Feature: Allow H2 web console usage for dev purposes

Taking into account review comments : conditional activation based on a maven profile

Signed-off-by: syalioune <sy_alioune@yahoo.fr>

.run/Jetty with H2 Console.run.xml

@@ -0,0 +1,31 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="Jetty with H2 Console" type="MavenRunConfiguration" factoryName="Maven">
+    <MavenSettings>
+      <option name="myGeneralSettings" />
+      <option name="myRunnerSettings" />
+      <option name="myRunnerParameters">
+        <MavenRunnerParameters>
+          <option name="profiles">
+            <set />
+          </option>
+          <option name="goals">
+            <list>
+              <option value="jetty:run" />
+              <option value="-Dlogback.configurationFile=src/main/docker/logback.xml" />
+            </list>
+          </option>
+          <option name="pomFileName" />
+          <option name="profilesMap">
+            <map>
+              <entry key="h2-console" value="true" />
+              <entry key="enhance" value="true" />
+            </map>
+          </option>
+          <option name="resolveToWorkspace" value="false" />
+          <option name="workingDirPath" value="$PROJECT_DIR$" />
+        </MavenRunnerParameters>
+      </option>
+    </MavenSettings>
+    <method v="2" />
+  </configuration>
+</component>

pom.xml

@@ -107,6 +107,7 @@
         <plugin.cyclonedx.projectType>application</plugin.cyclonedx.projectType>
         <plugin.cyclonedx.outputFormat>json</plugin.cyclonedx.outputFormat>
         <plugin.retirejs.breakOnFailure>false</plugin.retirejs.breakOnFailure>
+        <plugin.jetty.version>10.0.14</plugin.jetty.version>
         <!-- SonarCloud properties -->
         <sonar.exclusions>src/main/webapp/**</sonar.exclusions>
         <!-- CycloneDX CLI -->
@@ -490,7 +491,7 @@
             <plugin>
                 <groupId>org.eclipse.jetty</groupId>
                 <artifactId>jetty-maven-plugin</artifactId>
-                <version>10.0.14</version>
+                <version>${plugin.jetty.version}</version>
                 <configuration>
                     <webApp>
                         <contextPath>/</contextPath>
@@ -543,6 +544,24 @@
                 <war-embedded-finalname>${project.build.finalName}-apiserver</war-embedded-finalname>
             </properties>
         </profile>
+        <profile>
+            <id>h2-console</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.eclipse.jetty</groupId>
+                        <artifactId>jetty-maven-plugin</artifactId>
+                        <version>${plugin.jetty.version}</version>
+                        <configuration>
+                            <webApp>
+                                <contextPath>/</contextPath>
+                            </webApp>
+                            <contextXml>src/test/webapp/WEB-INF/h2-console-activation.xml</contextXml>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
         <profile>
             <id>bundle-ui</id>
             <activation>

src/main/java/org/dependencytrack/common/ConfigKey.java

@@ -36,9 +36,7 @@ public enum ConfigKey implements Config.Key {
     REPO_META_ANALYZER_CACHE_STAMPEDE_BLOCKER_ENABLED("repo.meta.analyzer.cacheStampedeBlocker.enabled", true),
     REPO_META_ANALYZER_CACHE_STAMPEDE_BLOCKER_LOCK_BUCKETS("repo.meta.analyzer.cacheStampedeBlocker.lock.buckets", 1000),
     REPO_META_ANALYZER_CACHE_STAMPEDE_BLOCKER_MAX_ATTEMPTS("repo.meta.analyzer.cacheStampedeBlocker.max.attempts", 10),
-    SYSTEM_REQUIREMENT_CHECK_ENABLED("system.requirement.check.enabled", true),
-    H2_CONSOLE_ENABLED("h2.console.enabled", false),
-    H2_CONSOLE_PATH("h2.console.path", "/h2-console");
+    SYSTEM_REQUIREMENT_CHECK_ENABLED("system.requirement.check.enabled", true);
 
     private final String propertyName;
     private final Object defaultValue;

src/main/java/org/dependencytrack/persistence/H2WebConsoleInitializer.java

@@ -21,7 +21,6 @@
 
 import alpine.Config;
 import alpine.common.logging.Logger;
-import org.dependencytrack.common.ConfigKey;
 import org.h2.server.web.WebServlet;
 
 import javax.servlet.ServletContext;
@@ -33,6 +32,9 @@
 public class H2WebConsoleInitializer implements ServletContextListener {
     private static final Logger LOGGER = Logger.getLogger(H2WebConsoleInitializer.class);
 
