Merge branch 'develop' into bugfix/location_level_issue_599

.github/dependabot.yml

@@ -14,30 +14,17 @@ updates:
     reviewers:
       - "@MikeNeilson"
       - "@DanielTOsborne"
-  - package-ecosystem: "gradle"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    groups:
-      alldependencies:
-        patterns:
-          - "*"
-        update-types:
-          - "major"
-    reviewers:
-      - "@MikeNeilson"
-      - "@DanielTOsborne"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     groups:
-      alldependencies:
+      github-action-dependencies:
         patterns:
           - "*"
         update-types:
           - "minor"
           - "patch"
     reviewers:
       - "@MikeNeilson"
-      - "@DanielTOsborne"
+      - "@DanielTOsborne"

.github/workflows/build.yml

@@ -17,17 +17,18 @@ jobs:
       thewar: ${{steps.thebuild.outputs.WARFILE}}
     steps:
       - name: checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4.2.1
       - name: setup java
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v4.4.0
         with:
+          distribution: 'temurin'
           java-version: '8'
-          java-package: jdk
+          cache: 'gradle'
       - name: build and test
         id: thebuild
         run: ./gradlew build --info --init-script init.gradle
       - name: Upload WAR
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4.4.3
         with:
           name: warfile
           path: cwms-data-api/build/libs/${{steps.thebuild.outputs.WARFILE}}
@@ -43,53 +44,32 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4.2.1
       - name: setup java
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v4.4.0
         with:
+          distribution: 'temurin'
           java-version: '8'
-          java-package: jdk
+          cache: 'gradle'
       - name: Download all workflow run artifacts from build
         id: artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4.1.8
         with:
           path: ./
       - name: get version
         id: get_version
         run: .github/workflows/get_version.sh
       - name: show version
         run: echo ${VERSION}
-      - name: tag repo
-        uses: actions/github-script@v3
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            github.git.createRef({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              ref: "refs/tags/${{env.VERSION}}",
-              sha: context.sha
-            })
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN }}
+        uses: softprops/[email protected]
         with:
+          files: warfile/${{ needs.build.outputs.thewar}}
           tag_name: ${{env.VERSION}}
-          release_name: Release ${{env.VERSION}}
-      - name: Upload Tomcat War
-        id: upload-war
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: warfile/${{ needs.build.outputs.thewar}}
-          asset_name: ${{ env.WAR_FILE_NAME}}
-          asset_content_type: application/x-webarchive
+          generate_release_notes: true
       - name: Login to Alt Registry
-        uses: docker/login-action@v2.0.0
+        uses: docker/login-action@v3.3.0
         id: login-alt
         with:
           registry: ${{ secrets.ALT_REGISTRY }}
@@ -108,68 +88,3 @@ jobs:
       - name: Logout of ALT registry
         if: ${{ always() }}
         run: docker logout ${{ steps.login-alt.outputs.registry }}
-
-
-  publish:
-    if: github.event_name == 'push' && startsWith(github.ref,'refs/heads/develop')
-    name: API Container Image
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-    needs: build
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - name: checkout code
-        uses: actions/checkout@v2
-      - name: setup java
-        uses: actions/setup-java@v1
-        with:
-          java-version: '8'
-          java-package: jdk
-      - name: get Data-API version
-        id: get_version
-        run: .github/workflows/get_version.sh
-      - name: Configure AWS credentials
-        if: ${{ always() }}
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.CWBICI_DEVELOP_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.CWBICI_DEVELOP_AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.CWBICI_DEVELOP_AWS_REGION }}
-      - name: Login to Amazon ECR
-        if: ${{ success() }}
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
-      - name: Login to Alt Registry
-        uses: docker/[email protected]
-        id: login-alt
-        with:
-          registry: ${{ secrets.ALT_REGISTRY }}
-          username: ${{ secrets.ALT_REG_USER }}
-          password: ${{ secrets.ALT_REG_PASSWORD }}
-      - name: Build, tag, and push image to Amazon ECR (cwms/data-api)
-        if: ${{ success() }}
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          # do not change to cwms-data-api; upstream config also requires change
-          ECR_REPOSITORY: cwms-radar-api
-          IMAGE_TAG: ${{env.VERSION}}
-          ALT_REGISTRY: ${{ secrets.ALT_REGISTRY }}
-        run: |
-          docker build -t cda:build-latest .
-
-          docker tag cda:build-latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
-          docker tag cda:build-latest $ECR_REGISTRY/$ECR_REPOSITORY:latest
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
-
-          docker tag cda:build-latest $ALT_REGISTRY/cwms/data-api:$IMAGE_TAG
-          docker tag cda:build-latest $ALT_REGISTRY/cwms/data-api:latest-dev
-          docker push $ALT_REGISTRY/cwms/data-api:$IMAGE_TAG
-          docker push $ALT_REGISTRY/cwms/data-api:latest-dev
-      - name: Logout of Amazon ECR
-        if: ${{ always() }}
-        run: docker logout ${{ steps.login-ecr.outputs.registry }}
-      - name: Logout of ALT registry
-        if: ${{ always() }}
-        run: docker logout ${{ steps.login-alt.outputs.registry }}

