The Controller classes that implement the core service broker API are currently only tested with MVC integration tests. These classes should have unit tests that verify the Controller class behavior independent of the MVC test infrastructure.

For catalog management, spring-boot-cf-service-broker provides a default implementation that requires the broker to just provide an implementation of a Catalog bean.
An improvement would be to enable the use of externalized configuration (properties files, YAML files, environment variables or command-line arguments) to set Catalog bean attributes.

Then, a very basic catalog definition using env variables would be :

$ export SERVICES_DEFINITIONS[MONGO_DB]_ID=mongodb-service-broker 
$ export SERVICES_DEFINITIONS[MONGO_DB]_NAME=Mongo DB
$ export SERVICES_DEFINITIONS[MONGO_DB]_DESCRIPTION=A simple MongoDB service broker implementation
$ export SERVICES_DEFINITIONS[MONGO_DB]_PLANS[DEFAULT]_ID=mongo-plan
$ export SERVICES_DEFINITIONS[MONGO_DB]_PLANS[DEFAULT]_NAME=Default Mongo Plan
$ export SERVICES_DEFINITIONS[MONGO_DB]_PLANS[DEFAULT]_DESCRIPTION=This is a default mongo plan. All services are created equally

This feature can be extended by enabling a remote externalized configuration

Can you tell me where I can set the auth_username and auth_password to use for registering the broker with CF environment

cf create-service-broker mybroker auth_username auth_password http://mybroker.example.com

Thank you for helping.

Beth Tran

By default, the current version of the broker API is required for all service broker requests. This limits brokers to only working with one version of the API. This should be changed to ANY.

In a broker I am working I am not able to run cf create-service-key <service> <key> without receiving a response like: {"description":"Missing required fields: appGuid"}%.
I assume that @JsonProperty("app_guid") is requiring the presence of this field even though it should be optional and is not sent when creating a service-key.

Hi,

I 've developped my own PostgreSQL Service Broker using the cloud foundry framework (a basic Spring boot web application - The broker works fine in my Cloud Foundry instance). I'm using the Spring test framework (MockMvc - org.springframework.spring-test-4.3.2.RELEASE) to run integration tests.

Problem
When I run tests (that use the CatalogController for instance), Spring is unable to perform the serialization because it fails to create those two beans: EmptyListSerializer and EmptyMapSerialier.

org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.cloud.servicebroker.model.EmptyListSerializer]: Is the constructor accessible?; nested exception is java.lang.IllegalAccessException: Class org.springframework.beans.BeanUtils can not access a member of class org.springframework.cloud.servicebroker.model.EmptyListSerializer with modifiers "public"
at org.springframework.beans.BeanUtils.instantiate(BeanUtils.java:83)

This instantiation problem is caused by the fact that those classes are not "public" (I don't know if there is a particular reason for that) as shown below :

package org.springframework.cloud.servicebroker.model;
...
...
class EmptyMapSerializer extends JsonSerializer<List<?>> {
...

Therefore Spring is unable to access their constructors.

Temporary solution
Yet I was able to run the tests by patching those classes in the app source code (I just created/overwrote the spring package, and added public to the classes).
Do you think that this patch can be integrated in future releases ?

Thank you in advance.

A.

http://docs.cloudfoundry.org/services/api.html#api-changes-since-v2-10

Add a bindable field to Plan objects.

http://docs.cloudfoundry.org/services/api.html#api-changes-since-v2-8

Add support for service keys which enable access to services by external access:

...the new Service Key feature is added as a new resource which essentially externalizes the old service binding operation, except it does not require an application to be called or manipulated. Like other CF Cloud Controller (CC) resources, this one has the typical CRUD operations (except update, but includes listing)...

The details of the service keys API doesn't seem to existing within the service broker documentation, yet, but is detailed here:

https://developer.ibm.com/opentech/2015/07/09/cloudfoundry-services-keys-and-sample-go-service-broker/

A broker can specify whether a service supports updating of plans in the service catalog.

The ServiceInstanceController should check the value of this field in the service catalog and reject any request to update the service plan with the appropriate error code (422 Unprocessable entity).

http://docs.cloudfoundry.org/services/api-v2.10.html#api-changes-since-v2-9

Add support for volume mounts in response to a request to create a service instance.

Spring library projects typically do not depend on lombok. Consider removing its usage in the next major version.

The service broker API specification suggests that a status code 200 (OK) might be returned in the response of a provisioning/binding if a service instance/binding already exists.

http://docs.cloudfoundry.org/services/api.html#updating-a-service-instance

Only previous_values.plan_id should be supported; other fields have been deprecated.

