opendevstack · hrcornejo · Sep 26, 2023 · Nov 18, 2021 · Nov 25, 2021 · Nov 25, 2021
@@ -0,0 +1,3 @@
+# Enable auto-env through the sdkman_auto_env config
+# Add key=value pairs of SDKs to use below
+java=11.0.14-tem
@@ -2,6 +2,31 @@
 
 ## Unreleased
 
+## [4.1] - 2022-11-17
+
+### Added
+- Add a configurable ui disclaimer to be set with properties ([#706](https://github.com/opendevstack/ods-provisioning-app/issues/706))
+
+### Fixed
+- DELETE_COMPONENTS API stores and returns project with deleted quickstarter([#702](https://github.com/opendevstack/ods-provisioning-app/issues/702))
+- API DELETE*: wrong jenkins run job (lastExecutionJobs) returned ([#710](https://github.com/opendevstack/ods-provisioning-app/issues/710))
+- Missing bitbucket repository description on repository creation event ([#713](https://github.com/opendevstack/ods-provisioning-app/issues/713))
+- Fix problem assigning admin permissions to bitbucket repositories ([#700](https://github.com/opendevstack/ods-provisioning-app/pull/700))
+- Fix problem assigning admin permissions to bitbucket repositories ([#700](https://github.com/opendevstack/ods-provisioning-app/pull/700))
+- Fixes jcenter repository no more available. ([#737](https://github.com/opendevstack/ods-provisioning-app/pull/737))
+- Fixes could not find com.atlassian.platform:platform:3.5.2 ([#738](https://github.com/opendevstack/ods-provisioning-app/pull/738))
+- ODS AMI E2E quickstarter prov app fails due to no nexus equal false ([#730](https://github.com/opendevstack/ods-provisioning-app/pull/730))
+- Error in RestClientTest using profile "crowd" ([#743](https://github.com/opendevstack/ods-provisioning-app/pull/743))
+
+### Changed
+- Disable openshift service adapter by default ([#721](https://github.com/opendevstack/ods-provisioning-app/pull/721))
+- Update OpenShift client to use fabric8 OpenShift client (OpenShift 4 compatible) ([#720](https://github.com/opendevstack/ods-provisioning-app/pull/720))
+- Disable openshift service adapter by default ([#721](https://github.com/opendevstack/ods-provisioning-app/pull/721))
+- Removed creation of shortcuts ([#735](https://github.com/opendevstack/ods-provisioning-app/pull/735))
+
+
+## [4.0] - 2021-11-18
+
 ### Added
 
 - SPA dependencies update incl. Angular 12 ([#692](https://github.com/opendevstack/ods-provisioning-app/issues/692))
@@ -14,6 +39,7 @@
 - Parameterise jira project type templates ([#404](https://github.com/opendevstack/ods-provisioning-app/issues/404))
 - Provision app should support reuse of shared schemes for Jira & not create permission schemes every time ([#151](https://github.com/opendevstack/ods-provisioning-app/issues/151))
 - Add changelog enforcer as GitHub Action to workflow ([#657](https://github.com/opendevstack/ods-provisioning-app/issues/657))
+- Add a configurable ui disclaimer to be set with properties ([#706](https://github.com/opendevstack/ods-provisioning-app/issues/706)) 
 
 ### Fixed
 
@@ -38,6 +64,11 @@
 - Improve authorization of quickstarter endpoint ([#572](https://github.com/opendevstack/ods-provisioning-app/issues/572))
 - Unknown exception (e.g. existing JIRA project) raised in REST create project endpoint / addProject causes removal of existing projects ([#514](https://github.com/opendevstack/ods-provisioning-app/issues/514))
 - Logging in debug level shows too much jwt details ([#486](https://github.com/opendevstack/ods-provisioning-app/issues/486))
+- Drop prerelease of antora page version in 4.x (https://github.com/opendevstack/ods-documentation/issues/66)
+- DELETE_COMPONENTS API stores and returns project with deleted quickstarter([#702](https://github.com/opendevstack/ods-provisioning-app/issues/702))
+- API DELETE*: wrong jenkins run job (lastExecutionJobs) returned ([#790](https://github.com/opendevstack/ods-provisioning-app/issues/790))
+- Add missing bitbucket repository description on repository creation event ([#712](https://github.com/opendevstack/ods-provisioning-app/issues/712))
+- Bump antora page version in master (https://github.com/opendevstack/ods-documentation/issues/66)
 
