Merge branch 'master' into dev_serializer_register

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you have apprehensions regarding SOFAStack's security or you discover vulnerability or potential threat, don’t hesitate to get in touch with us by dropping a mail at sofastack@antgroup.com.
+
+In the mail, specify the description of the issue or potential threat. You are also urged to recommend the way to reproduce and replicate the issue. The SOFAStack community will get back to you after assessing and analysing the findings.
+
+PLEASE PAY ATTENTION to report the security issue on the security email before disclosing it on public domain.

all/pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.alipay.sofa</groupId>
     <artifactId>sofa-rpc-all</artifactId>
-    <version>5.9.1-SNAPSHOT</version>
+    <version>5.9.1</version>
 
 
     <name>${project.groupId}:${project.artifactId}</name>
@@ -282,6 +282,11 @@
             <artifactId>sofa-rpc-metrics-micrometer</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.alipay.sofa</groupId>
+            <artifactId>sofa-rpc-metrics-prometheus</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>com.alipay.sofa</groupId>
             <artifactId>sofa-rpc-doc-swagger</artifactId>
@@ -513,6 +518,7 @@
                                     <include>com.alipay.sofa:sofa-rpc-log-common-tools</include>
                                     <include>com.alipay.sofa:sofa-rpc-metrics-lookout</include>
                                     <include>com.alipay.sofa:sofa-rpc-metrics-micrometer</include>
+                                    <include>com.alipay.sofa:sofa-rpc-metrics-prometheus</include>
                                     <include>com.alipay.sofa:sofa-rpc-registry-consul</include>
                                     <include>com.alipay.sofa:sofa-rpc-registry-local</include>
                                     <include>com.alipay.sofa:sofa-rpc-registry-zk</include>

bom/pom.xml

@@ -10,31 +10,32 @@
     <packaging>pom</packaging>
 
     <properties>
-        <revision>5.9.1-SNAPSHOT</revision>
+        <revision>5.9.1</revision>
         <javassist.version>3.20.0-GA</javassist.version>
         <bytebuddy.version>1.9.8</bytebuddy.version>
         <netty.version>4.1.77.Final</netty.version>
         <!-- 3rd extends libs -->
         <servlet.version>2.5</servlet.version>
         <resteasy.version>3.6.3.Final</resteasy.version>
         <jaxrs.api.version>1.0.2.Final</jaxrs.api.version>
-        <cxf.version>3.0.14</cxf.version>
+        <cxf.version>3.4.10</cxf.version>
         <jetty.version>7.5.4.v20111024</jetty.version>
         <curator.version>4.0.1</curator.version>
         <opentracing.version>0.22.0</opentracing.version>
         <dubbo.version>2.6.9</dubbo.version>
         <nacos.version>2.0.3</nacos.version>
         <sofa.registry.version>5.2.0</sofa.registry.version>
         <polaris.version>1.2.2</polaris.version>
-        <swagger.version>1.5.18</swagger.version>
+        <swagger.version>1.6.9</swagger.version>
         <asm.version>7.0</asm.version>
         <guava.version>27.0-jre</guava.version>
+        <prometheus.client.version>0.16.0</prometheus.client.version>
         <!-- serialization -->
         <hessian.version>3.3.13</hessian.version>
         <thrift.version>0.9.2</thrift.version>
-        <protobuf.version>3.16.1</protobuf.version>
-        <jackson.version>2.9.10</jackson.version>
-        <jackson.databind.version>2.9.10.8</jackson.databind.version>
+        <protobuf.version>3.16.3</protobuf.version>
+        <jackson.version>2.12.7</jackson.version>
+        <jackson.databind.version>2.12.7.1</jackson.databind.version>
         <msgpack.version>0.6.12</msgpack.version>
         <protostuff.version>1.5.9</protostuff.version>
         <grpc.version>1.33.1</grpc.version>
@@ -544,6 +545,18 @@
                 <version>${polaris.version}</version>
                 <scope>test</scope>
             </dependency>
+            <!-- prometheus client -->
+            <dependency>
+                <groupId>io.prometheus</groupId>
+                <artifactId>simpleclient</artifactId>
+                <version>${prometheus.client.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.prometheus</groupId>
+                <artifactId>simpleclient_httpserver</artifactId>
+                <version>${prometheus.client.version}</version>
+                <scope>test</scope>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

codec/codec-sofa-hessian/src/main/java/com/alipay/sofa/rpc/codec/sofahessian/GenericMultipleClassLoaderSofaSerializerFactory.java

@@ -86,15 +86,16 @@ public Deserializer getDeserializer(String type) throws HessianProtocolException
             return super.getDeserializer(type);
         }
 
