From 0c0933b5e83a8a52364ed821781a9fe2d445b39d Mon Sep 17 00:00:00 2001
From: Michael Schulte <65006436+mschulte-tsi@users.noreply.github.com>
Date: Thu, 16 Dec 2021 14:44:19 +0100
Subject: [PATCH] Fix/Bump Log4j to 2.16 (#118)

* Fix/Bump Log4j to 2.16

* Fix/Bump spring boot to 2.5.7

* fix

* Update pom.xml

* Fix Unit Tests for Spring Boot 2.5.x

* Fix Log4J Update in pom.xml

* Remove Log4J Exclusion

Co-authored-by: Felix Dittrich <Felix.Dittrich@t-systems.com>
---
 pom.xml                                       | 17 ++++----
 .../VerificationPortalHttpFilterTest.java     | 14 +++----
 .../VerificationPortalControllerTest.java     |  6 +--
 ...VerificationPortalErrorControllerTest.java | 42 +++++++++----------
 4 files changed, 38 insertions(+), 41 deletions(-)

diff --git a/pom.xml b/pom.xml
index a28245d..f808497 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,21 +31,23 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <!-- dependencies -->
-    <spring.boot.version>2.5.4</spring.boot.version>
+    <spring.boot.version>2.5.7</spring.boot.version>
     <spring.cloud.version>2020.0.4</spring.cloud.version>
     <keycloak.version>10.0.1</keycloak.version>
     <lombok.version>1.18.12</lombok.version>
     <springdoc.version>1.3.9</springdoc.version>
+    <log4j.version>2.16.0</log4j.version>
     <!-- plugins -->
     <plugin.checkstyle.version>3.1.1</plugin.checkstyle.version>
     <plugin.sonar.version>3.6.1.1688</plugin.sonar.version>
     <plugin.jacoco.version>0.8.5</plugin.jacoco.version>
     <guava.version>30.0-jre</guava.version>
+    <surefire.version>3.0.0-M5</surefire.version>
     <sonar.coverage.exclusions>
       **/VerificationPortalApplication.java,  
       **/SecurityConfig.java,
       **/client/*
-    </sonar.coverage.exclusions>     
+    </sonar.coverage.exclusions>
   </properties>
 
   <dependencyManagement>
@@ -77,6 +79,7 @@
         <version>${springdoc.version}</version>
       </dependency>
     </dependencies>
+
   </dependencyManagement>
 
   <distributionManagement>
@@ -177,11 +180,6 @@
       <artifactId>spring-session-core</artifactId>
       <version>2.3.0.RELEASE</version>
     </dependency>
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <scope>test</scope>
-    </dependency>
   </dependencies>
 
   <build>
@@ -197,6 +195,11 @@
           <artifactId>maven-checkstyle-plugin</artifactId>
           <version>${plugin.checkstyle.version}</version>
         </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>${surefire.version}</version>
+        </plugin>
         <plugin>
           <groupId>org.sonarsource.scanner.maven</groupId>
           <artifactId>sonar-maven-plugin</artifactId>
diff --git a/src/test/java/app/coronawarn/verification/portal/VerificationPortalHttpFilterTest.java b/src/test/java/app/coronawarn/verification/portal/VerificationPortalHttpFilterTest.java
index 992b027..5449808 100644
--- a/src/test/java/app/coronawarn/verification/portal/VerificationPortalHttpFilterTest.java
+++ b/src/test/java/app/coronawarn/verification/portal/VerificationPortalHttpFilterTest.java
@@ -21,8 +21,12 @@
 package app.coronawarn.verification.portal;
 
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -32,15 +36,7 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.test.context.TestPropertySource;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-import static org.junit.Assert.assertEquals;
 
-@ExtendWith(SpringExtension.class)
 @SpringBootTest(classes = VerificationPortalHttpFilter.class)
 @TestPropertySource(properties = {"host-header.whitelist=localhost,localhost:8081", "pod.ip=127.0.0.1", "pod.port=8081"})
 @EnableConfigurationProperties
diff --git a/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalControllerTest.java b/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalControllerTest.java
index fe511d1..e80a3b9 100644
--- a/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalControllerTest.java
+++ b/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalControllerTest.java
@@ -195,7 +195,7 @@ public void testStartNotFound() throws Exception {
    * @throws Exception if the test cannot be performed.
    */
   @Test
-  @WithMockKeycloakAuth(name = "tester6", authorities = {"ROLE_c19hotline", "ROLE_c19hotline_event"})
+  @WithMockKeycloakAuth(name = "tester6.1", authorities = {"ROLE_c19hotline", "ROLE_c19hotline_event"})
   public void testTeletanEvent() throws Exception {
     log.info("process testTeletanEvent()");
 
@@ -209,7 +209,7 @@ public void testTeletanEvent() throws Exception {
         .param("TEST", ""))
       .andExpect(status().isOk())
       .andExpect(view().name(TELETAN_NAME))
-      .andExpect(model().attribute("userName", equalTo("tester6")))
+      .andExpect(model().attribute("userName", equalTo("tester6.1")))
       .andExpect(model().attribute("teleTAN", equalTo("123454321")))
       .andExpect(model().attribute("role_test", equalTo(true)))
       .andExpect(model().attribute("role_event", equalTo(true)))
@@ -249,7 +249,7 @@ public void testTeletanEvent_InvalidHaId() throws Exception {
    * @throws Exception if the test cannot be performed.
    */
   @Test
-  @WithMockKeycloakAuth(name = "tester6", authorities = {"ROLE_c19hotline", "ROLE_c19hotline_event"})
+  @WithMockKeycloakAuth(name = "tester6.2", authorities = {"ROLE_c19hotline", "ROLE_c19hotline_event"})
   public void testTeletanEvent_MissingHaId() throws Exception {
     log.info("process testTeletanEvent()");
 
diff --git a/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalErrorControllerTest.java b/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalErrorControllerTest.java
index d0913b6..37ba326 100644
--- a/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalErrorControllerTest.java
+++ b/src/test/java/app/coronawarn/verification/portal/controller/VerificationPortalErrorControllerTest.java
@@ -1,32 +1,30 @@
 package app.coronawarn.verification.portal.controller;
 
