Revert "chore(deps): upgrade play dependencies to remove CVE vulnerabilities (datahub-project#4820)" (datahub-project#4861)

This reverts commit fa4abea.

Author: RyanHolstien

.gitignore

@@ -64,7 +64,4 @@ metadata-ingestion/generated/**
 # docs
 docs/generated/
 tmp*
-temp*
-
-# frontend assets
-datahub-frontend/public/**
+temp*

build.gradle

@@ -16,7 +16,6 @@ buildscript {
     }
     classpath "io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.30.0"
     classpath "com.palantir.gradle.gitversion:gradle-git-version:0.12.3"
-    classpath "org.gradle.playframework:gradle-playframework:0.12"
     classpath "gradle.plugin.org.hidetake:gradle-swagger-generator-plugin:2.18.1"
   }
 }
@@ -111,14 +110,14 @@ project.ext.externalDependency = [
     'opentracingJdbc':'io.opentracing.contrib:opentracing-jdbc:0.2.15',
     'parquet': 'org.apache.parquet:parquet-avro:1.12.2',
     'picocli': 'info.picocli:picocli:4.5.0',
-    'playCache': 'com.typesafe.play:play-cache_2.12:2.7.6',
-    'playWs': 'com.typesafe.play:play-ahc-ws-standalone_2.12:2.0.8',
-    'playDocs': 'com.typesafe.play:play-docs_2.12:2.7.6',
-    'playGuice': 'com.typesafe.play:play-guice_2.12:2.7.6',
-    'playJavaJdbc': 'com.typesafe.play:play-java-jdbc_2.12:2.7.6',
-    'playTest': 'com.typesafe.play:play-test_2.12:2.7.6',
+    'playCache': 'com.typesafe.play:play-cache_2.11:2.6.18',
+    'playWs': 'com.typesafe.play:play-ahc-ws-standalone_2.11:2.0.8',
+    'playDocs': 'com.typesafe.play:play-docs_2.11:2.6.18',
+    'playGuice': 'com.typesafe.play:play-guice_2.11:2.6.18',
+    'playJavaJdbc': 'com.typesafe.play:play-java-jdbc_2.11:2.6.18',
+    'playTest': 'com.typesafe.play:play-test_2.11:2.6.18',
     'pac4j': 'org.pac4j:pac4j-oidc:3.6.0',
-    'playPac4j': 'org.pac4j:play-pac4j_2.12:8.0.2',
+    'playPac4j': 'org.pac4j:play-pac4j_2.11:7.0.1',
     'postgresql': 'org.postgresql:postgresql:42.3.3',
     'protobuf': 'com.google.protobuf:protobuf-java:3.19.3',
     'reflections': 'org.reflections:reflections:0.9.9',

datahub-frontend/app/auth/AuthModule.java

@@ -12,6 +12,7 @@
 import com.linkedin.util.Configuration;
 import com.datahub.authentication.Authentication;
 import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.Collections;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.pac4j.core.client.Client;

datahub-frontend/app/auth/Authenticator.java

@@ -1,7 +1,6 @@
 package auth;
 
 import com.typesafe.config.Config;
-import java.util.Optional;
 import javax.inject.Inject;
 import play.mvc.Http;
 import play.mvc.Result;
@@ -23,8 +22,7 @@ public class Authenticator extends Security.Authenticator {
 
     @Inject
     public Authenticator(@Nonnull Config config) {
-        this.metadataServiceAuthEnabled = config.hasPath(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH)
-            && config.getBoolean(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH);
+        this.metadataServiceAuthEnabled = config.hasPath(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH) && config.getBoolean(METADATA_SERVICE_AUTH_ENABLED_CONFIG_PATH);
     }
 
     @Override
@@ -40,28 +38,9 @@ public String getUsername(@Nonnull Http.Context ctx) {
         }
     }
 
-    @Override
-    public Optional<String> getUsername(@Nonnull Http.Request request) {
-        Http.Context ctx = Http.Context.current();
-        if (this.metadataServiceAuthEnabled) {
-            // If Metadata Service auth is enabled, we only want to verify presence of the
-            // "Authorization" header OR the presence of a frontend generated session cookie.
-            // At this time, the actor is still considered to be unauthenicated.
-            return Optional.ofNullable(AuthUtils.isEligibleForForwarding(ctx) ? "urn:li:corpuser:UNKNOWN" : null);
-        } else {
-            // If Metadata Service auth is not enabled, verify the presence of a valid session cookie.
-            return Optional.ofNullable(AuthUtils.hasValidSessionCookie(ctx) ? ctx.session().get(ACTOR) : null);
-        }
-    }
-
     @Override
     @Nonnull
     public Result onUnauthorized(@Nullable Http.Context ctx) {
         return unauthorized();
     }
-
-    @Override
-    public Result onUnauthorized(Http.Request req) {
-        return unauthorized();
-    }
 }

