Upgrade to Spring Boot 1.5.1

.gitignore

@@ -107,3 +107,4 @@ node-v4.4.0-darwin-x64
 
 env
 
+!/gradle/wrapper/gradle-wrapper.jar

build.gradle

@@ -8,7 +8,7 @@ buildscript {
 
     dependencies {
         classpath("org.springframework.boot:spring-boot-gradle-plugin:${spring_boot_version}")
-        classpath("io.spring.gradle:dependency-management-plugin:0.6.1.RELEASE")
+        classpath("io.spring.gradle:dependency-management-plugin:1.0.0.RELEASE")
         classpath("org.asciidoctor:asciidoctor-gradle-plugin:1.5.3")
         classpath("gradle.plugin.com.gorylenko.gradle-git-properties:gradle-git-properties:1.4.17")
         classpath("com.netflix.nebula:gradle-aggregate-javadocs-plugin:3.0.1")

genie-core/build.gradle

@@ -69,7 +69,6 @@ task generateJPAMetaModel(type: JavaCompile, group: "build", description: "Gener
     source = sourceSets.main.java
     outputs.dir generatedSourcesJavaDir
     destinationDir = generatedSourcesJavaDir
-    dependencyCacheDir = compileJava.dependencyCacheDir
     classpath = configurations.compile + configurations.jpaModelGen
     options.compilerArgs = [
             "-proc:only"

genie-docs/src/docs/asciidoc/_properties.adoc

@@ -330,7 +330,11 @@ property is true
 
 |management.security.enabled
 |Whether to enable basic security on the actuator endpoints
-|false
+|true
+
+|management.security.roles
+|The roles a user needs to have in order to access the Actuator endpoints
+|ADMIN
 
 |security.basic.enabled
 |Enable basic authentication
@@ -344,6 +348,10 @@ property is true
 |The secret for the oauth2 client
 |
 
+|security.oauth2.resource.filter-order
+|The order the OAuth2 resource filter is places within the spring security chain
+|3
+
 |security.oauth2.resource.id
 |Id of the resource server
 |

genie-docs/src/docs/asciidoc/_releaseNotes.adoc

@@ -7,11 +7,15 @@ The following are the release notes for Genie {revnumber}.
 * Spring Session support made more flexible
 ** Now can support none (off), Redis, JDBC and HashMap as session data stores based on spring.session.store-type
 property
+* Actuator endpoints secured by default
+** Follows new Spring default
+** Turn off by setting `management.security.enabled` to `false`
 
 === Library Upgrades
 
 * Upgrade Spring Boot from 1.3.8.RELEASE to {springBootVersion}
-** https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.4-Release-Notes[Release Notes]
+** https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.4-Release-Notes[1.4 Release Notes]
+** https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.5-Release-Notes[1.5 Release Notes]
 * Upgrade to Spring Platform IO {springPlatformVersion} for library dependency management
 ** http://docs.spring.io/platform/docs/Athens-SR2/reference/htmlsingle/[Reference Docs]
 * Upgrade to Spring Cloud {springCloudVersion} for cloud dependency management
@@ -28,6 +32,14 @@ to Spring Integration Zookeeper. That library is now used.
 |===
 |Property |Description| Default Value
 
+|management.security.roles
+|The roles a user needs to have in order to access the Actuator endpoints
+|ADMIN
+
+|security.oauth2.resource.filter-order
+|The order the OAuth2 resource filter is places within the spring security chain
+|3
+
 |spring.data.redis.repositories.enabled
 |Whether Spring data repositories should attempt to be created for Redis
 |true
@@ -49,6 +61,10 @@ for more information. Currently on classpath only none, hash_map, redis and jdbc
 |memory,genie,discoveryComposite
 |memory,genieMemory,discoveryComposite
 
+|management.security.enabled
+|false
+|true
+
 |===
 
 ==== Removed

genie-web/src/main/resources/application.yml

@@ -104,11 +104,14 @@ info:
 management:
   context-path: /actuator
   security:
-    enabled: false
+    roles: ADMIN
 
 security:
   basic:
     enabled: false
+  oauth2:
+    resource:
+      filter-order: 3
 
 spring:
   application:

genie-web/src/test/java/com/netflix/genie/web/security/AbstractAPISecurityIntegrationTests.java

