security

kaiyadiy · Sep 4, 2023 · c7c81a7 · c7c81a7
1 parent ac019ac
commit c7c81a7
Show file tree

Hide file tree

Showing 8 changed files with 131 additions and 61 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,31 +1,39 @@
-# Build jbig2enc in a separate stage
+# Use the base image
 FROM frooodle/stirling-pdf-base:beta4
 
-ARG VERSION_TAG
-ENV VERSION_TAG=$VERSION_TAG
-
-ENV DOCKER_ENABLE_SECURITY=false
-
-# Create scripts folder and copy local scripts
-RUN mkdir /scripts
+# Set Environment Variables
+ENV PUID=1000 \
+    PGID=1000 \
+    UMASK=022 \
+    DOCKER_ENABLE_SECURITY=false \
+    HOME=/home/stirlingpdfuser \
+    VERSION_TAG=$VERSION_TAG
+
+# Create user and group
+RUN groupadd -g $PGID stirlingpdfgroup && \
+    useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \
+    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME
+
+# Set up necessary directories and permissions
+RUN mkdir -p /scripts /usr/share/fonts/opentype/noto /usr/share/tesseract-ocr /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /scripts /usr/share/fonts/opentype/noto /usr/share/tesseract-ocr /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/tesseract-ocr-original
+
+# Copy necessary files
 COPY ./scripts/* /scripts/
-
-#Install fonts
-RUN mkdir /usr/share/fonts/opentype/noto/
 COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto/
 COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto/
-RUN fc-cache -f -v
-
-# Always copy the JAR 
 COPY build/libs/*.jar app.jar
 
-# Expose the application port
-EXPOSE 8080
+# Set font cache and permissions
+RUN fc-cache -f -v && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar && \
+    chmod +x /scripts/init.sh
 
-# Set environment variables
-ENV APP_HOME_NAME="Stirling PDF"
+# Expose necessary ports
+EXPOSE 8080
 
-# Run the application
-RUN chmod +x /scripts/init.sh
+# Set user and run command
+USER stirlingpdfuser
 ENTRYPOINT ["/scripts/init.sh"]
 CMD ["java", "-jar", "/app.jar"]
diff --git a/Dockerfile-lite b/Dockerfile-lite
@@ -10,17 +10,43 @@ RUN apt-get update && \
         unoconv && \
     rm -rf /var/lib/apt/lists/*
 
-# Copy the application JAR file
+
+# Set Environment Variables
+ENV PUID=1000 \
+    PGID=1000 \
+    UMASK=022 \
+    DOCKER_ENABLE_SECURITY=false \
+    HOME=/home/stirlingpdfuser \
+    VERSION_TAG=$VERSION_TAG
+
+# Create user and group
+RUN groupadd -g $PGID stirlingpdfgroup && \
+    useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \
+    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME
+
+# Set up necessary directories and permissions
+RUN mkdir -p /scripts /usr/share/fonts/opentype/noto /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/fonts/opentype/noto /configs /customFiles
+
+# Copy necessary files
+COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto/
+COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto/
 COPY build/libs/*.jar app.jar
 
+# Set font cache and permissions
+RUN fc-cache -f -v && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar
+
+
 
 
 # Expose the application port
 EXPOSE 8080
 
 # Set environment variables
-ENV GROUPS_TO_REMOVE=Python,OpenCV,OCRmyPDF
+ENV ENDPOINTS_GROUPS_TO_REMOVE=Python,OpenCV,OCRmyPDF
 ENV DOCKER_ENABLE_SECURITY=false
 
 # Run the application
+USER stirlingpdfuser
 CMD ["java", "-jar", "/app.jar"]
diff --git a/Dockerfile-ultra-lite b/Dockerfile-ultra-lite
@@ -1,16 +1,33 @@
 # Build jbig2enc in a separate stage
 FROM bellsoft/liberica-openjdk-alpine:17
 
-# Copy the application JAR file
+# Set Environment Variables
+ENV PUID=1000 \
+    PGID=1000 \
+    UMASK=022 \
+    DOCKER_ENABLE_SECURITY=false \
+    HOME=/home/stirlingpdfuser \
+    VERSION_TAG=$VERSION_TAG
+
+# Create user and group using Alpine's addgroup and adduser
+RUN addgroup -g $PGID stirlingpdfgroup && \
+    adduser -u $PUID -G stirlingpdfgroup -s /bin/sh -D stirlingpdfuser && \
+    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME
+
+# Set up necessary directories and permissions
+RUN mkdir -p /scripts /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /scripts /configs /customFiles
+
 COPY build/libs/*.jar app.jar
 
