HERESUP-27616 IAM-6079 Replace ini4j dependency to apache commons-configuration2, update jackson-databind and async-http-client version to fix high risk vulnerablity"

Signed-off-by: ashikuma <ashish.kumar@here.com>

Author: ashishKhushiKumar

.github/workflows/test.yml

@@ -8,7 +8,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: $HOME/.m2
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

here-oauth-client/pom.xml

@@ -81,8 +81,8 @@
     <dependencies>
         <!-- compile dependencies -->
         <dependency>
-            <groupId>org.ini4j</groupId>
-            <artifactId>ini4j</artifactId>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>

here-oauth-client/src/main/java/com/here/account/auth/provider/FromHereCredentialsIniStream.java

@@ -9,7 +9,10 @@
 
 import com.here.account.util.Clock;
 import com.here.account.util.SettableSystemClock;
-import org.ini4j.Ini;
+import org.apache.commons.configuration2.INIConfiguration;
+import org.apache.commons.configuration2.ex.ConfigurationException;
+import org.apache.commons.configuration2.HierarchicalConfiguration;
+import org.apache.commons.configuration2.tree.ImmutableNode;
 
 import com.here.account.auth.OAuth1ClientCredentialsProvider;
 import com.here.account.http.HttpConstants.HttpMethods;
@@ -64,27 +67,27 @@ protected static ClientAuthorizationRequestProvider getClientCredentialsProvider
         try {
             Properties properties = getPropertiesFromIni(inputStream, sectionName);
             return FromSystemProperties.getClientCredentialsProviderWithDefaultTokenEndpointUrl(clock, properties);
-        } catch (IOException e) {
+        } catch (IOException | ConfigurationException e) {
             throw new RequestProviderException("trouble FromFile " + e, e);
         }
     }
 
     static final String DEFAULT_INI_SECTION_NAME = "default";
-    
-    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException {
-        Ini ini = new Ini();
+
+    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException, ConfigurationException {
         try (Reader reader = new InputStreamReader(inputStream, OAuthConstants.UTF_8_CHARSET)) {
-            ini.load(reader);
-            Ini.Section section = ini.get(sectionName);
+            INIConfiguration ini = new INIConfiguration();
+            ini.read(reader);
             Properties properties = new Properties();
+            HierarchicalConfiguration<ImmutableNode> section = ini.getSection(sectionName);
             properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY));
+                    section.getString(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY));
             properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY));
+                    section.getString(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY));
             properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY));
+                    section.getString(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY));
             // scope is optional
-            String scope = section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY);
+            String scope = section.getString(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY);
             if (null != scope)
                 properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY, scope);
 

here-oauth-client/src/test/java/com/here/account/auth/SignatureCalculatorTest.java

@@ -16,9 +16,11 @@
 package com.here.account.auth;
 
 import com.ning.http.client.FluentStringsMap;
+import com.ning.http.client.Param;
 import com.ning.http.client.oauth.ConsumerKey;
 import com.ning.http.client.oauth.OAuthSignatureCalculator;
 import com.ning.http.client.oauth.RequestToken;
+import com.ning.http.client.uri.Uri;
 import org.junit.Test;
 
 import java.security.*;
@@ -264,19 +266,20 @@ private static String computeSHA1SignatureUsingLibrary(String url, Map<String, L
         RequestToken emptyUserAuth = new RequestToken(null, "");
         OAuthSignatureCalculator calculator = new OAuthSignatureCalculator(new ConsumerKey(consumerKey, consumerSecret), emptyUserAuth);
 
-        FluentStringsMap fluentFormParams = null;
-        if (null != formParams && !formParams.isEmpty()) {
-            fluentFormParams = new FluentStringsMap();
-            fluentFormParams.putAll(formParams);
-        }
+        return calculator.calculateSignature(method, Uri.create(url), timestamp, nonce, convertToParamList(formParams), convertToParamList(queryParams));
+    }
 
-        FluentStringsMap fluentQueryParams = null;
-        if (null != queryParams && !queryParams.isEmpty()) {
-            fluentQueryParams = new FluentStringsMap();
-            fluentQueryParams.putAll(queryParams);
+    private static List<Param> convertToParamList(Map<String, List<String>> paramMap) {
+        List<Param> paramList = new ArrayList<>();
+        if (paramMap != null) {
+            for (Map.Entry<String, List<String>> entry : paramMap.entrySet()) {
+                String key = entry.getKey();
+                for (String value : entry.getValue()) {
+                    paramList.add(new Param(key, value));
+                }
+            }
         }
-
-        return calculator.calculateSignature(method, url, timestamp, nonce, fluentFormParams, fluentQueryParams);
+        return paramList;
     }
 
     private static Map<String, List<String>> createParamsList() {

here-oauth-client/src/test/java/com/here/account/auth/provider/FromHereCredentialsIniStreamTest.java

@@ -23,6 +23,7 @@
 import org.junit.Test;
 import org.mockito.Mockito;
 
+import org.apache.commons.configuration2.ex.ConfigurationException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -84,7 +85,7 @@ public int read() throws IOException {
     }
 
     @Test(expected = RuntimeException.class)
-    public void test_invalid_stream() throws IOException {
+    public void test_invalid_stream() throws IOException, ConfigurationException {
         FromHereCredentialsIniStream.getPropertiesFromIni(null, TEST_DEFAULT_INI_SECTION_NAME);
     }
 

pom.xml

@@ -65,11 +65,11 @@
 
         <!-- Declare versions for dependencies -->
         <apache.httpclient.version>4.5.13</apache.httpclient.version>
-        <ini4j.version>0.5.4</ini4j.version>
-        <jackson.version>2.13.3</jackson.version>
+        <commons-configuration2.version>2.12.0</commons-configuration2.version>
+        <jackson.version>2.13.4.2</jackson.version>
         <junit.version>4.13.1</junit.version>
         <mockito.version>1.10.19</mockito.version>
-        <ning.version>1.8.17</ning.version>
+        <ning.version>1.9.0</ning.version>
         <browsermob.version>2.1.5</browsermob.version>
 
         <!-- configure surefire and maven to be individually skippable -->
@@ -105,9 +105,9 @@
     <dependencyManagement>
         <dependencies>
             <dependency>
-                <groupId>org.ini4j</groupId>
-                <artifactId>ini4j</artifactId>
-                <version>${ini4j.version}</version>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-configuration2</artifactId>
+                <version>${commons-configuration2.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>