chore: merge release-7.4 to master

.github/workflows/run_tests.yaml

@@ -45,7 +45,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         working-directory: ./src
-        run: ./gradlew -Dorg.gradle.jvmargs=-Xmx6g -PsonarqubeHost=https://sonarcloud.io -PsonarqubeProjectKey=nordic-institute_X-Road -PsonarqubeOrganization=nordic-institute -PxroadBuildType=RELEASE --stacktrace build sonar test intTest runProxyTest runMetaserviceTest runProxymonitorMetaserviceTest jacocoTestReport dependencyCheckAggregate -Pfrontend-npm-audit
+        run: ./gradlew -Dorg.gradle.jvmargs=-Xmx6g -PsonarqubeHost=https://sonarcloud.io -PsonarqubeProjectKey=nordic-institute_X-Road -PsonarqubeOrganization=nordic-institute -PxroadBuildType=RELEASE --stacktrace build sonar test intTest runProxyTest runMetaserviceTest runProxymonitorMetaserviceTest jacocoTestReport -Pfrontend-npm-audit
       - name: Test report
         env:
           NODE_OPTIONS: '--max-old-space-size=6144'

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Change Log
 
+## 7.4.2 - 2024-03-18
+- XRDDEV-2592: Central Server regenerates shared-params.xml with a new hash if two sign keys are present
+- XRDDEV-2610: Signer does not allow using SoftToken if HSM connection fails
+
 ## 7.4.1 - 2024-02-02
 - XRDDEV-2568: Client list and add client flow breaks with 7.4.0
 - XRDDEV-2565: Global group access not working correctly

src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/module/HardwareModuleWorker.java

@@ -94,6 +94,7 @@ private static InitializeArgs getInitializeArgs(Boolean libraryCantCreateOsThrea
 
     @Override
     public void stop() {
+        super.stop();
         if (pkcs11Module == null) {
             return;
         }

src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/domain/ConfigurationSigningKey.java

@@ -39,6 +39,7 @@
 @NoArgsConstructor
 @EqualsAndHashCode
 public class ConfigurationSigningKey {
+    private int id;
     private String keyIdentifier;
     private byte[] cert;
     private Instant keyGeneratedAt;

src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/service/ConfigurationService.java

@@ -39,7 +39,7 @@
 
 public interface ConfigurationService {
 
-    Map<String, List<ConfigurationSigningKey>> getNodeAddressesWithConfigurationSigningKeys();
+    Map<String, List<ConfigurationSigningKey>> getNodeAddressesWithOrderedConfigurationSigningKeys();
 
     boolean hasSigningKeys(ConfigurationSourceType sourceType);
 

src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImpl.java

@@ -69,6 +69,7 @@
 import static ee.ria.xroad.common.conf.globalconf.ConfigurationConstants.FILE_NAME_PRIVATE_PARAMETERS;
 import static ee.ria.xroad.common.conf.globalconf.ConfigurationConstants.FILE_NAME_SHARED_PARAMETERS;
 import static ee.ria.xroad.common.util.CryptoUtils.DEFAULT_UPLOAD_FILE_HASH_ALGORITHM;
+import static java.util.Comparator.comparing;
 import static java.util.stream.Collectors.toList;
 import static java.util.stream.Collectors.toMap;
 import static java.util.stream.Collectors.toSet;
@@ -103,11 +104,13 @@ public class ConfigurationServiceImpl implements ConfigurationService {
     private final ConfigurationSigningKeyMapper configurationSigningKeyMapper;
 
     @Override
-    public Map<String, List<ConfigurationSigningKey>> getNodeAddressesWithConfigurationSigningKeys() {
+    public Map<String, List<ConfigurationSigningKey>> getNodeAddressesWithOrderedConfigurationSigningKeys() {
         return configurationSourceRepository.findAll().stream().collect(toMap(
                 src -> systemParameterService.getCentralServerAddress(src.getHaNodeName()),
                 src -> src.getConfigurationSigningKeys().stream()
                         .map(configurationSigningKeyMapper::toTarget)
+                        // ensure consistent order to prevent shared-params hash's dynamism
+                        .sorted(comparing(ConfigurationSigningKey::getId))
                         .collect(toList()),
                 (signingKeys1, signingKeys2) -> {
                     signingKeys1.addAll(signingKeys2);

src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImplTest.java

@@ -43,6 +43,7 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.niis.xroad.common.exception.NotFoundException;
 import org.niis.xroad.common.exception.ServiceException;
+import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKey;
 import org.niis.xroad.cs.admin.api.dto.ConfigurationParts;
 import org.niis.xroad.cs.admin.api.dto.File;
 import org.niis.xroad.cs.admin.api.dto.GlobalConfDownloadUrl;
@@ -76,6 +77,7 @@
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.junit.jupiter.api.Assertions.assertAll;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.mockStatic;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
@@ -213,14 +215,22 @@ void shouldReturnEmptyListWhenSourceNotFound() {
         }
 