+# Set font cache and permissions
+RUN chown stirlingpdfuser:stirlingpdfgroup /app.jar
+
 # Expose the application port
 EXPOSE 8080
 
-
-
 # Set environment variables
-ENV GROUPS_TO_REMOVE=CLI
+ENV ENDPOINTS_GROUPS_TO_REMOVE=CLI
 ENV DOCKER_ENABLE_SECURITY=false
 
 # Run the application

diff --git a/src/main/java/stirling/software/SPDF/controller/api/UserController.java b/src/main/java/stirling/software/SPDF/controller/api/UserController.java
@@ -71,7 +71,7 @@ public RedirectView changeUsernameAndPassword(Principal principal,
 
 
         userService.changePassword(user, newPassword);
-        if(!user.getUsername().equals(newUsername)) {
+        if(newUsername != null && newUsername.length() > 0 && !user.getUsername().equals(newUsername)) {
             userService.changeUsername(user, newUsername);
         }
         userService.changeFirstUse(user, false);
@@ -111,8 +111,9 @@ public RedirectView changeUsername(Principal principal,
     	    return new RedirectView("/account?messageType=usernameExists");
     	}
 
-
-        userService.changeUsername(user, newUsername);
+    	if(newUsername != null && newUsername.length() > 0) {
+            userService.changeUsername(user, newUsername);
+        }
 
         // Logout using Spring's utility
         new SecurityContextLogoutHandler().logout(request, response, null);
@@ -173,9 +174,14 @@ public String updateUserSettings(HttpServletRequest request, Principal principal
 
     @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping("/admin/saveUser")
-    public String saveUser(@RequestParam String username, @RequestParam String password, @RequestParam String role) {
-        userService.saveUser(username, password, role);
-        return "redirect:/addUsers";  // Redirect to account page after adding the user
+    public RedirectView saveUser(@RequestParam String username, @RequestParam String password, @RequestParam String role, 
+    		@RequestParam(name = "forceChange", required = false, defaultValue = "false") boolean forceChange) {
+
+    	if(userService.usernameExists(username)) {
+    		return new RedirectView("/addUsers?messageType=usernameExists");
+    	}
+        userService.saveUser(username, password, role, forceChange);
+        return new RedirectView("/addUsers");  // Redirect to account page after adding the user
     }
 
 

diff --git a/src/main/resources/messages_en_GB.properties b/src/main/resources/messages_en_GB.properties
@@ -119,6 +119,7 @@ adminUserSettings.role=Role
 adminUserSettings.actions=Actions
 adminUserSettings.apiUser=Limited API User
 adminUserSettings.webOnlyUser=Web Only User
+adminUserSettings.forceChange = Force user to change username/password on login
 adminUserSettings.submit=Save User
 
 #############
@@ -767,13 +768,6 @@ changeMetadata.selectText.5=Add Custom Metadata Entry
 changeMetadata.submit=Change
 
 
-#xlsToPdf
-xlsToPdf.title=Excel to PDF
-xlsToPdf.header=Excel to PDF
-xlsToPdf.selectText.1=Select XLS or XLSX Excel sheet to convert
-xlsToPdf.convert=convert
-
-
 #pdfToPDFA
 pdfToPDFA.title=PDF To PDF/A
 pdfToPDFA.header=PDF To PDF/A

diff --git a/src/main/resources/templates/addUsers.html b/src/main/resources/templates/addUsers.html
@@ -12,7 +12,7 @@
             <div class="container">
                 <div class="row justify-content-center">
                     <div class="col-md-8">
-
+			
                         <!-- User Settings Title -->
                         <h2 class="text-center" th:text="#{adminUserSettings.header}">Admin User Control Settings</h2>
 
@@ -43,6 +43,9 @@ <h2 class="text-center" th:text="#{adminUserSettings.header}">Admin User Control
 
 
 						<h2 th:text="#{adminUserSettings.addUser}">Add New User</h2>
+						<div th:if="${param.messageType != null and param.messageType.size() > 0 and param.messageType[0] == 'usernameExists'}" class="alert alert-danger">
+						    <span th:text="#{usernameExistsMessage}">Default message if not found</span>
+						</div>
 					    <form action="/admin/saveUser" method="post">
 					        <div class="mb-3">
 					            <label for="username" th:text="#{username}">Username</label>
@@ -61,6 +64,10 @@ <h2 th:text="#{adminUserSettings.addUser}">Add New User</h2>
 						            <option value="ROLE_WEB_ONLY_USER" th:text="#{adminUserSettings.webOnlyUser}">Web Only User</option>
 						        </select>
 						    </div>
+					        <div class="mb-3">
+							    <input type="checkbox" class="form-check-input" id="forceChange" name="forceChange">
+							    <label class="form-check-label" for="forceChange" th:text="#{adminUserSettings.forceChange}">Force user to change username/password on login</label>
+							</div>
 
