diff --git a/jobs/uaa/spec b/jobs/uaa/spec index 9ed88295b8..cc4ae2836c 100644 --- a/jobs/uaa/spec +++ b/jobs/uaa/spec @@ -203,7 +203,7 @@ properties: description: "The url to use as the issuer URI" uaa.logging_level: description: Set UAA logging level. (e.g. TRACE, DEBUG, INFO) - default: DEBUG + default: INFO uaa.logging.format.timestamp: description: "Format for timestamp in component logs. Valid values are 'rfc3339', 'rfc3339-legacy', and 'deprecated'. 'rfc3339' sets the format to be {yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z which is rfc3339 compliant but additionally has microsecond precision and is set to UTC timezone. 'rfc3339-legacy' sets the time format to be yyyy-MM-dd'T'HH:mm:ss.SSSXXX. 'deprecated' sets the time format to be yyyy-MM-dd HH:mm:ss.SSS." default: rfc3339 @@ -580,7 +580,10 @@ properties: When set to `legacy`, allow unsafe matching of redirect URIs. For example, https://example.com would also match all subdomains and all paths of https://example.com. When set to `exact`, will provide OAuth2 spec-compliant (RFC6749) exact redirect URI matching. - default: legacy + NOTE: changing this from `legacy` to `exact` is a breaking change for clients that rely on + wildcard or subdomain redirect URI matching. Review all registered client redirect URIs before + enabling `exact` mode in existing deployments. + default: exact # Clients uaa.clients: diff --git a/jobs/uaa/templates/bin/pre-start.erb b/jobs/uaa/templates/bin/pre-start.erb index b04c7b3da4..eb62e725c5 100755 --- a/jobs/uaa/templates/bin/pre-start.erb +++ b/jobs/uaa/templates/bin/pre-start.erb 
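Review bot: The `uaa.logging_level` description does not mention that the default moved from `DEBUG` to `INFO`, so an operator who never set the property gets noticeably less log detail after upgrading with no hint in the spec, while the redirect-URI property later in this same file does get an explicit NOTE for its default change. I would append to the description: `The default is INFO. DEBUG is far more verbose and may expose request details in component logs; enable it only temporarily for troubleshooting.` The enclosing `properties:` block continues outside the hunk.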
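Review bot: The new NOTE tells operators to review client redirect URIs "before enabling `exact` mode", but with the default now `exact` nothing is enabled explicitly: every deployment that does not pin this property will switch to strict matching on its next deploy, and clients that rely on subdomain or wildcard matching will presumably be rejected at authorization time. The NOTE should say so and name the opt-out, e.g. `Deployments that do not set this property explicitly will switch to 'exact' on upgrade; set it to 'legacy' to keep the previous (unsafe) behaviour while client redirect URIs are being fixed.` Since the description itself calls `legacy` matching unsafe, marking that value as deprecated in the same sentence would make the migration direction clear. The property name and its `description:` key lie above the hunk.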
@@ -176,6 +176,17 @@ function configure_tomcat { chown -R vcap:vcap /var/vcap/data/uaa/ } +function resecure_cert_cache { + # configure_tomcat hands all of /var/vcap/data/uaa/ to vcap via chown -R. + # Re-secure cert-cache so that the vcap process cannot tamper with the + # truststore between deploys. vcap retains read-only access via the + # execute bit on the directory and world-readable mode on the files. + chown root:root "${PERSISTENT_CERTS_DIR}" + chmod 0711 "${PERSISTENT_CERTS_DIR}" + find "${PERSISTENT_CERTS_DIR}" -maxdepth 1 -type f -exec chown root:root {} + + find "${PERSISTENT_CERTS_DIR}" -maxdepth 1 -type f -exec chmod 0644 {} + +} + function configure_spring_boot { # When run with bpm, the vcap user does not have permissions to read # files in the jobs and packages directories. Consequently, we move @@ -213,6 +224,8 @@ configure_tomcat configure_spring_boot +resecure_cert_cache + rm -rf $TMP_DIR log "Completed" diff --git a/jobs/uaa/templates/config/log4j2.properties.erb b/jobs/uaa/templates/config/log4j2.properties.erb index 8a143fc369..7f18e89dca 100644 --- a/jobs/uaa/templates/config/log4j2.properties.erb +++ b/jobs/uaa/templates/config/log4j2.properties.erb @@ -15,7 +15,7 @@ case logging_format_timestamp_value end %> property.log_directory = /var/vcap/sys/log/uaa -property.log_pattern=[<%= timestamp_format %>] uaa%X{context} - %pid [%t] - [%X{traceId},%X{spanId}] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{}%n +property.log_pattern=[<%= timestamp_format %>] uaa%X{context} - %pid [%t] - [%X{traceId},%X{spanId}] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=|code=|access_token=|refresh_token=|id_token=)([^&\s]*)}{}%n appender.uaaDefaultAppender.type = File appender.uaaDefaultAppender.name = UaaDefaultAppender diff --git a/scripts/perform-release.sh b/scripts/perform-release.sh index 69b812892e..331d33a44b 100755 --- a/scripts/perform-release.sh +++ b/scripts/perform-release.sh 
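Review bot: The comment's guarantee that vcap "cannot tamper with the truststore between deploys" does not hold if cert-cache lives under `/var/vcap/data/uaa/`, as the comment implies: that parent is handed to vcap by the `chown -R` at the top of the hunk, and the owner of a directory can rename, delete or replace any entry in it regardless of the entry's own root ownership and 0711 mode. If that is the layout, `resecure_cert_cache` only means something once the directory has a root-owned parent (or is moved out of the tree given to vcap). Within the function itself, `chown` without `-h` and `chmod` both follow a symlink at `${PERSISTENT_CERTS_DIR}`, and `find -maxdepth 1 -type f` skips symlinks and subdirectories, which stay vcap-owned; I would refuse to continue when the path is unset, missing, or a symlink, with `[ -n "${PERSISTENT_CERTS_DIR:-}" ] && [ -d "${PERSISTENT_CERTS_DIR}" ] && [ ! -L "${PERSISTENT_CERTS_DIR}" ] || { log "cert-cache dir unset, missing or a symlink: ${PERSISTENT_CERTS_DIR:-<unset>}"; exit 1; }` as the first statement. Where `PERSISTENT_CERTS_DIR` is defined is outside the hunk.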
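Review bot: The new `\s` in `[^&\s]*` will not survive loading: log4j2 reads `.properties` configuration through `java.util.Properties`, which silently drops a backslash before an unrecognised escape, so the regex the layout actually compiles is `[^&s]*` and masking stops at the first letter `s` in the value (most of a JWT or a password would still be logged). Double the backslash in the template, `[^&\\s]*`, so the loaded value is `[^&\s]*`. The lookbehind alternatives are also unanchored, so `code=` matches inside `error_code=` or `response_code=` and blanks values that are not secrets; anchoring on the start of the parameter name, `(?<=(?:^|[?&,\\s])(?:password|client_secret|code|access_token|refresh_token|id_token)=)([^&\\s]*)`, keeps the masking targeted (the lookbehind stays bounded, which Java requires). Tokens logged in other shapes, such as JSON bodies or `Bearer` headers, are still untouched by this pattern, so it should be treated as a backstop rather than the primary control against secrets in logs.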
@@ -7,8 +7,7 @@ CYAN='\033[0;36m' BOLD='\033[0;1m' NC='\033[0m' # No Color -TMPDIR=/tmp -SAVEDIR=$TMPDIR/uaa-release-save +SAVEDIR=$(mktemp -d) RELEASES=$SAVEDIR/releases FINAL_BUILDS=$SAVEDIR/.final_builds @@ -123,12 +122,16 @@ git fetch --all --prune > /dev/null echo -e "${CYAN}Creating bosh UAA-release ${GREEN} ${1} ${NC} using `bosh -v`" -# we save private.yml to a temp directory -# just in case it gets deleted during branch switch +# we save private.yml to a secure temp file so it survives branch switches +# and is cleaned up automatically on exit. +PRIVATE_YML_COPY=$(mktemp) +chmod 0600 "${PRIVATE_YML_COPY}" +trap 'rm -f "${PRIVATE_YML_COPY}"' EXIT + if [ "$#" -ge 3 ]; then - cp $3 /tmp/private.yml + cp "$3" "${PRIVATE_YML_COPY}" elif [ -f config/private.yml ]; then - cp config/private.yml /tmp/private.yml + cp config/private.yml "${PRIVATE_YML_COPY}" else echo -e "${RED}ERROR:${NC} Missing private.yml file" >&2 usage @@ -140,7 +143,7 @@ git checkout $branch_to_release_from sub_update # restore private.yml in case it got deleted -cp /tmp/private.yml config/ +cp "${PRIVATE_YML_COPY}" config/ echo -e "${CYAN}Building tarball ${GREEN}${1}${NC} and tag with ${GREEN}v${1}${NC}" # create a release tar ball - and a dev release
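Review bot: The `trap 'rm -f "${PRIVATE_YML_COPY}"' EXIT` installed here is the only EXIT handler, so `SAVEDIR` — now a fresh `mktemp -d` from the first hunk rather than the fixed `/tmp/uaa-release-save` — is never removed and every run leaves a new directory behind. Because a second `trap … EXIT` would silently replace this one, clean both in the same handler: `trap 'rm -rf "${SAVEDIR}" "${PRIVATE_YML_COPY}"' EXIT`. The `chmod 0600` is redundant since `mktemp` already creates the file 0600, but it is harmless, and `cp` onto the existing file keeps that mode, so the copied secret is not widened.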
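Review bot: `cp "${PRIVATE_YML_COPY}" config/` no longer restores `config/private.yml`: the source is now a `mktemp` file with a random basename (e.g. `tmp.aB3xYz`), and `cp` into a directory keeps the source basename, so the file lands as `config/tmp.aB3xYz`, the release build that follows runs without `private.yml`, and a stray copy of the secret file sits in the working tree where it could be committed. The removed line only worked because the temp file was itself named `private.yml`. Give the destination explicitly: `cp "${PRIVATE_YML_COPY}" config/private.yml`.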