Merge remote-tracking branch 'origin/maven/fixes/9.1' into maven/release/9.1

Author: metaventis-build

Backend/alfresco/common/src/main/java/org/edu_sharing/repository/client/tools/CCConstants.java

@@ -2278,6 +2278,9 @@ public static String getValidGlobalName(String value){
 	public static final String ELASTICSEARCH_SYNONYMSET_PREFIX = "es-synonym-set";
 	public static final String ELASTICSEARCH_ANALYZER_PREFIX = "synonyms";
 
+	public static final String EDU_PASSWORD_KEYSTORE_NAME = "edupasswords";
+	public static final String EDU_PASSWORD_USERNAMEHASH = "usernamehash";
+
 	/**
 	 * Methos that set all the Properties for ProfileSettings
 	 * @return (List) list of all properties we want to be in ProfileSettings

Backend/alfresco/module/src/main/amp/config/log4j2.properties

@@ -8,7 +8,9 @@ appender.console.type=Console
 appender.console.name=ConsoleAppender
 appender.console.layout.type=PatternLayout
 # use log4j NDC to replace %x with tenant domain / username
-appender.console.layout.pattern=%d{ISO8601} %X %-5p [%c{3}] [%t] %replace{%m}{[\r\n]+}{}%n
+# appender.console.layout.pattern=%d{ISO8601} { %notEmpty{%X{SpanId} }%notEmpty{%X{TraceId} }%notEmpty{%X{EduVersion} }%notEmpty{%X{LogEventDate}}} %-5p [%c{3}] [%t] %replace{%m}{[\r\n]+}{}%n
+appender.console.layout.pattern=%d{ISO8601} {%notEmpty{%X{SpanId} %X{TraceId}}} %-5p [%c{3}] [%t] %replace{%m}{[\r\n]+}{}%n
+
 
 ###### Log level overrides #######
 # Commented-in loggers will be exposed as JMX MBeans (refer to org.alfresco.repo.admin.Log4JHierarchyInit)

Backend/alfresco/module/src/main/java/org/edu_sharing/repository/server/tools/ApplicationInfo.java

@@ -115,6 +115,8 @@ public class ApplicationInfo implements Comparable<ApplicationInfo>, Serializabl
 	public static final String KEY_PRIVATE_KEY = "private_key";
 
 	public static final String KEY_CERTIFICATE = "certificate";
+
+	public static final String KEY_KEYSTORE_PW = "keystore_pw";
 
 	public static final String KEY_MESSAGE_OFFSET_MILLISECONDS = "message_offset_ms";
 	public static final String KEY_MESSAGE_SEND_OFFSET_MILLISECONDS = "message_send_offset_ms";
@@ -427,6 +429,8 @@ public class ApplicationInfo implements Comparable<ApplicationInfo>, Serializabl
 	private String cookieAttributes;
 	private Map<CacheKey, Serializable> cache = new HashMap<>();
 
+	private String keyStorePassword;
+
 	public ApplicationInfo(String _appFile) throws Exception{
 		if(_appFile == null) throw new Exception("Application Filename was null!");
 		appFileName = _appFile;
@@ -564,6 +568,8 @@ public ApplicationInfo(String _appFile) throws Exception{
 			validatorRegexCMName = cmNameRegex;
 		}
 
+		keyStorePassword = properties.getProperty(KEY_KEYSTORE_PW);
+
 		ltiClientId = properties.getProperty(KEY_LTI_CLIENT_ID);
 		ltiIss = properties.getProperty(KEY_LTI_ISS);
 		ltiDeploymentId = properties.getProperty(KEY_LTI_DEPLOYMENT_ID);
@@ -1136,4 +1142,8 @@ public boolean isLtiScopeUsername() {
 	public String getCertificate() {
 		return certificate;
 	}
+
+	public String getKeyStorePassword() {
+		return keyStorePassword;
+	}
 }

Backend/services/core/src/main/java/org/alfresco/repo/webdav/auth/LDAPAuthenticationFilter.java

@@ -24,6 +24,7 @@
 import org.edu_sharing.alfresco.lightbend.LightbendConfigLoader;
 import org.edu_sharing.alfrescocontext.gate.AlfAppContextGate;
 import org.edu_sharing.repository.client.tools.CCConstants;
+import org.edu_sharing.repository.server.tools.security.HMac;
 import org.springframework.context.ApplicationContext;
 
 import javax.naming.CommunicationException;
@@ -40,9 +41,6 @@
 import java.util.*;
 
 
-/**
- * Servlet Filter implementation class CockpitAuthenticationFilter
- */
 /**
  * Servlet Filter implementation class CockpitAuthenticationFilter
  */
@@ -108,6 +106,8 @@ public class LDAPAuthenticationFilter implements Filter, DependencyInjectedFilte
 	private String ldapUidProp = null;
 	private String ldapUrl = null;
 
