Skip to content

improve startup scripts and logs#1236

Open
fhanik wants to merge 4 commits into
cloudfoundry:developfrom
fhanik:pr/improve-startup-scripts-and-logs
Open

improve startup scripts and logs#1236
fhanik wants to merge 4 commits into
cloudfoundry:developfrom
fhanik:pr/improve-startup-scripts-and-logs

Conversation

@fhanik
Copy link
Copy Markdown
Contributor

@fhanik fhanik commented May 7, 2026

Changes span the pre-start script, log4j2 redaction pattern, redirect URI matching default, and release tooling.

 

Redirect URI matching (BREAKING CHANGE)

uaa.client.redirect_uri.matching_mode now defaults to exact rather than legacy. Deployments with clients that use subdomain or path wildcard redirect URIs must register exact URIs or explicitly set matching_mode: legacy in their manifest before upgrading.

 

Logging defaults

uaa.logging_level now defaults to INFO. The log4j2 redaction pattern is extended to cover code=, access_token=, refresh_token=, and id_token= values in addition to password= and client_secret=.

 

cert-cache file ownership

pre-start now calls resecure_cert_cache() after configure_tomcat and configure_spring_boot, restoring cert-cache to root:root 0711 and its contents to root:root 0644. The vcap process retains read-only access to the truststore.

 

Release script temp file handling

perform-release.sh now uses mktemp for all temporary files and directories, with mode 0600 on credential-bearing files and trap ... EXIT for cleanup.

fhanik added 4 commits May 7, 2026 12:26
@fhanik
Use mktemp for temporary files in perform-release.sh
76be6b2 
Replace fixed /tmp paths with mktemp-allocated files and directories.
The private.yml copy is created with mode 0600 and registered with
trap ... EXIT for automatic cleanup. SAVEDIR is also allocated with
mktemp -d instead of a fixed path.
@fhanik
Change redirect_uri.matching_mode default to exact
e68f332 
Switch uaa.client.redirect_uri.matching_mode default from legacy to
exact, aligning with RFC 6749 and current best practice for OAuth2
redirect URI validation.

BREAKING CHANGE: clients relying on subdomain or path wildcard matching
must register exact redirect URIs or explicitly set
uaa.client.redirect_uri.matching_mode: legacy in their manifest before
upgrading.
@fhanik
Change logging_level default to INFO; extend log redaction
7cb571b 
Change uaa.logging_level default from DEBUG to INFO. The DEBUG level
produces verbose Spring Security and JDBC output that is not appropriate
for production deployments.

Extend the log4j2 redaction pattern to cover code=, access_token=,
refresh_token=, and id_token= in addition to the existing password=
and client_secret= patterns.
@fhanik
Restore cert-cache ownership to root after configure_tomcat
acbf4c0 
configure_tomcat transfers ownership of /var/vcap/data/uaa/ to vcap,
which includes cert-cache and the Java truststore within it.

Add resecure_cert_cache() to run after configure_tomcat and
configure_spring_boot. It restores cert-cache to root:root with mode
0711 and all enclosed files to root:root 0644, so the vcap process
retains read access to the truststore without write access.
@fhanik fhanik mentioned this pull request May 7, 2026
Closed
@strehle strehle requested a review from Copilot May 8, 2026 05:10
Copilot AI reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates UAA release operational defaults and hardening around release tooling, logging redaction, and startup-time file permissions, and introduces a breaking default change for redirect URI matching behavior.

Changes:

  • Harden perform-release.sh temp handling for private.yml by using mktemp and an EXIT cleanup trap.
  • Extend Log4j2 message redaction to cover additional OAuth-related parameters/tokens.
  • Re-secure cert-cache ownership/permissions after Tomcat/Spring Boot setup, and change defaults for logging level and redirect URI matching mode.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.

