Merge pull request #234 from Open-MBEE/release/4.0.16

Release/4.0.16

.github/codeql.yml

@@ -0,0 +1,3 @@
+query-filters:
+  - exclude:
+      id: java/spring-disabled-csrf-protection

.github/workflows/codeql.yml

@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "develop", "master" ]
+  pull_request:
+    branches: [ "develop" ]
+  schedule:
+    - cron: "4 23 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ java ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Java
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin
+          java-version: 11
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql.yml
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"

gradle.properties

@@ -1,4 +1,4 @@
-version=4.0.15
+version=4.0.16
 group=org.openmbee.mms
 
 springBootVersion=2.6.7

groups/src/main/java/org/openmbee/mms/groups/controllers/LocalGroupsController.java

@@ -126,7 +126,7 @@ public GroupUpdateResponse updateGroupUsers(@PathVariable String group,
         response.setGroup(group);
 
         groupUpdateRequest.getUsers().forEach(newUser -> {
-            User user = userRepository.findByUsername(newUser).orElse(null);
+            User user = userRepository.findByUsernameIgnoreCase(newUser).orElse(null);
             if (user != null) {
 
                 if (groupUpdateRequest.getAction() == Action.ADD) {

ldap/README.rst

@@ -15,7 +15,7 @@ Configuration
     The base string to use. Required.
 
   ldap.provider.url
-    The provider url, including the base. Required.
+    The provider url. Required.
 
   ldap.provider.userdn
     The userdn to use to authenticate to the provider. Optional.
@@ -24,7 +24,9 @@ Configuration
     The password to use to authenticate to the provider. Optional.
 
   ldap.user.dn.pattern
-    The dn pattern for the user. Required.
+    The dn pattern for the user. Required. Can provide multiple separated by `;`
+
+    | `Default: uid={0}`
 
   ldap.user.attributes.username
     The attribute to use for the username. Optional.
@@ -36,11 +38,33 @@ Configuration
 
     | `Default: mail`
 
+  ldap.user.attributes.firstname
+    The attribute to use for the first name. Optional.
+
+    | `Default: givenname`
+
+  ldap.user.attributes.lastname
+    The attribute to use for the last name. Optional.
+
+    | `Default: sn`
+
   ldap.group.role.attribute
     The attribute to use for the group role. Optional.
 
+    | `Default: cn`
+
   ldap.group.search.base
     The base for group search. Optional.
 
   ldap.group.search.filter
     The search filter for group search. Optional.
+
+    | `Default: (uniqueMember={0})`
+
+  ldap.user.search.base
+    Base for user search. Optional.
+
+  ldap.user.search.filter
+    Filter for user search. Optional
+
+    | `Default: (uid={0})`

ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java

@@ -29,7 +29,6 @@
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.ldap.SpringSecurityLdapTemplate;
-import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
@@ -155,7 +154,7 @@ private CustomLdapAuthoritiesPopulator(BaseLdapPathContextSource ldapContextSour
             public Collection<? extends GrantedAuthority> getGrantedAuthorities(
                 DirContextOperations userData, String username) {
                 logger.debug("Populating authorities using LDAP");
-                Optional<User> userOptional = userRepository.findByUsername(username);
+                Optional<User> userOptional = userRepository.findByUsernameIgnoreCase(username);
 
                 if (userOptional.isEmpty()) {
                     logger.info("No user record for {} in the userRepository, creating...", userData.getDn());

localuser/src/main/java/org/openmbee/mms/localuser/security/UserDetailsServiceImpl.java

@@ -31,7 +31,7 @@ public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 
     @Override
     public UserDetailsImpl loadUserByUsername(String username) throws UsernameNotFoundException {
-        Optional<User> user = userRepository.findByUsername(username);
+        Optional<User> user = userRepository.findByUsernameIgnoreCase(username);
 
         if (!user.isPresent()) {
             throw new UsernameNotFoundException(
@@ -59,7 +59,7 @@ public User register(UserCreateRequest req) {
 
     @Transactional
     public void changeUserPassword(String username, String password, boolean asAdmin) {
-        Optional<User> userOptional = userRepository.findByUsername(username);
+        Optional<User> userOptional = userRepository.findByUsernameIgnoreCase(username);
         if(! userOptional.isPresent()) {
             throw new UsernameNotFoundException(
                     String.format("No user found with username '%s'.", username));

permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultBranchPermissionsDelegate.java

@@ -93,7 +93,7 @@ public void initializePermissions(String creator) {
     @Override
     public void initializePermissions(String creator, boolean inherit) {
 
