Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
# NOTE: if this gets more complicated, consider having this as a bash script
run: mkdir -p ./legend-shared-server/target && touch ./legend-shared-server/target/legend-shared-server-dummy.jar && docker build --quiet --tag local/legend-shared-server:${{ github.sha }} ./legend-shared-server
- name: Scan image for security issues
uses: aquasecurity/trivy-action@0.2.2
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
with:
# TODO: we should probably also setup misconfiguration scanning
# See https://github.com/aquasecurity/trivy-action#using-trivy-to-scan-infrastucture-as-code
Expand Down
55 changes: 55 additions & 0 deletions CLAUDE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## What this repo is

Shared server-side infrastructure used across FINOS Legend applications: pac4j-based authentication, OpenTracing instrumentation, and a Dropwizard static-content server. Published to Maven Central as `org.finos.legend.shared:*`. Two tenets govern changes (from README): code must be genuinely used by the majority of Legend applications, and new dependencies are heavily scrutinized.

## Build and test

Maven multi-module build (parent pom at repo root, version `0.35.x`).

- Build everything: `mvn install`
- Build one module (with its deps): `mvn install -pl legend-shared-pac4j -am`
- Run all tests in a module: `mvn test -pl legend-shared-pac4j`
- Run a single test class: `mvn test -pl legend-shared-pac4j -Dtest=TestMongoDbSessionStore`
- CI runs: `mvn install javadoc:javadoc`

JDK: the enforcer plugin requires JDK 11, 17, 21, or 25 to *build* (CI uses 25), but `maven.compiler.release` is **8** — source code must stay Java 8 compatible (no `var`, no newer language features or APIs).

Surefire test reports from all modules aggregate into `legend-shared-test-reports/surefire-reports-aggregate`. Tests use JUnit 4 (plus Mockito; Mongo tests use an in-memory `mongo-java-server`).

## Checkstyle

`mvn verify` runs checkstyle with `checkstyle_legend.xml` and **fails on warnings**. Notable enforced style:

- Allman braces: opening brace on its own line (`LeftCurly` = `nl`), closing brace alone.
- No star imports; custom import order; no tabs; 4-space indentation.
- Every file needs the Apache 2.0 license header (see any existing `.java` file).

Match the existing brace/format style exactly when editing — checkstyle will block the build otherwise.

## Module architecture

**Dependency management:**
- `legend-shared-bom` — the single source of truth for dependency versions. All version properties and `dependencyManagement` live in `legend-shared-bom/pom.xml`; the root pom imports it (`<scope>import</scope>`), and it is published so Legend applications can import it too. Its parent is `org.finos:finos` (not the root pom — that would create a model cycle), so its `<version>` is a literal kept in lockstep by the release plugin, and it carries its own `docker` profile skip. To change a dependency version, edit the BOM, not the root pom.

**Authentication (pac4j):**
- `legend-shared-pac4j` — the core. `LegendPac4jBundle` is a Dropwizard bundle (extends `Pac4jBundle`) that Legend apps install to get authentication; it wires pac4j `Client`s from YAML config (`LegendPac4jConfiguration`), sets up security filters (`internal/SecurityFilterHandler`, `UsernameFilter`), and selects a session store. Session state can live in MongoDB (`mongostore/MongoDbSessionStore`, encrypted via `SessionCrypt`) or Hazelcast (`hazelcaststore/HazelcastSessionStore`), fronted by `internal/HttpSessionStore`; `sessionutil/SessionToken` manages the session cookie. `mongoauthorizer/MongoDbAuthorizer` authorizes against a Mongo collection.
- `legend-shared-pac4j-kerberos`, `-gitlab`, `-ping` — pluggable pac4j clients/authenticators for each identity provider, discovered via Jackson subtypes in app YAML config. The GitLab module includes personal-access-token auth and group-based authorization.

**Tracing (OpenTracing/Zipkin):**
- `legend-shared-opentracing-base` — core `OpenTracing` setup, span reporters, pluggable `AuthenticationProvider`s for the trace collector.
- `legend-shared-opentracing-jersey` — `JerseyClientSender` for shipping spans over Jersey.
- `legend-shared-opentracing-servlet-filter` — `OpenTracingFilter` and span decorators for inbound requests.
- `legend-shared-opentracing-test` — shared test helper (`ClientSenderTest`).

**Server:**
- `legend-shared-server` — Dropwizard static-content server (`staticserver/Server` is the main class) plus reusable bundles Legend apps install: `StaticServerBundle`, `LocalAssetBundle`/`LocalAssetServlet`, CORS (`CorsBundleWrapper`), `OpenTracingBundle`, `HtmlRouterRedirectBundle`, `HostnameHeaderBundle`. Has a `Dockerfile`; the docker image is built by the `docker.yml` workflow.

The dependency direction: `legend-shared-server` consumes the pac4j and opentracing modules; provider modules (`-kerberos`, `-gitlab`, `-ping`) depend on `legend-shared-pac4j`.

## Releases

Releases are cut via maven-release-plugin through GitHub workflows (`release.yml`); commits containing `[maven-release-plugin]` are skipped by CI. Don't bump versions manually.
28 changes: 27 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,35 @@ The important tenets for this project are:
* Code must be genuinely used by the majority of Legend applications
* New dependencies must be carefully scrutinized - the goal is to minimize unnecessary dependencies in apps.

## Using the BOM

Legend applications can import `legend-shared-bom` to normalize the versions of the
`org.finos.legend.shared:*` modules and the common third-party stack (Jackson, Dropwizard,
pac4j, Jetty, Guava, SLF4J, MongoDB driver, Hazelcast, test libraries, etc.):

```xml
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.finos.legend.shared</groupId>
<artifactId>legend-shared-bom</artifactId>
<version>${legend.shared.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
```

Notes:
* Some managed entries carry deliberate `<exclusions>` (e.g. `shiro-core` from `pac4j-core`) that
encode CVE/conflict resolutions; these propagate to importers by design.
* To override a version, declare the artifact in your own `dependencyManagement` before (or instead
of) relying on the import — redefining the BOM's version properties has no effect across an import.

## Development setup

This application uses Maven 3.6+ and JDK 8. Simply run `mvn install` to compile.
This application uses Maven 3.6+ and JDK 11, 17, 21, or 25 (compiled code targets Java 8). Simply run `mvn install` to compile.

## Roadmap

Expand Down
Loading
Loading