security review for archetypes (helidon-io#8445)

senivam · hrstoyanov · commit f38d077f2eb4 · 2024-03-11T17:37:42.000-07:00
Signed-off-by: Maxim Nesen &lt;maxim.nesen@oracle.com&gt;
diff --git a/archetypes/archetypes/src/main/archetype/common/files/src/main/resources/keystore.p12 b/archetypes/archetypes/src/main/archetype/common/files/src/main/resources/keystore.p12
diff --git a/archetypes/archetypes/src/main/archetype/mp/custom/database-outputs.xml b/archetypes/archetypes/src/main/archetype/mp/custom/database-outputs.xml
@@ -292,7 +292,7 @@ docker run --rm --name mysql -p 3306:3306 \
     -e MYSQL_ROOT_PASSWORD=root \
     -e MYSQL_DATABASE=pokemon \
     -e MYSQL_USER=user \
-    -e MYSQL_PASSWORD=password \
+    -e MYSQL_PASSWORD=changeit \
     mysql:5.7
 ```
 ]]></value>
@@ -318,7 +318,7 @@ docker run --rm --name mysql -p 3306:3306 \
                     <value key="jdbcDataSource">com.mysql.cj.jdbc.MysqlDataSource</value>
                     <value key="databaseUrl">jdbc:mysql://127.0.0.1:3306/pokemon?useSSL=false</value>
                     <value key="dbUser">user</value>
-                    <value key="userPassword">password</value>
+                    <value key="userPassword">changeit</value>
                 </model>
             </output>
         </method>
diff --git a/archetypes/archetypes/src/main/archetype/mp/custom/files/application.http-signature.yaml b/archetypes/archetypes/src/main/archetype/mp/custom/files/application.http-signature.yaml
@@ -5,7 +5,7 @@
             - key-id: "service1-hmac"
               principal-name: "Service1 - HMAC signature"
               # See [EncryptionFilter](https://helidon.io/docs/latest/apidocs/io.helidon.config.encryption/io/helidon/config/encryption/EncryptionFilter.html) for details about encrypting passwords in configuration files.
-              hmac.secret: "somePasswordForHmacShouldBeEncrypted"
+              hmac.secret: "changeit"
             - key-id: "service1-rsa"
               principal-name: "Service1 - RSA signature"
               public-key:
@@ -17,6 +17,6 @@
                   # defaults to jdk default
                   # keystore-type: "PKCS12"
                   # password of the keystore
-                  passphrase: "password"
+                  passphrase: "changeit"
                   # alias of the certificate to get public key from
                   cert.alias: "service_cert"
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/database-output.xml b/archetypes/archetypes/src/main/archetype/se/custom/database-output.xml
@@ -69,7 +69,7 @@ For details, see https://www.h2database.com/html/cheatSheet.html
                     <list key="db-connection">
                         <value><![CDATA[    url: jdbc:mysql://127.0.0.1:3306/pokemon?useSSL=false
     username: user
-    password: password]]></value>
+    password: changeit]]></value>
                     </list>
                     <value key="start-db" template="mustache"><![CDATA[
 MySQL:
@@ -78,7 +78,7 @@ docker run --rm --name mysql -p 3306:3306 \
     -e MYSQL_ROOT_PASSWORD=root \
     -e MYSQL_DATABASE=pokemon \
     -e MYSQL_USER=user \
-    -e MYSQL_PASSWORD=password \
+    -e MYSQL_PASSWORD=changeit \
     mysql:5.7
 ```
 ]]></value>
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/files/src/main/resources/client-service-jwt.yaml b/archetypes/archetypes/src/main/archetype/se/custom/files/src/main/resources/client-service-jwt.yaml
@@ -10,13 +10,13 @@ security:
     - http-basic-auth:
         users:
           - login: "john"
-            password: "johnnyPassword"
+            password: "changeit"
             roles: ["admin"]
           - login: "jack"
-            password: "password"
+            password: "changeit"
             roles: ["user", "admin"]
           - login: "jill"
-            password: "anotherPassword"
+            password: "changeit"
             roles: ["user"]
     - jwt:
         allow-impersonation: true
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache b/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/OutboundOverrideJwtTest.java.mustache
@@ -47,7 +47,7 @@ public class OutboundOverrideJwtTest {
         try (Http1ClientResponse response = client.get()
                 .path("/override")
                 .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
-                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "changeit")
                 .request()) {
 
             assertThat(response.status().code(), is(200));
@@ -62,7 +62,7 @@ public class OutboundOverrideJwtTest {
         try (Http1ClientResponse response = client.get()
                 .path("/propagate")
                 .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "jack")
-                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "changeit")
                 .request()) {
 