.github/workflows/codeql.yml

@@ -14,24 +14,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.2.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3.24.10
+        uses: github/codeql-action/init@v3.26.13
         with:
           languages: 'java'
       - name: setup java
-        uses: actions/setup-java@v4.2.1
+        uses: actions/setup-java@v4.4.0
         with:
           java-version: '8'
           java-package: jdk
           distribution: 'temurin'
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v3.1.0
+        uses: gradle/gradle-build-action@v3.5.0
         with:
           dependency-graph: generate-and-submit
       - name: build and test
         id: build
         run: ./gradlew build --info --init-script init.gradle
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3.24.10
+        uses: github/codeql-action/analyze@v3.26.13

CONTRIBUTING.md

@@ -101,6 +101,29 @@ However, *DO NOT* be afraid to say, "that looks terrible", and tweak it until it
        Otherwise JOOQ creates a new name each time the query is run which can starved the shared memory.
 
 2. Joins are your friend. They are a much better friend IF you let the database do them for you. Do not pull data into java just to do a join. Write the appropriate SQL.
+3. Whenever possible limit by office first.
+
+#### Database version support
+
+1. Given we have active development of both the API and the database and things are not always available at the same time, it is reasonable to gate new features behind a database version check and return an appropriate error message.
+   This is preffered over default errors of things not working
+
+2. If it is known that an integration test requires a specific database version it should be gated behind a EnableIfSchemaVersion (NOTE: not implemented at the time of this writing) annotation so streamline automated testing results.
+
+#### Tests
+
+1. Assume the following when creating and naming your test:
+   a. Someone will come in cold to the entire project.
+   b. The tests will be used by API users to guide their client application designs
+3. For repeated tests with different, but very similar data, ParameterizedTests are preferred.
+4. In integration tests for data that should be cleaned up after all tests register them with the functions available in the base class. Create if reasonable.
+5. If it adds clarity, do not be afraid to use the `@Order` annotation to sequence tests. (See the [ApiKey Controller Test](https://github.com/USACE/cwms-data-api/blob/develop/cwms-data-api/src/test/java/cwms/cda/api/auth/ApiKeyControllerTestIT.java) for an example)
+6. Prefer disabling test by database schema version, if that does work use `EnabledIfProperty` and share a property name between related tests.
+7. Use "real" names for data in test data set. Either use actual real location/project/basin/etc names, or make up something that feels like one.
+  a. NOTE: within reason. Location names, absolutely, but otherwise make sure the purpose of the name is clear.
+8. Name files consistent with the purpose of the test.
+
+
 
 ## Submitting an Issue
 

Dockerfile

@@ -5,19 +5,21 @@ WORKDIR /builddir
 COPY . /builddir/
 RUN  gradle clean prepareDockerBuild --info --no-daemon
 
-FROM alpine:3.19.0 as tomcat_base
-RUN apk update && apk upgrade --no-cache
-RUN apk add openjdk8-jre curl
-RUN apk add --no-cache bash
+FROM alpine:3.20.3 as tomcat_base
+RUN apk --no-cache upgrade && \
+    apk --no-cache add \
+        openjdk8-jre \
+        curl \
+        bash
 