+	HMac hMac = null;
+
 
 	/**
 	 * edu-sharing fix from 4.2.f
@@ -188,6 +188,7 @@ public void init(FilterConfig config) throws ServletException
 		env.put(Context.SECURITY_PRINCIPAL, eduConfig.getString(LDAPAuthenticationFilter.INIT_LDAP_SEC_USER));
 		env.put(Context.SECURITY_CREDENTIALS, eduConfig.getString(LDAPAuthenticationFilter.INIT_LDAP_SEC_PWD));
 
+        hMac = HMac.getInstance();
 	}
 
 	/**
@@ -341,7 +342,7 @@ public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain
 
 						// Authenticate the user
 						try{
-							logger.info("webdav ldap authentication: starting. loginName:####");
+								logger.info("webdav ldap authentication: starting. loginName:"+hMac.calculateHmac(username));
 							user = searchForUser(username,password);
 						}catch(CommunicationException e){
 							logger.error(e.getMessage() +" Will create new InitialDirContext and retry.");
@@ -570,7 +571,7 @@ WebDAVUser searchForUser(String loginName, String password) throws Communication
 				dn = r.getNameInNamespace();
 
 			}else{
-				throw new AuthenticationException("webdav ldap authentication: user not found in directory. loginName:###");
+				throw new AuthenticationException("webdav ldap authentication: user not found in directory. loginName:" + hMac.calculateHmac(loginName));
 			}
 			rs.close();
 
@@ -591,7 +592,7 @@ WebDAVUser searchForUser(String loginName, String password) throws Communication
 					return true;
 				});
 				if(!allowed){
-					throw new AuthenticationException("webdav ldap authentication: USER_BLOCKED. loginName: ###  / userName: ###");
+					throw new AuthenticationException("webdav ldap authentication: USER_BLOCKED. loginName:" + hMac.calculateHmac(loginName) + " / userName:" + hMac.calculateHmac(username) );
 				}
 			}
 
@@ -625,12 +626,12 @@ WebDAVUser searchForUser(String loginName, String password) throws Communication
 		} catch (AuthenticationException ex) {
 			// Do nothing, user object will be null
 			if(ex.getMessage() != null && ex.getMessage().contains("Invalid Credentials")){
-				logger.warn("webdav ldap authentication: failed with Invalid Credentials. loginName: ### / userName: ###");
+				logger.error("webdav ldap authentication: failed with Invalid Credentials. loginName:" + hMac.calculateHmac(loginName) + " / userName:" + hMac.calculateHmac(username));
 			}
 			if (ex.getMessage() != null && ex.getMessage().contains("DN with no password")) {
-				logger.warn("webdav ldap authentication: no password provided. loginName: ### / userName: ###");
+				logger.error("webdav ldap authentication: no password provided. loginName:" + hMac.calculateHmac(loginName) + " / userName:" + hMac.calculateHmac(username));
 			}else {
-				logger.warn(ex.getMsgId());
+				logger.error(ex.getMsgId());
 				if (logger.isDebugEnabled()) {
 					logger.error(ex.getMessage(), ex);
 				}
@@ -669,7 +670,7 @@ private void authenticate(String ldapUserDn, String username, String password, S
 				ApplicationContext context = AlfAppContextGate.getApplicationContext();
 				AuthenticationComponent authComp = (AuthenticationComponent)context.getBean("authenticationComponent");
 				authComp.setCurrentUser(username);
-				logger.info("webdav ldap authentication: sucessfull. loginName: ###  / userName: ###");
+				logger.info("webdav ldap authentication: sucessfull. loginName:" + hMac.calculateHmac(loginName) +" / userName:" + hMac.calculateHmac(username));
 				return;
 			}catch(javax.naming.AuthenticationException e){
 				logger.debug(e.getMessage(), e);

Backend/services/core/src/main/java/org/edu_sharing/repository/server/authentication/ContextManagementFilter.java

@@ -2,11 +2,13 @@
 
 import java.io.IOException;
 import java.io.Serializable;
+import java.util.Date;
 import java.util.Map;
 
 import jakarta.servlet.*;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.text.SimpleDateFormat;
 
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
@@ -24,6 +26,7 @@
 import org.edu_sharing.repository.client.tools.CCConstants;
 import org.edu_sharing.repository.server.AuthenticationToolAPI;
 import org.edu_sharing.repository.server.tools.ApplicationInfoList;
+import org.edu_sharing.repository.server.tools.security.HMac;
 import org.edu_sharing.repository.server.tools.security.SignatureVerifier;
 import org.edu_sharing.restservices.NodeDao;
 import org.edu_sharing.restservices.RepositoryDao;
@@ -35,10 +38,13 @@
 import org.edu_sharing.service.usage.Usage;
 import org.edu_sharing.service.usage.Usage2Service;
 import org.edu_sharing.service.usage.Usage2Exception;
+import org.edu_sharing.spring.ApplicationContextFactory;
 import org.edu_sharing.webservices.util.AuthenticationUtils;
 
 import net.sf.acegisecurity.AuthenticationCredentialsNotFoundException;
 import org.springframework.context.ApplicationContext;
+import org.apache.logging.log4j.ThreadContext;
+import org.edu_sharing.service.version.VersionService;
 
 
 public class ContextManagementFilter implements jakarta.servlet.Filter {
@@ -54,13 +60,22 @@ public class ContextManagementFilter implements jakarta.servlet.Filter {
 	AuthenticationService authservice = serviceRegistry.getAuthenticationService();
 	AuthenticationComponent authenticationComponent = (AuthenticationComponent)applicationContext.getBean("authenticationComponent");
 
