From c7c81a724369f6802bfd9f1679a40db85e2961f7 Mon Sep 17 00:00:00 2001 From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com> Date: Mon, 4 Sep 2023 18:42:22 +0100 Subject: [PATCH] security --- Dockerfile | 44 +++++++++------- Dockerfile-lite | 30 ++++++++++- Dockerfile-ultra-lite | 25 +++++++-- .../SPDF/controller/api/UserController.java | 18 ++++--- src/main/resources/messages_en_GB.properties | 8 +-- src/main/resources/templates/addUsers.html | 9 +++- .../resources/templates/change-creds.html | 2 +- .../templates/security/add-watermark.html | 52 ++++++++++++------- 8 files changed, 129 insertions(+), 59 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6b17228e..fb2d2f41 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,31 +1,39 @@ -# Build jbig2enc in a separate stage +# Use the base image FROM frooodle/stirling-pdf-base:beta4 -ARG VERSION_TAG -ENV VERSION_TAG=$VERSION_TAG +# Set Environment Variables +ENV PUID=1000 \ + PGID=1000 \ + UMASK=022 \ + DOCKER_ENABLE_SECURITY=false \ + HOME=/home/stirlingpdfuser \ + VERSION_TAG=$VERSION_TAG -ENV DOCKER_ENABLE_SECURITY=false +# Create user and group +RUN groupadd -g $PGID stirlingpdfgroup && \ + useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \ + mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME -# Create scripts folder and copy local scripts -RUN mkdir /scripts +# Set up necessary directories and permissions +RUN mkdir -p /scripts /usr/share/fonts/opentype/noto /usr/share/tesseract-ocr /configs /customFiles && \ + chown -R stirlingpdfuser:stirlingpdfgroup /scripts /usr/share/fonts/opentype/noto /usr/share/tesseract-ocr /configs /customFiles && \ + chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/tesseract-ocr-original + +# Copy necessary files COPY ./scripts/* /scripts/ - -#Install fonts -RUN mkdir /usr/share/fonts/opentype/noto/ COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto/ COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto/ -RUN fc-cache -f -v - -# Always copy the JAR COPY build/libs/*.jar app.jar -# Expose the application port +# Set font cache and permissions +RUN fc-cache -f -v && \ + chown stirlingpdfuser:stirlingpdfgroup /app.jar && \ + chmod +x /scripts/init.sh + +# Expose necessary ports EXPOSE 8080 -# Set environment variables -ENV APP_HOME_NAME="Stirling PDF" - -# Run the application -RUN chmod +x /scripts/init.sh +# Set user and run command +USER stirlingpdfuser ENTRYPOINT ["/scripts/init.sh"] CMD ["java", "-jar", "/app.jar"] diff --git a/Dockerfile-lite b/Dockerfile-lite index 0f3fcb5f..8144fff9 100644 --- a/Dockerfile-lite +++ b/Dockerfile-lite 
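Review bot: `VERSION_TAG=$VERSION_TAG` in the new ENV block refers to a build argument that this same hunk removes (`-ARG VERSION_TAG`), so at build time the variable expands to an empty string and every image ships with a blank VERSION_TAG; keep `ARG VERSION_TAG` immediately before the ENV block. Dockerfile-lite and Dockerfile-ultra-lite copy the same ENV block and their hunks show no ARG either, so unless one is declared earlier in those files they need the same line. Separately, `USER stirlingpdfuser` is now placed before `ENTRYPOINT ["/scripts/init.sh"]`, so init.sh runs unprivileged; if that script is meant to apply PUID/PGID/UMASK at runtime (the defaults are set here but nothing in this file consumes them), it can no longer change ownership or switch users, so either let init.sh start as root and drop privileges itself, or document that PUID/PGID are build-time only.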
@@ -10,17 +10,43 @@ RUN apt-get update && \ unoconv && \ rm -rf /var/lib/apt/lists/* -# Copy the application JAR file + +# Set Environment Variables +ENV PUID=1000 \ + PGID=1000 \ + UMASK=022 \ + DOCKER_ENABLE_SECURITY=false \ + HOME=/home/stirlingpdfuser \ + VERSION_TAG=$VERSION_TAG + +# Create user and group +RUN groupadd -g $PGID stirlingpdfgroup && \ + useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \ + mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME + +# Set up necessary directories and permissions +RUN mkdir -p /scripts /usr/share/fonts/opentype/noto /configs /customFiles && \ + chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/fonts/opentype/noto /configs /customFiles + +# Copy necessary files +COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto/ +COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto/ COPY build/libs/*.jar app.jar +# Set font cache and permissions +RUN fc-cache -f -v && \ + chown stirlingpdfuser:stirlingpdfgroup /app.jar + + # Expose the application port EXPOSE 8080 # Set environment variables -ENV GROUPS_TO_REMOVE=Python,OpenCV,OCRmyPDF +ENV ENDPOINTS_GROUPS_TO_REMOVE=Python,OpenCV,OCRmyPDF ENV DOCKER_ENABLE_SECURITY=false # Run the application +USER stirlingpdfuser CMD ["java", "-jar", "/app.jar"] diff --git a/Dockerfile-ultra-lite b/Dockerfile-ultra-lite index 04e58c42..84798820 100644 --- a/Dockerfile-ultra-lite +++ b/Dockerfile-ultra-lite 
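Review bot: `ENV DOCKER_ENABLE_SECURITY=false` is now set twice in this hunk, once inside the new multi-line ENV block and again in the existing line after `ENV ENDPOINTS_GROUPS_TO_REMOVE`; the second is redundant and should be dropped so the default lives in one place. `mkdir -p /scripts` creates a directory that the following `chown -R` omits and that nothing in this file populates, unlike Dockerfile where scripts are copied in and chowned; either remove `/scripts` from the mkdir or add it to the chown list so the three variants stay consistent. The two font COPY lines land after the chown, so those files stay root-owned; harmless for read-only fonts, but a one-line comment saying so would save the next reader from re-checking.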
@@ -1,16 +1,33 @@ # Build jbig2enc in a separate stage FROM bellsoft/liberica-openjdk-alpine:17 -# Copy the application JAR file +# Set Environment Variables +ENV PUID=1000 \ + PGID=1000 \ + UMASK=022 \ + DOCKER_ENABLE_SECURITY=false \ + HOME=/home/stirlingpdfuser \ + VERSION_TAG=$VERSION_TAG + +# Create user and group using Alpine's addgroup and adduser +RUN addgroup -g $PGID stirlingpdfgroup && \ + adduser -u $PUID -G stirlingpdfgroup -s /bin/sh -D stirlingpdfuser && \ + mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME + +# Set up necessary directories and permissions +RUN mkdir -p /scripts /configs /customFiles && \ + chown -R stirlingpdfuser:stirlingpdfgroup /scripts /configs /customFiles + COPY build/libs/*.jar app.jar +# Set font cache and permissions +RUN chown stirlingpdfuser:stirlingpdfgroup /app.jar + # Expose the application port EXPOSE 8080 - - # Set environment variables -ENV GROUPS_TO_REMOVE=CLI +ENV ENDPOINTS_GROUPS_TO_REMOVE=CLI ENV DOCKER_ENABLE_SECURITY=false # Run the application diff --git a/src/main/java/stirling/software/SPDF/controller/api/UserController.java b/src/main/java/stirling/software/SPDF/controller/api/UserController.java index 2cdf60d9..bd4452da 100644 --- a/src/main/java/stirling/software/SPDF/controller/api/UserController.java +++ b/src/main/java/stirling/software/SPDF/controller/api/UserController.java @@ -71,7 +71,7 @@ public class UserController { userService.changePassword(user, newPassword); - if(!user.getUsername().equals(newUsername)) { + if(newUsername != null && newUsername.length() > 0 && !user.getUsername().equals(newUsername)) { userService.changeUsername(user, newUsername); } userService.changeFirstUse(user, false); 
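Review bot: This file creates stirlingpdfuser and chowns /app.jar, /scripts, /configs and /customFiles to it, but unlike Dockerfile-lite no `USER stirlingpdfuser` instruction is added anywhere in the hunk, so the run command that follows the final `# Run the application` context line (outside the hunk) presumably still executes as root and the ownership changes buy nothing. Add `USER stirlingpdfuser` before the CMD, as the lite variant does. The new ENV block also sets `VERSION_TAG=$VERSION_TAG` with no `ARG VERSION_TAG` in view, so the value expands to empty unless an ARG exists earlier in the file.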
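Review bot: The new guard `newUsername != null && newUsername.length() > 0` still accepts a whitespace-only value, so a username consisting of spaces passes through to `userService.changeUsername`; prefer `if(newUsername != null && !newUsername.isBlank() && !user.getUsername().equals(newUsername)) {` (the images build on JDK 17, so `isBlank` is available). The same condition is repeated in the -111 hunk below and should be extracted into one private helper so both paths treat "no new username" identically. The enclosing method starts and ends outside this hunk, so whether `newUsername` is declared with `required = false` cannot be confirmed here.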
@@ -111,8 +111,9 @@ public class UserController { return new RedirectView("/account?messageType=usernameExists"); } - - userService.changeUsername(user, newUsername); + if(newUsername != null && newUsername.length() > 0) { + userService.changeUsername(user, newUsername); + } // Logout using Spring's utility new SecurityContextLogoutHandler().logout(request, response, null); @@ -173,9 +174,14 @@ public class UserController { @PreAuthorize("hasRole('ROLE_ADMIN')") @PostMapping("/admin/saveUser") - public String saveUser(@RequestParam String username, @RequestParam String password, @RequestParam String role) { - userService.saveUser(username, password, role); - return "redirect:/addUsers"; // Redirect to account page after adding the user + public RedirectView saveUser(@RequestParam String username, @RequestParam String password, @RequestParam String role, + @RequestParam(name = "forceChange", required = false, defaultValue = "false") boolean forceChange) { + + if(userService.usernameExists(username)) { + return new RedirectView("/addUsers?messageType=usernameExists"); + } + userService.saveUser(username, password, role, forceChange); + return new RedirectView("/addUsers"); // Redirect to account page after adding the user } diff --git a/src/main/resources/messages_en_GB.properties b/src/main/resources/messages_en_GB.properties index 06681b6f..740782cc 100644 --- a/src/main/resources/messages_en_GB.properties +++ b/src/main/resources/messages_en_GB.properties @@ -119,6 +119,7 @@ adminUserSettings.role=Role adminUserSettings.actions=Actions adminUserSettings.apiUser=Limited API User adminUserSettings.webOnlyUser=Web Only User +adminUserSettings.forceChange = Force user to change username/password on login adminUserSettings.submit=Save User ############# 
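Review bot: In the `saveUser` hunk the duplicate-username check is the only validation: `username`, `password` and `role` reach `userService.saveUser(username, password, role, forceChange)` unvalidated, so an admin form can create an account with a blank username or password, and `role` is a free-form request string never compared against the roles the application defines. Reject blank `username`/`password` with a redirect before the `usernameExists` check (using a `messageType` value of your choice; `invalidInput` here is only a constructed example), and validate `role` against the known role set before saving. The `usernameExists` check followed by `saveUser` is not atomic either, so the persistence layer should enforce a unique username constraint rather than relying on this check alone; the class continues outside the hunk.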
@@ -767,13 +768,6 @@ changeMetadata.selectText.5=Add Custom Metadata Entry changeMetadata.submit=Change -#xlsToPdf -xlsToPdf.title=Excel to PDF -xlsToPdf.header=Excel to PDF -xlsToPdf.selectText.1=Select XLS or XLSX Excel sheet to convert -xlsToPdf.convert=convert - - #pdfToPDFA pdfToPDFA.title=PDF To PDF/A pdfToPDFA.header=PDF To PDF/A diff --git a/src/main/resources/templates/addUsers.html b/src/main/resources/templates/addUsers.html index 18d32557..094ede17 100644 --- a/src/main/resources/templates/addUsers.html +++ b/src/main/resources/templates/addUsers.html @@ -12,7 +12,7 @@
- +

Admin User Control Settings

@@ -43,6 +43,9 @@

Add New User

+
+ Default message if not found +
@@ -61,6 +64,10 @@
+
+ + +
diff --git a/src/main/resources/templates/change-creds.html b/src/main/resources/templates/change-creds.html index 0442cb55..6e19bcef 100644 --- a/src/main/resources/templates/change-creds.html +++ b/src/main/resources/templates/change-creds.html @@ -40,7 +40,7 @@
- +
diff --git a/src/main/resources/templates/security/add-watermark.html b/src/main/resources/templates/security/add-watermark.html index 1f699415..6a0619ec 100644 --- a/src/main/resources/templates/security/add-watermark.html +++ b/src/main/resources/templates/security/add-watermark.html @@ -28,7 +28,16 @@
- +
+ + +
@@ -101,25 +110,28 @@