-        Optional<User> user = getUserRepo().findByUsername(creator);
+        Optional<User> user = getUserRepo().findByUsernameIgnoreCase(creator);
         Optional<Role> role = getRoleRepo().findByName("ADMIN");
 
         if (!user.isPresent()) {
@@ -131,7 +131,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
         switch(req.getAction()) {
             case MODIFY:
                 for (PermissionUpdateRequest.Permission p: req.getPermissions()) {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     Optional<Role> role = getRoleRepo().findByName(p.getRole());
                     if (!user.isPresent() || !role.isPresent()) {
                         //throw exception or skip
@@ -160,7 +160,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
                     branchUserPermRepo.findAllByBranchAndInherited(branch, false));
                 branchUserPermRepo.deleteByBranchAndInherited(branch, false);
                 for (PermissionUpdateRequest.Permission p: req.getPermissions()) {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     Optional<Role> role = getRoleRepo().findByName(p.getRole());
                     if (!user.isPresent() || !role.isPresent()) {
                         //throw exception or skip
@@ -174,7 +174,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
             case REMOVE:
                 Set<String> users = new HashSet<>();
                 req.getPermissions().forEach(p -> {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     if(! user.isPresent()) {
                         //throw or skip;
                         return;

permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultOrgPermissionsDelegate.java

@@ -82,7 +82,7 @@ public void initializePermissions(String creator, boolean inherit) {
             throw new IllegalArgumentException("Cannot inherit permissions for an Org");
         }
 
-        Optional<User> user = getUserRepo().findByUsername(creator);
+        Optional<User> user = getUserRepo().findByUsernameIgnoreCase(creator);
         Optional<Role> role = getRoleRepo().findByName(AuthorizationConstants.ADMIN);
 
         if (!user.isPresent()) {
@@ -116,7 +116,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
         switch(req.getAction()) {
             case MODIFY:
                 for (PermissionUpdateRequest.Permission p: req.getPermissions()) {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     Optional<Role> role = getRoleRepo().findByName(p.getRole());
                     if (!user.isPresent() || !role.isPresent()) {
                         //throw exception or skip
@@ -146,7 +146,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
                 orgUserPermRepo.deleteByOrganization(organization);
 
                 for (PermissionUpdateRequest.Permission p: req.getPermissions()) {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     Optional<Role> role = getRoleRepo().findByName(p.getRole());
                     if (!user.isPresent() || !role.isPresent()) {
                         //throw exception or skip
@@ -160,7 +160,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
             case REMOVE:
                 Set<String> users = new HashSet<>();
                 req.getPermissions().forEach(p -> {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     if(! user.isPresent()) {
                         //throw or skip;
                         return;

permissions/src/main/java/org/openmbee/mms/permissions/delegation/DefaultProjectPermissionsDelegate.java

@@ -95,7 +95,7 @@ public void initializePermissions(String creator) {
 
     @Override
     public void initializePermissions(String creator, boolean inherit) {
-        Optional<User> user = getUserRepo().findByUsername(creator);
+        Optional<User> user = getUserRepo().findByUsernameIgnoreCase(creator);
         Optional<Role> role = getRoleRepo().findByName("ADMIN");
 
         if (!user.isPresent()) {
@@ -133,7 +133,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
         switch(req.getAction()) {
             case MODIFY:
                 for (PermissionUpdateRequest.Permission p: req.getPermissions()) {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     Optional<Role> role = getRoleRepo().findByName(p.getRole());
                     if (!user.isPresent() || !role.isPresent()) {
                         //throw exception or skip
@@ -162,7 +162,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
                     projectUserPermRepo.findAllByProjectAndInherited(project, false));
                 projectUserPermRepo.deleteByProjectAndInherited(project, false);
                 for (PermissionUpdateRequest.Permission p: req.getPermissions()) {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     Optional<Role> role = getRoleRepo().findByName(p.getRole());
                     if (!user.isPresent() || !role.isPresent()) {
                         //throw exception or skip
@@ -176,7 +176,7 @@ public PermissionUpdateResponse updateUserPermissions(PermissionUpdateRequest re
             case REMOVE:
                 Set<String> users = new HashSet<>();
                 req.getPermissions().forEach(p -> {
-                    Optional<User> user = getUserRepo().findByUsername(p.getName());
+                    Optional<User> user = getUserRepo().findByUsernameIgnoreCase(p.getName());
                     if(! user.isPresent()) {
                         //throw or skip;
                         return;

rdb/src/main/java/org/openmbee/mms/rdb/repositories/UserRepository.java

@@ -10,6 +10,6 @@ public interface UserRepository extends JpaRepository<User, Long> {
 
     Optional<User> findByEmail(String email);
 
-    Optional<User> findByUsername(String username);
+    Optional<User> findByUsernameIgnoreCase(String username);
 
 }

twc/src/main/java/org/openmbee/mms/twc/security/TwcUserDetailsService.java

@@ -23,7 +23,7 @@ public void setUserRepository(UserRepository userRepository) {
 
     @Override
     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
-        Optional<User> user = userRepository.findByUsername(username);
+        Optional<User> user = userRepository.findByUsernameIgnoreCase(username);
 
         User u;
         if (!user.isPresent()) {