+	HMac hMac = null;
+
+	SimpleDateFormat logEventDateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss,SSS");
+
+	private VersionService versionService;
+
 	@Override
 	public void destroy() {
 	}
 
 	@Override
 	public void init(FilterConfig config) throws ServletException {
 		this.context=config.getServletContext();
+		hMac = HMac.getInstance();
+
+		versionService = ApplicationContextFactory.getApplicationContext().getBean(VersionService.class);
 	}
 
 	@Override
@@ -76,12 +91,37 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 			ScopeAuthenticationServiceFactory.getScopeAuthenticationService().setScopeForCurrentThread();
 
 			try{
+				String user = (String) ((HttpServletRequest) req).getSession().getAttribute(CCConstants.AUTH_USERNAME);
 				// Run as System because there is yet no session opened
 				Map<String, Serializable> info = AuthenticationUtil.runAsSystem(() ->
 						AuthorityServiceFactory.getLocalService().getUserInfo(
-								(String) ((HttpServletRequest) req).getSession().getAttribute(CCConstants.AUTH_USERNAME))
+								user)
 				);
 				QueryUtils.setUserInfo(info);
+
+				String remoteAdress = ((HttpServletRequest) req).getHeader("x-forwarded-for");
+				if(remoteAdress == null){
+					remoteAdress = req.getRemoteAddr();
+				}
+				if(remoteAdress != null) {
+					ThreadContext.put("RemoteAddr", remoteAdress);
+				}
+
+				String ua = ((HttpServletRequest) req).getHeader("user-agent");
+				if(ua != null){
+					ThreadContext.put("UserAgent",ua);
+				}
+
+				if(user != null){
+					String hmac = hMac.calculateHmac(user.trim());
+					ThreadContext.put("UserPlain",user);
+					ThreadContext.put("User",hmac);
+				}
+
+				ThreadContext.put("Url",((HttpServletRequest)req).getRequestURL().toString());
+				ThreadContext.put("EduVersion", versionService.getVersionNoException(VersionService.Type.REPOSITORY));
+				ThreadContext.put("LogEventDate",logEventDateFormat.format(new Date()));
+
 			}catch(Exception e){
 				logger.info("Could not set user info: "+e.getMessage());
 			}
@@ -146,6 +186,8 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 			//for soap api
 			AuthenticationUtils.setAuthenticationDetails(null);
 
+			ThreadContext.clearAll();
+
 		}
 
 	}

Backend/services/core/src/main/java/org/edu_sharing/repository/server/tools/security/HMac.java

@@ -0,0 +1,48 @@
+package org.edu_sharing.repository.server.tools.security;
+
+
+import org.apache.commons.codec.digest.HmacUtils;
+import org.apache.log4j.Logger;
+import org.edu_sharing.repository.client.tools.CCConstants;
+import org.edu_sharing.repository.server.tools.ApplicationInfoList;
+
+
+public class HMac {
+
+    public static final String ALG_SHA256 = "HmacSHA256";
+
+
+    Logger logger = Logger.getLogger(HMac.class);
+
+    String sharedSecret;
+    String algorithm;
+
+
+    public HMac(String sharedSecret, String algorithm){
+        this.sharedSecret = sharedSecret;
+        this.algorithm = algorithm;
+    }
+
+    public String calculateHmac(String data) {
+        //had problems using HmacUtils as class member and reuse, sometimes got another hex for the same data
+        // so reinit
+        HmacUtils hmacUtils = new HmacUtils(algorithm,sharedSecret);
+        return hmacUtils.hmacHex(data);
+    }
+
+    public boolean checkHmac(String data, String hmacHex) {
+        return calculateHmac(data).equals(hmacHex);
+    }
+
+    public static HMac getInstance() {
+        KeyStoreService keyStoreService = new KeyStoreService();
+
+        try {
+            String hmacPassword = keyStoreService.readPasswordFromKeyStore(CCConstants.EDU_PASSWORD_KEYSTORE_NAME,
+                    ApplicationInfoList.getHomeRepository().getKeyStorePassword(),"",CCConstants.EDU_PASSWORD_USERNAMEHASH);
+            return new HMac(hmacPassword,HMac.ALG_SHA256);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+}