-        // 自定义Throwable采用JavaDeserializer，反序列化成Throwable而不是GenericObject
-        Deserializer deserializer = getDeserializerForCustomThrowable(type);
+        // 查看是否已经包含反序列化器
+        Deserializer deserializer = DESERIALIZER_MAP.get(type);
         if (deserializer != null) {
             return deserializer;
         }
 
-        // 查看是否已经包含反序列化器
-        deserializer = DESERIALIZER_MAP.get(type);
+        // 自定义Throwable采用JavaDeserializer，反序列化成Throwable而不是GenericObject
+        deserializer = getDeserializerForCustomThrowable(type);
         if (deserializer != null) {
+            DESERIALIZER_MAP.putIfAbsent(type, deserializer);
             return deserializer;
         }
 

codec/codec-sofa-hessian/src/main/java/com/alipay/sofa/rpc/codec/sofahessian/GenericSingleClassLoaderSofaSerializerFactory.java

@@ -86,15 +86,16 @@ public Deserializer getDeserializer(String type) throws HessianProtocolException
             return super.getDeserializer(type);
         }
 
-        // 自定义Throwable采用JavaDeserializer，反序列化成Throwable而不是GenericObject
-        Deserializer deserializer = getDeserializerForCustomThrowable(type);
+        // 查看是否已经包含反序列化器
+        Deserializer deserializer = DESERIALIZER_MAP.get(type);
         if (deserializer != null) {
             return deserializer;
         }
 
-        // 查看是否已经包含反序列化器
-        deserializer = DESERIALIZER_MAP.get(type);
+        // 自定义Throwable采用JavaDeserializer，反序列化成Throwable而不是GenericObject
+        deserializer = getDeserializerForCustomThrowable(type);
         if (deserializer != null) {
+            DESERIALIZER_MAP.putIfAbsent(type, deserializer);
             return deserializer;
         }
 

codec/codec-sofa-hessian/src/test/java/com/alipay/sofa/rpc/codec/sofahessian/GenericMultipleClassLoaderSofaSerializerFactoryTest.java

@@ -38,6 +38,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 
+import static com.alipay.sofa.rpc.codec.sofahessian.serialize.GenericCustomThrowableDeterminerTest.clearCacheDeserializerMap;
 import static com.alipay.sofa.rpc.codec.sofahessian.serialize.GenericCustomThrowableDeterminerTest.setGenericThrowException;
 
 /**
@@ -109,6 +110,7 @@ public void testCustomThrowableDeserializerEnabled() throws Exception {
             Assert.assertEquals("MockError", ((MockError) result).getMessage());
         } finally {
             setGenericThrowException(false);
+            clearCacheDeserializerMap();
         }
     }
 }

codec/codec-sofa-hessian/src/test/java/com/alipay/sofa/rpc/codec/sofahessian/GenericSingleClassLoaderSofaSerializerFactoryTest.java

@@ -39,6 +39,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 
+import static com.alipay.sofa.rpc.codec.sofahessian.serialize.GenericCustomThrowableDeterminerTest.clearCacheDeserializerMap;
 import static com.alipay.sofa.rpc.codec.sofahessian.serialize.GenericCustomThrowableDeterminerTest.setGenericThrowException;
 
 /**
@@ -116,6 +117,7 @@ public void testCustomThrowableDeserializerEnabled() throws Exception {
             Assert.assertEquals("MockError", ((MockError) result).getMessage());
         } finally {
             setGenericThrowException(false);
+            clearCacheDeserializerMap();
         }
     }
 }

codec/codec-sofa-hessian/src/test/java/com/alipay/sofa/rpc/codec/sofahessian/serialize/GenericCustomThrowableDeterminerTest.java

@@ -17,11 +17,15 @@
 package com.alipay.sofa.rpc.codec.sofahessian.serialize;
 
 import com.alipay.hessian.generic.model.GenericObject;
+import com.alipay.sofa.rpc.codec.sofahessian.GenericMultipleClassLoaderSofaSerializerFactory;
+import com.alipay.sofa.rpc.codec.sofahessian.GenericSingleClassLoaderSofaSerializerFactory;
+import com.caucho.hessian.io.Deserializer;
 import org.junit.Assert;
 import org.junit.Test;
 
 import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
+import java.util.concurrent.ConcurrentHashMap;
 
 import static com.alipay.sofa.rpc.codec.sofahessian.serialize.GenericCustomThrowableDeterminer.judgeCustomThrowableForGenericObject;
 