             assertThat(response.status().code(), is(200));
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache b/archetypes/archetypes/src/main/archetype/se/custom/files/src/test/java/__pkg__/SignatureMainTest.java.mustache
@@ -51,7 +51,7 @@ public abstract class SignatureMainTest {
     private void test(String uri, Set<String> expectedRoles, Set<String> invalidRoles, String service) {
         try (Http1ClientResponse response = client.get(uri)
                 .property(PROPERTY_OUTBOUND_ID, "jack")
-                .property(PROPERTY_OUTBOUND_SECRET, "password")
+                .property(PROPERTY_OUTBOUND_SECRET, "changeit")
                 .request()) {
 
             assertThat(response.status().code(), is(200));
diff --git a/archetypes/archetypes/src/main/archetype/se/custom/security-outputs.xml b/archetypes/archetypes/src/main/archetype/se/custom/security-outputs.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2023 Oracle and/or its affiliates.
+    Copyright (c) 2023, 2024 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -27,7 +27,7 @@
                         <value><![CDATA[
   - oidc:
       client-id: "your-client-id"
-      client-secret: "your-client-secret"
+      client-secret: "changeit"
       identity-uri: "https://your-tenant-id.identity.oracle.com"
       # A prefix used for custom scopes
       scope-audience: "http://localhost:7987/test-application"
@@ -49,7 +49,7 @@
         # IDCS serves both as open ID connect authenticator and
         # as a role mapper. Using minimal configuration here
         client-id: "your-client-id"
-        client-secret: "your-client-secret"
+        client-secret: "changeit"
         identity-uri: "https://your-tenant-id.identity.oracle.com"]]></value>
                     </list>
                     <list key="paths-config-entries">
@@ -348,10 +348,10 @@ Update the following files with your client id (it should support http://localho
 ## Try JWT
 
 ```bash
-curl -u "jack:password" http://localhost:8080/propagate
-curl -u "jack:password" http://localhost:8080/override
-curl -u "jill:anotherPassword" http://localhost:8080/propagate
-curl -u "jill:anotherPassword" http://localhost:8080/override
+curl -u "jack:changeit" http://localhost:8080/propagate
+curl -u "jack:changeit" http://localhost:8080/override
+curl -u "jill:changeit" http://localhost:8080/propagate
+curl -u "jill:changeit" http://localhost:8080/override
 ```
 ]]></value>
                     </list>
@@ -411,9 +411,9 @@ curl -u "jill:anotherPassword" http://localhost:8080/override
     private static final Map<String, SecureUserStore.User> USERS = new HashMap<>();
 
     static {
-        addUser("jack", "password", List.of("user", "admin"));
-        addUser("jill", "password", List.of("user"));
-        addUser("john", "password", List.of());
+        addUser("jack", "changeit", List.of("user", "admin"));
+        addUser("jill", "changeit", List.of("user"));
+        addUser("john", "changeit", List.of());
     }
 
     private static void addUser(String user, String password, List<String> roles) {
@@ -479,15 +479,15 @@ private static void routing2(HttpRouting.Builder routing) {
                                 .addInbound(InboundClientDefinition
                                         .builder("service1-hmac")
                                         .principalName("Service1 - HMAC signature")
-                                        .hmacSecret("somePasswordForHmacShouldBeEncrypted")
+                                        .hmacSecret("changeit")
                                         .build())
                                 .addInbound(InboundClientDefinition
                                         .builder("service1-rsa")
                                         .principalName("Service1 - RSA signature")
                                         .publicKeyConfig(Keys.builder()
                                                 .keystore(k -> k
                                                         .keystore(Resource.create("keystore.p12"))
-                                                        .passphrase("password")
+                                                        .passphrase("changeit")
                                                         .certAlias("service_cert")
                                                         .build())
                                                 .build())
@@ -529,7 +529,7 @@ private static void routing2(HttpRouting.Builder routing) {
                                 .privateKeyConfig(Keys.builder()
                                         .keystore(k -> k
                                                 .keystore(Resource.create("keystore.p12"))
-                                                .passphrase("password")
+                                                .passphrase("changeit")
                                                 .keyAlias("myPrivateKey")
                                                 .build())
                                         .build())
@@ -545,7 +545,7 @@ private static void routing2(HttpRouting.Builder routing) {
                         OutboundTargetDefinition.class,
                         OutboundTargetDefinition
                                 .builder("service1-hmac")
-                                .hmacSecret("somePasswordForHmacShouldBeEncrypted")
+                                .hmacSecret("changeit")
                                 .build())
                 .build();
     }
@@ -575,9 +575,9 @@ private static void routing2(HttpRouting.Builder routing) {
 ## Try Signature
 
 ```bash
-curl -u "jack:password" http://localhost:8080/service1
-curl -u "jill:password" http://localhost:8080/service1-rsa
-curl -v -u "john:password" http://localhost:8080/service1
+curl -u "jack:changeit" http://localhost:8080/service1
+curl -u "jill:changeit" http://localhost:8080/service1-rsa
+curl -v -u "john:changeit" http://localhost:8080/service1
 ```
 ]]></value>
                     </list>