-import app.coronawarn.verification.portal.VerificationPortalApplication;
+import static org.hamcrest.Matchers.equalTo;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
+
 import com.c4_soft.springaddons.security.oauth2.test.annotations.keycloak.WithMockKeycloakAuth;
 import com.c4_soft.springaddons.security.oauth2.test.mockmvc.ServletUnitTestingSupport;
+import javax.servlet.RequestDispatcher;
 import lombok.extern.slf4j.Slf4j;
-import static org.hamcrest.Matchers.equalTo;
-
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
-import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.web.servlet.MockMvc;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
-
-import org.springframework.http.HttpStatus;
-import javax.servlet.RequestDispatcher;
 
 @Slf4j
-//@SpringBootTest
 @AutoConfigureMockMvc
 @WebMvcTest(VerificationPortalController.class)
 @TestPropertySource(properties = {"rateLimiting.enabled=true", "rateLimiting.seconds=30"})
@@ -64,8 +62,8 @@ public void setup() {
   public void handleErrorHandlesNotFoundCorrectly() throws Exception {
     log.info("process handleErrorHandlesNotFoundCorrectly() RequestMethod.POST");
     mockMvc.perform(post("/error")
-      .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
-      .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.NOT_FOUND.value()))
+        .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
+        .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.NOT_FOUND.value()))
       .andExpect(status().isOk())
       .andExpect(view().name("error"))
       .andExpect(model().attribute(ATTR_ERROR_MSG, equalTo(EXPECTED_ERROR_404_MESSAGE)));
@@ -76,8 +74,8 @@ public void handleErrorHandlesNotFoundCorrectly() throws Exception {
   public void handleErrorHandlesForbiddenCorrectly() throws Exception {
     log.info("process handleErrorHandlesForbiddenCorrectly() RequestMethod.POST");
     mockMvc.perform(post("/error")
-      .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
-      .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.FORBIDDEN.value()))
+        .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
+        .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.FORBIDDEN.value()))
       .andExpect(status().isOk())
       .andExpect(view().name("error"))
       .andExpect(model().attribute(ATTR_ERROR_MSG, equalTo(EXPECTED_ERROR_403_MESSAGE)));
@@ -88,9 +86,9 @@ public void handleErrorHandlesForbiddenCorrectly() throws Exception {
   public void handleErrorHandlesTooManyRequestsWithRateLimitCorrectly() throws Exception {
     log.info("process handleErrorHandlesTooManyRequestsWithRateLimitCorrectly() RequestMethod.POST");
     mockMvc.perform(post("/error")
-      .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
-      .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.TOO_MANY_REQUESTS.value())
-      .requestAttr(RequestDispatcher.ERROR_MESSAGE, SERVER_RATE_LIMIT_ERROR_REASON))
+        .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
+        .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.TOO_MANY_REQUESTS.value())
+        .requestAttr(RequestDispatcher.ERROR_MESSAGE, SERVER_RATE_LIMIT_ERROR_REASON))
       .andExpect(status().isOk())
       .andExpect(view().name("error"))
       .andExpect(model().attribute(ATTR_ERROR_MSG, equalTo(EXPECTED_ERROR_429_MESSAGE + EXPECTED_RATE_LIMIT_SERVER_TEXT_MESSAGE)));
@@ -101,9 +99,9 @@ public void handleErrorHandlesTooManyRequestsWithRateLimitCorrectly() throws Exc
   public void handleErrorHandlesTooManyRequestsCorrectly() throws Exception {
     log.info("process handleErrorHandlesTooManyRequestsCorrectly() RequestMethod.POST");
     mockMvc.perform(post("/error")
-      .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
-      .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.TOO_MANY_REQUESTS.value())
-      .requestAttr(RequestDispatcher.ERROR_MESSAGE, ""))
+        .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
+        .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.TOO_MANY_REQUESTS.value())
+        .requestAttr(RequestDispatcher.ERROR_MESSAGE, ""))
       .andExpect(status().isOk())
       .andExpect(view().name("error"))
       .andExpect(model().attribute(ATTR_ERROR_MSG, equalTo(EXPECTED_ERROR_429_MESSAGE + rateLimitingSeconds + EXPECTED_SECONDS_MESSAGE)));
@@ -114,8 +112,8 @@ public void handleErrorHandlesTooManyRequestsCorrectly() throws Exception {
   public void handleErrorHandlesDefaultCorrectly() throws Exception {
     log.info("process handleErrorHandlesDefaultCorrectly() RequestMethod.POST");
     mockMvc.perform(post("/error")
-      .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
-      .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.I_AM_A_TEAPOT.value()))
+        .sessionAttr(TOKEN_ATTR_NAME, csrfToken).param(csrfToken.getParameterName(), csrfToken.getToken())
+        .requestAttr(RequestDispatcher.ERROR_STATUS_CODE, HttpStatus.I_AM_A_TEAPOT.value()))
       .andExpect(status().isOk())
       .andExpect(view().name("error"))
       .andExpect(model().attribute(ATTR_ERROR_MSG, equalTo(EXPECTED_ERROR_MESSAGE)));