General Information
The repository for this application (open on GitHub) has 12108 stars and was forked 5791 times. The codebase consists of 9977 lines of code and makes use of the following technologies:
Docker Eureka Hystrix Maven RabbitMQ Ribbon Spring Config Spring OAuth Turbine Zuul
Data Flow Diagram
Download the following model file here. Other formats are provided below.
{
"services": [
{
"name": "config",
"stereotypes": [
"configuration_server",
"plaintext_credentials",
"infrastructural",
"csrf_disabled",
"basic_authentication"
],
"tagged_values": {
"Port": 8888,
"Configuration Server": "Spring Cloud Config",
"Username": "user",
"Password": "password"
}
},
{
"name": "registry",
"stereotypes": [
"service_discovery",
"plaintext_credentials",
"infrastructural"
],
"tagged_values": {
"Service Discovery": "Eureka",
"Port": 8761
}
},
{
"name": "monitoring",
"stereotypes": [
"monitoring_dashboard",
"infrastructural"
],
"tagged_values": {
"Monitoring Dashboard": "Hystrix",
"Port": 8080
}
},
{
"name": "turbine_stream_service",
"stereotypes": [
"monitoring_server",
"infrastructural"
],
"tagged_values": {
"Monitoring Server": "Turbine",
"Port": 8989
}
},
{
"name": "rabbitmq",
"stereotypes": [
"message_broker",
"infrastructural"
],
"tagged_values": {
"Message Broker": "RabbitMQ",
"Port": 15672
}
},
{
"name": "auth_service",
"stereotypes": [
"authorization_server",
"pre_authorized_endpoints",
"infrastructural",
"token_server",
"encryption",
"local_logging",
"resource_server",
"csrf_disabled",
"authentication_scope_all_requests"
],
"tagged_values": {
"Authorization Server": "Spring OAuth2",
"Port": 5000,
"Pre-authorized Endpoints": [
"/users"
],
"Endpoints": [
"/users",
"/users/current"
]
}
},
{
"name": "account_service",
"stereotypes": [
"internal",
"pre_authorized_endpoints",
"local_logging",
"resource_server",
"circuit_breaker"
],
"tagged_values": {
"Port": 6000,
"Pre-authorized Endpoints": [
"/{name}"
],
"Circuit Breaker": "Hystrix",
"Endpoints": [
"/{name}",
"/",
"/uaa/users",
"/statistics/{accountName}",
"/current"
]
}
},
{
"name": "notification_service",
"stereotypes": [
"internal",
"local_logging",
"resource_server"
],
"tagged_values": {
"Port": 8000,
"Endpoints": [
"/accounts/{accountName}",
"/recipients/current",
"/recipients"
]
}
},
{
"name": "statistics_service",
"stereotypes": [
"internal",
"local_logging",
"pre_authorized_endpoints",
"resource_server"
],
"tagged_values": {
"Port": 7000,
"Pre-authorized Endpoints": [
"/{accountName}"
],
"Endpoints": [
"/latest",
"/current",
"/{accountName}"
]
}
},
{
"name": "auth_mongodb",
"stereotypes": [
"database",
"plaintext_credentials"
],
"tagged_values": {
"Database": "MongoDB",
"Username": "user",
"Password": "password"
}
},
{
"name": "account_mongodb",
"stereotypes": [
"database",
"plaintext_credentials"
],
"tagged_values": {
"Database": "MongoDB",
"Username": "user",
"Password": "password"
}
},
{
"name": "statistics_mongodb",
"stereotypes": [
"database",
"plaintext_credentials"
],
"tagged_values": {
"Database": "MongoDB",
"Username": "user",
"Password": "password"
}
},
{
"name": "notification_mongodb",
"stereotypes": [
"database",
"plaintext_credentials"
],
"tagged_values": {
"Database": "MongoDB",
"Username": "user",
"Password": "password"
}
},
{
"name": "gateway",
"stereotypes": [
"gateway",
"infrastructural",
"load_balancer"
],
"tagged_values": {
"Gateway": "Zuul",
"Port": 4000,
"Load Balancer": "Ribbon"
}
}
],
"information_flows": [
{
"sender": "config",
"receiver": "registry",
"stereotypes": [
"restful_http",
"plaintext_credentials_link"
],
"tagged_values": {}
},
{
"sender": "config",
"receiver": "monitoring",
"stereotypes": [
"restful_http",
"plaintext_credentials_link"
],
"tagged_values": {}
},
{
"sender": "turbine_stream_service",
"receiver": "registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "config",
"receiver": "turbine_stream_service",
"stereotypes": [
"restful_http",
"plaintext_credentials_link"
],
"tagged_values": {}
},
{
"sender": "turbine_stream_service",
"receiver": "monitoring",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "rabbitmq",
"receiver": "turbine_stream_service",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_service",
"receiver": "registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "config",
"receiver": "auth_service",
"stereotypes": [
"plaintext_credentials_link",
"restful_http"
],
"tagged_values": {}
},
{
"sender": "account_service",
"receiver": "registry",
"stereotypes": [
"restful_http",
"circuit_breaker_link"
],
"tagged_values": {
"'Circuit Breaker'": "\"Hystrix\""
}
},
{
"sender": "auth_service",
"receiver": "account_service",
"stereotypes": [
"restful_http",
"plaintext_credentials_link",
"auth_provider",
"authentication_with_plaintext_credentials"
],
"tagged_values": {}
},
{
"sender": "account_service",
"receiver": "auth_service",
"stereotypes": [
"restful_http",
"feign_connection",
"load_balanced_link"
],
"tagged_values": {
"'Load Balancer'": "\"Ribbon\""
}
},
{
"sender": "config",
"receiver": "account_service",