         @Test
-        void getNodeAddressesWithConfigurationSigningKeys() {
-            when(configurationSourceRepository.findAll()).thenReturn(List.of(configurationSource, configurationSource));
-            when(configurationSource.getConfigurationSigningKeys()).thenReturn(Set.of(new ConfigurationSigningKeyEntity()));
+        void getNodeAddressesWithOrderedConfigurationSigningKeys() {
+            ConfigurationSigningKeyEntity confSigningkey1 = mock(ConfigurationSigningKeyEntity.class);
+            when(confSigningkey1.getId()).thenReturn(2);
+
+            ConfigurationSigningKeyEntity confSigningkey2 = mock(ConfigurationSigningKeyEntity.class);
+            when(confSigningkey2.getId()).thenReturn(1);
+
+            when(configurationSourceRepository.findAll()).thenReturn(List.of(configurationSource));
+            when(configurationSource.getConfigurationSigningKeys()).thenReturn(Set.of(confSigningkey1, confSigningkey2));
             when(configurationSource.getHaNodeName()).thenReturn(HA_NODE_NAME);
             when(systemParameterService.getCentralServerAddress(HA_NODE_NAME)).thenReturn(CENTRAL_SERVICE);
 
-            assertThat(configurationServiceHa.getNodeAddressesWithConfigurationSigningKeys().get(CENTRAL_SERVICE))
-                    .hasSize(2);
+            List<ConfigurationSigningKey> configurationSigningKeys =
+                    configurationServiceHa.getNodeAddressesWithOrderedConfigurationSigningKeys().get(CENTRAL_SERVICE);
+            assertThat(configurationSigningKeys).hasSize(2);
+            assertThat(configurationSigningKeys.get(0).getId()).isLessThan(configurationSigningKeys.get(1).getId());
         }
     }
 

src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoader.java

@@ -87,7 +87,7 @@ SharedParameters load() {
     }
 
     private List<SharedParameters.ConfigurationSource> getSources() {
-        return configurationService.getNodeAddressesWithConfigurationSigningKeys().entrySet().stream()
+        return configurationService.getNodeAddressesWithOrderedConfigurationSigningKeys().entrySet().stream()
                 .map(this::toSource)
                 .toList();
     }

src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoaderTest.java

@@ -120,7 +120,7 @@ class SharedParametersLoaderTest {
     @Test
     void loadSharedParameters() {
         when(systemParameterService.getInstanceIdentifier()).thenReturn(XROAD_INSTANCE);
-        when(configurationService.getNodeAddressesWithConfigurationSigningKeys())
+        when(configurationService.getNodeAddressesWithOrderedConfigurationSigningKeys())
                 .thenReturn(getNodeAddressesWithConfigurationSigningKeys());
         when(certificationServicesService.findAll()).thenReturn(List.of(getCertificationService()));
 

src/central-server/admin-service/ui-system-test/src/intTest/resources/application-override.yml

@@ -24,6 +24,7 @@ test-automation:
     browser-size: "1280x900"
     driver-manager-enabled: true
     headless: true
+    chrome-options-args: "--guest,--disable-features=OptimizationHints"
     timeout: 10000
     page-load-timeout: 10000
     screenshots: true

src/central-server/admin-service/ui/yarn.lock

@@ -831,7 +831,7 @@ __metadata:
 
 "@niis/shared-ui@file:../../../shared-ui/niis-shared-ui-3.0.0.tgz::locator=xroad-centralserver-admin-ui%40workspace%3A.":
   version: 3.0.0
-  resolution: "@niis/shared-ui@file:../../../shared-ui/niis-shared-ui-3.0.0.tgz#../../../shared-ui/niis-shared-ui-3.0.0.tgz::hash=94638d&locator=xroad-centralserver-admin-ui%40workspace%3A."
+  resolution: "@niis/shared-ui@file:../../../shared-ui/niis-shared-ui-3.0.0.tgz#../../../shared-ui/niis-shared-ui-3.0.0.tgz::hash=bd2153&locator=xroad-centralserver-admin-ui%40workspace%3A."
   dependencies:
     "@fontsource/open-sans": "npm:^5.0.12"
     "@mdi/font": "npm:^7.2.96"
@@ -840,7 +840,7 @@ __metadata:
     vue: ^3.3.4
     vue-i18n: ^9.4.0
     vuetify: ^3.3.19
-  checksum: efb5cbfa2bd2dd3fc7f385f23090d4d04f8752513ff64e7a1363a8f75b9666ebcae6f8f09cfcb67cfa8a2956b8fc66bfdaf1d7260e2238dcdacdf32399360ca1
+  checksum: f4a48b9c7621724e588b7f567a6d0ef6b019e5aff87b2edec18c895a79a56f1ee040735fe7db73bff16c1c8588b99862ec4fda18829e44b4c6222abb0ddd7153
   languageName: node
   linkType: hard
 

src/configuration-client/src/test/java/ee/ria/xroad/common/conf/globalconf/ConfigurationDownloaderTest.java