 ## [3.0] - 2020-08-11
 

@@ -28,7 +28,26 @@ def stageBuild(def context) {
   }
   stage('Build and Unit Test') {
     withEnv(["TAGVERSION=${context.tagversion}", "NEXUS_USERNAME=${context.nexusUsername}", "NEXUS_PASSWORD=${context.nexusPassword}", "NEXUS_HOST=${context.nexusHost}", "JAVA_OPTS=${javaOpts}","GRADLE_TEST_OPTS=${gradleTestOpts}","ENVIRONMENT=${springBootEnv}"]) {
-      def status = sh(script: "./gradlew clean build --stacktrace --no-daemon", returnStatus: true)
+      def status = sh(script: '''
+        source use-j11.sh || echo 'ERROR: We could NOT setup jdk 11.'
+        ./gradlew --version || echo 'ERROR: Could NOT get gradle version.'
+        java -version || echo 'ERROR: Could NOT get java version.'
+        echo "JAVA_HOME: $JAVA_HOME" || echo "ERROR: JAVA_HOME has NOT been set."
+
+        retryNum=0
+        downloadResult=1
+        while [ 0 -ne $downloadResult ] && [ 5 -gt $retryNum ]; do
+            set -x
+            ./gradlew -i dependencies 
+            set +x
+            downloadResult=$?
+            let "retryNum=retryNum+1"
+        done
+
+        set -x
+        ./gradlew -i clean build --full-stacktrace --no-daemon
+        set +x
+      ''', returnStatus: true)
       if (status != 0) {
         error "Build failed!"
       }

@@ -35,6 +35,7 @@ sourceCompatibility = 1.11
 
 repositories {
     if (!no_nexus) {
+        println("INFO: using nexus repositories, because property no_nexus=$no_nexus and nexus_url=${nexus_url}")
         def nexusMaven = { repoUrl ->
             maven {
                 credentials {
@@ -44,12 +45,29 @@ repositories {
                 url repoUrl
             }
         }
-        nexusMaven("${nexus_url}/repository/jcenter/")
         nexusMaven("${nexus_url}/repository/maven-public/")
         nexusMaven("${nexus_url}/repository/atlassian_public/")
+        maven() {
+            url "https://packages.atlassian.com/mvn/maven-atlassian-external/"
+        }
+        maven() {
+            url "https://packages.atlassian.com/maven-public/"
+        }
     } else {
+        println("INFO: using repository 'mavenCentral', because property no_nexus=$no_nexus")
         mavenCentral()
-        jcenter()
+        maven() {
+            url "https://maven.atlassian.com/content/repositories/atlassian-public/"
+        }
+        maven() {
+            url "https://packages.atlassian.com/mvn/maven-atlassian-external/"
+        }
+        maven() {
+            url "https://packages.atlassian.com/maven-public/"
+        }
+        maven() {
+            url 'https://jcenter.bintray.com/'
+        }
     }
 }
 
@@ -83,7 +101,7 @@ dependencies {
     implementation('org.springframework.security:spring-security-oauth2-jose')
     implementation('org.springframework.security.oauth:spring-security-oauth2:2.5.0.RELEASE')
 
-    implementation('com.openshift:openshift-restclient-java:9.0.1.Final') {
+    implementation('io.fabric8:openshift-client:5.12.1') {
         exclude(group: 'org.slf4j', module: 'slf4j-api')
         exclude(group: 'org.slf4j', module: 'slf4j-log4j12')
     }
@@ -105,10 +123,23 @@ dependencies {
     //easy http calls to atlassian JSON APIs
     implementation('com.squareup.okhttp3:okhttp:4.9.0')
 
+    implementation('commons-io:commons-io:2.11.0')
     implementation('commons-httpclient:commons-httpclient:3.1')
-    implementation('com.atlassian.security:atlassian-cookie-tools:3.2.14')
+    implementation('com.atlassian.platform:platform') {
+        version {
+            strictly '3.5.2'
+        } // Cannot upgrade to '3.5.24'
+        transitive = true
+    }
+    implementation('com.atlassian.security:atlassian-security:3.2.14') {
+        transitive = true
+    }
+    implementation('com.atlassian.security:atlassian-cookie-tools:3.2.14') {
+        transitive = true
+    }
     implementation('javax.validation:validation-api:2.0.1.Final')
-    implementation('com.atlassian.crowd:crowd-integration-springsecurity:1000.82.0') {
+    implementation('com.atlassian.crowd:crowd-integration-springsecurity:5.1.3') {
+        /*
         exclude(group: 'commons-httpclient')
         exclude(group: 'org.apache.ws.commons', module: 'XmlSchema')
         // Explicitly excludes vulnerable versions
@@ -118,12 +149,18 @@ dependencies {
         exclude(group: 'commons-fileupload', module: 'commons-fileupload')
         exclude(group: 'com.fasterxml.jackson.core', module: 'jackson-databind')
         exclude(group: 'org.aspectj', module: 'aspectjweaver')
-        exclude(group: 'com.google.guava', module: 'guava')
+        exclude(group: 'com.google.guava', module: 'guava')*/
     }
 