 					        <!-- Add other fields as required -->
 					        <button type="submit" class="btn btn-primary"  th:text="#{adminUserSettings.submit}">Save User</button>

diff --git a/src/main/resources/templates/change-creds.html b/src/main/resources/templates/change-creds.html
@@ -40,7 +40,7 @@ <h4 th:text="#{changeCreds.changeUserAndPassword}">Change Username and password<
                         <form action="/change-username-and-password" method="post">
                             <div class="mb-3">
                                 <label for="newUsername" th:text="#{changeCreds.newUsername}">New Username</label>
-                                <input type="text" class="form-control" name="newUsername" id="newUsername" placeholder="New Username">
+                                <input type="text" class="form-control" name="newUsername" id="newUsername" th:placeholder="${username}">
                             </div>
                             <div class="mb-3">
                                 <label for="currentPassword" th:text="#{changeCreds.oldPassword}">Old Password</label>

diff --git a/src/main/resources/templates/security/add-watermark.html b/src/main/resources/templates/security/add-watermark.html
@@ -28,7 +28,16 @@ <h2 th:text="#{watermark.header}"></h2>
                                     <option value="image">Image</option>
                                 </select>
                             </div>
-
+                            <div id="alphabetGroup" class="mb-3">
+	                            <label for="fontSize" th:text="#{alphabet} + ':'"></label> 
+	                            <select class="form-control" name="alphabet" id="alphabet-select">
+	                                <option value="roman">Roman</option>
+	                                <option value="arabic">العربية</option>
+	                                <option value="japanese">日本語</option>
+	                                <option value="korean">한국어</option>
+	                                <option value="chinese">简体中文</option>
+	                            </select>
+                            </div>
                             <div id="watermarkTextGroup" class="mb-3">
                                 <label for="watermarkText" th:text="#{watermark.selectText.2}"></label> 
                                 <input type="text" id="watermarkText" name="watermarkText" class="form-control" placeholder="Stirling-PDF" required />
@@ -101,25 +110,28 @@ <h2 th:text="#{watermark.header}"></h2>
                         </form>
 
                         <script>
-						    function toggleFileOption() {
-						        const watermarkType = document.getElementById('watermarkType').value;
-						        const watermarkTextGroup = document.getElementById('watermarkTextGroup');
-						        const watermarkImageGroup = document.getElementById('watermarkImageGroup');
-						        const watermarkText = document.getElementById('watermarkText');
-						        const watermarkImage = document.getElementById('watermarkImage');
-
-						        if (watermarkType === 'text') {
-						            watermarkTextGroup.style.display = 'block';
-						            watermarkText.required = true;
-						            watermarkImageGroup.style.display = 'none';
-						            watermarkImage.required = false;
-						        } else if (watermarkType === 'image') {
-						            watermarkTextGroup.style.display = 'none';
-						            watermarkText.required = false;
-						            watermarkImageGroup.style.display = 'block';
-						            watermarkImage.required = true;
-						        }
-						    }
+                        function toggleFileOption() {
+                            const watermarkType = document.getElementById('watermarkType').value;
+                            const watermarkTextGroup = document.getElementById('watermarkTextGroup');
+                            const watermarkImageGroup = document.getElementById('watermarkImageGroup');
+                            const alphabetGroup = document.getElementById('alphabetGroup'); // This is the new addition
+                            const watermarkText = document.getElementById('watermarkText');
+                            const watermarkImage = document.getElementById('watermarkImage');
+
+                            if (watermarkType === 'text') {
+                                watermarkTextGroup.style.display = 'block';
+                                watermarkText.required = true;
+                                watermarkImageGroup.style.display = 'none';
+                                watermarkImage.required = false;
+                                alphabetGroup.style.display = 'block';
+                            } else if (watermarkType === 'image') {
+                                watermarkTextGroup.style.display = 'none';
+                                watermarkText.required = false;
+                                watermarkImageGroup.style.display = 'block';
+                                watermarkImage.required = true;
+                                alphabetGroup.style.display = 'none';
+                            }
+                        }
 						</script>
 
                     </div>