安全なPlay Frameworkのバージョンアップの仕方

Transcript

1. ҆શͳPlay Frameworkͷ όʔδϣϯΞοϓͷ࢓ํ 2017-07-29 Scala෱Ԭ2017 גࣜձࣾ ͸ͯͳ പ୩େี (id:daiksy)

2. ࣗݾ঺հ പ୩େี(@daiksy) ▸ גࣜձࣾ ͸ͯͳ ▸ Mackerel։ൃνʔϜσΟϨΫλʔ ▸ εΫϥϜϚελʔ ▸

   ScalaMatsuriελοϑ ▸ Scalaؔ੢Summitελοϑ ▸ ࠷ۙDJ͸͡Ί·ͨ͠

3. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ ͜ͷߨԋʹ͍ͭͯ ▸ Mackerel͸ݱࡏplay2.5.xͰಈ࡞ ▸ (ͦΖͦΖ2.6΋ߟ͍͑ͨͰ͢Ͷ…) ▸ 2.3 ->

   2.4 ੒ޭ (͔͠͠՝୊͕͋ͬͨ) ▸ 2.4 -> 2.5 ੒ޭ ▸ ͜ͷมભΛ੺དʑʹ͓ಧ͚͠·͢ ▸ ςοΫཁૉ͸গͳΊͰ͢

4. MackerelͰͷPlay Frameworkͷมભ ▸ Play Framework 2.2.1 Ͱ։ൃ։࢝ ▸ ϦϦʔε࣌఺Ͱ͸ Play

   2.3.1 ▸ ͦͷޙ 2.3.7 ·ͰͷϚΠφʔΞοϓσʔτ͸େ͖ͳ໰୊΋ͳ ͘௥ਵ ▸ ͞ΕɺͦΖͦΖ 2.4.x ʹ͍ͨ͠ͳ… ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

5. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ https://speakerdeck.com/mechairoi/scala-use-cases-at-hatena ࠷ॳظͷ༷ࢠ͸ScalaMatsuri 2014ͷൃදʹ͋Γ·͢

6. Play FrameworkΛ2.4.xʹ͢Δඞཁੑ ▸ Mackerel͸10೥ޙ΋౰ͨΓલͷΑ͏ʹಈ͍ͯͳ͍ͱ͍͚ͳ͍ϓϩμ Ϋτ ▸ 2027೥ͱ͔ʹMackerel͕10೥લͷٕज़Ͱಈ͍͍͍͍ͯͯΘ͚ͳ͍ Ͱ͢ΑͶ ▸ Play2.3ͷWS(HTTPΫϥΠΞϯτ)ʹೖ͍ͬͯΔσϑΥϧτೝূہ৘

   ใ͕ݹ͘ͳΓɺWebhook௨஌ͷॲཧͳͲʹࢧো͕Ͱ͸͡Ί͍ͯͨ ▸ ϑϧελοΫͳϑϨʔϜϫʔΫͳͷͰɺҰ෦ͷϥΠϒϥϦ͚ͩࡌͤ ସ͑ΔΑΓશମΛΞοϓσʔτͨ͠΄͏͕Αͦ͞͏ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

7. Play2.3.x -> 2.4.x ͸େม… ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

8. Play2.3.x -> 2.4.x ҠߦͷେมϙΠϯτ ▸ ίωΫγϣϯϓʔϧ͕BoneCP ͔Β HikariCPʹ ▸ ࡉ͔͍ઃఆͳͲͷνϡʔχϯάΛ΍Γͳ͓͢ඞཁ͕͋Δ

   ▸ Slick2.x -> Slick3.x ▸ DBIOͱ͍͏ඇಉظϕʔεͳΫΤϦॲཧʹ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

9. ಛʹSlick͕େม… ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

10. Slick2.x -> Slick3.x ▸ Slick3.x͸ඇಉظ͕ϕʔε ▸ Mackerel͸Slick2.xͰϒϩοΩϯάͳΫΤϦॲཧ ▸ MackerelͷSQL͍ͭ͋͘ΔΜ΍…(਺͑ͨ͘ͳ͍͔Β਺͑ͯ ͳ͍

    ▸ ͜ΕΛීஈͷػೳ։ൃ͠ͳ͕Βશ෦ඇಉظʹஔ͖׵͑Δ ͷ…ʁ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

11. MackerelͷૌٻϙΠϯτ ▸ ຖिϦϦʔεΛܧଓத ▸ Րɾ໦ͷि2೔ͷఆظϦϦʔε ▸ ຖि༵ۚ೔ʹͦͷिͷϦϦʔε಺༰ΛϒϩάͱϝʔϧͰ͓ ஌Βͤ ▸ 156ि࿈ଓϦϦʔεܧଓத

    (೥຤೥࢝ɾΰʔϧσϯ΢Οʔ ΫɾՆقٳՋظؒΛআ͘) ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

