HERESUP-27616 IAM-6079 Fix dependency vulnerabilities

here-oauth-client/pom.xml

@@ -81,8 +81,8 @@
     <dependencies>
         <!-- compile dependencies -->
         <dependency>
-            <groupId>org.ini4j</groupId>
-            <artifactId>ini4j</artifactId>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
@@ -105,7 +105,7 @@
             <scope>test</scope>
         </dependency>
         <dependency>
-            <groupId>com.ning</groupId>
+            <groupId>org.asynchttpclient</groupId>
             <artifactId>async-http-client</artifactId>
             <scope>test</scope>
         </dependency>

here-oauth-client/src/main/java/com/here/account/auth/provider/FromHereCredentialsIniStream.java

@@ -4,12 +4,16 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
+import java.util.Iterator;
 import java.util.Objects;
 import java.util.Properties;
 
 import com.here.account.util.Clock;
 import com.here.account.util.SettableSystemClock;
-import org.ini4j.Ini;
+import org.apache.commons.configuration2.INIConfiguration;
+import org.apache.commons.configuration2.ex.ConfigurationException;
+import org.apache.commons.configuration2.HierarchicalConfiguration;
+import org.apache.commons.configuration2.tree.ImmutableNode;
 
 import com.here.account.auth.OAuth1ClientCredentialsProvider;
 import com.here.account.http.HttpConstants.HttpMethods;
@@ -64,30 +68,38 @@ protected static ClientAuthorizationRequestProvider getClientCredentialsProvider
         try {
             Properties properties = getPropertiesFromIni(inputStream, sectionName);
             return FromSystemProperties.getClientCredentialsProviderWithDefaultTokenEndpointUrl(clock, properties);
-        } catch (IOException e) {
+        } catch (IOException | ConfigurationException e) {
             throw new RequestProviderException("trouble FromFile " + e, e);
         }
     }
 
     static final String DEFAULT_INI_SECTION_NAME = "default";
-
-    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException {
-        Ini ini = new Ini();
+
+    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException, ConfigurationException {
         try (Reader reader = new InputStreamReader(inputStream, OAuthConstants.UTF_8_CHARSET)) {
-            ini.load(reader);
-            Ini.Section section = ini.get(sectionName);
+            INIConfiguration ini = new INIConfiguration();
+            ini.read(reader);
+            HierarchicalConfiguration<ImmutableNode> section = ini.getSection(sectionName);
             Properties properties = new Properties();
-            properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY));
-            properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY));
-            properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY));
-            // scope is optional
-            String scope = section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY);
-            if (null != scope)
-                properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY, scope);
-
+            Iterator<String> it = section.getKeys();
+            while (it.hasNext()) {
+                String key = it.next();
+                String value = section.getString(key);
+                switch (key.replaceAll("\\.+", ".")) {
+                    case OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY, value);
+                        break;
+                    case OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY, value);
+                        break;
+                    case OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY, value);
+                        break;
+                    case OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY, value);
+                        break;
+                }
+            }
             return properties;
         }
     }

here-oauth-client/src/test/java/com/here/account/auth/SignatureCalculatorTest.java

@@ -15,12 +15,15 @@
  */
 package com.here.account.auth;
 
-import com.ning.http.client.FluentStringsMap;
-import com.ning.http.client.oauth.ConsumerKey;
-import com.ning.http.client.oauth.OAuthSignatureCalculator;
-import com.ning.http.client.oauth.RequestToken;
+import org.asynchttpclient.Param;
+import org.asynchttpclient.oauth.ConsumerKey;
+import org.asynchttpclient.oauth.OAuthSignatureCalculatorInstance;
+import org.asynchttpclient.oauth.RequestToken;
+import org.asynchttpclient.uri.Uri;
+import org.asynchttpclient.util.Utf8UrlEncoder;
 import org.junit.Test;
 
+import java.lang.reflect.Method;
 import java.security.*;
 import java.security.spec.*;
 import java.util.*;
@@ -49,7 +52,7 @@ public class SignatureCalculatorTest {
 