datahub-frontend/app/auth/sso/oidc/OidcResponseErrorHandler.java

@@ -10,11 +10,6 @@
 
 
 public class OidcResponseErrorHandler {
-
-    private OidcResponseErrorHandler() {
-
-    }
-
     private static final Logger _logger = LoggerFactory.getLogger("OidcResponseErrorHandler");
 
     private static final String ERROR_FIELD_NAME = "error";
@@ -27,18 +22,20 @@ public static Result handleError(final PlayWebContext context) {
                 getErrorDescription(context));
 
         if (getError(context).equals("access_denied")) {
-            return unauthorized(String.format("Access denied. "
-                    + "The OIDC service responded with 'Access denied'. "
-                    + "It seems that you don't have access to this application yet. Please apply for access. \n\n"
-                    + "If you already have been assigned this application, it may be so that your OIDC request is still in action. "
-                    + "Error details: '%s':'%s'",
+            return unauthorized(String.format("Access denied. " +
+                            "The OIDC service responded with 'Access denied'. " +
+                            "It seems that you don't have access to this application yet. Please apply for access. \n\n" +
+                            "If you already have been assigned this application, it may be so that your OIDC request is still in action. " +
+                            "Error details: '%s':'%s'",
                     context.getRequestParameter("error"),
                     context.getRequestParameter("error_description")));
         }
 
         return internalServerError(
-                String.format("Internal server error. The OIDC service responded with an error: '%s'.\n"
-                        + "Error description: '%s'", getError(context), getErrorDescription(context)));
+                String.format("Internal server error. The OIDC service responded with an error: '%s'.\n" +
+                                "Error description: '%s'",
+                getError(context),
+                getErrorDescription(context)));
     }
 
     public static boolean isError(final PlayWebContext context) {

datahub-frontend/app/auth/sso/oidc/custom/CustomOidcAuthenticator.java

@@ -71,12 +71,8 @@ public CustomOidcAuthenticator(final OidcConfiguration configuration, final Oidc
           chosenMethod = preferredMethod;
         } else {
           throw new TechnicalException(
-              "Preferred authentication method ("
-                  + preferredMethod
-                  + ") not supported "
-                  + "by provider according to provider metadata ("
-                  + metadataMethods
-                  + ").");
+              "Preferred authentication method (" + preferredMethod + ") not supported " +
+                  "by provider according to provider metadata (" + metadataMethods + ").");
         }
       } else {
         chosenMethod = firstSupportedMethod(metadataMethods);
@@ -87,13 +83,13 @@ public CustomOidcAuthenticator(final OidcConfiguration configuration, final Oidc
           chosenMethod);
     }
 
-    final ClientID clientID = new ClientID(configuration.getClientId());
+    final ClientID _clientID = new ClientID(configuration.getClientId());
     if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(chosenMethod)) {
-      final Secret secret = new Secret(configuration.getSecret());
-      clientAuthentication = new ClientSecretPost(clientID, secret);
+      final Secret _secret = new Secret(configuration.getSecret());
+      clientAuthentication = new ClientSecretPost(_clientID, _secret);
     } else if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(chosenMethod)) {
-      final Secret secret = new Secret(configuration.getSecret());
-      clientAuthentication = new ClientSecretBasic(clientID, secret);
+      final Secret _secret = new Secret(configuration.getSecret());
+      clientAuthentication = new ClientSecretBasic(_clientID, _secret);
     } else if (ClientAuthenticationMethod.NONE.equals(chosenMethod)) {
       clientAuthentication = null; // No client authentication in none mode
     } else {
@@ -132,8 +128,8 @@ private static ClientAuthenticationMethod firstSupportedMethod(final List<Client
     if (firstSupported.isPresent()) {
       return firstSupported.get();
     } else {
-      throw new TechnicalException("None of the Token endpoint provider metadata authentication methods are supported: "
-          +  metadataMethods);
+      throw new TechnicalException("None of the Token endpoint provider metadata authentication methods are supported: " +
+          metadataMethods);
     }
   }
 

datahub-frontend/app/client/AuthServiceClient.java

@@ -56,8 +56,7 @@ public String generateSessionTokenForUser(@Nonnull final String userId) {
     try {
 
       final String protocol = this.metadataServiceUseSsl ? "https" : "http";
-      final HttpPost request = new HttpPost(String.format("%s://%s:%s/%s", protocol, this.metadataServiceHost,
-          this.metadataServicePort, GENERATE_SESSION_TOKEN_ENDPOINT));
+      final HttpPost request = new HttpPost(String.format("%s://%s:%s/%s", protocol, this.metadataServiceHost, this.metadataServicePort, GENERATE_SESSION_TOKEN_ENDPOINT));
 