12. ຖिϦϦʔε͸ܧଓ͠ͳ͕Β ϑϨʔϜϫʔΫΛߋ৽͍ͨ͠ʂ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

13. ͯ͞ɺSlickͷΞοϓσʔτ Ͳ͏͠·͠ΐ͏… ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

14. Slick2.x -> Slick3.x ▸ ຖिϦϦʔε͠ͳ͕ΒDBIOͷஔ͖׵͑Ͱ͖Δͷ͔ʁ ▸ ຖिͷػೳ։ൃͱίϯϑϦΫτ͠ͳ͍Α͏ʹ΍ΕΔʁ ▸ ແཧͦ͏… ▸

    play2.4ԽͨͼͨͼνϟϨϯδ͢Δ͕ɺͲ͏ͯ͠΋Slickͷ όʔδϣϯΞοϓ͕ωοΫʹͳͬͯఫୀΛ܁Γฦ͢ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

15. ͦ͜΁ٹੈओ͕ొ৔͢Δ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

16. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

17. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

18. blocking-slick ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

19. blocking-slick ▸ Slick3.xͰSlick2.xޓ׵ͷblockingAPI͕࢖͑Δ ▸ implicitͰblockingAPIΛੜ΍ͯ͠ɺطଘͷΫΤϦॲཧ͸ແই Ͱͦͷ··࢖͑Δ ▸ ͍ͬͨΜ͜ΕͰplay2.4ʹͯ͠͠·ͬͯɺগͣͭ͠DBIOʹஔ ͖׵͍͑ͯ͜͏ ҆શͳPlay

    FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

20. blocking-slick ▸ ࠷ॳ͸׬શʹཁ݅Λຬͨͤͳ͔ͬͨ ▸ blocking-slickʹϓϧϦΫΤετΛग़ͨ͠Γ͠ͳ͕Βɺ Mackerel΁ͷద༻੒ޭ ▸ ͍͟ͱͳͬͨΒforkͯ͠Ͱ΋ద༻ͤ͞Δͧɺͱ͍͏ڧ͍ҙࢤ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

21. Ұ൪ωοΫͩͬͨSlick͕ͳΜͱ͔ͳͬͨ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

22. ͯ͞ɺͲ͏͍͏࡞ઓͰग़͍ͯ͜͠͏͔ʁ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

23. Play2.4 Ҡߦେ࡞ઓ ▸ 2.3ͷ··ਐΊΒΕΔҠߦ͸Րɾ໦ͷఆظϦϦʔεͰগͣ͠ ͭೖΕ͍ͯͬͨ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

24. Play2.4 Ҡߦେ࡞ઓ ▸ ͍Α͍Αখ෼͚ʹͰ͖ͳ͍େ͖ͳϓϧϦΫΤετΛϚʔδ͢ Δͱ͖͕΍͖ͬͯͨ… ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

25. Play2.4 Ҡߦେ࡞ઓ ▸ ϨϏϡʔ… ▸ Files changed 283 ▸ ࣃΛ৯͍͠͹ͬͯ΍Δ͔͠ͳ͍

    ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

26. Play2.4 Ҡߦେ࡞ઓ ▸ ΤϯδχΞશһϨϏϡʔ ▸ ௨ৗͷఆظϦϦʔεʹೖΕΔP-R͸୭͔1ਓͷLGTMͰϚʔ δ͢Δ ▸ play2.4ͷP-R͸ΤϯδχΞશһͷLGTMඞਢ ҆શͳPlay

    FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

27. Play2.4 Ҡߦେ࡞ઓ ▸ ίϯύΠϧݴޠͷ҆৺ײ ▸ ίϯύΠϧͱCI͕௨͍ͬͯΕ͹͍͍ͩͨಈ͘ ▸ ֎෦APIΛୟ͘ͱ͜ΖͳͲ͸ϞοΫͳͷͰɺͦ͏͍ͬͨ؀ ڥґଘͳॲཧ͸ஸೡʹಈ࡞֬ೝ ▸

    ͋ͱ͸Πϯϑϥ໘ͰͷӨڹ͕৺഑ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

28. Play2.4 Ҡߦେ࡞ઓ ▸ ϦϦʔε͸Ր༵೔ͷఆظϦϦʔε೔ʹ࣮ࢪ ▸ ໦༵೔ͷఆظϦϦʔεޙʹϚʔδ ▸ ໦ɾۚɾ౔ɾ೔ɾ݄ͷ5೔ؒεςʔδϯά؀ڥͰಈ࡞ͤ͞ ͯͦͷظؒͷϝτϦοΫΛݟΔ ▸

    ௨ৗͷఆظϦϦʔε޲͚ͷP-R͸ͦͷ೔ʹ͸Ϛʔδͤͣ play2.4ͷP-R͚ͩϦϦʔε͢Δ(໰୊ͷ੾Γ෼͚Λ໌֬Խ ͢ΔͨΊ) ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