"stereotypes": [
"plaintext_credentials_link",
"restful_http"
],
"tagged_values": {}
},
{
"sender": "account_service",
"receiver": "rabbitmq",
"stereotypes": [
"restful_http",
"circuit_breaker_link"
],
"tagged_values": {}
},
{
"sender": "notification_service",
"receiver": "registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_service",
"receiver": "notification_service",
"stereotypes": [
"restful_http",
"plaintext_credentials_link",
"auth_provider",
"authentication_with_plaintext_credentials"
],
"tagged_values": {}
},
{
"sender": "config",
"receiver": "notification_service",
"stereotypes": [
"plaintext_credentials_link",
"restful_http"
],
"tagged_values": {}
},
{
"sender": "notification_service",
"receiver": "rabbitmq",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "notification_service",
"receiver": "mail_server",
"stereotypes": [
"plaintext_credentials_link",
"restful_http"
],
"tagged_values": {}
},
{
"sender": "statistics_service",
"receiver": "registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_service",
"receiver": "statistics_service",
"stereotypes": [
"restful_http",
"plaintext_credentials_link",
"auth_provider",
"authentication_with_plaintext_credentials"
],
"tagged_values": {}
},
{
"sender": "config",
"receiver": "statistics_service",
"stereotypes": [
"plaintext_credentials_link",
"restful_http"
],
"tagged_values": {}
},
{
"sender": "statistics_service",
"receiver": "rabbitmq",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "external_website",
"receiver": "statistics_service",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "account_service",
"receiver": "statistics_service",
"stereotypes": [
"restful_http",
"feign_connection",
"circuit_breaker_link",
"load_balanced_link"
],
"tagged_values": {
"'Circuit Breaker'": "\"Hystrix\"",
" 'Load Balancer'": "\"Ribbon\""
}
},
{
"sender": "notification_service",
"receiver": "account_service",
"stereotypes": [
"restful_http",
"feign_connection",
"load_balanced_link"
],
"tagged_values": {
"'Load Balancer'": "\"Ribbon\""
}
},
{
"sender": "account_mongodb",
"receiver": "account_service",
"stereotypes": [
"jdbc",
"plaintext_credentials_link"
],
"tagged_values": {}
},
{
"sender": "notification_mongodb",
"receiver": "notification_service",
"stereotypes": [
"jdbc",
"plaintext_credentials_link"
],
"tagged_values": {}
},
{
"sender": "statistics_mongodb",
"receiver": "statistics_service",
"stereotypes": [
"jdbc",
"plaintext_credentials_link"
],
"tagged_values": {}
},
{
"sender": "auth_mongodb",
"receiver": "auth_service",
"stereotypes": [
"jdbc",
"plaintext_credentials_link"
],
"tagged_values": {}
},
{
"sender": "registry",
"receiver": "gateway",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "user",
"receiver": "gateway",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "gateway",
"receiver": "user",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "config",
"receiver": "gateway",
"stereotypes": [
"plaintext_credentials_link",
"restful_http"
],
"tagged_values": {}
},
{
"sender": "gateway",
"receiver": "account_service",
"stereotypes": [
"restful_http",
"circuit_breaker_link",
"load_balanced_link"
],
"tagged_values": {
"'Load Balancer'": "\"Ribbon\"",
" 'Circuit Breaker'": "\"Hystrix\""
}
},
{
"sender": "gateway",
"receiver": "statistics_service",
"stereotypes": [
"restful_http",
"circuit_breaker_link",
"load_balanced_link"
],
"tagged_values": {
"'Load Balancer'": "\"Ribbon\"",
" 'Circuit Breaker'": "\"Hystrix\""
}
},
{
"sender": "gateway",
"receiver": "notification_service",
"stereotypes": [
"restful_http",
"circuit_breaker_link",
"load_balanced_link"
],
"tagged_values": {
"'Load Balancer'": "\"Ribbon\"",
" 'Circuit Breaker'": "\"Hystrix\""
}
},
{
"sender": "gateway",
"receiver": "auth_service",
"stereotypes": [
"restful_http",
"circuit_breaker_link",
"load_balanced_link",
"auth_provider"
],
"tagged_values": {
"'Load Balancer'": "\"Ribbon\"",
" 'Circuit Breaker'": "\"Hystrix\""
}
}
],
"external_entities": [
{
"name": "mail_server",
"stereotypes": [
"mail_server",
"plaintext_credentials",
"exitpoint",
"entrypoint"
],
"tagged_values": {
"Mail Server": "Gmail",
"Host": "smtp.gmail.com",
"Port": 465,
"Username": "dev-user",
"Password": "dev-password"
}
},
{
"name": "external_website",
"stereotypes": [
"external_website",
"entrypoint",
"exitpoint"
],
"tagged_values": {
"URL": "https://api.exchangeratesapi.io"
}
},
{
"name": "user",
"stereotypes": [
"user_stereotype",
"entrypoint",
"exitpoint"
],
"tagged_values": {}
}
]
}
Model Items
The Application consists of a total of 246 elements:
| Element | Count |
|---|---|
| Services | 14 |
| External Entities | 3 |
| Information Flows | 37 |
| Annotations | 192 |
| Total Items | 246 |
Model Representations
Open the model in the following formats:
Traceability
Open the traceability information for all model items:
Security Rules
The following table shows the application’s adherence to the 17 architectural security rules. The last column provides model variants that adhere to the rule for each rule that is initially violated.
