light-4j

A fast, lightweight and more productive microservices framework

APACHE-2.0 License


light-4j - 1.6.39

Published by stevehu over 2 years ago

1.6.39 (2022-04-26)

Merged pull requests:

  • fix for NPE if input is null for Mask methods (issue 1208) #1222 (miklish)

light-4j - 2.1.0

Published by stevehu over 2 years ago

2.1.0 (2022-02-27)

Merged pull requests:

  • fixes #1124 enhance the sanitizer to make the configuration separated… #1125 (stevehu)
  • fixes #1122 log the stacktrace if a middleware handler is not loaded … #1123 (stevehu)
  • Issue1120 #1121 (stevehu)
  • fixes #1118 allow router to support serviceId from query parameters a… #1119 (stevehu)
  • fixes #1116 Update the rate-limit to allow customized the error code … #1117 (stevehu)
  • fixes #1112 add Jdk8Module to the ObjectMappers in config module to h… #1113 (stevehu)
  • fixes #1108 update the rule-loader to add another rule action to tran… #1109 (stevehu)
  • Bump postgresql from 42.2.25 to 42.3.3 #1107 (dependabot)
  • fixes #1105 disable a test case in the body handler as it is not stable #1106 (stevehu)
  • Truncated Exception Fix #1104 (KalevGonvick)
  • fixes #1102 update the LoggerGetLogContentHandler to return map and h… #1103 (stevehu)
  • fixes #1100 remove a logging statement in the DefaultConfigLoader as … #1101 (stevehu)
  • fixes #1097 add isNumeric to StringUtils in the utility #1098 (stevehu)
  • Bump postgresql from 9.4.1211 to 42.2.25 #1095 (dependabot)
  • Issue1093 #1094 (stevehu)
  • fixes #1091 update the default rate limit concurrent requests to 2 fr… #1092 (stevehu)
  • fixes #1089 update audit status key from Status to status #1090 (stevehu)
  • fixes #1087 externalize rate-limit, header and whitelist-ip config files #1088 (stevehu)
  • Bump h2 from 2.0.206 to 2.1.210 #1086 (dependabot)
  • fixes #1084 update the DefaultConfigLoader to get the values.yml from… #1085 (stevehu)
  • Bump httpclient from 4.5.6 to 4.5.13 #1077 (dependabot)
  • Bump h2 from 1.4.196 to 2.0.206 #1083 (dependabot)
  • fixes #1081 update the ClaimsUtil to name the service id claim with s… #1082 (stevehu)
  • fixes #1079 add method and path to the method not found error message #1080 (stevehu)
  • fixes #1075 Add rule-loader module to support fine-grained access con… #1076 (stevehu)
  • fixes #1073 update the sanitizer.yml to externalize properties for va… #1074 (stevehu)
  • fixes #1071 externalize jaeger-tracing configuration properties #1072 (stevehu)
  • fixes #1069 update server.yml to externalize server.ip #1070 (stevehu)
  • fixes #1067 update the SignKeyRequest to get the proxy info from the … #1068 (stevehu)
  • fixes #1065 Turn off hostname verification for OAuthHelper based on t… #1066 (stevehu)
  • change prometheus config to be extendable #1064 (GavinChenYan)
  • fixes #1061 #1062 (GavinChenYan)
  • Issue1059 #1060 (stevehu)
  • fixes #1057 add ProxyHealthGetHandler in ingress-proxy for the http-s… #1058 (stevehu)
  • fixes #1053 update the pom.xml and jaeger-client dependency to avoid … #1054 (stevehu)
  • Issue 1048 #1051 (stevehu)
  • max json payload for proxy which using buffer stream #1050 (GavinChenYan)
  • fixes #1048 update ProxyBodyHandler to handle the data form and add t… #1049 (stevehu)
  • add other contentType for proxy body handler #1047 (GavinChenYan)

Upgrade Guidelines:

The following middleware handlers have been changed in this release and the config file needs to be updated to leverage the new features.

  • config.yml

For this release, we have set the default value to true for allowDefaultValueEmpty so that an empty value can be used in the template for other config files.

# For some configuration files, we have left some properties without default values as there
# would be a negative impact on the application security. The following config will ensure that
# null will be used when the default value is empty without stopping the server during the start.
allowDefaultValueEmpty: true

  • limit.yml

The errorCode is newly added to allow the users to customize the error response if the request is dropped. By default, code 503 is returned.

# If the rate limit is exposed to the Internet to prevent DDoS attacks, it will return 503
# error code to trick the DDoS client/tool to stop the attacks as it considers the server
# is down. However, if the rate limit is used internally to throttle the client requests to
# protect a slow backend API, it will return 429 error code to indicate too many requests
# for the client to wait a grace period to resend the request. By default, 503 is returned.
errorCode: ${limit.errorCode:503}

  • sanitizer.yml

This file has changed substantially so that the encoders for the body and the header can be set up separately.

---
# Sanitize request for cross-site scripting during runtime

# indicate if sanitizer is enabled or not
enabled: ${sanitizer.enabled:false}

# if it is enabled, the body needs to be sanitized
bodyEnabled: ${sanitizer.bodyEnabled:true}
# the encoder for the body. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
bodyEncoder: ${sanitizer.bodyEncoder:javascript-source}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the body. When this option is
# selected, you can not use the bodyAttributesToIgnore list.
bodyAttributesToEncode: ${sanitizer.bodyAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values won't be encoded. You can choose this option if you want to encode everything except
# several values with a list of the keys. When this option is selected, you can not use the
# bodyAttributesToEncode list.
bodyAttributesToIgnore: ${sanitizer.bodyAttributesToIgnore:}

# if it is enabled, the header needs to be sanitized
headerEnabled: ${sanitizer.headerEnabled:true}
# the encoder for the header. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
headerEncoder: ${sanitizer.headerEncoder:javascript-attribute}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the header. When this option is
# selected, you can not use the headerAttributesToIgnore list.
headerAttributesToEncode: ${sanitizer.headerAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values won't be encoded. You can choose this option if you want to encode everything except
# several values with a list of the keys. When this option is selected, you can not use the
# headerAttributesToEncode list.
headerAttributesToIgnore: ${sanitizer.headerAttributesToIgnore:}

  • router.yml

The router config in egress-router has been changed to add the query parameter for service_id and URL rewrite rules.

# support serviceId in the query parameter for routing to overwrite serviceId in header routing.
# by default, it is false and shouldn't be used unless you are dealing with a legacy client that
# doesn't support header manipulation. Once this flag is true, we are going to overwrite the header
# service_id derived with other handlers from the prefix, path, endpoint etc.
serviceIdQueryParameter: ${router.serviceIdQueryParameter:false}

# URL rewrite rules, each line will have two parts: the regex pattern and replace string separated
# with a space. The light-router has service discovery for host routing, so when working on the
# url rewrite rules, we only need to care about the path in the URL.
# Test your rules at https://www.freeformatter.com/java-regex-tester.html#ad-output
urlRewriteRules: ${router.urlRewriteRules:}
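
One way to read the urlRewriteRules format described above, as an added Java 16+ example rather than light-4j's own code. The class and method names, the sample rules and the first-full-match-wins behaviour are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not light-4j source: parses "pattern replacement" rule
// lines and applies them to a request path only (never host or query string).
public class RewriteRuleDemo {
    record Rule(Pattern pattern, String replacement) {}

    // Each rule line is "<regex> <replacement>", split on the first space.
    static List<Rule> parse(List<String> lines) {
        List<Rule> rules = new ArrayList<>();
        for (String line : lines) {
            String trimmed = line.trim();
            int space = trimmed.indexOf(' ');
            if (space < 0) {
                throw new IllegalArgumentException("rule needs two parts: " + line);
            }
            rules.add(new Rule(Pattern.compile(trimmed.substring(0, space)),
                               trimmed.substring(space + 1).trim()));
        }
        return rules;
    }

    // Assumption: the first rule whose pattern matches the whole path wins;
    // a path that matches no rule is passed through unchanged.
    static String rewrite(List<Rule> rules, String path) {
        for (Rule rule : rules) {
            Matcher m = rule.pattern().matcher(path);
            if (m.matches()) {
                return m.replaceAll(rule.replacement());
            }
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed sample rules. The (\d+) group only accepts a numeric id,
        // so unexpected path segments are not carried into the rewritten path.
        List<Rule> rules = parse(List.of(
            "^/v1/pets/(\\d+)$ /v2/animals/$1",
            "^/legacy/status$ /health"));
        // Constructed sample paths: rewritten, left alone, rewritten.
        for (String path : List.of("/v1/pets/42", "/v1/pets/42/../admin", "/legacy/status")) {
            System.out.println(path + " -> " + rewrite(rules, path));
        }
    }
}
```

Anchoring each pattern and using a narrow capture group means a path that does not fit the expected shape falls through unchanged instead of being partially rewritten.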

light-4j - 1.6.38

Published by stevehu over 2 years ago

1.6.38 (2022-02-19)

Merged pull requests:

  • fixes #1110 add Suppression annotation for TypeParameterUnusedInFormals #1111 (stevehu)

light-4j - 1.6.37

Published by stevehu almost 3 years ago

1.6.37 (2021-11-10)

Merged pull requests:

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 1.6.36 release. For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 2.0.32

Published by stevehu about 3 years ago

2.0.32 (2021-10-19)

Merged pull requests:

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 2.0.31 release. For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 2.0.31

Published by stevehu about 3 years ago

2.0.31 (2021-09-22)

Merged pull requests:

light-4j - 2.0.30

Published by stevehu about 3 years ago

2.0.30 (2021-08-23)

Merged pull requests:

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 2.0.29 release. For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 2.0.29

Published by stevehu about 3 years ago

2.0.29 (2021-07-25)

Merged pull requests:

  • add two constants for http-sidecar usage #1008 (chenyan71)
  • Issue1006 #1007 (chenyan71)
  • build error fix, change egress_router value scope #1005 (chenyan71)
  • fixes #1003 audit request body serialize to JSON if possible and fall… #1004 (stevehu)
  • fix an issue on jwt.yml config file #1002 (chenyan71)
  • fixes #1000 support both X509Certificate and JsonWebKeySet at the sam… #1001 (stevehu)
  • fixes #998 add portalToken to the portal-registry.yml and use the tok… #999 (stevehu)
  • fixes #995 #996 (chenyan71)
  • fixes #993 add a test case to generate a bootstrap token for service … #994 (stevehu)
  • fixes #991 add a status code for the service claim mismatch to the path #992 (stevehu)
  • fixes #989 trim the environment variable for config server uri and co… #990 (stevehu)
  • Fix the NPEs in Issues 962 and 981 #988 (containerAnalyzer)
  • fixes #986 add a new error code for oauth to indicate that the author… #987 (stevehu)
  • fixes #984 #985 (chenyan71)
  • fixes #982 disable loadConfigs from DefaultConfigLoader #983 (stevehu)
  • fixes #979 lazy creation of the jdk11 http client to connect to confi… #980 (stevehu)
  • fixes #970 #975 (chenyan71)
  • fixes #977 output content of the config files from config server in log #978 (stevehu)
  • fixes #973 switch to jdk 11 http client to connect to the config server #974 (stevehu)
  • fixes #971 remove the server.config and switch to getServerConfig method #972 (stevehu)

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 2.0.28 release. For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 2.0.28

Published by stevehu over 3 years ago

2.0.28 (2021-06-27)

Merged pull requests:

  • fixes #965 #969 (chenyan71)
  • fixes #967 make the jaeger-client optional in the client module #968 (stevehu)
  • fixes #963 update the logic to support both http and https port cache… #964 (stevehu)
  • fixes #960 support both environment variable and jvm option for confi… #961 (stevehu)
  • fixes #958 add a new error code to the status.yml to indicate kafka-s… #959 (stevehu)
  • fixes #956 add registerModule for the SingletonServiceFactory #957 (stevehu)
  • fixes #954 remove the specification section from the server info resp… #955 (stevehu)
  • fixes #952 upgrade jaeger to 1.6.0 to resolve security vulnerabilities #953 (stevehu)

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 2.0.27 release. For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 1.6.36

Published by stevehu over 3 years ago

1.6.36 (2021-06-27)

Merged pull requests:

light-4j - 2.0.27

Published by stevehu over 3 years ago

2.0.27 (2021-05-25)

Merged pull requests:

  • fixes #950 make the body.yml externalizable with the values.yml #951 (stevehu)
  • url config loader #947 (xlongwei)
  • fixes #948 Add ProxyBodyHandler for sidecar to intercept the body #949 (stevehu)
  • fixes #942 handle only one element in an array for masking #946 (stevehu)
  • Issue942 #945 (ssoifer)
  • fixes #943 update client.yml to move the OAuth token proxyHost and pr… #944 (stevehu)
  • fixes #940 update OauthHelper getTokenResult to check before apply pr… #941 (stevehu)
  • fixes #938 add healthPath to the portalRegistryService for controller #939 (stevehu)

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 2.0.26 release. For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 1.6.35

Published by stevehu over 3 years ago

1.6.35 (2021-05-10)

Merged pull requests:

light-4j - 2.0.26

Published by stevehu over 3 years ago

2.0.26 (2021-04-27)

Merged pull requests:

  • added base path in the HandlerConfig #934 (BalloonWen)
  • fixes #932 make the health check path configurable in the portal-regi… #933 (stevehu)
  • fixes #929 add error codes for the light-mesh kafka-sidecar #930 (stevehu)

light-4j - 1.6.34

Published by stevehu over 3 years ago

1.6.34 (2021-04-27)

Merged pull requests:

light-4j - 2.0.25

Published by stevehu over 3 years ago

2.0.25 (2021-03-28)

Merged pull requests:

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 2.0.24 release. For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 1.6.33

Published by stevehu over 3 years ago

1.6.33 (2021-03-28)

Merged pull requests:

light-4j - 2.0.24

Published by stevehu over 3 years ago

2.0.24 (2021-02-24)

Merged pull requests:

  • fixes #920 update CookiesDumper in DumpHandler after upgrade to under… #921 (stevehu)
  • Bump version.jackson from 2.10.4 to 2.12.1 #919 (dependabot)
  • issue #897 key resolving at the start up #918 (BalloonWen)
  • fixes #916 register the handler and server modules to server info #917 (stevehu)
  • fixes #914 move the getFileExtension from light-codegen to the NioUti… #915 (stevehu)
  • allow key injection in configuration #913 (BalloonWen)
  • issue #898 log err when get oauth key exception #911 (BalloonWen)
  • fixes #909 make shutdown timeout and shutdown graceful period configu… #910 (stevehu)
  • fixes #906 remove primary and secondary jks from security resources/c… #907 (stevehu)

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 2.0.23 release. Along with the PRs above, we have upgraded Undertow to 2.2.4.Final and json-schema-validator to 1.0.49.

For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 1.6.32

Published by stevehu over 3 years ago

1.6.32 (2021-02-24)

Merged pull requests:

  • fixes #920 update CookiesDumper in DumpHandler after upgrade to under… #921 (stevehu)

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 1.6.31 release. Along with the PR above, we have upgraded Undertow to 2.2.4.Final and json-schema-validator to 1.0.49.

For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 1.6.31

Published by stevehu over 3 years ago

1.6.31 (2021-01-29)

Merged pull requests:

  • fixes #883 output an error message in the service module if the implm… #892 (stevehu)

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 1.6.30 release except for the following.

For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule

light-4j - 2.0.23

Published by stevehu over 3 years ago

2.0.23 (2021-01-29)

Merged pull requests:

Upgrade Guidelines:

This is a release with some bug fixes and enhancements. It is backward compatible with the 1.6.30 release except for the following.

For all the changes for the entire platform, please refer to https://trello.com/b/189msq9S/release-schedule