File Description
scripts/perform-release.sh Switches to mktemp for temp paths and securely stages private.yml across branch switches.
jobs/uaa/templates/config/log4j2.properties.erb Extends the Log4j2 %replace redaction regex to redact more credential/token fields.
jobs/uaa/templates/bin/pre-start.erb Adds resecure_cert_cache() and invokes it after configure_tomcat/configure_spring_boot to restore secure ownership/modes.
jobs/uaa/spec Updates defaults (uaa.logging_level to INFO, redirect matching default to exact) and documents the breaking redirect-matching change.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/perform-release.sh
Comment on lines +10 to 12
SAVEDIR=$(mktemp -d)
RELEASES=$SAVEDIR/releases
FINAL_BUILDS=$SAVEDIR/.final_builds
Comment thread scripts/perform-release.sh
Comment on lines +125 to +130
# we save private.yml to a secure temp file so it survives branch switches
# and is cleaned up automatically on exit.
PRIVATE_YML_COPY=$(mktemp)
chmod 0600 "${PRIVATE_YML_COPY}"
trap 'rm -f "${PRIVATE_YML_COPY}"' EXIT

Comment thread jobs/uaa/templates/config/log4j2.properties.erb
%>
property.log_directory = /var/vcap/sys/log/uaa
property.log_pattern=[<%= timestamp_format %>] uaa%X{context} - %pid [%t] - [%X{traceId},%X{spanId}] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
property.log_pattern=[<%= timestamp_format %>] uaa%X{context} - %pid [%t] - [%X{traceId},%X{spanId}] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=|code=|access_token=|refresh_token=|id_token=)([^&\s]*)}{<redacted>}%n
Comment thread jobs/uaa/spec
NOTE: changing this from `legacy` to `exact` is a breaking change for clients that rely on
wildcard or subdomain redirect URI matching. Review all registered client redirect URIs before
enabling `exact` mode in existing deployments.
default: exact
@duanemay duanemay mentioned this pull request May 12, 2026
Open
strehle
strehle reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@strehle strehle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two issues from the review addressed below (on the local branch pr/improve-startup-scripts-and-logs):

1. SAVEDIR not cleaned up in trap

The trap only removed PRIVATE_YML_COPY but not SAVEDIR (the mktemp -d temp directory). Fixed:

-trap 'rm -f "${PRIVATE_YML_COPY}"' EXIT
+trap 'rm -rf "${SAVEDIR}" "${PRIVATE_YML_COPY}"' EXIT

2. config/private.yml restored without permissions

cp "${PRIVATE_YML_COPY}" config/ would silently create a world-readable config/private.yml if one didn't already exist, undoing the chmod 0600 on the temp copy. Fixed using install:

-cp "${PRIVATE_YML_COPY}" config/
+install -m 0600 "${PRIVATE_YML_COPY}" config/private.yml

Note: copy_master_release_metadata still does rm -rf $SAVEDIR; mkdir -p $SAVEDIR which would break the trap invariant, but it's currently commented out — worth fixing or removing if it's dead code.

strehle
strehle reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@strehle strehle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see 8264b61

@strehle strehle requested a review from Copilot May 19, 2026 22:04
Copilot AI reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.

Comment thread scripts/perform-release.sh
Comment on lines +126 to +129
# and is cleaned up automatically on exit.
PRIVATE_YML_COPY=$(mktemp)
chmod 0600 "${PRIVATE_YML_COPY}"
trap 'rm -f "${PRIVATE_YML_COPY}"' EXIT
Comment thread jobs/uaa/templates/config/log4j2.properties.erb
%>
property.log_directory = /var/vcap/sys/log/uaa
property.log_pattern=[<%= timestamp_format %>] uaa%X{context} - %pid [%t] - [%X{traceId},%X{spanId}] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
property.log_pattern=[<%= timestamp_format %>] uaa%X{context} - %pid [%t] - [%X{traceId},%X{spanId}] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=|code=|access_token=|refresh_token=|id_token=)([^&\s]*)}{<redacted>}%n
Comment thread jobs/uaa/spec
Comment on lines 204 to 207
uaa.logging_level:
description: Set UAA logging level. (e.g. TRACE, DEBUG, INFO)
default: DEBUG
default: INFO
uaa.logging.format.timestamp:
Comment thread jobs/uaa/spec
Comment on lines 578 to 587
uaa.client.redirect_uri.matching_mode:
description: |
When set to `legacy`, allow unsafe matching of redirect URIs.
For example, https://example.com would also match all subdomains and all paths of https://example.com.
When set to `exact`, will provide OAuth2 spec-compliant (RFC6749) exact redirect URI matching.
default: legacy
NOTE: changing this from `legacy` to `exact` is a breaking change for clients that rely on
wildcard or subdomain redirect URI matching. Review all registered client redirect URIs before
enabling `exact` mode in existing deployments.
default: exact

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@strehle strehle strehle left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Foundational Infrastructure Working Group
Status: Inbox

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fhanik @strehle