@@ -93,12 +93,12 @@ public abstract class AbstractAPISecurityIntegrationTests {
     private static final String JOBS_API = "/api/v3/jobs";
 
     private static final ResultMatcher OK = MockMvcResultMatchers.status().isOk();
-    private static final ResultMatcher ACCEPTED = MockMvcResultMatchers.status().isAccepted();
     private static final ResultMatcher BAD_REQUEST = MockMvcResultMatchers.status().isBadRequest();
     private static final ResultMatcher CREATED = MockMvcResultMatchers.status().isCreated();
     private static final ResultMatcher NO_CONTENT = MockMvcResultMatchers.status().isNoContent();
     private static final ResultMatcher NOT_FOUND = MockMvcResultMatchers.status().isNotFound();
     private static final ResultMatcher FORBIDDEN = MockMvcResultMatchers.status().isForbidden();
+    private static final ResultMatcher UNAUTHORIZED = MockMvcResultMatchers.status().isUnauthorized();
 
     @Value("${management.context-path}")
     private String actuatorEndpoint;
@@ -149,7 +149,7 @@ public void cantCallAnyAPIIfUnauthenticated() throws Exception {
         this.get(CLUSTERS_API, expectedUnauthenticatedStatus);
         this.get(COMMANDS_API, expectedUnauthenticatedStatus);
         this.get(JOBS_API, expectedUnauthenticatedStatus);
-        this.checkActuatorEndpoints(OK);
+        this.checkActuatorEndpoints(UNAUTHORIZED);
     }
 
     /**
@@ -183,7 +183,7 @@ public void cantCallAdminAPIsAsRegularUser() throws Exception {
         this.get(JOBS_API + "/" + UUID.randomUUID().toString(), NOT_FOUND);
         this.delete(JOBS_API + "/" + UUID.randomUUID().toString(), NOT_FOUND);
 
-        this.checkActuatorEndpoints(OK);
+        this.checkActuatorEndpoints(FORBIDDEN);
     }
 
     /**
@@ -251,11 +251,14 @@ private void delete(final String endpoint, final ResultMatcher expectedStatus) t
     private void checkActuatorEndpoints(final ResultMatcher expectedResult) throws Exception {
         // See: https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html
         this.get(this.actuatorEndpoint + "/autoconfig", expectedResult);
+        this.get(this.actuatorEndpoint + "/auditevents", expectedResult);
         this.get(this.actuatorEndpoint + "/beans", expectedResult);
         this.get(this.actuatorEndpoint + "/configprops", expectedResult);
+        this.get(this.actuatorEndpoint + "/dump", expectedResult);
         this.get(this.actuatorEndpoint + "/env", expectedResult);
         this.get(this.actuatorEndpoint + "/health", OK);
-        this.get(this.actuatorEndpoint + "/info", expectedResult);
+        this.get(this.actuatorEndpoint + "/info", OK);
+        this.get(this.actuatorEndpoint + "/loggers", expectedResult);
         this.get(this.actuatorEndpoint + "/mappings", expectedResult);
         this.get(this.actuatorEndpoint + "/metrics", expectedResult);
         this.get(this.actuatorEndpoint + "/trace", expectedResult);

genie-web/src/test/java/com/netflix/genie/web/security/x509/X509ConfigIntegrationTests.java

@@ -25,7 +25,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.ResultMatcher;
 import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
 
@@ -36,10 +36,10 @@
  * @since 3.0.0
  */
 @Category(IntegrationTest.class)
-@RunWith(SpringJUnit4ClassRunner.class)
+@RunWith(SpringRunner.class)
 @SpringBootTest(classes = GenieWeb.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
 @ActiveProfiles({"integration"})
-@TestPropertySource(properties = {"genie.security.x509.enabled = true", "management.security.enabled = true"})
+@TestPropertySource(properties = {"genie.security.x509.enabled = true"})
 public class X509ConfigIntegrationTests extends AbstractAPISecurityIntegrationTests {
 
     /**

genie-web/src/test/resources/application-oauth2-pingfederate-remote.yml

@@ -25,10 +25,6 @@ genie:
         jwt:
           enabled: false
 
-management:
-  security:
-    enabled: true
-
 security:
   oauth2:
     client:

gradle.properties

@@ -19,9 +19,9 @@
 ## Spring Dependency Versions
 
 # Used in documentation and for including the Gradle plugin
-spring_boot_version=1.4.3.RELEASE
-spring_cloud_version=Camden.SR4
-spring_platform_version=Athens-SR2
+spring_boot_version=1.5.1.RELEASE
+spring_cloud_version=Camden.SR5
+spring_platform_version=Brussels-RC1
 
 ## Override Spring Platform IO Versions