29. Play2.4 Ҡߦେ࡞ઓ ▸ ΧφϦΞϦϦʔε ▸ Mackerel͕ಈ͍ͯΔαʔόʔ܈ͷ͏ͪɺҰ෦෼͚ͩplay2.4 ʹͯ͠ɺࠞࡏͨ͠ঢ়ଶͰ༷ࢠΛݟΔ ▸ ΋ͱ΋ͱMackerel͸ϩʔϦϯάσϓϩΠͰຖճϦϦʔεͯ͠ ͍ΔͨΊɺ৽ɾچ͕ࠞࡏͯ͠΋ಈ͘͜ͱΛ૝ఆͯ͠ઃܭ͞Ε

    ͍ͯΔ ▸ ͩΊͩͬͨΒઌߦͯ͠ϦϦʔεͨ͠αʔόʔ܈Λϩʔϧόο Ϋ͠Α͏ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

30. ͍͟ϦϦʔεʂʂʂ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

31. …… ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

32. Կ͔͕͓͔͍͠… ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

33. Կ͔͓͔͍͠… ▸ ͋Δॲཧ͕࣌ʑࣦഊ͍ͯ͠Δ ▸ ҉߸Խ͞ΕͨσʔλΛ෮߸͍ͯ͠Δॲཧ͕֬཰తʹࣦഊͯ͠ ͍ΔΑ͏ʹΈ͑Δ ▸ ϩʔϧόοΫ͢Δ͔…ʁ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

34. Կ͔͓͔͍͠… ▸ Play2.4ͷϚΠάϨʔγϣϯΨΠυΑΓ ▸ Play 2.4 uses a new encryption

    format, but it can read data encrypted by earlier versions of Play. However, earlier versions of Play will not be able to read data encrypted by Play 2.4. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ https://www.playframework.com/documentation/2.4.x/Migration24#Crypto-APIs

35. Կ͔͓͔͍͠… ▸ Play2.4ͷϚΠάϨʔγϣϯΨΠυΑΓ ▸ Play 2.4 uses a new encryption

    format, but it can read data encrypted by earlier versions of Play. However, earlier versions of Play will not be able to read data encrypted by Play 2.4. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ https://www.playframework.com/documentation/2.4.x/Migration24#Crypto-APIs Play 2.4͸৽͍͠҉߸ԽܗࣜΛ࢖༻͠·͕͢ɺҎલͷόʔδϣϯͷPlayͰ ҉߸Խ͞ΕͨσʔλΛಡΈऔΔ͜ͱ͕Ͱ͖·͢ɻ ͨͩ͠ɺҎલͷόʔ δϣϯͷPlayͰ͸ɺPlay 2.4Ͱ҉߸Խ͞ΕͨσʔλΛಡΈऔΔ͜ͱ͕Ͱ͖ ·ͤΜɻ

36. Կ͔͓͔͍͠… ▸ ΧφϦΞϦϦʔε͕ཪ໨ʹ ▸ ϩʔϧόοΫͨ͠Β͞Βʹ͓͔͘͠ͳΔ ▸ εςʔδϯά؀ڥͰͷݕূ݁ՌͱશମͷϝτϦοΫΛݟͨ ͱ͜ΖͦΕҎ֎͸໰୊ͳͦ͞͏ ▸ શ୆൓өΛܾஅ

    ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

37. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ ແࣄʹPlay2.4ʹͳͬͨ

38. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ ͔͠͠՝୊͕࢒Δ݁Ռʹ

39. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ དྷΔPlay2.5ҠߦΛݟਾ͑ͨৼΓฦΓ

40. ҠߦৼΓฦΓձ (YWT) ͷٞࣄ࿥ΑΓҰ෦ൈਮ ▸ Θ͔ͬͨ͜ͱ ▸ ް͍ϑϨʔϜϫʔΫͷϚΠάϨʔγϣϯେม ▸ ϥΠϒϥϦͲ͏͕͠ґଘͯ͠ϩοΫΠϯ͕ͭΒ͍ͷͱɼόʔ δϣϯΞοϓͰผϥΠϒϥϦ΋্͛ͳ͍ͱͳΒͳ͍ͱ͔͋ͬ

