diff --git a/.github/codeql.yml b/.github/codeql.yml new file mode 100644 index 000000000..4fe1e47a9 --- /dev/null +++ b/.github/codeql.yml @@ -0,0 +1,3 @@ +query-filters: + - exclude: + id: java/spring-disabled-csrf-protection diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..f2ad892c1 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,48 @@ +name: "CodeQL" + +on: + push: + branches: [ "develop", "master" ] + pull_request: + branches: [ "develop" ] + schedule: + - cron: "4 23 * * 1" + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ java ] + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Java + uses: actions/setup-java@v3 + with: + distribution: temurin + java-version: 11 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql.yml + queries: +security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{ matrix.language }}" diff --git a/gradle.properties b/gradle.properties index 646fed7ca..45e227a6e 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,4 +1,4 @@ -version=4.0.15 +version=4.0.16 group=org.openmbee.mms springBootVersion=2.6.7 diff --git a/groups/src/main/java/org/openmbee/mms/groups/controllers/LocalGroupsController.java b/groups/src/main/java/org/openmbee/mms/groups/controllers/LocalGroupsController.java index ee9c89aa2..b4c957553 100644 --- a/groups/src/main/java/org/openmbee/mms/groups/controllers/LocalGroupsController.java +++ b/groups/src/main/java/org/openmbee/mms/groups/controllers/LocalGroupsController.java @@ -126,7 +126,7 @@ public GroupUpdateResponse updateGroupUsers(@PathVariable String group, response.setGroup(group); groupUpdateRequest.getUsers().forEach(newUser -> { - User user = userRepository.findByUsername(newUser).orElse(null); + User user = userRepository.findByUsernameIgnoreCase(newUser).orElse(null); if (user != null) { if (groupUpdateRequest.getAction() == Action.ADD) { diff --git a/ldap/README.rst b/ldap/README.rst index 60fe9e7a4..d912059d6 100644 --- a/ldap/README.rst +++ b/ldap/README.rst @@ -15,7 +15,7 @@ Configuration The base string to use. Required. ldap.provider.url - The provider url, including the base. Required. + The provider url. Required. ldap.provider.userdn The userdn to use to authenticate to the provider. Optional. @@ -24,7 +24,9 @@ Configuration The password to use to authenticate to the provider. Optional. ldap.user.dn.pattern - The dn pattern for the user. Required. + The dn pattern for the user. Required. Can provide multiple separated by `;` + + | `Default: uid={0}` ldap.user.attributes.username The attribute to use for the username. Optional. @@ -36,11 +38,33 @@ Configuration | `Default: mail` + ldap.user.attributes.firstname + The attribute to use for the first name. Optional. + + | `Default: givenname` + + ldap.user.attributes.lastname + The attribute to use for the last name. Optional. + + | `Default: sn` + ldap.group.role.attribute The attribute to use for the group role. Optional. + | `Default: cn` + ldap.group.search.base The base for group search. Optional. ldap.group.search.filter The search filter for group search. Optional. + + | `Default: (uniqueMember={0})` + + ldap.user.search.base + Base for user search. Optional. + + ldap.user.search.filter + Filter for user search. Optional + + | `Default: (uid={0})` diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index 56791c6e0..03ff63141 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java +++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java @@ -29,7 +29,6 @@ import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.ldap.SpringSecurityLdapTemplate; -import org.springframework.security.ldap.authentication.LdapAuthenticationProvider; import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider; import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; import org.springframework.transaction.annotation.EnableTransactionManagement; @@ -155,7 +154,7 @@ private CustomLdapAuthoritiesPopulator(BaseLdapPathContextSource ldapContextSour public Collection getGrantedAuthorities( DirContextOperations userData, String username) { logger.debug("Populating authorities using LDAP"); - Optional userOptional = userRepository.findByUsername(username); + Optional userOptional = userRepository.findByUsernameIgnoreCase(username); if (userOptional.isEmpty()) { logger.info("No user record for {} in the userRepository, creating...", userData.getDn()); diff --git a/localuser/src/main/java/org/openmbee/mms/localuser/security/UserDetailsServiceImpl.java b/localuser/src/main/java/org/openmbee/mms/localuser/security/UserDetailsServiceImpl.java index 824786805..cd9bc1105 100644 --- a/localuser/src/main/java/org/openmbee/mms/localuser/security/UserDetailsServiceImpl.java +++ b/localuser/src/main/java/org/openmbee/mms/localuser/security/UserDetailsServiceImpl.java @@ -31,7 +31,7 @@ public void setPasswordEncoder(PasswordEncoder passwordEncoder) { @Override public UserDetailsImpl loadUserByUsername(String username) throws UsernameNotFoundException { - Optional user = userRepository.findByUsername(username); + Optional user = userRepository.findByUsernameIgnoreCase(username); if (!user.isPresent()) { throw new UsernameNotFoundException( @@ -59,7 +59,7 @@ public User register(UserCreateRequest req) { @Transactional public void changeUserPassword(String username, String password, boolean asAdmin) { - Optional userOptional = userRepository.findByUsername(username); + Optional userOptional = userRepository.findByUsernameIgnoreCase(username); if(! userOptional.isPresent()) { throw new UsernameNotFoundException( String.format("No user found with username '%s'.", username)); diff --git a/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultBranchPermissionsDelegate.java b/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultBranchPermissionsDelegate.java index f42020f18..ded88a232 100644 --- a/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultBranchPermissionsDelegate.java +++ b/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultBranchPermissionsDelegate.java @@ -93,7 +93,7 @@ public void initializePermissions(String creator) { @Override public void initializePermissions(String creator, boolean