| Rule ID | Verdict | Evidence | Model Variant |
|---|---|---|---|
| R1 | Evidence | ||
| R2 | Evidence | ||
| R3 | Evidence | ||
| R4 | Evidence | ||
| R5 | Evidence | ||
| R6 | Evidence | Variant | |
| R7 | Evidence | Variant | |
| R8 | Evidence | Variant | |
| R9 | Evidence | Variant | |
| R10 | Evidence | Variant | |
| R11 | Evidence | Variant | |
| R12 | Evidence | Variant | |
| R13 | Evidence | ||
| R14 | Evidence | ||
| R16 | Evidence | ||
| R17 | Evidence | Variant | |
| R18 | Evidence | Variant |
Evidence and explanations for rule decisions
R1
This rule is partially adhered to:
- The @EnableZuulProxy annotation is present,
- No evidence of separate access to authorization server,
- Authorization server route in YML of API Gateway
- only file in whole directory is the main class and there is no @EnableResourceServer annotation, which shows that there is no authentication/authorization at the API gateway.
Artifacts:
R2
Rule is adhered to:
- The @EnableResourceServer annotation is present at every downstream service > tokens are required for incoming requests for authorization even between requests between services
- Tokens need specific scope to be accepted
Artifacts:
- ResourceServerConfig.java: Line: 23
- AuthApplication.java: Line: 10
- ResourceServerConfig.java: Line: 18
- ResourceServerConfig.java: Line: 15
- StatisticsController.java: Line: 25
R3
This rule is adhered to:
- The @EnableAuthorizationServer annotation is present
- No JwtAccessTokenConverter -> Opaque Tokens
- Endpoint for validating user in tokens present
Artifacts:
R4
This rule is adhered to: Identity representations (opaque token) are used at all downstream services and between services for authorization due to @EnableResourceServer annotation, however no indication of a transformation present (see Rule 2 arguments).
R5
Rule is adhered to:
- Endpoint for validating is there per Rule 3 in the Authorization Server,
- Endpoint is listed under “security.oauth2.resource.user-info-uri” in application.yml at the config-server,
- See Rule 3 argumentation.
Artifacts:
- application.yml: Line: 23
R6
Rule is violated: There is no functionality present that enforces any consequences for a specific amount of failed login attempts
R7
Rule is violated:
- There are no certificates in the repository and no “server.ssl.key-store”/”server.ssl.trust-store” arguments inserted in the yml of the API gateway.
- The “server.ssl.enabled” is set, but only in test-suite YML-Configurations
Artifacts:
- gateway.yml: File
R8
Rule is violated: See Rule 7 argumentation.
Artifacts:
- gateway.yml: File
R9
Rule is violated: The README.md mentions centralized logging with elasticsearch, but there is no artifact in the repository to confirm.
Artifacts:
- README.md: Line: 192
R10
Rule is violated: No central logging system is deployed.
R11
Rule is violated: Logs are not explicitly sanitized.
R12
Rule is violated: No message broker is deployed and no logs are collected.
R13
Rule is adhered to: Hystrix is deployed as a circuit breaker on the gateway server with the @EnableZuulProxy annotation.
Artifacts:
R14
Rule is adhered to: The gateway server uses load balancing via Ribbon to access dependent services.
Artifacts:
- GatewayApplication.java: Line: 10
R15
This rule is not applicable: Not a service mesh deployment.
R16
Rule is adhered to:
- Registry Service (Eureka Server) present with @EnableEurekaServer annotation.
- Eureka Server deployed in Docker Compose -> able to start on dedicated server
Artifacts:
R17
Rule is violated: No HTTP basic password listed in any YML-Configuration of format username:password@here-location-of-eureka-server at “eureka.client.serviceUrl.defaultZone”.
Artifacts:
- application.yml: Line: 13
R18
Rule is violated: No secret manager is deployed.