@@ -66,4 +70,28 @@ public static void setGenericThrowException(boolean enabled) {
             e.printStackTrace();
         }
     }
+
+    public static void clearCacheDeserializerMap() {
+        try {
+            Field field = GenericMultipleClassLoaderSofaSerializerFactory.class.getDeclaredField("DESERIALIZER_MAP");
+            field.setAccessible(true);
+            Field modifiersField = Field.class.getDeclaredField("modifiers");
+            modifiersField.setAccessible(true);
+            modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+            field.set(null, new ConcurrentHashMap<String, Deserializer>());
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        try {
+            Field field = GenericSingleClassLoaderSofaSerializerFactory.class.getDeclaredField("DESERIALIZER_MAP");
+            field.setAccessible(true);
+            Field modifiersField = Field.class.getDeclaredField("modifiers");
+            modifiersField.setAccessible(true);
+            modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+            field.set(null, new ConcurrentHashMap<String, Deserializer>());
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
 }

codec/codec-sofa-hessian/src/test/java/com/alipay/sofa/rpc/codec/sofahessian/serialize/SofaResponseHessianSerializerTest.java

@@ -30,6 +30,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import static com.alipay.sofa.rpc.codec.sofahessian.serialize.GenericCustomThrowableDeterminerTest.clearCacheDeserializerMap;
 import static com.alipay.sofa.rpc.codec.sofahessian.serialize.GenericCustomThrowableDeterminerTest.setGenericThrowException;
 
 /**
@@ -89,6 +90,7 @@ public void testCustomThrowableDeserializerEnabled() throws Exception {
             Assert.assertEquals("MockError", ((MockError) sofaResponse2.getAppResponse()).getMessage());
         } finally {
             setGenericThrowException(false);
+            clearCacheDeserializerMap();
         }
     }
 
@@ -117,6 +119,7 @@ public void testCustomThrowableDeserializerEnabledForIncompatible() throws Excep
                             + "found, error: "));
         } finally {
             setGenericThrowException(false);
+            clearCacheDeserializerMap();
         }
     }
 

core/api/src/main/java/com/alipay/sofa/rpc/common/Version.java

@@ -37,6 +37,6 @@ public final class Version {
     /**
      * 当前Build版本，每次发布修改
      */
-    public static final String BUILD_VERSION = "5.9.1_20221207115251";
+    public static final String BUILD_VERSION = "5.9.1_20230106144430";
 
 }

example/src/test/java/com/alipay/sofa/rpc/triple/TripleClientRegistryApplication.java

@@ -44,7 +44,7 @@ public static void main(String[] args) {
             .setProtocol(RpcConstants.PROTOCOL_TYPE_TRIPLE)
             //.setRegistry(registryConfig)
             .setApplication(clientApp)
-            .setDirectUrl("tri://10.15.232.18:19544")
+            .setDirectUrl("tri://127.0.0.1:50051")
             .setRegister(false);
 
         SofaGreeterTriple.IGreeter greeterBlockingStub = consumerConfig.refer();

metrics/metrics-prometheus/pom.xml

@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <artifactId>sofa-rpc-metrics</artifactId>
+        <groupId>com.alipay.sofa</groupId>
+        <version>${revision}</version>
+    </parent>
+
+    <artifactId>sofa-rpc-metrics-prometheus</artifactId>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>com.alipay.sofa</groupId>
+            <artifactId>sofa-rpc-api</artifactId>
+        </dependency>
+
+        <!-- prometheus client -->
+        <dependency>
+            <groupId>io.prometheus</groupId>
+            <artifactId>simpleclient</artifactId>
+        </dependency>
+
+        <!-- test scope -->
+        <dependency>
+            <groupId>io.prometheus</groupId>
+            <artifactId>simpleclient_httpserver</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>com.alipay.sofa</groupId>
+            <artifactId>sofa-rpc-log</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <sourceDirectory>src/main/java</sourceDirectory>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <filtering>false</filtering>
+                <includes>
+                    <include>**/**</include>
+                </includes>
+            </resource>
+        </resources>
+        <testSourceDirectory>src/test/java</testSourceDirectory>
+        <testResources>
+            <testResource>
+                <directory>src/test/resources</directory>
+                <filtering>false</filtering>
+                <includes>
+                    <include>**/**</include>
+                </includes>
+            </testResource>
+        </testResources>
+
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>${maven.compiler.source}</source>
+                    <target>${maven.compiler.target}</target>
+                    <encoding>${project.build.sourceEncoding}</encoding>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-install-plugin</artifactId>
+                <configuration>
+                    <skip>${module.install.skip}</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>${module.deploy.skip}</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <skipTests>${skipTests}</skipTests>
+                    <includes>
+                        <include>**/*Test.java</include>
+                    </includes>
+                    <forkMode>once</forkMode>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>