 
 RUN mkdir /download && \
     cd /download && \
-    wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.91/bin/apache-tomcat-9.0.91.tar.gz && \
-    echo "b22054c9141782232a693765d23d944f0f50774af17dd8968331e020b425e71459b5877a7ba8c2121246a5ce47e6b6a31c3f4215ef133e942da45b49cb534948 *apache-tomcat-9.0.91.tar.gz" > checksum.txt && \
+    wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.93/bin/apache-tomcat-9.0.93.tar.gz && \
+    echo "3069924eb7041ccc0f2aeceb7d8626793a1a073a5b739a840d7974a18ebeb26cc3374cc5f4a3ffc74d3b019c0cb33e3d1fe96296e6663ac75a73c1171811726d *apache-tomcat-9.0.93.tar.gz" > checksum.txt && \
     sha512sum -c checksum.txt && \
     tar xzf apache-tomcat-*tar.gz && \
-    mv apache-tomcat-9.0.91 /usr/local/tomcat/ && \
+    mv apache-tomcat-9.0.93 /usr/local/tomcat/ && \
     cd / && \
     rm -rf /download
 CMD ["/usr/local/tomcat/bin/catalina.sh","run"]
@@ -38,10 +40,12 @@ ENV CDA_POOL_INIT_SIZE "5"
 ENV CDA_POOL_MAX_ACTIVE "30"
 ENV CDA_POOL_MAX_IDLE "10"
 ENV CDA_POOL_MIN_IDLE "5"
-ENV cwms.dataapi.access.providers ""
-ENV cwms.dataapi.access.openid.wellKnownUrl ""
-ENV cwms.dataapi.access.openid.issuer ""
+ENV cwms.dataapi.access.providers "KeyAccessManager,OpenID"
+ENV cwms.dataapi.access.openid.wellKnownUrl "https://identity-test.cwbi.us/auth/realms/cwbi/.well-known/openid-configuration"
+ENV cwms.dataapi.access.openid.issuer "https://identity-test.cwbi.us/auth/realms/cwbi"
 ENV cwms.dataapi.access.openid.timeout "604800"
+ENV cwms.dataapi.access.openid.altAuthUrl "https://identityc-test.cwbi.us/auth/realms/cwbi"
+
 # used to simplify redeploy in certain contexts. Update to match -<marker> in image label
 ENV IMAGE_MARKER="a"
 EXPOSE 7000

build.gradle

@@ -6,5 +6,5 @@ plugins {
 allprojects {
     apply plugin: 'cda.java-conventions'
     group = 'mil.army.usace.hec.cwms'
-    version = '3.1.5-SNAPSHOT' // ApiServlet.VERSION should be updated to match MAJOR.MINOR changes.
+    version = '3.1.6-SNAPSHOT' // ApiServlet.VERSION should be updated to match MAJOR.MINOR changes.
 }

buildSrc/build.gradle

@@ -6,3 +6,7 @@ repositories {
     gradlePluginPortal() // so that external plugins can be resolved in dependencies section
     mavenCentral()
 }
+
+dependencies {
+    implementation 'org.owasp:dependency-check-gradle:10.0.3'
+}

buildSrc/src/main/groovy/cda.java-conventions.gradle

@@ -2,6 +2,7 @@ plugins {
     id 'java'
     id 'checkstyle'
     id 'jacoco'
+    id 'org.owasp.dependencycheck'
 }
 
 eclipse {

cwms-data-api/build.gradle

@@ -16,6 +16,13 @@ configurations.implementation {
     exclude group: 'com.oracle.database.jdbc'
 }
 
+configurations.all {
+    exclude group: 'dom4j'
+    exclude group: 'org.apache.xmlbeans'
+    exclude group: 'org.apache.poi'
+    exclude group: 'org.bouncycastle'
+}
+
 dependencies {
     implementation(libs.jaxb.api)
     implementation(libs.jaxb.core)
@@ -62,7 +69,9 @@ dependencies {
     implementation(libs.google.errorProne)
     runtimeOnly(libs.google.flogger.backend)
 
-    implementation(libs.nucleus.data)
+    implementation(libs.nucleus.data) {
+        exclude group: "org.jdom"
+    }
     implementation(libs.nucleus.metadata)
     implementation(libs.cwms.ratings.core) {
 
@@ -144,6 +153,9 @@ dependencies {
         transitive = false
     }
 
+
+    // override versions
+    implementation(libs.bundles.overrides)
 }
 
 task extractWebJars(type: Copy) {

cwms-data-api/src/docker/server.xml

@@ -45,6 +45,8 @@
 
     <Connector port="7000" protocol="HTTP/1.1"
                connectionTimeout="20000" scheme="https" secure="true"
+               acceptCount="500" disableUploadTimeout="true" server="cwms-data-api"
+               maxThreads="200" relaxedPathChars="[]" relaxedQueryChars="[]"
                >
                <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      </Connector>