Motivation:

Some reported vulnerabilities of the dependencies by OWASP make
the pipeline broken.

Modification:

- upgrade spring boot starter parent version from 2.3.5.RELEASE
    to 2.3.12.RELEASE
- update list of OWASP check and supress some false positive
    alarms

Result:

Build pipeline succeeds.

Target: master

Motivation:

To gain insight on marketplace-app, the spring framework provide
the facility to expose the application metrics to monitoring
service like Prometheus on Kubernetes.

Modification:

- enable graceful shutdown
- add spring boot actuator and prometheus registry micrometer
    dependencies
- expose the actuator endpoint that will provides: health,
   info, metric etc.
- avoid 404 error on request to /favicon.ico
- add a mapping for '/scripts/config.js' and generate the necessary
    configuration parameter for the web-app static file. This enable
    us to configure the cerebrum endpoint.

Results:

This application now makes it metrics available and can be shutdown
gracefully. Also, moved the config javascript into the application.

Target: master

Target: master

Motivation:

More options are neccessary to enable robust packaging.
The start.sh script presently only takes one option,
however to do set some availabe after build is desirable
and this script can handle this.

Modification:

- make the file path of the web static directory, the port
   number of the server and the spring profile  settable
   through the script.
- set active profile to dev inside the dockerfile file
- add application yml for dev profile

Result:

start.sh now handle many options that can be configure for
starting the server.

Target: master

Motivation:

Modification:

- exclude tomcat and add jetty to the dependency
- remove spring-webmvc

Result:

Jetty server is use in place of tomcat

Target: master

Motivation:

Currently the test coverage is low and we need to deploy the package
for the upcoming demo

Modification:

remove sonarque analysis

Result:

Sonarque test is suspended

Target: master

Motivation:

Getting the access token is now a desirable. This will
enable the the browser to make a direct call to Cerebrum.

The web application is a single page application, hence
to allow the client routing, it become neccessary for the
error controller to be adjusted

Modification:

- create access to the access_token when a user is full
    authenticated.
- implement the error-controller class so that it will
    forward the request back to the index.html when any
    error is hit

Result:

- SPA now works and access to the token is now available.

Target: master

Motivation:

Inside the dockerfile the variable name for the client
secret was mistyped. Also start shell file wasn't able
to pass the secret to the jar file.

Modification:

- fix the mistyped in the dockerfile
- set the value of the client-secret by using the
    spring variable

Result:

User can now be authenticated.

Target: master

Motivation:

At the moment the utility controller is for obtaining
access and refresh token. These are no longer needed
at this time. Since the helmholtz-marketplace-webapp
will is now a dependency of this project, there is no
need for the index.html page.

Modification:

- delete the controller and index.html page

Result:

The server now render the helmholtz-marketplace-webapp
static files.

Target: master

Motivation:

The maven assembly is now use for packaging of the helmholtz-
marketplace-server. Hence, the ci/cd needs to be adjusted to
pick up the new structure.

Modification:

- add helmholtz-marketplace-webapp as a dependency to the project
- add maven assembly plugin with the instruction of how to package
    the distribution inside the distribution.xml. Inside this file
    the helmholtz-marketplace-webapp.jar file will be upacked and
    the output will be put inside the webapp directory
- create a shell script that can be use to start the server
- in the application.yml file, add a custom location for the static
    files, which is webapp directory
- adjust the dockerfile to reflect the new package structure
- adjust the matcher in the security configuration to allow access
    to the static files
- in the ci, add a build stage and rename test_sonar to
    code_quality_analysis
- move the sonar test job into the ci.yml file
- delete static-code-analysis.yml since it is no longer needed
- rename the profile name for the sonar test in the pom file
    from static-code-analysis to sonar
- run sonar test provided the ci/cd is not trigger by upstream
    repository, that is, helmholtz-marketplace-webapp

Result:

1. Create distribution package for the project. The tar file created
will have a structure like this:

| | |____hm-server
| | | |____bin
| | | | |____start.sh
| | | |____classes/
| | | |____webapp
| | | | |____index.html
| | | | |____images/
| | | | |____styles/
| | | |____lib
| | | | |____helmholtz-marketplace-server-0.0.1-SNAPSHOT.jar

2. A stable ci/cd that get trigger by push, merge-request and
pipeline. The following stages are now in the ci:
- build: check if the code compile
- test: both unit and integration test
- sonar: mainly for code quality analysis
- package: when trigger by pipiline it will use the newly available
    snapshot of helmholtz-marketplace-webapp
- deploy: push the artifact into the docker container that will
    be push into the docker hub

Target: master

Motivation:

Each time a aai access token is needed, we need to authenticate
again to obtain a new access token. However, this is not necessary
since we can use the refresh token, provided one is available
to obtain a new access_token.

Modification:

- initialise OAuth2AuthorizedClientService by using constructor
    instead of autowiring
- add a GET controller and a link that can be use to get the
    refresh token
- add to the list of scope `offline_access` to request for the
    refresh token from the auth server (that is Helmholtz AAI server).

Result:

Refresh token can now be obtain

Target: master
Review-at: https://gitlab.hzdr.de/hifis-technical-platform/helmholtz-marketplace-server/-/merge_requests/12

Motivation:

Since we are providing a service which is open to the public we should be aware of vulnerabilities in our code as well in our libraries. For our own code we already have Sonja which covers at least some of it, for the dependencies there is a Maven plugin.

Modifications:

Add the Maven Dependency-Check plugin (https://jeremylong.github.io/DependencyCheck/index.html) to the build.

Result:

The plugin binds to the verify stage of the Maven build and lets the build fail if there are vulnerabilities with a score greater than or equal to the configured CVSS value (currently 8)

Target: master

Request:

Acked-by: @femiadeyemi

Pull-request: !9

Motivation:

The maintainer of helmholtz changed to a new domain.

Modification:

Change the uris of the hdf to reflect the new domain
    name

Result:

AAI works and no visible changes to users

Target: master
Acked-by: Franz Stephan
Review: https://gitlab.hzdr.de/hifis-technical-platform/helmholtz-marketplace-server/-/merge_requests/11

Motivation:

The display name should be the human readable name for the project which can be different from the artifactId

Modifications:

* change property `name` of the project

Result

The project is now shown as "Helmholtz Marketplace Server"

Target: master

Request:

Acked-by:

Pull-request: !4

Motivation:

There was no continuous static code analysis until now. This is an important part of the quality assurance and should be covered in all builds

Modifications:

* add configuration for static code analysis as part of the Maven build
* add the neccessary GitLab configuration

Result

Static code analysis can be executed from the command line and the execution as part of the CI is prepared and only needs to be aenabled

Target: master

Request:

Acked-by: @femiadeyemi

Pull-request: !3

Add GitLab CI Configuration

See merge request hifis-technical-platform/helmholtz-marketplace-server!2

change version for Docker to 19.03.11

remove `maven-wrapper.jar` from the repository

add basic project configuration stuff

See merge request hifis-technical-platform/helmholtz-marketplace-server!1

remove `maven-wrapper.jar` because it is downloaded when building (https://github.com/takari/maven-wrapper#usage-without-binary-jar)

add Dockerfile and add configuration to respect X-Forward-* headers

add option to pass the secret for the Helmholtz AAI into the Docker container