     /////////////////////////////// HMAC-SHA1 //////////////////////////////////////////
     @Test
-    public void testSignatureHmacSha1() {
+    public void testSignatureHmacSha1() throws Exception {
         String expectedSignature = computeSHA1SignatureUsingLibrary(baseURL, null, null);
 
         SignatureCalculator sc = new SignatureCalculator(consumerKey, consumerSecret);
@@ -59,7 +62,7 @@ public void testSignatureHmacSha1() {
     }
 
     @Test
-    public void testSignatureHmacSha1WithFormParams() {
+    public void testSignatureHmacSha1WithFormParams() throws Exception {
         String expectedSignature = computeSHA1SignatureUsingLibrary(baseURL, params, null);
 
         SignatureCalculator sc = new SignatureCalculator(consumerKey, consumerSecret);
@@ -69,7 +72,7 @@ public void testSignatureHmacSha1WithFormParams() {
     }
 
     @Test
-    public void testSignatureHmacSha1WithFormParamsWithSpacesInValue() {
+    public void testSignatureHmacSha1WithFormParamsWithSpacesInValue() throws Exception {
 
         Map<String, List<String>> nestedParams = new HashMap<>();
         nestedParams.put("http_method", Arrays.asList("POST"));
@@ -87,7 +90,7 @@ public void testSignatureHmacSha1WithFormParamsWithSpacesInValue() {
     }
 
     @Test
-    public void testSignatureHmacSha1WithQueryParams() {
+    public void testSignatureHmacSha1WithQueryParams() throws Exception {
         String expectedSignature = computeSHA1SignatureUsingLibrary(baseURL, null, params);
 
         SignatureCalculator sc = new SignatureCalculator(consumerKey, consumerSecret);
@@ -97,7 +100,7 @@ public void testSignatureHmacSha1WithQueryParams() {
     }
 
     @Test
-    public void testSignatureHmacSha1WithFormAndQueryParams() {
+    public void testSignatureHmacSha1WithFormAndQueryParams() throws Exception {
         String expectedSignature = computeSHA1SignatureUsingLibrary(baseURL, params, params);
 
         SignatureCalculator sc = new SignatureCalculator(consumerKey, consumerSecret);
@@ -107,7 +110,7 @@ public void testSignatureHmacSha1WithFormAndQueryParams() {
     }
 
     @Test
-    public void testSignatureHmacSha1WithBaseURLWithPort() {
+    public void testSignatureHmacSha1WithBaseURLWithPort() throws Exception {
         String expectedSignature = computeSHA1SignatureUsingLibrary(baseURLWithPort, params, params);
 
         SignatureCalculator sc = new SignatureCalculator(consumerKey, consumerSecret);
@@ -117,7 +120,7 @@ public void testSignatureHmacSha1WithBaseURLWithPort() {
     }
 
     @Test
-    public void testSignatureHmacSha1WithBaseURLWithNonStandardPort() {
+    public void testSignatureHmacSha1WithBaseURLWithNonStandardPort() throws Exception {
         String expectedSignature = computeSHA1SignatureUsingLibrary(baseURLWithNonStandardPort, params, params);
 
         SignatureCalculator sc = new SignatureCalculator(consumerKey, consumerSecret);
@@ -127,7 +130,7 @@ public void testSignatureHmacSha1WithBaseURLWithNonStandardPort() {
     }
 
     @Test
-    public void testVerifySha1Signature() {
+    public void testVerifySha1Signature() throws Exception {
         String expectedSignature = computeSHA1SignatureUsingLibrary(baseURLWithNonStandardPort, params, params);
 
         boolean verified = SignatureCalculator.verifySignature(consumerKey, method, baseURLWithNonStandardPort, timestamp, nonce,
@@ -260,23 +263,21 @@ public static KeyPair generateES512KeyPair()  {
         }
     }
 