+    implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
+    implementation group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.1'
+    implementation group: 'xerces', name: 'xercesImpl', version: '2.9.1'
+
+
     // latest version of excluded libs: refactor this when upgrading to new 'com.atlassian.crowd:crowd-integration-springsecurity'
-    implementation('com.google.guava:guava:30.0-jre')
 
+    //implementation('com.google.guava:guava:30.0-jre')
+    testImplementation('com.github.tomakehurst:wiremock-jre8:2.32.0')
 }
 
 bootJar {
@@ -194,4 +231,17 @@ task npmBuild(type:Exec) {
     commandLine 'npm', 'run', 'build'
 }
 
-bootRun.dependsOn npmBuild
+//bootRun.dependsOn npmBuild
+
+configurations.all {
+    resolutionStrategy.eachDependency {
+        // com.atlassian.platform:platform:3.5.2
+        if(it.requested.name == 'platform') {
+            it.useTarget 'com.atlassian.platform:platform:3.5.24'
+        }
+    }
+}
+
+// configurations.implementation {
+//    exclude group: 'com.google.code.findbugs', module: 'jsr305'
+// }
@@ -20,4 +20,4 @@ ENTRYPOINT ["entrypoint.sh"]
 # which are defined in classpath:/application.properties
 # for details refert to Spring boot documention:
 # https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-external-config
-CMD ["java", "-jar", "app.jar", "--spring.config.additional-location=/quickstarters/quickstarters.properties,optional:file:/jira-project-types/additional-templates.properties"]
+CMD ["java", "-jar", "app.jar", "--spring.config.additional-location=/quickstarters/quickstarters.properties,optional:file:/jira-project-types/additional-templates.properties"]
@@ -1,3 +1,3 @@
 name: opendevstack
-version: 4.x
-prerelease: Preview
+version: 5.x
+prerelease: Preview
@@ -172,7 +172,7 @@ The process for new operations to be called is:
 
 == Consuming REST APIs via curl
 
-Basic Auth authentication is the recommended way to consume REST API. How to enable Basic Auth authentication is explained xref:provisioning-app:configuration.adoc:Authentication Crowd Configuration[here].
+Basic Auth authentication is the recommended way to consume REST API. How to enable Basic Auth authentication is explained in xref:provisioning-app:configuration.adoc#_authentication_crowd_configuration[Authentication Crowd Configuration].
 
 The following sample script could be used to provision a new project, add a quickstarter to a project or remove a project.
 It uses Basic Auth to authenticate the request.

@@ -50,19 +50,101 @@ However there is a special knob to tighten security (which can be passed with th
 . user group: read / write rights on the generated projects / spaces / repositories
 . readonly group: read rights on the generated projects / spaces / repositories
 
+Moreover, a specific CD user (technical user for the continuous delivery platform) can optionally be specified.
+
 The configuration for the permission sets are configured:
 
 . JIRA Project is provisioned with its own permissionset defined in https://github.com/opendevstack/ods-provisioning-app/blob/master/src/main/resources/permission-templates/jira.permission.all.txt[src/main/resources/permission-templates/jira.permission.all.txt]
 . Confluence Project is provisioned with special permission set defined in https://github.com/opendevstack/ods-provisioning-app/blob/master/src/main/resources/permission-templates[src/main/resources/permission-templates/confluence.permission.*]
-. Bitbucket Project is provisioned with tight read & write roles
+. Bitbucket Project is provisioned with the permissions detailed in the section <<Bitbucket permissions>>.
 . Openshift Project roles linked to the passed groups (`READONLY` - `view`, `ADMINGROUP` - `admin`, `USERS` - `edit`)
 
 Furthermore if you need to define default permission for openshift (e.g. to setup membership permission for cluster admins) you can add this to your application properties:
 ```
 jenkinspipeline.create-project.default-project-groups=ADMINGROUP=<MY_CLUSTER_ADMIN_GROUP_NAME>
 ```
 