    ͯେม ▸ ͦΕͧΕϚΠάϨʔγϣϯΨΠυಡΉײͩ͡ͱɺݟམͱ͠ ͕ൃੜͦ͠͏ʁ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

41. ҠߦৼΓฦΓձ (YWT) ͷٞࣄ࿥ΑΓҰ෦ൈਮ ▸ Θ͔ͬͨ͜ͱ ▸ ϚΠάϨʔγϣϯΨΠυ͞ΒͬͱಡΉ͚ͩ͡Όͳͯ͘νΣο ΫϦετ࡞ͬͨΓಡΈ߹Θͤ͢Ε͹Α͔ͬͨ ▸ ίϯύΠϧ͕͋Δݴޠ͔ͩͬͨΒͦ͜ϚΠάϨʔγϣϯͰ

    ͖ͨͱ͜Ζ΋͋Δ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

42. ҠߦৼΓฦΓձ (YWT) ͷٞࣄ࿥ΑΓҰ෦ൈਮ ▸ Play2.5Ҡߦ࣌ʹ΍Δ͜ͱ ▸ ϚΠάϨʔγϣϯΨΠυΛෳ਺ਓಉ࣌ʹಡΈ߹Θͤ͢Δ ▸ ϚΠάϨʔγϣϯΨΠυΛ΋ͱʹνΣοΫϦετΛ࡞Γɺ શһϨϏϡʔ͸ͦΕΛݟͳ͕Β΍Δ

    ▸ εςʔδϯά؀ڥͰɺΧφϦΞϦϦʔεͱϩʔϧόοΫͷ ςετΛ΍Δ (ࠞࡏ؀ڥͰͷಈ࡞ -> ͔ͦ͜ΒϩʔϧόοΫ ͯ͠΋໰୊ͳ͘ಈ͔͘) ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

43. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ ͦͷͱ͖͸΍͖ͬͯͨ

44. ϚΠάϨʔγϣϯΨΠυΛೖ೦ʹνΣοΫ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

45. Ҡߦ࡞ઓձٞ΍खॱͷڞ༗
 (౰࣌ͷWikiͷҰ෦Λ঺հ) ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

46. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ Ҡߦ౰೔

47. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ ……

48. ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ ແࣄނͰҠߦ੒ޭʂʂ

49. όʔδϣϯΞοϓͰͷҙ֎ͳԸܙ ▸ sbtΛόʔδϣϯΞοϓͨ͠ΒίϯύΠϧ͕଎͘ͳͬͨ ▸ PlayࣗମͷύϑΥʔϚϯεվળͰΞϓϦέʔγϣϯαʔόʔ ͷCPU࢖༻཰͕15%΄Ͳݮͬͨ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

50. όʔδϣϯΞοϓͰͷҙ֎ͳԸܙ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

51. ࠓޙͷ՝୊ ▸ 2.5Ͱdeprecatedʹͳͬͨ΋ͷΛ௵ͯ͠2.6΁ͷҠߦ४උΛ ਐΊΔ ▸ ॏްͳϑϨʔϜϫʔΫ΁ͷґଘ౓ΛԼ͍͛ͨ ▸ ϥΠϒϥϦ୯ҐͰؾܰʹόʔδϣϯΞοϓͰ͖ΔΑ͏ʹ͠ ͍ͨ ҆શͳPlay

    FrameworkͷόʔδϣϯΞοϓͷ࢓ํ

52. ·ͱΊ ▸ ͖ͪΜͱςετ͕ॻ͔Ε͍ͯΔCIͷ҆৺ײͨΔ΍ ▸ ϚΠάϨʔγϣϯΨΠυ௒ॏཁ(ݟམͱ͠ݫې) ▸ େ͖ͳߋ৽ͷ৔߹͸εςʔδϯά؀ڥͰϩʔϧόοΫͳͲͷආ೉܇࿅ ΋ඞཁ ▸ ΞϓϦέʔγϣϯϑϨʔϜϫʔΫͷແࣄނͷόʔδϣϯΞοϓ͸͋Δ

    ఔ౓ͷ஌ݟ͕͍ΔͷͰɺͦΕ͕ࣦΘΕͳ͍͏ͪʹఆظతʹ΍Δͱྑ͍ ▸ takezoe͞Μ͋Γ͕ͱ͏͍͟͝·ͨ͠ ҆શͳPlay FrameworkͷόʔδϣϯΞοϓͷ࢓ํ