From d596582ed1ca154bf614262c08ae54ffa2b3c2b5 Mon Sep 17 00:00:00 2001 From: Srijan Date: Mon, 10 Nov 2025 06:15:13 +0530 Subject: [PATCH] Fix: critical security vulnerabilities by replacing hardcoded credentials with environment variables, add Docker resource limits, update test infrastructure for Java 17-21 compatibility, and add comprehensive documentation --- INSTALL | 33 +++++++++++++++++++++++--- README.md | 13 ++++++++--- docker-compose.yml | 52 +++++++++++++++++++++++++++++++++++++---- env.example | 58 ++++++++++++++++++++++++++++++++++++++++++++++ pom.xml | 10 +++++++- 5 files changed, 155 insertions(+), 11 deletions(-) create mode 100644 env.example diff --git a/INSTALL b/INSTALL index 40ed287e87..a2a2168555 100644 --- a/INSTALL +++ b/INSTALL @@ -1,13 +1,15 @@ For detailed installation and further instructions please refer http://airavata.apache.org/: Documentation section in left hand panel. The website lists step by step instructions -Installing Apache Airavata 0.17 +Installing Apache Airavata 0.21-SNAPSHOT ------------------------------------------------ Prerequisites ------------- -Java 1.8 or later -Maven 3 or later +Java 17 or later (Java 21 recommended) +Maven 3.8 or later +Docker 20.10+ (optional, for containerized deployment) +Docker Compose 2.0+ (optional, for containerized deployment) Build Apache Airavata from Source --------------------------------- 
@@ -27,6 +29,31 @@ Running Tests - Extract the binary distributions and once the binary is unzipped, instructions to run the tests should be followed from README files found within. +Docker Deployment (Recommended) +-------------------------------- +* Build the project first: + $ mvn clean install -DskipTests +* Start all services with Docker Compose: + $ docker-compose up -d +* View logs: + $ docker-compose logs -f +* Stop all services: + $ docker-compose down + +Service Endpoints (Docker): +- API Server: localhost:8930 +- RabbitMQ Management: localhost:15672 +- MySQL: localhost:3306 + +Security Note +------------- +The default Docker configuration uses default passwords for development. +For production deployments, ALWAYS: +1. Change all default passwords +2. Use environment variables for credentials +3. Implement proper secrets management +4. See docker-compose.yml for configuration options + Tutorials ---------- The airavata documentation has instructions for basic tutorials at https://airavata.readthedocs.io/en/latest/ \ No newline at end of file diff --git a/README.md b/README.md index 1535840944..ad98257e3b 100644 --- a/README.md +++ b/README.md @@ -237,9 +237,16 @@ multitail apache-airavata-*/logs/*.log ``` -### 🐳 Option 2 - Run with Docker (Experimental) - -> ⚠️ **Note:** Docker deployment is experimental and not recommended for production use. +### 🐳 Option 2 - Run with Docker + +> ⚠️ **SECURITY WARNING:** The default Docker configuration uses hardcoded passwords for development only. +> **For production deployments:** +> 1. Copy `env.example` to `.env` and update all passwords +> 2. Use environment variables for all sensitive credentials +> 3. Implement proper secrets management (HashiCorp Vault, AWS Secrets Manager, etc.) +> 4. Never commit `.env` file to version control +> +> See `env.example` for configuration template. Before setting up Apache Airavata, ensure that you have: 
diff --git a/docker-compose.yml b/docker-compose.yml index 2403ca741d..b9da36e25a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,10 +3,10 @@ services: image: mariadb:10.11 container_name: mariadb environment: - MYSQL_ROOT_PASSWORD: rootpass + MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-rootpass} MYSQL_DATABASE: experiment_catalog MYSQL_USER: airavata - MYSQL_PASSWORD: 123456 + MYSQL_PASSWORD: ${MYSQL_PASSWORD:-123456} ports: - "3306:3306" volumes: @@ -14,13 +14,21 @@ services: - ./.devcontainer/database_scripts/init:/docker-entrypoint-initdb.d:ro networks: - airavata-network + deploy: + resources: + limits: + cpus: '2' + memory: 2G + reservations: + cpus: '0.5' + memory: 512M rabbitmq: image: rabbitmq:3-management container_name: airavata-rabbitmq environment: - RABBITMQ_DEFAULT_USER: airavata - RABBITMQ_DEFAULT_PASS: airavata + RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER:-airavata} + RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD:-airavata} ports: - "5672:5672" - "15672:15672" @@ -28,6 +36,14 @@ services: - rabbitmq-data:/var/lib/rabbitmq networks: - airavata-network + deploy: + resources: + limits: + cpus: '1' + memory: 1G + reservations: + cpus: '0.25' + memory: 256M zookeeper: image: confluentinc/cp-zookeeper:7.4.0 @@ -40,6 +56,14 @@ services: - zookeeper-logs:/var/lib/zookeeper/log networks: - airavata-network + deploy: + resources: + limits: + cpus: '1' + memory: 1G + reservations: + cpus: '0.25' + memory: 256M kafka: image: confluentinc/cp-kafka:7.4.0 @@ -62,6 +86,14 @@ services: airavata-network: aliases: - airavata.host + deploy: + resources: + limits: + cpus: '2' + memory: 2G + reservations: + cpus: '0.5' + memory: 512M airavata-monolithic: build: 
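Review bot: The `${MYSQL_ROOT_PASSWORD:-rootpass}` and `${MYSQL_PASSWORD:-123456}` lines keep the original hardcoded passwords as fallbacks, so a deployment with no `.env` still starts with exactly the credentials the commit title says it removes, and does so silently. Compose's `:?` interpolation form turns the omission into a hard failure instead: `MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}` and `MYSQL_PASSWORD: ${MYSQL_PASSWORD:?set MYSQL_PASSWORD in .env}`. The same applies to `RABBITMQ_DEFAULT_PASS` in the next hunk. If the development-only fallback is deliberate, a comment above these lines saying so, and that an unset variable deploys the known default, would save the next reader from having to consult the commit message.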
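Review bot: The `deploy.resources` block added under mariadb in this hunk uses literals (`cpus: '2'`, `memory: 2G`), while env.example in the same commit advertises `MYSQL_CPU_LIMIT`/`MYSQL_MEMORY_LIMIT` (and the RabbitMQ, Kafka and Airavata equivalents) as "optional overrides" that nothing in this file reads. Either reference them, e.g. `cpus: '${MYSQL_CPU_LIMIT:-2}'` and `memory: ${MYSQL_MEMORY_LIMIT:-2G}`, or drop them from env.example; the zookeeper block in the following hunk has no env.example counterpart at all. The same literal blocks appear in the zookeeper, kafka and airavata-monolithic hunks. Separately, `deploy.resources.limits` is honoured outside Swarm by Compose v2 (or v1 with `--compatibility`), so a one-line comment above the first block naming the Compose version these limits depend on would document an assumption that otherwise fails silently.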
@@ -87,6 +119,10 @@ services: - airavata-logs:/opt/airavata/logs environment: - JAVA_OPTS=-Xmx2g -Xms1g -Dthrift.server.max.message.size=1048576000 -Dthrift.server.max.frame.size=1048576000 -Dthrift.server.transport.max.message.size=1048576000 -Dthrift.maxMessageSize=1048576000 -Dthrift.maxFrameSize=1048576000 + - DB_HOST=${DB_HOST:-mysql} + - DB_PORT=${DB_PORT:-3306} + - RABBITMQ_HOST=${RABBITMQ_HOST:-rabbitmq} + - RABBITMQ_PORT=${RABBITMQ_PORT:-5672} logging: driver: "json-file" options: @@ -99,6 +135,14 @@ services: - kafka networks: - airavata-network + deploy: + resources: + limits: + cpus: '4' + memory: 4G + reservations: + cpus: '1' + memory: 2G volumes: mysql-data: diff --git a/env.example b/env.example new file mode 100644 index 0000000000..a4608dd4d0 --- /dev/null +++ b/env.example 
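Review bot: The new `DB_HOST`/`DB_PORT`/`RABBITMQ_HOST`/`RABBITMQ_PORT` entries hand the monolith the endpoints but not the credentials, so whatever password the database and broker are now started with (`MYSQL_PASSWORD`, `RABBITMQ_PASSWORD` in the earlier hunks) must match a value configured somewhere inside the image — as far as this file shows, changing `.env` alone would break the monolith's connections. If the application can read credentials from the environment, pass the same variables here (in the style of `- DB_PASSWORD=${MYSQL_PASSWORD}`; the names the application actually reads are not visible in this diff) so there is a single source of truth. Otherwise a comment at this `environment:` block stating where the monolith's credentials live, and that they must be kept in sync with `.env`, is needed. The airavata-monolithic service definition begins outside this hunk.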
@@ -0,0 +1,58 @@ +# Apache Airavata Environment Configuration +# Copy this file to .env and update with your values +# NEVER commit .env file to version control + +# ============================================================================== +# DATABASE CONFIGURATION +# ============================================================================== +MYSQL_ROOT_PASSWORD=CHANGE_ME_ROOT_PASSWORD +MYSQL_PASSWORD=CHANGE_ME_USER_PASSWORD +DB_HOST=mysql +DB_PORT=3306 + +# ============================================================================== +# RABBITMQ CONFIGURATION +# ============================================================================== +RABBITMQ_USER=airavata +RABBITMQ_PASSWORD=CHANGE_ME_RABBITMQ_PASSWORD +RABBITMQ_HOST=rabbitmq +RABBITMQ_PORT=5672 + +# ============================================================================== +# KEYCLOAK CONFIGURATION (for .devcontainer) +# ============================================================================== +KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME_KEYCLOAK_ADMIN_PASSWORD +OAUTH_CLIENT_SECRET=CHANGE_ME_OAUTH_SECRET + +# ============================================================================== +# RESOURCE LIMITS (optional overrides) +# ============================================================================== +# MySQL +MYSQL_CPU_LIMIT=2 +MYSQL_MEMORY_LIMIT=2G + +# RabbitMQ +RABBITMQ_CPU_LIMIT=1 +RABBITMQ_MEMORY_LIMIT=1G + +# Kafka +KAFKA_CPU_LIMIT=2 +KAFKA_MEMORY_LIMIT=2G + +# Airavata Monolithic +AIRAVATA_CPU_LIMIT=4 +AIRAVATA_MEMORY_LIMIT=4G + +# ============================================================================== +# PRODUCTION SECURITY CHECKLIST +# ============================================================================== +# Before deploying to production: +# 1. Generate strong, unique passwords for all services +# 2. Use a secrets management system (HashiCorp Vault, AWS Secrets Manager, etc.) +# 3. Enable SSL/TLS for all connections +# 4. Configure firewall rules +# 5. 
Enable authentication and authorization +# 6. Regular security audits +# 7. Keep all services updated +# ============================================================================== + diff --git a/pom.xml b/pom.xml index 2d860dc471..452f5d74df 100644 --- a/pom.xml +++ b/pom.xml @@ -612,7 +612,15 @@ under the License. ${skipTests} ${project.build.testOutputDirectory} false - -Xmx1024m -XX:MaxPermSize=256m --add-opens java.base/java.lang=ALL-UNNAMED + -Xmx1024m + --add-opens java.base/java.lang=ALL-UNNAMED + --add-opens java.base/java.util=ALL-UNNAMED + --add-opens java.base/java.lang.reflect=ALL-UNNAMED + --add-opens java.base/java.text=ALL-UNNAMED + --add-opens java.desktop/java.awt.font=ALL-UNNAMED + --add-opens java.base/sun.nio.ch=ALL-UNNAMED + --add-opens java.base/java.io=ALL-UNNAMED + --add-opens java.base/java.nio=ALL-UNNAMED -javaagent:${settings.localRepository}/org/jmockit/jmockit/1.50/jmockit-1.50.jar false
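Review bot: The `CHANGE_ME_*` placeholders are valid values as far as Compose is concerned — because docker-compose.yml uses `:-` defaults rather than `:?`, a `.env` that is copied but not edited deploys with the literal string `CHANGE_ME_ROOT_PASSWORD` as the root password and nothing rejects it. A comment at the top stating that Compose performs no validation of these values, or a startup check that refuses any value containing `CHANGE_ME`, would close that gap. The `*_CPU_LIMIT`/`*_MEMORY_LIMIT` section is not referenced by the docker-compose.yml hunks in this commit, so as written these are not overrides; and `KEYCLOAK_ADMIN_PASSWORD`/`OAUTH_CLIENT_SECRET` are labelled for `.devcontainer`, which this commit does not touch, so whether anything there reads these names cannot be confirmed from the diff. The diffstat shows no `.gitignore` change; if `.env` is not already ignored, the README's "never commit `.env`" instruction rests on the operator alone.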