       // Build JSON request to generate a token on behalf of a user.
       String json = String.format("{ \"%s\":\"%s\" }", USER_ID_FIELD, userId);

datahub-frontend/app/controllers/Application.java

@@ -14,7 +14,7 @@
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.stream.Collectors;
-import play.api.Play;
+import play.Play;
 import play.http.HttpEntity;
 import play.libs.ws.InMemoryBodyWritable;
 import play.libs.ws.StandaloneWSClient;
@@ -59,7 +59,7 @@ public Application(@Nonnull Config config) {
    */
   @Nonnull
   private Result serveAsset(@Nullable String path) {
-    InputStream indexHtml = Play.current().classloader().getResourceAsStream("public/index.html");
+    InputStream indexHtml = Play.application().classloader().getResourceAsStream("public/index.html");
     response().setHeader("Cache-Control", "no-cache");
     return ok(indexHtml).as("text/html");
   }
@@ -114,8 +114,7 @@ public CompletableFuture<Result> proxy(String path) throws ExecutionException, I
             .toMap()
             .entrySet()
             .stream()
-            // Remove X-DataHub-Actor to prevent malicious delegation.
-            .filter(entry -> !AuthenticationConstants.LEGACY_X_DATAHUB_ACTOR_HEADER.equals(entry.getKey()))
+            .filter(entry -> !AuthenticationConstants.LEGACY_X_DATAHUB_ACTOR_HEADER.equals(entry.getKey())) // Remove X-DataHub-Actor to prevent malicious delegation.
             .filter(entry -> !Http.HeaderNames.CONTENT_LENGTH.equals(entry.getKey()))
             .filter(entry -> !Http.HeaderNames.CONTENT_TYPE.equals(entry.getKey()))
             .filter(entry -> !Http.HeaderNames.AUTHORIZATION.equals(entry.getKey()))

datahub-frontend/app/controllers/CentralLogoutController.java

@@ -19,14 +19,14 @@ public class CentralLogoutController extends LogoutController {
   @Inject
   public CentralLogoutController(Config config) {
 
-    String authBaseUrl = config.hasPath(AUTH_BASE_URL_CONFIG_PATH)
+    String _authBaseUrl = config.hasPath(AUTH_BASE_URL_CONFIG_PATH)
             ? config.getString(AUTH_BASE_URL_CONFIG_PATH)
             : DEFAULT_BASE_URL_PATH;
 
     _isOidcEnabled = config.hasPath("auth.oidc.enabled") && config.getBoolean("auth.oidc.enabled");
 
-    setDefaultUrl(authBaseUrl);
-    setLogoutUrlPattern(authBaseUrl + ".*");
+    setDefaultUrl(_authBaseUrl);
+    setLogoutUrlPattern(_authBaseUrl + ".*");
     setLocalLogout(true);
     setCentralLogout(true);
 

datahub-frontend/app/controllers/SsoCallbackController.java

@@ -58,8 +58,7 @@ public class SsoCallbackLogic implements CallbackLogic<Result, PlayWebContext> {
 
     private final OidcCallbackLogic _oidcCallbackLogic;
 
-    SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication,
-        final EntityClient entityClient, final AuthServiceClient authClient) {
+    SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication, final EntityClient entityClient, final AuthServiceClient authClient) {
       _oidcCallbackLogic = new OidcCallbackLogic(ssoManager, systemAuthentication, entityClient, authClient);
     }
 

datahub-frontend/app/controllers/TrackingController.java

@@ -35,7 +35,7 @@ public class TrackingController extends Controller {
     private final Logger _logger = LoggerFactory.getLogger(TrackingController.class.getName());
 
     private static final List<String> KAFKA_SSL_PROTOCOLS = Collections.unmodifiableList(
-            Arrays.asList(SecurityProtocol.SSL.name(), SecurityProtocol.SASL_SSL.name(),
+            Arrays.asList(SecurityProtocol.SSL.name(),SecurityProtocol.SASL_SSL.name(),
             SecurityProtocol.SASL_PLAINTEXT.name()));
 