See https://docs.cloudfoundry.org/services/supporting-multiple-cf-instances.html

The value of the X-Api-Info-Location header should be captured on each request the broker and propagated to the broker-implemented SPI.

https://github.com/openservicebrokerapi/servicebroker/blob/v2.13/release-notes.md#v213

Changes applicable to this project are:

• Added a schemas field to services in the catalog that brokers can use to declare the configuration parameters their service accepts for creating a service instance, updating a service instance and creating a service binding.
• Added a context field to the request body for creating a service binding.
• Add originating identity HTTP header.

The Response class constructors for both provision and bind requests are confusing. It's not clear when a certain constructor should be used over another.

Following service broker api documentation, service plan should be free by default.

Actual implementation makes service plan not free by default

	/**
	 * Indicates whether the plan can be limited by the non_basic_services_allowed field in a Cloud Foundry Quota.
	 */
	@JsonSerialize
	@JsonProperty("free")
	private boolean free;

Even if a service is not bindable, a bean of type ServiceInstanceBindingService is required regardless.

The cloud foundry service broker API has been standardized into the Open Service Broker API.
Should the project name/documentation be updated to reflect that it can be used with more than just CF?

Support the OSB API spec for the GET service broker endpoint.

• Add instances_retrievable and bindings_retrievable boolean properties to the `ServiceDefinition' model.
• Implement the Fetch service instance endpoint in the service instances controller and service.
• Implement the Fetch service binding endpoint in the service bindings controller and service.

While populating beans with BeanUtils a malicious request can modify the class loader causing a remote code execution. This issue is addressed as CVE-2014-0114: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114
We were able to reproduce it in cloudfoundry service broker with a manipulated parameters attribute in a create request to service_bindings.

How to reproduce:
Create a simple bean for the request parameter, for example MyParameterBean.
In the ServiceInstanceBindingService trigger the parsing of the parameters:

@Service
public class MyService implements ServiceInstanceBindingService {

    @Override
    public CreateServiceInstanceBindingResponse createServiceInstanceBinding(CreateServiceInstanceBindingRequest createServiceInstanceBindingRequest) {
        MyParameterBean params = createServiceInstanceBindingRequest.getParameters(MyParameterBean.class);
        return new CreateServiceInstanceAppBindingResponse();
    }

Now, if an attacker sends a PUT request to /v2/service_instances/:instance_id/service_bindings/:binding_id with a parameter like class.classLoader.defaultAssertionStatus, he can manipulate the class loader.

{
  "service_id": "MyServiceId",
  "plan_id": "MyPlan",
  "organization_guid": "org-guid-here",
  "space_guid": "space-guid-here",
  "parameters": {
  	"class.classLoader.defaultAssertionStatus" : true
  }
}

The solution of BeanUtils to prevent such an attack is to set a special BeanIntrospector:

BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

But this Introspector is not set as default by BeanUtils. It has to be set within the spring-cloud-cloudfoundry-service-broker.
See here: https://issues.apache.org/jira/browse/BEANUTILS-463

How am I suppose to reply with the newly created instance details in response -
CreateServiceInstanceResponse does not contain any holder for sending the instance details

Provide guidance on migrating from spring-cloud-cloudfoundry-service-broker:1.0.x to spring-cloud-open-service-broker:2.0.x. This could be done in wiki pages in this repo, as is being done with Spring Boot.

Creating a Catalog is kind of painful and results in some ugly code, i.e. https://github.com/spring-cloud-samples/cloudfoundry-service-broker/blob/master/src%2Fmain%2Fjava%2Forg%2Fspringframework%2Fcloud%2Fservicebroker%2Fmongodb%2Fconfig%2FCatalogConfig.java

We should provide a builder that makes this easier.

The number of fields in request and response classes have grown over time, making constructors difficult to manage. These classes should use the builder pattern instead of constructors to make construction easier to maintain.

Hi,

When is the release of 1.0.2 planned for?

Thanks,
Andrea.

As a user, if I make the mistake of adding a trailing slash when registering my broker

cf create-service-broker mybroker user secret https://mybroker.site.org/

then surprisingly the spring-cloud-cloudfoundry-service-broker will reject requests sent by the CF cloudcontroller of the form https://mybroker.site.org//v2/service_instances/ef1fcb74-55ea-407a-bf79-7c09d8bdd949/last_operation?plan_id=aplan&service_id=aserviceid with the following exception:

2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT org.springframework.web.bind.MissingServletRequestParameterException: Required String parameter 'service_id' is not present
2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT        at org.springframework.web.method.support.HandlerMethodArgumentResolverComposite.resolveArgument(HandlerMethodArgumentResolverComposite.java:121) ~[spring-web-4.3.10.RELEASE.jar!/:4.3.10.RELEASE]
2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827) ~[spring-webmvc-4.3.10.RELEASE.jar!/:4.3.10.RELEASE]
2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-embed-websocket-8.5.16.jar!/:8.5.16]
2017-11-22T11:37:47.09+0100 [APP/PROC/WEB/0] OUT        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-

I suspect this because the request mapping enters the branch with an expected cf instance id
https://github.com/spring-cloud/spring-cloud-cloudfoundry-service-broker/blob/7905d070c8f77c2638c5eb1d262f4bfafd66d83d/src/main/java/org/springframework/cloud/servicebroker/controller/ServiceInstanceController.java#L125-L131

It would be nice to be able to display a friendly error message such as "unexpected empty cfInstanceId"

I hope nevertheless this issue might help others running into this problem to fix their base broker url.

