Merge branch 'release/v0.31.0'

.circleci/config.yml

@@ -2516,7 +2516,7 @@ commands:
 orbs:
   maven: circleci/maven@1.0.1
   openjdk-install: cloudesire/openjdk-install@1.2.3
-  sonarcloud: sonarsource/sonarcloud@1.0.2
+  sonarcloud: sonarsource/sonarcloud@2.0.0
 
 executors:
   # https://hub.docker.com/u/cimg (circleci next-gen docker images)

.github/dependabot.yml

@@ -12,3 +12,8 @@ updates:
     ignore:
        - dependency-name: "*"
          update-types: ["version-update:semver-major"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"

.github/workflows/build-multiarch-image-latest.yml

@@ -15,27 +15,27 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
       -
         name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       -
         name: Build and push (AMD64)
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64
           push: true
           tags: ehrbase/ehrbase:latest-amd64
       -
         name: Build and push (ARM64)
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/arm64

.github/workflows/build-multiarch-image-next.yml

@@ -31,27 +31,27 @@ jobs:
           # Set as Environment for all further steps 
           echo "TAG=${v}" >> $GITHUB_ENV
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Build and push (AMD64)
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64
           push: true
           tags: ehrbase/ehrbase:${{env.TAG}}-amd64
 
       - name: Build and push (ARM64)
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/arm64

.github/workflows/build-multiarch-image-tag.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       -
         name: Create TAG ENV from version of release Branch
         run: |
@@ -27,24 +27,24 @@ jobs:
           echo "TAG=$TAG" >> $GITHUB_ENV
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
       -
         name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       -
         name: Build and push (AMD64)
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64
           push: true
           tags: ehrbase/ehrbase:tag-amd64
       -
         name: Build and push (ARM64)
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/arm64

.github/workflows/build.yml

@@ -33,12 +33,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Java
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: '17'
@@ -48,7 +48,7 @@ jobs:
         run: mvn -B verify
 
       - name: Setup Maven Central
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: '17'

.github/workflows/codeql.yml

@@ -53,10 +53,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Java
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: '17'

.github/workflows/jdk-compat-robot.yml

@@ -36,12 +36,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Java
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
@@ -69,7 +69,7 @@ jobs:
           cat /var/tmp/log.txt
           
       - name: Checkout robot
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository: ehrbase/integration-tests

.github/workflows/jdk-compat.yml

@@ -28,12 +28,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Java
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       # Install the sdk main in the local repo so maven version plugin can find them
       - name: Checkout SDK main
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository: ehrbase/openEHR_SDK
@@ -33,7 +33,7 @@ jobs:
         run: mvn install -Dmaven.test.skip=true
       # Install the sdk dev in the local repo so maven version plugin can find them
       - name: Checkout SDK dev
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository: ehrbase/openEHR_SDK
@@ -46,7 +46,7 @@ jobs:
         run: mvn install
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           # This will be used by git in all further steps

CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.31.0]
+ ### Added
+ ### Changed 
+ - Upgrade openEHR_SDK to version 2.3.0 see https://github.com/ehrbase/openEHR_SDK/blob/develop/CHANGELOG.md 
+ - Migrated to spring boot 3 ([#1174](https://github.com/ehrbase/ehrbase/pull/1174))
+ - Removed authorization scopes from endpoints and added support for overwriting controllers ([#1157](https://github.com/ehrbase/ehrbase/pull/1157))
+ ### Fixed
+ - Fix audit logs location ([#1160](https://github.com/ehrbase/ehrbase/pull/1160))
+ - Address AQL query security vulnerabilities ([#1190](https://github.com/ehrbase/ehrbase/pull/1190))
+
 ## [0.30.0]
  ### Added
  ### Changed 
@@ -685,3 +695,4 @@ the next release this file will provide a proper overview.
 [0.28.0]: https://github.com/ehrbase/ehrbase/compare/v0.27.4...v0.28.0
 [0.29.0]: https://github.com/ehrbase/ehrbase/compare/v0.28.0...v0.29.0
 [0.30.0]: https://github.com/ehrbase/ehrbase/compare/v0.29.0...v0.30.0
+[0.31.0]: https://github.com/ehrbase/ehrbase/compare/v0.30.0...v0.31.0

api/pom.xml

@@ -26,7 +26,7 @@
     <parent>
         <groupId>org.ehrbase.openehr</groupId>
         <artifactId>server</artifactId>
-        <version>0.30.0</version>
+        <version>0.31.0</version>
     </parent>
 
     <artifactId>api</artifactId>

api/src/main/java/org/ehrbase/api/authorization/EhrbaseAuthorizations.java → api/src/main/java/org/ehrbase/api/annotations/EhrbaseSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 vitasystems GmbH and Hannover Medical School.
+ * Copyright (c) 2023 vitasystems GmbH and Hannover Medical School.
  *
  * This file is part of project EHRbase
  *
@@ -15,18 +15,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.ehrbase.api.authorization;
+package org.ehrbase.api.annotations;
 
 import static java.lang.annotation.RetentionPolicy.RUNTIME;
 
 import java.lang.annotation.ElementType;
-import java.lang.annotation.Inherited;
 import java.lang.annotation.Retention;
 import java.lang.annotation.Target;
 
-@Inherited
 @Retention(RUNTIME)
 @Target(ElementType.METHOD)
-public @interface EhrbaseAuthorizations {
-    EhrbaseAuthorization[] value();
-}
+public @interface EhrbaseSecurity {}

application/pom.xml

@@ -26,16 +26,18 @@
     <parent>
         <groupId>org.ehrbase.openehr</groupId>
         <artifactId>server</artifactId>
-        <version>0.30.0</version>
+        <version>0.31.0</version>
     </parent>
 
     <artifactId>application</artifactId>
+    <packaging>jar</packaging>
 
     <properties>
         <docker.image.prefix>vitasystems/hip-openehr</docker.image.prefix>
     </properties>
 
     <dependencies>
+
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>

application/src/main/java/org/ehrbase/application/abac/CustomMethodSecurityExpressionRoot.java

@@ -188,7 +188,7 @@ private boolean checkAbac(String type, String subject, Object payload, String co
         }
 
         // Check and extract JWT
-        var jwt = getJwtAuthenticationToken(this.authentication);
+        var jwt = getJwtAuthenticationToken(this.getAuthentication());
 
         // Request body map. will result in simple JSON like {"patient_id":"...", ...}
         // but requires "Object" for template handling, which can have a Set<String> for multiple IDs

application/src/main/java/org/ehrbase/application/config/ServerConfigImp.java

@@ -17,8 +17,8 @@
  */
 package org.ehrbase.application.config;
 
-import javax.validation.constraints.Max;
-import javax.validation.constraints.Min;
+import jakarta.validation.constraints.Max;
+import jakarta.validation.constraints.Min;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 

application/src/main/java/org/ehrbase/application/config/SwaggerConfiguration.java

@@ -21,7 +21,7 @@
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.info.Info;
 import io.swagger.v3.oas.models.info.License;
-import org.springdoc.core.GroupedOpenApi;
+import org.springdoc.core.models.GroupedOpenApi;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;