@@ -56,8 +56,8 @@
  */
 public class ConfigurationDownloaderTest {
     private static final int MAX_ATTEMPTS = 5;
-    private static final String LOCATION_URL_SUCCESS = "http://www.example.com";
-    private static final String LOCATION_HTTPS_URL_SUCCESS = "https://www.example.com";
+    private static final String LOCATION_URL_SUCCESS = "http://x-road.global/";
+    private static final String LOCATION_HTTPS_URL_SUCCESS = "https://x-road.global/";
 
     /**
      * For better HA, the order of sources to be tried to download configuration

src/gradle.properties

@@ -1,6 +1,6 @@
 org.gradle.jvmargs=-Xmx1024m
 
-xroadVersion=7.4.1
+xroadVersion=7.4.2
 xroadBuildType=SNAPSHOT
 
 # SonarQube defaults

src/packages/build-rpm.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 
-VERSION=7.4.1
+VERSION=7.4.2
 LAST_SUPPORTED_VERSION=7.2.0
 
 if [[ $1 == "-release" ]] ; then

src/packages/src/xroad/ubuntu/generic/changelog

@@ -1,3 +1,10 @@
+xroad (7.4.2-1) stable; urgency=medium
+
+  * Change history is found at /usr/share/doc/xroad-
+    common/CHANGELOG.md.gz
+
+ -- NIIS <info@niis.org>  Mon, 18 Mar 2024 15:16:26 +0000
+
 xroad (7.4.1-1) stable; urgency=medium
 
   * Change history is found at /usr/share/doc/xroad-

src/security-server/admin-service/ui/yarn.lock

@@ -762,7 +762,7 @@ __metadata:
 
 "@niis/shared-ui@file:../../../shared-ui/niis-shared-ui-3.0.0.tgz::locator=frontend%40workspace%3A.":
   version: 3.0.0
-  resolution: "@niis/shared-ui@file:../../../shared-ui/niis-shared-ui-3.0.0.tgz#../../../shared-ui/niis-shared-ui-3.0.0.tgz::hash=b72a4f&locator=frontend%40workspace%3A."
+  resolution: "@niis/shared-ui@file:../../../shared-ui/niis-shared-ui-3.0.0.tgz#../../../shared-ui/niis-shared-ui-3.0.0.tgz::hash=bd2153&locator=frontend%40workspace%3A."
   dependencies:
     "@fontsource/open-sans": "npm:^5.0.12"
     "@mdi/font": "npm:^7.2.96"
@@ -771,7 +771,7 @@ __metadata:
     vue: ^3.3.4
     vue-i18n: ^9.4.0
     vuetify: ^3.3.19
-  checksum: 114261710bde8340a7eba2f1729c19bf5ec24aba409f360d9da92495952393295804b78f406c3ea91ce8fb3e56ff5dc0ea3ed9dcb5101c5bee528844e1970c6f
+  checksum: f4a48b9c7621724e588b7f567a6d0ef6b019e5aff87b2edec18c895a79a56f1ee040735fe7db73bff16c1c8588b99862ec4fda18829e44b4c6222abb0ddd7153
   languageName: node
   linkType: hard
 

src/security-server/system-test/src/intTest/resources/application-override.yml

@@ -37,6 +37,7 @@ test-automation:
     browser-size: "1920x1080"
     driver-manager-enabled: true
     headless: true
+    chrome-options-args: "--guest,--disable-features=OptimizationHints"
     timeout: 15000
     page-load-timeout: 25000
     screenshots: true

src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleManager.java

@@ -119,7 +119,13 @@ public void refresh() {
             mergeConfiguration();
         }
 
-        moduleWorkers.forEach((key, worker) -> worker.refresh());
+        moduleWorkers.forEach((key, worker) -> {
+            try {
+                worker.refresh();
+            } catch (Exception e) {
+                log.error("Error refreshing module '{}'.", key);
+            }
+        });
 
         if (!SLAVE.equals(serverNodeType)) {
             persistConfiguration();
@@ -233,7 +239,7 @@ private Map<String, AbstractModuleWorker> loadModules(Collection<ModuleType> mod
 
                 newModules.put(moduleWorker.getModuleType().getType(), moduleWorker);
             } catch (Exception e) {
-                throw new RuntimeException(e);
+                log.error("Error loading module '{}'.", moduleType, e);
             }
         });
         return newModules;

src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/module/AbstractModuleWorker.java

@@ -89,6 +89,12 @@ public void refresh() {
         }
     }
 
+    @Override
+    public void stop() {
+        stopLostTokenWorkers(tokenWorkers, List.of());
+        tokenWorkers = Collections.emptyMap();
+    }
+
     protected abstract List<TokenType> listTokens() throws Exception;
 
     protected abstract AbstractTokenWorker createWorker(TokenInfo tokenInfo, TokenType tokenType);