+    private static final String H2_CONSOLE_ENABLED_INIT_PARAM = "h2.console.enabled";
+    private static final String H2_CONSOLE_PATH_INIT_PARAM = "h2.console.path";
+
     /**
      * {@inheritDoc}
      */
@@ -41,7 +43,7 @@ public void contextInitialized(final ServletContextEvent event) {
         Config configuration = Config.getInstance();
         String databaseMode = configuration.getProperty(Config.AlpineKey.DATABASE_MODE);
         String databaseDriver = configuration.getProperty(Config.AlpineKey.DATABASE_DRIVER);
-        Boolean h2ConsoleEnabled = configuration.getPropertyAsBoolean(ConfigKey.H2_CONSOLE_ENABLED);
+        Boolean h2ConsoleEnabled = Boolean.valueOf(event.getServletContext().getInitParameter(H2_CONSOLE_ENABLED_INIT_PARAM));
         // Misconfiguration check, if external database is used, no need to pointlessly expose the H2 console
         if ("external".equals(databaseMode) || !org.h2.Driver.class.getName().equals(databaseDriver) || !h2ConsoleEnabled) {
             LOGGER.debug("H2 web console will not be initialized since either database mode is external or database driver is not H2 or the console is simply disabled !");
@@ -50,13 +52,12 @@ public void contextInitialized(final ServletContextEvent event) {
             LOGGER.debug("H2 web console enabled : "+h2ConsoleEnabled);
             return;
         }
-        String h2ConsolePath = configuration.getProperty(ConfigKey.H2_CONSOLE_PATH);
-        LOGGER.debug("Building and exposing H2 servlet");
+        String h2ConsolePath = event.getServletContext().getInitParameter(H2_CONSOLE_PATH_INIT_PARAM);
+        LOGGER.warn("Building and exposing H2 web servlet to "+h2ConsolePath);
+        LOGGER.warn("It should only be enabled for development purposes to avoid security risks related to production data leak.");
         ServletContext servletContext = event.getServletContext();
         WebServlet h2WebServlet = new WebServlet();
         ServletRegistration.Dynamic registration = servletContext.addServlet("h2Console", h2WebServlet);
-        registration.setInitParameter("webAllowOthers", "false");
-        registration.setInitParameter("trace", "");
         registration.addMapping(h2ConsolePath+"/*");
         registration.setLoadOnStartup(1);
         // Production filter alteration : we rely here on the fact the Jetty server does not entirely respect Servlet 3.0 specs. See https://github.com/DependencyTrack/dependency-track/pull/2561

src/main/resources/application.properties

@@ -343,15 +343,6 @@ alpine.oidc.team.synchronization=false
 # will most likely need to be configured.
 alpine.oidc.teams.claim=groups
 
-# Optional
-# Toggle the activation and exposition of H2 database web console.
-# The default value is false.
-h2.console.enabled=false
-
-# Optional
-# Path at which the H2 database web console will be available.
-h2.console.path=/h2-console
-
 # Optional
 # Define whether system requirement check is enable.
 # The default value is true.

src/test/webapp/WEB-INF/h2-console-activation.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0"  encoding="ISO-8859-1"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
+        "http://www.eclipse.org/jetty/configure_9_0.dtd">
+
+<Configure class="org.eclipse.jetty.maven.plugin.MavenWebAppContext">
+    <Call name="setInitParameter">
+        <Arg>h2.console.enabled</Arg>
+        <Arg>true</Arg>
+    </Call>
+    <Call name="setInitParameter">
+        <Arg>h2.console.path</Arg>
+        <Arg>/h2-console</Arg>
+    </Call>
+</Configure>