This project should make it easy to configure dashboard SSO for service instances as documented here: http://docs.cloudfoundry.org/services/dashboard-sso.html#broker-responsibilities

Hi,

Is 1.0.1.RELEASE published anywhere?

Here's where I'm looking:
https://repo.spring.io/milestone/org/springframework/cloud/spring-cloud-cloudfoundry-service-broker/

Thanks

Expect a consisting styling with Spring Boot
https://docs.gradle.org/current/userguide/checkstyle_plugin.html

OpenShift enable to specify in which order the parameters appear into their GUI by using the convention described here: openshift/origin#16383. By default the GUI is showing parameters sorted by their name (actually the GUI is inline with the ClusterServicePlan and it is this last one that is sorting...).
Currently, the MethodSchema class only support the 'parameters' attribute, hence preventing from using this feature.
A possible solution to enable the usage of this OpenShift feature would be to enable to MethodSchema to accept more attributes or to find a way to enable model customization.

while trying to troubleshoot #53, I ran into this small non compliance to OSB:

https://github.com/openservicebrokerapi/servicebroker/blob/v2.13/spec.md#polling-last-operation states the following, implying the parameters are optional

Currently, these params are made mandatory.
https://github.com/spring-cloud/spring-cloud-cloudfoundry-service-broker/blob/d8c7afabb04a3d88a7f8c4cf89e0fd358942d051/src/main/java/org/springframework/cloud/servicebroker/controller/ServiceInstanceController.java#L103-L105

As a consequence, brokers implemented leveraging spring-cloud-cloudfoundry-service-broker
might fail when invoked by other more relax by conforming clients (e.g. K8S)

I have a geo-distributed service, and have a need to support multiple Cloud Foundry instances. The service will need to be aware of the Cloud Foundry instance to which its bound, so we will need to include a CF instance identifier as shown in the service broker API docs.

@scottfrederick It seems that actual CreateServiceInstanceBindingResponse subclasses implementation makes it impossible to return for instance Credentials and Volume Mount in a single CreateServiceInstanceBindingResponse. Is there a reason for that ?
Service broker api does not seem to be so restrictive.

The project currently contains @Controller and support classes that implement the service broker API along with Spring Boot configuration in the same library. This ties apps that use the project to Spring Web MVC and limits flexibility (as pointed out in #33).

All configuration code should be re-implemented using Spring Boot auto-configuration and moved to a separate sub-project, leaving the main library to depend only on core Spring Framework.

The package org.springframework.cloud.servicebroker.model has grown to be large, and contains model classes for several purposes (catalog metadata, requests, responses, etc). The package should be broken down into subpackages, dividing classes by their responsibility.

This refactoring must be done in a minor release, as it is an API change without backward compatibility.

If org.springframework.cloud.servicebroker.model.Catalog.serviceDefinitions == null, we can't simply add a service definition to the catalog by calling:
catalog..getServiceDefinitions().add(myServiceDefinition);
Could we change the default constructor to:
this.serviceDefinitions = new ArrayList();

http://docs.cloudfoundry.org/services/api.html#changes-since-v211

• Add context field to request body for provisioning and updating a service instance

I get a 404 when I click on the link in your readme under 'Getting Started' in the sentence: "A sample MongoDB service broker project is available."

• it would be very useful if we could see a sample please. Thanks!

After Spring Web MVC configuration has been moved to a separate "starter" subproject in #47, add a second starter that auto-configures Spring WebFlux.

Provide simple sample applications to demonstrate creating a service broker using both Spring Web MVC and Spring WebFlux. These samples should not rely on any external software and should be easily deployable to supported platforms.

Asserting that two instances of CreateServiceInstanceVolumeBindingResponse are equals using basic CreateServiceInstanceVolumeBindingResponse#equals always fails.

The Open Service Broker Spec specifies a bind_resource object in bind requests, with two common fields - app_guid and route. This project will currently parse those two fields in bind_resource. The spec allows platforms to provide other key/value pairs in a bind_resource object in a bind request, and this project should make these additional fields available if present.

#15 adds support for identifying the calling CF instance in broker API methods. Broker authors should have a way to optionally configure unique basic auth usernames and password for each CF instance it is registered to.