
+        return requestUri.startsWith(INTERNAL_API_PATH)
+                || requestUri.equals("/internal/projects")
+                || requestUri.startsWith(INTERNAL_PROJECTS_PATH);
+    }
+
     private boolean validateInternalSecret(HttpServletRequest request, HttpServletResponse response) 
             throws IOException {
         if (internalApiSecret == null || internalApiSecret.isBlank()) {

java-ecosystem/libs/security/src/main/java/org/rostilos/codecrow/security/web/InternalApiSecurityFilter.java

@@ -26,7 +26,7 @@
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
-@Configuration
+@Configuration(proxyBeanMethods = false)
 @EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
 public class WebSecurityConfig {
     @Value("${codecrow.security.encryption-key}")
@@ -57,15 +57,19 @@ public AuthTokenFilter authenticationJwtTokenFilter() {
     }
 
     @Bean
-    public DaoAuthenticationProvider authenticationProvider() {
+    public DaoAuthenticationProvider authenticationProvider(PasswordEncoder passwordEncoder) {
         DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
 
         authProvider.setUserDetailsService(userDetailsService);
-        authProvider.setPasswordEncoder(passwordEncoder());
+        authProvider.setPasswordEncoder(passwordEncoder);
 
         return authProvider;
     }
 
+    public DaoAuthenticationProvider authenticationProvider() {
+        return authenticationProvider(passwordEncoder());
+    }
+
     @Bean
     public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
         return authConfig.getAuthenticationManager();
@@ -104,9 +108,14 @@ public CorsConfigurationSource corsConfigurationSource() {
     }
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(
+            HttpSecurity http,
+            CorsConfigurationSource corsConfigurationSource,
+            DaoAuthenticationProvider authenticationProvider,
+            AuthTokenFilter authTokenFilter
+    ) throws Exception {
         http.csrf(AbstractHttpConfigurer::disable)
-                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+                .cors(cors -> cors.configurationSource(corsConfigurationSource))
                 .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler))
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 // Allow framing from Bitbucket for Connect App configure page
@@ -133,6 +142,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                         // GitHub App webhooks (installation lifecycle, no user session)
                         .requestMatchers("/api/integrations/*/app/webhook").permitAll()
                         .requestMatchers("/actuator/**").permitAll()
+                        .requestMatchers("/internal/projects").permitAll()
                         .requestMatchers("/internal/projects/**").permitAll()
                         .requestMatchers("/api/internal/**").permitAll()
                         .requestMatchers("/swagger-ui-custom.html").permitAll()
@@ -149,9 +159,9 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                         .requestMatchers("/api/webhooks/**").permitAll()
                         .anyRequest().authenticated());
 
-        http.authenticationProvider(authenticationProvider());
+        http.authenticationProvider(authenticationProvider);
 
-        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
+        http.addFilterBefore(authTokenFilter, UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }

java-ecosystem/libs/security/src/main/java/org/rostilos/codecrow/security/web/WebSecurityConfig.java

@@ -11,7 +11,7 @@
 /**
  * Meta-annotation for JPA/Repository integration tests.
  * <p>
- * Starts a shared Testcontainers PostgreSQL, uses create-drop DDL,
+ * Starts a shared Testcontainers PostgreSQL, creates schema on context start,
  * activates the "it" profile.
  */
 @Target(ElementType.TYPE)