-    private static String computeSHA1SignatureUsingLibrary(String url, Map<String, List<String>> formParams, Map<String, List<String>> queryParams) {
-        RequestToken emptyUserAuth = new RequestToken(null, "");
-        OAuthSignatureCalculator calculator = new OAuthSignatureCalculator(new ConsumerKey(consumerKey, consumerSecret), emptyUserAuth);
-
-        FluentStringsMap fluentFormParams = null;
-        if (null != formParams && !formParams.isEmpty()) {
-            fluentFormParams = new FluentStringsMap();
-            fluentFormParams.putAll(formParams);
-        }
+    private static String computeSHA1SignatureUsingLibrary(String url, Map<String, List<String>> formParams, Map<String, List<String>> queryParams) throws Exception {
+        Method computeSignature = OAuthSignatureCalculatorInstance.class.getDeclaredMethod("computeSignature", ConsumerKey.class, RequestToken.class, Uri.class, String.class, List.class, List.class, long.class, String.class);
+        computeSignature.setAccessible(true);
+        return (String) computeSignature.invoke(new OAuthSignatureCalculatorInstance(), new ConsumerKey(consumerKey, consumerSecret), new RequestToken(null, ""), Uri.create(url), method, toParamList(formParams), toParamList(queryParams), timestamp, Utf8UrlEncoder.percentEncodeQueryElement(nonce));
+    }
 
-        FluentStringsMap fluentQueryParams = null;
-        if (null != queryParams && !queryParams.isEmpty()) {
-            fluentQueryParams = new FluentStringsMap();
-            fluentQueryParams.putAll(queryParams);
+    private static List<Param> toParamList(Map<String, List<String>> paramMap) {
+        if (paramMap == null || paramMap.isEmpty()) return null;
+        List<Param> paramList = new ArrayList<>();
+        for (Map.Entry<String, List<String>> entry : paramMap.entrySet()) {
+            for (String value : entry.getValue()) {
+                paramList.add(new Param(entry.getKey(), value));
+            }
         }
-
-        return calculator.calculateSignature(method, url, timestamp, nonce, fluentFormParams, fluentQueryParams);
+        return paramList;
     }
 
     private static Map<String, List<String>> createParamsList() {

here-oauth-client/src/test/java/com/here/account/auth/provider/FromHereCredentialsIniStreamTest.java

@@ -20,6 +20,7 @@
 import com.here.account.http.HttpProvider.HttpRequestAuthorizer;
 import com.here.account.oauth2.ClientAuthorizationRequestProvider;
 import com.here.account.util.Clock;
+import org.apache.commons.configuration2.ex.ConfigurationException;
 import org.junit.Test;
 import org.mockito.Mockito;
 
@@ -84,7 +85,7 @@ public int read() throws IOException {
     }
 
     @Test(expected = RuntimeException.class)
-    public void test_invalid_stream() throws IOException {
+    public void test_invalid_stream() throws IOException, ConfigurationException {
         FromHereCredentialsIniStream.getPropertiesFromIni(null, TEST_DEFAULT_INI_SECTION_NAME);
     }
 

pom.xml

@@ -65,11 +65,11 @@
 
         <!-- Declare versions for dependencies -->
         <apache.httpclient.version>4.5.13</apache.httpclient.version>
-        <ini4j.version>0.5.4</ini4j.version>
-        <jackson.version>2.13.3</jackson.version>
+        <commons-configuration2.version>2.12.0</commons-configuration2.version>
+        <jackson.version>2.19.1</jackson.version>
         <junit.version>4.13.1</junit.version>
         <mockito.version>1.10.19</mockito.version>
-        <ning.version>1.8.17</ning.version>
+        <org.asynchttpclient.version>2.12.4</org.asynchttpclient.version>
         <browsermob.version>2.1.5</browsermob.version>
 
         <!-- configure surefire and maven to be individually skippable -->
@@ -105,9 +105,9 @@
     <dependencyManagement>
         <dependencies>
             <dependency>
-                <groupId>org.ini4j</groupId>
-                <artifactId>ini4j</artifactId>
-                <version>${ini4j.version}</version>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-configuration2</artifactId>
+                <version>${commons-configuration2.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>
@@ -139,9 +139,9 @@
                 <scope>test</scope>
             </dependency>
             <dependency>
-                <groupId>com.ning</groupId>
+                <groupId>org.asynchttpclient</groupId>
                 <artifactId>async-http-client</artifactId>
-                <version>${ning.version}</version>
+                <version>${org.asynchttpclient.version}</version>
                 <scope>test</scope>
             </dependency>
         </dependencies>