-In case special permissions sets are defined this the default project groups will be appended to the lis of permissions sets.
+In case special permissions sets are defined this the default project groups will be appended to the list of permissions sets.
+
+=== Bitbucket permissions
+Permissions are set both at project and repository levels.
+
+Whenever the same user or group is assigned different permissions in the same project or repository,
+the actual permissions assigned are the higher-level ones.
+
+For example, if a group is assigned read-only and R/W permissions in the same project,
+it will get R/W permissions on it. If a user is assigned both R/W and admin permissions in a repository,
+it will get admin permissions on it.
+
+The mentioned properties in the following subsections have default values specified in the `application.properties` file.
+Their values can be overridden in the corresponding config map.
+
+==== Project level
+Permissions set at project level depend on whether the special permission set has been specified or not.
+
+If the special permission set has been specified, these are the permissions set at project level:
+
+|===
+|Type |Who? |Permission
+
+|Group|`${global.keyuser.role.name}`|Admin
+|Group|admin group|Admin
+|Group|user group|R/W
+|Group|readonly group|Read only
+|User|CD user (Default:  `${bitbucket.technical.user}`)|R/W
+|===
+
+Additionally, whenever a specific CD User is specified on project creation,
+this user gets read permissions in all repositories specified as readable repos
+(such as link:https://github.com/opendevstack/ods-jenkins-shared-library[ods-jenkins-shared-library]
+and link:https://github.com/opendevstack/ods-quickstarters[ods-quickstarters]).
+
+Note that, if a specific CD user has not been specified,
+it defaults to the value of the `bitbucket.technical.user` property.
+
+If the special permission set has not been specified, these are the default permissions assigned to the project:
+
+|===
+|Type |Who? |Permission
+
+|Group|`${bitbucket.default.user.group}`|R/W
+|Group|`${idmanager.group.opendevstack-users}`|Read only
+|User|CD user (Default:  `${bitbucket.technical.user}`)|R/W
+|===
+
+Additionally, whenever a specific CD User is specified on project creation,
+this user gets read permissions in all repositories specified as readable repos
+(such as link:https://github.com/opendevstack/ods-jenkins-shared-library[ods-jenkins-shared-library]
+and link:https://github.com/opendevstack/ods-quickstarters[ods-quickstarters]).
+
+Note that no admin permissions are assigned to the project when a special permission set has not been specified.
+The only project-level administrators are the global Bitbucket administrators, in this case.
+
+==== Repository level
+Repositories belonging to a project inherit the project permissions.
+Some additional permissions are assigned at repository level.
+
+The following tables show the permissions specified at repository level.
+
+These are the permissions assigned to the repository when a special permission set has been specified:
+
+|===
+|Type |Who? |Permission
+
+|User|`${bitbucket.technical.user}`|R/W
+|===
+
+These are the permissions assigned to the repository when a special permission set has not been specified:
+
+|===
+|Type |Who? |Permission
+
+|Group|`${bitbucket.default.admin.group}` (default: `${bitbucket.default.user.group}`)|Admin
+|User|`${bitbucket.technical.user}`|R/W
+|===
+
+If the `bitbucket.default.admin.group` property is specified with an empty value,
+no admin permissions are assigned at repository level.
 
 == Project/Space types based on templates
 
@@ -144,7 +226,7 @@ NOTE: If no `permission-scheme-id` with the corresponding `project-to-role-*` ma
 
 === Add Webhook Proxy URL to jira project properties based on project type
 It is possible to configure the Provisioning App to add to jira project the Webhook Proxy URL as project property.
-Jira provides an REST API for this purpose (https://docs.atlassian.com/software/jira/docs/api/REST/8.5.3/#api/2/project/{projectIdOrKey}/properties-setProperty)[Jira Properties API])
+Jira provides an REST API for this purpose (https://docs.atlassian.com/software/jira/docs/api/REST/8.5.3/#api/2/project/\{projectIdOrKey}/properties-setProperty)[Jira Properties API])
 
 This functionality can be configured for each project type.
 To enable this you will need to:
@@ -324,18 +406,30 @@ The credentials are read by caling the method _getUserName_ and _getUserPassword
 
 === Other configuration
 
-To adapt the provisioning app to your infrastructure following properties will help you to disable some adapters/services.
+To adapt the provisioning app to your infrastructure following properties will help you to enable/disable some adapters/services.
 
 To disable the confluence adapter you can add this property to the application properties:
 ```
 adapters.confluence.enabled=false
 ```
 
-The Openshift Service currently is used to verify that a project key does not exists in the cluster before provisioning a project.
-If you need to disable it, you can add this property to the application properties:
+The Openshift Service can be used to verify that a project key does not exist in the cluster before provisioning a project.
+If you want to enable it, you can add this property to the application properties:
+```
+services.openshift.enabled=true
+```
+
+If you need to display a disclaimer in the front-end you can add this property to the application properties:
+```
+provision.ui.disclaimer=<DISCLAIMER_TEXT>
+```
+NOTE: this property is not supported yet in the single page front-end.
+
+If you need to display a disclaimer in the front-end you can add this property to the application properties:
 ```
-services.openshift.enabled=false
+provision.ui.disclaimer=<DISCLAIMER_TEXT>
 ```
+NOTE: this property is not supported yet in the single page front-end.
 
 == FAQ