inherit) { - Optional user = getUserRepo().findByUsername(creator); + Optional user = getUserRepo().findByUsernameIgnoreCase(creator); Optional role = getRoleRepo().findByName("ADMIN"); if (!user.isPresent()) { @@ -131,7 +131,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re switch(req.getAction()) { case MODIFY: for (PermissionUpdateRequest.Permission p: req.getPermissions()) { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); Optional role = getRoleRepo().findByName(p.getRole()); if (!user.isPresent() || !role.isPresent()) { //throw exception or skip @@ -160,7 +160,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re branchUserPermRepo.findAllByBranchAndInherited(branch, false)); branchUserPermRepo.deleteByBranchAndInherited(branch, false); for (PermissionUpdateRequest.Permission p: req.getPermissions()) { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); Optional role = getRoleRepo().findByName(p.getRole()); if (!user.isPresent() || !role.isPresent()) { //throw exception or skip @@ -174,7 +174,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re case REMOVE: Set users = new HashSet<>(); req.getPermissions().forEach(p -> { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); if(! user.isPresent()) { //throw or skip; return; diff --git a/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultOrgPermissionsDelegate.java b/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultOrgPermissionsDelegate.java index b457d5d77..64ed7f179 100644 --- a/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultOrgPermissionsDelegate.java +++ b/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultOrgPermissionsDelegate.java @@ -82,7 +82,7 @@ public void initializePermissions(String creator, boolean inherit) { throw new IllegalArgumentException("Cannot inherit permissions for an Org"); } - Optional user = getUserRepo().findByUsername(creator); + Optional user = getUserRepo().findByUsernameIgnoreCase(creator); Optional role = getRoleRepo().findByName(AuthorizationConstants.ADMIN); if (!user.isPresent()) { @@ -116,7 +116,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re switch(req.getAction()) { case MODIFY: for (PermissionUpdateRequest.Permission p: req.getPermissions()) { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); Optional role = getRoleRepo().findByName(p.getRole()); if (!user.isPresent() || !role.isPresent()) { //throw exception or skip @@ -146,7 +146,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re orgUserPermRepo.deleteByOrganization(organization); for (PermissionUpdateRequest.Permission p: req.getPermissions()) { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); Optional role = getRoleRepo().findByName(p.getRole()); if (!user.isPresent() || !role.isPresent()) { //throw exception or skip @@ -160,7 +160,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re case REMOVE: Set users = new HashSet<>(); req.getPermissions().forEach(p -> { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); if(! user.isPresent()) { //throw or skip; return; diff --git a/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultProjectPermissionsDelegate.java b/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultProjectPermissionsDelegate.java index e7ae4d69f..5244e15e1 100644 --- a/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultProjectPermissionsDelegate.java +++ b/permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultProjectPermissionsDelegate.java @@ -95,7 +95,7 @@ public void initializePermissions(String creator) { @Override public void initializePermissions(String creator, boolean inherit) { - Optional user = getUserRepo().findByUsername(creator); + Optional user = getUserRepo().findByUsernameIgnoreCase(creator); Optional role = getRoleRepo().findByName("ADMIN"); if (!user.isPresent()) { @@ -133,7 +133,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re switch(req.getAction()) { case MODIFY: for (PermissionUpdateRequest.Permission p: req.getPermissions()) { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); Optional role = getRoleRepo().findByName(p.getRole()); if (!user.isPresent() || !role.isPresent()) { //throw exception or skip @@ -162,7 +162,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re projectUserPermRepo.findAllByProjectAndInherited(project, false)); projectUserPermRepo.deleteByProjectAndInherited(project, false); for (PermissionUpdateRequest.Permission p: req.getPermissions()) { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); Optional role = getRoleRepo().findByName(p.getRole()); if (!user.isPresent() || !role.isPresent()) { //throw exception or skip @@ -176,7 +176,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re case REMOVE: Set users = new HashSet<>(); req.getPermissions().forEach(p -> { - Optional user = getUserRepo().findByUsername(p.getName()); + Optional user = getUserRepo().findByUsernameIgnoreCase(p.getName()); if(! user.isPresent()) { //throw or skip; return; diff --git a/rdb/src/main/java/org/openmbee/mms/rdb/repositories/UserRepository.java b/rdb/src/main/java/org/openmbee/mms/rdb/repositories/UserRepository.java index e9389279e..129355cad 100644 --- a/rdb/src/main/java/org/openmbee/mms/rdb/repositories/UserRepository.java +++ b/rdb/src/main/java/org/openmbee/mms/rdb/repositories/UserRepository.java @@ -10,6 +10,6 @@ public interface UserRepository extends JpaRepository { Optional findByEmail(String email); - Optional findByUsername(String username); + Optional findByUsernameIgnoreCase(String username); } diff --git a/twc/src/main/java/org/openmbee/mms/twc/security/TwcUserDetailsService.java b/twc/src/main/java/org/openmbee/mms/twc/security/TwcUserDetailsService.java index ee3981a26..336d0830f 100644 --- a/twc/src/main/java/org/openmbee/mms/twc/security/TwcUserDetailsService.java +++ b/twc/src/main/java/org/openmbee/mms/twc/security/TwcUserDetailsService.java @@ -23,7 +23,7 @@ public void setUserRepository(UserRepository userRepository) { @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { - Optional user = userRepository.findByUsername(username); + Optional user = userRepository.findByUsernameIgnoreCase(username); User u; if (!user.isPresent()) {