     private final Boolean _isEnabled;
@@ -81,7 +81,7 @@ public Result track() throws Exception {
              _producer.send(record);
              _producer.flush();
              return ok();
-        } catch (Exception e) {
+        } catch(Exception e) {
             _logger.error(String.format("Failed to emit product analytics event. actor: %s, event: %s", actor, event));
             return internalServerError(e.getMessage());
         }

datahub-frontend/app/security/AuthenticationManager.java

@@ -44,7 +44,6 @@ public void handle(@Nonnull Callback[] callbacks) {
       NameCallback nc = null;
       PasswordCallback pc = null;
       for (Callback callback : callbacks) {
-        Logger.error("The submitted callback is of type: " + callback.getClass() + " : " + callback);
         if (callback instanceof NameCallback) {
           nc = (NameCallback) callback;
           nc.setName(this.username);

datahub-frontend/app/utils/ConfigUtil.java

@@ -6,10 +6,6 @@
 
 public class ConfigUtil {
 
-  private ConfigUtil() {
-
-  }
-
   // New configurations, provided via application.conf file.
   public static final String METADATA_SERVICE_HOST_CONFIG_PATH = "metadataService.host";
   public static final String METADATA_SERVICE_PORT_CONFIG_PATH = "metadataService.port";

datahub-frontend/build.gradle

@@ -46,21 +46,4 @@ graphqlCodegen {
 
 tasks.withType(Checkstyle) {
   exclude "**/generated/**"
-}
-
-checkstyleMain.source = "app/"
-
-
-/*
-PLAY UPGRADE NOTE
-Generates the distribution jars under the expected names. The playFramework plugin only accepts certain name values
-for the resulting folders and files, so some changes were made to accommodate. Default distribution is main if these are excluded
- */
-distributions {
-  create("datahub-frontend") {
-    distributionBaseName = project.ext.playBinaryBaseName
-  }
-  playBinary {
-    distributionBaseName = project.ext.playBinaryBaseName
-  }
 }

datahub-frontend/conf/application.conf

@@ -26,10 +26,6 @@ play.modules.disabled += "play.api.mvc.CookiesModule"
 play.modules.enabled += "play.api.mvc.LegacyCookiesModule"
 play.modules.enabled += "auth.AuthModule"
 
-# Legacy Configuration to avoid code changes, update to modern approaches eventually
-play.allowHttpContext = true
-play.allowGlobalApplication = true
-
 # Database configuration
 # ~~~~~
 # You can declare as many datasources as you want.

datahub-frontend/conf/routes

@@ -19,22 +19,22 @@ POST          /callback/:protocol                                             co
 GET           /logOut                                                         controllers.CentralLogoutController.executeLogout()
 
 # Proxies API requests to the metadata service api
-GET           /api/*path                                                     controllers.Application.proxy(path)
-POST          /api/*path                                                     controllers.Application.proxy(path)
-DELETE        /api/*path                                                     controllers.Application.proxy(path)
-PUT           /api/*path                                                     controllers.Application.proxy(path)
+GET           /api/*path                                                      controllers.Application.proxy(path)
+POST          /api/*path                                                      controllers.Application.proxy(path)
+DELETE        /api/*path                                                      controllers.Application.proxy(path)
+PUT           /api/*path                                                      controllers.Application.proxy(path)
 
 # Proxies API requests to the metadata service api
-GET           /openapi/*path                                                 controllers.Application.proxy(path)
-POST          /openapi/*path                                                 controllers.Application.proxy(path)
-DELETE        /openapi/*path                                                 controllers.Application.proxy(path)
-PUT           /openapi/*path                                                 controllers.Application.proxy(path)
+GET           /openapi/*path                                                  controllers.Application.proxy(path)
+POST          /openapi/*path                                                  controllers.Application.proxy(path)
+DELETE        /openapi/*path                                                  controllers.Application.proxy(path)
+PUT           /openapi/*path                                                  controllers.Application.proxy(path)
 
 # Map static resources from the /public folder to the /assets URL path
-GET           /assets/*file                                                  controllers.Assets.at(path="/public", file)
+GET           /assets/*file                                                   controllers.Assets.at(path="/public", file)
 
 # Analytics route
-POST          /track                                                         controllers.TrackingController.track()
+POST          /track                                                          controllers.TrackingController.track()
 
 # Wildcard route accepts any routes and delegates to serveAsset which in turn serves the React Bundle
-GET           /*path                                                         controllers.Application.index(path)
+GET           /*path                                                          controllers.Application.index(path)